- We do not provide direct access to our servers.
- We do not provide direct access nor is there a backdoor.
- O, but we do still pipe all of your data to external NSA servers. </sarc>
Every company named (I'm not just picking on Google here) has come out with the same overarching statement. "We do not provide direct access". It just smells of being rehearsed, and carefully coordinated to select such language.
> Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigners.
Google and other tech companies are said to have gotten orders under section 702 of the FISA Amendments Act of 2008. That allows the government to compel communications companies to furnish lots of metadata and CONTENT on NON-U.S. persons. This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons.
Compliance is mandatory, under contempt of court and companies must provide facilities and help. They also get reimbursed.
So it's likely Google never got an order like Verizon did, they likely got one that involves content, but is supposed to exclude intentional targeting of Americans.
> Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
They all said stuff about "direct access", without discussing what would and wouldn't qualify as "indirect". They didn't deny doing all kinds of different access that could be called indirect in some way.
The last sentence he made, that the government needs to be far more transparent about what they're doing is the only sentence I can really trust as honest, especially given that the alternative to lying could be being thrown into Guantanamo for 'assisting terrorists'.
>"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."
Another possibility is that the NSA could have served orders on Google employees directly, and they are compelled not to tell their managers about what they did for the NSA.
You hire a foreign national, working for a foreign division of Google to be your spy. Unless every US citizen's mail server is domestic, lotta loopholes to be found.
People should also not assume the credit card statement from their bank is a batch job run on US servers by their bank. I've been told this stuff is outsourced, probably to the lowest bidder. Which if I were an intelligence service, I would be more than happy to subsidize.
You have been told incorrectly. (Source: I work for a major US credit card company.) Certain pieces of the development and maintenance may be outsourced (under the supervision of US employees), but we (and, as far as I know, all our major competitors) own the data centers where they are run.
| they are compelled not to tell their managers
| about what they did for the NSA.
Isn't it more plausible that they're intercepting data flowing in and out of Google servers?
We haven't seen posts from the CEOs of Cisco/Juniper/Dell/HP or other manufacturers of datacenter grade network equipment. Who needs Google/Facebook's "knowledge" if you've got root on all the border network gear (and SSL termination hardware)?
I know here in .au, Huawei have been excluded from the government-deployed National Broadband Network due to suspicions that the Chinese government has too much control/access to Huawei network hardware.
a new time option - Larry is lying because of the gag order.
in between - Larry said "on such scale". Well, Google probably is of a bigger scale than Verizon.
Anyway, once the data is out there, it is only a matter of time and determination for a government (or any financially well backed up player) to get to it.
This scandal will be a great boost for any services involving "crypto", and probably would spring new ones like an encrypted phone exchange/switch service, where one can see incoming and outcoming phone numbers, yet not which one connected to which :)
These can be installed at the trunk level with virtually no one knowing about it (maybe a couple of on site managers). They can handle massive data and pipe it directly to the NSA. The problem of course is you're dealing with raw data which isn't nearly as easy to work with than if you had direct access to internals.
These are already installed on every major backbone so I also don't see why they would bother to involve anyone, so there must be more to it.
ps. It would be nice if another whistleblower came out with the data on optic splitters and how the NSA uses them.
Access is trivial, volume is a much more interesting problem.
There could be a lot less data leaving than you think.
If you consider that PRISM is not a 'dragnet' but rather an automated system that processes FISA warrants on company premises then the denial wouldn't be wrong. There is no 'scale' that you wouldn't be able to get using regular data requests to internet companies. PRISM could just make the process a lot easier for everyone involved.
So instead of sending a warrant over, having the company verify and send the data to the NSA, then finally transforming the data into a reportable format PRISM automates the whole process.
If you read some of the media descriptions it almost looks like PRISM is more of a data aggregation and portal system that sits on top of a data source and allows analysts to explore content.
No, it was a FISA order: http://www.guardian.co.uk/world/interactive/2013/jun/06/veri...
It specifically states that such an order can be made "provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution".
If they have been violated, then there are a number of members of Congress and the Senate who are falling down on their job - the Attorney General must inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate. On top of this, every 6 months the Attorney General must also provide a report to the Committee on the Judiciary of the House of Representatives and the Senate which details the total number of applications made for orders approving requests for the production of tangible things and the total number of such orders either granted, modified, or denied.
I've read and documented the USA PATRIOT Act on Wikipedia incidentally. Took me two years to read and understand the thing. Possibly things after the Patriot Act changed FISA, I wasn't going to spend any more time on writing up about this subject. I'm an Australian citizen, after all.
I should note that I'm not thrilled about the fact that the U.S. government can read my communications. Not that I have anything to hide, nor am I of any interest to them, but hardly the point.
The two parts to read on Wikipedia, incidentally are:
But how would you determine on the internet that an account holder was a US person or not ?
If I claim to be the person X who is a US person by registering for an account in their name, am I then a US person and therefore supposedly exempt from monitoring? Even IP-based clues are not enough as those are not foolproof.
I suspect that both US persons can be just as susceptible to tracking from the Government.
That's why they only have to check a box saying they are reasonably sure that there is at least a 51% chance.
Vague laws are invariably wildcards that can and will be abused.
Does Google give anyone, any company, any entity, anyone at all direct access to their data? They've specifically excluded NSA. Does NSA subcontract that to Booz Allen Hamilton? Google claims that no government has this access, what about one of the 1200+ Top Secret cleared contracting companies?
Can these companies officially comment on this stuff yet? Or are they violating court orders if they talk about it? I like Google, I really want to trust them and I think they've moved the needle in our industry in some very positive ways. Honestly though, I think they could make much much stronger statements about this stuff. I expect them to say stuff like this to keep up with appearances.
There is no "careful parsing" of the Constitution going on. Just people who never read the document very carefully other than what they thought the teacher said in 8th grade.
This is the entirety of the 4th amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
If any "parsing" is going on, it's creative parsing to make the argument that information you freely handed over to Google and AT&T, or indeed information that was never even in your possession but was generated by AT&T (e.g. call data records, web server logs) is somehow your "papers or effects." Tell me how that is anything other than creative parsing? How is a document that you never even had in your possession somehow your private information?
Wiretaps themselves became illegal and the information from them inadmissible under the 1934 Communications Act. This didn't really stop wiretaps. Instead they were used as a method of intelligence gathering to go and find stuff that was admissible. Note that this was not a reflection on the Constitutionality of wiretaps, but instead the sense that they just weren't needed to convict criminals.
By the 1960's wiretaps were again brought to the Supreme Court and they outlined how a wiretap statute could pass Constitutional muster. The Katz case is where the "expectation of privacy" language was introduced. This resulted in wiretap statutes passing in the late 60s and that's basically what we had until the PATRIOT Act of 2001.
In a world where important documents are increasingly electronic, and electronic stuff is increasingly routinely backed up, transmitted through, or just stored on remote servers, people's personal papers will be increasingly in the possession of others.
I won't argue that it's impossible to read the Constitution so that it becomes a set of meaningless restrictions on outdated technologies--legal text is never deterministic and always subject to multiple interpretations--but it's certainly not unreasonable for somebody to have "read the document very carefully" and found it more robust and relevant than you do.
Wouldn't I be pretty stupid if I had a problem with these things, yet still uploaded these documents in clear text to Google's servers where absolutely nothing stopped Google from doing these things? Especially when they tell me point blank that they do indeed sift through the documents (for ad targeting)?
* Google scans email, not other documents in Drive:
* Just as the NSA claims that collecting data doesn't count until a person reads it, Google affirms that humans do not read user data without permission.
* Documents are encrypted in transit, not uploaded in clear text.
If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?
Email is slightly more complicated, due to automated ads scanning.
If your secretary agrees to give it to them, of course they can.
Have you been to a doctor? Have you seen that folder full of your medical information? Have you ever possessed it? Most likely not, but that is your private information and there are very strict rules about how it is handled and who can access its contents.
The thing is that usually CDR data doesn't require a warrant. The court ruled that since people are typically aware of the existence of CDR's and may rely on them for services from the telephone company, and because they are relatively non-revealing they do not constitute a search.
The point is that the user of the telephone service discloses the calling information to the phone company and in such a way as to expect no privacy over the information. A similar case might be IP packet header information over routers, or photocopying address/return address/postmarks on the outside of envelopes passing through the USPS. None of these are considered to violate any reasonable expectation of privacy because, for example, we can expect that the address on the letter we drop off at the post office is publicly visible.
O'Connor got it right in Casey when she distanced the right to abortion from the right to privacy: "That is because the liberty of the woman is at stake in a sense unique to the human condition and so unique to the law."
"The Constitution does not explicitly mention any right of privacy. In a line of decisions, however, going back perhaps as far as Union Pacific R. Co. v. Botsford, 141 U.S. 250, 251 (1891), the Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution. In varying contexts, the Court or individual Justices have, indeed, found at least the roots of that right in the First Amendment, Stanley v. Georgia, 394 U.S. 557, 564 (1969); in the Fourth and Fifth Amendments, Terry v. Ohio, 392 U.S. 1, 8-9 (1968), Katz v. United States, 389 U.S. 347, 350 (1967), Boyd v. United States, 116 U.S. 616 (1886), see Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); in the penumbras of the Bill of Rights."
That handwave-y language ("does not explicitly mention", "a right of personal privacy, or a guarantee of certain areas or zones of privacy", "at least the roots") doesn't exactly inspire confidence in the existence of a broad, fundamental right to privacy in the Constitution. Also, it uses "privacy" in a somewhat different sense than the surveillance debate. In Roe, it's used more like "liberty."
If you think there should be a right to privacy of electronic communications, then convince people of it. Get an amendment passed. Don't twist the Constitution to say what you wish it said.
Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
He doesn't say "Any suggestion that Google is disclosing information directly to the government..."
As such, I think you can either take it as "we don't disclose anything to anyone", or you can say that the sentence isn't true.
> we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. [...] Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
> Honestly though, I think they could make much much stronger statements about this stuff.
They can't really, though - they do cooperate with the government on a ton of properly-filed, fully-legal subpoenas. And that's fine, that's what they have to do, and it's what every other company in the world would do - though we should all push our government(s) to be more transparent about what they're requesting and why.
> Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers.
Do they give carte blanche access to their data to ANYONE? Regardless of the datacenter. If they don't they can say that.
It is possible to permanently erase or disable your search history from here: https://support.google.com/accounts/answer/54067?hl=en
You can opt out of Google Analytics using this add-on: https://tools.google.com/dlpage/gaoptout
Saying that denial is a lie . . . is a completely different charge.
Kind of like Mariano Rajoy insisted that Spain didn't need a bailout?
EDIT: I mean: (a) No one cares if they have heard about a program called "PRISM" when the point of that program is to aggregate data from other programs. (b) Anyone who is actually innocent in this needs to stop mentioning "direct access to servers": no one expects this program to be directly accessing servers. (c) We also don't care whether actions were "in accordance with the law", as the constitutionality of the surrounding laws is part of the debate.
I will say that "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false." is a good statement to make. It sounds broad in a good way and doesn't appear to have many weasel words, other than specifying "Internet activity" and not email or general activity. Are Google searches even "Internet activity", or is he referring to Google Analytics / Google +1 / 184.108.40.206 DNS?
If you're refuting claims of behavior X, it's natural to say "We don't do behavior X."
I don't mind targeted surveillance against genuine suspected terrorists. What frightens me is broader intelligence collection especially commercial intelligence. Over time programs broaden and if we're not really, really careful we'll find gmail being read by intelligence analysts who can brief our US competitors.
If non-Americans can't trust Google with their information that is an existential risk to its future. I think the Google leadership needs to do a lot more than this one short post!
 From Obama's comments:
Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States. And again, in this instance, not only is Congress fully apprised of it, but what is also true is that the FISA Court has to authorize it.
So in summary, what you’ve got is two programs that were originally authorized by Congress, have been repeatedly authorized by Congress.
That seems pretty clear - there is a congress-approved spying on non-US citizens Internet and email.
EDIT: added Obama quote
This kind of language bothers me - "suspected terrorist" requires no proof at all, while sounding authoritative (65% of Americans support the remote execution by drone of 'suspected terrorists').
I know roughly what you meant, of course, but where that line is drawn is a discussion that needs to be had. I'd say that with the level of surveillance that goes on, we are all suspected terrorists now.
It rather makes it clear that Google is participating in espionage programs for the NSA. Supposedly, maybe, it isn't directed at Americans (har har).
The president has not, however, confirmed that the news reports about "PRISM" are accurate. All he's done is summarized the law.
"We post this information on our Transparency Report whenever possible... ...we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish."
I do think Google is working hard to protect our users from unwarranted government requests. Just speaking for me personally, I really dislike provisions in the PATRIOT Act and FISA that compel secrecy. One thing I did like in Google's blog post was that we spoke out against the "level of secrecy around the current legal procedures." I was encouraged that Facebook later said something similar. In my opinion, a lot of the frustration about the current situation would be best applied to changing some laws in the United States.
While I honestly think _you_ believe Google is doing "the right thing" - there's a nagging suspicion that there's some NSL-style legal (or possibly extra-legal) compulsion being used at the very top levels. Even if I believe that Larry is 100% "on my side" against the government - I'm also under no doubt that Larry and Google are effectively powerless against the pressure the various US government agencies could apply if they so chose.
While explanations of the similarity between Larry's and Mark Z's posts based on direct rebuttal of the WaPo article are plausible, when combined with Apple's, AOL's, and Yahoo's suspiciously similar structure and wording - cynical-me can't help but wonder if all 5 CEO's are being compelled to disseminate the same government supplied message (and are possibly intentionally using almost word-for-word similar language as a plausibly deniable way of telling people that).
I'm not sure if there's much Google can say or do - given the depth and seriousness of the seeds of suspicion that've already been sown… (Having said that, I was pleased to read Yonatan's G+ post earlier today…)
Federal law may "authorize and in some cases require telecommunications companies to furnish information" to the executive branch, said Bradford Berenson, who was associate White House counsel when President Bush authorized the NSA surveillance program in late 2001 and is now a partner at the Sidley Austin law firm in Washington, D.C. Far from being complicit in an illegal spying scheme, Berenson said, "AT&T is essentially an innocent bystander."
And a sealed AT&T document I obtained tried to offer benign reasons why there would be a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic:
What Google and Facebook are doing today is precisely the opposite of what AT&T did.
What Sergey (and Google) bravely did in China gave Google years of priceless respectability. This is one of those situations where civil disobedience is best. I realize you can't just "pull out of the United States", yet Google is looking like liars, and that just doesn't work.
For what it's worth, if Larry summoned the courage to speak his conscience completely, he will not go to jail. Far from it ... Google will be the true statesman, showing courage and leadership.
Indeed, I believe it may help Google the most, by catalyzing people's courage to do what's right. It's simply wrong to associate yourself with this.
It must come from Google first, Google is the strongest. Please consider the honor in doing this. Done genuinely, the public will rally behind Google, just like SOPA/PIPA. And don't forget, you have the world's largest bully pulpit.
For what it's worth, I'd recommend reading this post: https://plus.sandbox.google.com/+YonatanZunger/posts/huwQsph... To me, Yonatan's post read as the sort of personal, even blunt statement that you're asking for.
Are you asking Larry to violate the law on National Security Letters, by publicly posting their content?
Why should we trust the safety of any information on our searches, emails, location data, chats etc stored by Google? Stop storing it
Compelled and limited is a very different story than voluntary, wide-scale, and direct. Do I like FISA? No, I think it sucks. FISA orders come with a gag order, and laws that compel secrecy like that should be struck down, in my opinion. But in recent days, you've heard the CEO of Google say that they haven't gotten the sort of broad requests that (say) Verizon got, and that Google can and does push back on requests that they consider too broad.
I think the proper response to this issue should be frustration with bad laws, and calling your Senator or Representative in Congress to tell them that.
"We cannot confirm or deny the existence of such a program,"
"It is not our policy to comment on national security topics"
"We'll wait for the results of the investigation."
No, I think it's most likely that Page doesn't know of any such program. Now, it's always possible that such a thing is being carried out on the scale everyone fears by a rogue, loyal-to-the-NSA employee, or a group of them. Or it's possible the original Powerpoint slide including Google as an information source is oversimplified or even inaccurate. Such things do happen when presenting overviews of program capabilities.
And many other things in between are possible. It's concerning, but . . . I'll wait for the results of the investigation. ;)
I think there's a world of difference between a gag order where you are not allowed to confirm, and an order to explicitly deny involvement. I'm not saying the former is "good", but there's a difference.
I think there's a non-zero probability that there are US government agencies who can and have compelled people to explicitly deny something that they know is true.
Realistically, it would boggle my mind to discover they'd done that to all the founders/CEOs/legal departments of all the companies involved here (at least Google/Facebook/Apple/Yahoo/AOL), but given the stakes in this game - I have no doubt that it _could_ be done.
Either the government is coercing them, and they have to issue lies as denials, or they are participating voluntarily and are voluntarily lying, or they are not participating. The second option seems unlikely to me.
But at the same time they can't all be right. NSA says it's getting data in some form from Google, Page says no direct access.
The truth is probably somewhere in the middle then... but where?
If that is true, why would we expect that Google officials would be able to make any public confirmation of the Top Secret program? And, given that, why, in that case, would we expect the truth to be "in the
Conversely, if the leaked document is not genuine, then I still don't see any basis for expecting the truth to be in the "middle" between the false document and the Google denial.
I just think it's important to not be entirely cynical here, and to keep in mind what such a statement might look like if it were being truthful. I don't know how much different it might be, which generally makes the statement only as good as Larry Page's word, and only then if he doesn't have a gun to his head.
Page says no direct access and not even legal access at that scale (Verizon). He doesn't say they don't have any access -- in fact he says they comply within the bounds of law, but it's not at the Verizon scale.
You assume Google is giving the NSA information and act accordingly.
Doubts are like bothersome flies...
until they are crushed...
you will never be comfortable at your current position.
On one hand, I would think a very-visible CEO of a major corp would keep their name off of a press release, if the press release was a lie that they were compelled to tell by the government.
On the other hand, I feel like each company's response and their use of the exact same terminology ("direct access", etc) feels like a wink and a nod.
If I was going to go completely conspiracy-nutter, I'd say that Page has been kept out of the loop intentionally for plausible deniability, and the actual incursion happens at a much lower level, where the people involved are coerced into keeping their mouths shut. That way, the bigwigs get to tell what they think is the truth, the NSA gets their data, and nobody is the wiser.
Granted, I think that belongs more in the plot of a thriller novel than in this actual world we're living in, but given the revelations of the past couple of days, fiction doesn't seem that implausible.
"A US government-mandated backdoor allowed China to hack into Gmail"
"In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access."
Maybe those hackers just used the regular tech support "back door", as in "SELECT * FROM gmail where email = 'email@example.com'"
Their business is based on user's data. If you do not feel comfortable giving them your data, it might hurt their business. Hence, IMHO, they do have some incentive to deny PRISM, regardless of the facts.
It's the opposite of what Larry Page is doing.
So the answer they give when asked, and they do get asked, is "no comment."
If they were voluntarily part of PRISM, and legally required to keep that quiet, I'd expect them to say "no comment."
Doing the opposite makes so little sense. It means they're having to flat-out lie to their users, something very hard to recover from.
They probably want to confirm it, but in a completely open and transparent way that assures people there's nothing they should fear here, which they can't do because it's all cloaked in secrecy.
Now, I'm not so naive to think that if someone tried this, the government and courts would just say "Herp, derp, you sure outfoxed us there!" But has that strategy ever been tested in court?
And they note:
This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page.
1) This is exactly what you would need to do, to consider it realtime
2) None of the denials cover this
Consumers of the data need to know where it comes from and its scope, they don't necessarily need to know whether its acquired through cooperation or coercion or infiltration of the providers.
Also, that's what they were doing for more traditional wiretaps and you should be sure that they have access to siphon off live traffic for analysis if they want.
To be fair, if anyone can do this it's precisely these people.
... still not likely, though, I agree.
Edit: Found the answer:
The notion that it exists, and Google isn't involved in it, is pretty absurd. That'd be like talking about tapping the telecom companies, but leaving out Verizon and AT&T.
"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies and said a separate disclosure about an effort to sweep up records of telephone calls threatens “irreversible harm” to the nation’s national security."
Mr. Clapper said in a statement that the classified program to collect information from Internet providers is used to “protect our nation from a wide variety of threats” and he condemned the leaks of documents describing its existence.
They didn't give the NSA "direct access" to their system but created a front end for them instead... LOL.
"We only give data to the government in response to legal requests about named individuals."
I'm not going to comment on what's true or what's not, but I know a few things:
1. Having been "in the news" or when I've had firsthand knowledge of an event in the news, I'm always shocked by how inaccurate the news is. Usually not in broad strokes, but in lots of details. I have learned to take everything I read in the media with a healthy grain of salt. I'm not dissing journalists here, but that's what they are: journalists. They are not tech experts. What we are reading could very well be inaccurate. We've not vetted their source either. At least Google is a known entity.
2. This whole "we scan everything" business just seems farfetched. That's a lot of data to just double.
3. This program has been subject to oversight. I haven't lost that much faith in my elected officials, or government employees for that matter.
Do you all remember when the "news" was "leaked" by "anonymous hackers" who claimed to lift Apple user data from a hacked FBI laptop? The Internet lost its mind frothing against the surveillance state.
The minority of critical thinkers who suggested that maybe the claims of anonymous hackers shouldn't be taken entirely at face value were either ignored or shouted down. Blanket denials by the FBI were met with retorts of "we know they're lying!". News outlets -- many the very same covering the PRISM story -- repeated uncritically the accusations of the FBI harvesting Apple user data.
Do you all remember what the actual outcome of that story was? Spoiler alert: the allegations were grade-A bullshit. The only part that was true was that it involved (old) data lifted from a hack (against an app developer). Everything else was bogus self-aggrandizing, and the Internet loudmouths played right into it. Why? Because it confirmed people's existing fears.
The sad reality is that everything that has hit the news about this PRISM story -- and the Verizon story -- has actually shed very little light on anything. We have a source with unknown credibility providing incomplete and possibly even misunderstood information colliding with large corporate and government interests. Maybe everyone is lying. Maybe nobody is.
The only thing that is certain is that people unquestionably believe claims that confirm their existing beliefs.
This PRISM business (of which there had been no hint before) is a massive one-up on the seriousness of the Verizon scandal, and its timing in relation to it is deeply suspicious. It wouldn't be too difficult for someone in the intelligence services to make a pithy PowerPoint presentation about how the NSA slurps data from all and sundry (what was it supposed to be for again? "Training"?) and fake a leak to a few newspapers.
I predict that this story will turn out to be a complete wash, and in the meantime everyone will have forgotten about the not-as-sexy but much-more-true Verizon leak.
They say "we do not provide direct access", because as explained, any access goes through proper legal channels.
I'm not sure what you'd call it?
Remember language matters, and these are actionable public communications.
> First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers.
You would be hard pressed to argue that "direct" access proxied through a gov't contractor isn't the same as direct access. I don't think they'd cut the truth that close unless they were under oath. The court of public opinion is less caring of technicalities.
Isn't that basically their entire business model?
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday...Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records.
That kind of thing.
So, basically, what politicians put into their speeches?
Read over your statement again. There's very little of substance in there. For example, what does "this" in "We would never do 'this'" mean? And I'm not being pedantic, because exact language is important here. The question is, what could a non-PRISM-supporting Google say that would differ from what we see in the OP?
And this: It goes against everything we personally believe in and stand for.
OK...let's assume "It" has been properly defined. This hyperbole would be a lie, because....everything? Again, impossible.
"Even if we were legally required to cooperate, we would resist and suffer incarceration if necessary."
OK...cooperate in what? The statement you've proposed leaves room for other kinds of cooperation, if not technically the kind being alleged right now. So this statement doesn't resolve anything.
"We believe in freedom more strongly than we fear the consequences of not cooperating with an oppressive government"
OK, same objections as before. But -- and again, I'm referring to an alternate reality in which Google is standing up against the NSA and PRISM, which may or may not be the reality we are actually living -- if Page is telling the truth about knowing what PRISM stands for before yesterday, then the statement you've proposed is impossible for him to assert, because we still don't know everything about PRISM...and so how would Page know if PRISM is the act of an oppressive government? He literally would not know because PRISM was unknown to him until yesterday.
And if you're saying, well, he should just know, because obviously Google is taking part in the program...well, that's begging the question.
And if you're saying, well, he should just be able to make that statement because any reasonable person, upon reading the reports yesterday, would conclude that PRISM is the act of an oppressive government. OK, that's fine, but that's still not really an assertion of fact, it's just rhetoric.
If Google was actually taking a moral/ethical stance that being an accessory to unconstitutional warrantless searches is something that they find to be morally wrong, yes, I would be more comfortable. My reading of this was Larry saying, "I enjoy being a billionaire and will say whatever it takes to continue being one."
But when their impossible-to-verify assertion is that they've done nothing wrong, you'll accept that just fine?
There's a difference between these two things:
1. Issuing a vague non-denial so that when the truth is revealed, you can claim that you didn't technically lie ("Hey, I never said I didn't molest him, I just said I never slept with him")
2. Issuing a denial that is proven later to be false.
I'm not arguing with the GP that Page is telling the truth, but that, as much as we can tell, Page has issued a statement that can satisfiably be shown to be true or false.
I would feel better if Google put its brand at stake a little more, yeah.
Google is ACTIVELY forgoing revenue in China, because it wouldn't play by their rules. 
It's a start.
That's subjective, and I think you have severely unrealistic expectations of how far companies should be willing to go in this matter.
I believe Google's response is satisfactory. We can't prove negatives, so it's pointless to second guess Larry's post as being an orchestrated ruse. It at least gives us an official position and stance from the other party.
The typical response here on HN is that the threat of terrorism is greatly overstated. This is probably true, but I don't think it's reasonable to assert that the threat of terrorism is nonexistent. Given the amount of people who use Google's services, I think it's highly likely that such data does exist on Google's servers.
Should they be developing software to figure out who is beating their kids and notify the local police? Cheating on their taxes and notify the IRS? Breaking their marriage vows and notify their spouses?
Therefore, IMO, the best thing to do is assume that every single bit that hits a Google server, and every bit stored by Google, is available to the NSA, FBI, CIA, DIA, MI6, Mossad, etc., etc... which means using strong crypto to protect your stuff if you really care about keeping it private.
The only requests for information to which we respond are requests that contain the full name(s) of the people whose data is requested.
I'm sympathetic to being caught between a rock and a hard place, but given that this program only seems to involve US based companies, I would suggest that wherever possible people should prefer non-US software and services. Just as one prefers non-Chinese hardware for the exact same reason.
Argh. Hacker News refuses to save the URL. Replace %xF; with "/"
However with all the shady definitions the NSA is using (e.g. I can imagine some weasel claiming user data is only the content not the metadata) I would have liked an explicit example.
Something like, "For example, when one gmail user emails another gmail user the government is not, for the majority of users who are not the subject of a specific government order, made aware of this in any way including the contents of the email, metadata and even that an email was sent. Obviously, we have no control over emails, sent outside our network."
But I also believe the government works with ISPs (all major ISPs) so that they can intercept traffic. Which would be a type of MITM attack allowing them to get data from all major web sites.
"Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
Those sentences seem straightforward and unambiguous.
What would you prefer Google to say?
So realistically, the best approach is just to wait and see.
Even if you hold the root certs and can issue attack certs that validate up the cert chain, you can't MITM a cert-pinned client. In order to attack a cert-pinned site, the NSA would have to inject their own certs into Chrome's cert store, or have Google's private cert keys. Either would require compliance from Google.
That said, the canned "direct access" line - the exact terminology curiously arrived at by no less than 5 separate corporate PR departments within hours of each other - is a poor facade. They should have considered how using identical terminology would make these denials so transparent.
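The certificate-pinning argument made a few lines above, as an added example that is not part of the thread: a simplified model of a client that first validates the chain against its trusted roots and then checks the host's pins. Every name, host and key here is constructed; signature verification is omitted and the SPKI values are placeholder bytes, so this models the decision logic only.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo (constructed)


def spki_pin(cert: Cert) -> str:
    """Pin value: SHA-256 over the certificate's public key info."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_is_trusted(chain, trusted_roots) -> bool:
    """Ordinary PKI check: names chain up to a self-signed root in the store.

    Assumption: signatures are not modelled; a real client verifies each one.
    """
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and spki_pin(root) in trusted_roots


def pins_satisfied(host: str, chain, pinset) -> bool:
    """A pinned host needs at least one chain key that matches its pin set."""
    pins = pinset.get(host)
    if pins is None:
        return True  # host is not pinned, chain validation alone decides
    return any(spki_pin(cert) in pins for cert in chain)


def client_accepts(host: str, chain, trusted_roots, pinset) -> bool:
    return (
        chain_is_trusted(chain, trusted_roots)
        and chain[0].subject == host
        and pins_satisfied(host, chain, pinset)
    )


# Constructed sample data: two roots the client trusts, one pinned issuing CA.
ROOT_A = Cert("Example Root A", "Example Root A", b"root-a-key")
ROOT_B = Cert("Example Root B", "Example Root B", b"root-b-key")
PINNED_CA = Cert("Pinned Issuing CA", "Example Root A", b"pinned-issuing-key")

HOST = "mail.example.test"
LEGIT_CHAIN = [Cert(HOST, "Pinned Issuing CA", b"site-key"), PINNED_CA, ROOT_A]
# Certificate for the same host issued under the other trusted root.
MISISSUED_CHAIN = [Cert(HOST, "Example Root B", b"other-key"), ROOT_B]
UNPINNED_CHAIN = [Cert("other.example.test", "Example Root B", b"k2"), ROOT_B]

TRUSTED_ROOTS = {spki_pin(ROOT_A), spki_pin(ROOT_B)}
PINSET = {HOST: {spki_pin(PINNED_CA)}}


def evaluate():
    """Return the client's decision for each constructed chain."""
    return {
        "legit": client_accepts(HOST, LEGIT_CHAIN, TRUSTED_ROOTS, PINSET),
        "misissued_chain_valid": chain_is_trusted(MISISSUED_CHAIN, TRUSTED_ROOTS),
        "misissued": client_accepts(HOST, MISISSUED_CHAIN, TRUSTED_ROOTS, PINSET),
        "unpinned": client_accepts(
            "other.example.test", UNPINNED_CHAIN, TRUSTED_ROOTS, PINSET
        ),
    }


if __name__ == "__main__":
    for name, decision in evaluate().items():
        print(f"{name}: {decision}")
```

The mis-issued chain passes ordinary validation but is rejected for the pinned host, while the same kind of chain is accepted for a host with no pins, which is why pinning changes the outcome the comment describes.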
James Clapper, the director of national intelligence, released a statement last night saying the Guardian and Post articles about PRISM "contain numerous inaccuracies."
Clapper's statement didn't confirm or deny any NSA activity. He said only that the articles "refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act," and that any such collection is legal.
The Verizon order was limited to 3 months, for example, which is hardly open-ended... except that it presumably got re-upped every three months.
AND THE TWO AFTER THAT: "We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
The two after that look like a pretty good denial, though.
Next time, hopefully they'll make it less clear so that you have to translate the company-specific jargon and feel better that it's spontaneous and careless. </sarcasm>
This link has been submitted to the new queue at https://news.ycombinator.com/item?id=5841505 and I hope it gets voted up for wider attention.
this isn't difficult or particularly far-fetched!
this has previously happened: stuxnet (a product of several intelligence agencies) was digitally signed by a large semiconductor company!
The first sentence of the WaPo article which started this is "The NSA and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies". I think saying "we do not provide direct access" is a reasonable response.
So it's reasonable to suppose that the article was the source of that phrase.
From the rest of your comment, I think that you understand it quite well.
I re-read Larry's response carefully, and he did NOT refute the claim that they are giving data to some 3rd party (who then forwards it to the government). He just says that the government does not have direct access to it. But the issue that someone else can have the access is avoided, and it is exactly the same as Zuck's response.
Third, we would assume through logical deduction that someone who does deny the program's existence is either lying, being misleading, or has been misled themselves.
Finally, if this program does not actually exist, what the hell program are Obama and these Senators referring to?
> The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.
I think for a lot of folks complaining, his language (i.e. "direct access") is just overly precise enough to leave too much room in the margins for technical loopholes concerning "who" has access to "what" data. When Larry defends their general policies stating google "pushes back on requests", I am not convinced when terms like "overly broad" and "correct process" are left undefined.
But it's a 4 paragraph blog post- what do I expect?
My bet is that Google is under order of some kind of National Security Letter and has to deny involvement here.
"No direct access", "No backdoors".
"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period".
> Such subpoenas, including those covered under the USA Patriot Act, provide criminal penalties for revealing the existence of the warrant to any third party, including the service provider's customers.
"Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process."
"We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale [as of the Verizon order] is completely false."
Finally, NSLs cannot compel an organization to lie like this, and doing so would be very legally dangerous for Google.
It's amazing how little critical thinking HN does when we see something that confirms our beliefs.
They have poisoned public discourse beyond repair, and you make it sound like a conspiracy theory.
We can't conflate everything the government or the NSA does. This program seems unlikely for a number of reasons, including the conspiracy aspect (quite a lot of engineers working for Google, Apple, etc. would have to be in on it) and the technical challenges involved. Do you have any idea how much data Google produces? How complicated their infrastructure is?
That still doesn't mean we can accept the government lying to us or hiding basic information, just because we believe they are harmless kids way over their head.
For a continuous activity stream, a single fiber would do. How many queries and mails do you think google processes per second?
I found somewhere that they have 4 billion queries per day. I put 100 bytes per query, that translates to a measly 5MB/s. For emails I estimated 10% of 300 billion (some figures I found somewhere), with 10KB/email that translates to 3GB/s.
A single fiber optic cable contains many fibers each carrying at least 1TB/s. It's easily doable in a stealth way. They don't need to use more than 1% of a single fibre.
1) James Clapper admitted Prism is real
2) Of course such a program would involve the top Internet companies, who in the world else would it involve (the smallest Internet companies?)
"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies"
I'll give you gizmodo because it has specifically the quotes
PRISM is a completely separate issue and one I'm much more skeptical about. I also haven't seen anybody specifically admit to PRISM's existence, so I'd be interested if you can find a better source.
I have a naive understanding of how the internet works at the physical layer, but it seems like it would be trivial to create a system that allows for this statement to be true and for the data to actually be captured.
For an oversimplified, spherical-cow-in-a-vacuum example: if the user is the source in a passive optical network and both the nsa and google are targets, google has not provided access to their data to the nsa, the user has.
edit: And what would a statement of denial that is inclusive of all possible arrangements sound like? I think that any statement that asserts a one-to-one correspondence between you and google would be unrealistic.
We were also the first company to publish our transparency report on governmental requests, and the first company to include any specific number ranges on the number of national security letter (NSLs) that we get.
See also http://www.wired.com/threatlevel/2013/04/google-fights-nsl&#...; about national security letters. The appropriate and constructive place to channel frustration is at bad laws/legal provisions.
How is that related to helping the US government spy on its citizens?
> push back on overly broad governmental requests
> publish our transparency report on governmental requests
and also mentioned Google 'fighting back' at National Security Letters.
The fact that courts have upheld secrecy between NSA and Google before (just the one we know about) is quite relevant.
There are bad things at play here and just because Google has a cute, colorful logo and hires nerds doesn't make them innocent either.
We refused to comply obviously as the request was absurd, but in the small print of the request we were told we were not allowed to speak of the request and were to deny any involvement if asked under some unknown penalty.
I wouldn't be surprised if special terms of Google's interaction with any government agencies have a similar clause.
Remember when IBM announced they'd built the largest filesystem in history? That was only 120PB. A YB is 10 million times bigger than that.
Consider also that a YB is 1000x the entire storage industry output from 2012. So under your theory there is a parallel hard disk drive industry consisting of at least 99% of all hard disk production on Earth.
You're off by a factor of 10-15 on the square footage. Per the wiki page, "The planned structure is 1 million or 1.5 million square feet."
Typical government installation. 90% overhead.
Regardless, no one has theorized that the NSA is storing yottabytes of data. The (still probably crazy) rumors are zettabytes.
"NSA to store yottabytes in Utah data centre" -- http://crave.cnet.co.uk/gadgets/nsa-to-store-yottabytes-in-u...;
If you reduced Facebook's storage demands down to always static text, I think there's little doubt you could eliminate over 90% of their storage requirements (I'd say closer to 97%). And that's without any kind of compression.
It's not going to be able to hold more than an average size datacenter, and there are a lot of data centers out there, each holding more data that would have to be copied. The NSA has huge capabilities, but they're not nearly there yet. Most of what we should be worried about is their legal capabilities.
edit: it's also worth noting that the wikipedia article's source is the wired article, and all the wired article says is that a DoD report says that they need to start designing their network to handle yottabytes, which isn't even related to the NSA's data center. Wired then does some interpolation by using "yottabyte" to make the requirements of the data center sound big, but they never say that it was designed to handle that level of data or that it will ever be able to handle that level of data (in fact, they never even cite any level of data that it was designed to handle). But the Wikipedia article cites the Wired article, and suddenly it's become "a data storage facility for the United States Intelligence Community that is designed to store data on the scale of yottabytes".
Why not? Most data centers aren't designed to store a bunch of stuff, but instead are designed to serve a lot of users. Facebook has at least one storage forward data center and it packs an exabyte into a 60k sqft footprint:
I don't think the NSA has zettabytes at hand, but you can store a massive amount of stuff in 100k square feet.
So yes, the NSA does have a new datacenter. But no, it's not the new Area 51 nor is it host to magic computers.
The bulk of the data transmission and storage costs are probably under another budget
(My point with this comment is to point out a contradiction--you can't prove that silence clauses work by talking about a real example of one.)
They considered anyone who provided internet access to 100's of people a provider (mostly universities etc) and requested that they install the pre-specified hardware at their own expense (purchase, installation and maintenance).
They may have been concerned specifically with universities due to their foreign students and access to certain backbone lines that normal ISPs don't always have (WWW2?).
I spoke with the EFF and I was told I wasn't alone, but most people were rejecting the 'request' and not suffering any consequences. Our IT director took a hard line on the topic and tried to speak openly to reporters about how much the request offended him. He got as far as the school newspaper as in 2005 most people didn't understand the ramifications of this activity.
This was a request to install hardware to collect all data at any time.
1. Is there any way that someone outside of Google, can get a copy of an email I sent from my gmail to my own gmail, without a warrant that specifies my exact gmail address?
2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?
3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?
If the answer to any of this is YES, I am going to have to rethink my entire online life.
I would think google has historical backups they could refer to to pull out data that you've recently deleted.
Why not? You should already assume that google and pretty much any site logs your IP whether you are using incognito or not. You should also assume that any time you log in to gmail your IP is noted. It's extremely basic to do a db search for all gmail accounts that have been accessed by a given IP.
I should have clarified: except for temporary cache or periodic backups.
> Why not? You should already assume that google and pretty much any site logs your IP whether you are using incognito or not. You should also assume that any time you log in to gmail your IP is noted. It's extremely basic to do a db search for all gmail accounts that have been accessed by a given IP.
I meant if you do not login to Google and do a search in incognito mode, is that history stored? I can delete my history if I'm logged in. But there is no way to delete history by IP. It seems 'safer' to in fact use your logged in Google account to search.
At least you can mark it as deleted, and you can't access it anymore. Is it really "deleted"?
Anything else involves trust.
Resort to that and fight back from there.
This whole issue makes me want to donate a bunch of money to the EFF. If anyone else feels the same way, you can donate to the EFF here: https://supporters.eff.org/donate and I believe a lot of employers will match contributions.
Let me ask you this - do you feel 100% comfortable that nobody outside of Google can read your personal gmail?
Obviously this opens the door to all kinds of unfalsifiable, paranoid conspiracy madness, but that is a direct consequence of the government's unrelenting commitment to maximum secrecy.
Then they can just save all your encrypted traffic and break it on demand.
We all need to start considering moving to Elliptic Curve Cryptography.
It's just a guess, but it could fit with the relatively low cost figure given ($20 Million).
I'd be a bit happier if we were to hear from Soviet refugee Sergey Brin....
* That's one of the terrible things about doing everything in secret; we know that if Google is subject to a broad demand from a National Security Letter they can't tell us that without suffering terrible penalties. The government has set up a situation where we literally are not able to trust the words of Google et al., at least prior to a major figure deciding to pay that penalty for the greater good. Which history tells us requires a rare courage.
For some people, I doubt trust can ever be regained. Companies affected by this PRISM program should sue the US Government for damages, or at least sue them until it is completely declassified.
First, I'm not a US citizen. So, it seems I just have to assume that NSA is certainly tracking me.
Now to the topic of spying on US citizens, considering how no one seems to have ever heard about PRISM, the breaking of this story based on flimsy evidence seems to me like an attempt to side track from the real and confirmed story of NSA accessing Call Data Records from Verizon of millions of citizens (The industry calls it CDRs, why have we started calling it "Metadata" since yesterday).
I wouldn't be surprised (though I have no evidence at all) that the PRISM story was planted to change the public discourse.
Which is what is in question, no? If being in accordance with the law means keeping secret the requests you do serve, even if broad, you're still handing out the information. You just don't have to put it in your "transparency report."
Can't really say any of this is even remotely surprising given what we, in the industry of software development, know about what kind of information can be gathered and how vast volumes of it can be processed and analyzed.
He's clearly stating that they do read non-Americans' emails. So how do they do it if they don't have access to Google's servers?
BTW, if you run a company outside of America you'd be crazy to rely on Google since the US could be reading your emails for corporate espionage purposes. I think in the long run these revelations are very threatening to Silicon Valley.
The US could be spying on activities, including email transmissions, that happen wholly outside of the US, as well.
The only reason PRISM, et al., are newsworthy is that there are expectations and widely-perceived legal/constitutional limitations of US government domestic surveillance that don't exist for foreign surveillance.
It makes no sense to use Google which is why I'm saying this is threatening to Silicon Valley. Think of it this way, do you think a Chinese email service could become trusted enough to become globally competitive?
Which is great, if you have a decent idea of the NSA's (and the US intelligence establishment in general) capabilities. If not, you're essentially fumbling around in the dark trying to make that kind of infrastructure selection. (And, of course, the US intelligence community isn't the only threat, China -- through whom much traffic that neither originates in nor terminates in China is routed -- has to be a consideration, particularly, but they aren't the only other threat, either.)
If you don't have a system where you have strong theoretical guarantees of end-to-end security and integrity with the data sent over untrusted infrastructure, its security against any of the major threats really relies more than anything on them just not caring about it, and if you think that you are meaningfully buying security by choosing between Google or one of their competitors for basic services, you are probably deluding yourself.
So there's this protocol called SMTP...
The way the government bends the law for some years now just to punish everyone they feel like, either through imprisonment, scrutiny or simply by wasting years of their lives, savings of their lives and leaving them with a huge lawyer's bill, I wouldn't be surprised if Page had no choice but to lie on the record. And guess what; if, arguendo, he did, he will be pardoned later on. What would you choose? Admit to a secret program run by a secret agency and face brutal consequences (fines, imprisonment, a charge of espionage or maybe capital punishment? (why not? why wouldn't the government go after Page "proving" that by admitting the US sees everything everyone types to Google, it tipped off some terrorist somewhere who stopped using Google and because of that the government lost track of him until he blew himself up in the middle of a crowded street. You get the drift)), or perhaps come up as a good patriot and tell the truth. We already have one that told the truth. He spent 3 years in solitary confinement and may be facing a life sentence or capital punishment.
People need to understand. This is too big of a secret even for someone like Page to come up and admit.
If we're to be a country where innocence is presumed and guilt is proven, we must consider what Larry Page would write in the case that Google is not supplying any sort of un-warranted feed to NSA. Would it be any different?
There's nothing Google, Apple, Facebook, etc can say that some people won't poke holes into.
There is another vector of privacy leakage here - there are also the ISPs, who I am pretty sure work alongside the government in a majorly secretive way.
We live in a semi-authoritarian society. Anyone the authorities might want to use for their purposes is suspect. We _should_ be encrypting everything as a matter of principle and not relying on one huge point of failure like Google.
But to be honest, I don't bear any ill will toward Google on this. Based on their behavior in the past, I'm willing to believe that if this program existed, they pushed back to the extent they felt they could... but if they eventually complied, it's difficult to blame them, given the threats the government is capable of making.
Unfortunately, the only place to resolve this is at the government level, if it can be resolved at all.
Specifically, the personal integrity of the founders -- especially vis-a-vis these kinds of issues -- is one of the bedrocks of Google's culture. If a statement like this was proven out to be a deliberate misrepresentation (even if not an outright lie) it would cause IMO severe harm to Google morale.
The key phrase is "in the United States" so they just replicate the data outside the United States and you've got yourself a data 'black site' outside the jurisdiction of US law. No direct access. No laws broken. Open access to the NSA.
- What lawful data does Google automatically provide to the government without any requests?
- Can the government ask Google for data once, and then Google is required to constantly supply data, periodically? If so, what is that data?
- What data does Google provide to the government upon request?
First, we have not joined [Maybe you didn't "join", but instead merely participated in?] any program that would give the U.S. government—or any other government—direct access [How about indirect access? What is "direct access", anyway?] to our servers [The reporting suggests the NSA provided some hardware. So I guess it's not your servers, huh?]. Indeed, the U.S. government does not have direct access [There's that weird term again] or a “back door” [With quotes. Nice.] to the information stored in our data centers. We had not heard of a program called PRISM until yesterday [This one is especially bad. Apparently the NSA didn't tell them the program was called 'PRISM'?]
Second, we provide user data to governments only in accordance with the law [Note that the government also claims this program is in accordance with the law]. Our legal team reviews each and every request [What's the scope of a request?], and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data [Not what the reports are suggesting] are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records [Which is wholly unrelated to PRISM and Google.]. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false [Such a scale being what, exactly? All of your users' data?].
Note what it doesn't answer:
Does Google provide data to the NSA?
Does the NSA have resources in Google data centers?
Does Google know what these reports about the NSA spying on our Google accounts are all about?
It really doesn't answer those. Lame.
What Internet companies are they getting information from, such that they wouldn't target the top dozen companies that account for the radical majority of anything you'd want to bother tapping into? Who do people think they're talking about? Excite? Some small local ISP?
They got Verizon and AT&T to sign on to massive scale spying. If they can do that, they can get Google and Facebook and so on. These companies simply have no choice in the matter. You'll recall that Google's anti-trust inquiry recently, conveniently, went away with barely a slap on the wrist.
We're all big kids, if you read that the Chinese/Russian/whatever government had access to information straight from Facebook's servers most people wouldn't doubt it for a second and most people would assume they took it through hacking.
So how can you be surprised that NSA is listening to your Skype calls? Maybe they're using a backdoor made for them, maybe they're using a backdoor MS put in for synergy, maybe they threw a million GPUs at it for a few years... And maybe they got permissions from MS, or maybe they social hacked it, maybe they take it before it gets to MS's servers. Some of those might be illegal and some not but anyone who's surprised or suddenly outraged has been living under a rock since forever.
"It is generally done via secret arrangements not with the company, but with the employees. The company does not provide back-door access, but the people do. The trick is to place people with excellent tech skills and dual loyalties into strategic locations in the company. These 'assets' will then execute the work required in secret, and spare the company and most all of their workmates the embarrassment"
I don't see any citation or evidence given for this so this person's claim could just be idle speculation but it's along the lines of what I'd assume. The NSA treats your privacy as a math problem and routes around it.
What kind of security do companies like Google and Facebook have to protect private user data from employees? I remember reading that Facebook used to (?) allow unfettered access to all private user data until (surprise!) some creepy employees began stalking people.
Now look at it side-by-side with Larry Page's response. Anyone with half a brain should be scared by this. It really scares me as well. I put more of my trust in Google, and perhaps even Facebook, than I place in the Government, or the phone companies, or others. However, these definitely look like they are created from the same template. Very worrying coming from Page and Zuckerberg like this at the exact same time. I just hope there really isn't a man behind the curtain pulling the strings of such powerful figures in technology today.
Does anyone know if there could have been a meeting between these CEOs to decide how they were going to respond? Perhaps they all decided to make their responses uniform together, instead of some external source telling them what to do.
This is problematic when the government decides the law means you have to give them your data, you can't say no, you can't say anything about it, and if asked you must deny it.
In this day and age, who knows who's telling the truth. When lying becomes law, truth no longer exists.
What sort of information about me would the NSA be interested in?
Using piecemeal "direct access" would also hurt the government's data mining ambitions, so there are a lot of factors that suggest internet companies are simply obligated to stream all their data into a gov black box. This way, everybody wins: the government gets warrant-less, hassle-free access to absolutely everything, the internet companies get freedom from search warrants and NSLs, and they get to use the canned "direct access" denial line which is technically true but is still actually a huge lie.
Google could have used their platform to campaign for better laws: a 'free speech + question mark' logo on their home page outlining their concerns would have been consistent with 'Don't be Evil'... but they didn't even do that.
A not-just-non-evil-but-actively-good Google should have said to the Government: "No, you may not have any access to our customers' data - you need to physically raid our buildings with a warrant to prise that from our stewardship. You need to hold us as a company in contempt of court."
How much better is the US than China? How can there be a democracy without both free speech and a right to private conversation?
1. What the leaker communicated to news outlets
2. What the news outlets communicated to us
It seems likely that exact terms and technical capabilities have been misunderstood or misinterpreted. Already, there are common misconceptions arising from the public's interpretation of the news...for example, conflating the NSA's deal with Verizon to the PRISM program. And there's also the natural confusion that generally arises in any discussion of government surveillance programs...some people seem to be surprised that the NSA is spying on foreign communications, when that is pretty much NSA's raison d'etre.
I think we should take Page as a clear denial, that is, that he's not weaseling out on a technicality. That doesn't mean he couldn't be flat out lying, of course. I think it's also believable that if Google were to participate in a program like PRISM, that Page would be one of the people in the know.
"Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers."
Sure, that's fine. But the fact that the initial PPT gives a specific date on which Google cooperation began already suggests that Google may be handing over data, not that the gov't is sucking it all down automatically.
Also, they say "data centers" in particular. Data travels over lots of other pipes.
"We had not heard of a program called PRISM until yesterday."
Not surprising the NSA wouldn't tell them the secret code name of the project in their discussions.
"we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process."
This is an enormous loophole. "in accordance to the law" could mean anything, and with automated review systems the volume of data passing through could be massive.
"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period."
Not providing "open-ended access" does not mean not providing any access.
"We were very surprised to learn that such broad orders exist."
But not surprised to learn that other not-so-broad orders exist. How broad is too broad?
Not "on such a scale", but on a slightly smaller scale, sure.
"there needs to be a more transparent approach"
In other words, we wish we could tell you about everything we're doing with the NSA, but we aren't allowed to.
Really this doesn't read like any sort of denial at all.
What happened to the government working for us, the people? Yes, I'm sure I'm naive, but still.
I don't see this getting better before it gets worse. Sorry.
Zuck: They "trust me"
Zuck: Dumb fucks.
He has no credibility.
It may be just an unfortunate coincidence of timing and nature of lawyer laden executive language - but together these statements almost become counterproductive.
I.e. "Never heard of it... We push back as much as we can... See these push-backs in our transparency report. Feel Better?"
Or was it just "indirect access", as in via some other company?
Right, but government-hired contractors are not 'the government'. So while this could be true, users' data could still be being intercepted.
So what would satisfy me?
"We minimize intrusions into our users' privacy by encrypting their data on the client side with good crypto algorithms and secure keys that, assuming a secure client system, are under the full control of our users."
Followed by a list of types of data, and which types are or are not encrypted in this way.
That comes close. It's not exactly PR-speak, but captures the spirit I would hope for.
Google could at least try harder to be proactive about protecting privacy.
The team itself wouldn't even need to know about it. Just keep them funded and let them stay current on supporting the latest doodad, and it stays useful to the nefarious spy work as well.
Especially the final sentence is explicit:
But the level of secrecy around the current legal
procedures undermines the freedoms we all cherish.
Just make a big enough stir, be explicit about what threats were levied, and tell us all. It would be impossible to prosecute them after that shitstorm.
I wouldn't be surprised if none of these companies was involved, and it's just a case that the NSA is simply harvesting and processing all of their traffic for a net same result.
When the chief legal officer co-authors a post with a CEO, it means that each word has been carefully chosen, because each of these statements carries serious consequences if they get it wrong.
Well, now I feel better. Oh wait, PRISM is technically legal since it's supposedly authorized by the senate?
Who's lying? Confused?
Would be much better if this were "only when required to by law".
"As Google’s CEO and Chief Legal Officer, we wanted you to have the facts."
While something along the general lines of 'Prism' probably exists, in aggregate, across different NSA programs, I believe the presentation slides are fake and were created / leaked by the executive branch.
Here's my reasoning:
Who is the audience????
Who were these slides prepared for? Who is the target audience? If real, the information is obviously very, very sensitive- so it follows that the original audience would have been very, very high level.
But who at that high of a level needs this type of explanation for a project that started years ago?? It reads more like something you would create for someone that has never heard of it. Doesn't make sense.
Gee- nice of the creator to put the logos of each of the companies at the top of the slide- of every slide. Which leads me to ask...
Where are the rest of the slides?
Was it only a 4 slide presentation? Who gives super-high level presentations with only 4 slides? If there were more than 4 slides, were the company logos across the top of EVERY page? Does that even make sense?
It's also interesting that the 4 slides present such a simple, easy to understand story line- it reads like the target audience is a school tour - not super-secret-high-level-officials-(hearing about it for the first time).
Who made the logo? The NSA graphic design office? Seriously, why would a program like that have a logo? For marketing purposes??
Prism has a web page!
From the bottom of slide 3- "Complete list and details on Prism web page: Go PRISMFAA" A web page? Even if it's private to the NSA it's absurd.
The Political Angle (motive)
IRS - Big Government Story
The IRS / Tea Party story was looking very, very bad for the administration. It's one thing for Republicans / Libertarians to say big government is bad - you play that off as partisan politics. The average person goes about their day.
The IRS is different- EVERYONE deals with the IRS. The narrative was a simple one - IRS abuses power to attack political enemies. That scares people- pretty much everyone.
The Obama administration is all about big government - they don't see it as a bad thing. They believe government is in a unique position to help people. If the electorate turns against 'big government', whatever agenda Obama has for the next 3 years would be finished. The IRS story is a very big deal.
Incredibly Savvy Political Operators
The Obama political team is a force to be reckoned with. Between incredible political savvy and incredible data analysis, they have taken the political game to an entirely new level. They are very, very good.
How does one 'fix' this problem? A tried and true solution is for a bigger story to come along and eclipse the 'problem' story. In the Wag The Dog world, you would start a war. But that's just a movie.
What would be a perfect story? How about a story that simultaneously eclipses the IRS story, while blurring the big government issue?
That's just what happened. The NSA story is at an abstract level the same as the IRS story- it's about big government run amok. However, by rolling the two together Obama can claim 'security' as a trump card. It only really applies to the NSA part of the story - but the press isn't big on subtle distinctions, so no worries there.
Is it a coincidence the Washington Post broke the story just as the evening news was starting on the West Coast? IE - the end of the day's news cycle? That gives a full day for the press to roll the IRS stories up and for the President to make a presidential statement about security. Sum it all up on the evening news and gee - look at that - it's Friday. Time for a summer weekend.
All the firms listed in the slide presentation header have denied the story. Yes the language they used is very similar but at the same time it is the same language used by the press ("direct access"). The denials sound pretty believable to me. Even if Larry Page were under some gag order, I doubt he'd say something along the lines of 'I've never heard of it.' I think he'd follow the letter of the law (gag order), but not the spirit.
This is a long post - and my first post (long time lurker though).
In a nutshell:
The slide presentation looks very 'Made for TV'
The timing is SUPER convenient.
Apple: "We do not provide any government agency with direct access"
Facebook: "We do not provide any government organization with direct access"
Yahoo: "We do not provide the government with direct access"
Remarkably consistent - as if it was coordinated, or scripted by an attorney...
Did the NSA choose "PRISM" because they are splitting the signal upstream of providers, thus giving private companies plausible deniability?
Larry smells the end of his company's "trust us with all your data...all your life on cloud...search while logged in...visit pages with Google Analytics...it's secure" etc. etc. etc. While NSA might not catalog everything you do, Google does and everything is there for NSA's and FBI's asking. The more information Google and Facebook (to pick two of the largest) have stored, the worse it is for us. They know EVERYTHING about pages you visit, how long you stay there, what you searched for, what places you went to (Android), what you emailed, foods you liked, what you ordered from eBay, and so on. A treasure trove for NSA, a nightmare for us.
Start thinking! Stay logged out of Google and FB, use hosts file, Ghostery etc to block and make NSA's and FBI's life as hard as possible.
What's good for Google is good for NSA, but not necessarily for you. NSA would love Google Now, wouldn't they?
Great! So if the law - namely the Patriot Act - states the Government has the authority to spy on all your users' emails, your legal team reviews it, says it's ok according to the law and you cooperate. Is that how it works?