
Facebook, LinkedIn, Yahoo, Google, Microsoft disclose data about NSA requests - jonalmeida
http://thenextweb.com/insider/2014/02/03/facebook-linkedin-google-microsoft-reveal-data-showing-range-accounts-requested-nsa/?fromcat=all
======
harshreality
How about a magic trick?

Watch this hand, which is issuing specific requests for data.

Ignore the other hand that was snooping on (until Google started encrypting
last year) Google's inter-datacenter links, almost all Yahoo! traffic since
they only enabled ssl for non-premium accounts last year, most
Hotmail/Outlook.com traffic since their defaults had ssl disabled until
recently (last year?), and anything else we can (everything of interest that's
not encrypted or that we can break[1]).

Ignore that restrictions on spying on our own citizens are weakened since
they're not citizens to the other 4 "5 eyes" countries, and in some situations
they can share back that data or they can query it for us.

Ignore that we don't consider collecting metadata on phone calls to be a 4th
amendment violation. Because knowing if you called Bill Ayers or an abortion
clinic or an HIV clinic is not private personal data at all.

Ignore that the data we collect, although nominally for national security
purposes, is being used in criminal prosecutions having nothing to do with
national security, and that we encourage law enforcement agencies to use
"parallel construction" to avoid revealing the true source of the data that
jumpstarted their investigations. Since we've been caught doing this, the Dept
of Justice is now revealing in court when this occurs, but please ignore that
these domestic criminal cases may not have been possible at all without the
mass data collection we do for "national security" purposes.

Ignore our attempts to compromise internet infrastructure and subvert public
cryptographic standards.

Ignore that the DNI lied to Congress. Ignore, ignore, ignore.

[1] RC4 maybe; see
[https://twitter.com/ioerror/status/398059565947699200](https://twitter.com/ioerror/status/398059565947699200)

~~~
rsync
The google-inter-datacenter links is nothing but plausible deniability. You
will not see the end of "breaches" like this, since both sides knew what was
going on (even if joe-sysadmin at google was "shocked, shocked!").

~~~
rdl
I don't think this is the case.

OTOH, I'm surprised Google, after being the victim of known hacking by an
intelligence agency (in pursuit of a religious extremist group, presumably),
consisting of malware, targeted malware/spearphishing, attacks on staff
(presumably inserting trusted staff into Google in various roles), etc.,
didn't include bulk encryption within its network as a way to compartmentalize
things.

They certainly pulled out of the world's largest Internet market, locked down
their employee workstations across the board (essentially banning Windows,
IIRC), adopted 2FA internally, and generally have better internal security
than banks or virtually any large enterprises. On the customer-facing side,
they're leading in cert pinning, "ssl everywhere", etc. So not doing bulk
encryption between datacenters was an oversight -- it's technically expensive
to implement, which was probably a major factor.

(In case it's not obvious, this isn't Google v NSA)

~~~
saraid216
> OTOH, I'm surprised Google [...] didn't include bulk encryption within its
> network as a way to compartmentalize things.

You mean this?

[http://www.washingtonpost.com/business/technology/google-
enc...](http://www.washingtonpost.com/business/technology/google-encrypts-
data-amid-backlash-against-nsa-
spying/2013/09/06/9acc3c20-1722-11e3-a2ec-b47e45e6f8ef_story.html)

~~~
rdl
The whole point of my comment was drawing a parallel between when _China_
spied on Google (and Google's response, and this one lacking element), and
what happened after NSA.

~~~
saraid216
Right. Clearly, like they did with China, Google should just stop doing
business in the US.

------
smtddr
0-999 ....Ridiculous.

The USgov/NSA thinks we're fools. This range tells me nothing. I can assume
the worse and conclude they send 999 requests every 6 months, but then I'd be
a conspiracy-nutcase. They know what they're doing. Ed Snowden's data is more
valuable to the public than this PR stunt. If there are anymore of you people
out there with info like Snowden considering doing a leak, please do it. I
understand it's a very personal decision to kinda ruin your life and be unable
to support loved ones around you; that's something only you can decide.

But if what's holding you back is _" duty to your country"_, look to Ed
Snowden. His actions gave true duty to the country... and the world.

------
tedivm
If they're already snooping on the links between data centers and picking the
data up using other means then they don't need to make any requests from the
companies while they're actually "investigating" things. The only reason they
would need to give them a reason why they have information they shouldn't
have- basically, when they need to bring something to court.

These reports are useful only in that they show how much the company is in bed
with the government versus how much they're just getting abused. You don't see
these types of reports from the phone companies, for example, because they've
been helping the government snoop for years.

------
Zigurd
Instead of complaining, or even in addition to complaining, every one of these
services could have built secure messaging and real time communications into
their products. Loss of ad targeting data? Fine, charge me for the difference
in the value of ads.

And yet, so far, nothing, not an announcement, a rumor, a hiring ad, nothing,
nothing, nothing.

~~~
jmillikin
It's not possible for a web application to be secure against the host of the
web application. If the host renders the HTML, then they need to access the
user's data. If the host serves the Javascript, then they have the opportunity
to acceess the user's data. If the user doesn't manage their own private keys,
then the host manages them and can compromise them.

Arguing that {Google,Yahoo,Facebook,LinkedIn} should implement secure
communication is equivalent to arguing that they should shut down their
existing products in favor of secure client-side implementations. The moment
they do this, the resulting product gap will be filled by some other company
and nothing will have changed.

The corollary is that any web-based service that claims to offer secure
communication is almost certainly not doing anything of the sort, and should
be treated with great suspicion.

~~~
Zigurd
Most of these companies provide some client-side software. Google provides a
whole OS, it's middleware layer, and many apps published open source. The
Android SDK runs on all three major PC OSs, as does Google Earth. Chrome runs
on all the major PC OSs, and has an open source "sister" project Chromium.

Web software is convenient, for sure, but it isn't so difficult to run ad-
supported services with client-side software.

~~~
jmillikin
Lets consider Gmail as an example.

It's trivially easy to configure a local Gmail client. Install Thunderbird,
type in your username and password, and you're good to go. The result is a
Gmail experience with an excellent UI, no ads, and the user is running only
open-source software.

Installing the Enigmail extension, GPG, and generating a GPG key provides a
secured communication channel. The user need only tick a checkbox to send
emails that are impervious to known interception methods.

Thus it's already possible to use Gmail for secure communications. No changes
on Google's part are required to enable secure emails in Gmail. So what are
you actually asking for?

It sounds like what you're saying is that Google ought to shut down the Gmail
web UI because you don't think hosted services are sufficiently secure. But
the thing is, almost nobody (excluding HN) actually cares. If Gmail moved to a
secure model tomorrow, it would be effectively the same as shutting down the
service because the userbase would migrate to Yahoo or Hotmail overnight. What
benefit has the new "secure" Gmail then achieved?

~~~
Zigurd
Using Thunderbird is not a solution. If Google or any of the other services
had their own client that properly integrated with back-end services like key
exchange, key signing, etc. you would not have to understand and implement
identity verification yourself.

You are setting up some straw men for demolition. As Skype showed, before it
was nerfed, there is no need for a client interface, especially a mobile
client interface not to support security that is so easy that it is equivalent
to an unsecured product.

~~~
jmillikin

      > If Google or any of the other services had their own
      > client that properly integrated with back-end services
      > like key exchange, key signing, etc. you would not have
      > to understand and implement identity verification yourself.
    

If key exchange and verification were handled by a third-party service, then a
compromise of that service would threaten the security of all communications.
To be secure, key exchange and verification must be handled offline at the
level of individual users.

Pre-acquisition Skype was not a secure communications system, any more than
iMessage or Hangouts are today. If you believe it was, then you have not spent
sufficient time considering how to compromise such a system.

~~~
Zigurd
Apart from meeting in person and exchanging keys, what other way do people
have of finding someone else's public key? Securing that is what key signing
and web-of-trust are for.

Also, Skype in unlike iMessage or Hangouts in that messages traversed nodes
that could capture and attack traffic. Skype had security requirements these
other services did not have. A modern, verifiable service could be built that,
to end users, resembled Skype in simplicity. Or, for that matter, Hangouts
could open source their client and enable verifiable security that, to the
end-user, would be no more complicated than using Hangouts is currently.

------
nkurz
It's great to get more openness about the numbers, but it's hard to know what
to make of them. One "advantage" of snooping on traffic is that you can issue
far fewer requests for data. If you already know the contents, you only need
to go through the legal process in the cases where you need to legitimize your
knowledge for further use. Should this make us more or less comfortable with
relatively low numbers of legal requests?

------
higherpurpose
Yeah, okay. You're not fooling anyone with these numbers guys. If you want
people to believe you care about their data privacy, then actually build
secure systems where even _you_ can't access the users' data, and therefore
the feds can't ask you for the keys either. This should especially become a
priority if this comes to pass:

[http://www.wired.com/threatlevel/2014/02/courtint/](http://www.wired.com/threatlevel/2014/02/courtint/)

------
wellboy
< With regards to Facebook, it says that within the last six months of 2012,
only a “small fraction” of one percent of its users were the target of any
government data requests

So with 1%, they mean that over 10 freaking million Facebook users were under
surveillance?

~~~
mdwrigh2
Only if you interpret small fraction to be 100%.

------
yuvadam
Those numbers mean jack shit. End of story.

------
belorn
The number of accounts impacted is a very deceitful number, and don't say
anything about the nature of the intrusion of users private data.

Let me try it: Let me run code to sieve through every politician mailbox. I
won't go after all of them, so only a handful will be "impacted" on.

And this is only first-order of impact. What happens with second order impacts
when a mail account by a person like Jacob Appelbaum is "impacted"? Is every
dissident that emailed in danger, and what if their organization is not in
favor of current US politics?

------
avisk
I assume these companies were honoring NSA requests for long time. These
requests are made public only after Snowden revelation, just because these
companies are scared about losing their customers.

------
seeingfurther
How is this really helpful? Random numbers on a page. The only number you
really care about is when YOUR number has been called and the government has
snooped on you.

------
coldcode
[0..some big number] is not disclosure.

------
gaf
Amazon is mysteriously absent from any list in the news.

Given the number of virtual servers they have in the cloud right now, the
amount of corporate data stored and passing through those, and the NSA's
interest in SSL, I would REALLY like to know where Amazon stands.

------
fredgrott
Number of NSA/Law Enforcement data requests without any number of
breakins/intrusions detected vs intrusions/breakins prevented is somewhat very
dubious non meaning number.

This is PR stunt..

------
noiv
It would be more concerning if these numbers decline, indicating a more
efficient 'grey' approach.

Btw: How can I boycott NSA and still use the Internet?

------
tiatia
If I may ask something offtopic: I try to host my own email in Iceland. I go
everything working so far. My server is not powerful enough for spamassassin
but I can live without it. One last problem: I don't get SSL to work. Does
https require lots of server resources?

------
pjaun
I don't think those numbers are "NSA requests".

------
popee
Damage mitigation?

