
How the U.S. is forcing Internet firms' hands on surveillance - declan
http://news.cnet.com/8301-13578_3-57593538-38/how-the-u.s-is-forcing-internet-firms-hands-on-surveillance/
======
coldcode
If you have access to every record of a person's life including financial,
it's not hard to find a way to get people to do what you want them to.

------
amirmc
_"The government's ability to perform surveillance even when armed with a
court order depends in large part on the decisions engineers made when
designing a product."_

So it's up to engineers building new products to incorporate security from the
ground up. No more lip-service to 'Your privacy is important to us' but actual
technical changes.

~~~
Zigurd
The one thing I have not heard amid the denials from Internet portals, search
engines, and social networks is any move at all to provide truly secure
communications and storage. The only consumer-oriented service I know of that
advertises the ability to encrypt your data with your own key is Carbonite,
and they did so long before Snowden. They all could do it. They all could
provide routine strong encryption, and they could make it simple. They all
could have been securing your email from hackers and foreign spies, long
before the NSA became an issue. By taking that step they could regain trust.
And yet...

------
mtgx
I consider helping the government that way worse than letting them get the
data forcefully with their own equipment, because then the companies won't
even protest against it anymore, since they will be "partners in crime" so to
speak.

I feel the same way about ISPs handing over data for money and turning it
into another profit center.

~~~
declan
Perhaps, but the problem is that the FedGov's equipment may vacuum up far more
than it's supposed to, or disrupt the network, or do a MITM attack not
authorized by the court order, etc.

From my article: "A federal magistrate judge sided with the government,
despite the fact that 'Carnivore would enable remote access to the ISP's
network and would be under the exclusive control of government agents.'"

If you're running a company and care about your users' privacy, would _you_
want an NSA black box with "remote access" -- remember, you can't log into it
and don't know what it does -- inside your firewalls? It might be better to
say: Okay, here's a process through which we'll give you a .tar.gz file of the
account via Secure FTP. Just keep those NSA black boxes the hell away from us.
Hello, PRISM.

~~~
Zigurd
That's a rationale for sure, but the risks you cite are likely to be present
nonetheless if the firewall, networking, and SAN gear you are running has
backdoors.

~~~
declan
If you have evidence that the "firewall, networking, and SAN gear" used by
Facebook, Apple, Microsoft, Google, Yahoo, etc. have supersecret government
backdoors, we'd be delighted if you could share it with us.

~~~
epistasis
I'm not sure if this what was originally referenced, and honestly I'd be very
surprised if HP storage saw much use in these companies, but the tech support
backdoors that have recently been revealed in two HP storage products have
caused me personal concern.

My first Google hit, seems somewhat accurate:
http://www.infoworld.com/t/data-security/hp-admits-undocumented-backdoors-in-two-separate-storage-lines-222614

~~~
superuser2
The only remote attack is DoS. You'd need physical access to steal data with
that.

------
stfu
Top comment on the page: _Honestly I don't care if the government wants to
vacuum up all this info, and they are using it for legitimate investigations
and trustworthy people have access to it. My only concern is with the people
who have access to this information and intend to do harm with it. Case in
point - Snowden._

Is there some decent management tool that would allow tracking/commenting on
popular news-websites? This is something where I would approve of a voting
ring system.

~~~
ChrisAntaki
Yeah, you could try hitting up the air force.
http://www.rawstory.com/rs/2011/02/18/revealed-air-force-ordered-software-to-manage-army-of-fake-virtual-people/

------
Nimi
So.... the answer to the question in the title is "by law".

The article seems to answer a different question: "Why do Internet firms
invest resources in implementing software which aids the NSA's surveillance?"
Because otherwise, the NSA will build it themselves, and force the companies
to install it inside their datacenters.

------
psbp
I think a lot of outrage on this site and others is misplaced. Why are there
more posts about boycotting than about affecting change in the federal
government?

The efficacy of boycotting is pretty dubious given that prism is probably just
one program of many being employed by the NSA and other governmental agencies.

~~~
disintermediate
These companies go to great lengths to avoid US tax jurisdiction, employing an
army of accountants and lawyers to avoid giving money to the IRS. Perhaps they
could work with the same dedication to avoid giving their users data to the
NSA.

~~~
declan
That is true, but numbers matter. There's a big difference between the NSA
serving 10 FAA702/FISA orders a year on Microsoft for Skype intercepts vs. 10
million. It's targeted vs. wholesale surveillance. We know from companies'
disclosures the upper bound is on the order of thousands, and is likely to be
far less.

Put another way, there _are_ some actual terrorists/spies/etc. out there, even
if the number of terrorists is far lower than the government would like you to
believe. If the NSA serves Microsoft with, say, 10 or 100 lawful orders a year
to eavesdrop on those communications, is that something worthy of working with
"dedication" to prevent? Probably not.

What the companies should be doing is encrypting what they can to frustrate
wholesale surveillance. Which Microsoft isn't doing. Which I wrote about here:
[http://news.cnet.com/8301-13578_3-57590389-38/](http://news.cnet.com/8301-13578_3-57590389-38/)

And here:
[http://news.cnet.com/8301-13578_3-57591179-38/](http://news.cnet.com/8301-13578_3-57591179-38/)

~~~
ChrisAntaki
When Verizon was served with a FISA request for all their customers' metadata,
each day for 3 months, that counted as one order.

That means Verizon might have "only" received 4 FISA orders a year.

~~~
declan
No, the Internet companies have said that's not what's happening. Facebook has
said, for instance, it has received a total of requests covering 18,000
accounts over a 6-month period, which includes NSA requests and local cops
trying to find a missing person:
http://news.cnet.com/8301-13578_3-57589461-38/facebook-microsoft-release-nsa-stats-to-reassure-users/

The Facebook etc. statements were designed to address precisely the concern
you raised. Verizon and AT&T, on the other hand, have remained very, very
quiet. For good reason:
http://news.cnet.com/8301-13578_3-57591391-38/surveillance-partnership-between-nsa-and-telcos-points-to-at-t-verizon/

~~~
coldtea
> _No, the Internet companies have said that's not what's happening._

Ah, it's ok then.

~~~
declan
If you have evidence they're lying, I'd be delighted to hear it. Otherwise
I'll believe them over a random HN comment, thanksverymuch.

------
carey
The article mentions that Microsoft’s systems support silently forwarding
email to a “shadow account”. Here’s Google’s announcement of the same
functionality, theoretically only available to Google Apps administrators:

http://googleappsupdates.blogspot.com/2010/05/new-api-released-google-apps-audit-api.html

Any significance to the timing?

------
drucken
So, the only "escape clause" US courts have given against this kind of
intrusion is end-to-end encryption, hardware and all?

~~~
declan
I think that's a good way to put it. Yes.

