
Microsoft and Google to sue over US surveillance requests - ghosh
http://www.theguardian.com/law/2013/aug/31/microsoft-google-sue-us-fisa
======
javajosh
Perhaps, in the end, the NSA has done us all a favor: they have shown us the
fundamental insecurity of giving 3rd parties access to our data. With this
move, Google and Microsoft clearly believe that there is demand for privacy,
and understand that loss of trust has real, possibly severe, bottom-line
implications. They act not out of idealism, but out of fear.

The issue, of course, is that if someone wants to talk to me they need to
connect with my physical equipment. In a perfect world, people would look me
up with a simple IP address, and I'd have whatever services I wish to provide
running on various ports from that IP. This machine could be my phone, or a
computer I keep in my home. But what's funny is how the modern internet
appears to conspire against this extraordinarily simple idea: the first
problem is IPv4. There aren't enough IPs to give every internet-connected
device a unique IP address, which means NAT, which is, AFAIK, fundamentally
insecure when handling inbound traffic. The second is that virtually all
internet providers forbid us, in their terms of service, from running
"servers". Which brings us to this interesting syllogism:

1. Communication sent through third parties is not private.

2. All internet communication involves a third party.

3. There is no private communication on the internet.

Until the problems of IPv6 adoption and contractual restrictions on how you
use your internet connection are solved, people do not have a viable
alternative to using 3rd party hardware for communication over the internet.

Of course, if the "no fly list" is any precedent, the government argument will
be something like, "then don't communicate with the internet".

~~~
devx
I'm not sure I would go as far as saying it's _impossible_ to have private
communications on the Internet.

It's impossible _right now_ for the _masses_, because they've decided they
can _trust_ these 3rd parties. So we never really put much thought into
adopting "Trust No One" type of services. But having such services is probably
doable, and now that we know these companies can't actually be trusted,
perhaps we'll start using them.

Again, the main reason we didn't have private communications through 3rd
parties, is because we thought we could trust those 3rd parties. But that has
changed now.

~~~
huhtenberg
> _they've decided they can trust these 3rd parties_

Most of said masses don't even realize there's trust involved, let alone
_making a decision_ on whether to trust vendors or not. They just swallow
what's free without much thinking.

Just look at something like the real-estate business. You'd think that
realtors would appreciate how much private information is passing through
their hands and that they would conform to the privacy protection laws they
are typically bound with. And yet, every single one of these retards uses
Gmail and routinely emails forms stuffed _to the brim_ with delicious personal
info in plain text. How can you realistically expect _the masses_ to do any
better?

------
sker
PR theater. After how these companies reacted to the initial leaks, I can't
think of another possible scenario other than the CEOs sitting in a room with
government officials discussing the best strategy for damage control, and the
government giving them green light to sue. But I guess I'm just stating the
obvious.

~~~
dylangs1030
How do you know it's just PR theater, and that these companies aren't just
trying to legitimately defend their reputation? You dismiss the entire story
and claim that it's so obvious, but how can any of us know that right now?

And, in the face of not knowing, why default to an explanation other than what
has been given to us?

~~~
jbjohns
When it comes to security, your default position should always be one of
extreme scepticism. Believing "what has been given to us" is what got us in
this mess to begin with.

~~~
dylangs1030
I understand what you mean, but I'm not opposed to extreme skepticism. It's
alternative explanations that seem contrived that I'm opposed to.

There is a difference between extreme skepticism in the face of one story, and
postulating hypothetical scenarios that have equal or higher burdens of proof,
and are less likely or more difficult to demonstrate.

In fact, in terms of logic, the two are diametrically opposed.

------
smackay
Damned if they do, damned if they don't. It's really an impossible situation
for the companies involved as their actions, as the comments so far state,
will be viewed through the biases of the observer.

One way out, to appease the outrage over what happened, would be for a few
CEOs to spill the beans on what took place at their organizations. But after
they were carted away to jail the company would still be in the situation it
was before. Another would be simply to shut up shop in the USA and move
somewhere else - but where? It would need to be a country where the
intelligence services did not have the capability - end of business. About the
only realistic and probably credible response is not to sue but to put a lot
of effort into supporting third-parties opposed to the situation such as the
EFF. Then at least, despite what they were forced to do behind closed doors
the company would at least have a visible position and be seen to be trying to
get off the handcuffs put on it by the government.

~~~
rayiner
The tech industry needs to get over this underdog mentality. It dwarfs
industries that people regularly claim somehow own the government (e.g. media
industry).

If tech companies thought it was in their best interest, they could bury the
DOJ in litigation for years and barely feel it in the pocket book. It happens
all the time when it comes to other industries that have more balls.

~~~
mikeash
Agreed. I'm always fascinated by how different industries punch above or below
their weight in government.

The movie industry seems to more or less own half of Congress, and appears to
be able to get industry-specific legislation created nearly at will. Yet total
US movie industry revenue is in the neighborhood of $85 billion, which is
about half of Apple all by itself, not even counting _any_ of the many other
valuable tech companies out there.

~~~
marcosdumay
Calculate "total revenues"/"added value to society". The bigger this number,
the more likely that the industry is heavily involved with the government.

Except for negative numbers, of course.

~~~
rayiner
Because oil isn't valuable to society while internet advertising is very
valuable.

------
anigbrowl
These comments tell us far more about the people making them than they do
about the issue in question.

~~~
dylangs1030
Yep...we have no proof of Google or Microsoft being complicit in NSA
surveillance.

Despite that, news like this is going to be analyzed in whatever light suits
the reader's bias. People are going to argue and say that this is just a fake
attempt at saving face, and that it's a conspiracy sanctioned by the
government to allow these companies to regain their reputation. Then there are
going to be counter arguments citing what the CEOs announced publicly. And so
on and so forth.

People will believe what they want, one way or another. Occam's razor be
damned.

~~~
MikeCapone
> Yep...we have no proof of Google or Microsoft being complicit in NSA
> surveillance.

The top secret internal NSA documents saying they were partners in PRISM with
colorful logos and all weren't enough?

~~~
dylangs1030
No, they aren't, not after the Guardian backtracked on "direct access." It was
independently reported elsewhere as well.

[http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of...](http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of-nsas-direct-access-to-tech-companies/)

~~~
devx
They didn't really backtrack. Maybe on some kind of semantic definition of
"direct access", but not on the whole thing.

They even wrote later from new leaks, how Microsoft was having a "team play"
with the NSA to give them a lot of data from Skype, Outlook.com and Skydrive,
in an almost "direct access" kind of way:

[http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...](http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

~~~
MichaelGG
If by team play you mean they obeyed court orders for interception, well, yes.
That article is incredibly deceitful in its wording. "Circumvent encryption"
aka "hand over unencrypted data on disk". Using "pre-encryption" sounds
intriguing, but it's nothing special and most companies are going to obey a
court order versus shutting down. If you had to implement a wiretap, I doubt
LE is going to accept you sending them the emails after you encrypt them.
Pretty sure if you tried such a stunt, a judge would smack you back since it's
obvious you're obstructing their order.

It may be that Microsoft really, really, loves to give the NSA everything, but
so far, there's no evidence of anything beyond complying with the law. Just
speculation and spin.

~~~
devx
But this is what we're talking about here. Those "orders" give them almost
unrestricted access to everything they want - for _mass spying_. All thanks to
the so-called general "warrants" from FISA.

Does that make you feel any better? I know it's not making me feel any better,
because I know there's virtually no oversight, and the fact that you can even
get a warrant for thousands or millions of people at once, is not right, and
quite a disgusting move from the government (regardless of how constitutional it
is - there's such a thing as human rights, too).

~~~
MichaelGG
Microsoft has said there are no general orders to tap everything. There is a
huge difference in a rubber-stamp, poorly-audited system, and a wholesale
surveillance where Microsoft is giving the NSA raw data on everyone.

Trying to conflate the two for media impact will backfire by making people
jaded after they discover the spin being put on things. The info Snowden has
released is bad enough as-is (the lack of oversight, the scope, etc.) -
there's no need to invent stuff.

------
devx
I hope these companies aren't delusional enough to think that even if they win
this one, and are allowed to say how many NSL's they receive, they would score
some kind of "big win" with us, the public.

This will barely register on my radar, if they don't take serious steps in not
just fighting the government more aggressively over the mass spying (they
should be fighting to declare NSL's and mass data collection unconstitutional,
for starters), but also in securing their services end-to-end.

So even if we can't trust them anymore per se (which we won't), we could still
probably use their services if they adopt that.

------
einhverfr
Now that their back is to the wall and their reputations destroyed.... now
they will sue.

I think there is a point however where one has to accept the reality of
surveillance at this point and that large companies are probably not going to
be the best points of resistance. Open source and open infrastructure with
strong crypto and chain of custody tracking on keys is what is going to be
required in the long run. I am not even sure we can go back to trusting the
certificate authorities here and if we can't do that then these lawsuits are
way too little way too late.

------
todos
A clumsy and crude PR exercise to minimise financial loss.

~~~
walshemj
And dangerous as both Google and MS are quite opaque - this falls into the "be
careful what you wish for".

I could see pressure being on both of these companies to be more transparent
as a result of this.

------
smtddr
Trust is a very delicate thing. I feel sorry[1] for these companies; this
whole thing can't have been easy to deal with. We can talk could-have,
would-have, should-have all day long. Bottom line is _right now_ we've got what we've
got. Does anyone on HN have any idea what could possibly be done at this point
to rebuild trust? Or is it just completely wrecked? It seems that to trust big
internet companies again we have to believe the USgov is trust-worthy. To be
brutally honest that's something I cannot see happening without a very real
revolution. I'm curious if there's anything else that could restore trust.

1. [https://news.ycombinator.com/item?id=6182651](https://news.ycombinator.com/item?id=6182651)

~~~
sounds
Here's a suggestion I read early on in the Snowden-storm that hit HN, and that
I thought was reasonable:

If Microsoft and Google are really united and seriously hurting, why don't
they each individually (not acting as a cartel) kick the NSA out of their data
centers? There may be a lawsuit, yes, and there will likely be a hit to their
share value, but it's that same old problem of trading short-term safety for
long-term freedoms.

It's a good way for them to put the money where the mouth is. Yes, I'm aware
of the "requirements" to allow monitoring equipment; I'm specifically calling
for the executives of these companies to engage in civil disobedience.
Politicians are famously sensitive to anything that actually gets the
attention of the _masses_. Like, shutting down Google due to court-ordered
monitoring and Google refusing to comply. How long would the NSA endure such a
standoff before backing down with some weasel-words about "coming to an
agreement"?

~~~
spankalee
Google at least says that the NSA is _not_ in their data centers, and that
there isn't and never was any "direct access". So how can they kick the NSA
out if they're not there? Google admits to granting lawful requests for data,
such as warrants and NSLs, but this appears to be by delivering the requested
data via some non-direct-access means like CD or SFTP. Google is not a telecom
and does not have to implement wiretapping like Verizon, etc., so there's no
law requiring equipment or access.

------
consider_this
Two giants whose revenue streams revolve around knowing their clients'
personal business inside and out are suing the government because they want to
get paid for turning the information over.

Just like the money PRISM brought to enable the monitoring, now they want
per-use or even better regular rents from the government to keep the taps open.

The nice little side benefit is the puppet theater for their customers who
still labor under the delusion that they have some shred of privacy with
either of these for-profit corporations.

------
popee
Why haven't they done this before? Cause now this looks like damage control,
they have to _show_ they care because they are losing money. But too late,
compromised services opened significant area for others, only in question is
quality, but quality is also defined by people using those services and lot of
people want to use something not compromised -> if you ask me now is right
time to get dirty and do the job.

------
saosebastiao
What needs to happen is for these companies to place an intentionally insecure
vulnerability on their website somewhere that leads to a full archive of NSA
correspondence. Then sit and wait for someone to hack it and release it
anonymously. Remember, according to the CFAA, security doesn't matter, and
therefore 100% of the blame falls on the hacker that found it.

------
drderidder
If Microsoft really believed they had a "clear right under the US Constitution
to share more data" they would step up and do it. Suing for the right to
exercise constitutional rights looks more like a cheap dog and pony show to
make the public think they haven't completely whored themselves out to the
neo-stasi agencies. It's too late. They should get ready for a steady Exodus
away from US based technology products and services.

------
frank_boyd
In case you don't buy the PR circus, start protecting yourself:

[https://prism-break.org/](https://prism-break.org/)

------
selfexperiments
Only now, after selling out their users and lying about it, only after seeing
they can't manipulate the public with distractions, now they sue.

