Hacker News new | comments | show | ask | jobs | submit login
Larry Page addresses PRISM (googleblog.blogspot.com)
715 points by raldi 1211 days ago | hide | past | web | 441 comments | favorite

I can't understand the repeated use of "direct access". It's the kind of language a lawyer would use to qualify a patent clause.

- We do not provide direct access to our servers.

- We do not provide direct access nor is there a backdoor.

- O, but we do still pipe all of your data to external NSA servers. </sarc>

Every company named (I'm not just picking on Google here) has come out with the same overarching statement. "We do not provide direct access". It just smells of being rehearsed, and carefully coordinated to select such language.

    Until this week’s reports, we had never heard of the 
    broad type of order that Verizon received—an order that 
    appears to have required them to hand over millions of 
    users’ call records. We were very surprised to learn 
    that such broad orders exist. Any suggestion that Google 
    is disclosing information about our users’ Internet 
    activity on such a scale is completely false.
I'm not sure how much more strongly you'd like that worded. It seems pretty complete to me.

There's 2 different things going on, under different legal authorities and Google is confusing them.

Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigner.

Google and other tech companies are said to have gotten orders under section 702 of the FISA Amendments Act of 2008. That allows the government to compel communications companies to furnish lots of metadata and CONTENT on NON-U.S. persons. This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons.

Compliance is mandatory, under contempt of court and companies must provide facilities and help. They also get reimbursed.

So it's likely Google never got an order like Verizon did, they likely got one that involves content, but is supposed to exclude intentional targeting of Americans.

I don't buy it. What I quoted above doesn't say anything about US persons or non-US persons, about content or metadata, about this law or that one. It just says,

    Any suggestion that Google is disclosing information 
    about our users’ Internet activity on such a scale 
    is completely false.
Now, Page may well be lying, but he definitely isn't weaseling. I'm pretty sure that denial covers both of the possibilities you're referring to.

Of course it's weaseling. Maybe they disclosed such information on a slightly lesser scale. That passage doesn't say.

They all said stuff about "direct access", without discussing what would and wouldn't qualify as "indirect". They didn't deny doing all kinds of different access that could be called indirect in some way.

WaPost backtracks on claim tech companies ‘participate knowingly’ in PRISM data collection


Of course they don't deny indirect because that would be a lie. Everyone provides data indirectly via a thing called "warrants". Google publishes how many indirect requests they comply with right here: http://www.google.com/transparencyreport/userdatarequests

The thing is we can't trust any statement by anyone because of the gagging component of NSLs. I've heard it said that the above information is for FBI requests under the patriot act and doesn't include NSLs. For all we know NSL gags could explicitly forbid that kind of reporting and may even compel the recipients to lie if asked.

The last sentence he made, that the government needs to be far more transparent about what they're doing is the only sentence I can really trust as honest, especially given that the alternative to lying could be being thrown into Guantanamo for 'assisting terrorists'.

Those goole reports are for regular law enforcement requests. They have nothing to do with spying that happens in the name of national intelligence.

False, national intelligence is still covered by Google's transparency report - see the NSL (National Security Letters) part.

>The presentation claims Prism was introduced to overcome what the NSA regarded as shortcomings of Fisa warrants in tracking suspected foreign terrorists. It noted that the US has a "home-field advantage" due to housing much of the internet's architecture. But the presentation claimed "Fisa constraints restricted our home-field advantage" because Fisa required individual warrants and confirmations that both the sender and receiver of a communication were outside the US.

>"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."


I think there are a lot of possibilities that could be consistent with Page's statement that also involve the NSA spying on Google users. For example, perhaps the NSA asked Google to disclose their SSL private keys; then, if they are willing to do an active attack with their own infrastructure, they could transparently perform a MITM attack on all requests to gmail, and it would be virtually undetectable.

Another possibility is that the NSA could have served orders on Google employees directly, and they are compelled not to tell their managers about what they did for the NSA.

Or you just follow standard operating procedures for foreign intelligence collection.

You hire a foreign national, working for a foreign division of Google to be your spy. Unless every US citizens mail server is domestic, lotta a loopholes to be found.

People should also not assume the credit card statement from their bank is a batch job run on US servers by their bank. I've been told this stuff is outsourced, probably to the lowest bidder. Which if I were an intelligence service, I would be more than happy to subsidize.

>I've been told this stuff is outsourced, probably to the lowest bidder.

You have been told incorrectly. (Source: I work for a major US credit card company.) Certain pieces of the development and maintenance may be outsourced (under the supervision of US employees), but we (and, as far as I know, all our major competitors) own the data centers where they are run.

  | they are compelled not to tell their managers
  | about what they did for the NSA.
This seems problematic. What if another employee discovers what was done? What if it goes all the way up the chain? When they ask the employee why the created a backdoor, is the employee then obligated to lie? Get fired for the lie? Go to prison while maintaining it's not a NSA secret program?

The key issue here is that Google and the other companies may have no idea this is going on. My read is that the NSA has managed to gain access to the data centers either through inside help, spy craft, hardware/router back doors, or some other means we have no idea about.

AT&T and Verizon are two of the most powerful companies in the US, and have massive lobbying power. The notion that those companies were compelled to sign on to huge espionage programs, with their chiefs being fully aware of it - but yet somehow Facebook / Google / Microsoft / Apple etc. did not have to sign on to anything related to Prism (which has been openly admitted to exist by the Feds), nor were they aware of anything, is just about impossible.

It's hard for me to believe they could access to the data centers without Google's knowledge.

Isn't it more plausible that they're intercepting data flowing in and out of Google servers?


<conspiracy theory> We haven't seen posts from the CEOs of Cisco/Juniper/Dell/HP or other manufacturers of datacenter grade network equipment. Who needs Google/Facebook's "knowledge" if you've got root on all the border network gear (and SSL termination hardware)?

I know here in .au, Huawei have been excluded from the government-deployed National Broadband Network due to suspicions that the Chinese government has too much control/access to Huawei newtwork hardware.

an old time option - a few employees "compelled" to provide access and keep mouth shout.

a new time option - Larry is lying because of the gag order.

in between - Larry said "on such scale". Well, Google probably is of a bigger scale than Verizon.

Anyway, once the data is out there, it is only a matter of time and determination for a government (or any financially well backed up player) to get to it.

This scandal will be a great boost for any services involving "crypto", and probably would spring a new ones like an encrypted phone exchange/switch service, where one can see incoming and outcoming phone numbers, yet not which one connected to which :)

This was my initial assumption, that Prism referred to fiber optic prisms that are used to duplicate data with zero interference.

These can be installed at the trunk level with virtually no one knowing about it (maybe a couple of on site managers). They can handle massive data and pipe it directly to the NSA. The problem of course is you're dealing with raw data which isn't nearly as easy to work with then if you had direct access to internals.

These are already installed on every major backbone so I also don't see why they would bother to involve anyone, so there must be more to it.

ps. It would be nice if another whistleblower came out with the data on optic splitters and how the NSA uses them.

possible the timeline on the slide is when NSA successfully began making sense of the raw data they could be collecting at internet backbones? also possible that the document purposefully threw the public off track by implicating these players, thus limiting the legitimacy of the claim if it ever came to light?

Consider the sheer volume of data we're talking about here. Unless you think these companies would miss a fiber optic trunk running out the back door of their data centers, does that make any sense?

The Feds have direct taps into every major telecom carrier in the US. You can't fire off a search query to Google without the Feds technically being able to pick it up.

Access is trivial, volume is a much more interesting problem.

This is accurate. When your service provider is having a scheduled maintenance, it might be a passive optical tap or port replicator.

How much data is leaving?

There could be a lot less data leaving than you think.

>>Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

If you consider that PRISM is not a 'dragnet' but rather an automated system that processes FISA warrants on company premises then the denial wouldn't be wrong. There is no 'scale' that you wouldn't be able to get using regular data requests to internet companies. PRISM could just make the process a lot easier for everyone involved.

So instead of sending a warrant over, having the company verify and send the data to the NSA, then finally transforming the data into a reportable format PRISM automates the whole process.

If you read some of the media descriptions it almost looks like PRISM is more of a data aggregation and portal system that sits on top of a data source and allows analysts to explore content.

I 100% agree; I don't see how anyone can ask for a more blatant and firm statement than that.

But if they were give similar court order terms as under the Verizon court order wouldn't he legally have to lie or violate the court order? Or just not give a comment, but no comment on this would implies guilt to a lot of people so lying could seem like the correct path.

I don't believe he can be forced to lie. If he was in that situation, I imagine he would simply not respond.

> Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigner.

No, it was a FISA order: http://www.guardian.co.uk/world/interactive/2013/jun/06/veri...

Both of you are correct. The Patriot Act Section 215 amended the FISA statutes.

I don't see how they could have gotten an order under the Patriot Act. The section that deals with this is section 215, which amended section 501 of FISA.

It specifically states that such an order can be made "provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution".

If they have been violated, then there are a number of members of Congress and the Senate who are falling down on their job - the Attorney General must inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate. On top of this, every 6 months the Attorney General must also provide a report to the Committee on the Judiciary of the House of Representatives and the Senate which details the total number of applications made for orders approving requests for the production of tangible things and the total number of such orders either granted, modified, or denied.

I've read and documented the USA PATRIOT Act on Wikipedia incidentally. Took me two years to read and understand the thing. Possibly things after the Patriot Act changed FISA, I wasn't going to spend any more time on writing up about this subject. I'm an Australian citizen, after all.

I should note that I'm not thrilled about the fact that the U.S. government can read my communications. Not that I have anything to hide, nor am I of any interest to them, but hardly the point.

The two parts to read on Wikipedia, incidentally are:

* http://en.wikipedia.org/wiki/Patriot_Act,_Title_II#Overview

* http://en.wikipedia.org/wiki/Detailed_breakdown_of_USA_PATRI...

>This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons

But how would you determine on the internet that an account holder was a US person or not ?

If I claim to be the person X who is a US person by registering for an account in their name, am I then a US person and therefore supposedly exempt from monitoring? Even IP-based clues are not enough as those are not full-proof.

I suspect that both US persons can be just as susceptible to tracking from the Government.

> But how would you determine on the internet that an account holder was a US person or not?

That's why they only have to check a box saying they a reasonably sure that there is at least a 51% chance.

Vague laws are invariably wildcards that can and will be abused.

Unless I am mistaken US and most European countries are based on Democracy. Wikipedia defines Democracy as a form of government in which all eligible citizens have an equal say in the decisions that affect their lives. Granted, wikipedia is not the oracle but it gives a good definition in my opinion. Does, the gathering of my personal data, affect my life ? Well in my personal opinion it does, therefore I should be informed about it.

The US was based on the ideas of a Constitutional Republic, not a Democracy.

Right, there are different forms of democracies. From this chart I see that US is categorized under Full Democracy: https://en.wikipedia.org/wiki/File:Democracy_Index_2012_gree... https://en.wikipedia.org/wiki/Democracy_Index https://en.wikipedia.org/wiki/Democracy

What's become very clear is that there is a lot of careful parsing going on. Careful parsing of the constitution, careful parsing of various laws, very very careful interpretation of the words on the page.

Does Google give anyone, any company, any entity, anyone at all direct access to their data? They've specifically excluded NSA. Does NSA subcontract that to Booz Allen Hamilton? Google claims that no government has this access, what about one of the 1200+ Top Secret cleared contracting companies?

Can these companies officially comment on this stuff yet? Or are they violating court orders if they talk about it? I like Google, I really want to trust them and I think they've moved the needle in our industry in some very positive ways. Honestly though, I think they could make much much stronger statements about this stuff. I expect them to say stuff like this to keep up with appearances.

> Careful parsing of the constitution, careful parsing of various laws, very very careful interpretation of the words on the page.

There is no "careful parsing" of the Constitution going on. Just people who never read the document very carefully other than what they thought the teacher said in 8th grade.

This is the entirety of the 4th amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

If any "parsing" is going on, it's creative parsing to make the argument that information you freely handed over to Google and AT&T, or indeed information that was never even in your possession but was generated by AT&T (e.g. call data records, web server logs) is somehow your "papers or effects." Tell me how that is anything other than creative parsing? How is a document that you never even had in your possession somehow your private information?

To follow up even the Supreme Court ruled in 1928 that a wiretap did not constitute a search under the 4th Amendment so there was no need for a warrant.

Wiretaps themselves became illegal and the information from them inadmissible under the 1934 Communications Act. This didn't really stop wiretaps. Instead they were used as a method of intelligence gathering to go and find stuff that was admissible. Note that this was not a reflection on the Constitutionality of wiretaps, but instead the sense that they just weren't needed to convict criminals.

By the 1960's wiretaps were again brought to the Supreme Court and they outlined how a wiretap statue could pass Constitutional muster. The Katz case is where the "expectation of privacy" language was introduced. This resulted in wiretap statues passing in late the late 60s and that's basically what we had until the PATRIOT Act of 2001.


Katz is not the whole story. Yet again, I suggest reading Smith v. Maryland.

Really? You don't think of information in your Gmail or Google Drive as personal "papers or effects"? Would you be fine with a Google employee reading through your email or your spreadsheets in order to figure out whether you were working on a product that might compete with one of Google's, or maybe because they ran across your profile on a dating site and wanted to check up on you? If so, I think you're unusual.

In a world where important documents are increasingly electronic, and electronic stuff is increasingly routinely backed up, transmitted through, or just stored on remote servers, people's personal papers will be increasingly in the possession of others.

I won't argue that it's impossible to read the Constitution so that it becomes a set of meaningless restrictions on outdated technologies--legal text is never deterministic and always subject to multiple interpretations--but it's certainly not unreasonable for somebody to have "read the document very carefully" and found it more robust and relevant than you do.

> Would you be fine with a Google employee reading through your email or your spreadsheets in order to figure out whether you were working on a product that might compete with one of Google's, or maybe because they ran across your profile on a dating site and wanted to check up on you?

Wouldn't I be pretty stupid if I had a problem with these things, yet still uploaded these documents in clear text to Google's servers where absolutely nothing stopped Google from doing these things? Especially when they tell me point blank that they do indeed sift through the documents (for ad targeting)?

We routinely rely on social codes rather than technology to protect our privacy (as well as our property and lives). There's nothing physically preventing my building super from using her key to go into my apartment and look through or steal all my stuff, but I'd be upset if it happened. What's more, 99.9% of Google's users are in no position to evaluate the cryptographic security, or lack thereof, of their documents. Finally, Google has actually said no humans read your email, in response to that Microsoft campaign. So no, hypothetical you wouldn't be stupid, and you are wrong to imply that the millions of Google users who would have a problem with those things are being stupid now. Making a series of decisions that we will at some point regret, perhaps, but your condescension is unwarranted.

Please stop spreading misinformation.

* Google scans email, not other documents in Drive: http://support.google.com/a/bin/answer.py?hl=en&answer=60762

* Just as the NSA claims that collecting data doesn't count until a person reads it, Google affirms that humans do not read user data without permission.

* Documents are are encrypted in transit, not uploaded in clear text.

Google Drive is very much like a safe deposit box in a bank, in terms of user expectation of privacy, and vendor promises.

If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?

Email is slightly more complicated, due to automated ads scanning.

> If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?

if your secretary agrees to give it to them , of course they can.

And if your secretary doesn't agree? When the FBI man gives an order, submission is not consent.

How is a document that you never even had in your possession somehow your private information?

Have you been to a doctor? Have you seen that folder full of your medical information? Have you ever possessed it? Most likely not, but that is your private information and there are very strict rules about how it is handled and who can access its contents.

Those rules are all statutory. There is no Constitutional protection for those documents.

Congress can repeal HIPAA.

First, third party doctrine is more limited than that, and in the event where a party is compelled to retain information and disclose it, third party doctrine becomes quite questionable (because they end up acting under the color of law).

The thing is that usually CDR data doesn't require a warrant. The court ruled that since people are typically aware that the existance of CDR's and may rely on them for services from the telephone company, and because they are relatively non-revealing they do not constitute a search.

The point is that the user of the telephone service discloses the calling information to the phone company and in such a way as to expect no privacy over the information. A similar case might be IP packet header information over routers, or photocopying address/return address/postmarks on the outside of envelopes passing through the USPS. None of these are considered to violate any reasonable expectation of privacy because, for example, we can expect that the address on the letter we drop of at the post office is publicly visible.

You should read about Roe v. Wade, rayiner

Roe v. Wade was a pure exercise in legislating from the bench, and even many of its supporters will admit that.

O'Connor got it right in Casey when she distanced the right to abortion from the right to privacy: "That is because the liberty of the woman is at stake in a sense unique to the human condition and so unique to the law."

From Roe: "The Constitution does not explicitly mention any right of privacy. In a line of decisions, however, going back perhaps as far as Union Pacific R. Co. v. Botsford, 141 U.S. 250, 251 (1891), the Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution. In varying contexts, the Court or individual Justices have, indeed, found at least the roots of that right in the First Amendment, Stanley v. Georgia, 394 U.S. 557, 564 (1969); in the Fourth and Fifth Amendments, Terry v. Ohio, 392 U.S. 1, 8-9 (1968), Katz v. United States, 389 U.S. 347, 350 (1967), Boyd v. United States, 116 U.S. 616 (1886), see Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); in the penumbras of the Bill of Rights."

That handwave-y language ("does not explicitly mention", "a right of personal privacy, or a guarantee of certain areas or zones of privacy", "at least the roots") doesn't exactly inspire confidence in the existence of a broad, fundamental right to privacy in the Constitution. Also, it uses "privacy" in a somewhat different sense than the surveillance debate. In Roe, it's used more like "liberty."

So you understand there is more to our rights that just a document. They have to exist in a framework of judges and the executive branch.

I'm not saying otherwise. But flaming the government for acting Unconstitutionally for activity that is not contrary to the text of the document is lame and misleading.

If you think there should be a right to privacy of electronic communications, then convince people of it. Get an amendment passe. Don't twist the Constitution to say what you wish it said.

I disagree with your definition of papers. And that is why we have Judges.

Your disagreement isn't with my definition of "papers" (we both probably agree that "papers" can easily be read to encompass both physical and digital documents). Your disagreement is with my assertion that handing your "papers" over to a third party robs you of any 4th amendment interest you might have had in those documents.

What happens with safety deposit boxes?

The quote is:

Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

He doesn't say "Any suggestion that Google is disclosing information directly to the government..."

As such, I think you can either take it as "we don't disclose anything to anyone, or you can say that the sentence isn't true.

No, the quote is still vague and I agree with Nelson69. He could easily say that "we don't provide any access to gov, nor to their subcontractors nor to any other entity,..." - if that would be true.

what does "on such a scale" mean? i mean it could be 40% of what we think it is and its still scary.

Based on the sentence two lines before it, it likely means "millions of users":

> we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. [...] Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Larry Page links to a Google "transparency report" in his blog post which gives a rough figure:


I also wanted to point out this:

> Honestly though, I think they could make much much stronger statements about this stuff.

They can't really, though - they do cooperate with the government on a ton of properly-filed, fully-legal subpoenas. And that's fine, that's what they have to do, and it's what every other company in the world would do - though we should all push our government(s) to be more transparent about what they're requesting and why.

Did you read Larry's blog post? He didn't rule out the NSA, he did rule out the USgovernment period. Quote:

> Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers.

I did read it, with the dozens of other articles and such it's blurred together. He did rule out the US Government, does that rule out contractors? Does that rule out Verizon? What if Google has data in someone else' datacenter? That's specifically what they said the US government doesn't have direct access to.

Do they give carte blanch access to their data to ANYONE? Regardless of the datacenter. If they don't they can say that.

No one gets carte blanch access. Even Googlers don't get carte blanch access.

And yet this still misses more important issues. While it is fantastic that Google does not give the USG a free pass to the whole enchilada, Google still collects and stores this data, and gives it when compelled, if they truly had the users best interests in mind they would reduce the data collected to only what they MUST have to do what they do, and not use Vacuum cleaner like methods to get and keep everything they can, if Google did not keep it, the USG would not want it. So the best way for Google to be a part of the solution would be to reduce what they intake and keep, burn the rest.

https://www.google.com/dashboard provides an overview over your data at Google. Most/all of these services have permanent delete buttons.

It is possible to permanently erase or disable your search history from here: https://support.google.com/accounts/answer/54067?hl=en

You can opt out of Google Analytics using this add-on: https://tools.google.com/dlpage/gaoptout

What do you consider to be "what they do"?

It's exactly the kind of denial you'd expect them to issue if they were legally required to deny any involvement.

That's moving the goalposts, though. The initial assertion -- that this is a cleverly-worded non-denial -- doesn't hold up with the text. Page is clearly and unambiguously denying that Google supplies any information to the government on a millions-of-users scale.

Saying that denial is a lie . . . is a completely different charge.

Google could be searching email for certain series of characters, like "xxxx obama" and handing that over. Perhaps NSA supplies google a list of phrases to look for.

> Page is clearly and unambiguously denying that Google supplies any information to the government on a millions-of-users scale.

Kind of like Mariano Rajoy insisted that Spain didn't need a bailout?

And the Federal Reserve said there was no real estate bubble to worry about. And the banks were well capitalized.

Yes, and murderers always insist that they're innocent. QED. We've got them now!

Really? You don't see any difference between the denial posted by Google's CEO vs. the way that (say) Verizon responded? Here's Verizon's response: http://www.businessinsider.com/verizons-memo-to-workers-abou...

A better carefully worded response is still a carefully worded response. Google is in a difficult place because we all expected this to be happening, there are now documents suggesting that it has been happening, and no one takes at face value anything that sounds like a lawyer wrote it.

EDIT: I mean: (a) No one cares if they have heard about a program called "PRISM" when the point of that program is to aggregate data from other programs. (b) Anyone who is actually innocent in this needs to stop mentioning "direct access to servers": no one expects this program to be directly accessing servers. (c) We also don't care whether actions were "in accordance with the law", as the constitutionality of the surrounding laws is part of the debate.

I will say that "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false." is a good statement to make. It sounds broad in a good way and doesn't appear to have many weasel words, other than specifying "Internet activity" and not email or general activity. Are Google searches even "Internet activity", or is he referring to Google Analytics / Google +1 / DNS?

"direct access to servers" looks suspicios to me as well. However, maybe several dozen lawyers had no clue how to react today, and they just copied one another's text?

More likely: the first paragraph from the Guardian and the Washington Post both emphasized "direct" access. See the picture here: http://cl.ly/image/2S3i1g2W2R2k

If you're refuting claims of behavior X, it's natural to say "We don't do behavior X."

Especially when you're doing X' instead, and don't want to draw attention to it.

The problem is that Obama himself has acknowledged the program both exists and is very active, the only limitation being 'Internet monitoring is only for those outside United States'- no comfort for Google users like myself outside the US[1].

I don't mind targeted surveillance against genuine suspected terrorists. What frightens me is broader intelligence collection especially commercial intelligence. Over time programs broaden and if we're not really, really careful we'll find gmail being read by intelligence analysts who can brief our US competitors.

If non-Americans can't trust Google with their information that is an existential risk to its future. I think the Google leadership needs to do a lot more than this one short post!

[1] From Obama's comments: Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States. And again, in this instance, not only is Congress fully apprised of it, but what is also true is that the FISA Court has to authorize it.

So in summary, what you’ve got is two programs that were originally authorized by Congress, have been repeatedly authorized by Congress.

That seems pretty clear - there is a congress-approved spying on non-US citizens Internet and email.

EDIT: added Obama quote

"I don't mind targeted surveillance against genuine suspected terrorists."

This kind of language bothers me - "suspected terrorist" requires no proof at all, while sounding authoritative (65% of Americans support the remote execution by drone of 'suspected terrorists').

I know roughly what you meant, of course, but where that line is drawn is a discussion that needs to be had. I'd say that with the level of surveillance that goes on, we are all suspected terrorists now.

I find it fascinating that Matt Cutts didn't bother to address any of this in his defense of Google. Obama and James Clapper have both admitted to what is obviously Prism, a large scale spying program targeting Internet users and their data.

It rather makes it clear that Google is participating in espionage programs for the NSA. Supposedly, maybe, it isn't directed at Americans (har har).

I don't think they are. I think ISP's allow government equipment on their networks to capture traffic as they see fit. If every ISP participates, then they have Google data, Facebook data, Yahoo data, and on and on.

Obama has acknowledged that federal law allows FedGov to obtain emails of non-citizens without a search warrant but through a court-overseen process. This is part of a 2008 law that we all know (if you've been paying attention) does this.

The president has not, however, confirmed that the news reports about "PRISM" are accurate. All he's done is summarized the law.

The last couple lines of his blog post seemed to convey, at least to me, that he was posting truth but perhaps not as much as he'd like.

"We post this information on our Transparency Report whenever possible... ...we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish."

In the transparency report, Google can only report wide ranges of numbers, not actual numbers (i.e. 1000-4999). They have always said they wished they could provide the actual numbers of requests as well as copies of the requests themselves, so this is consistent with that.

It's well-known that there are restrictions on how much companies can legally disclose about some of these government requests.

Matt - Many of us believe that many of the people at Google are doing their best, however in this instance you're not doing the right thing.

Hey teawithcarl, I appreciate that. I'd be interested in hearing what you think the right thing is. I suspect that we're actually in agreement on most points. If there's something you think we should be doing differently (and I agree with you :), I'm more than happy to lobby for that within Google.

I do think Google is working hard to protect our users from unwarranted government requests. Just speaking for me personally, I really dislike provisions in the PATRIOT Act and FISA that compel secrecy. One thing I did like in Google's blog post was that we spoke out against the "level of secrecy around the current legal procedures." I was encouraged that Facebook later said something similar. In my opinion, a lot of the frustration about the current situation would be best applied to changing some laws in the United States.

Hey Matt.

While I honestly think _you_ believe Google is doing "the right thing" - there's a nagging suspicion that there's some NSL-style legal (or possibly extra-legal) compulsion being used at the very top levels. Even if I believe that Larry is 100% "on my side" against the government - I'm also under no doubt that Larry and Google are effectively powerless against the pressure the various US government agencies could apply if they so chose.

While explanations of the similarity between Larry's and Mark Z's posts based on direct rebuttal of the WaPo article are plausible, when combined with Apple's, AOL's, and Yahoo's suspiciously similar structure and wording - cynical-me can't help but wonder if all 5 CEO's are being compelled to disseminate the same government supplied message (and are possibly intentionally using almost word-for-word similar language as a plausibly deniable way of telling people that).

I'm not sure if there's much Google can say or do - given the depth and seriousness of the seeds of suspicion that've already been sown… (Having said that, I was pleased to read Yonatan's G+ post earlier today…)

When AT&T was asked politely by the NSA to open its networks under the warrantless surveillance program, the company refused to confirm or deny. They actually offered arguments like this one from an AT&T attorney:

http://news.cnet.com/Legal-loophole-emerges-in-NSA-spy-progr... Federal law may "authorize and in some cases require telecommunications companies to furnish information" to the executive branch, said Bradford Berenson, who was associate White House counsel when President Bush authorized the NSA surveillance program in late 2001 and is now a partner at the Sidley Austin law firm in Washington, D.C. Far from being complicit in an illegal spying scheme, Berenson said, "AT&T is essentially an innocent bystander."

And a sealed AT&T document I obtained tried to offer benign reasons why there would be a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic: http://news.cnet.com/2100-1028_3-6077353.html

What Google and Facebook are doing today is precisely the opposite of what AT&T did.

Hi Matt - Thanks for answering. I genuinely appreciate your earnest communication. To answer your question, I sincerely believe Larry should do the right thing irregardless of the law, which means telling the American public the truth.

What Sergey (and Google) bravely did in China gave Google years of priceless respectability. This is one of those situations where civil disobedience is best. I realize you can't just "pull out of the United States", yet Google is looking like liars, and that just doesn't work.

For what it's worth, if Larry summoned the courage to speak his conscience completely, he will not go to jail. Far from it ... Google will be the true statesman, showing courage and leadership.

Indeed, I believe it may help Google the most, by catalyzing people's courage to do what's right. It's simply wrong to associate yourself with this.

It must come from Google first, Google is the strongest. Please consider the honor in doing this. Done genuinely, the public will rally behind Google, just like SOPA/PIPA. And don't forget, you have the world's largest bully pulpit.

Thanks for posting this. Here's something I wrote to someone recently: "I view talking about FISA (see http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillan... ) like handling radioactive waste or juggling chainsaws: it has to be done carefully." The reason is that FISA orders come with a gag order: see https://ssd.eff.org/foreign/fisa . So I understand why official company blog posts, even from Larry, have been carefully worded so far, even if that comes across as legalistic or weaselly-worded to some.

For what it's worth, I'd recommend reading this post: https://plus.sandbox.google.com/+YonatanZunger/posts/huwQsph... To me, Yonatan's post read as the sort of personal, even blunt statement that you're asking for.

Will do, thanks. Genuinely appreciate you.

It is literally impossible for you to know for certain if Larry Page is telling the truth or lying about PRISM. So, now what?

Are you asking Larry to violate the law on National Security Letters, by publicly posting their content?

Verizon said what they could: we have to comply with the orders when we get them. Nothing weaselly, maybe because we read the judge's order.

Why should we trust the safety of any information on our searches, emails, location data, chats etc stored by Google? Stop storing it

Thought twice about posting this, but am I the only one who feels really queasy about someone like Matt Cutts jumping directly into conversations about their own company on HN (especially when it could be connoted as being part of damage control)? He's hardly rank-and-file. I think it is plain old creepy, YMMV.

Yes, you might be the only person here to suggest Matt Cutts is ever unwelcome on any HN thread.

Heh, did you get out of the wrong side of bed today? I don't spend all day reading HN comments - sorry if my knowledge of responses to Matt Cutts' posts isn't as comprehensive and magnificent as your own. When I posted this, nobody else had said anything.

As a reporter, I think it's great. I wish we'd see senior folks from Microsoft, Yahoo, Facebook, AOL, and Apple doing the same right now.

ashleyblackmore, the initial news stories seemed to imply voluntary, wide-scale, direct access to Google's (and other's) data by the NSA. I genuinely thought that sounded wrong and against the bent of Google--both its execs and the rank and file employees. In the last few days, more recent stories have indicated that it's more like compelled, limited FISA requests, which all US companies are legally required to respond to. See Yahoo's recent post at http://yahoo.tumblr.com/post/52491403007/setting-the-record-... which also points in this direction.

Compelled and limited is a very different story than voluntary, wide-scale, and direct. Do I like FISA? No, I think it sucks. FISA orders come with a gag order, and laws that compel secrecy like that should be struck down, in my opinion. But in recent days, you've heard the CEO of Google say that they haven't gotten the sort of broad requests that (say) Verizon got, and that Google can and does push back on requests that they consider too broad.

I think the proper response to this issue should be frustration with bad laws, and calling your Senator or Representative in Congress to tell them that.

You demand answers from Google leaders. A Google leader gives you answers. This upsets you?

I don't think so. Those usually sound like,

    "We cannot confirm or deny the existence of such a program," 

    "It is not our policy to comment on national security topics"

    "No comment." 
or even

    "We'll wait for the results of the investigation."
I don't think the government generally asks civilians to lie so enthusiastically, because . . . well, as a rule, they just aren't good at it.

No, I think it's most likely that Page doesn't know of any such program. Now, it's always possible that such a thing is being carried out on the scale everyone fears by a rogue, loyal-to-the-NSA employee, or a group of them. Or it's possible the original Powerpoint slide including Google as an information source is oversimplified or even inaccurate. Such things do happen when presenting overviews of program capabilities.

And many other things in between are possible. It's concerning, but . . . I'll wait for the results of the investigation. ;)

It's also possible that Larry is concerned about his share price, and what would happen to it if Google was revealed to be completely in bed with the NSA (My guess is it would fall quite a bit). He has real money at stake in limiting the damage that comes from this revelation.

The fallout in such a case has to be smaller than it would be if it comes out later that, not only were they in bed with the NSA, they (and the other companies in this situation) blatantly lied about it with their statements today.

I guess keeping an eye out for Larry (et al) cashing out shares over the next few weeks/months might be a good indicator of the likelyhood of exactly that "coming out later".

For obvious reasons, it is illegal for CEOs to sell stock on short notice.

I've never heard it said that anyone was required to deny involvement. Did you mean that exactly as you wrote?

I think there's a world of difference between a gag order where you are not allowed to confirm, and an order to explicitly deny involvement. I'm not saying the former is "good", but there's a difference.

OK, I'll say it.

I think there's a non-zero probability that there are US government agencies who can and have compelled people to explicitly deny something that they know is true.

Realistically, it would boggle my mind to discover they'd done that to all the founders/CEOs/legal departments of all the companies involved here (at least Google/Facebook/Apple/Yahoo/AOL), but given the stakes in this game - I have no doubt that it _could_ be done.

I agree, but what could Page say to convince us otherwise?

Either the government is coercing them, and they have to issue lies as denials, or they are participating voluntarily and are voluntarily lying, or they are not participating. The second option seems unlikely to me.

Well, you can't prove a negative so I'm not sure there's anything Page can say.

But at the same time they can't all be right. NSA says it's getting data in some form from Google, Page says no direct access.

The truth is probably somewhere in the middle then... but where?

I don't know why we'd expect the truth to be in the middle. If the NSA document is genuine, the information the NSA is collecting from Google is part of a Top Secret program as described in the leaked internal document.

If that is true, why would we expect that Google officials would be able to make any public confirmation of the Top Secret program? And, given that, why, in that case, would we expect the truth to be "in the middle"?

Conversely, if the leaked document is not genuine, then I still don't see any basis for expecting the truth to be in the "middle" between the false document and the Google denial.

Did I miss some information? I only saw two slides. One that show the potential data accessible and one that show when the companies were added. It doesn't say exactly that they had access to everything. As far as we know PRISM can simply be there to centralize the information that the NSA got in legals ways. We do know that the government ask about 100 users account information each day to Google, we can guess that they do the same to every company on that list and they were all added to PRISM at the date you can find on the slides. I mean that slide contains one of the most important information that we currently have to guess the magnitude of PRISM, the budget. They only need 20 millions $ every years. True data mining is much more expensive than that.

I'm 100% with you. I don't know what Page could say, and I agree that it's extremely likely that the truth is somewhere in the middle, but damned if any of us have any ability to actually suss out what that is. It's very frustrating.

I just think it's important to not be entirely cynical here, and to keep in mind what such a statement might look like if it were being truthful. I don't know how much different it might be, which generally makes the statement only as good as Larry Page's word, and only then if he doesn't have a gun to his head.

The truth comes from the source that wasn't intended to be public.

> NSA says it's getting data in some form from Google, Page says no direct access.

Page says no direct access and not even legal access at that scale (verizon). He doesn't say they don't have any access -- in fact he says they comply within the bounds of law, but it's not at the Verizon scale.

I don't know how many of us served as officers in the military, but the requisite action in this situation is pretty clear. If one is interested in day to day security, speaking from a strictly tactical perspective:

You assume Google is giving the NSA information and act accordingly.

Doubts are like bothersome flies...

until they are crushed...

you will never be comfortable at your current position.

We obviously stil have a lot to learn about PRISM... But with that said, I have some conflicting instincts & feelings about all of this and the company responses.

On one hand, I would think a very-visible CEO of a major corp would keep their name off of a press release, if the press release was a lie that they were compelled to tell by the government.

On the other hand, I feel like each company's response and their use of the exact same terminology ("direct access", etc) feels like a wink and a nod.

I completely agree, and I don't know how to reconcile the two.

If I was going to go completely conspiracy-nutter, I'd say that Page has been kept out of the loop intentionally for plausible deniability, and the actual incursion happens at a much lower level, where the people involved are coerced into keeping their mouths shut. That way, the bigwigs get to tell what they think is the truth, the NSA gets their data, and nobody is the wiser.

Granted, I think that belongs more in the plot of a thriller novel than in this actual world we're living in, but given the revelations of the past couple of days, fiction doesn't seem that implausible.

This may not be PRISM, but wtf is this???

"A US government-mandated backdoor allowed China to hack into Gmail"

"In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access."


Schneier is a smart guy, but he provides no evidence, links, or conjecture of what this backdoor may be.

Maybe those hackers just used the regular tech support "back door", as in "SELECT * FROM gmail where email = 'target@gmail.com'

> or they are participating voluntarily and are voluntarily lying, ... seems unlikely to me.

Their business is based on user's data. If you do not feel comfortable giving them your data, it might hurt their business. Hence, IMHO, they do have some incentive to deny PRISM, regardless of the facts.

Or the news organizations summarizing the leaked slides got it wrong.

No, it's not. Gag orders can also be satisfied by saying "no comment" or just not saying anything at all, which is differently then actively denying something.

This is a false assumption. AT&T did not deny opening its networks to the NSA during the EFF litigation. It simply declined to comment, and offered suggestions (which I wrote about at the time) about how the law allowed it to comply with such a secret court order.

It's the opposite of what Larry Page is doing.

No, it's not. What little we've had about super-secret legal requests isn't that companies have to lie about them. It's that they can't acknowledge them at all.

So the answer they give when asked, and they do get asked, is "no comment."

If they were voluntarily part of PRISM, and legally required to keep that quiet, I'd expect them to say "no comment."

Doing the opposite make so little sense. It means they're having to flat-out lie to their users, something very hard to recover from.

The thing is "no comment" would basically confirm that 'something' is happening that's secret. Everyone would go conspiracy wild and pull everything they have away from Google.

They probably want to confirm it, but in a completely open and transparent way that assures people there's nothing they should fear here, which they can't do because it's all cloaked in secrecy.

One thing we know for sure is the truth of what they have been doing will leak out.

That's not true, in Verizon's case they just said that they are under a gag-order: http://publicpolicy.verizon.com/blog/entry/from-the-desk-of-...

There are cases in which you can't even confirm the existence of a gag order. I can not believe it's constitutional... but they do it.

What about the strategy you hear about of getting around this? Where they say "we're not under a gag order" (or whatever) each day until they are, until they go under a gag order, at which point it reveals they are.

Now, I'm not so naive to think that if someone tried this, the government and courts would just say "Herp, derp, you sure outfoxed us there!" But has that strategy ever been tested in court?

Rsync.net does this:


And they note:

This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page.

I'd imaging it'd get you a free one way ticket to Cuba, not charged.

Google doesn't have to actively disclose...the government just needs to know where to "listen" to get the same data that's moving around Google's data centers.

Consider the NSA having MITM capabilities before the data reaches google:

1) This is exactly what you would need to do, to consider it realtime

2) None of the denials cover this

If it's MITM between user and Google, then Google would not be coordinating or even necessarily aware.

Would the NSA list Google as a "partner" that it needs to keep protected in these leaked slides if this were the case?

1) They didn't, and 2) Even if they had, unclear, inaccurate, or misleading information regarding Google's degree of cooperation or the mechanics of acquiring tha data in a document prepared for consumers of the data for which information on the details of collection was not essential actually makes quite a lot of sense in a highly classified program (whether its classified for appropriate, security related reasons, or for political reasons.)

Consumers of the data need to know where it comes from and its scope, they don't necessarily need to know whether its acquired through cooperation or coercion or infiltration of the providers.

This is false. The NSA did not list Google as a partner. Reporters may have, which is different from what the leaked slides actually say.

They'd have to MITM SSL traffic largely.

Also, that's what they were doing for more traditional wiretaps and you should be sure that they have access to siphon off live traffic for analysis if they want.

"They'd have to MITM SSL traffic largely."

To be fair, if anyone can do this it's precisely these people.

... still not likely, though, I agree.

Is that even possible if Google's SSL certs have Extended Validation? They'd have to have cooperation all the way down to the browser vendors and I can't see Mozilla caving that easily.

There are several governments (Spain, France, Netherlands, Japan) who publicly have Root CAs in the trusted browser list[1]. It seems pretty likely (cf say, Prism) that the NSA has a CA cert where they can generate whatever certificates they want in order to MITM browser SSL communications...

[1] http://www.mozilla.org/projects/security/certs&#x2F;

Can we remove Root CAs from our browser?

Edit: Found the answer: https://wiki.mozilla.org/CA:UserCertDB

I was referring to cryptographic attacks. Unlikely that they have such, but if anyone does, it's pretty likely to be them.

The Verizon order explicitly applies to calls within America between American citizens, which is why it was so novel. PRISM, as described, only incidentally collects information about Americans. This statement does not preclude the direct access to user data that the PRISM reports describe.

The Guardian suggested that more leaks are going to be published...

Prism has been admitted by the government to exist.

The notion that it exists, and Google isn't involved in it, is pretty absurd. That'd be like talking about tapping the telecom companies, but leaving out Verizon and AT&T.


"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies and said a separate disclosure about an effort to sweep up records of telephone calls threatens “irreversible harm” to the nation’s national security."

Mr. Clapper said in a statement that the classified program to collect information from Internet providers is used to “protect our nation from a wide variety of threats” and he condemned the leaks of documents describing its existence.


Also, this is very interesting from a NYTimes article on the matter: "But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said."

They didn't give the NSA "direct access" to their system but created a front end for them instead... LOL.

He did not say

"We only give data to the government in response legal requests about named individuals."

Well, I guess he will have to find a proper way to prove it, because if you are satisfied with just a blog post maybe you should think again.

I'm curious why we're satisfied with an anonymous leaker and some shoddy looking powerpoints.

I'm not going to comment on what's true or what's not, but I know a few things:

1. Having been "in the news" or when I've had firsthand knowledge of an event in the news, I'm always shocked by how inaccurate the news is. Usually not in broad strokes, but in lots of details. I have learned to take everything I read in the media with a healthy grain of salt. I'm not dissing journalists here, but that's what they are: journalists. They are not tech experts. What we are reading could very well be inaccurate. We've not vetted their source either. At least Google is known entity.

2. This whole "we scan everything" business just seems farfetched. That's a lot of data to just double.

3. This program has been subject to oversight. I haven't lost that much faith in my elected officials, or government employees for that matter.

Many times this.

Do you all remember when the "news" was "leaked" by "anonymous hackers" who claimed to lift Apple user data from a hacked FBI laptop? The Internet lost its mind frothing against the surveillance state.

The minority of critical thinkers who suggested that maybe the claims of anonymous hackers shouldn't be taken entirely at face value were either ignored or shouted down. Blanket denials by the FBI were met with retorts of "we know they're lying!". News outlets -- many the very same covering the PRISM story -- repeated uncritically the accusations of the FBI harvesting Apple user data.

Do you all remember what the actual outcome of that story was? Spoiler alert: the allegations were grade-A bullshit. The only part that was true was that it involved (old) data lifted from a hack (against an app developer). Everything else was bogus self-aggrandizing, and the Internet loudmouths played right into it. Why? Because it confirmed people's existing fears.

The sad reality is that everything that has hit the news about this PRISM story -- and the Verizon story -- has actually shed very little light on anything. We have a source with unknown credibility providing incomplete and possibly even misunderstood information colliding with large corporate and government interests. Maybe everyone is lying. Maybe nobody is.

The only thing that is certain is that people unquestionably believe claims that confirm their existing beliefs.

You know, there's a conspiracy theory angle here. A tactic I have observed for dealing with awkward leaks is to allow the speculation about the unknown aspects of the leak ramp up to extreme levels, then rebut the more ridiculous theories without addressing the sensible ones. Joe average reads the rebuttal, feels let down that the story wasn't quite as inflammatory as the hype had led him to believe, and moves on.

This PRISM business (of which there had been no hint before) is a massive one-up on the seriousness of the Verizon scandal, and its timing in relation to it is deeply suspicious. It wouldn't be too difficult for someone in the intelligence services to make a pithy PowerPoint presentation about how the NSA slurps data from all and sundry (what was it supposed to be for again? "Training"?) and fake a leak to a few newspapers.

I predict that this story will turn out to be a complete wash, and in the meantime everyone will have forgotten about the not-as-sexy but much-more-true Verizon leak.

What about the date where "PRISM collection began" for Google, given as 1/14/09? What is that about?


Either way, if Google has troves of info of everything you do online, NSA will get it. One way or another, front door, back door, in-direct access and what not

They can't say "we don't provide access", because depending on the law, they are forced to.

They say "we do not provide direct access", because as explained, any access goes through proper legal channels.

I'm not sure what you'd call it?

Remember language matters, and these are actionable public communications.

Sure, but the statement as worded does not rule out the possibility that a third party contractor (Palantir) has access, and feeds it to the government. So Google has the motive (some theoretical secret law they need to abide) and they haven't denied a potential means (third party mediation). That's enough for people to convict in this situation.

It does. "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

Sure. The statement does not rule out the possibility that aliens are using advanced technology to watch the bits on optical lines without affecting the photos either.

True. However, the prior probability of that statement being true is exceedingly remote, so a non-denial of that still leaves me relatively certain that I don't have to worry about aliens conspiring with the federal government to spy on me.

"prior probability" is a fancy way of saying "without evidence, I believe what I want". Not that there's anything wrong with that, but that's not something Larry Page can help you with.

I think that would fall under this denial:

> First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers.

You would be hard pressed to argue that "direct" access proxied through a gov't contractor isn't the same as direct access. I don't think they'd cut the truth that close unless they were under oath. The court of public opinion is less caring of technicalities.

> Palantir

Isn't that basically their entire business model?

OK, in an alternate reality, what would a clear, flat-out denial look like? I mean, how could we tell such a thing differently than what was in the OP?

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday...Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records.

"We would never do this, not because the government hasn't asked us to, but because it's morally abhorrent. It goes against everything we personally believe in and stand for. Even if we were legally required to cooperate, we would resist and suffer incarceration if necessary. We believe in freedom more strongly than we fear the consequences of not cooperating with an oppressive government."

That kind of thing.

So, you'd feel more comfortable if the company threw in some rhetoric about morals and freedom that are, as assertions, impossible to verify, but would make people feel more warm and fuzzy?

So, basically, what politicians put into their speeches?

Read over your statement again. There's very little of substance in there. For example, what does "this" in "We would never do 'this'" mean? And I'm not being pedantic, because exact language is important here. The question is, what could a non-PRISM-supporting Google say that would differ from what we see in the OP?

And this: It goes against everything we personally believe in and stand for.

OK...let's assume "It" has been properly defined. This hyperbole would be a lie, because....everything? Again, impossible.

"Even if we were legally required to cooperate, we would resist and suffer incarceration if necessary."

OK...cooperate in what? The statement you've proposed leaves room for other kinds of cooperation, if not technically the kind being alleged right now. So this statement doesn't resolve anything.

"We believe in freedom more strongly than we fear the consequences of not cooperating with an oppressive government"

OK, same objections as before. But -- and again, I'm referring to an alternate reality in which Google is standing up against the NSA and PRISM, which may or may not be the reality we are actually living -- if Page is telling the truth about knowing what PRISM stands for before yesterday, then the statement you've proposed is impossible for him to assert, because we still don't know everything about PRISM...and so how would Page know if PRISM is the act of an oppressive government? He literally would not know because PRISM was unknown to him until yesterday.

And if you're saying, well, he should just know, because obviously Google is taking part in the program...well, that's begging the question.

And if you're saying, well, he should just be able to make that statement because any reasonable person, upon reading the reports yesterday, would conclude that PRISM is the act of an oppressive government. OK, that's fine, but that's still not really an assertion of fact, it's just rhetoric.

> "So, you'd feel more comfortable if the company threw in some rhetoric about morals and freedom that are, as assertions, impossible to verify, but would make people feel more warm and fuzzy?"

If Google was actually taking a moral/ethical stance that being an accessory to unconstitutional warrantless searches is something that they find to be morally wrong, yes, I would be more comfortable. My reading of this was Larry saying, "I enjoy being a billionaire and will say whatever it takes to continue being one."

What does any of that have to do with your original assertion that it was a carefully worded non-denial denial? Your point now seems to be "I don't like Google, and this doesn't convince me otherwise." That's fine, but hardly relevant.

Maybe you and many others would be better off by paying attention to actions vs words, and notice which company was the first to push back on the government to provide transparency to national security letters when everyone else bowed down before the government. Being skeptical and not falling for feel good platitudes could help all of us.

> So, you'd feel more comfortable if the company threw in some rhetoric about morals and freedom that are, as assertions, impossible to verify, but would make people feel more warm and fuzzy?

But when their impossible-to-verify assertion is that they've done nothing wrong, you'll accept that just fine?

No. I'm not saying that Page's assertion is true, but I am saying that it is a concrete assertion.

There's a difference between these two things:

1. Issuing a vague non-denial so that when the truth is revealed, you can claim that you didn't technically lie ("Hey, I never said I didn't molested him, I just said I never slept with him")

2. Issuing a denial that is proven later to be false.

I'm not arguing with the GP that Page is telling the truth, but that, as much as we can tell, Page has issued a statement that can satisfiably be shown to be true or false.

threw in some rhetoric about morals and freedom

I would feel better if Google put its brand at stake a little more, yeah.

Google used to cooperate with China.

Google is ACTIVELY forgoing revenue in China, because it wouldn't play by their rules. [1]

It's a start.

[1] https://en.wikipedia.org/wiki/Google_China#Ending_of_self-ce...

The blog post concludes with "But the level of secrecy around the current legal procedures undermines the freedoms we all cherish." That's a clear statement criticizing overly broad secrecy provisions.

It's a clear criticism, but not a clear assurance that Google isn't cooperating ("voluntarily" or not) with those "legal procedures".

>...it's morally abhorrent...even if we were legally required to cooperate, we would resist and suffer incarceration... oppressive government.

That's subjective, and I think you have severely unrealistic expectations of how far companies should be willing to go in this matter.

I believe Google's response is satisfactory. We can't prove negatives, so it's pointless to second guess Larry's post as being an orchestrated ruse. It at leasts gives us an official position and stance from the other party.

I don't think that the ethics are so clear cut. Let's suppose that Google's servers contain data that the U.S. federal government could use to prevent an act of violence that would harm or kill innocent people. Is it more ethical to deny access to this data on privacy grounds, or to grant access to this data to prevent violence?

The typical response here on HN is that the threat of terrorism is greatly overstated. This is probably true, but I don't think it's reasonable to assert that the threat of terrorism is nonexistent. Given the amount of people who use Google's services, I think it's highly likely that such data does exist on Google's servers.

Why limit it to terrorism? With access to email, instant messages, social media streams, search terms and some damn fine data scientists Google could sniff out an awful lot of wrongdoing.

Should they be developing software to figure out who is beating their kids and notify the local police? Cheating on thier taxes and notify the IRS? Breaking their marriage vows and notify thier spouses?

That would be a lot stronger a statement, but at the end of the day... we'll never know. Anything he says could have been written with a govt. agent holding a gun to his head. I know, I know, total conspiracy theory territory. And I'm not saying that is the case, just pointing out that - at the end of the day - there's very little we can actually know for sure about their involvement or lack thereof.

Therefore, IMO, the best thing to do is assume that every single bit that hits a Google server, and every bit stored by Google, is available to the NSA, FBI, CIA, DIA, MI6, Mossad, etc., etc... which means using strong crypto to protect your stuff if you really care about keeping it private.

I would like this:

The only requests for information to which we respond are requests that contain the full name(s) of the people whose data is requested.

Instead of enumerating what they don't do, which leads one to wonder what's left out, they could exhaustively enumerate the ways that they do cooperate. To a certain extent that's what they do with the transparency report. But I saw no strong claim that the report was complete, on the contrary the "whenever possible" language outright suggests the report is incomplete.

I'm sympathetic to being caught between a rock and a hard place, but given that this program only seems to involve US based companies, I would suggest that where ever possible people should prefer non-US software and services. Just as one prefers non-Chinese hardware for the exact same reason.

See http://www.google.com/transparencyreport/userdatarequests&#x...;

Argh. Hacker News refuses to save the URL. Replace %xF; with "/"

I have an extremely hard time believing google received less than 2000 requests for user data last year.

Given that the graph indicates they received 20,000 - not 2,000 - I would have a hard time believing it as well!

It's a good start for a response, especially since it has the CEO's imprimatur on it.

However with all the shady definitions the NSA is using (e.g I can imagine some weasel claiming user data is only the content not the metadata) I would have liked an explicit example.

Something like, "For example, when one gmail user emails another gmail user the government is not, for the majority of users who are not the subject of a specific government order, made aware of this in any way including the contents of the email, metadata and even that an email was sent. Obviously, we have no control over emails, sent outside our network."

I believe Google on this. The language is clear and non-weasel-y. Google does not hand over user data to the government unless specifically requested. There is no open-ended access.

But I also believe the government works with ISP's (all major ISPs) so that they can intercept traffic. Which would be a type of MITM attack allowing them to get data from all major web sites.

I think it's completely weaselly. It leaves wide open the possibility that a 3rd party, like Palantir, has access to the data.

"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period."

"Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

Those sentences seems straightforward and unambiguous.

I'm not much of a conspiracy theorist but those statements are hardly unambiguous. It's the "press reports" that are called false. Close-ended could pretty much be just as broad. The second sentence is hedged with "on such a scale". What is "information about our users' Internet activity"? Does that preclude sharing the actual internet activity? Also, Page keeps referring to "orders" but the press reports suggest some sort of volunteering.

Of course it's hedged with a limitation of scale. Obviously Google, like any other company, is going to provide information on much smaller scales (e.g. a user or a handful of users) for investigation based on specific court-issued warrants. It would be lying to state that Google never provides information about any user activity at all.

What would you prefer Google to say?

My reply was specifically to do with the contention that the sentences were "straightforward and unambiguous".

In this sentence, I would prefer Google to say: "First, we have not joined any program that would give the U.S. government—or any other government— OR ANY OTHER ENTITY - direct OR INDIRECT OR ANY OTHER TYPE OF access to our servers. [capitalized words are mine]

Except that that would be untrue, because there are perfectly legitimate reasons why the government would have access to data on a small scale - e.g. subpoenaing an individual's records in a specific criminal trial.

The fundamental problem here is that we have allegations that the US Government ordered all these companies to do something bad(tm) and not talk about it. So, if we assume that the allegations are correct, then the companies denying it are in on it, and the denial is false. But if the allegations are not true(either wholly or just for Google), then their denial may be entirely true. That's why it's problematic, because if you believe that the reports are true, then Google's actions are perfectly in-line with that belief. If you believe they're false(or even not as extensive as reported), then Google's actions are perfectly in-line with that belief.

So realistically, the best approach is just to wait and see.

Unless you can MITM SSL, having ISP access isn't enough. Remember, Google's the company that discovered that Turktrust had issued rogue CA certificates through Chrome's cert pinning.

unless you assume the NSA has the root SSL certs.

Root certs don't let you decrypt content encrypted with a descending cert. They just let you issue new certs that'll be considered valid. So, a MITM could send a client a compromised cert in the hopes that the client will encrypt content with it (after accepting it as valid due to it validating up the cert chain to root), but Chrome's certificate pinning is specifically designed to detect this class of attack - it is how the compromised Turkcert certs were discovered.

Even if you hold the root certs and can issue attack certs that validate up the cert chain, you can't MITM a cert-pinned client. In order to attack a cert-pinned site, the NSA would have to inject their own certs into Chrome's cert store, or have Google's private cert keys. Either would require compliance from Google.

Does anyone seriously believe that they don't?

I believe everyone's using the term "direct access" in contrast to the access the government is already known to have, which is via warrant or other "indirect" requests.

Unfortunately for Google, the Director of National Intelligence himself has confirmed the program and publicly called its disclosure "reprehensible". However, Google and the rest of these companies are in an awkward position. This program is still technically Top Secret, even though everyone now knows about it. Because of the obligation to secrecy that comes with having received classified information through the proper channels, they are essentially the only people in the world that are required by law not to acknowledge the existence of the program.

That said, the canned "direct access" line - the exact terminology curiously arrived at by no less than 5 separate corporate PR departments within hours of each other - is a poor facade. They should have considered how using identical terminology would make these denials so transparent.

That is untrue. See:

http://news.cnet.com/8301-13578_3-57588279-38/google-ceo-on-...; James Clapper, the director of national intelligence, released a statement last night saying the Guardian and Post articles about PRISM "contain numerous inaccuracies." Clapper's statement didn't confirm or deny any NSA activity. He said only that the articles "refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act," and that any such collection is legal.

So, you are suggesting that the slides detailing their participation were simply made up?

There are no such slides. The slide just has a name and a date, no details of what "participation" means.

Read the blog post. "Press reports that suggest that Google is providing open-ended access to our users’ data are false, period"

Which is still pretty flexible language. "Oh, it's not open-ended access, it's limited to the conditions in the authorization..."

The Verizon order was limited to 3 months, for example, which is hardly open-ended... except that it presumably got re-upped every three months.

Read the NEXT SENTENCE! "Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records."

AND THE TWO AFTER THAT: "We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

"NEXT SENTENCE": I don't think they're a telco with millions of users, Goggle Voice is pretty small, right?

The two after that look like a pretty good denial, though.

It is very possible that Google is lying.

Of course it is, but in this conversation that is moving the goalposts. And if we had to address every possibility, very little progress would ever be made in any discussion.

Then why bother parsing their language or even reading their blog posts?

He also says: "Until this week’s reports, we had never heard of the broad type of order that Verizon received... We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

No, its pretty clearly written to me. Larry Page is genuinely surprised that this program thinks it has access to Google data on demand.

I interpreted the repeated use of "direct access" as a response to the media reports yesterday that used that same phrase. My memory could be mistaken but I seem to recall hearing reporters use that phrase over and over. So it would stand to reason that Google and other companies would use the same phrase in their press releases. That would be a simple explanation of the consistent language. That said, I wish Congress would appoint a special prosecutor so that we can get to the bottom of all this.

Same thing with the "we've never heard of PRISM" language a number of companies are using. Well, yeah - that code name probably stayed within the NSA.

> It just smells of being rehearsed, and carefully coordinated to select such language.

Next time, hopefully they'll make it less clear so that you have to translate the company-specific jargon and feel better that it's spontaneous and careless. </sarcasm>

That explanation is far easier for me to believe than the theory that Google would have agreed to cooperate in this spying effort.

This link has been submitted to the new queue at https://news.ycombinator.com/item?id=5841505 and I hope it gets voted up for wider attention.

This is incredibly far fetched. None of the audit controls at these companies notice that these employees are constantly accessing user's private data? And these double-agent employees manage to do all this secret work while still maintaining a cover as a regular employee who does well enough of a job to get good perf reviews and stick around?

Yeah, for real. We're not talking about sneaking a few files out on a thumb drive, here. We're suggesting petabytes of data being sent out over Google's networks without Google noticing. Meh.

I guess the question then, is: how big of a cabal of "rogue" employees would it take to put evil code into production at a place like Google. I seriously doubt one person could do it, no matter how highly placed.

one person, maybe not, but if you're a intelligence agency with a multi-million dollar budget to tap Google, you'd probe the organisation and bribe those with access, and anyone in the chain those employees could credibly report to.

this isn't difficult or particularity far-fetched!

Don't you think China/Russia/Israel/etc would have attempted/done the same thing, too?

The biggest reason is, what is the downside? Working with US spy agencies as an american on american soil you don't risk getting thrown into jail for the rest of your life and the biggest downside is getting caught and fired but you are being compensated with money anyways so why would you care. Working with foreign governments is much more risky but I am sure they have tried and do have agents working in large companies such as google.

who says they haven't? maybe not completely (it's way easier for the US, as most of Google resides on US soil), but you can bet they have people in a position to extract at least some data on demand.

this has previously happened: stuxnet (a product of several intelligence agencies) was digitally signed by a large semiconductor company!

They're using the phrase "direct access" because that phrase appeared in the leaked NSA slides.

Are you alleging they are trying to avoid making untrue statements in this blog post? Then what about "Press reports that suggest that Google is providing open-ended access to our users' data are false, period."?

The first sentence of the WPo article which started this is "The NSA and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies". I think saying "we do not provide direct access" is a reasonable response.

The term direct access was first used by the Guardian in their original story: "but the Prism program allows the intelligence services direct access to the companies' servers." - most of the early denials (where the companies presumably hadn't read the article) didn't include the phrase but the later ones did.

So it's reasonable to suppose that the article was the source of that phrase.

Yeah, this is really the most straightforward explanation.

> I can't understand the repeated use of "direct access".

From the rest of your comment, I think that you understand it quite well.

I agree, the wording "direct access" is indeed very suspicious, and I tend to believe Arrington might be into something: http://uncrunched.com/2013/06/06/triangulating-on-truth-the-...;

I re-read the Larry's response carefully, and he did NOT refute the claim, that they are giving data to some 3rd party (who then forwards it to the government). He just says that government do not have direct access to it. But the issue that someone else can have the access is avoided, and it is exactly the same as the Zuck's response.

The key word here is "direct". Based on the other thread speculating about Palantir its pretty likely there is a 3rd party contractor who does have direct access, and provides convenient plausible deniability to both parties

First, we have heard no denials from government officials that these programs exist. Indeed, US Senators & Obama have acknowledged they exist. Second, we have no denials of the document's authenticity.

Third, we would assume through logical deduction that someone who does deny the program's existence is either lying, being misleading, or has been mislead themselves.

Finally, if this program does not actually exist, what the hell program are Obama and these Senators' referring to?

Program existing != program being exactly as described by the media.

> The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.


The point is, they don't need to provide anything direct... the problem is the gov monitors the pipes and sees all, period. The problem is at the telcos, fundamentally. Even then it's not the telco's fault since they were forced and given immunity. The problem is our elected government, plain and simple. We've known about this since 2007. Happy to see it finally discussed in the mainstream.

Totally integrated corporate-state repression of dissent. What could go wrong?


"Direct access" is a phrase from the original report in The Guardian: "The National Security Agency had obtained direct access..." - first sentence of the report.


Possibly no direct access because the NSA has copies of Facebook, Google and Apple SSL private keys? Just sniffing the backbone...

Couldn't agree more. The key terms used are subject to interpretation. Still not feeling comfortable about this.

Is there any statement that would actually make you feel comfortable? If you're going to choose to disbelieve someone's statements, there's very little they can say to change that.

Larry's post was designed to quickly assuage our knee-jerk fears about a giant like google having anything to do with "PRISM". In that, it is effective.

I think for a lot of folks complaining, his language (i.e. "direct access") is just overly precise enough to leave too much room in the margins for technical loopholes concerning "who" has access to "what" data. When Larry defends their general policies stating google "pushes back on requests", I am not convinced when terms like "overly broad" and "correct process" are left undefined.

But it's a 4 paragraph blog post- what do I expect?

Even legal docs are open to interpretation - they're not math. It's hard to expect a concise and readable post, not couched in legal phrasing, to somehow exclude all possible alternate interpretations. Especially when it can't be absolute in phrasing because there are known (and accepted) exceptions.

The top couple of posts on Hacker News are about PRISM right now. On each post the first comment is about how similar the responses of each company are. It's almost as if there is a conspiracy to be conspiracy nuts on Hacker News.

Thats because they do give access through court orders, etc, ie "indirect access". Then again if they're "lying" then it means indirect access as in "they had to authenticate first!!"

Does it matter? What are the odds these guys are telling the truth when the President himself has lied about it? Maybe it's a concern of national security?

The most interesting thing about Google's repeated use of the phrase 'direct access' is that there are so many nerds that don't comprehend how much wiggle room that phrase implies.

My bet is that Google is under order of some kind of National Security Letter and has to deny involvement here.

AT&T didn't deny involvement during EFF's NSA wiretapping lawsuit. They didn't confirm or deny.

Voted up for an astute observation

I'm not quite sure how you came to that conclusion, to me it reads like the opposite of slick lawyer talk, it's pretty unambiguous:

"No direct access", "No backdoors".

"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period".

they are required, by the law, to deny any involvment with the NSA anyway or they can go straight in jail.

Citation of such law?

It's a part of the Patriot Act. This is from a Wikipedia article on a warrant canary, which is a clever method devised to alert customers of such warrants indirectly. [1]

> Such subpoenas, including those covered under the USA Patriot Act, provide criminal penalties for revealing the existence of the warrant to any third party, including the service provider's customers.

[1] http://en.wikipedia.org/wiki/Warrant_canary

For all those complaining about the language of this and other denials, what could possibly satisfy you? This seems as blanket as possible.

"Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process."

"We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale [as of the Verizon order] is completely false."

Finally, NSLs cannot compel an organization to lie like this, and doing so would be very legally dangerous for Google.

It's amazing how little critical thinking HN does when we see something that confirms our beliefs.

Huh? This is the direct result of the governments toxic conduct. They issue orders that forbid you from talking about having received any such order, they classify everything (to the point where a parallel society to the tune of 1M people exist that have access to (e.g.) cables, as became apparent during the WikiLeaks diplomatic cables row), they institute secret courts, laws with secret interpretations..

They have poisoned public discourse beyond repair, and you make it sound like a conspiracy theory.

At this point, it pretty much is a conspiracy theory. The only evidence we have of these companies' involvement is the leaked slides, which could have been the result of over-promising from a contractor or a misunderstanding from a non-technical manager. We have a lot of evidence to the contrary, particular that nearly every company allegedly involved has issued strong denials, which, again, they cannot be compelled to do by NSLs.

We can't conflate everything the government or the NSA does. This program seems unlikely for a number of reasons, including the conspiracy aspect (quite a lot of engineers working for Google, Apple, etc. would have to be in on it) and the technical challenges involved. Do you have any idea how much data Google produces? How complicated their infrastructure is?

I'm the first to believe that the one thing saving us from the surveillance state is the unlimited technical incompetence of our watchmen. To that tune, when I hear about stuff like ThinThread or other surveillance fantasies, I think of upper management losers dreaming up Java Enterprise systems that only ever achieve to convert gigantic amounts of energy into waste heat.

That still doesn't mean we can accept the government lieing to us or hiding basic information, just because we believe they are harmless kids way over their head.

> Do you have any idea how much data Google produces? How complicated their infrastructure is?

For a continuous activity stream, a single fiber would do. How many queries and mails do you think google processes per second?

I found somewhere that they have 4 billion queries per day. I put 100 bytes per query, that translates to a measly 5MB/s. For emails I estimated 10% of 300 billion (some figures I found somewhere), with 10KB/email that translates to 3GB/s.

A single fiber optic cable contains many fibers each carrying at least 1TB/s. It's easily doable in a stealth way. They don't need to use more than 1% of a single fibre.

No, it's not a conspiracy theory.

1) James Clapper admitted Prism is real

2) Of course such a program would involve the top Internet companies, who in the world else would it involve (the smallest Internet companies?)

Obama confirmed in a press conference that PRISM exists, so concluding the program is imaginary would seem to require a fair lack of critical thinking.

Could you quote/link to Obama's confirmation that Prism exists, and also the claim that it is imaginary?

How about someone with even better knowledge on it than Obama?

"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies"


> Could you quote/link to Obama's confirmation that Prism exists

I'll give you gizmodo because it has specifically the quotes http://gizmodo.com/president-obamas-prism-response-wont-make...

None of those seem to have anything to do with PRISM. This is a confusing situation, because two secret surveillance programs were leaked on subsequent days. These seem to be related to the first leaked program, which involves collection of Verizon's call metadata. That seems pretty clear-cut. Verizon has issued a non-denial, it's in line with what we've known about the NSA's conduct since 9/11, and various members of congress and the executive branch have commented on it.

PRISM is a completely separate issue and one I'm much more skeptical about. I also haven't seen anybody specifically admit to PRISM's existence, so I'd be interested if you can find a better source.

I stand corrected

Did he confirm PRISM exists, or the court order to Verizon? These are separate things. The Verizon story came first, followed by PRISM separately, less than a day later. Many people seem to be conflating the two.

In order to consider the possibility that this is clever language avoiding the truth of the issue, can someone explain how a system might work where google maintains plausible deniability while allowing access to the information it collects?

I have a naive understanding of how the internet works at the physical layer, but it seems like it would be trivial to create a system that allows for this statement to be true and for the data to actually be captured.

For an oversimplified, spherical-cow-in-a-vacuum example: if the user is the source in a passive optical network[1] and both the nsa and google are targets, google has not provided access to their data to the nsa, the user has.


edit: And what would a statement of denial that is inclusive of all possible arrangements sound like? I think that any statement that asserts a one-to-one correspondence between you and google would be unrealistic.

Larry Page wants to live. And he wants Google to keep functioning as a company, and not e.g., to have sudden tax issues crop up with the IRS. He has plenty of incentive to tell an out-and-out lie in this case.

Oh come on. Google is willing and able to push back on overly broad governmental requests. When the Department of Justice sent subpoenas to 34 companies in 2005 asking for months of user queries, Google was the only company I know of that fought back in court and won. I know because I wrote a declaration for that case. See http://www.mattcutts.com/blog/doj-sent-subpoenas-to-34-compa...; and http://www.mattcutts.com/blog/google-responds-to-doj-subpoen...; for example.

We were also the first company to publish our transparency report on governmental requests, and the first company to include any specific number ranges on the number of national security letter (NSLs) that we get.

See also http://www.wired.com/threatlevel/2013/04/google-fights-nsl&#...; about national security letters. The appropriate and constructive place to channel frustation is at bad laws/legal provisions.

Matt, I know you really love Google but you need to do a bit more research:


I'm sorry but that article talks about how Google and NSA worked together when the accounts of Chinese activist were being hacked.

How is that related to helping the US government spy on its citizens?

Cutts said:

> push back on overly broad governmental requests

> publish our transparency report on governmental requests

and also mentioned Google 'fighting back' at National Security Letters.

The fact that courts have upheld secrecy between NSA and Google before (just the one we know about) is quite relevant.

There are bad things at play here and just because Google has a cute, colorful logo and hires nerds doesn't make them innocent either.

like, say, into the actual source of that story[1] instead of the wired blog writeup? For instance, the part that explicitly talks about limiting the share of information to the Chinese intrusion and not user data?


Equating the allegations denied in this post to the response to an attack by a nation state against Google is kind of like comparing reporting a robbery to the police to criminally conspiring with them.

Google just recently got out from under anti-trust scrutiny. It would be trivial for the Feds to bust Google's chops using that at any time. They've got Google's number any day of the week now. Step out of line, suddenly a new anti-trust inquiry begins.

Pedants gonna be pedantic.

When I worked IT for a medium sized university we were asked by the DOJ to install switches that copied all internet traffic directly to an unspecified government server. We were told all ISPs (anyone providing internet to more than 100 persons) were told to do this as well.

We refused to comply obviously as the request was absurd, but in the small print of the request we were told we were not allowed to speak of the request and were to deny any involvement if asked under some unknown penalty.

I wouldn't be surprised if special terms of Google's interaction with any government agencies has a similar clause.

Please throw out an estimate of how big you think a mirror of all Google's network traffic might be.

The NSA's Utah data center was designed to host more storage than existed on the entire planet at the time. Sheer volume of data is among the least of their concerns.

OK, so you can read wikipedia, but does it make any sense? A single 65MW datacenter with only 100ksqft of machine room space can hold all of the data in the world? That's not even as much power as one of Facebook's facilities in Oregon.

Remember when IBM announced they'd built the largest filesystem in history? That was only 120PB. A YB is 10 million times bigger than that.

Consider also that a YB is 1000x the entire storage industry output from 2012. So under your theory there is a parallel hard disk drive industry consisting of at least 99% of all hard disk production on Earth.

>" A single 65MW datacenter with only 100ksqft of machine room space can hold all of the data in the world? That's not even as much power as one of Facebook's facilities in Oregon."

You're off by a factor of 10-15 on the square footage. Per the wiki page, "The planned structure is 1 million or 1.5 million square feet."

"According to USACE, the center will have 100,000 square feet of raised-floor data center space and more than 900,000 square feet of technical support and administrative space."

Typical government installation. 90% overhead.


Facebook's servers spend most of their time finding, sorting and then transmitting bits to the billion people who use Facebook. Storing a bunch of data and storing a bunch of data that needs to be dynamically assembled in real time for a billion users are two very different things.

Regardless, no one has theorized that the NSA storing yottabytes of data. The (still probably crazy) rumors are zettabytes.

"no one has theorized" that except for Wikipedia, Wired magazine, C-Net, and most of the people commenting on this thread.

"NSA to store yottabytes in Utah data centre" -- http://crave.cnet.co.uk/gadgets/nsa-to-store-yottabytes-in-u...;

The NSA wouldn't be storing all the photos or videos from Facebook. Storing text is trivial compared to that.

If you reduced Facebook's storage demands down to always static text, I think there's little doubt you could eliminate over 90% of their storage requirements (I'd say closer to 97%). And that's without any kind of compression.

According to the Wired story on it, it's four 25,000 square foot data center buildings[1]. That's smaller than one of Apple's smaller data centers. Apple's Oregon one is going to be 500,000 square feet.

It's not going to be able to hold more than an average size datacenter, and there are a lot of data centers out there, each holding more data that would have to be copied. The NSA has huge capabilities, but they're not nearly there yet. Most of what we should be worried about is their legal capabilities.

edit: it's also worth noting that the wikipedia article's source is the wired article, and all the wired article says is that a DoD report says that they need to start designing their network to handle yottabytes, which isn't even related to the NSA's data center. Wired then does some interpolation by using "yottabyte" to make the requirements of the data center sound big, but they never say that it was designed to handle that level of data or that it will ever be able to handle that level of data (in fact, they never even cite any level of data that it was designed to handle). But the Wikipedia article cites the Wired article, and suddenly it's become "a data storage facility for the United States Intelligence Community that is designed to store data on the scale of yottabytes".

[1] http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al...

[2] http://appleinsider.com/articles/12/08/16/apples_oregon_data...

> It's not going to be able to hold more than an average size datacenter, and there are a lot of data centers out there. T

Why not? Most data centers aren't designed to store a bunch of stuff, but instead are designed to serve a lot of users. Facebook has at least one storage forward data center and it packs an exabyte into a 60k sqft footprint:


I don't think the NSA has zettabytes at hand, but you can store a massive amount of stuff in 100k square feet.

I was replying to the fantastical claim that the datacenter "was designed to host more storage than existed on the entire planet at the time". Of course 100,000 square feet is a medium sized data center and can hold quite a bit of data. If you're happy to go even slower, you could fit even more in with a tape archive that big. You're still so very very far away from a data center sucking up all human-produced data (even accounting for duplication) and storing it for later retrieval and analysis as many here apparently believe.

So yes, the NSA does have a new datacenter. But no, it's not the new Area 51 nor is it host to magic computers.

Big. But the NSA has been sucking in ridiculous amounts of data for many many years.

http://en.wikipedia.org/wiki/Room_641A http://en.wikipedia.org/wiki/Carnivore_(software)

the social "who's talking to who, and what sites did they visit" information... oh, probably this big -> http://en.wikipedia.org/wiki/Utah_Data_Center

I'd like to point out that their upper capacity limit, "a trillion terabytes", would require approximately 1 trillion hard drives, probably at a cost of $10-$100 trillion. I feel comfortable saying that they have not built out to that scale yet.

They don't need to access to all network traffic, just the interesting bits, like e.g. the internal traffic for the storage/backup systems used for GMail or Google Accounts .

And this is relevant to what?

It's relevant because some of the things that are being suggested here on HN are clearly infeasible, from an infrastructure standpoint.

Word. I get that. I just thought the question sort of steered away from the main point of the parent comment, which was that if Google did have some sort of nefarious partnership that they would be legally obliged to deny it no matter what. My apologies, I'm probably just being a bit nitpicky.

I think his point is it would be extremely expensive. The leaked presentation claimed the cost of PRISM was only $20M.

PRISM is clearly not the whole picture. The Utah Data Center alone is much more than $20M a year and PRISM's specified purpose was using US IT infrastructure to intercept foreign communications, which would presumably be filtered from a large data set.

The bulk of the data transmission and storage costs are probably under another budget

And yet here you are talking about it.

(My point with this comment is to point out a contradiction--you can't prove that silence clauses work by talking about a real example of one.)

Why would they bother asking you, when they could simply ask your ISP? Why ask each customer?

The program and requirements were somewhat surreal. The architecture of the plan seemed to make little to no sense.

They considered anyone who provided internet access to 100's of people a provider (mostly universities etc) and requested that they install the pre specified hardware at their own expense (purchase, installation and maintenance).

They may have been concerned specifically with universities due to their foreign students and access to certain backbone lines that normal ISP's dont always have (WWW2?).

I spoke with the EFF and I was told I wasn't alone, but most people were rejecting the 'request' and not suffering any consequences. Our IT director took a hard line on the topic and tried to speak openly to reporters about how much the request offended him. He got as far as the school newspaper as in 2005 most people didn't understand the ramifications of this activity.

Presumably university IT would have been able to provide more precise demographically identifying data than the ISP. It's unlikely the ISP was running the RADIUS server.

You're right, I hadn't considered that. Identifying individual students within public areas of the network was only possible through the schools ID system. Otherwise public access would be anyones guess as to who was using the computer.

You're not allowed to talk about NSLs, i recommend you change your post. Whats really bad about NSLs is they last forever, even a decade after receiving one you still can't talk about it without risking prosecution. NSLs issued in 2002 have no bearings on any active case yet we can't talk about them publicly. This makes it really hard to have a public debate on their usage.

Was not an NSL as that would be turning over data on a specific individual.

This was a request to install hardware to collect all data at any time.

I don't want any more fluff "no direct access" emails. I just want these questions to be answered with a YES/NO:

1. Is there any way that someone outside of Google, can get a copy of an email I sent from my gmail to my own gmail, without a warrant that specifies my exact gmail address?

2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?

3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?

If the answer to any of this is YES, I am going to have to rethink my entire online life.

You're asking very broad questions with only negative (ie: unprovable) answers. I don't think any company could ever say there is "no" way anybody can every get your search history after you delete it.They don't immediately run out and shred all the hard drives storing your data every time you delete something. Data would always be recoverable with some extreme amount of effort.

What about Q1?

Look at how governments these days are acting. Can you afford to assume that the answer to all these questions is NO?

You don't need google to answer some of these.

2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?

I would think google has historical backups they could refer to to pull out data that you've recently deleted.

3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?

Why not? You should already assume that google and pretty much any site logs your IP whether you are using incognito or not. You should also assume that any time you log in to gmail your IP is noted. It's extremely basic to do a db search for all gmail accounts that have been accessed by a given IP.

> I would think google has historical backups they could refer to to pull out data that you've recently deleted.

I should have clarified: except for temporary cache or periodic backups.

> Why not? You should already assume that google and pretty much any site logs your IP whether you are using incognito or not. You should also assume that any time you log in to gmail your IP is noted. It's extremely basic to do a db search for all gmail accounts that have been accessed by a given IP.

I meant if you do not login to Google and do a search in incognito mode, is that history stored? I can delete my history if I'm logged in. But there is no way to delete history by IP. It seems 'safer' to in fact use your logged in Google account to search.

> I can delete my history if I'm logged in.

At least you can mark it as deleted, and you can't access it anymore. Is it really "deleted"?

Get a VPN anonymously, pay in Bitcoin and never expect third party companies to adhere to any policy they can potentially break.

Anything else involves trust.

That's not the point. The point is if we have to resort to such measures, we have already lost.

We have AFAICS.

Resort to that and fight back from there.

Personally, I'm really glad that Google published such a clear, plain-spoken post to tackle this issue head on.

This whole issue makes me want to donate a bunch of money to the EFF. If anyone else feels the same way, you can donate to the EFF here: https://supporters.eff.org/donate and I believe a lot of employers will match contributions.

EFF is certainly doing a great job right now, so donations are definitely going to help.

Let me ask you this - do you feel 100% comfortable that nobody outside of Google can read your personal gmail?

Me personally? I do. I still want Google to up the number of key bits on our SSL connections, plus explore how to make the connection even more secure though. But yes, I'm quite confident.

It looks like the security team is currently working on upping the SSL bits.


2048 bits! Woohoo!

Thanks! Believe it or not, your one statement made me feel more assured than all the press releases I've seen so far.

I'm sorry, but google's response was demagogical at best (what does 'direct access' even means!??!). In many countries the judiciary would already be in the case and the head of those companies (which didn't provide 'direct access' but there is obviously something happening) would have a lot of explanation to do.

"Direct access" was the wording used in the original article that started this entire debate. All they're doing is responding to the same language they were presented with.

I have donated even before this. How about Google giving them say $10M to hold some people's feet to the fire?

General Clapper point-blank lied - or provided a legally-truthful answer so contorted it may as well have been a lie - to Representative Wyden when questioned about NSA phone-data collection just a few months ago. You can't take any statement by any authority figure on these types of programs at face value.

Obviously this opens the door to all kinds of unfalsifiable, paranoid conspiracy madness, but that is a direct consequence of the government's unrelenting commitment to maximum secrecy.

What a lot of people haven't considered is that it's likely that the NSA had a big breakthrough on Integer Factorization and their capable of breaking RSA public key crypto (used everywhere you see HTTPS)

Then they can just save all your encrypted traffic and break it on demand.

We all need to start considering moving to Elliptic Curve Cryptography.

Why is this at all likely?

I am going to guess that PRISM is a system which receives and parses the data files from those companies that are produced as a result of warrants/subpoenas/national security letters. So the excerpt from the NSA document that the Washington Post gave—"Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple" — may refer only to some kind of secure file transfer (private circuit with NSA hardware encryption, maybe).

It's just a guess, but it could fit with the relatively low cost figure given ($20 Million).

Aren't these the same words we've been hearing from the others, ones that ignore the concept of a front door, push mechanism to satisfy government demands that cannot be revealed without committing a felony?*

I'd be a bit happier if we were to hear from Soviet refugee Sergey Brin....

* That's one of the terrible things about doing everything in secret; we know that if Google is subject to a broad demand from a National Security Letter they can't tell us that without suffering terrible penalties. The government has set up a situation where we literally are not able to trust the words of Google et. al.---at least prior to a major figure deciding to pay that penalty for the greater good. Which history tells us requires a rare courage.

There's a new kind of Birther or Truther, let's call them PRISMers. No amount of denials or evidence to the contrary, no matter how they are worded or exposed, will satisfy PRISMers that Google is not uploading all user activity to the NSA. It's just impossible to repair the harm that's been done to the brand by the government.

For some people, I doubt trust can ever be regained. Companies affected by this PRISM program should sue the US Government for damages, or at least sue them until it is completely declassified.

Disclaimer: I don't know the truth about anything that's going on.

First, I'm not a US citizen. So, it seems I just have to assume that NSA is certainly tracking me.

Now to the topic of spying on US citizens, considering how no one seems to have ever heard about PRISM, the breaking of this story based on flimsy evidence seems to me like an attempt to side track from the real and confirmed story of NSA accessing Call Data Records from Verizon of millions of citizens (The industry calls it CDRs, why have we started calling it "Metadata" since yesterday).

I wouldn't be surprised (though I have no evidence at all) that the PRISM story was planted to change the public discourse.

> Second, we provide user data to governments only in accordance with the law.

Which is what is in question, no? If being in accordance with the law means keeping secret the requests you do serve, even if broad, means you're still handing out the information. You just don't have to put it in your, "transparency report."

Can't really say any of this is even remotely surprising given what we, in the industry of software development, know about what kind of information can be gathered and how vast volumes of it can be processed and analyzed.

In his remarks today Obama said "Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States."

He's clearly stating that they do read non-American's emails. So how do they do it if they don't have access to Google's servers?

BTW, if you run a company outside of America you'd be crazy to rely on Google since the US could be reading your emails for corporate espionage purposes. I think in the long run these revelations are very threatening to Silicon Valley.

> BTW, if you run a company outside of America you'd be crazy to rely on Google since the US could be reading your emails for corporate espionage purposes.

The US could be spying on activities, including email transmissions, that happen wholly outside of the US, as well.

The only reason PRISM, et al., are newsworthy is that there are expectations and widely-perceived legal/constitutional limitations of US government domestic surveillance that don't exist for foreign surveillance.

If my company is outside the US I can try to use infrastructure that at least makes it harder for the US to gain access. If, for example, the US is spying on European allies' infrastructure it would be a diplomatically damaging revelation and the European governments would try to fight it off. If I use a Silicon Valley service I know for a fact that the US can read my data at will without any recourse on my part.

It makes no sense to use Google which is why I'm saying this is threatening to Silicon Valley. Think of it this way, do you think a Chinese email service could become trusted enough to become globally competitive?

> If my company is outside the US I can try to use infrastructure that at least makes it harder for the US to gain access.

Which is great, if you have a decent idea of the NSA's (and the US intelligence establishment in general) capabilities. If not, you're essentially fumbling around in the dark trying to make that kind of infrastructure selection. (And, of course, the US intelligence community isn't the only threat, China -- through whom much traffic that neither originates in nor terminates in China is routed -- has to be a consideration, particularly, but they aren't the only other threat, either.)

If you don't have a system where you have strong theoretical guarantees of end-to-end security and integrity with the data sent over untrusted infrastructure, its security against any of the major threats really relies more than anything on them just not caring about it, and if you think that you are meaningfully buying security by choosing between Google or one of their competitors for basic services, you are probably deluding yourself.

Hey look, I'm already being proven right http://www.reuters.com/article/2013/06/07/europe-surveillanc...

Well in that case, these latest revelations just serve as a reminder to everyone that they shouldn't be using cloud services at all. And that's a threat to Silicon Valley.

> So how do they do it if they don't have access to Google's servers?

So there's this protocol called SMTP...

This was a TOP SECRET document that leaked out. Page may be well in position not only to deny any knowledge of PRISM, but even further publicly deny Google worked or works with PRISM/NSA.

The way the government bends the law for some years now just to punish everyone they feel like, either through imprisonment, scrutiny or simply by wasting years of their lives, savings of their lives and leaving them with a huge lawyer's bill, I wouldn't be surprised if Page had no choice than to lie on the record. And guess what; if, arguendo, he did, he will be pardoned later on. What would you choose? Admit to a secret program ran by secret agency and face brutal consequences (fines, imprisonment, charge with espionage or maybe capital punishment? (why not? why wouldn't government go after Page "proving" that by admitting US sees everything everyone types to Google, it tipped over some terrorist somewhere that stopped using Google and because of that government lost a track of him until he blew himself up in the middle of crowded street. You get the drift)), or perhaps come up as a good patriot and tell the truth. We already have one that told the truth. He spent 3 years in solitary confinement and may be facing life sentence or capital punishment.

People need to understand. This is too big of a secret even for someone like Page to come up and admit.

Okay, HN, how can Google provide a compelling denial that they're not participating in PRISM as described in the leak?

If we're to be a country where innocence is presumed and guilt is proven, we must consider what Larry Page would write in the case that Google is not supplying any sort of un-warranted feed to NSA. Would it be any different?

If this entire PRISM thing is fabrication, then it is the best thing to have happened to personal liberties and Internet privacy since encryption. Until the recent shooting in CA, all the major networks were going on and on about PRISM. No amount of money could have bought the kind of attention PRISM is getting.

Some of the comments here just shows that people will believe what they want to believe.

There's nothing Google, Apple, Facebook, etc can say that some people won't poke holes into.

That's the frustrating state of the law. Gag orders make it very difficult to trust public communications like this. With secret, fairly unaccountable courts that statistically appear to rubber-stamp government requests, it's hard to discount the possibility of the NSA having, say, the authority to say "Google, you will post the following PR release now" as part of one of these orders.

Why is everyone so suspicious of Google to begin with? Is there a shred of evidence to lend any credibility to the accusations thus far? Given how Google's technology works, I imagine it would be quite an expense to provide the kind of access the govt. would want and Google hasn't been exactly overly enthused with having to comply with BS government requests(e.g. see how they deal with requests to scrub search results).

The President getting on national television and acknowledging that the program exists is a pretty big shred of evidence.

PRISM can exist, AND they cannot have direct access to Google data. Both can be true.

There is another vector of privacy leakage here - there are also the ISPs, who I am pretty sure work alongside the government in a majorly secretive way.

He said nothing about Google, which is the topic of the OP.

In case you missed it, this is the program he acknowledged - Note the three Google products whose logos feature prominently in the leaked doc: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...

I missed the pictures of the slides. That said, there are ways to target these services without involving the companies directly. Up to and including espionage itself.

One of the earlier articles discussed the government's concerns about keeping the program secret, lest they lose the cooperation of their private sector partners. That isn't a concern that they'd have if they were implementing the program through espionage.

> Why is everyone so suspicious of Google to begin with?

We live in a semi-authoritarian society. Anyone the authorities might want to use for their purposes is suspect. We _should_ be encrypting everything as a matter of principle and not relying on one huge point of failure like Google.

US government agencies have money available to them for this sort of things.

OK. How does this automatically make Google and not, I don't know Chevrolet's onstar system, a target for criticism? Where's the evidence?

I only write this to say that money for such activity is not a problem.

Regardless of the wording, no statement from Google (or Facebook, Apple, etc) is really going to be believed. A denial from innocence is indistinguishable from a denial which is legally compelled by the language of an order form the government.

But to be honest, I don't bear any ill will toward Google on this. Based on their behavior in the past, I'm willing to believe that if this program existed, they pushed back to the extent they felt they could... but if they eventually complied, it's difficult to blame them, given the threats the government is capable of making.

Unfortunately, the only place to resolve this is at the government level, if it can be resolved at all.

One thing I'd think about: If Google is lying or misrepresenting the truth here, then it would be phenomenally foolish to put out a denial under Larry's name as it just did.

Specifically, the personal integrity of the founders -- especially vis-a-vis these kinds of issues -- is one of the bedrocks of Google's culture. If a statement like this was proven out to be a deliberate misrepresentation (even if not an outright lie) it would cause IMO severe harm to Google morale.

Here's an idea. Instead of telling us what you DON'T do, tell us what you DO do.

They're legally barred from doing so.

Watch this: http://youtu.be/oYNXVgYhPOc

The key phrase is "in the United States" so they just replicate the data outside the United States and you've got yourself a data 'black site' outside the jurisdiction of US law. No direct access. No laws broken. Open access to the NSA.


The dark side of the moon.

- What indirect access does Google provide to the government?

- What lawful data does Google automatically provide to the government without any requests?

- Can the government can ask Google for data once, and then Google is required to constantly supply data, periodically? If so, what is that data?

- What data does Google provide to the government upon request?

This is absolutely crammed with weasel wording. With notes:

First, we have not joined [Maybe you didn't "join", but instead merely participated in?] any program that would give the U.S. government—or any other government—direct access [How about indirect access? What is "direct access", anyway?] to our servers [The reporting suggests the NSA provided some hardware. So I guess it's not your servers, huh?]. Indeed, the U.S. government does not have direct access [There's that weird term again] or a “back door” [With quotes. Nice.] to the information stored in our data centers. We had not heard of a program called PRISM until yesterday [This one is especially bad. Apparently the NSA didn't tell them the program was called 'PRISM'?]

Second, we provide user data to governments only in accordance with the law [Note that the government also claims this program is in accordance with the law]. Our legal team reviews each and every request [What's the scope of a request?], and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data [Not what the reports are suggesting] are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records [Which is wholly unrelated to PRISM and Google.]. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false [Such a scale being what, exactly? All of your users' data?].

Note what it doesn't answer:

Does Google provide data to the NSA?

Does the NSA have resources in Google data centers?

Does Google know what these reports about the NSA spying on our Google accounts are all about?

It really doesn't answer those. Lame.

With Clapper's admission that Prism is real, I don't understand why it's still a debate as to whether Google / Facebook / Microsoft / Apple are involved.

What Internet companies are they getting information from, such that they wouldn't target the top dozen companies that account for the radical majority of anything you'd want to bother tapping into? Who do people think they're talking about? Excite? Some small local ISP?

They got Verizon and AT&T to sign on to massive scale spying. If they can do that, they can get Google and Facebook and so on. These companies simply have no choice in the matter. You'll recall that Google's anti-trust inquiry recently, conveniently, went away with barely a slap on the wrist.

There's that "direct access to our servers" verbiage again. I love how these people apparently think that denying doing something that's not the thing that everyone is talking about is going to distract and mollify the public...

I think the US government can put enough pressure on any CEO of any company in the United States to lie about information collection efforts that such denial is meaningless.

Just because the government has access to Google's servers doesn't mean Google gave them that access.

We're all big kids, if you read that the Chinese/Russian/whatever government had access to information straight from Facebook's servers most people wouldn't doubt it for a second and most people would assume they took it through hacking.

So how can you be surprised that NSA is listening to your Skype calls? Maybe they're using a backdoor made for them, maybe they're using a backdoor MS put in for synergy, maybe they threw a million gpus at it for a few years... And maybe they got permissions from MS, or maybe they social hacked it[1], maybe they take it before it gets to MS's servers. Some of those might be illegal and some not but anyone who's surprised or suddenly outraged has been living under a rock since forever.

[1] "It is generally done via secret arrangements not with the company, but with the employees. The company does not provide back-door access, but the people do. The trick is to place people with excellent tech skills and dual loyalties into strategic locations in the company. These 'assets' will then execute the work required in secret, and spare the company and most all of their workmates the embarrassment"


I don't see any citation or evidence given for this so this persons claim could just be idle speculation but it's along the lines of what I'd assume. The NSA treats your privacy as a math problem and routes around it.

Could the NSA have recruited Google employees as moles? The company might not be providing "direct access", but an individual employee might be able to.

What kind of security do companies like Google and Facebook have to protect private user data from employees? I remember reading that Facebook used to (?) allow unfettered access to all private user data until (surprise!) some creepy employees began stalking people.

The obvious issue here is that if the order was similar to Verizon's, Google wouldn't be allowed to admit its existence anyway.

Everyone please also go read Mark Zuckerberg's response:


Now look at it side-by-side with Larry Page's response. Anyone with half a brain should be scared by this. It really scares me as well. I put more of my trust in Google, and perhaps even Facebook then I place in the Government, or the phone companies, or others. However, these definitely look like they are created from the same template. Very worrying coming from Page and Zuckerberg like this at the exact same time. I just hope there really isn't a man behind the curtain pulling the strings of such powerful figures in technology today.

Does anyone know if there could have been a meeting between these CEOs to decide how they were going to respond. Perhaps they all decided to make their responses uniform together, instead of some external source telling them what to do.

>Second, we provide user data to governments only in accordance with the law.

This is problematic when the government decides the law means you have to give them your data, you can't say no, you can't say anything about it, and if asked you must deny it.

In this day and age, who knows who's telling the truth. When lying becomes law, truth no longer exists.

While I enjoy my tinfoil hat, it seems that they're being open about the access given. This being said, if I didn't trust Google I wouldn't use them. I accept that I am trading certain information about me (interests, usage etc) for the bevvy of free services they provide.

What sort of information about me would the NSA be interested in?

I think they are probably replicating their content in realtime onto government servers, so technically Google et al don't give the NSA any "direct" server access. In practice it's way more convenient to house all that data directly under the NSA/DHS/whatever umbrella than to connect to Google every time they need something.

Using piecemeal "direct access" would also hurt the government's data mining ambitions, so there are a lot of factors that suggest internet companies are simply obligated to stream all their data into a gov black box. This way, everybody wins: the government gets warrant-less, hassle-free access to absolutely everything, the internet companies get freedom from search warrants and NSLs, and they get to use the canned "direct access" denial line which is technically true but is still actually a huge lie.

Missing from this cynical legal response, is the outrage towards the government for spying on all our private communications [ both legally and illegally ]

Google could have used their platform to campaign for better laws : a 'free speech + question mark' logo on their home page outlining their concerns would have been consistent with 'Dont be Evil'.. but they didn't even do that.

A not-just-non-evil-but-actively-good Google should have said to the Government : "No, you may not have any access to our customers data - you need to physically raid our buildings with a warrant to prise that from our stewardship. You need to hold us as a company in contempt of court."

How much better is the US than China ? : how can there be a democracy without both free speech and a right to private conversation ?

Very carefully worded & not a denial of the allegations.

(At least) one party did not tell the truth - opinions?

There's two middlemen layers in this game of telephone:

1. What the leaker communicated to news outlets 2. What the news outlets communicated to us

It seems likely that exact terms and technical capabilities have been misunderstood or misinterpreted. Already, there are common misconceptions arising from the public's interpretation of the news...for example, conflating the NSA's deal with Verizon to the PRISM program. And there's also the natural confusion that generally arises in any discussion of government surveillance programs...some people seem to be surprised that the NSA is spying on foreign communications, when that is pretty much NSA's raison d'etre.

I think we should take Page as a clear denial, that is, that he's not weaseling out on a technicality. That doesn't mean he couldn't be flat out lying, of course. I think it's also a believable that if Google were to participate in a program like PRISM, that Page would be one of the people in the know.

"Tech companies might have also denied knowledge of the full scope of cooperation with national security officials because employees whose job it is to comply with FISA requests are not allowed to discuss the details even with others at the company, and in some cases have national security clearance, according to both a former senior government official and a lawyer representing a technology company. "


Several of the largest telephone carriers in the United States knowingly and voluntarily assisted the National Security Agency in illegally spying, the online companies I feel have more too lose if they took that kind of mindless attitude. Online companies monetize user data so consumers may lose faith in the companies ability to protect their data from government if they have "direct access". Online firms adopted a aggressive, pro-privacy legal theories. The problem isn't about direct access, the friendly benefits the intelligence community gets with current structuring of federal law is what needs to be changed for more respect to privacy in our society.

Ok, let's read this closely. It doesn't seem to me like Larry and David are really denying much of anything.

"Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers."

Sure, that's fine. But the fact that the initial PPT gives a specific date on which Google cooperation began already suggests that Google may be handing over data, not that the gov't is sucking it all down automatically.

Also, they say "data centers" in particular. Data travels over lots of other pipes.

"We had not heard of a program called PRISM until yesterday."

Not surprising the NSA wouldn't tell them the secret code name of the project in their discussions.

"we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process."

This is an enormous loophole. "in accordance to the law" could mean anything, and with automated review systems the volume of data passing through could be massive.

"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period."

Not providing "open-ended acces" does not mean not providing any access.

"We were very surprised to learn that such broad orders exist."

But not surprised to learn that other not-so-broad orders exist. How broad is too broad?

"Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

Not "on such a scale", but on a slightly smaller scale, sure.

"there needs to be a more transparent approach"

In other words, we wish we could tell you about everything we're doing with the NSA, but we aren't allowed to.

Really this doesn't read like any sort of denial at all.

"We put that in our transparency report "whenever possible". :)

I'm sure many people have said the same thing much more eloquently than I can, but what I find extra depressing in all this is that we all obviously want to take advantage of the possibilities that the Internet gives us, but while people are prosecuted right and left for sharing a song the government (any government) can do things on a scale which we can only dream of. We're all connected, but has it empowered us or has it made us into a bunch of sheep?

What happened to the government working for us, the people? Yes, I'm sure I'm naive, but still.

I don't see this getting better before it gets worse. Sorry.

This from the same guy who once gave away access to anyone's data to impress friends.

His quote:

Zuck: They "trust me" Zuck: Dumb fucks.

He has no credibility.



Not the same guy at all...

It's disturbing how similar the language of the different denials is. While individually they are quite convincing (to me, anyway), when you read them one after the other they all have the same "voice". It starts to sound like Orwellian newspeak, exactly how it would sound if all these statements were coordinated by a shadowy background figure.

It may be just an unfortunate coincidence of timing and nature of lawyer laden executive language - but together these statements almost become counterproductive.

Google doesn't know what the program is called inside the NSA, that is not earth shattering news. The problem is they don't need to "know" any of this. Hypothetically; If I was approached by the NSA for access to my users data... I would ask or come up with, at a minimum, some kind of Plausible Deniability... its the only sane option given the nature of these requests.

Ie. "Never heard of it... We push back as much as we can... See these push-backs in our transparency report. Feel Better?"

So the gmail access given to government agencies, that allegedly enabled the Chinese to hack it in 2010 - as reported by CNN (http://edition.cnn.com/2010/OPINION/01/23/schneier.google.ha...) was just a figment of Bruce Schneier's imagination?

Or was it just "indirect access", as in via some other company?

> First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Right, but government-hired contractors are not 'the government'. So while this could be true, users' data could still be being intercepted.

Wow, so many weasel words.

So what would satisfy me?

"We minimize intrusions into our users' privacy by encrypting their data on the client side with good crypto algorithms and secure keys that assuming a secure client system are under the full control of our users."

Followed by a list of types of data, and which types are or are not encrypted in this way.

That comes close. It's not exactly PR-speak, but captures the spirit I would hope for.

Google could at least try harder to be proactive about protecting privacy.

It just occurred to me: the "data liberation" thing they have which lets you download your own data... would be terribly useful for such requests. What better way to scrape the entirety of the various storage systems than to have a team who does nothing but that?

The team itself wouldn't even need to know about it. Just keep them funded and let them stay current on supporting the latest doodad, and it stays useful to the nefarious spy work as well.

We should really read what the Times has to say about this before we engage in armchair investigation.


The last paragraph sound to me like: "Oh guys, we'd love to tell you what they force us to do, but we can't because we're under gag order.".

Especially the final sentence is explicit:

     But the level of secrecy around the current legal    
     procedures undermines the freedoms we all cherish.
Am I reading this wrong?

This just looks like it was crafted from the same template as Mark Zuckerberg's response! Very worrying coming from Page and Zuckerberg, (and I hear other CEOs) like this at the exact same time. I just hope there really isn't a man behind the curtain pulling the strings of such powerful figures in technology today.

At some point, I think - perhaps this is only wishful thinking, but I do think it nonetheless - someone from one of these companies will simply come out in a TV interview and spill the beans.

Just make a big enough stir, be explicit about what threats were levied, and tell us all. It would be impossible to prosecute them after that shitstorm.

IDK, if the gov't has core network switch access and is sniffing all of the packets, that's "back door" enough for my mind.

I'm wouldn't be surprised if none of these companies was involved, and it's just a case that the NSA is simply harvesting and processing all of their traffic for a net same result.

The denials sound like a politician denying he had an affair...and in the end it turns out to be true. PRISM at least expresses the intent of the government, which trashes our right to privacy, probable cause,etc. The only right to privacy these days is if you're having an abortion.

There's some undertone about having Drummond listed as the co-author.

When the chief legal officer co-authors a post with a ceo, it means that each word has been carefully chosen, because each of these statements carries serious consequences if they get it wrong.

Couldn't a huge amount of metadata be gleaned by just monitoring the size, disposition, and timing of encrypted traffic. That sort of information would only be useful to government and would give them the ability to deny everything.

Sure thing, Larry. So you won't be afraid to swear as such under oath nor sign a contract stipulating multibillion dollar penalties should this in any way prove to be a lie or deception, right?

Hopefully all this spurs more transparency like Larry suggests. We're certainly on the wrong side of a slippery slope right now. -(says a Canuck who has to deal with this stuff to)

I assume the government would require them to deny involvement, just like companies aren't (weren't?) allowed to discuss NSLs. Consequently, I view the denials as meaningless.

So then what could these companies do to convince you, short of giving you physical access to all of their datacenters and shell access to all of their servers?

Nothing, that's the problem. What needs to happen is for these programs to be brought in to the sunlight and for Congress to make it explicitly legal for people to discuss them, regardless of any previous prohibition. Then I might be able to believe a denial, or at least accept it as meaningful.

"Second, we provide user data to governments only in accordance with the law"

Well, now I feel better. Oh wait, PRISM is technically legal since it's supposedly authorized by the senate?

If these companies truly were innocent they would immediately sue press for slander. The fact that they all posted a denial that are all exactly same worded says everything imo.

If Google is forced to turn over data to the government, but precluded from discussing it due to national security laws then the denial really doesn't mean anything. Right?

Qualified statement "direct". Of course they are not providing "direct" access to production servers. What about "copies"?

I trust Google more than the U.S. Gov't.

Who's lying? Confused?

If you don't trust the government how can you trust google in a situation like this?

"Second, we provide user data to governments only in accordance with the law."

Would be much better if this were "only when required to by law".

Does anyone care, outside of tech circles? Most people don't seem to care, even though they understand what's happening

I had to chuckle at Mr Page using the "royal we":

"As Google’s CEO and Chief Legal Officer, we wanted you to have the facts."

Is it just me or did the personal statements by Larry Page and Mark Zuckerberg have similar format and language?

indeed, very similar like a government script ...

Google gave the Chinese gov direct access that's how they got hacked.

It is very possible that Google is lying or, at best, bending the truth.

Maybe the larger point is that they don't need permission

A nice $10M donation to the EFF would help me believe him.

Drafted at Bilderberg 2013

yeah but what about Google's Irish branch?

principiis obsta et respice finem

I have a completely different take on this.

While something along the general lines of 'Prism' probably exists, in aggregate, across different NSA programs, I believe the presentation slides are fake and were created / leaked by the executive branch.

Here's my reasoning:

The Slides ----------

Who is the audience????

Who were these slides prepared for? Who is the target audience? If real, the information is obviously very, very sensitive- so it follows that the original audience would have been very, very high level.

But who at that high of a level needs this type of explanation for a project that started years ago?? It reads more like something you would create for someone that has never heard of it. Doesn't make sense.

Slide Design

Gee- nice of the creator to put the logos of each of the companies at the top of the slide- of every slide. Which leads me to ask...

Where are the rest of the slides?

Was it only a 4 slide presentation? Who gives super-high level presentations with only 4 slides? If there were more than 4 slides, were the company logos across the top of EVERY page? Does that even make sense?

It's also interesting that the 4 slides present such a simple, easy to understand story line- it reads like the target audience is a school tour - not super-secret-high-level-officials-(hearing about it for the first time).

Prism Logo

Who made the logo? The NSA graphic design office? Seriously, why would a program like that have a logo? For marketing purposes??

Prism has a web page!

From the bottom of slide 3- "Complete list and details on Prism web page: Go PRISMFAA" A web page? Even if it's private to the NSA it's absurd.

The Political Angle (motive) ----------------------------

IRS - Big Government Story

The IRS / Tea Party story was looking very, very bad for the administration. It's one thing for Republicans / Libertarians to say big government is bad - you play that off as partisan politics. The average person goes about their day.

The IRS is different- EVERYONE deals with the IRS. The narrative was a simple one - IRS abuses power to attack political enemies. That scares people- pretty much everyone.

The Obama administration is all about big government - they don't see it as a bad thing. They believe government is in a unique position to help people. If the electorate turns against 'big government', whatever agenda Obama has for the next 3 year would be finished. The IRS story is a very big deal.

Incredibly Savvy Political Operators

The Obama political team is a force to be reckoned with. Between incredible political savvy and incredible data analysis, they have taken the political game to an entirely new level. They are very, very good.

How does one 'fix' this problem? A tried and true solution is for a bigger story to come along and eclipse the 'problem' story. In the Wag The Dog world, you would start a war. But that's just a movie.

What would be a perfect story? How about a story that simultaneously eclipses the IRS story, while blurring the big government issue?

That's just what happened. The NSA story is at an abstract level the same as the IRS story- it's about big government run amok. However, by rolling the two together Obama can claim 'security' as a trump card. It only really applies to the NSA part of the story - but the press isn't big on subtle distinctions, so no worries there.


Is it a coincidence the Washington Post broke the story just as the evening news was starting on the West Coast? IE - the end of the day's news cycle? That gives a full day for the press to roll the IRS stories up and for the President to make a presidential statement about security. Sum it all up on the evening news and gee - look at that - it's Friday. Time for a summer weekend.

Denials -------

All the firms listed in the slide presentation header have denied the story. Yes the language they used is very similar but at the same time it is the same language used by the press ("direct access"). The denials sound pretty believable to me. Even if Larry Page were under some gag order, I doubt he'd say something along the lines of 'I've never heard of it.' I think he'd follow the letter of the law (gag order), but not the spirit.

This is a long post - and my first post (long time lurker though).

In a nutshell:

The slide presentation looks very 'Made for TV' The timing is SUPER convenient.


Larry Page: "the U.S. government does not have direct access"

Apple: "We do not provide any government agency with direct access"

Facebook: "We do not provide any government organization with direct access"

Yahoo: "We do not provide the government with direct access"

Remarkably consistent - as if it was coordinated, or scripted by an attorney...

Or as if they are addressing the media talking points from yesterday... It was all over the news. Every channel was saying "direct access" and then throwing names like "Google," "Apple," and "Iphone" around.

+1 "direct access" is just a deceiving jargon that is being used by a bunch of corporate lawyers working in sync.

Letting out my inner conspiracy theorist for a moment, a prism can be used to split light. For example, think of a pentaprism mirror in many DSLR cameras.

Did the NSA choose "PRISM" because they are splitting the signal upstream of providers, thus giving private companies plausible deniability?

It's not "direct" access, it's access through a one-way live xml feed

It's for the government, gotta be CSV in EBCDIC.

Please ... it will be binary format. Even the government isn't so wasteful to transmit data as xml. And if it did you could easily find where the servers were located by the 5 nuclear power plants needed to power such parsing.

I hate to tell you this, but the government has never been concerned enough with overhead to not use something like XML. Frankly its probably tab deliminated ASCII. We'd be lucky to see a binary protocol.



A few thoughts: It's unlikely that he cannot deny or admit giving data to NSA /FBI, because he both admitted and denied, albeit with weasel words. No "backdoor" and "no direct access" but maybe from the front door and indirect access :). I suspect that NSA has live access to Google /FB / MS for certain cases, tracking every online move for certain individuals. That's why it costs just $20 million, maybe they created a portal from which they track Person A going from site to site, what he searches for, who he calls, and what he types.

Larry smells the end of his company's "trust us with all your data...all your life on cloud...search while logged in...visit pages with Google Analytics...it's secure" etc. etc etc. While NSA might not catalog everything you do, Google does and everything is there for NSA's and FBI's asking. The more information Google and Facebook (to pick two of the largest) have stored, the worst it is for us. They know EVERYTHING about pages you visit, how long you stay there, what you searched for, what places you went to (Android) what you emailed, foods you liked, what your ordered from ebay, and so on. A treasure trove for NSA, a nightmare for us.

Start thinking! Stay logged out of Google and FB, use hosts file, Ghostery etc to block and make NSA's and FBI's life as hard as possible.

What's good for Google is good for NSA, but not necessarily for you. NSA would love Google Now, wouldn't they?

If Google is not part of PRISM where is the lawsuit for damaging the image of Google and putting their Trademark in a document that is fake a lie... Where is that slander, PR lawsuit? Google you have billions, if its not true file a lawsuit we will believe you then.

> Second, we provide user data to governments only in accordance with the law.

Great! So if the law - namely the Patriot Act - states the Government has the authority to spy on all your users emails, your legal team reviews it, says it's ok according to the law and you cooperate. Is that how it works?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact