
Internet Giants Erect Barriers to Spy Agencies - panarky
http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html
======
logn
I like this, but the reality is that in the USA there isn't this fairy tale
ending that NYTimes is writing.

> Telecommunications companies say they are denying requests to volunteer data
> not covered by existing law.

Existing law covers (and will cover) bulk collection. The USA Freedom Act,
from my understanding, actually strengthens the legality of bulk collection
without the pesky need to renew the PATRIOT Act every few years (collection
queries can be based on devices, for instance... so you could collect based on
iPhone, Android, or browser user agent).

I am happy that Google and other companies recognize it's in their interests
to protect privacy. But until substantive legislation protects the public, we
have no reason to celebrate.

(edited for typos)

------
javajosh
It's tempting to say that these measures are pointless since, ultimately, the
USG has the _capability_ to access any data it wants. (After all they can send
armed men to get anything that you have access to.)

But actually, even imperfect, these measures by Google in particular are very
useful and important, and are laudable. These measures stop the
_surreptitious_ acquisition of data, and so _at least_ force data-acquisition
activity into the open, and make it slightly more expensive to get.

Good! The US spy agencies are too reliant on technology! The bad guys can only
really be found before they strike through face-to-face social interactions,
which is inherently slow and doesn't scale. Good! Justice is a human problem
and deserves to be executed at human scale. If it isn't then we risk a whole
raft of moral hazards, which we are already seeing.

~~~
MichaelGG
It's not just the USG that can do this. Anyone that can dig up some fibre and
install equipment would have been able to tap these lines, as I understand.

As far as the government relying on technology, I doubt that is a battle that
can be won. Laws were written with inefficiency as an obvious countermeasure
for abuse. Now that inefficiency is disappearing, the laws need to be
revisited and countermeasures directly written in. This will be difficult.

Google's roadblock is laudable and good, but perhaps a bit overdue. They were
knowingly transmitting user data in plaintext outside of their physical
control.

~~~
fiber08

        Google's roadblock is laudable and good,
        but perhaps a bit overdue. They were
        knowingly transmitting user data in
        plaintext outside of their physical control.
    

I dunno about that.

Imagine you're the engineer reviewing the design doc for the system that does
cross-colo data transfers on company owned fiber. Do you really expect to see
a detailed encryption system in there? Or even any discussion? I'm not sure
I'd have said yes even now, much less a year ago.

I may be a minority and sound hyperbolic in saying this, but in many ways
Snowden feels like something of a "9/11" for our industry: innocent
assumptions we made prior (the company-internal network is safe; no terrorist
would go down with the plane) just aren't true anymore..

~~~
rhizome
If Snowden is 9/11 for "our industry," what does that say about Risen and
Lichtblau's story describing NSA surveillance getting spiked by the NYTimes
just before the 2004 elections, before eventually being allowed to be
published over a year later?

[http://www.nytimes.com/2005/12/16/politics/16program.html?pa...](http://www.nytimes.com/2005/12/16/politics/16program.html?pagewanted=all&_r=0)

Those with innocent assumptions last year had their heads in the sand, and if
we're talking about Google, Apple, et al, who claim to hire the best of the
best, then that's a sad situation indeed. The simpler explanation is that it
wasn't a problem to them until their customers found out.

------
MichaelGG
>N.S.A. had brilliantly exploited

Eh? Tapping a wire is one of the easiest ways to listen in to communications.
It's not like Google or MS or anyone was unaware of this threat vector, they
just decided they didn't want to spend the time and money to deploy crypto on
all their networks (I don't blame them, making it all work is a pain, and
troubleshooting becomes more difficult, too).

And on top of that, AT&T was revealed to be splitting fibre for intelligence
agencies in 2006. So in 2013 for Google or anyone to be caught unaware or call
this "brilliant" is really overstating things.

What next, revelations on how Google is shocked that someone setup acoustic
eavesdropping and keylogging? How this was "brilliant"?

NYT shouldn't give the NSA credit for being more than thugs on this particular
thing. They've got a huge budget and apparently a fairly free legal reign. Of
course they can go listen to other people.

~~~
001sky
_" Eh? Tapping a wire is one of the easiest ways to listen in to
communications"_

Yet splicing into fiber-optics, especially undetected, is not the same thing
at all. The americans have special-forces submarines that help them with this.
Not exactly rookie stuff.

see, eg
>[https://en.wikipedia.org/wiki/USS_Jimmy_Carter_%28SSN-23%29](https://en.wikipedia.org/wiki/USS_Jimmy_Carter_%28SSN-23%29)

~~~
MichaelGG
I'm guessing not all fibre optics run under water and don't need special
forces submarines.

~~~
001sky
'I'm guessing' 'trivial' and 'splicing fiber optics' doesn't realy flow,

logically.

~~~
MichaelGG
If you have the money to buy the commercial splitting/tapping products, and
the resources to go find and attack the fibre lines, then I think it's as
trivial as it's going to be. Certainly within range of corporate budgets.

------
znowi
If Snowden didn't leak data on NSA surveillance none of the "internet giants"
would care about encryption now. They'd continue cooperating as usual. What
they do now is saving face, appearing like privacy heroes. These actions are
likely agreed upon with the relevant agencies and designed to calm down the
public.

------
mschuster91
> "Google, for example, is laying its own fiber optic cable under the world’s
> oceans"

Google becoming an ISP for customers is well known, but where did they get the
massive capital required to setup transoceanic fiber? (And why don't they just
rent dedicated fibers on existing lines)

~~~
confluence
Cables aren't that expensive to lay down when you have upwards of $40bn in the
bank.

~~~
adventured
$60 billion. Google could lay down a semi-global fiber network of their own if
they wanted to.

~~~
mschuster91
I guess this is why Google has been shifting in lots of... well, non-Search
product areas, in the last few years.

Advertising in internet is bound to fall due to ad blockers, it's just
sensible for them to spread their knowledge and ubiquity... so if Adword
profits vanish, they'll still be a profitable ISP/megacorp.

~~~
ihsw
Bound to fall? I doubt it.

I wouldn't be surprised if some Google people came to the conclusion that ad-
blocking is prevalent in affluent demographics (namely people with non-trivial
technical skill) whereas 'the next 1 billion' coming online are predominantly
simply not installing ad-blocking software (browser extensions/plug-ins,
desktop applications, etc).

It stands to reason that this would certainly drive Google's interest in being
on the forefront of 'the next 1 billion' coming online.

~~~
mschuster91
The "next 1 billion" will have low-powered devices, mostly cellphones - not
able to display any advertising bigger than an Adword. Not to mention that
neither Africa nor India has an advertising market remotely comparable to
US/EU (especially, the advertising budgets of the companies).

------
Zigurd
All barriers are an improvement because good defense is defense in depth. But
in an age of secret courts and secret interpretation of laws, the ones that
really matter are the ones that put data out of reach of everyone except the
holders of the private keys.

------
beloch
Google still has my plaintext.

We already know that the NSA has the power to barge into Google's server
stacks and install their little black boxes wherever they please. Ergo, if
Google has your plaintext, nothing Google does really matters. When Gmail
starts to use public key encryption to encode my emails at my own computer and
automagically decrypts them at my friends' computers, I'll start to trust
Google. That's never going to happen though, because Google needs my plaintext
so they can serve me targeted ads. That is their lifeblood.

If you fear the NSA, you should still fear Google.

~~~
magicalist
> _We already know that the NSA has the power to barge into Google 's server
> stacks and install their little black boxes wherever they please_

Please do point out how we know that.

> _When Gmail starts to use public key encryption to encode my emails at my
> own computer and automagically decrypts them at my friends ' computers, I'll
> start to trust Google. That's never going to happen though_

So you didn't read the end of the article or see the news from earlier this
week.

~~~
balls187
Pure speculation:

They have agents that work for Google. Either employees' or people who are
paid very large sums of money to do the NSA's bidding.

~~~
balls187
Not sure why the downvotes.

Anyway, I don't want to make the NSA to seem like the boogie man, but from the
leaked documents, they've shown that they pretty much at-will can access
secure data and systems.

I believe Google has a lot of resources, and has very smart people, but the
NSA is no slouch either.

Add to that, security/threat prevention is very much a game of Cat and Mouse.

~~~
ewoodrich
I downvoted you, although I now regret doing so because of the sincerity of
your argument. (dang: can we maybe get the ability to undo ratings if you get
a chance?).

Prefacing a post with "Pure speculation" especially on HN, invites a negative
response by default. I would recommend providing a bit more "meat" in support
of your argument, or at least provide enough detail so that commenters can
assume good faith. These are only my opinions, however.

In response to your argument, I would suggest you investigate some of the
specific vulnerabilities, such as in DUAL_EC_DRBG. There is evidence that
particular components of certain encryption schemes have been compromised, but
at least to my knowledge, use of appropriate libraries with common schemes
like AES are still considered secure.

~~~
balls187
Thanks for letting me know about HN. I wanted to make it very clear I was
speculating wildly. It doesn't seem that outlandish to think that the NSA
could have agents working at top communications companies.

I worked for a small security startup, and our main security engineer would
mention that he believed that at MSFT, there were groups that secretly worked
with the government to install government backdoors in various software. He
had no proof, but it seemed plausible.

------
suprgeek
I think the EFF said it best ""Anyone trying to perform mass surveillance is
going to have a much harder job today than even 6 months ago".

Not only are there technical barriers being set-up but now a lot of companies
have started to grow a spine and challenge the Govt..

Plus that "smiley" on the leaked NSA slide bragging about hacking all the big
companies has VERY seriously ticked off some of the bright folks at these
companies :)

------
Noctem
> and their business has declined steadily in countries like Asia, Brazil and
> Europe over the last year.

I hadn't realized that Asia and Europe are countries now. I suppose the EU is
at least a step in that direction.

------
KaiserPro
Running your own cables won't prevent splicing attacks.

Especially as long stretches of dark fiber tend to need repeaters, which tend
to be in easily locatable places....

------
balls187
If the NSA is capble of MITM attacks, Google laying their own Fiber seems not
like a good solution.

What would prevent the NSA from going into the ocean and tapping direct?

~~~
ewoodrich
Encryption? Or the relative difficulty of needing to use a submarine of some
sort, instead of tapping directly into Room 641A, for example?

~~~
balls187
Certainly getting at Room 641A would be easier, but for the US Government,
nothing seems out of reach, resource wise.

Forgive my ignorance, but I thought the revelation was that the NSA can
routinely break encryption schemes.

Also, I thought it was against US export law to use certain types of
encryption for data leaving the US.

------
uuyyk
Unpopular opinion ahead:

I find myself unbothered by these NSA "revelations", and I feel most are just
pretending to be. It's all far from unexpected, and other governments have
cynically latched onto these leaks to further their interests.

I don't care about for the heightened focus on privacy tech and policy, it's
boring.

The NSA did bring it on itself though by allowing this stuff to leak out,
which is the only difference between it and other nations' intelligence
bodies.

~~~
TheCondor
The disengenuousness of it is what upsets me. I could find great national
pride in this if it was used on terrorists as they claim. Fact is they aren't
stopping domestic terrorists like the sandy hook shooter or the batman gunman
or the boston marathon bombers. And "real terrorists" aren't Americans or
generally even in America. If they tracked everybody and then dismissed the
law abiding citizens and released their data as they added them to a white
list or something, I could get with that. This approach to fighting terrorism
is just fishing in the wrong pond though.

~~~
balls187
Seems like a slippery slope. I'd classify a lot of these domestic mass
shootings as lack of mental health support in the US, rather than a lack of
willingness on the NSA.

There isn't much that comes out of these mass shootings that indicate a series
of coordinated digital events, that typically occur for foreign groups looking
to attack US interests. Instead it's the work of a single, mentally disturbed
person.

------
Lunatic666
Google is worse than the N.S.A. anyway. They do exactly the same only that
they give you a shitty UI for your emails in return

~~~
Noctem
Do you not understand the difference between the motives and powers of
businesses and governments?

Governments tax, imprison, and kill. Businesses serve ads.

So when a government gets your data, they look for reasons to imprison or kill
you. When Google gets your data, they try to find more relevant ads for you.

------
adventured
Why don't Google, Facebook, Apple, Microsoft, etc. invent their own new forms
of encryption, and build a whole solution from software to hardware? At their
scale, throwing a billion at a problem like this would be irrelevant.

~~~
nowne
That wouldn't solve much, if anything at all, see Kerckhoffs's Principle[1].
The standard encryption algorithms perform perfectly well to the best of our
knowledge, why make your own encryption algorithm and risk getting it wrong?

[1]
[http://en.wikipedia.org/wiki/Kerckhoffs's_principle](http://en.wikipedia.org/wiki/Kerckhoffs's_principle)

