

Google on NSA: No server access, no back door, no drop box, no free-for-all - moultano
http://venturebeat.com/2013/06/19/google-issues-clearest-statement-yet-on-nsa-and-prism-no-server-access-no-back-door-no-drop-box-no-free-for-all/

======
quaunaut
I'm still leaning toward the idea that if this is happening at all, it's
happening at the ISP/Backbone level. Which would mean none of these companies
are lying- but still that the Government is way overstepping, by leaps and
bounds.

There's also the distinct possibility this is all bullshit. There have been a
lot of holes and misinformation on Snowden's side("They can watch your
thoughts form as you type", when none of the services except for GMail send
textual data at real-time, etc), and the Q&A either doubled down some of them
or was trying to be misleading.

I'm still waiting for the Guardian to stop milking this and just give us the
rest of the slides, the rest of their evidence. At this point, my confidence
in the story is shaken enough that I want more if I'm gonna go Pitchfork in
hand at the NSA with all of this.

~~~
ianhawes
If this were happening at the packet level, PRISM would need constant
maintenance for each service, and a MUCH higher budget than $20mil a year.
Think about it, to be effective, you'd need to parse the format at which the
data is sent. Formats and protocols change daily for all these services. And I
highly doubt analysts are expected to look at pcap dumps to put together
intelligence.

I think reality is that PRISM is nothing more than a parsing software for data
dumps after NSA has legally obtained the data from the provider. And I'm
willing to bet the other 37 slides show that.

~~~
wildgift
Maybe it's not PRISM that's doing deep packet inspection.

~~~
ianhawes
Definitely a possibility. If that is the case, what is PRISM's responsibility
then?

~~~
nl
PRISM is a reporting and analysis system.

------
mindcrime
I'm sorry, but I can't take these statements at face value. Those PRISM slides
have not exactly been disavowed by the NSA, and they make it quite clear that
there _is_ some kind of "program" that Google (and others) are part of. I
don't buy that it's no more than "you send us a court order and we send you
the data" because that wouldn't justify having a name ("PRISM") and a list of
"join dates" for the various companies, etc.

Simply put, I think Google, Yahoo, Apple, MS, etc. are all lying about their
involvement in all this, to some extent. Maybe the NSA does or doesn't have
"direct" access (whatever you think that means) but I believe there is
something going on, beyond the run of the mill request/response scenario.

~~~
jpatokal
Is your hypothesis falsifiable? In other words, is there _anything_ Google
could do or say to convince you that they are _not_ , in fact, in cahoots with
the NSA?

~~~
ekianjo
They could release all details regarding what the NSA asked of them, for
starters, and what they do to ensure the NSA has no way to get data from
Google in one way or another.

And participate in stopwatching.us. Why no support there?

~~~
jpatokal
You are aware that Google is currently suing FISA for the right to release
that information, yes?

[http://money.cnn.com/2013/06/18/technology/security/google-n...](http://money.cnn.com/2013/06/18/technology/security/google-
nsa-first-amendment/index.html)

~~~
ekianjo
Yes, and it seems more like a PR coup than anything else, seriously. For a
company that has as much resources as Google, this is far from being
significant.

------
rdl
At this point, it seems more plausible to me that Google is telling the truth
here and the Prism slides are either inaccurate or refer to DPI reconstruction
or just a live hosting/presentation environment for conventionally-delivered
dossiers. I can't see Google intentionally making statements which are both
incorrect and falsifiable to this degree, especially since it looks like more
leaks are coming, or actual official declassifications.

There is absolutely some horrible shit going down -- backbone sniffing and
DPI, mass telephone metadata (and either OTA or carrier-delivered copies of
content for "interesting" numbers and maybe areas), etc. And, there are
serious future trust issues with cloud computing. But, at this time, I don't
think NSA has pervasive access at Google -- I'm sure they (and the Chinese,
Israel, and others) have Google staff who they know are likely to be
"friendly" if they actually did need to do something (much much more
applicable to non-US agencies), but even that doesn't need to be formalized
until used.

Because NSA has so many other tools (legal and technical) to use, I don't
think they do high-odds-of-being-detected stuff, certainly not on a widespread
basis. Active MITM of connections, or really intrusive requests to companies,
seems unlikely.

This is _not_ the case for China, Israel, etc., so they are far far more
likely to use external or internal attacks (other than legal) to get data from
companies. And, guess what -- look at the news or your own networks -- lots of
attacks from China, some quite sophisticated and successful.

I'd actually say there are higher odds of a given Google SRE being purely
commercially evil and selling access to crime organizations than that NSA is
doing this actively against Google.

This all means the threat is every bit as real as if NSA were doing it
pervasively _if_ you're likely to be a target. I don't think we ever thought
NSA was using its pervasive monitoring for anything other than ultimately
going after some specific targets, not for general law enforcement risk, so
the situation is no different either way -- you can mostly trust Google if you
blend in, but can't if you're "interesting".

Against some kind of pervasive secret program involving many people: The odds
of a single Googler on any team being a "whistleblower" are far higher than
the odds at NSA, and we've had a lot of espionage leaks over the years, plus
actual leakers.

Occam's razor is that Google is telling the truth here.

~~~
throwaway10001
_Against some kind of pervasive secret program involving many people: The odds
of a single Googler on any team being a "whistleblower" are far higher than
the odds at NSA, and we've had a lot of espionage leaks over the years, plus
actual leakers._

Ya think that random Googlers would spy for NSA or feed them info? They are
probably hundreds of Googlers with Top Secret clearance.

~~~
rdl
"Top Secret" doesn't mean very much (either positively or negatively). It's
being read into very specific special access programs which matter. Those can
have populations from like 2 to thousands.

I actually think the whole the USG handles classified information and
clearances is broken -- it keeps too much secret from the public or businesses
which could use it, AND fails to effectively keep essential-to-keep-secret
stuff secret. It's borderline OK in operational DoD units other than
NSA/intel/etc. (like, keeping maps and such secret), but other than that, it's
horrible.

Unlike the 1980s, they now have laughable internal security, where a
contractor in the provinces gets superuser access (unlogged!) to the point
where he can exfiltrate mad data, tamper with things, etc.

There are commercial organizations who do a vastly better job with their
secrets.

I'm torn between wanting to fix this all by making technical controls much
stronger, background checks more effective, etc., and wanting to let it
collapse (because 90% of what is classified is overclassified, and a lot of
the mission is either unnecessary or immoral, both in the general Eisenhower
"every dollar spent on bombs is theft from humanity" and in the specific sense
of violating civil liberties.

------
coopdog
Given that it's from a lawyer also, who no offence are often skilled at lying
by telling only the truth, it does make me a little hesitant to accept this.
I'd rather hear it directly from the CEO or some senior engineer, in the hope
that they'd know there's not some legal loophole they have to tread carefully
around as they speak.

Great that Google are saying this though. Let's fix the politics, stop the
secret court rulings and gag orders and have them say it one last time, along
with the approximate number of users effected by all requests ever.

~~~
ianhawes
[http://googleblog.blogspot.com/2013/06/what.html?m=1](http://googleblog.blogspot.com/2013/06/what.html?m=1)

From Larry Page, CEO of Google

That IS what you wanted, right?

~~~
coopdog
I'm pretty sure that was written by a lawyer according to talking points from
PR and given a glance and stamp by the CEO

Really it's all for nothing though until the politics are sorted out

------
sampsonjs
Yahoo fought Prism and failed:
[http://www.newyorker.com/online/blogs/closeread/2013/06/yaho...](http://www.newyorker.com/online/blogs/closeread/2013/06/yahoo-
and-the-secret-court.html).

Yahoo now wants us to believe that this was a court order saying, in effect,
Yahoo must comply with court orders to turn over specific user data. WTF?
Yahoo also wants its users to believe that Prism is nothing to worry about,
even though it tried to fight it back in 2008. "Notwithstanding the parade of
horribles trotted out by the petitioner ... Little more than a lament about
the risk that government officials will not operate in good faith." Nothing to
see here folks, move along!

~~~
anigbrowl
A real mischaractterization of the opinion:
[http://www.fas.org/irp/agency/doj/fisa/fiscr082208.pdf](http://www.fas.org/irp/agency/doj/fisa/fiscr082208.pdf)

Of course, the thing about slippery-slope arguments is that you never have to
deliver on them. It's curious that people who scoff at the idea of a rock that
keeps tigers away are so willing to believe in one that attracts them.

------
jread
I believe these statements are sidestepping the facts. Explicit requests for
user data and backdoor access are a separate issue. If Prism involves
capturing and storing packets at major Internet backbones (perhaps just
upstream from private networks like Google's), anything plaintext could be
searched and extracted after the fact - email messages, web browsing, chat,
etc. To this day, a significant amount of communication related Internet
traffic is not encrypted. I've worked on software that does exactly this. Here
is a public marketing writeup:

"Every packet is recorded, classified, and indexed, making quick discovery,
reconstruction, and delivery of files in their original formats easy and
intuitive. Reconstruct email attachments, windows file transfers, PDF, Word,
PowerPoint, Excel, and more, giving you full visibility into everything on
your network.... Show all activity over time for a single user or all file-
type activity over time for all users."

NSA could apply simple port based filtering to limit capture to only those
packets related to communication, thereby streamlining storage requirements.
If this was the Prism architecture, then these company statements would be
truthful, but misleading. The NSA does not have direct access to their systems
or user data, but if the NSA is allowed to record user traffic before it
enters, or after it leaves their doors, then the end result is similar.

~~~
alwaysdoit
Sure, but Google has been pushing enabling HTTPS including forward secrecy by
default for years now.

~~~
jread
Source encryption does not guarantee endpoint encryption. In the case of gmail
via https, an email recipient might download or forward in it in plaintext via
pop, imap, smtp or an http email client.

------
ck2
Qualifying Phrases of this decade:

 _" Under this program"_

 _" That we know of"_

 _" Not willfully"_

They are like a get-out-of-jail-free card.

"No more _illegal_ wiretapping of all US citizens like under Bush" (we'll just
make it legal instead).

------
embolism
The problem is that Google's business model fundamentally makes it into a
liability for a free society. The more they stockpile data on people, the more
dangerous they become.

Unless we have a change in the constitution that spells out a clear limit on
the government's right to access this data (and for that matter, limits
google's own rights to use it), the risk of misuse will only grow. Even if the
NSA's access _today_ is somewhat limited, the risk won't get any less.

Google is like a fireworks factory waiting for a stray spark.

~~~
BouncyBall
Perhaps, its a good thing that the worlds most powerful agency has a close
interior relationship with the most powerful corporation.

How else would you get the human race to move forward?

------
CamperBob2
Of course, the one thing we know for certain is that to the extent that a
company is required to assist with extra-Constitutional surveillance efforts,
they are also required to lie about it if asked.

So this is yet another zero-information thread on the subject.

------
signed0
It seems strange that they didn't just say this in the first place.

~~~
moultano
They did, but everyone picked apart the language so much that it seemed like
they didn't.

~~~
Groxx
To be fair, there was plenty to pick apart, and there was the eerie similarity
to the letters from other companies. And they (all) refuted "direct access"
but weaseled / legalesed out of any kind of _actual_ refutation of excessive
access to data.

This is much clearer. This is what everyone _very obviously_ wanted at the
very beginning, and it does seem strange that they didn't do this then, or _at
all_ sooner. What took them so long?

~~~
moultano
They have been saying this from the beginning.
[https://plus.google.com/116899029375914044550/posts/TMh6gUVr...](https://plus.google.com/116899029375914044550/posts/TMh6gUVrwMq)

------
duaneb
Doesn't the government have the capability to force corporations to lie about
matters of national security (of which the most benign form is a gag letter)?
Or is that just FUD?

------
genwin
Why would the NSA be building a facility large enough to store a big chunk of
the planet's digital info if they'll have data for only a few thousand Google
users?

~~~
asperous
The facilities are not just for Google, they are for a lot of survalence data
including underwater recording of internet backbones.

~~~
genwin
Including all phone conversations, and not just foreign ones.

Why wouldn't the NSA request _all_ Google searches, with IP address? That
would be highly valuable info.

