AT&T Helped N.S.A. Spy on an Array of Internet Traffic (nytimes.com)
568 points by tchalla on Aug 15, 2015 | 117 comments

Cases like this reinforce my opinion, that there is an increasing demand to educate consumers how to prevent getting data leaked to government institutions like intelligence services. Especially the consequences of picking the wrong service provider.

Luckily I am now in a position where I am fully responsible and aware of the routes my data takes. Yet we as a B2B ISP constantly get requests by intelligence services to provide information regarding our customers. Strangely they always assume that's totally okay to -just- ask for the data, instead of going the formal way. If we demand the judicial permissions they always rant about emergencies and so on. We can't help but follow the law, and the law disallows us to keep specific data for more than 60 days. I am really curious about how many ISPs voluntarily provide their customer data without asking for judicial permission beforehand.

Such conversations are coming around 2 or 3 times a week.

There's one cellular provider which has the obligation under CALEA to do wiretaps. They comply with the law strictly, which annoys the FBI.

First, CALEA requires that the company provide a "senior official" as a point of access for law enforcement, and a backup 24/7 contact. Their senior official is their general counsel, and the backup is another lawyer. It's not their network operations center. Their general counsel wants to see a warrant, and checks back with the court to make sure it's valid. This is the way to do it; bring in Legal.

There's a procedure for "emergency requests" in advance of a warrant under CALEA. This telco immediately faxes the law enforcement requester a brief form to fill in for those. It requires name, police department, office address, badge number, and a brief explanation of why there's no warrant yet. The form to be signed by the law enforcement official contains a statement that the official will provide a warrant within 48 hours, and in the event that they fail to do so, their department will take full responsibility for their actions, including indemnifying the telco against any costs and damages. That's followed by a statement that in the event the law enforcement organization fails to authorize the actions of their official, the official will be personally responsible for said costs. The telco also reserves the right to disclose requests for which a court order does not follow.

This discourages fake "emergency" requests. Get your legal people to draft something like that. The key to this is that law enforcement's interface to your company should go through your legal department.

(I used to have a link for this, including their forms, but can't find it now. Can anyone else find it?)

Here's Comcast's form for emergencies.[1] It ends with

"If Comcast makes an emergency disclosure to your law enforcement agency or governmental entity pursuant to 18 U.S.C. § 2702(b) or § 2702(c), you agree to provide Comcast with a formal order to provide your agency with the information provided pursuant to this request within 72 hours. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct."

The law enforcement rep has to sign that. This discourages bogus requests.

Each carrier has their own form. Collect those up and show them to your legal people.

More info: an ACLU copy of some guidance for law enforcement on CALEA. [2] Note that DOJ says different carriers have different requirements; some require a court order, and some don't.

More info: Sprint's form.[3] Another "under penalty of perjury" requirement, plus "Pursuant to Title 18 United States Code §2518, §2701, and §3125 all electronic surveillance assistance will terminate if the appropriate legal demand or customer consent is not received within 48 hours."

More info: MetroPCS's policy.[4] "At a minimum, requests for interceptions citing Exigent Circumstances must include: ... a statement that no warrant or court order is required by law. ... a statement that all statutory requirements have been met. ... the signature of EITHER (i) the Attorney General of the United States, OR (ii) a law enforcement officer specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, or by the principal prosecuting attorney of any state or subdivision thereof."

It looks like industry practice other than for AT&T is to impose reasonably strict standards on confirming such requests.

[1] http://www.comcast.com/~/Media/403EEED5AE6F46118DDBC5F8BC436...

[2] https://www.aclu.org/files/cellphonetracking/20120328/celltr...

[3] http://al911board.com/sites/default/files/Sprint%20-%20Nexte...

[4] https://info.publicintelligence.net/metropcscalea.pdf

I think you are conflating law enforcement/evidence-gathering surveillance (which the NSA does not give a rat's ass about) with national security/intelligence community spying. On all accounts the story is less dire for the former.

It is way more likely that your data is protected from the local police than from NSA/CIA.

I am very interested in these forms and would be grateful if someone could provide a link to them. If they're watertight, we could probably reduce some overhead with them. Although I dislike the idea of using an employee as a "responsibility-shield" for failing government agencies.

I am interested in discovering the carrier with the most onerous forms in order to procure service from them.

It helps that carriers now have immunity so they can do whatever the NSA asks of them without fear of any repercussions (other than stories like this one, but meh, everyone is going to think "it's not going to happen to us" at the time of doing the deed).

> This is the way to do it; bring in Legal.

The big problem with that is cost.

If it's a giant telecom they are already paying in-house lawyers. If it's a smallish ISP then this costs them big bucks to keep outside counsel on retainer. Maybe they can work with their law firm and cut a deal?

This stuff is pretty much boilerplate, so maybe a paralegal can do most of the work and then get it blessed by a J.D.?

CALEA has some provision to reimburse costs. Not sure how well it works in practice.

I would set up a fake identity for the whole department to use and use that for all requests.

Wouldn't that make the evidence inadmissible though?

A thorough legal aid following the chain of evidence would see right through that.


Looked at another way, assisting the government in subverting the Constitution should not be a "Get Out Of Jail, Free" card.

To be fair, if I were investigating a crime I would start by just asking companies to give me information informally, even if most say no.

Out of curiosity, how about if you were investigating potential crime, or tasked with crime prevention? In other words, crimes that you believe are being planned and may happen in the future, based on some non-individualized correlation (e.g. past shootings in a particularly problematic neighborhood). Would this change your approach?

I'm not sure I understand the question. If I were investigating a potential crime and I thought it was important and I thought some company had information that would help me solve it or prevent it, then yes, I would probably ask the company about it. Wouldn't you?

One at a time, sure, ask the companies. But are you going to write an algorithm to ask every single company in the US about every single possible crime? What would you then do with that information? It would be a ridiculous amount of false positives and innocent people getting privacy and rights thrown by the wayside. I think that's what he's getting at...


Exactly, thanks for stating it more clearly than I did. The NSA isn't claiming credible evidence of a specific threat to justify this for a limited period of time – they're collecting everything and sifting through it, in order to try to prevent harm caused by an open-ended and non-specific threat.

To be fair, if I were (a public servant) involved in organised crime I would start by just asking companies to give me the information informally, even if most say no.

Why? If you were investigating a crime, you're in law enforcement. Officers of the law have an ethical duty to obey the law, perhaps a stronger duty than those of us who are not sworn to uphold the Constitution or some other higher document. Law enforcement officers also have better knowledge of the law and what it requires of both officers and people/businesses with data.

If I were part of a business, I would be obliged to follow the laws about giving away data, so I would find out exactly what my legal obligation is, and follow that as best I could. If that means asking for a warrant, I would politely, but firmly ask for one.

I'm thinking of getting one of those doormats that say "GET A WARRANT", personally.

Having worked in law enforcement for many years in the past, maybe I can shed some light on this.

It's not illegal or even immoral for a detective or agent to ask a company or individual "Hey, what can you tell me about X?" Depending on the nature of the relationship between the company/individual being questioned and X, it's usually not illegal for them to provide information to the officer. The problem is, depending on the nature of the investigation, that information can be considered hearsay and can be attacked by a defense attorney, so usually when an officer asks those kinds of broad questions they are simply trying to see if it's worth their time to get a warrant and get all the information they can on X. They can then take what they learn to a judge to convince them to sign off on the warrant so they can get the admissible evidence needed to proceed with an arrest and indictment.

And yes, you have every right to not consent to questioning or a search without a warrant (whether you are being questioned as a witness or a suspect), and you should exercise that right vigorously. Don't make it easy on them, make them work hard to build their case, because they should indeed be held to a higher standard.

Are they breaking the law by asking people to voluntarily hand over information they have? Does the US have privacy laws that require a company to demand a warrant? I don't think there is, and having been involved in telecom for a while, I've not heard of such a thing[1].

It's more akin to asking other witnesses if they saw/heard anything.

1: I will note that cooperating with LE voluntarily can have backlash. Ignorant AGs will go after you because they e.g. misunderstand how networks work and blame you for customer actions, even if you try to helpfully educate them.

"If you were investigating a crime, you're in law enforcement." False.

Defense attorneys and their investigators also investigate crimes. This realization shows why broadening the warrant requirement can have perverse outcomes.

Say you are defending a man accused of rape due to lack of consent. Let's also say that this is a false accusation that can be proven false because the accuser uploaded a video of the events which show consent to her Facebook account. Let's further say that the defense really wants access to this video. If a warrant is required, the defense can NEVER get it because there is no way under the law the defense can get a warrant (unlike a subpoena or court order).

Think about that for a minute. Everything that requires a warrant cannot be accessed by the defense, regardless of what is at stake (which is always life and liberty). Period.

PS: I'm not suggesting rape accusations are usually false. Just an example to illustrate the downside of a broad warrant requirement from someone who defends accused people.

The comment you're responding to said

> I would be obliged to follow the laws about giving away data, so I would find out exactly what my legal obligation is, and follow that as best I could.

Of course, the law requires people to obey subpoenas as well as warrants, as the commenter would find out if they did what they said. The point is to follow due process, not that everyone has to become a lawyer and learn the fine distinctions between different types of writ.

I agree with you. My comment was more of a commentary on the unintended consequences of this: http://www.wired.com/2013/01/google-says-get-a-warrant/

On HN and most places on the internet, most people support the warrant requirement for most or all digital data. I do too, in a sense, as I believe law enforcement shouldn't have unfettered access to a person's digital info.

However, as a defense attorney, I've learned that a consequence of the warrant requirement is that the defense has no legal way to access digital information during a defense investigation.

In effect, a warrant requirement for digital materials means only law enforcement and prosecutors can access them. However, an accused person's attorney cannot.

Because it takes the least amount of time and effort to get the answers you need. Most people want to do the "right thing" to catch the bad guy, and will help out a LEO without a warrant to that end.

Plus, who wants to sully a relationship with people who have the power to make your life and business miserable?

Sadly, I imagine you're correct. But you're speaking of regular citizens, not the law enforcement officers. The officers would seem to have a greater duty than ordinary citizens, no?

What duty do they have other than to ensure they get credit for a job well done and to continue their career building?

They're people driven by the same selfish pressures most are, but there is little oversight or regulation to keep that in check.

Getting answers quickly and cheaply is considered good investigative work. A warrant is a last resort and exists as a check against their desire for answers from someone who is unwilling to comply.

I guess for all practical purposes, no other duty. I am 100% positive that all law officers take a special oath, and are also treated differently according to the letter of the law. Police officers are allowed to carry firearms and shoot people legally, after all. In addition to extra leniency about capping people, law officers have additional legal duties. I mean, we're treated to "ignorance of the law is no excuse", so I must believe that law officers aren't ignorant of the law, and have extra legal duties. So in practice I agree, they're motivated by all the same things the rest of us are, but we give police special privileges, supposedly in return for extra responsibilities. I believe we (including the law officers themselves) should hold law officers to higher standards.

An oath and standards are ideals unless we do something significant to uphold them. I agree with your last point entirely.

>Officers of the law have an ethical duty to obey the law

They don't have an ethical requirement to take the longest route to that goal. So, if asking nicely, or bullying gets the job done with less work, then many will do that.

It could just be a technique to convince you it's perfectly normal to give up the data. I wouldn't be surprised if many people would fall for such a thing.

That is of course possible. I highly think that most companies fall for it. If you speak with someone of a state agency, you always feel like they are used to get it. Some of them are actually surprised and openly disappointed when you refuse to hand over.

What makes me wonder the most is that most of the time they won't go down the legal way. Instead they just seem to do their job without the data as well afterwards. So what was the point in requesting the data in the beginning?

It's a shame these conversations don't get published in realtime.

Where have you all been?


10 years old and not even close to the oldest evidence.

It goes back hundreds of years! National intelligence agencies have consistently managed to get full intercepts. Way back in the day, they counterfeited wax seals and steamed open letters. In the 1800s, they got telegraph printouts. In the early 1900s, wires. In the 60s-70s, tapes. Then hard drives. It's just part of what governments do ;)

I think that the big difference today is that they can analyze all data that they can grab. Back in the Good Old Days, you had to devote considerable manpower to this analysis; if you wanted to read letters, you had to be specific because you simply didn't have the resources to look at everyone's mail. This is why most people (including me) have no problem with the idea of monitoring POTS lines; it ties up a considerable amount of resources, so the police are much more likely only to tap the phones they think will get results.

Now, we've gotten to the point where the challenges facing mass surveillance are political rather than physical. I think that this is a lot more dangerous than 1800s police looking at telegraph printouts line by line.

Yes, that's an excellent point. And capabilities for data analysis are improving rapidly. Google still has far better tools, but the NSA has the intercepts. And it will get the tools. Eventually, it will become the Eschaton ;)

This was an interesting and early revelation, but it wasn't until the Snowden documents that we understood what this closet really meant. We had no idea the government was recording every phone conversation in the u.s., every email, etc... We still had some hope that the rule of law was being followed and that this closet was just a way to make targeted surveillance easier.

> but it wasn't until the Snowden documents that we understood what this closet really meant.

> We had no idea the government was recording every phone conversation in the u.s.

> We still had some hope that the rule of law was being followed

All lies. This was well covered on slashdot when it happened. We all knew exactly what it meant.

Snowden's release was iron clad and incontrovertible, which was refreshing, but it also detailed the extent to which private tech companies outside of AT&T were aiding the federal government in their illegal activities.

Even the most paranoid nutbag commenting on those old slashdot threads couldn't imagine how bad it was going to get. Reality outpaced the conspiracy theorists.

This is my recollection too. I think everyone held their breath hoping we'd pull away from the edge.

>some hope that the rule of law was being followed

Wasn't it already ruled illegal prior to Snowden and the phone companies had to be retroactively indemnified by congress?

Close, I think that the premise the Bush administration used to obtain this information, "dragnet surveillance", was ruled illegal, which exposed the phone companies to lawsuits. Congress then retroactively indemnified them.

EDIT: This is it https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_%...

Worth reading: ProPublica (who co-published with NYT on this story) has an explainer of how they followed the trail of documents to break this story:


Is this really a surprise to anyone? We've known that the N.S.A. has gotten (or coerced) support from communications companies in the past, and AT&T in particular (the article mentions it going back as far as 2003 https://en.wikipedia.org/wiki/Room_641A).

Did anybody really think it stopped when the secret room was uncovered in 2006? Telecom companies make no promise that your traffic is protected. It's up to you to protect yourself.

I'm not surprised, but it still needs to be called out. The price of freedom from your government is eternal vigilance.

Spying on the u.n. based on terrorism legislation is a revelation. Recording of all telephone conversations in the u.s. is a revelation. Recording of all emails, skype, sms, etc is a revelation.

Before discovery of that room everyone knew that there was close cooperation between the telecoms and the government, but we had no idea it was this close and we were shocked at especially the recording of all phone conversations in the u.s.

Even though we had pretty thorough proof of this with ECHELON? Including the EU parliament report into echelon; and the stuff about the US using it to provide commercial advantage to their aerospace industry?

Risk assessment has always been part of security. And people have always said that you should probably assume a well funded government can and does read everything. This was more of an assumption, but the fact that governments do listen to everything should not have been a surprise.

No, not really with ECHELON. That would have required all phone calls in the u.s. to be routed outside of the u.s., and really the only cooperating country was the UK, even though Canada was part of the group. It wasn't practical to route all communications from the u.s. through the UK, and it probably would have been noticed.

The NSA's giant database will be breached. It's only a matter of time. It could be state-sponsored (e.g. like the OPM theft), or it could be due to the NSA's own lack of internal security oversight. Maybe not this year, maybe not next. I certainly won't have anything to do with it. But it'll eventually happen. What then?

What makes you think they are not already breached?

By any available evidence, these guys can't even maintain a simple download counter on their wiki. A random IT contractor like Snowden was already gone for a month and they had no idea. I think they still have no clue what he has.

All the science fiction gives this very distorted picture when really the people working at the NSA are private-sector leftovers, and even if someone with half a brain slips into their ranks, a layer of ignorance and government inefficiency will promptly suffocate them. It's a good thing, their incompetence is our only protection.

Surveillance state is all about $$, it's an evolving industry where people have figured out how to make billions. I share the same doubts with OP here, they aren't as much of a Big Brother as they are just a bloated cash cow scraping by & keeping appearances. They aren't particularly competent primarily because they don't really care as much as we think they do.

Obviously it's still a terrible situation to set up this infrastructure given the potential for abuse, so I'm not defending it. I'm just saying I've been an American long enough to know $$ is at the heart of this, not control, and the $$ they're getting isn't dependent on how good of a job they do so don't expect a well-oiled machine.

Wow, if you really believe this, you've got another thing coming.

Do you even have anecdotes to back this up? I'd prefer some kind of data, a citation or a revelation from you, but even anecdotes allow me to consider internal consistency.

Lately, I'm becoming very suspicious of infosec people who imply huge threats, or mystical capabilities.

I don't get it, what's keeping this childhood dream alive?

Snowden's cache certainly hasn't instilled any confidence in the NSA's abilities.

Here is an article on security agencies using a private amazon cloud system built at the government's spying facility in Utah. http://www.nextgov.com/cloud-computing/2014/11/nsa-turns-clo.... So it is possible Amazon can secure it properly.

"NSA officials picked up on Google research in 2007 that ultimately paved the way for the intelligence agency’s formal adoption of cloud computing in 2010—part of a broad effort within the intelligence community to more effectively share data and services. In a similar move, the CIA last year signed a contract with Amazon Web Services for a cloud to be used by all 17 intelligence agencies."

The NSA's databases must be the Holy Grail for other governments and criminals.

I would hope (but do not expect) that the NSA or some other agency has a permanent penetration effort over those networks and databases, to discover vulnerabilities before others do. Because bygawd you know other governments and criminals must be so currently engaged.

Could already be breached, and we would probably never know. It's not feasible for somebody to post all the info online like often happens in hacks, there's just too much data.

This should surprise no one. https://en.wikipedia.org/wiki/Room_641A

You should also be unsurprised to have it pointed out that your surprise level is wholly irrelevant and rather silly to mention. Murder is unsurprising and we don't ignore it. The "And this surprises you?" Meme response should always be "Adults are talking."

> At the same time, the government has been fighting in court to keep the identities of its telecom partners hidden.

And because of that, we can trust nobody, and work to encrypt everything at the most fundamental layers we have access to. Good for individual privacy, but you can't help but note that the NSA continues to shoot itself in the foot in pursuing its goals.

There has to be willful ignorance at the top of the food chain. They can't believe this stuff actually works, or is in any way actually related to national security. But it must be so, so they double-think themselves into believing it. Having met people at that level in other government branches, I can't see it as anything else.

My favorite part of this was the not 1 but /3/ AT&T U-verse advertisements embedded in the mobile page.

"Gee guys, any idea why our conversion rates are so low?"

It must be so nice for AT&T; making money twice on the same customer.

It's interesting that they released this report on a Saturday, when markets are closed.

let's keep it on the front page until Monday

What we really need is less centralization and more communities able to invest in 21st century infrastructure. We might be too far gone, though.

Take this for example: I am a student at the University of Wisconsin. There's a nonprofit/cooperative in Wisconsin called wiscnet [1]. They provide(d) libraries and schools with Internet. A Wisconsin telecom association (mostly backed by AT&T) was able to use their lobby to push it out. Millions in infrastructure made useless because it was argued to be anticompetitive.

The story is told much better by Ars. [2]

[1]: http://wiscnet.net/

[2]: http://arstechnica.com/tech-policy/2011/06/wisconsin-public-...

I think a lot of states have (if not active, legacy) Internet backbones where schools and such had connectivity back in the day before the "general public".

Oklahoma's is "OneNet"[1], and we had a T1 at usao.edu back in '93 [2].

[1] https://onenet.net/

[2] I set up the very first USAO web site as a summer Independent Study project in '95, running a web server on our VAX 4700. People told me "You have to have a Sun box to run a web server!" and I proved them wrong. It was a fun 9-week gig, because the actual work only took me a couple of weeks, including creating an HTML version of the Student Handbook. Bits of the site I created persisted for almost a decade.

“We don’t comment on matters of national security”

Wow, they really think that's what they're doing, don't they? Nothing above and beyond here, right?

BTW, I was actually surveyed by AT&T on the phone when the news that they were doing this first broke over a decade ago.

Geez, what a yawner. This has been either assumed or an open secret for decades.

Could the actual physical infrastructure be decentralised? At least in cities?

"news": The "Alphabet" companies help one another.

Cuckoo's nest?

Hopefully companies and organizations like the UN start moving away from AT&T. AT&T is a publicly traded company and so the only thing they understand is profit and loss.

The Snowden releases cost u.s. tech companies $100B+, including a 10% drop in Cisco quarterly revenues. Hopefully this continues as multinationals continue to move their business outside the u.s.

Let the u.s. government spy on Americans all they want since Americans seem to like being spied on, while the rest of us move on. I know that mindset doesn't match many of the people here on HN, but Americans are mostly Authoritarian and seem to like the comfort they feel from programs like this.

> Let the u.s. government spy on Americans all they want since Americans seem to like being spied on, while the rest of us move on. I know that mindset doesn't match many of the people here on HN, but Americans are mostly Authoritarian and seem to like the comfort they feel from programs like this.

What exactly is your source on this? If we're going to stick with anecdotal evidence, I (who actually live in the US) have found most people's reaction to the Snowden revelations to be overwhelmingly negative, particularly among younger people.

If we want to look at some actual data, instead of accusations about public opinion by someone who doesn't even live in the US, it appears that a majority of Americans don't approve of the NSA's actions[1]. On top of that, companies like Apple, Facebook, etc. have been implementing end to end encryption so thoroughly that the government is pushing to make it illegal[2].

So I'd thank you to not decide that all Americans like to be spied on, or that we're mostly authoritarian, just because it fits your ideology.

[1]: http://www.pewresearch.org/fact-tank/2015/05/29/what-america... [2]: http://www.npr.org/sections/thetwo-way/2015/07/08/421251662/...

I live in the US too, and as far as I can tell most people are barely aware of anything to do with Snowden. Of those that are, many have a negative opinion and a very unsympathetic attitude towards privacy or civil rights.

My mom thinks spying is great and my dad thinks the first amendment should have limitations so you can have laws requiring you to be sensitive to particular ethnic groups. They vote every single time. My wife and I disagree with both positions, but we never vote. Neither of those issues really bothers us enough to want to take time off work on a weekday, and we don't think there is a point when the boomers have politics locked up for another few election cycles anyway.

My own mom also doesn't see spying as something that negatively affects her/our cohort, but she probably won't vote because she thinks it protects her from jury summonses. None of my family live in a swing state, and so I'll skip an election unless I care about some of the local candidates. My wife and I have started to take more of an interest in politics recently though and it even looks like my state could flip in 2018 or 2020, maybe even in 2016, but doubtful.

I provided the Pew result because my anecdotal evidence is nearly as suspect as the one given in the post (the only difference is that I actually live in the US now). Do you think there is something wrong with the survey?

>Do you think there is something wrong with the survey?

I'm not going to criticize a Pew survey, much, but, I do think that the set of survey participants may be distinct from the people who vote. I also think that when people are answering a survey there is very little emotion involved as opposed to when they are voting; where people are barraged with messages fully intended to stimulate emotional responses. Those are a couple of things that might explain a difference. I'd also note that it has a relatively small sample size (475). So, I don't think the survey is the last word on the matter.

First, I'm American. I've worked on NSA and DoD projects, and I've worked for PGP. I now live in Switzerland.

You only have to look at the consequences of the Snowden revelations. Nothing has really changed - some meaningless legislation was passed that moves the phone metadata recording to the phone companies from the NSA, but even then it's not clear that it's stopped - the NSA data center in Utah where those conversations were recorded doesn't seem to be shutting down. I would bet the phone conversation, skype conversation, etc recording is still going on since it was never explicitly addressed anywhere in legislation.

And my comment about Americans being Authoritarian is nothing new - they've long considered to be Authoritarian.

> You only have to look at the consequences of the Snowden revelations. Nothing has really changed...

So your evidence that the public doesn't care about the revelations is that the government (who are the perpetrators of the spying) haven't changed their ways? Could it instead be because when selecting candidates to vote for (for the minority that do vote, which is a separate problem), Americans have prioritized other issues? Do you think that the survey I cited was methodologically unsound, or that people were simply lying?

How about the fact that private companies are responding by changing their platforms to be more resistant to such data collection even under warrant, and publicizing the fact? Why do you think they are doing that, if not to appease the public?

> And my comment about Americans being Authoritarian is nothing new - they've long been considered to be Authoritarian.

By who? You? And whether or not the government is authoritarian, how does that imply the people like it?

> Could it instead be because when selecting candidates to vote for (for the minority that do vote, which is a separate problem), Americans have prioritized other issues?

Sure, so you basically admitted to his first point being right. That Americans don't care so much when it comes to their privacy.

> How about the fact that private companies are responding by changing their platforms to be more resistant to such data collection even under warrant, and publicizing the fact? Why do you think they are doing that, if not to appease the public?

Those are PR stunts. From companies like FB that are on record founded by CIA, and having the same investors as companies such as Palantir, I'm sure a bunch of data exchange is happening behind the curtains.

> By who? You? And whether or not the government is authoritarian, how does that imply the people like it?

Unless you are really this dumb, or you're just plain trolling, how about the last 20 years of America's political history, for a start?

> Sure, so you basically admitted to his first point being right. That Americans don't care so much when it comes to their privacy.

It means that they either don't care, or that they care about other issues more (foreign policy, economy, etc.). Even sticking to issues with technology, I am far more concerned about banning end-to-end encryption without key escrow than with legislation to ban wiretapping. The US government has a long history of doing illegal wiretapping anyway, so I think the better solution is for private companies and citizens to make it more difficult practically, not legally. Does that mean I don't care about privacy?

> Those are PR stunts.

Which is exactly my point. Why would they perform such stunts if the public at large didn't care about wiretapping, or if they mostly supported it?

> Unless you are really this dumb, or you're just plain trolling

Thanks. That was a great rebuke to the way I personally insulted you and everyone else who has been a part of this conversation.

> how about the last 20 years of America's political history, for a start?

That is definitely evidence that America's government was and is authoritarian in many aspects, which I wholeheartedly agree is the case. It is also evidence that the voting segments of the population for the past 20 years (and further) have a similar bent. However, my issue with the original post is that he made a blanket statement about Americans in general. I don't think it's a great thing that the majority of Americans don't vote, but as a result this can only possibly suggest the attitudes of a minority of Americans. That is why I prefer to judge what the public thinks about an issue by a poll, not by elected officials, or by anecdotal evidence (mine or anyone else's).

If the public cared, this would be a campaign issue, and it really isn't.

Or maybe it is just that the segment of the public that is expected to vote doesn't care.

I don't vote, and I care about this issue. Why don't I vote? Mostly because the things I care about are not made campaign issues. That might be common.

You don't have to vote on every issue, candidate, or seat – there's no penalty for skipping questions. I do this routinely for issues where I either (a) don't feel qualified/informed enough, or (b) only a single candidate is available (writing in "no confidence").

If you care, please vote – even if it's just for the one guy who pledges to hold the NSA accountable for its actions.

The segment that doesn't care happens to be the majority. Which is exactly the point the original post made.

> So your evidence that the public doesn't care about the revelations is that the government

OP thinks that because the people are supposed to be in charge of the government. If the people really want to change something, they should be able to change it - i.e. see what happens in France when an elected leader tries to take away a single day of maternity leave or change benefits - literally millions of people rally in the streets, then that person gets voted out, almost immediately.

Now, if the people of the United States are not in control of their government, you have a whole 'nother issue to solve.

It's very hard to move away from telecom companies. You may switch your direct services, but whoever you switch to will still use AT&T backbones and the like. All the big telecoms are guilty of being complicit with the government; what would make a difference is one taking a stand like Apple/Google has regarding encryption. That would put pressure on the others to follow suit.

There is no sense in trying to bend all the middle men to our will. The problem is broadcasting anything in the clear. Being able to effectively encrypt data at the IP level is what really needs to happen.

Google and Apple are still subject to the same pressures applied by warrants, subpoenas and national security letters.

I'm not really sure what you mean by encryption, though. Apple's iMessage may be encrypted, but their key exchange can be MitM'd easily.

Realistically you wouldn't use a service that exists because of the profit motive or is in the US. It will continue to operate to drive a profit while working with the government to stay in business.

I heard a rumour that iMessage/Apple is trying to fight an NSL. Does anyone have more details?

Given that NSLs have a gag order, this is probably a PR stunt like the lawsuit against the government.

They have been complicit with PRISM since 2012 without a peep.

Could Google, Facebook, Amazon, and Apple create a non-profit that owns their own dark fiber and parcels out capacity?

Think municipal fiber, but at a wholesale level.

Each of those companies has been implicated as complicit in cooperating with the NSA's warrantless domestic spying.

Not sure why you are down voted but the US Intelligence Agencies are Amazon's single biggest customer.

Also not sure why we haven't heard anything about Amazon/AWS within the Snowden docs... yet. Anyone?

That was the CIA.

The customer yes, but I meant some revelations about tapping AWS internally by the NSA.

Because there are several people on HN who think an illusion of privacy is good enough.

Why would they do it non-profit?

Google Fiber is this.

Google Fiber is for the last mile, consumer/business users.

I'm suggesting a non-profit organization or entity that is a holding company for dark fiber assets for tech companies, with a charter that specifically protects the privacy and integrity of the packets that travel over it.

If your packets run over AT&T, you clearly have lost. But if you control physical access, the only way the government is going to gain unlawful access is through someone who has integrated themselves into your org or through an illicit fiber tap. You've significantly reduced your attack surface.

EDIT: You could even go so far as to require different orgs to travel over physically diverse strands, thereby preventing any sort of multi-tenant shenanigans, with the cable being shared ownership.

They maybe could, but that probably wouldn't stop the NSA from gaining access through other means.

More importantly, they probably wouldn't. All those companies you previously listed have been identified in documents leaked by Edward Snowden as supporting the NSA with backdoors.

Who are these lucky "rest of us" fellows who have both advanced technical infrastructure and no government spying? They don't live in the EU, Russia, and I guess most of Asia.


The idea that Five Eyes is unique in its pursuits and "any Western country besides the u.s." isn't monitoring everything that is technically possible is so naïve that I'm amazed you worked for PGP. I don't normally go after people for being anti-American, but I'll make an exception here because your ideology is making you look comical.

You're a foreign national with an interest in cryptography living in Switzerland. Of all the people in the world who shouldn't be so absolutely clueless, it's you. They're on you like stink on shit, and suggesting otherwise is laughably stupid. What do you think, Switzerland became a discreet financial haven out of a measure of luck, while Swiss intelligence sat around being good, decent, idle people?

For all of my extensive problems with U.S. intelligence, they at least made an effort to uphold the law. They failed, yes, but so many pivotal decisions were around the legal framework. I wonder how such a conversation goes in Ukrainian intelligence, or German, or Mexican. "We have a lead on El Chapo but we can't follow up because it's illegal to wiretap." Yeah, okay.

Come back to reality, bud.


Well, how about the French government passing a law to make legal the very SIGINT practices French intelligence had been doing for years with no legal supervision?

Or the German intelligence collaborating with the NSA? I won't even mention the British GCHQ, because they almost make the NSA look good.

And that's just Western Europe. Let's not talk about the way Chinese citizens can enjoy frank exchanges of views on the Internet without fear of repercussions.

So just to be clear, here, you claim to have worked for PGP, so you've been in the security industry at least a day or two, and yet you consider the opinion that the United States cannot possibly be the only bad actor rhetoric? I'm disputing your claim that other Western governments aren't as bad as the United States. Nobody knows that, everybody with half a clue assumes otherwise, and the irony of you going after my lack of substance in doing so is palpable.

I'm going to reiterate, because I can't believe I'm having this conversation: you said, nearly verbatim, the other Western governments do not spy like the United States. And you consider that a sane opinion in the wake of these disclosures, and call me a shill for disputing it.

The retroactive immunity to which you refer is one disclosure we know about. What I was speaking to was President Bush's PSP, which they made a significant effort to satisfy legality on. Everyone is in accord on that: them, Poitras, Snowden. They were wrong, particularly Gonzales, but they still tried to base it in the law until they lost the Justice Department. Even the FISA court is an attempt at legality. I'm not saying I agree, I'm saying the government made a conscious choice to try to play by the rules, even though their rule book was absolutely bananas. I'm making the case that in other governments, that same zeal might not apply, and there are probably governments wherein rights are more freely trampled upon.

Again, that you think I'm a shill for presenting the completely normal security industry philosophy of don't trust anyone is just hilarious. I've been charged with multiple felonies by the United States justice system for CFAA-related offenses and convicted of one. I have the most stake in criticizing the way we do things. You're laying down smoke to cover your own opinions going after my "shill" status, and I want you to know that it's entirely transparent.

Sometimes I think Hacker News is just trolls trolling trolls.

jsmthrowaway - I have a question for you about a different thread you commented on. Can I email you?

Ha ha! I know who you are.

Tomorrow, after your meds, read what you wrote and you will see that you are arguing against yourself. I'm only responding to you so that others here can see how insane you are.

Tomorrow if you wish to continue this debate we can do so in person with Robert's rules of debate, the loser with their head between their knees.

We've banned this account for repeatedly flouting the HN guidelines.

Doubly so because you ignored our request to improve.

People just don't pay attention at all. I'm not sure which is worse.

It's all hostile territory. While it's rational to punish quislings, it's irrational to think anyone handling a large amount of communications isn't a quisling. Certainly nobody is making claims that they are working to secure your data against state surveillance.

It's also long past time when providers like Google, Microsoft, Yahoo, etc. could have been offering secure communications and storage. At some point you have to suspect they are in with the surveillance state as much as the telcos are.

After the Snowden revelations I believe AT&T was stopped from expanding in Europe. Mexico seems to welcome them on the other hand...

> I know that mindset doesn't match many of the people here on HN

Right, the people here on HN only support spying when they are the ones doing it to users for "ad targeting" purposes.

I wonder what percentage of YC ventures have their revenue model based on advertising prospects.

This is a standard trope, but it requires that you be willfully ignorant that 1) all western countries are sharing intel 2) the US does most of its spying on foreign countries 3) there is no European politician that has even tried to run on an anti-US platform. I wonder why?


You make some good arguments elsewhere in this thread. But you're not helping yourself with these over-the-top snide remarks.
