Hacker News new | past | comments | ask | show | jobs | submit login
NSA Buys Americans' Internet Data Without Warrants, Unclassified Letter Says (nytimes.com)
230 points by pseudolus 9 months ago | hide | past | favorite | 98 comments



I'm trying to think through this from a legal perspective.

If I'm going from store-to-store around town, my understanding is that police are allowed to watch me and even go into the businesses and ask questions or pull security footage without a warrant. The information they gather is circumstantial and probably would not hold up in court, but they can use it as grounds to get a warrant.

Let's imagine a different case. Instead of police having to go in and ask nicely for customer logs and security footage, the owner happens to have meticulous notes that he keeps and sells to randos around town. Creepy... but it's largely the same data that they could have gotten by asking nicely enough anyway.

If there is no law against the proprietor bundling up his customer data and selling it, it doesn't seem like there is a strong legal case against police using it.

Obviously, this is a MUCH bigger problem on the internet than in real life - just in the huge difference in scale in the amount of data and the ability to parse it.


I think this gets down to a fundamental problem with tech that society is ignoring like a pink elephant in the room.

Society fundamentally changed with the introduction of computers. Things have become possible that were never possible before. This is obvious if you consider the tech of 1900, 1950, and today.

The elephant in the room is that the more complete the dataset the more dangerous it is. Its like gunpowder. Firecrackers are sold without license, small amount of gunpowder. Dynamite and other explosives with larger amounts of gunpowder are heavily restricted because of the damage that can be done. Today, there are laws against re-packaging explosives to protect people.

I believe the damage that these datasets are doing to society are covert and second-order effects that are hard to track. Most datasets like what the NSA are doing are kept secret precisely because they don't want transparency. If there was transparency, the damage would become obvious that regulations would swiftly come.


There's the chilling effect, people not wanting to protest or organize against government overreach for fear of being put on a watch list. This allows the state to enact more draconian laws with less push back from the general public.

It's like a vicious circle that feeds itself, the more surveillance the government permits, the less the public are able to complain or fight back against it. Thus leading to even worse surveillance.


You are talking about the panopticon, where, in the perfect jail, anyone can be looked at but they themselves have no awareness of that fact. This changes behaviour. The implementation of technology we have is the panopticon across the whole of society. This is not accidental, it is part of the governance control system.


What a coincidence, I was thinking of the same concept pictorially reading the comment you replied to, but I did not remember its name.

Panopticon it is:

https://en.wikipedia.org/wiki/Panopticon

Generally, there is plenty of reasons to be worried:

  - Firmware-wise (e.g., Intel Management Engine, Coreboot, Libreboot, system on a chip)
  - Hardware-wise (i.e., Von Neumann architecture - Code + Data)
  - Operating System-wise
    (e.g., 0-click exploits, remote code execution to manipulate the CPU's instruction pointer,
     stack overflow, Pegasus)
  - Facility-wise (e.g., electromagnetic waves, cell towers, Faraday cloth)
  - You (making mistakes)
What you can ultimately do is: rely on randomness (e.g., rolling casino-grade dice), Diceware, one-time pad, no computers of any kind. Further, hope that time traveling backwards remains impossible. Otherwise officers will travel back in time and can see what you wrote (e.g., unencrypted message) back then.

If you need some electronics go with analogue electronic devices. Or, make your own computer systems from scratch with transistors etc.:

jdh, I built my own computer. by hand., https://youtu.be/vaGZapAGvwM?si=lGQuskkFxZ7FHe1h


what a crazy, interesting project and video.


We can talk about the datasets, but the elephant in the room - to me - is that the world is deeply deeply intermediated.

Our lived experiences are filled with countless powers preying upon us humans. They want to stay middlemen, they want to keep us using their convenient systems, they want their hand in every pot, and they use networks to vend their position to as many other would industrialists as they can.

That's them, what about us? We humans have lost direct and authentic connection to the world around us. We lack orientation & cannot make sense & decide & understand (and that alone may be a ghastly threat to democracy). We don't have visible economies around us anymore.

There's such a deeply Dark Forest scenario playing out, as companies invisibly consume & process society. It's so asymmetric, so hard to even grasp how thoroughly & tightly the corporate surveillance winds itself around us. Are the datasets generated terrifying? Sure, yeah. But the result is not the only horror here. The potential power of what is gathered is only one form of damage that the de-huamnizing/intermediating of humanity strikes against us with.


Well, they're sometimes outright overt. Here's Spanish defense ministry trying to extort 100.000$ from an 18 year old kid because he made a tasteless joke in a message to his friend> https://www.businessinsider.com/passenger-faces-120k-fines-a...


> The BBC reported that before departing, he told a friend on Snapchat: "On my way to blow up the plane (I'm a member of the Taliban)."

> Security services saw the message and flagged it to Spanish authorities, who sent two F-18 jets to follow the airliner until it landed, per the BBC.

> He faces a public-disorder charge, which could result in him being ordered to pay over $120,000 if he's found guilty.

> About $103,000 of that is from the Spanish Defense Ministry for the cost of scrambling the fighter jets.

Definitely alarming than encrypted Snapchats are clearly not private, but the response as a whole still seems fairly reasonable, no? He did kinda threaten to blow up a commercial airliner.

I think the BBC article about his acquittal has a lot more points relevant to the discussion about privacy:

https://www.bbc.com/news/world-europe-68099669


No, charging 100k to a teenager over a shitty joke over private encrypted communication channel is absolutely not reasonable. Spanish military can eat the cost of their false positive response. Why would you think an innocent individual paying for trigger happiness of authorities would ever be reasonable?


> No, charging 100k to a teenager over a shitty joke over private encrypted communication channel is absolutely not reasonable.

Where are you putting the stress in this sentence?

If your issue is with the encrypted private channel being spied upon, then I completely agree, and so did the court system.

But outside of that, if he had said this via SMS, this would be the standard response. It may be a shitty joke, but jokes don't make you magically immune to consequences. You can't yell "fire" in a clouded theater, and you can't say "on my way to blow up the plane (I'm a member of the Taliban)" while boarding a commercial airliner. Well, you can, you just should expect to be sued.


Also, it appears that a lot of the danger is political. Both Trump and Biden were presumably being spied on by the incumbent administration (Trump because of the Russia thing, Biden because of the Ukraine thing). It seems likely that Trump is being spied on again, and there is no reason to believe this pattern is going to stop.

The hazing process for electing a president is already cruel enough that nobody sane runs. Add in the risk of the incumbent administration finding a way to leak all your dirty laundry from as far back as the records go and it will be really weird. Probably corrupt, ugly and with bad results for everyone outside the intelligence apparatus.

In some sense that isn't new, there are questionmarks over the US spooks dating back to J. Edgar Hoover. But the damage that sort of actor can do is greater the more data they have to make decisions with.


I'd argue there's an even more fundamental reason for the hazing process, as you call it, which is that the voting system itself incentivizes negative campaigning as just as if not more effective than positive. In other words, a dollar spent trashing the "other side" is destructive yet effective. This destroys healthy competition and encourages mutually destructive behavior.


software is naturally authoritarian.


Is is though?

Maybe that's just a reflection of the organizations that have created said software.


yes, because it allows centralized control and that control is absolute.

Whether an organization decides to lock things down or not is a different discussion, but software itself is absolutely authoritarian in nature.

And the scary part is that it's absolute. If you have employees who shouldn't be doing a thing you make it company policy, but with software you flat out enforce it.


Software has its absolutes - and those are often good things. Security, ability for backup, redundancy, scalability. We value these things.

Whether those attributes are applied toward authoritarianism or freedom is largely up to the developer and the backers and users.

And over time we may have started with systems that are centralized because our abilities were young at the time, but distributed systems are very popular and often the goal. One example is version control systems: all the systems prior to Git/Mercurial and those after.

With social networks, the network effects are dominant, but I am hopeful that distributed systems will eventually dominate.


> Whether those attributes are applied toward authoritarianism or freedom is largely up to the developer and the backers and users.

That they can be applied at all makes software authoritarian in nature.

software enables something we've never truly had, which is automated, effective force at a distance.


Well, yes. American discourse has got backed into this corner:

- "the government" (broadly defined) is not supposed to be able to spy on people

- there is no general privacy law, only narrowly defined bits for e.g. video rental records and libraries

- corporations spying on people is completely normalized

- reporting the results of your spying to other people is free speech

> If there is no law against the proprietor bundling up his customer data and selling it, it doesn't seem like there is a strong legal case against police using it.

So long as there's a strong "corporations good, government bad" faction this is going to continue to be a problem.

(Weirdly, the "government bad" faction don't seem to be concerned with police accountability at all, except in very narrow cases where one of their own is arrested for blatent crimes)


Technically, if we'd consider corporations part of the government (which we arguably should; many acts of regulation that would be impractical to implement directly through the government are farmed out as the responsibility of corporations as a pre-req of doing business), many surveillance capitalism patterns would become fraught by default.

The "corporations aren't government entities" defies logic. As without government recognition, they aren't even a thing.


> if we'd consider corporations part of the government (which we arguably should;

I'm not sure that even the Chinese legal system does that. It makes a nonsense of "part of".


It does not. If you're a legal fiction, at some level your existential DNA is entwined with your political system's existence.

It doesn't make a nonsense of "part-of" at all; unless you don't want to inherit government centric probibitions to deal with in calculating your business model.


You're talking about police, but the NSA has a charter and in that charter is supposed to (for SIGINT : signals intelligence, i.e., gathering) be doing signals gathering outside the US on at least one end of conversations.

Perhaps something changed over the last 20 years. But perhaps the rule still applies (or is supposed to apply) and that's the implied misbehavior.


They aren't allowed to collect the data directly...so they have the other UKUSA/5eyes do it for them with what used to be call ECHELON. There are supposed to be restrictions on that but it is hard to tell from the outside.


You aren't wrong but the misuse is within the bounds of what you are saying. They only need to make a reasonable effort to avoid directly surveilling conversations between two Americans if there's evidence available they are both Americans. They collect until they realize both parties are American and from what I understand those communications after the realization are not purged.

Additionally if you are speaking with foreigners they are also authorized to collect. The idea is that they can only use it for intelligence purposes but those data sets including domestic communications which were collected 'by accident' are exposed to the FBI for counter intelligence reasons. The problem is that the FBI has notoriously abused this and run searches against the database for domestic individuals for reasons other than counter intelligence.

https://www.eff.org/deeplinks/2023/04/internal-documents-sho...


Regardless of their formal categorization, they're a subset of "cop", which means they're not held accountable for misbehavior.


Furthermore, their misbehaviour couldn’t even be tried in a normal courtroom, even if there was mass public and political support for such an action.

They’d have to be tried in a secret FISA Court.


Before Congress would be possible depending on how much media attention arose


I think it comes down to quantitative differences resulting in qualitative differences.

It's not unreasonable for anyone (public or police) to notice when I am out in public, and what I do in public. But at some point an accumulation of these OK interaction becomes not OK, in the same way we already recognize that an individual simply seeing somebody in public is a protected right but stalking is not.

When the technology exists to track everything I do in the public sphere, catalog, summarize it, and sell it for profit, we are dealing with a qualitatively different animal that has entirely different implications morally and with respect to our rights as individuals.


Smart = spy. Smart devices are spy devices, part of the governance control infrastructure.


Technology automates the spying so there is no upper limit on the amount compared to in person spying.

Some Google servers can do stuff that Stasi could not even dream about. The upper limit of Stasi was that all DDR citizens were to be Stasi employees or informants. Google can do it no-hands.

E.g. I am all for the Police ticketing speeders, but I don't want some automated spy network tracking me instead. At least the Police should have to work for getting me if I speed ...


The bigger issue that people always miss is that NSA is not law enforcement so they do not need a warrant. The Census Bureau does not need a warrant to gather information on Americans either, but for some weird reason people find the NSA controversial but not the census.


"Some weird reason" being that the Census Bureau hasn't engaged in cyber attacks such as Stuxnet


I think you are unexpectedly proving my point. The answer is bias.


I don't know why you think them not being law enforcement changes anything?

Constitutional prohibitions generally apply to all governmental bodies, i.e. a school is limited in its ability to constrain your freedom of speech or religion.


The difference there is that the first amendment applies to actions of the individual but the fourth amendment applies to actions of the government. That difference in scope of application thus determines not just whom is protected but also to whom is limited. These first ten amendments exist explicitly to provide individuals lawful rights and when these rights are not violated these laws thus do not apply. For an example see the exclusionary rule. Thus the 4th amendment’s application does not apply all functions of government equally and no law or prior practice says otherwise.


I've actually known a few people that had a real problem with the census.


> The information they gather is circumstantial and probably would not hold up in court, but they can use it as grounds to get a warrant.

Just to clarify a possible misunderstanding: an officer testifying that they saw you go into a store is direct evidence that you were in that store. Likewise, a cashier testifying to what they saw you buy is also direct evidence. It’s eyewitness testimony.

On the other hand, for example, a receipt found in your wallet is circumstantial evidence. There are many possible explanations, some more plausible than others. Circumstantial doesn’t mean weak—-all forensic evidence is circumstantial.


The US Supreme Court has already shown its reluctance to allow wide-spread, but otherwise legal, data gathering.

In US v Jones, a GPS tracking case, the minority opinions were basically concerned with the fact that the GPS monitoring continued over a wide period of time, covering a wide area:

In his concurring opinion, Justice Samuel Alito wrote with respect to privacy: "short-term monitoring of a person's movements on public streets accords with expectations of privacy" but "the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy"

https://en.wikipedia.org/wiki/United_States_v._Jones_(2012)


> a MUCH bigger problem on the internet than in real life

THIS, sadly. And a large-enough quantitative difference becomes a serious qualitative difference.


This BS is allowed by "Third Party Doctrine" which means that once you give information to a third party, you no longer have a legitimate "expectation of privacy" so therefore you don't have one.

For example, if I want to pay you $100:

- I can give you $100 directly in cash. We can limit that knowledge to two people, therefore it could remain private.

- If I pay you via check, credit card or Paypal, now I've involved a third party and the government can collect any information they want. It's up to that third party to choose not to share it.

Check out the book "Habeas Data" if you want to understand the US rules - and how we got there - https://amzn.to/311a0yl


The third party doctrine is eminently unfit for the modern era.


> NSA Buys Americans' Internet Data Without Warrants, Unclassified Letter Says

I really hate to take NSA part on this, but, if the data is available on the open market, why would they need a warrant.

The problem is not that NSA buy it (they have access to it anyway, through other means) the problem is that everyone can buy it.


Think of it this way: knives are available on the open market, that doesn't mean NSA can just go around stabbing people.

The concept of a warrant is to have an authorization to do something that an entity would normally not be allowed to do. So if the NSA would normally not be allowed to have some bit of information, then it doesn't matter where that information is, how it is acquired or how 'available' it is.

Of course, that's all up to interpretation because the various documents/amendments etc. are all made up in legalese that relies on precedent and opinion to make some sort of sense of what's actually allowed. So in the case of the NSA they would make the same argument you are making: the NSA didn't "get" the information so therefore they don't need to be authorised to "have" it. But the issue is that "getting" something and "having" something isn't the same thing.

Realistically, the problem is exactly as you describe it, you can't really protect people if you're allowing random parties to just collect data on everyone with no consent or legal base for processing. Because even if the NSA needs a warrant, you can just proxy that too where you don't even buy the data, you just buy 'search results' and offload the entire data mining process. Now the NSA doesn't acquire the data nor hold it, it just gets results. And then we'd all get a discussion about that, and they could just proxy that too (have some other entity to collection and investigation etc. and just relay results as anonymous tips to the NSA). It never seems to end.


> Think of it this way: knives are available on the open market, that doesn't mean NSA can just go around stabbing people.

but the nsa can go around and buy knifes


And how many people have they stabbed with those?


I second this.

If the data is available on the open market, it's available for purchase by any legal entity.

How it's used can be criminal but purchasing it is a valid scenario for any entity.

If we're concerned about the NSA using it, we should be concerned about anyone using it.

So I think the bigger debate is why is all of this personally identifiable information available on the open market?


VC backed startup sells user data on open market.


It seems like the problem is that the information is for sale at all.

I generally think warrants should be needed when police (or i guess spies) do something that an ordinary citizen wouldn't be allowed to do. If the info is available for purchase by anyone, then i don't think warrants should be needed.


one step further: the problem is the existence of the data

as in, pii should be a massive liability and everyone should be incentivized to avoid collecting it


I’ve got news, lots of fellow HN readers support this data collection through jobs called the ad / marketing industry.


barely news, thou most industries profit from consumer insight in some way


Making it illegal to sell would go a long way in that direction.


not as much as it would strengthen black markets


This makes it seem as if the NSA would stop spying on Americans if the data wasn’t available on the open market. If we just change our data privacy laws! Historically, the NSA doesn’t care whether they get the info off the open market or from in-house infrastructure. They’re probably doing both now.

The problem isn’t this particular method they happen to be using today. The problem is that the NSA and the 4th Amendment are often in conflict, and the NSA wins because there’s no consequences for violating it.


Maybe this is a naive question, but if the information is for sale, why would the government need a warrant?


Fourth Amendment.

Here’s the answer in depth:

https://www.lawfaremedia.org/article/when-the-government-buy...


The fourth amendment is not about buying things everyone else is able to buy


You should consider reading the article.


Really truly hate agreeing with brookings, but they are right here.

I find it interesting where the line between freedom and acceptable government intervention seems to be for many people. There must be an aspect of “what do I have to worry about” that doesn’t kick in until people explicitly see what they have to worry about looming.


It's the classic "I have nothing to hide" argument. Which immediately breaks down when you realize that, with enough information about someone, you can implicate them in something illegal. A case can be built against them, a narrative spun, and an innocent person spending their lives locked up. This happens constantly in the US judicial system, though I believe it is often unintentional, just human bias doing it's thing.


I've read the article, and it addresses the point vaguely at best:

"The standard argument in favor of unfettered government purchases of private data is that such data is commercially available, and so anyone should be able to purchase it, including government officers."

Agreed.

"... while government officials can generally purchase items available to the public without constitutional restriction, sensitive private data about cell phone users isn’t actually available to the public."

What? I may be misunderstanding, but this looks like a deliberate attempt to conflate two concerns: publicly available data for sale and sensitive private data. I don't see any argument here against the government buying publicly available data.


Just because it is for sale, doesn’t mean it’s for sale to just about anyone - a lot of the brokers that collate, match, and enrich this data choose to only sell their product to government agencies.

Because it’s “on the market” it’s deemed “public”, but that market only is open to governments.


You should consider reading the rules


Apologies. Not my intention to be rude.


The fact that it is with or without warrants is almost completely irrelevant in the article itself. The headline is misleading.


If the government is doing it as an end run around the fourth amendment then that should be illegal.


But they are though? I agree that intrinsic privacy rights should prevent this. But the fact is this data is freely available, it's public information, the individual has released it appropriately. The problem isn't the govt using public data, the problem is that the data is public. You simply cannot have a privacy concern when you've agreed for it to not be private in the first place.


It's not freely available, it's for sale. And just because private data is for sale does make it public.


It's private property that happens to be data. The fact it's allowed to be collected and sold to anyone much less the government.


Which means that private consent in contract for data collection here is meaningless.

Similar to how one cannot sign away one’s constitutional rights in a contract.


Why would it be legal for a person or company to buy this publicly offered information but illegal for the government?


The government is bound by the fourth amendment.

Regardless, if people cannot have privacy because companies can coerce and buy so much information about them, then that too is a violation that should be illegal. (For example because it's increasingly impractical to live without a smart phone and cell tower connections, or avoid iTags.)


The third-party doctrine is a loophole in the fourth amendment.

> The third-party doctrine is a United States legal doctrine that holds that people who voluntarily give information to third parties—such as banks, phone companies, internet service providers (ISPs), and e-mail servers—have "no reasonable expectation of privacy" in that information. A lack of privacy protection allows the United States government to obtain information from third parties without a legal warrant and without otherwise complying with the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.

https://en.wikipedia.org/wiki/Third-party_doctrine


> The government is bound by the fourth amendment.

The fourth amendment is a restriction on the government's ability to search or seize - things that a regular private entity is not permitted to do at all, that represent an enormously abusable power. I don't see how buying public information fits into that.

> if people cannot have privacy because companies can coerce and buy so much information about them, then that too is a violation that should be illegal.

Perhaps. But looking to ban the government from buying that information on the open market is putting the cart before the horse. If the problem is our private information being sold, let's look for a fix for that that would protect us from large companies or wealthy individuals with a grudge, rather than focusing narrowly on the government.


It is not a violation of the fourth amendment to buy information you’ve granted to parties to sell. Hacking your router and gathering the information that way would be illegal, this is just buying data like a thousand other businesses do.


That doesn’t make any sense at all.


The fact that this data is available at all is such a fail.


Right, but raising a panic by saying the government has this data or China gets this data is a distraction from the real issue, that such a vast marketplace exists openly for anyone to shop.


Can't say I disagree.


Therefore, so did China and Russia and anyone else.



For the level of surveillance taking place, I want a lot less crime.


Be careful what you wish for, because you wont just get less crime but less deviant behavior.

We are borg.


I don't. That would require them to use it.


Its a perfect, self serving loop, if you think about it from a governance perspective.

Government takes taxes. It uses those taxes to spy on its citizens. This makes the citizens more compliant. Compliant citizens acquiesce more easily. Government therefore increases its power and does more of the same.

Greater invasive control results in more extraction from the citizens and more power to government.

From a governance perspective, this is a positive feedback loop. From a citizens perspective, it is a negative feedback loop.


Can anyone explain why people choose to use internet providers that sell their data? Do they get internet for free?


Because a ton of people only have one reasonable option.


most commercial isp's do this


In the US you mean, where I live this is nether legal nor common.


ich wett nen kasten dass das bei uns auch läuft


Related from last week:

Feds crack down hard on selling of personal data without consent

https://news.ycombinator.com/item?id=39062247


Many threat intelligence companies buy that data and then resell it as a service. I'm not very clear as to how accessing that data in the first place is legal...


>N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says

I haven't seen a cent, where do I collect my check?


I’d love to have a chat with their LLM. Must be absolutely astonishing what it knows.


These headlines should all be "Your personal browsing history for sale to anyone"


I think this Orwell guy talked about this, I think there is even a book? Probably nothing. lol


Ironically this is referred to as "open source" data.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: