- We do not provide direct access to our servers.
- We do not provide direct access nor is there a backdoor.
- O, but we do still pipe all of your data to external NSA servers. </sarc>
Every company named (I'm not just picking on Google here) has come out with the same overarching statement. "We do not provide direct access". It just smells of being rehearsed, and carefully coordinated to select such language.
Until this week’s reports, we had never heard of the
broad type of order that Verizon received—an order that
appears to have required them to hand over millions of
users’ call records. We were very surprised to learn
that such broad orders exist. Any suggestion that Google
is disclosing information about our users’ Internet
activity on such a scale is completely false.
Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigner.
Google and other tech companies are said to have gotten orders under section 702 of the FISA Amendments Act of 2008. That allows the government to compel communications companies to furnish lots of metadata and CONTENT on NON-U.S. persons. This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons.
Compliance is mandatory, under contempt of court and companies must provide facilities and help. They also get reimbursed.
So it's likely Google never got an order like Verizon did, they likely got one that involves content, but is supposed to exclude intentional targeting of Americans.
Any suggestion that Google is disclosing information
about our users’ Internet activity on such a scale
is completely false.
They all said stuff about "direct access", without discussing what would and wouldn't qualify as "indirect". They didn't deny doing all kinds of different access that could be called indirect in some way.
The last sentence he made, that the government needs to be far more transparent about what they're doing is the only sentence I can really trust as honest, especially given that the alternative to lying could be being thrown into Guantanamo for 'assisting terrorists'.
>"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."
Another possibility is that the NSA could have served orders on Google employees directly, and they are compelled not to tell their managers about what they did for the NSA.
You hire a foreign national, working for a foreign division of Google to be your spy. Unless every US citizens mail server is domestic, lotta a loopholes to be found.
People should also not assume the credit card statement from their bank is a batch job run on US servers by their bank. I've been told this stuff is outsourced, probably to the lowest bidder. Which if I were an intelligence service, I would be more than happy to subsidize.
You have been told incorrectly. (Source: I work for a major US credit card company.) Certain pieces of the development and maintenance may be outsourced (under the supervision of US employees), but we (and, as far as I know, all our major competitors) own the data centers where they are run.
| they are compelled not to tell their managers
| about what they did for the NSA.
Isn't it more plausible that they're intercepting data flowing in and out of Google servers?
We haven't seen posts from the CEOs of Cisco/Juniper/Dell/HP or other manufacturers of datacenter grade network equipment. Who needs Google/Facebook's "knowledge" if you've got root on all the border network gear (and SSL termination hardware)?
I know here in .au, Huawei have been excluded from the government-deployed National Broadband Network due to suspicions that the Chinese government has too much control/access to Huawei newtwork hardware.
a new time option - Larry is lying because of the gag order.
in between - Larry said "on such scale". Well, Google probably is of a bigger scale than Verizon.
Anyway, once the data is out there, it is only a matter of time and determination for a government (or any financially well backed up player) to get to it.
This scandal will be a great boost for any services involving "crypto", and probably would spring a new ones like an encrypted phone exchange/switch service, where one can see incoming and outcoming phone numbers, yet not which one connected to which :)
These can be installed at the trunk level with virtually no one knowing about it (maybe a couple of on site managers). They can handle massive data and pipe it directly to the NSA. The problem of course is you're dealing with raw data which isn't nearly as easy to work with then if you had direct access to internals.
These are already installed on every major backbone so I also don't see why they would bother to involve anyone, so there must be more to it.
ps. It would be nice if another whistleblower came out with the data on optic splitters and how the NSA uses them.
Access is trivial, volume is a much more interesting problem.
There could be a lot less data leaving than you think.
If you consider that PRISM is not a 'dragnet' but rather an automated system that processes FISA warrants on company premises then the denial wouldn't be wrong. There is no 'scale' that you wouldn't be able to get using regular data requests to internet companies. PRISM could just make the process a lot easier for everyone involved.
So instead of sending a warrant over, having the company verify and send the data to the NSA, then finally transforming the data into a reportable format PRISM automates the whole process.
If you read some of the media descriptions it almost looks like PRISM is more of a data aggregation and portal system that sits on top of a data source and allows analysts to explore content.
No, it was a FISA order: http://www.guardian.co.uk/world/interactive/2013/jun/06/veri...
It specifically states that such an order can be made "provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution".
If they have been violated, then there are a number of members of Congress and the Senate who are falling down on their job - the Attorney General must inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate. On top of this, every 6 months the Attorney General must also provide a report to the Committee on the Judiciary of the House of Representatives and the Senate which details the total number of applications made for orders approving requests for the production of tangible things and the total number of such orders either granted, modified, or denied.
I've read and documented the USA PATRIOT Act on Wikipedia incidentally. Took me two years to read and understand the thing. Possibly things after the Patriot Act changed FISA, I wasn't going to spend any more time on writing up about this subject. I'm an Australian citizen, after all.
I should note that I'm not thrilled about the fact that the U.S. government can read my communications. Not that I have anything to hide, nor am I of any interest to them, but hardly the point.
The two parts to read on Wikipedia, incidentally are:
But how would you determine on the internet that an account holder was a US person or not ?
If I claim to be the person X who is a US person by registering for an account in their name, am I then a US person and therefore supposedly exempt from monitoring? Even IP-based clues are not enough as those are not full-proof.
I suspect that both US persons can be just as susceptible to tracking from the Government.
That's why they only have to check a box saying they a reasonably sure that there is at least a 51% chance.
Vague laws are invariably wildcards that can and will be abused.
Does Google give anyone, any company, any entity, anyone at all direct access to their data? They've specifically excluded NSA. Does NSA subcontract that to Booz Allen Hamilton? Google claims that no government has this access, what about one of the 1200+ Top Secret cleared contracting companies?
Can these companies officially comment on this stuff yet? Or are they violating court orders if they talk about it? I like Google, I really want to trust them and I think they've moved the needle in our industry in some very positive ways. Honestly though, I think they could make much much stronger statements about this stuff. I expect them to say stuff like this to keep up with appearances.
There is no "careful parsing" of the Constitution going on. Just people who never read the document very carefully other than what they thought the teacher said in 8th grade.
This is the entirety of the 4th amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
If any "parsing" is going on, it's creative parsing to make the argument that information you freely handed over to Google and AT&T, or indeed information that was never even in your possession but was generated by AT&T (e.g. call data records, web server logs) is somehow your "papers or effects." Tell me how that is anything other than creative parsing? How is a document that you never even had in your possession somehow your private information?
Wiretaps themselves became illegal and the information from them inadmissible under the 1934 Communications Act. This didn't really stop wiretaps. Instead they were used as a method of intelligence gathering to go and find stuff that was admissible. Note that this was not a reflection on the Constitutionality of wiretaps, but instead the sense that they just weren't needed to convict criminals.
By the 1960's wiretaps were again brought to the Supreme Court and they outlined how a wiretap statue could pass Constitutional muster. The Katz case is where the "expectation of privacy" language was introduced. This resulted in wiretap statues passing in late the late 60s and that's basically what we had until the PATRIOT Act of 2001.
In a world where important documents are increasingly electronic, and electronic stuff is increasingly routinely backed up, transmitted through, or just stored on remote servers, people's personal papers will be increasingly in the possession of others.
I won't argue that it's impossible to read the Constitution so that it becomes a set of meaningless restrictions on outdated technologies--legal text is never deterministic and always subject to multiple interpretations--but it's certainly not unreasonable for somebody to have "read the document very carefully" and found it more robust and relevant than you do.
Wouldn't I be pretty stupid if I had a problem with these things, yet still uploaded these documents in clear text to Google's servers where absolutely nothing stopped Google from doing these things? Especially when they tell me point blank that they do indeed sift through the documents (for ad targeting)?
* Google scans email, not other documents in Drive:
* Just as the NSA claims that collecting data doesn't count until a person reads it, Google affirms that humans do not read user data without permission.
* Documents are are encrypted in transit, not uploaded in clear text.
If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?
Email is slightly more complicated, due to automated ads scanning.
if your secretary agrees to give it to them , of course they can.
Have you been to a doctor? Have you seen that folder full of your medical information? Have you ever possessed it? Most likely not, but that is your private information and there are very strict rules about how it is handled and who can access its contents.
The thing is that usually CDR data doesn't require a warrant. The court ruled that since people are typically aware that the existance of CDR's and may rely on them for services from the telephone company, and because they are relatively non-revealing they do not constitute a search.
The point is that the user of the telephone service discloses the calling information to the phone company and in such a way as to expect no privacy over the information. A similar case might be IP packet header information over routers, or photocopying address/return address/postmarks on the outside of envelopes passing through the USPS. None of these are considered to violate any reasonable expectation of privacy because, for example, we can expect that the address on the letter we drop of at the post office is publicly visible.
O'Connor got it right in Casey when she distanced the right to abortion from the right to privacy: "That is because the liberty of the woman is at stake in a sense unique to the human condition and so unique to the law."
"The Constitution does not explicitly mention any right of privacy. In a line of decisions, however, going back perhaps as far as Union Pacific R. Co. v. Botsford, 141 U.S. 250, 251 (1891), the Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution. In varying contexts, the Court or individual Justices have, indeed, found at least the roots of that right in the First Amendment, Stanley v. Georgia, 394 U.S. 557, 564 (1969); in the Fourth and Fifth Amendments, Terry v. Ohio, 392 U.S. 1, 8-9 (1968), Katz v. United States, 389 U.S. 347, 350 (1967), Boyd v. United States, 116 U.S. 616 (1886), see Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); in the penumbras of the Bill of Rights."
That handwave-y language ("does not explicitly mention", "a right of personal privacy, or a guarantee of certain areas or zones of privacy", "at least the roots") doesn't exactly inspire confidence in the existence of a broad, fundamental right to privacy in the Constitution. Also, it uses "privacy" in a somewhat different sense than the surveillance debate. In Roe, it's used more like "liberty."
If you think there should be a right to privacy of electronic communications, then convince people of it. Get an amendment passe. Don't twist the Constitution to say what you wish it said.
Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
He doesn't say "Any suggestion that Google is disclosing information directly to the government..."
As such, I think you can either take it as "we don't disclose anything to anyone, or you can say that the sentence isn't true.
> we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. [...] Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
> Honestly though, I think they could make much much stronger statements about this stuff.
They can't really, though - they do cooperate with the government on a ton of properly-filed, fully-legal subpoenas. And that's fine, that's what they have to do, and it's what every other company in the world would do - though we should all push our government(s) to be more transparent about what they're requesting and why.
> Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers.
Do they give carte blanch access to their data to ANYONE? Regardless of the datacenter. If they don't they can say that.
It is possible to permanently erase or disable your search history from here: https://support.google.com/accounts/answer/54067?hl=en
You can opt out of Google Analytics using this add-on: https://tools.google.com/dlpage/gaoptout
Saying that denial is a lie . . . is a completely different charge.
Kind of like Mariano Rajoy insisted that Spain didn't need a bailout?
EDIT: I mean: (a) No one cares if they have heard about a program called "PRISM" when the point of that program is to aggregate data from other programs. (b) Anyone who is actually innocent in this needs to stop mentioning "direct access to servers": no one expects this program to be directly accessing servers. (c) We also don't care whether actions were "in accordance with the law", as the constitutionality of the surrounding laws is part of the debate.
I will say that "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false." is a good statement to make. It sounds broad in a good way and doesn't appear to have many weasel words, other than specifying "Internet activity" and not email or general activity. Are Google searches even "Internet activity", or is he referring to Google Analytics / Google +1 / 126.96.36.199 DNS?
If you're refuting claims of behavior X, it's natural to say "We don't do behavior X."
I don't mind targeted surveillance against genuine suspected terrorists. What frightens me is broader intelligence collection especially commercial intelligence. Over time programs broaden and if we're not really, really careful we'll find gmail being read by intelligence analysts who can brief our US competitors.
If non-Americans can't trust Google with their information that is an existential risk to its future. I think the Google leadership needs to do a lot more than this one short post!
 From Obama's comments:
Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States. And again, in this instance, not only is Congress fully apprised of it, but what is also true is that the FISA Court has to authorize it.
So in summary, what you’ve got is two programs that were originally authorized by Congress, have been repeatedly authorized by Congress.
That seems pretty clear - there is a congress-approved spying on non-US citizens Internet and email.
EDIT: added Obama quote
This kind of language bothers me - "suspected terrorist" requires no proof at all, while sounding authoritative (65% of Americans support the remote execution by drone of 'suspected terrorists').
I know roughly what you meant, of course, but where that line is drawn is a discussion that needs to be had. I'd say that with the level of surveillance that goes on, we are all suspected terrorists now.
It rather makes it clear that Google is participating in espionage programs for the NSA. Supposedly, maybe, it isn't directed at Americans (har har).
The president has not, however, confirmed that the news reports about "PRISM" are accurate. All he's done is summarized the law.
"We post this information on our Transparency Report whenever possible... ...we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish."
I do think Google is working hard to protect our users from unwarranted government requests. Just speaking for me personally, I really dislike provisions in the PATRIOT Act and FISA that compel secrecy. One thing I did like in Google's blog post was that we spoke out against the "level of secrecy around the current legal procedures." I was encouraged that Facebook later said something similar. In my opinion, a lot of the frustration about the current situation would be best applied to changing some laws in the United States.
While I honestly think _you_ believe Google is doing "the right thing" - there's a nagging suspicion that there's some NSL-style legal (or possibly extra-legal) compulsion being used at the very top levels. Even if I believe that Larry is 100% "on my side" against the government - I'm also under no doubt that Larry and Google are effectively powerless against the pressure the various US government agencies could apply if they so chose.
While explanations of the similarity between Larry's and Mark Z's posts based on direct rebuttal of the WaPo article are plausible, when combined with Apple's, AOL's, and Yahoo's suspiciously similar structure and wording - cynical-me can't help but wonder if all 5 CEO's are being compelled to disseminate the same government supplied message (and are possibly intentionally using almost word-for-word similar language as a plausibly deniable way of telling people that).
I'm not sure if there's much Google can say or do - given the depth and seriousness of the seeds of suspicion that've already been sown… (Having said that, I was pleased to read Yonatan's G+ post earlier today…)
Federal law may "authorize and in some cases require telecommunications companies to furnish information" to the executive branch, said Bradford Berenson, who was associate White House counsel when President Bush authorized the NSA surveillance program in late 2001 and is now a partner at the Sidley Austin law firm in Washington, D.C. Far from being complicit in an illegal spying scheme, Berenson said, "AT&T is essentially an innocent bystander."
And a sealed AT&T document I obtained tried to offer benign reasons why there would be a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic:
What Google and Facebook are doing today is precisely the opposite of what AT&T did.
What Sergey (and Google) bravely did in China gave Google years of priceless respectability. This is one of those situations where civil disobedience is best. I realize you can't just "pull out of the United States", yet Google is looking like liars, and that just doesn't work.
For what it's worth, if Larry summoned the courage to speak his conscience completely, he will not go to jail. Far from it ... Google will be the true statesman, showing courage and leadership.
Indeed, I believe it may help Google the most, by catalyzing people's courage to do what's right. It's simply wrong to associate yourself with this.
It must come from Google first, Google is the strongest. Please consider the honor in doing this. Done genuinely, the public will rally behind Google, just like SOPA/PIPA. And don't forget, you have the world's largest bully pulpit.
For what it's worth, I'd recommend reading this post: https://plus.sandbox.google.com/+YonatanZunger/posts/huwQsph... To me, Yonatan's post read as the sort of personal, even blunt statement that you're asking for.
Are you asking Larry to violate the law on National Security Letters, by publicly posting their content?
Why should we trust the safety of any information on our searches, emails, location data, chats etc stored by Google? Stop storing it
Compelled and limited is a very different story than voluntary, wide-scale, and direct. Do I like FISA? No, I think it sucks. FISA orders come with a gag order, and laws that compel secrecy like that should be struck down, in my opinion. But in recent days, you've heard the CEO of Google say that they haven't gotten the sort of broad requests that (say) Verizon got, and that Google can and does push back on requests that they consider too broad.
I think the proper response to this issue should be frustration with bad laws, and calling your Senator or Representative in Congress to tell them that.
"We cannot confirm or deny the existence of such a program,"
"It is not our policy to comment on national security topics"
"We'll wait for the results of the investigation."
No, I think it's most likely that Page doesn't know of any such program. Now, it's always possible that such a thing is being carried out on the scale everyone fears by a rogue, loyal-to-the-NSA employee, or a group of them. Or it's possible the original Powerpoint slide including Google as an information source is oversimplified or even inaccurate. Such things do happen when presenting overviews of program capabilities.
And many other things in between are possible. It's concerning, but . . . I'll wait for the results of the investigation. ;)
I think there's a world of difference between a gag order where you are not allowed to confirm, and an order to explicitly deny involvement. I'm not saying the former is "good", but there's a difference.
I think there's a non-zero probability that there are US government agencies who can and have compelled people to explicitly deny something that they know is true.
Realistically, it would boggle my mind to discover they'd done that to all the founders/CEOs/legal departments of all the companies involved here (at least Google/Facebook/Apple/Yahoo/AOL), but given the stakes in this game - I have no doubt that it _could_ be done.
Either the government is coercing them, and they have to issue lies as denials, or they are participating voluntarily and are voluntarily lying, or they are not participating. The second option seems unlikely to me.
But at the same time they can't all be right. NSA says it's getting data in some form from Google, Page says no direct access.
The truth is probably somewhere in the middle then... but where?
If that is true, why would we expect that Google officials would be able to make any public confirmation of the Top Secret program? And, given that, why, in that case, would we expect the truth to be "in the
Conversely, if the leaked document is not genuine, then I still don't see any basis for expecting the truth to be in the "middle" between the false document and the Google denial.
I just think it's important to not be entirely cynical here, and to keep in mind what such a statement might look like if it were being truthful. I don't know how much different it might be, which generally makes the statement only as good as Larry Page's word, and only then if he doesn't have a gun to his head.
Page says no direct access and not even legal access at that scale (verizon). He doesn't say they don't have any access -- in fact he says they comply within the bounds of law, but it's not at the Verizon scale.
You assume Google is giving the NSA information and act accordingly.
Doubts are like bothersome flies...
until they are crushed...
you will never be comfortable at your current position.
On one hand, I would think a very-visible CEO of a major corp would keep their name off of a press release, if the press release was a lie that they were compelled to tell by the government.
On the other hand, I feel like each company's response and their use of the exact same terminology ("direct access", etc) feels like a wink and a nod.
If I was going to go completely conspiracy-nutter, I'd say that Page has been kept out of the loop intentionally for plausible deniability, and the actual incursion happens at a much lower level, where the people involved are coerced into keeping their mouths shut. That way, the bigwigs get to tell what they think is the truth, the NSA gets their data, and nobody is the wiser.
Granted, I think that belongs more in the plot of a thriller novel than in this actual world we're living in, but given the revelations of the past couple of days, fiction doesn't seem that implausible.
"A US government-mandated backdoor allowed China to hack into Gmail"
"In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access."
Maybe those hackers just used the regular tech support "back door", as in "SELECT * FROM gmail where email = 'email@example.com'
Their business is based on user's data. If you do not feel comfortable giving them your data, it might hurt their business. Hence, IMHO, they do have some incentive to deny PRISM, regardless of the facts.
It's the opposite of what Larry Page is doing.
So the answer they give when asked, and they do get asked, is "no comment."
If they were voluntarily part of PRISM, and legally required to keep that quiet, I'd expect them to say "no comment."
Doing the opposite make so little sense. It means they're having to flat-out lie to their users, something very hard to recover from.
They probably want to confirm it, but in a completely open and transparent way that assures people there's nothing they should fear here, which they can't do because it's all cloaked in secrecy.
Now, I'm not so naive to think that if someone tried this, the government and courts would just say "Herp, derp, you sure outfoxed us there!" But has that strategy ever been tested in court?
And they note:
This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page.
1) This is exactly what you would need to do, to consider it realtime
2) None of the denials cover this
Consumers of the data need to know where it comes from and its scope, they don't necessarily need to know whether its acquired through cooperation or coercion or infiltration of the providers.
Also, that's what they were doing for more traditional wiretaps and you should be sure that they have access to siphon off live traffic for analysis if they want.
To be fair, if anyone can do this it's precisely these people.
... still not likely, though, I agree.
Edit: Found the answer:
The notion that it exists, and Google isn't involved in it, is pretty absurd. That'd be like talking about tapping the telecom companies, but leaving out Verizon and AT&T.
"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies and said a separate disclosure about an effort to sweep up records of telephone calls threatens “irreversible harm” to the nation’s national security."
Mr. Clapper said in a statement that the classified program to collect information from Internet providers is used to “protect our nation from a wide variety of threats” and he condemned the leaks of documents describing its existence.
They didn't give the NSA "direct access" to their system but created a front end for them instead... LOL.
"We only give data to the government in response legal requests about named individuals."
I'm not going to comment on what's true or what's not, but I know a few things:
1. Having been "in the news" or when I've had firsthand knowledge of an event in the news, I'm always shocked by how inaccurate the news is. Usually not in broad strokes, but in lots of details. I have learned to take everything I read in the media with a healthy grain of salt. I'm not dissing journalists here, but that's what they are: journalists. They are not tech experts. What we are reading could very well be inaccurate. We've not vetted their source either. At least Google is known entity.
2. This whole "we scan everything" business just seems farfetched. That's a lot of data to just double.
3. This program has been subject to oversight. I haven't lost that much faith in my elected officials, or government employees for that matter.
Do you all remember when the "news" was "leaked" by "anonymous hackers" who claimed to lift Apple user data from a hacked FBI laptop? The Internet lost its mind frothing against the surveillance state.
The minority of critical thinkers who suggested that maybe the claims of anonymous hackers shouldn't be taken entirely at face value were either ignored or shouted down. Blanket denials by the FBI were met with retorts of "we know they're lying!". News outlets -- many the very same covering the PRISM story -- repeated uncritically the accusations of the FBI harvesting Apple user data.
Do you all remember what the actual outcome of that story was? Spoiler alert: the allegations were grade-A bullshit. The only part that was true was that it involved (old) data lifted from a hack (against an app developer). Everything else was bogus self-aggrandizing, and the Internet loudmouths played right into it. Why? Because it confirmed people's existing fears.
The sad reality is that everything that has hit the news about this PRISM story -- and the Verizon story -- has actually shed very little light on anything. We have a source with unknown credibility providing incomplete and possibly even misunderstood information colliding with large corporate and government interests. Maybe everyone is lying. Maybe nobody is.
The only thing that is certain is that people unquestionably believe claims that confirm their existing beliefs.
This PRISM business (of which there had been no hint before) is a massive one-up on the seriousness of the Verizon scandal, and its timing in relation to it is deeply suspicious. It wouldn't be too difficult for someone in the intelligence services to make a pithy PowerPoint presentation about how the NSA slurps data from all and sundry (what was it supposed to be for again? "Training"?) and fake a leak to a few newspapers.
I predict that this story will turn out to be a complete wash, and in the meantime everyone will have forgotten about the not-as-sexy but much-more-true Verizon leak.
They say "we do not provide direct access", because as explained, any access goes through proper legal channels.
I'm not sure what you'd call it?
Remember language matters, and these are actionable public communications.
> First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers.
You would be hard pressed to argue that "direct" access proxied through a gov't contractor isn't the same as direct access. I don't think they'd cut the truth that close unless they were under oath. The court of public opinion is less caring of technicalities.
Isn't that basically their entire business model?
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday...Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records.
That kind of thing.
So, basically, what politicians put into their speeches?
Read over your statement again. There's very little of substance in there. For example, what does "this" in "We would never do 'this'" mean? And I'm not being pedantic, because exact language is important here. The question is, what could a non-PRISM-supporting Google say that would differ from what we see in the OP?
And this: It goes against everything we personally believe in and stand for.
OK...let's assume "It" has been properly defined. This hyperbole would be a lie, because....everything? Again, impossible.
"Even if we were legally required to cooperate, we would resist and suffer incarceration if necessary."
OK...cooperate in what? The statement you've proposed leaves room for other kinds of cooperation, if not technically the kind being alleged right now. So this statement doesn't resolve anything.
"We believe in freedom more strongly than we fear the consequences of not cooperating with an oppressive government"
OK, same objections as before. But -- and again, I'm referring to an alternate reality in which Google is standing up against the NSA and PRISM, which may or may not be the reality we are actually living -- if Page is telling the truth about knowing what PRISM stands for before yesterday, then the statement you've proposed is impossible for him to assert, because we still don't know everything about PRISM...and so how would Page know if PRISM is the act of an oppressive government? He literally would not know because PRISM was unknown to him until yesterday.
And if you're saying, well, he should just know, because obviously Google is taking part in the program...well, that's begging the question.
And if you're saying, well, he should just be able to make that statement because any reasonable person, upon reading the reports yesterday, would conclude that PRISM is the act of an oppressive government. OK, that's fine, but that's still not really an assertion of fact, it's just rhetoric.
If Google was actually taking a moral/ethical stance that being an accessory to unconstitutional warrantless searches is something that they find to be morally wrong, yes, I would be more comfortable. My reading of this was Larry saying, "I enjoy being a billionaire and will say whatever it takes to continue being one."
But when their impossible-to-verify assertion is that they've done nothing wrong, you'll accept that just fine?
There's a difference between these two things:
1. Issuing a vague non-denial so that when the truth is revealed, you can claim that you didn't technically lie ("Hey, I never said I didn't molested him, I just said I never slept with him")
2. Issuing a denial that is proven later to be false.
I'm not arguing with the GP that Page is telling the truth, but that, as much as we can tell, Page has issued a statement that can satisfiably be shown to be true or false.
I would feel better if Google put its brand at stake a little more, yeah.
Google is ACTIVELY forgoing revenue in China, because it wouldn't play by their rules. 
It's a start.
That's subjective, and I think you have severely unrealistic expectations of how far companies should be willing to go in this matter.
I believe Google's response is satisfactory. We can't prove negatives, so it's pointless to second guess Larry's post as being an orchestrated ruse. It at leasts gives us an official position and stance from the other party.
The typical response here on HN is that the threat of terrorism is greatly overstated. This is probably true, but I don't think it's reasonable to assert that the threat of terrorism is nonexistent. Given the amount of people who use Google's services, I think it's highly likely that such data does exist on Google's servers.
Should they be developing software to figure out who is beating their kids and notify the local police? Cheating on thier taxes and notify the IRS? Breaking their marriage vows and notify thier spouses?
Therefore, IMO, the best thing to do is assume that every single bit that hits a Google server, and every bit stored by Google, is available to the NSA, FBI, CIA, DIA, MI6, Mossad, etc., etc... which means using strong crypto to protect your stuff if you really care about keeping it private.
The only requests for information to which we respond are requests that contain the full name(s) of the people whose data is requested.
I'm sympathetic to being caught between a rock and a hard place, but given that this program only seems to involve US based companies, I would suggest that where ever possible people should prefer non-US software and services. Just as one prefers non-Chinese hardware for the exact same reason.
Argh. Hacker News refuses to save the URL. Replace %xF; with "/"
However with all the shady definitions the NSA is using (e.g
I can imagine some weasel claiming user data is only the content not the metadata) I would have liked an explicit example.
Something like, "For example, when one gmail user emails another gmail user the government is not, for the majority of users who are not the subject of a specific government order, made aware of this in any way including the contents of the email, metadata and even that an email was sent. Obviously, we have no control over emails, sent outside our network."
But I also believe the government works with ISP's (all major ISPs) so that they can intercept traffic. Which would be a type of MITM attack allowing them to get data from all major web sites.
"Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
Those sentences seems straightforward and unambiguous.
What would you prefer Google to say?
So realistically, the best approach is just to wait and see.
Even if you hold the root certs and can issue attack certs that validate up the cert chain, you can't MITM a cert-pinned client. In order to attack a cert-pinned site, the NSA would have to inject their own certs into Chrome's cert store, or have Google's private cert keys. Either would require compliance from Google.
That said, the canned "direct access" line - the exact terminology curiously arrived at by no less than 5 separate corporate PR departments within hours of each other - is a poor facade. They should have considered how using identical terminology would make these denials so transparent.
James Clapper, the director of national intelligence, released a statement last night saying the Guardian and Post articles about PRISM "contain numerous inaccuracies."
Clapper's statement didn't confirm or deny any NSA activity. He said only that the articles "refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act," and that any such collection is legal.
The Verizon order was limited to 3 months, for example, which is hardly open-ended... except that it presumably got re-upped every three months.
AND THE TWO AFTER THAT: "We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
The two after that look like a pretty good denial, though.
Next time, hopefully they'll make it less clear so that you have to translate the company-specific jargon and feel better that it's spontaneous and careless. </sarcasm>
This link has been submitted to the new queue at https://news.ycombinator.com/item?id=5841505 and I hope it gets voted up for wider attention.
this isn't difficult or particularity far-fetched!
this has previously happened: stuxnet (a product of several intelligence agencies) was digitally signed by a large semiconductor company!
The first sentence of the WPo article which started this is "The NSA and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies". I think saying "we do not provide direct access" is a reasonable response.
So it's reasonable to suppose that the article was the source of that phrase.
From the rest of your comment, I think that you understand it quite well.
I re-read the Larry's response carefully, and he did NOT refute the claim, that they are giving data to some 3rd party (who then forwards it to the government). He just says that government do not have direct access to it. But the issue that someone else can have the access is avoided, and it is exactly the same as the Zuck's response.
Third, we would assume through logical deduction that someone who does deny the program's existence is either lying, being misleading, or has been mislead themselves.
Finally, if this program does not actually exist, what the hell program are Obama and these Senators' referring to?
> The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.
I think for a lot of folks complaining, his language (i.e. "direct access") is just overly precise enough to leave too much room in the margins for technical loopholes concerning "who" has access to "what" data. When Larry defends their general policies stating google "pushes back on requests", I am not convinced when terms like "overly broad" and "correct process" are left undefined.
But it's a 4 paragraph blog post- what do I expect?
My bet is that Google is under order of some kind of National Security Letter and has to deny involvement here.
"No direct access", "No backdoors".
"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period".
> Such subpoenas, including those covered under the USA Patriot Act, provide criminal penalties for revealing the existence of the warrant to any third party, including the service provider's customers.