Luckily I am now in a position where I am fully responsible and aware of the routes my data takes. Yet we as a B2B ISP constantly get requests by intelligence services to provide information regarding our customers. Strangely they always assume that's totally okay to -just- ask for the data, instead of going the formal way. If we demand the judicial permissions they always rant about emergencies and so on. We can't help but follow the law, and the law disallows us to keep specific data for more than 60 days. I am really curious about how many ISPs voluntarily provide their customer data without asking for judicial permission beforehand.
Such conversations are coming around 2 or 3 times a week.
First, CALEA requires that the company provide a "senior official" as a point of access for law enforcement, and a backup 24/7 contact. Their senior official is their general counsel, and the backup is another lawyer. It's not their network operations center. Their general counsel wants to see a warrant, and checks back with the court to make sure it's valid. This is the way to do it; bring in Legal.
There's a procedure for "emergency requests" in advance of a warrant under CALEA. This telco immediately faxes the law enforcement requester a brief form to fill in for those. It requires name, police department, office address, badge number, and a brief explanation of why there's no warrant yet. The form to be signed by the law enforcement official contains a statement that the official will provide a warrant within 48 hours, and in the event that they fail to do so, their department will take full responsibility for their actions, including indemnifying the telco against any costs and damages. That's followed by a statement that in the event the law enforcement organization fails to authorize the actions of their official, the official will be personally responsible for said costs. The telco also reserves the right to disclose requests for which a court order does not follow.
This discourages fake "emergency" requests. Get your legal people to draft something like that. The key to this is that law enforcement's interface to your company should go through your legal department.
(I used to have a link for this, including their forms, but can't find it now. Can anyone else find it?)
"If Comcast makes an emergency disclosure to your law enforcement agency or governmental entity pursuant to 18 U.S.C. § 2702(b) or § 2702(c), you agree to provide Comcast with a formal order to provide your agency with the information provided pursuant to this request within 72 hours. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct."
The law enforcement rep has to sign that. This discourages bogus requests.
Each carrier has their own form. Collect those up and show them to your legal people.
More info: an ACLU copy of some guidance for law enforcement on CALEA.  Note that DOJ says different carriers have different requirements; some require a court order, and some don't.
More info: Sprint's form. Another "under penalty of perjury" requirement, plus "Pursuant to Title 18 United States Code §2518, §2701, and §3125 all electronic surveillance assistance will terminate if the appropriate legal demand or customer consent is not received within
More info: MetroPCS's policy. "At a minimum, requests for interceptions citing Exigent Circumstances must include: ... a statement that no warrant or court order is required by law. ... a statement that all statutory requirements have been met. ... the signature of EITHER (i) the Attorney General of the United States, OR (ii) a law enforcement officer specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, or by the principal prosecuting attorney of any state or subdivision thereof."
It looks like industry practice other than for AT&T is to impose reasonably strict standards on confirming such requests.
It is way more likely that your data is protected from the local police than from NSA/CIA.
The big problem with that is cost.
If it's a giant telecom they are already paying in-house lawyers. If it's a smallish ISP then this costs them big bucks to keep outside counsel on retainer. Maybe they can work with their law firm and cut a deal?
This stuff is pretty much boilerplate, so maybe a paralegal can do most of the work and then get it blessed by a J.D.?
A thorough legal aid following the chain of evidence would see right through that.
If I were part of a business, I would be obliged to follow the laws about giving away data, so I would find out exactly what my legal obligation is, and follow that as best I could. If that means asking for a warrant, I would politely, but firmly ask for one.
I'm thinking of getting one of those doormats that say "GET A WARRANT", personally.
It's not illegal or even immoral for a detective or agent to ask a company or individual "Hey, what can you tell me about X?" Depending on the nature of the relationship between the company/individual being questioned and X, it's usually not illegal for them to provide information to the officer. The problem is, depending on the nature of the investigation, that information can be considered hearsay and can be attacked by a defense attorney, so usually when an officer asks those kinds of broad questions they are simply trying to see if it's worth their time to get a warrant and get all the information they can on X. They can then take what they learn to a judge to convince them to sign off on the warrant so they can get the admissible evidence needed to proceed with an arrest and indictment.
And yes, you have every right to not consent to questioning or a search without a warrant (whether you are being questioned as a witness or a suspect), and you should exercise that right vigorously. Don't make it easy on them, make them work hard to build their case, because they should indeed be held to a higher standard.
It's more akin to asking other witnesses if they saw/heard anything.
1: I will note that cooperating with LE voluntarily can have backlash. Ignorant AGs will go after you because they e.g. misunderstand how networks work and blame you for customer actions, even if you try to helpfully educate them.
Defense attorneys and their investigators also investigate crimes. This realization shows why broadening the warrant requirement can have perverse outcomes.
Say you are defending a man accused of rape due to lack of consent. Let's also say that this is a false accusation that can be proven false because the accuser uploaded a video of the events which show consent to her Facebook account. Let's further say that the defense really wants access to this video. If a warrant is required, the defense can NEVER get it because there is no way under the law the defense can get a warrant (unlike a subpoena or court order).
Think about that for a minute. Everything that requires a warrant cannot be accessed by the defense, regardless of what is at stake (which is always life and liberty). Period.
PS: I'm not suggesting rape accusations are usually false. Just an example to illustrate the downside of a broad warrant requirement from someone who defends accused people.
> I would be obliged to follow the laws about giving away data, so I would find out exactly what my legal obligation is, and follow that as best I could.
Of course, the law requires people to obey subpoenas as well as warrants, as the commenter would find out if they did what they said. The point is to follow due process, not that everyone has to become a lawyer and learn the fine distinctions between different types of writ.
On HN and most places on the internet, most people support the warrant requirement for most or all digital data. I do too, in a sense, as I believe law enforcement shouldn't have unfettered access to a person's digital info.
However, as a defense attorney, I've learned that a consequence of the warrant requirement is that the defense has no legal way to access digital information during a defense investigation.
In effect, a warrant requirement for digital materials means only law enforcement and prosecutors can access them. However, an accused person's attorney cannot.
Plus, who wants to sully a relationship with people who have the power to make your life and business miserable?
They're people driven by the same selfish pressures most are, but there is little oversight or regulation to keep that in check.
Getting answers quickly and cheaply is considered good investigative work. A warrant is a last resort and exists as a check against their desire for answers from someone who is unwilling to comply.
They don't have an ethical requirement to take the longest route to that goal. So, if asking nicely, or bullying gets the job done with less work, then many will do that.
What makes me wonder the most is that most of the time they won't go down the legal route. Instead, they just seem to do their job without the data afterwards as well. So what was the point in requesting the data in the beginning?
10 years old and not even close to the oldest evidence.
Now, we've gotten to the point where the challenges facing mass surveillance are political rather than physical. I think that this is a lot more dangerous than 1800s police looking at telegraph printouts line by line.
> We had no idea the government was recording every phone conversation in the u.s.
> We still had some hope that the rule of law was being followed
All lies. This was well covered on slashdot when it happened. We all knew exactly what it meant.
Snowden's release was iron clad and incontrovertible, which was refreshing, but it also detailed the extent to which private tech companies outside of AT&T were aiding the federal government in their illegal activities.
Even the most paranoid nutbag commenting on those old slashdot threads couldn't imagine how bad it was going to get. Reality outpaced the conspiracy theorists.
Wasn't it already ruled illegal prior to Snowden and the phone companies had to be retroactively indemnified by congress?
EDIT: This is it https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_%...
Did anybody really think it stopped when the secret room was uncovered in 2006? Telecom companies make no promise that your traffic is protected. It's up to you to protect yourself.
Before discovery of that room everyone knew that there was close cooperation between the telecoms and the government, but we had no idea it was this close and we were shocked at especially the recording of all phone conversations in the u.s.
Risk assessment has always been part of security. And people have always said that you should probably assume a well funded government can and does read everything. This was more of an assumption, but the fact that governments do listen to everything should not have been a surprise.
By any available evidence, these guys can't even maintain a simple download counter on their wiki. A random IT contractor like Snowden was already gone for a month and they had no idea. I think they still have no clue what he has.
All the science fiction gives this very distorted picture when really the people working at the NSA are private-sector leftovers, and even if someone with half a brain slips into their ranks, a layer of ignorance and government inefficiency will promptly suffocate them. It's a good thing, their incompetence is our only protection.
Obviously it's still a terrible situation to set up this infrastructure given the potential for abuse, so I'm not defending it. I'm just saying I've been an American long enough to know $$ is at the heart of this, not control, and the $$ they're getting isn't dependent on how good of a job they do, so don't expect a well-oiled machine.
Lately, I'm becoming very suspicious of infosec people who imply huge threats, or mystical capabilities.
Snowden's cache certainly hasn't instilled any confidence in the NSA's abilities.
"NSA officials picked up on Google research in 2007 that ultimately paved the way for the intelligence agency’s formal adoption of cloud computing in 2010—part of a broad effort within the intelligence community to more effectively share data and services. In a similar move, the CIA last year signed a contract with Amazon Web Services for a cloud to be used by all 17 intelligence agencies."
I would hope (but do not expect) that the NSA or some other agency has a permanent penetration effort over those networks and databases, to discover vulnerabilities before others do. Because bygawd you know other governments and criminals must be so currently engaged.
And because of that, we can trust nobody, and work to encrypt everything at the most fundamental layers we have access to. Good for individual privacy, but you can't help but note that the NSA continues to shoot itself in the foot in pursuing its goals.
There has to be willful ignorance at the top of the food chain. They can't believe this stuff actually works, or is in any way actually related to national security. But it must be so, so they double-think themselves into believing it. Having met people at that level in other government branches, I can't see it as anything else.
"Gee guys, any idea why our conversion rates are so low?"
Take this for example: I am a student at the University of Wisconsin. There's a nonprofit/cooperative in Wisconsin called wiscnet. They provide(d) libraries and schools with Internet. A Wisconsin telecom association (mostly backed by AT&T) was able to use their lobby to push it out. Millions in infrastructure made useless because it was argued to be anticompetitive.
The story is told much better by Ars. 
Oklahoma's is "OneNet", and we had a T1 at usao.edu back in '93.
I set up the very first USAO web site as a summer Independent Study project in '95, running a web server on our VAX 4700. People told me "You have to have a Sun box to run a web server!" and I proved them wrong. It was a fun 9-week gig, because the actual work only took me a couple of weeks, including creating an HTML version of the Student Handbook. Bits of the site I created persisted for almost a decade.
Wow, they really think that's what they're doing, don't they? Nothing above and beyond here, right?
BTW, I was actually surveyed by AT&T on the phone when the news that they were doing this first broke over a decade ago.
The Snowden releases cost u.s. tech companies $100B+, including a 10% drop in Cisco quarterly revenues. Hopefully this continues as multinationals continue to move their business outside the u.s.
Let the u.s. government spy on Americans all they want since Americans seem to like being spied on, while the rest of us move on. I know that mindset doesn't match many of the people here on HN, but Americans are mostly Authoritarian and seem to like the comfort they feel from programs like this.
What exactly is your source on this? If we're going to stick with anecdotal evidence, I (who actually live in the US) have found most people's reaction to the Snowden revelations to be overwhelmingly negative, particularly among younger people.
If we want to look at some actual data, instead of accusations about public opinion by someone who doesn't even live in the US, it appears that a majority of Americans don't approve of the NSA's actions. On top of that, companies like Apple, Facebook, etc. have been implementing end to end encryption so thoroughly that the government is pushing to make it illegal.
So I'd thank you to not decide that all Americans like to be spied on, or that we're mostly authoritarian, just because it fits your ideology.
I'm not going to criticize a Pew survey, much, but, I do think that the set of survey participants may be distinct from the people who vote. I also think that when people are answering a survey there is very little emotion involved as opposed to when they are voting; where people are barraged with messages fully intended to stimulate emotional responses. Those are a couple of things that might explain a difference. I'd also note that it has a relatively small sample size (475). So, I don't think the survey is the last word on the matter.
You only have to look at the consequences of the Snowden revelations. Nothing has really changed - some meaningless legislation was passed that moves the phone metadata recording to the phone companies from the NSA, but even then it's not clear that it's stopped - the NSA data center in Utah where those conversations were recorded doesn't seem to be shutting down. I would bet the phone conversation, Skype conversation, etc. recording is still going on since it was never explicitly addressed anywhere in legislation.
And my comment about Americans being Authoritarian is nothing new - they've long been considered to be Authoritarian.
So your evidence that the public doesn't care about the revelations is that the government (who are the perpetrators of the spying) haven't changed their ways? Could it instead be because when selecting candidates to vote for (for the minority that do vote, which is a separate problem), Americans have prioritized other issues? Do you think that the survey I cited was methodologically unsound, or that people were simply lying?
How about the fact that private companies are responding by changing their platforms to be more resistant to such data collection even under warrant, and publicizing the fact? Why do you think they are doing that, if not to appease the public?
> And my comment about Americans being Authoritarian is nothing new - they've long been considered to be Authoritarian.
By who? You? And whether or not the government is authoritarian, how does that imply the people like it?
Sure, so you basically admitted to his first point being right. That Americans don't care so much when it comes to their privacy.
> How about the fact that private companies are responding by changing their platforms to be more resistant to such data collection even under warrant, and publicizing the fact? Why do you think they are doing that, if not to appease the public?
Those are PR stunts. From companies like FB that are on record founded by CIA, and having the same investors as companies such as Palantir, I'm sure a bunch of data exchange is happening behind the curtains.
> By who? You? And whether or not the government is authoritarian, how does that imply the people like it?
Unless you are really this dumb, or you're just plain trolling, how about the last 20 years of America's political history, for a start?
It means that they either don't care, or that they care about other issues more (foreign policy, economy, etc.). Even sticking to issues with technology, I am far more concerned about banning end-to-end encryption without key escrow than with legislation to ban wiretapping. The US government has a long history of doing illegal wiretapping anyway, so I think the better solution is for private companies and citizens to make it more difficult practically, not legally. Does that mean I don't care about privacy?
> Those are PR stunts.
Which is exactly my point. Why would they perform such stunts if the public at large didn't care about wiretapping, or if they mostly supported it?
> Unless you are really this dumb, or you're just plain trolling
Thanks. That was a great rebuke to the way I personally insulted you and everyone else who has been a part of this conversation.
> how about the last 20 years of America's political history, for a start?
That is definitely evidence that America's government was and is authoritarian in many aspects, which I wholeheartedly agree is the case. It is also evidence that the voting segments of the population for the past 20 years (and further) have a similar bent. However, my issue with the original post is that he made a blanket statement about Americans in general. I don't think it's a great thing that the majority of Americans don't vote, but as a result this can only possibly suggest the attitudes of a minority of Americans. That is why I prefer to judge what the public thinks about an issue by a poll, not by elected officials, or by anecdotal evidence (mine or anyone else's).
I don't vote, and I care about this issue. Why don't I vote? Mostly because the things I care about are not made campaign issues. That might be common.
If you care, please vote – even if it's just for the one guy who pledges to hold the NSA accountable for its actions.
OP thinks that because the people are supposed to be in charge of the government. If the people really want to change something, they should be able to change it - i.e. see what happens in France when an elected leader tries to take away a single day of maternity leave or change benefits - literally millions of people rally in the streets, then that person gets voted out, almost immediately.
Now, if the people of the United States are not in control of their government, you have a whole 'nother issue to solve.
I'm not really sure what you mean by encryption, though. Apple's iMessage may be encrypted, but their key exchange can be MitM'd easily.
Realistically you wouldn't use a service that exists because of the profit motive or is in the US. It will continue to operate to drive a profit while working with the government to stay in business.
They have been complicit with PRISM since 2012 without a peep.
Think municipal fiber, but at a wholesale level.
Google Fiber is this.
I'm suggesting a non-profit organization or entity that is a holding company for dark fiber assets for tech companies, with a charter that specifically protects the privacy and integrity of the packets that travel over it.
If your packets run over AT&T, you clearly have lost. But if you control physical access, the only way the government is going to gain unlawful access is through someone who has integrated themselves into your org or through an illicit fiber tap. You've significantly reduced your attack surface.
EDIT: You could even go so far as to require different orgs to travel over physically diverse strands, thereby preventing any sort of multi-tenant shenanigans, with the cable being shared ownership.
More importantly, they probably wouldn't. All those companies you previously listed have been identified in documents leaked by Edward Snowden as supporting the NSA with backdoors.
You're a foreign national with an interest in cryptography living in Switzerland. Of all the people in the world who shouldn't be so absolutely clueless, it's you. They're on you like stink on shit, and suggesting otherwise is laughably stupid. What do you think, Switzerland became a discreet financial haven out of a measure of luck, while Swiss intelligence sat around being good, decent, idle people?
For all of my extensive problems with U.S. intelligence, they at least made an effort to uphold the law. They failed, yes, but so many pivotal decisions were around the legal framework. I wonder how such a conversation goes in Ukrainian intelligence, or German, or Mexican. "We have a lead on El Chapo but we can't follow up because it's illegal to wiretap." Yeah, okay.
Come back to reality, bud.
Or the German intelligence collaborating with the NSA? I won't even mention the British GCHQ, because they almost make the NSA look good.
And that's just Western Europe. Let's not talk about the way Chinese citizens can enjoy frank exchanges of views on the Internet without fear of repercussions.
I'm going to reiterate, because I can't believe I'm having this conversation: you said, nearly verbatim, the other Western governments do not spy like the United States. And you consider that a sane opinion in the wake of these disclosures, and call me a shill for disputing it.
The retroactive immunity to which you refer is one disclosure we know about. What I was speaking to was President Bush's PSP, which they made a significant effort to satisfy legality on. Everyone is in accord on that: them, Poitras, Snowden. They were wrong, particularly Gonzales, but they still tried to base it in the law until they lost the Justice Department. Even the FISA court is an attempt at legality. I'm not saying I agree, I'm saying the government made a conscious choice to try to play by the rules, even though their rule book was absolutely bananas. I'm making the case that in other governments, that same zeal might not apply, and there are probably governments wherein rights are more freely trampled upon.
Again, that you think I'm a shill for presenting the completely normal security industry philosophy of don't trust anyone is just hilarious. I've been charged with multiple felonies by the United States justice system for CFAA-related offenses and convicted of one. I have the most stake in criticizing the way we do things. You're laying down smoke to cover your own opinions going after my "shill" status, and I want you to know that it's entirely transparent.
Sometimes I think Hacker News is just trolls trolling trolls.
Tomorrow, after your meds, read what you wrote and you will see that you are arguing against yourself. I'm only responding to you so that others here can see how insane you are.
Tomorrow if you wish to continue this debate we can do so in person with Roberts rules of debate, the loser with their head between their knees.
Doubly so because you ignored our request to improve.
It's also long past time when providers like Google, Microsoft, Yahoo, etc. could have been offering secure communications and storage. At some point you have to suspect they are in with the surveillance state as much as the telcos are.
Right, the people here on HN only support spying when they are the ones doing it to users for "ad targeting" purposes.