Hacker News new | comments | show | ask | jobs | submit login
Larry Page addresses PRISM (googleblog.blogspot.com)
715 points by raldi on June 7, 2013 | hide | past | web | favorite | 441 comments

I can't understand the repeated use of "direct access". It's the kind of language a lawyer would use to qualify a patent clause.

- We do not provide direct access to our servers.

- We do not provide direct access nor is there a backdoor.

- O, but we do still pipe all of your data to external NSA servers. </sarc>

Every company named (I'm not just picking on Google here) has come out with the same overarching statement. "We do not provide direct access". It just smells of being rehearsed, and carefully coordinated to select such language.

    Until this week’s reports, we had never heard of the 
    broad type of order that Verizon received—an order that 
    appears to have required them to hand over millions of 
    users’ call records. We were very surprised to learn 
    that such broad orders exist. Any suggestion that Google 
    is disclosing information about our users’ Internet 
    activity on such a scale is completely false.
I'm not sure how much more strongly you'd like that worded. It seems pretty complete to me.

There's 2 different things going on, under different legal authorities and Google is confusing them.

Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigner.

Google and other tech companies are said to have gotten orders under section 702 of the FISA Amendments Act of 2008. That allows the government to compel communications companies to furnish lots of metadata and CONTENT on NON-U.S. persons. This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons.

Compliance is mandatory, under contempt of court and companies must provide facilities and help. They also get reimbursed.

So it's likely Google never got an order like Verizon did, they likely got one that involves content, but is supposed to exclude intentional targeting of Americans.

I don't buy it. What I quoted above doesn't say anything about US persons or non-US persons, about content or metadata, about this law or that one. It just says,

    Any suggestion that Google is disclosing information 
    about our users’ Internet activity on such a scale 
    is completely false.
Now, Page may well be lying, but he definitely isn't weaseling. I'm pretty sure that denial covers both of the possibilities you're referring to.

Of course it's weaseling. Maybe they disclosed such information on a slightly lesser scale. That passage doesn't say.

They all said stuff about "direct access", without discussing what would and wouldn't qualify as "indirect". They didn't deny doing all kinds of different access that could be called indirect in some way.

WaPost backtracks on claim tech companies ‘participate knowingly’ in PRISM data collection


Of course they don't deny indirect because that would be a lie. Everyone provides data indirectly via a thing called "warrants". Google publishes how many indirect requests they comply with right here: http://www.google.com/transparencyreport/userdatarequests

The thing is we can't trust any statement by anyone because of the gagging component of NSLs. I've heard it said that the above information is for FBI requests under the patriot act and doesn't include NSLs. For all we know NSL gags could explicitly forbid that kind of reporting and may even compel the recipients to lie if asked.

The last sentence he made, that the government needs to be far more transparent about what they're doing is the only sentence I can really trust as honest, especially given that the alternative to lying could be being thrown into Guantanamo for 'assisting terrorists'.

Those goole reports are for regular law enforcement requests. They have nothing to do with spying that happens in the name of national intelligence.

False, national intelligence is still covered by Google's transparency report - see the NSL (National Security Letters) part.

>The presentation claims Prism was introduced to overcome what the NSA regarded as shortcomings of Fisa warrants in tracking suspected foreign terrorists. It noted that the US has a "home-field advantage" due to housing much of the internet's architecture. But the presentation claimed "Fisa constraints restricted our home-field advantage" because Fisa required individual warrants and confirmations that both the sender and receiver of a communication were outside the US.

>"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."


I think there are a lot of possibilities that could be consistent with Page's statement that also involve the NSA spying on Google users. For example, perhaps the NSA asked Google to disclose their SSL private keys; then, if they are willing to do an active attack with their own infrastructure, they could transparently perform a MITM attack on all requests to gmail, and it would be virtually undetectable.

Another possibility is that the NSA could have served orders on Google employees directly, and they are compelled not to tell their managers about what they did for the NSA.

Or you just follow standard operating procedures for foreign intelligence collection.

You hire a foreign national, working for a foreign division of Google to be your spy. Unless every US citizens mail server is domestic, lotta a loopholes to be found.

People should also not assume the credit card statement from their bank is a batch job run on US servers by their bank. I've been told this stuff is outsourced, probably to the lowest bidder. Which if I were an intelligence service, I would be more than happy to subsidize.

>I've been told this stuff is outsourced, probably to the lowest bidder.

You have been told incorrectly. (Source: I work for a major US credit card company.) Certain pieces of the development and maintenance may be outsourced (under the supervision of US employees), but we (and, as far as I know, all our major competitors) own the data centers where they are run.

  | they are compelled not to tell their managers
  | about what they did for the NSA.
This seems problematic. What if another employee discovers what was done? What if it goes all the way up the chain? When they ask the employee why the created a backdoor, is the employee then obligated to lie? Get fired for the lie? Go to prison while maintaining it's not a NSA secret program?

The key issue here is that Google and the other companies may have no idea this is going on. My read is that the NSA has managed to gain access to the data centers either through inside help, spy craft, hardware/router back doors, or some other means we have no idea about.

AT&T and Verizon are two of the most powerful companies in the US, and have massive lobbying power. The notion that those companies were compelled to sign on to huge espionage programs, with their chiefs being fully aware of it - but yet somehow Facebook / Google / Microsoft / Apple etc. did not have to sign on to anything related to Prism (which has been openly admitted to exist by the Feds), nor were they aware of anything, is just about impossible.

It's hard for me to believe they could access to the data centers without Google's knowledge.

Isn't it more plausible that they're intercepting data flowing in and out of Google servers?


<conspiracy theory> We haven't seen posts from the CEOs of Cisco/Juniper/Dell/HP or other manufacturers of datacenter grade network equipment. Who needs Google/Facebook's "knowledge" if you've got root on all the border network gear (and SSL termination hardware)?

I know here in .au, Huawei have been excluded from the government-deployed National Broadband Network due to suspicions that the Chinese government has too much control/access to Huawei newtwork hardware.

an old time option - a few employees "compelled" to provide access and keep mouth shout.

a new time option - Larry is lying because of the gag order.

in between - Larry said "on such scale". Well, Google probably is of a bigger scale than Verizon.

Anyway, once the data is out there, it is only a matter of time and determination for a government (or any financially well backed up player) to get to it.

This scandal will be a great boost for any services involving "crypto", and probably would spring a new ones like an encrypted phone exchange/switch service, where one can see incoming and outcoming phone numbers, yet not which one connected to which :)

This was my initial assumption, that Prism referred to fiber optic prisms that are used to duplicate data with zero interference.

These can be installed at the trunk level with virtually no one knowing about it (maybe a couple of on site managers). They can handle massive data and pipe it directly to the NSA. The problem of course is you're dealing with raw data which isn't nearly as easy to work with then if you had direct access to internals.

These are already installed on every major backbone so I also don't see why they would bother to involve anyone, so there must be more to it.

ps. It would be nice if another whistleblower came out with the data on optic splitters and how the NSA uses them.

possible the timeline on the slide is when NSA successfully began making sense of the raw data they could be collecting at internet backbones? also possible that the document purposefully threw the public off track by implicating these players, thus limiting the legitimacy of the claim if it ever came to light?

Consider the sheer volume of data we're talking about here. Unless you think these companies would miss a fiber optic trunk running out the back door of their data centers, does that make any sense?

The Feds have direct taps into every major telecom carrier in the US. You can't fire off a search query to Google without the Feds technically being able to pick it up.

Access is trivial, volume is a much more interesting problem.

This is accurate. When your service provider is having a scheduled maintenance, it might be a passive optical tap or port replicator.

How much data is leaving?

There could be a lot less data leaving than you think.

>>Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

If you consider that PRISM is not a 'dragnet' but rather an automated system that processes FISA warrants on company premises then the denial wouldn't be wrong. There is no 'scale' that you wouldn't be able to get using regular data requests to internet companies. PRISM could just make the process a lot easier for everyone involved.

So instead of sending a warrant over, having the company verify and send the data to the NSA, then finally transforming the data into a reportable format PRISM automates the whole process.

If you read some of the media descriptions it almost looks like PRISM is more of a data aggregation and portal system that sits on top of a data source and allows analysts to explore content.

I 100% agree; I don't see how anyone can ask for a more blatant and firm statement than that.

But if they were give similar court order terms as under the Verizon court order wouldn't he legally have to lie or violate the court order? Or just not give a comment, but no comment on this would implies guilt to a lot of people so lying could seem like the correct path.

I don't believe he can be forced to lie. If he was in that situation, I imagine he would simply not respond.

> Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigner.

No, it was a FISA order: http://www.guardian.co.uk/world/interactive/2013/jun/06/veri...

Both of you are correct. The Patriot Act Section 215 amended the FISA statutes.

I don't see how they could have gotten an order under the Patriot Act. The section that deals with this is section 215, which amended section 501 of FISA.

It specifically states that such an order can be made "provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution".

If they have been violated, then there are a number of members of Congress and the Senate who are falling down on their job - the Attorney General must inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate. On top of this, every 6 months the Attorney General must also provide a report to the Committee on the Judiciary of the House of Representatives and the Senate which details the total number of applications made for orders approving requests for the production of tangible things and the total number of such orders either granted, modified, or denied.

I've read and documented the USA PATRIOT Act on Wikipedia incidentally. Took me two years to read and understand the thing. Possibly things after the Patriot Act changed FISA, I wasn't going to spend any more time on writing up about this subject. I'm an Australian citizen, after all.

I should note that I'm not thrilled about the fact that the U.S. government can read my communications. Not that I have anything to hide, nor am I of any interest to them, but hardly the point.

The two parts to read on Wikipedia, incidentally are:

* http://en.wikipedia.org/wiki/Patriot_Act,_Title_II#Overview

* http://en.wikipedia.org/wiki/Detailed_breakdown_of_USA_PATRI...

>This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons

But how would you determine on the internet that an account holder was a US person or not ?

If I claim to be the person X who is a US person by registering for an account in their name, am I then a US person and therefore supposedly exempt from monitoring? Even IP-based clues are not enough as those are not full-proof.

I suspect that both US persons can be just as susceptible to tracking from the Government.

> But how would you determine on the internet that an account holder was a US person or not?

That's why they only have to check a box saying they a reasonably sure that there is at least a 51% chance.

Vague laws are invariably wildcards that can and will be abused.

Unless I am mistaken US and most European countries are based on Democracy. Wikipedia defines Democracy as a form of government in which all eligible citizens have an equal say in the decisions that affect their lives. Granted, wikipedia is not the oracle but it gives a good definition in my opinion. Does, the gathering of my personal data, affect my life ? Well in my personal opinion it does, therefore I should be informed about it.

The US was based on the ideas of a Constitutional Republic, not a Democracy.

Right, there are different forms of democracies. From this chart I see that US is categorized under Full Democracy: https://en.wikipedia.org/wiki/File:Democracy_Index_2012_gree... https://en.wikipedia.org/wiki/Democracy_Index https://en.wikipedia.org/wiki/Democracy

What's become very clear is that there is a lot of careful parsing going on. Careful parsing of the constitution, careful parsing of various laws, very very careful interpretation of the words on the page.

Does Google give anyone, any company, any entity, anyone at all direct access to their data? They've specifically excluded NSA. Does NSA subcontract that to Booz Allen Hamilton? Google claims that no government has this access, what about one of the 1200+ Top Secret cleared contracting companies?

Can these companies officially comment on this stuff yet? Or are they violating court orders if they talk about it? I like Google, I really want to trust them and I think they've moved the needle in our industry in some very positive ways. Honestly though, I think they could make much much stronger statements about this stuff. I expect them to say stuff like this to keep up with appearances.

> Careful parsing of the constitution, careful parsing of various laws, very very careful interpretation of the words on the page.

There is no "careful parsing" of the Constitution going on. Just people who never read the document very carefully other than what they thought the teacher said in 8th grade.

This is the entirety of the 4th amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

If any "parsing" is going on, it's creative parsing to make the argument that information you freely handed over to Google and AT&T, or indeed information that was never even in your possession but was generated by AT&T (e.g. call data records, web server logs) is somehow your "papers or effects." Tell me how that is anything other than creative parsing? How is a document that you never even had in your possession somehow your private information?

To follow up even the Supreme Court ruled in 1928 that a wiretap did not constitute a search under the 4th Amendment so there was no need for a warrant.

Wiretaps themselves became illegal and the information from them inadmissible under the 1934 Communications Act. This didn't really stop wiretaps. Instead they were used as a method of intelligence gathering to go and find stuff that was admissible. Note that this was not a reflection on the Constitutionality of wiretaps, but instead the sense that they just weren't needed to convict criminals.

By the 1960's wiretaps were again brought to the Supreme Court and they outlined how a wiretap statue could pass Constitutional muster. The Katz case is where the "expectation of privacy" language was introduced. This resulted in wiretap statues passing in late the late 60s and that's basically what we had until the PATRIOT Act of 2001.


Katz is not the whole story. Yet again, I suggest reading Smith v. Maryland.

Really? You don't think of information in your Gmail or Google Drive as personal "papers or effects"? Would you be fine with a Google employee reading through your email or your spreadsheets in order to figure out whether you were working on a product that might compete with one of Google's, or maybe because they ran across your profile on a dating site and wanted to check up on you? If so, I think you're unusual.

In a world where important documents are increasingly electronic, and electronic stuff is increasingly routinely backed up, transmitted through, or just stored on remote servers, people's personal papers will be increasingly in the possession of others.

I won't argue that it's impossible to read the Constitution so that it becomes a set of meaningless restrictions on outdated technologies--legal text is never deterministic and always subject to multiple interpretations--but it's certainly not unreasonable for somebody to have "read the document very carefully" and found it more robust and relevant than you do.

> Would you be fine with a Google employee reading through your email or your spreadsheets in order to figure out whether you were working on a product that might compete with one of Google's, or maybe because they ran across your profile on a dating site and wanted to check up on you?

Wouldn't I be pretty stupid if I had a problem with these things, yet still uploaded these documents in clear text to Google's servers where absolutely nothing stopped Google from doing these things? Especially when they tell me point blank that they do indeed sift through the documents (for ad targeting)?

We routinely rely on social codes rather than technology to protect our privacy (as well as our property and lives). There's nothing physically preventing my building super from using her key to go into my apartment and look through or steal all my stuff, but I'd be upset if it happened. What's more, 99.9% of Google's users are in no position to evaluate the cryptographic security, or lack thereof, of their documents. Finally, Google has actually said no humans read your email, in response to that Microsoft campaign. So no, hypothetical you wouldn't be stupid, and you are wrong to imply that the millions of Google users who would have a problem with those things are being stupid now. Making a series of decisions that we will at some point regret, perhaps, but your condescension is unwarranted.

Please stop spreading misinformation.

* Google scans email, not other documents in Drive: http://support.google.com/a/bin/answer.py?hl=en&answer=60762

* Just as the NSA claims that collecting data doesn't count until a person reads it, Google affirms that humans do not read user data without permission.

* Documents are are encrypted in transit, not uploaded in clear text.

Google Drive is very much like a safe deposit box in a bank, in terms of user expectation of privacy, and vendor promises.

If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?

Email is slightly more complicated, due to automated ads scanning.

> If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?

if your secretary agrees to give it to them , of course they can.

And if your secretary doesn't agree? When the FBI man gives an order, submission is not consent.

How is a document that you never even had in your possession somehow your private information?

Have you been to a doctor? Have you seen that folder full of your medical information? Have you ever possessed it? Most likely not, but that is your private information and there are very strict rules about how it is handled and who can access its contents.

Those rules are all statutory. There is no Constitutional protection for those documents.

Congress can repeal HIPAA.

First, third party doctrine is more limited than that, and in the event where a party is compelled to retain information and disclose it, third party doctrine becomes quite questionable (because they end up acting under the color of law).

The thing is that usually CDR data doesn't require a warrant. The court ruled that since people are typically aware that the existance of CDR's and may rely on them for services from the telephone company, and because they are relatively non-revealing they do not constitute a search.

The point is that the user of the telephone service discloses the calling information to the phone company and in such a way as to expect no privacy over the information. A similar case might be IP packet header information over routers, or photocopying address/return address/postmarks on the outside of envelopes passing through the USPS. None of these are considered to violate any reasonable expectation of privacy because, for example, we can expect that the address on the letter we drop of at the post office is publicly visible.

You should read about Roe v. Wade, rayiner

Roe v. Wade was a pure exercise in legislating from the bench, and even many of its supporters will admit that.

O'Connor got it right in Casey when she distanced the right to abortion from the right to privacy: "That is because the liberty of the woman is at stake in a sense unique to the human condition and so unique to the law."

From Roe: "The Constitution does not explicitly mention any right of privacy. In a line of decisions, however, going back perhaps as far as Union Pacific R. Co. v. Botsford, 141 U.S. 250, 251 (1891), the Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution. In varying contexts, the Court or individual Justices have, indeed, found at least the roots of that right in the First Amendment, Stanley v. Georgia, 394 U.S. 557, 564 (1969); in the Fourth and Fifth Amendments, Terry v. Ohio, 392 U.S. 1, 8-9 (1968), Katz v. United States, 389 U.S. 347, 350 (1967), Boyd v. United States, 116 U.S. 616 (1886), see Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); in the penumbras of the Bill of Rights."

That handwave-y language ("does not explicitly mention", "a right of personal privacy, or a guarantee of certain areas or zones of privacy", "at least the roots") doesn't exactly inspire confidence in the existence of a broad, fundamental right to privacy in the Constitution. Also, it uses "privacy" in a somewhat different sense than the surveillance debate. In Roe, it's used more like "liberty."

So you understand there is more to our rights that just a document. They have to exist in a framework of judges and the executive branch.

I'm not saying otherwise. But flaming the government for acting Unconstitutionally for activity that is not contrary to the text of the document is lame and misleading.

If you think there should be a right to privacy of electronic communications, then convince people of it. Get an amendment passe. Don't twist the Constitution to say what you wish it said.

I disagree with your definition of papers. And that is why we have Judges.

Your disagreement isn't with my definition of "papers" (we both probably agree that "papers" can easily be read to encompass both physical and digital documents). Your disagreement is with my assertion that handing your "papers" over to a third party robs you of any 4th amendment interest you might have had in those documents.

What happens with safety deposit boxes?

The quote is:

Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

He doesn't say "Any suggestion that Google is disclosing information directly to the government..."

As such, I think you can either take it as "we don't disclose anything to anyone, or you can say that the sentence isn't true.

No, the quote is still vague and I agree with Nelson69. He could easily say that "we don't provide any access to gov, nor to their subcontractors nor to any other entity,..." - if that would be true.

what does "on such a scale" mean? i mean it could be 40% of what we think it is and its still scary.

Based on the sentence two lines before it, it likely means "millions of users":

> we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. [...] Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Larry Page links to a Google "transparency report" in his blog post which gives a rough figure:


I also wanted to point out this:

> Honestly though, I think they could make much much stronger statements about this stuff.

They can't really, though - they do cooperate with the government on a ton of properly-filed, fully-legal subpoenas. And that's fine, that's what they have to do, and it's what every other company in the world would do - though we should all push our government(s) to be more transparent about what they're requesting and why.

Did you read Larry's blog post? He didn't rule out the NSA, he did rule out the USgovernment period. Quote:

> Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers.

I did read it, with the dozens of other articles and such it's blurred together. He did rule out the US Government, does that rule out contractors? Does that rule out Verizon? What if Google has data in someone else' datacenter? That's specifically what they said the US government doesn't have direct access to.

Do they give carte blanch access to their data to ANYONE? Regardless of the datacenter. If they don't they can say that.

No one gets carte blanch access. Even Googlers don't get carte blanch access.

And yet this still misses more important issues. While it is fantastic that Google does not give the USG a free pass to the whole enchilada, Google still collects and stores this data, and gives it when compelled, if they truly had the users best interests in mind they would reduce the data collected to only what they MUST have to do what they do, and not use Vacuum cleaner like methods to get and keep everything they can, if Google did not keep it, the USG would not want it. So the best way for Google to be a part of the solution would be to reduce what they intake and keep, burn the rest.

https://www.google.com/dashboard provides an overview over your data at Google. Most/all of these services have permanent delete buttons.

It is possible to permanently erase or disable your search history from here: https://support.google.com/accounts/answer/54067?hl=en

You can opt out of Google Analytics using this add-on: https://tools.google.com/dlpage/gaoptout

What do you consider to be "what they do"?

It's exactly the kind of denial you'd expect them to issue if they were legally required to deny any involvement.

That's moving the goalposts, though. The initial assertion -- that this is a cleverly-worded non-denial -- doesn't hold up with the text. Page is clearly and unambiguously denying that Google supplies any information to the government on a millions-of-users scale.

Saying that denial is a lie . . . is a completely different charge.

Google could be searching email for certain series of characters, like "xxxx obama" and handing that over. Perhaps NSA supplies google a list of phrases to look for.

> Page is clearly and unambiguously denying that Google supplies any information to the government on a millions-of-users scale.

Kind of like Mariano Rajoy insisted that Spain didn't need a bailout?

And the Federal Reserve said there was no real estate bubble to worry about. And the banks were well capitalized.

Yes, and murderers always insist that they're innocent. QED. We've got them now!

Really? You don't see any difference between the denial posted by Google's CEO vs. the way that (say) Verizon responded? Here's Verizon's response: http://www.businessinsider.com/verizons-memo-to-workers-abou...

A better carefully worded response is still a carefully worded response. Google is in a difficult place because we all expected this to be happening, there are now documents suggesting that it has been happening, and no one takes at face value anything that sounds like a lawyer wrote it.

EDIT: I mean: (a) No one cares if they have heard about a program called "PRISM" when the point of that program is to aggregate data from other programs. (b) Anyone who is actually innocent in this needs to stop mentioning "direct access to servers": no one expects this program to be directly accessing servers. (c) We also don't care whether actions were "in accordance with the law", as the constitutionality of the surrounding laws is part of the debate.

I will say that "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false." is a good statement to make. It sounds broad in a good way and doesn't appear to have many weasel words, other than specifying "Internet activity" and not email or general activity. Are Google searches even "Internet activity", or is he referring to Google Analytics / Google +1 / DNS?

"direct access to servers" looks suspicios to me as well. However, maybe several dozen lawyers had no clue how to react today, and they just copied one another's text?

More likely: the first paragraph from the Guardian and the Washington Post both emphasized "direct" access. See the picture here: http://cl.ly/image/2S3i1g2W2R2k

If you're refuting claims of behavior X, it's natural to say "We don't do behavior X."

Especially when you're doing X' instead, and don't want to draw attention to it.

The problem is that Obama himself has acknowledged the program both exists and is very active, the only limitation being 'Internet monitoring is only for those outside United States'- no comfort for Google users like myself outside the US[1].

I don't mind targeted surveillance against genuine suspected terrorists. What frightens me is broader intelligence collection especially commercial intelligence. Over time programs broaden and if we're not really, really careful we'll find gmail being read by intelligence analysts who can brief our US competitors.

If non-Americans can't trust Google with their information that is an existential risk to its future. I think the Google leadership needs to do a lot more than this one short post!

[1] From Obama's comments: Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States. And again, in this instance, not only is Congress fully apprised of it, but what is also true is that the FISA Court has to authorize it.

So in summary, what you’ve got is two programs that were originally authorized by Congress, have been repeatedly authorized by Congress.

That seems pretty clear - there is a congress-approved spying on non-US citizens Internet and email.

EDIT: added Obama quote

"I don't mind targeted surveillance against genuine suspected terrorists."

This kind of language bothers me - "suspected terrorist" requires no proof at all, while sounding authoritative (65% of Americans support the remote execution by drone of 'suspected terrorists').

I know roughly what you meant, of course, but where that line is drawn is a discussion that needs to be had. I'd say that with the level of surveillance that goes on, we are all suspected terrorists now.

I find it fascinating that Matt Cutts didn't bother to address any of this in his defense of Google. Obama and James Clapper have both admitted to what is obviously Prism, a large scale spying program targeting Internet users and their data.

It rather makes it clear that Google is participating in espionage programs for the NSA. Supposedly, maybe, it isn't directed at Americans (har har).

I don't think they are. I think ISP's allow government equipment on their networks to capture traffic as they see fit. If every ISP participates, then they have Google data, Facebook data, Yahoo data, and on and on.

Obama has acknowledged that federal law allows FedGov to obtain emails of non-citizens without a search warrant but through a court-overseen process. This is part of a 2008 law that we all know (if you've been paying attention) does this.

The president has not, however, confirmed that the news reports about "PRISM" are accurate. All he's done is summarized the law.

The last couple lines of his blog post seemed to convey, at least to me, that he was posting truth but perhaps not as much as he'd like.

"We post this information on our Transparency Report whenever possible... ...we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish."

In the transparency report, Google can only report wide ranges of numbers, not actual numbers (i.e. 1000-4999). They have always said they wished they could provide the actual numbers of requests as well as copies of the requests themselves, so this is consistent with that.

It's well-known that there are restrictions on how much companies can legally disclose about some of these government requests.

Matt - Many of us believe that many of the people at Google are doing their best, however in this instance you're not doing the right thing.

Hey teawithcarl, I appreciate that. I'd be interested in hearing what you think the right thing is. I suspect that we're actually in agreement on most points. If there's something you think we should be doing differently (and I agree with you :), I'm more than happy to lobby for that within Google.

I do think Google is working hard to protect our users from unwarranted government requests. Just speaking for me personally, I really dislike provisions in the PATRIOT Act and FISA that compel secrecy. One thing I did like in Google's blog post was that we spoke out against the "level of secrecy around the current legal procedures." I was encouraged that Facebook later said something similar. In my opinion, a lot of the frustration about the current situation would be best applied to changing some laws in the United States.

Hey Matt.

While I honestly think _you_ believe Google is doing "the right thing" - there's a nagging suspicion that there's some NSL-style legal (or possibly extra-legal) compulsion being used at the very top levels. Even if I believe that Larry is 100% "on my side" against the government - I'm also under no doubt that Larry and Google are effectively powerless against the pressure the various US government agencies could apply if they so chose.

While explanations of the similarity between Larry's and Mark Z's posts based on direct rebuttal of the WaPo article are plausible, when combined with Apple's, AOL's, and Yahoo's suspiciously similar structure and wording - cynical-me can't help but wonder if all 5 CEO's are being compelled to disseminate the same government supplied message (and are possibly intentionally using almost word-for-word similar language as a plausibly deniable way of telling people that).

I'm not sure if there's much Google can say or do - given the depth and seriousness of the seeds of suspicion that've already been sown… (Having said that, I was pleased to read Yonatan's G+ post earlier today…)

When AT&T was asked politely by the NSA to open its networks under the warrantless surveillance program, the company refused to confirm or deny. They actually offered arguments like this one from an AT&T attorney:

http://news.cnet.com/Legal-loophole-emerges-in-NSA-spy-progr... Federal law may "authorize and in some cases require telecommunications companies to furnish information" to the executive branch, said Bradford Berenson, who was associate White House counsel when President Bush authorized the NSA surveillance program in late 2001 and is now a partner at the Sidley Austin law firm in Washington, D.C. Far from being complicit in an illegal spying scheme, Berenson said, "AT&T is essentially an innocent bystander."

And a sealed AT&T document I obtained tried to offer benign reasons why there would be a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic: http://news.cnet.com/2100-1028_3-6077353.html

What Google and Facebook are doing today is precisely the opposite of what AT&T did.

Hi Matt - Thanks for answering. I genuinely appreciate your earnest communication. To answer your question, I sincerely believe Larry should do the right thing irregardless of the law, which means telling the American public the truth.

What Sergey (and Google) bravely did in China gave Google years of priceless respectability. This is one of those situations where civil disobedience is best. I realize you can't just "pull out of the United States", yet Google is looking like liars, and that just doesn't work.

For what it's worth, if Larry summoned the courage to speak his conscience completely, he will not go to jail. Far from it ... Google will be the true statesman, showing courage and leadership.

Indeed, I believe it may help Google the most, by catalyzing people's courage to do what's right. It's simply wrong to associate yourself with this.

It must come from Google first, Google is the strongest. Please consider the honor in doing this. Done genuinely, the public will rally behind Google, just like SOPA/PIPA. And don't forget, you have the world's largest bully pulpit.

Thanks for posting this. Here's something I wrote to someone recently: "I view talking about FISA (see http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillan... ) like handling radioactive waste or juggling chainsaws: it has to be done carefully." The reason is that FISA orders come with a gag order: see https://ssd.eff.org/foreign/fisa . So I understand why official company blog posts, even from Larry, have been carefully worded so far, even if that comes across as legalistic or weaselly-worded to some.

For what it's worth, I'd recommend reading this post: https://plus.sandbox.google.com/+YonatanZunger/posts/huwQsph... To me, Yonatan's post read as the sort of personal, even blunt statement that you're asking for.

Will do, thanks. Genuinely appreciate you.

It is literally impossible for you to know for certain if Larry Page is telling the truth or lying about PRISM. So, now what?

Are you asking Larry to violate the law on National Security Letters, by publicly posting their content?

Verizon said what they could: we have to comply with the orders when we get them. Nothing weaselly, maybe because we read the judge's order.

Why should we trust the safety of any information on our searches, emails, location data, chats etc stored by Google? Stop storing it

Thought twice about posting this, but am I the only one who feels really queasy about someone like Matt Cutts jumping directly into conversations about their own company on HN (especially when it could be connoted as being part of damage control)? He's hardly rank-and-file. I think it is plain old creepy, YMMV.

Yes, you might be the only person here to suggest Matt Cutts is ever unwelcome on any HN thread.

Heh, did you get out of the wrong side of bed today? I don't spend all day reading HN comments - sorry if my knowledge of responses to Matt Cutts' posts isn't as comprehensive and magnificent as your own. When I posted this, nobody else had said anything.

As a reporter, I think it's great. I wish we'd see senior folks from Microsoft, Yahoo, Facebook, AOL, and Apple doing the same right now.

ashleyblackmore, the initial news stories seemed to imply voluntary, wide-scale, direct access to Google's (and other's) data by the NSA. I genuinely thought that sounded wrong and against the bent of Google--both its execs and the rank and file employees. In the last few days, more recent stories have indicated that it's more like compelled, limited FISA requests, which all US companies are legally required to respond to. See Yahoo's recent post at http://yahoo.tumblr.com/post/52491403007/setting-the-record-... which also points in this direction.

Compelled and limited is a very different story than voluntary, wide-scale, and direct. Do I like FISA? No, I think it sucks. FISA orders come with a gag order, and laws that compel secrecy like that should be struck down, in my opinion. But in recent days, you've heard the CEO of Google say that they haven't gotten the sort of broad requests that (say) Verizon got, and that Google can and does push back on requests that they consider too broad.

I think the proper response to this issue should be frustration with bad laws, and calling your Senator or Representative in Congress to tell them that.

You demand answers from Google leaders. A Google leader gives you answers. This upsets you?

I don't think so. Those usually sound like,

    "We cannot confirm or deny the existence of such a program," 

    "It is not our policy to comment on national security topics"

    "No comment." 
or even

    "We'll wait for the results of the investigation."
I don't think the government generally asks civilians to lie so enthusiastically, because . . . well, as a rule, they just aren't good at it.

No, I think it's most likely that Page doesn't know of any such program. Now, it's always possible that such a thing is being carried out on the scale everyone fears by a rogue, loyal-to-the-NSA employee, or a group of them. Or it's possible the original Powerpoint slide including Google as an information source is oversimplified or even inaccurate. Such things do happen when presenting overviews of program capabilities.

And many other things in between are possible. It's concerning, but . . . I'll wait for the results of the investigation. ;)

It's also possible that Larry is concerned about his share price, and what would happen to it if Google was revealed to be completely in bed with the NSA (My guess is it would fall quite a bit). He has real money at stake in limiting the damage that comes from this revelation.

The fallout in such a case has to be smaller than it would be if it comes out later that, not only were they in bed with the NSA, they (and the other companies in this situation) blatantly lied about it with their statements today.

I guess keeping an eye out for Larry (et al) cashing out shares over the next few weeks/months might be a good indicator of the likelyhood of exactly that "coming out later".

For obvious reasons, it is illegal for CEOs to sell stock on short notice.

I've never heard it said that anyone was required to deny involvement. Did you mean that exactly as you wrote?

I think there's a world of difference between a gag order where you are not allowed to confirm, and an order to explicitly deny involvement. I'm not saying the former is "good", but there's a difference.

OK, I'll say it.

I think there's a non-zero probability that there are US government agencies who can and have compelled people to explicitly deny something that they know is true.

Realistically, it would boggle my mind to discover they'd done that to all the founders/CEOs/legal departments of all the companies involved here (at least Google/Facebook/Apple/Yahoo/AOL), but given the stakes in this game - I have no doubt that it _could_ be done.

I agree, but what could Page say to convince us otherwise?

Either the government is coercing them, and they have to issue lies as denials, or they are participating voluntarily and are voluntarily lying, or they are not participating. The second option seems unlikely to me.

Well, you can't prove a negative so I'm not sure there's anything Page can say.

But at the same time they can't all be right. NSA says it's getting data in some form from Google, Page says no direct access.

The truth is probably somewhere in the middle then... but where?

I don't know why we'd expect the truth to be in the middle. If the NSA document is genuine, the information the NSA is collecting from Google is part of a Top Secret program as described in the leaked internal document.

If that is true, why would we expect that Google officials would be able to make any public confirmation of the Top Secret program? And, given that, why, in that case, would we expect the truth to be "in the middle"?

Conversely, if the leaked document is not genuine, then I still don't see any basis for expecting the truth to be in the "middle" between the false document and the Google denial.

Did I miss some information? I only saw two slides. One that show the potential data accessible and one that show when the companies were added. It doesn't say exactly that they had access to everything. As far as we know PRISM can simply be there to centralize the information that the NSA got in legals ways. We do know that the government ask about 100 users account information each day to Google, we can guess that they do the same to every company on that list and they were all added to PRISM at the date you can find on the slides. I mean that slide contains one of the most important information that we currently have to guess the magnitude of PRISM, the budget. They only need 20 millions $ every years. True data mining is much more expensive than that.

I'm 100% with you. I don't know what Page could say, and I agree that it's extremely likely that the truth is somewhere in the middle, but damned if any of us have any ability to actually suss out what that is. It's very frustrating.

I just think it's important to not be entirely cynical here, and to keep in mind what such a statement might look like if it were being truthful. I don't know how much different it might be, which generally makes the statement only as good as Larry Page's word, and only then if he doesn't have a gun to his head.

The truth comes from the source that wasn't intended to be public.

> NSA says it's getting data in some form from Google, Page says no direct access.

Page says no direct access and not even legal access at that scale (verizon). He doesn't say they don't have any access -- in fact he says they comply within the bounds of law, but it's not at the Verizon scale.

I don't know how many of us served as officers in the military, but the requisite action in this situation is pretty clear. If one is interested in day to day security, speaking from a strictly tactical perspective:

You assume Google is giving the NSA information and act accordingly.

Doubts are like bothersome flies...

until they are crushed...

you will never be comfortable at your current position.

We obviously stil have a lot to learn about PRISM... But with that said, I have some conflicting instincts & feelings about all of this and the company responses.

On one hand, I would think a very-visible CEO of a major corp would keep their name off of a press release, if the press release was a lie that they were compelled to tell by the government.

On the other hand, I feel like each company's response and their use of the exact same terminology ("direct access", etc) feels like a wink and a nod.

I completely agree, and I don't know how to reconcile the two.

If I was going to go completely conspiracy-nutter, I'd say that Page has been kept out of the loop intentionally for plausible deniability, and the actual incursion happens at a much lower level, where the people involved are coerced into keeping their mouths shut. That way, the bigwigs get to tell what they think is the truth, the NSA gets their data, and nobody is the wiser.

Granted, I think that belongs more in the plot of a thriller novel than in this actual world we're living in, but given the revelations of the past couple of days, fiction doesn't seem that implausible.

This may not be PRISM, but wtf is this???

"A US government-mandated backdoor allowed China to hack into Gmail"

"In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access."


Schneier is a smart guy, but he provides no evidence, links, or conjecture of what this backdoor may be.

Maybe those hackers just used the regular tech support "back door", as in "SELECT * FROM gmail where email = 'target@gmail.com'

> or they are participating voluntarily and are voluntarily lying, ... seems unlikely to me.

Their business is based on user's data. If you do not feel comfortable giving them your data, it might hurt their business. Hence, IMHO, they do have some incentive to deny PRISM, regardless of the facts.

Or the news organizations summarizing the leaked slides got it wrong.

No, it's not. Gag orders can also be satisfied by saying "no comment" or just not saying anything at all, which is differently then actively denying something.

This is a false assumption. AT&T did not deny opening its networks to the NSA during the EFF litigation. It simply declined to comment, and offered suggestions (which I wrote about at the time) about how the law allowed it to comply with such a secret court order.

It's the opposite of what Larry Page is doing.

No, it's not. What little we've had about super-secret legal requests isn't that companies have to lie about them. It's that they can't acknowledge them at all.

So the answer they give when asked, and they do get asked, is "no comment."

If they were voluntarily part of PRISM, and legally required to keep that quiet, I'd expect them to say "no comment."

Doing the opposite make so little sense. It means they're having to flat-out lie to their users, something very hard to recover from.

The thing is "no comment" would basically confirm that 'something' is happening that's secret. Everyone would go conspiracy wild and pull everything they have away from Google.

They probably want to confirm it, but in a completely open and transparent way that assures people there's nothing they should fear here, which they can't do because it's all cloaked in secrecy.

One thing we know for sure is the truth of what they have been doing will leak out.

That's not true, in Verizon's case they just said that they are under a gag-order: http://publicpolicy.verizon.com/blog/entry/from-the-desk-of-...

There are cases in which you can't even confirm the existence of a gag order. I can not believe it's constitutional... but they do it.

What about the strategy you hear about of getting around this? Where they say "we're not under a gag order" (or whatever) each day until they are, until they go under a gag order, at which point it reveals they are.

Now, I'm not so naive to think that if someone tried this, the government and courts would just say "Herp, derp, you sure outfoxed us there!" But has that strategy ever been tested in court?

Rsync.net does this:


And they note:

This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page.

I'd imaging it'd get you a free one way ticket to Cuba, not charged.

Google doesn't have to actively disclose...the government just needs to know where to "listen" to get the same data that's moving around Google's data centers.

Consider the NSA having MITM capabilities before the data reaches google:

1) This is exactly what you would need to do, to consider it realtime

2) None of the denials cover this

If it's MITM between user and Google, then Google would not be coordinating or even necessarily aware.

Would the NSA list Google as a "partner" that it needs to keep protected in these leaked slides if this were the case?

1) They didn't, and 2) Even if they had, unclear, inaccurate, or misleading information regarding Google's degree of cooperation or the mechanics of acquiring tha data in a document prepared for consumers of the data for which information on the details of collection was not essential actually makes quite a lot of sense in a highly classified program (whether its classified for appropriate, security related reasons, or for political reasons.)

Consumers of the data need to know where it comes from and its scope, they don't necessarily need to know whether its acquired through cooperation or coercion or infiltration of the providers.

This is false. The NSA did not list Google as a partner. Reporters may have, which is different from what the leaked slides actually say.

They'd have to MITM SSL traffic largely.

Also, that's what they were doing for more traditional wiretaps and you should be sure that they have access to siphon off live traffic for analysis if they want.

"They'd have to MITM SSL traffic largely."

To be fair, if anyone can do this it's precisely these people.

... still not likely, though, I agree.

Is that even possible if Google's SSL certs have Extended Validation? They'd have to have cooperation all the way down to the browser vendors and I can't see Mozilla caving that easily.

There are several governments (Spain, France, Netherlands, Japan) who publicly have Root CAs in the trusted browser list[1]. It seems pretty likely (cf say, Prism) that the NSA has a CA cert where they can generate whatever certificates they want in order to MITM browser SSL communications...

[1] http://www.mozilla.org/projects/security/certs&#x2F;

Can we remove Root CAs from our browser?

Edit: Found the answer: https://wiki.mozilla.org/CA:UserCertDB

I was referring to cryptographic attacks. Unlikely that they have such, but if anyone does, it's pretty likely to be them.

The Verizon order explicitly applies to calls within America between American citizens, which is why it was so novel. PRISM, as described, only incidentally collects information about Americans. This statement does not preclude the direct access to user data that the PRISM reports describe.

The Guardian suggested that more leaks are going to be published...

Prism has been admitted by the government to exist.

The notion that it exists, and Google isn't involved in it, is pretty absurd. That'd be like talking about tapping the telecom companies, but leaving out Verizon and AT&T.


"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies and said a separate disclosure about an effort to sweep up records of telephone calls threatens “irreversible harm” to the nation’s national security."

Mr. Clapper said in a statement that the classified program to collect information from Internet providers is used to “protect our nation from a wide variety of threats” and he condemned the leaks of documents describing its existence.


Also, this is very interesting from a NYTimes article on the matter: "But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said."

They didn't give the NSA "direct access" to their system but created a front end for them instead... LOL.

He did not say

"We only give data to the government in response legal requests about named individuals."

Well, I guess he will have to find a proper way to prove it, because if you are satisfied with just a blog post maybe you should think again.

I'm curious why we're satisfied with an anonymous leaker and some shoddy looking powerpoints.

I'm not going to comment on what's true or what's not, but I know a few things:

1. Having been "in the news" or when I've had firsthand knowledge of an event in the news, I'm always shocked by how inaccurate the news is. Usually not in broad strokes, but in lots of details. I have learned to take everything I read in the media with a healthy grain of salt. I'm not dissing journalists here, but that's what they are: journalists. They are not tech experts. What we are reading could very well be inaccurate. We've not vetted their source either. At least Google is known entity.

2. This whole "we scan everything" business just seems farfetched. That's a lot of data to just double.

3. This program has been subject to oversight. I haven't lost that much faith in my elected officials, or government employees for that matter.

Many times this.

Do you all remember when the "news" was "leaked" by "anonymous hackers" who claimed to lift Apple user data from a hacked FBI laptop? The Internet lost its mind frothing against the surveillance state.

The minority of critical thinkers who suggested that maybe the claims of anonymous hackers shouldn't be taken entirely at face value were either ignored or shouted down. Blanket denials by the FBI were met with retorts of "we know they're lying!". News outlets -- many the very same covering the PRISM story -- repeated uncritically the accusations of the FBI harvesting Apple user data.

Do you all remember what the actual outcome of that story was? Spoiler alert: the allegations were grade-A bullshit. The only part that was true was that it involved (old) data lifted from a hack (against an app developer). Everything else was bogus self-aggrandizing, and the Internet loudmouths played right into it. Why? Because it confirmed people's existing fears.

The sad reality is that everything that has hit the news about this PRISM story -- and the Verizon story -- has actually shed very little light on anything. We have a source with unknown credibility providing incomplete and possibly even misunderstood information colliding with large corporate and government interests. Maybe everyone is lying. Maybe nobody is.

The only thing that is certain is that people unquestionably believe claims that confirm their existing beliefs.

You know, there's a conspiracy theory angle here. A tactic I have observed for dealing with awkward leaks is to allow the speculation about the unknown aspects of the leak ramp up to extreme levels, then rebut the more ridiculous theories without addressing the sensible ones. Joe average reads the rebuttal, feels let down that the story wasn't quite as inflammatory as the hype had led him to believe, and moves on.

This PRISM business (of which there had been no hint before) is a massive one-up on the seriousness of the Verizon scandal, and its timing in relation to it is deeply suspicious. It wouldn't be too difficult for someone in the intelligence services to make a pithy PowerPoint presentation about how the NSA slurps data from all and sundry (what was it supposed to be for again? "Training"?) and fake a leak to a few newspapers.

I predict that this story will turn out to be a complete wash, and in the meantime everyone will have forgotten about the not-as-sexy but much-more-true Verizon leak.

What about the date where "PRISM collection began" for Google, given as 1/14/09? What is that about?


Either way, if Google has troves of info of everything you do online, NSA will get it. One way or another, front door, back door, in-direct access and what not

They can't say "we don't provide access", because depending on the law, they are forced to.

They say "we do not provide direct access", because as explained, any access goes through proper legal channels.

I'm not sure what you'd call it?

Remember language matters, and these are actionable public communications.

Sure, but the statement as worded does not rule out the possibility that a third party contractor (Palantir) has access, and feeds it to the government. So Google has the motive (some theoretical secret law they need to abide) and they haven't denied a potential means (third party mediation). That's enough for people to convict in this situation.

It does. "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

Sure. The statement does not rule out the possibility that aliens are using advanced technology to watch the bits on optical lines without affecting the photos either.

True. However, the prior probability of that statement being true is exceedingly remote, so a non-denial of that still leaves me relatively certain that I don't have to worry about aliens conspiring with the federal government to spy on me.

"prior probability" is a fancy way of saying "without evidence, I believe what I want". Not that there's anything wrong with that, but that's not something Larry Page can help you with.

I think that would fall under this denial:

> First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers.

You would be hard pressed to argue that "direct" access proxied through a gov't contractor isn't the same as direct access. I don't think they'd cut the truth that close unless they were under oath. The court of public opinion is less caring of technicalities.

> Palantir

Isn't that basically their entire business model?

OK, in an alternate reality, what would a clear, flat-out denial look like? I mean, how could we tell such a thing differently than what was in the OP?

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday...Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records.

"We would never do this, not because the government hasn't asked us to, but because it's morally abhorrent. It goes against everything we personally believe in and stand for. Even if we were legally required to cooperate, we would resist and suffer incarceration if necessary. We believe in freedom more strongly than we fear the consequences of not cooperating with an oppressive government."

That kind of thing.

So, you'd feel more comfortable if the company threw in some rhetoric about morals and freedom that are, as assertions, impossible to verify, but would make people feel more warm and fuzzy?

So, basically, what politicians put into their speeches?

Read over your statement again. There's very little of substance in there. For example, what does "this" in "We would never do 'this'" mean? And I'm not being pedantic, because exact language is important here. The question is, what could a non-PRISM-supporting Google say that would differ from what we see in the OP?

And this: It goes against everything we personally believe in and stand for.

OK...let's assume "It" has been properly defined. This hyperbole would be a lie, because....everything? Again, impossible.

"Even if we were legally required to cooperate, we would resist and suffer incarceration if necessary."

OK...cooperate in what? The statement you've proposed leaves room for other kinds of cooperation, if not technically the kind being alleged right now. So this statement doesn't resolve anything.

"We believe in freedom more strongly than we fear the consequences of not cooperating with an oppressive government"

OK, same objections as before. But -- and again, I'm referring to an alternate reality in which Google is standing up against the NSA and PRISM, which may or may not be the reality we are actually living -- if Page is telling the truth about knowing what PRISM stands for before yesterday, then the statement you've proposed is impossible for him to assert, because we still don't know everything about PRISM...and so how would Page know if PRISM is the act of an oppressive government? He literally would not know because PRISM was unknown to him until yesterday.

And if you're saying, well, he should just know, because obviously Google is taking part in the program...well, that's begging the question.

And if you're saying, well, he should just be able to make that statement because any reasonable person, upon reading the reports yesterday, would conclude that PRISM is the act of an oppressive government. OK, that's fine, but that's still not really an assertion of fact, it's just rhetoric.

> "So, you'd feel more comfortable if the company threw in some rhetoric about morals and freedom that are, as assertions, impossible to verify, but would make people feel more warm and fuzzy?"

If Google was actually taking a moral/ethical stance that being an accessory to unconstitutional warrantless searches is something that they find to be morally wrong, yes, I would be more comfortable. My reading of this was Larry saying, "I enjoy being a billionaire and will say whatever it takes to continue being one."

What does any of that have to do with your original assertion that it was a carefully worded non-denial denial? Your point now seems to be "I don't like Google, and this doesn't convince me otherwise." That's fine, but hardly relevant.

Maybe you and many others would be better off by paying attention to actions vs words, and notice which company was the first to push back on the government to provide transparency to national security letters when everyone else bowed down before the government. Being skeptical and not falling for feel good platitudes could help all of us.

> So, you'd feel more comfortable if the company threw in some rhetoric about morals and freedom that are, as assertions, impossible to verify, but would make people feel more warm and fuzzy?

But when their impossible-to-verify assertion is that they've done nothing wrong, you'll accept that just fine?

No. I'm not saying that Page's assertion is true, but I am saying that it is a concrete assertion.

There's a difference between these two things:

1. Issuing a vague non-denial so that when the truth is revealed, you can claim that you didn't technically lie ("Hey, I never said I didn't molested him, I just said I never slept with him")

2. Issuing a denial that is proven later to be false.

I'm not arguing with the GP that Page is telling the truth, but that, as much as we can tell, Page has issued a statement that can satisfiably be shown to be true or false.

threw in some rhetoric about morals and freedom

I would feel better if Google put its brand at stake a little more, yeah.

Google used to cooperate with China.

Google is ACTIVELY forgoing revenue in China, because it wouldn't play by their rules. [1]

It's a start.

[1] https://en.wikipedia.org/wiki/Google_China#Ending_of_self-ce...

The blog post concludes with "But the level of secrecy around the current legal procedures undermines the freedoms we all cherish." That's a clear statement criticizing overly broad secrecy provisions.

It's a clear criticism, but not a clear assurance that Google isn't cooperating ("voluntarily" or not) with those "legal procedures".

>...it's morally abhorrent...even if we were legally required to cooperate, we would resist and suffer incarceration... oppressive government.

That's subjective, and I think you have severely unrealistic expectations of how far companies should be willing to go in this matter.

I believe Google's response is satisfactory. We can't prove negatives, so it's pointless to second guess Larry's post as being an orchestrated ruse. It at leasts gives us an official position and stance from the other party.

I don't think that the ethics are so clear cut. Let's suppose that Google's servers contain data that the U.S. federal government could use to prevent an act of violence that would harm or kill innocent people. Is it more ethical to deny access to this data on privacy grounds, or to grant access to this data to prevent violence?

The typical response here on HN is that the threat of terrorism is greatly overstated. This is probably true, but I don't think it's reasonable to assert that the threat of terrorism is nonexistent. Given the amount of people who use Google's services, I think it's highly likely that such data does exist on Google's servers.

Why limit it to terrorism? With access to email, instant messages, social media streams, search terms and some damn fine data scientists Google could sniff out an awful lot of wrongdoing.

Should they be developing software to figure out who is beating their kids and notify the local police? Cheating on thier taxes and notify the IRS? Breaking their marriage vows and notify thier spouses?

That would be a lot stronger a statement, but at the end of the day... we'll never know. Anything he says could have been written with a govt. agent holding a gun to his head. I know, I know, total conspiracy theory territory. And I'm not saying that is the case, just pointing out that - at the end of the day - there's very little we can actually know for sure about their involvement or lack thereof.

Therefore, IMO, the best thing to do is assume that every single bit that hits a Google server, and every bit stored by Google, is available to the NSA, FBI, CIA, DIA, MI6, Mossad, etc., etc... which means using strong crypto to protect your stuff if you really care about keeping it private.

I would like this:

The only requests for information to which we respond are requests that contain the full name(s) of the people whose data is requested.

Instead of enumerating what they don't do, which leads one to wonder what's left out, they could exhaustively enumerate the ways that they do cooperate. To a certain extent that's what they do with the transparency report. But I saw no strong claim that the report was complete, on the contrary the "whenever possible" language outright suggests the report is incomplete.

I'm sympathetic to being caught between a rock and a hard place, but given that this program only seems to involve US based companies, I would suggest that where ever possible people should prefer non-US software and services. Just as one prefers non-Chinese hardware for the exact same reason.

See http://www.google.com/transparencyreport/userdatarequests&#x...;

Argh. Hacker News refuses to save the URL. Replace %xF; with "/"

I have an extremely hard time believing google received less than 2000 requests for user data last year.

Given that the graph indicates they received 20,000 - not 2,000 - I would have a hard time believing it as well!

It's a good start for a response, especially since it has the CEO's imprimatur on it.

However with all the shady definitions the NSA is using (e.g I can imagine some weasel claiming user data is only the content not the metadata) I would have liked an explicit example.

Something like, "For example, when one gmail user emails another gmail user the government is not, for the majority of users who are not the subject of a specific government order, made aware of this in any way including the contents of the email, metadata and even that an email was sent. Obviously, we have no control over emails, sent outside our network."

I believe Google on this. The language is clear and non-weasel-y. Google does not hand over user data to the government unless specifically requested. There is no open-ended access.

But I also believe the government works with ISP's (all major ISPs) so that they can intercept traffic. Which would be a type of MITM attack allowing them to get data from all major web sites.

I think it's completely weaselly. It leaves wide open the possibility that a 3rd party, like Palantir, has access to the data.

"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period."

"Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

Those sentences seems straightforward and unambiguous.

I'm not much of a conspiracy theorist but those statements are hardly unambiguous. It's the "press reports" that are called false. Close-ended could pretty much be just as broad. The second sentence is hedged with "on such a scale". What is "information about our users' Internet activity"? Does that preclude sharing the actual internet activity? Also, Page keeps referring to "orders" but the press reports suggest some sort of volunteering.

Of course it's hedged with a limitation of scale. Obviously Google, like any other company, is going to provide information on much smaller scales (e.g. a user or a handful of users) for investigation based on specific court-issued warrants. It would be lying to state that Google never provides information about any user activity at all.

What would you prefer Google to say?

My reply was specifically to do with the contention that the sentences were "straightforward and unambiguous".

In this sentence, I would prefer Google to say: "First, we have not joined any program that would give the U.S. government—or any other government— OR ANY OTHER ENTITY - direct OR INDIRECT OR ANY OTHER TYPE OF access to our servers. [capitalized words are mine]

Except that that would be untrue, because there are perfectly legitimate reasons why the government would have access to data on a small scale - e.g. subpoenaing an individual's records in a specific criminal trial.

The fundamental problem here is that we have allegations that the US Government ordered all these companies to do something bad(tm) and not talk about it. So, if we assume that the allegations are correct, then the companies denying it are in on it, and the denial is false. But if the allegations are not true(either wholly or just for Google), then their denial may be entirely true. That's why it's problematic, because if you believe that the reports are true, then Google's actions are perfectly in-line with that belief. If you believe they're false(or even not as extensive as reported), then Google's actions are perfectly in-line with that belief.

So realistically, the best approach is just to wait and see.

Unless you can MITM SSL, having ISP access isn't enough. Remember, Google's the company that discovered that Turktrust had issued rogue CA certificates through Chrome's cert pinning.

unless you assume the NSA has the root SSL certs.

Root certs don't let you decrypt content encrypted with a descending cert. They just let you issue new certs that'll be considered valid. So, a MITM could send a client a compromised cert in the hopes that the client will encrypt content with it (after accepting it as valid due to it validating up the cert chain to root), but Chrome's certificate pinning is specifically designed to detect this class of attack - it is how the compromised Turkcert certs were discovered.

Even if you hold the root certs and can issue attack certs that validate up the cert chain, you can't MITM a cert-pinned client. In order to attack a cert-pinned site, the NSA would have to inject their own certs into Chrome's cert store, or have Google's private cert keys. Either would require compliance from Google.

Does anyone seriously believe that they don't?

I believe everyone's using the term "direct access" in contrast to the access the government is already known to have, which is via warrant or other "indirect" requests.

Unfortunately for Google, the Director of National Intelligence himself has confirmed the program and publicly called its disclosure "reprehensible". However, Google and the rest of these companies are in an awkward position. This program is still technically Top Secret, even though everyone now knows about it. Because of the obligation to secrecy that comes with having received classified information through the proper channels, they are essentially the only people in the world that are required by law not to acknowledge the existence of the program.

That said, the canned "direct access" line - the exact terminology curiously arrived at by no less than 5 separate corporate PR departments within hours of each other - is a poor facade. They should have considered how using identical terminology would make these denials so transparent.

That is untrue. See:

http://news.cnet.com/8301-13578_3-57588279-38/google-ceo-on-...; James Clapper, the director of national intelligence, released a statement last night saying the Guardian and Post articles about PRISM "contain numerous inaccuracies." Clapper's statement didn't confirm or deny any NSA activity. He said only that the articles "refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act," and that any such collection is legal.

So, you are suggesting that the slides detailing their participation were simply made up?

There are no such slides. The slide just has a name and a date, no details of what "participation" means.

Read the blog post. "Press reports that suggest that Google is providing open-ended access to our users’ data are false, period"

Which is still pretty flexible language. "Oh, it's not open-ended access, it's limited to the conditions in the authorization..."

The Verizon order was limited to 3 months, for example, which is hardly open-ended... except that it presumably got re-upped every three months.

Read the NEXT SENTENCE! "Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records."

AND THE TWO AFTER THAT: "We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

"NEXT SENTENCE": I don't think they're a telco with millions of users, Goggle Voice is pretty small, right?

The two after that look like a pretty good denial, though.

It is very possible that Google is lying.

Of course it is, but in this conversation that is moving the goalposts. And if we had to address every possibility, very little progress would ever be made in any discussion.

Then why bother parsing their language or even reading their blog posts?

He also says: "Until this week’s reports, we had never heard of the broad type of order that Verizon received... We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

No, its pretty clearly written to me. Larry Page is genuinely surprised that this program thinks it has access to Google data on demand.

I interpreted the repeated use of "direct access" as a response to the media reports yesterday that used that same phrase. My memory could be mistaken but I seem to recall hearing reporters use that phrase over and over. So it would stand to reason that Google and other companies would use the same phrase in their press releases. That would be a simple explanation of the consistent language. That said, I wish Congress would appoint a special prosecutor so that we can get to the bottom of all this.

Same thing with the "we've never heard of PRISM" language a number of companies are using. Well, yeah - that code name probably stayed within the NSA.

> It just smells of being rehearsed, and carefully coordinated to select such language.

Next time, hopefully they'll make it less clear so that you have to translate the company-specific jargon and feel better that it's spontaneous and careless. </sarcasm>

That explanation is far easier for me to believe than the theory that Google would have agreed to cooperate in this spying effort.

This link has been submitted to the new queue at https://news.ycombinator.com/item?id=5841505 and I hope it gets voted up for wider attention.

This is incredibly far fetched. None of the audit controls at these companies notice that these employees are constantly accessing user's private data? And these double-agent employees manage to do all this secret work while still maintaining a cover as a regular employee who does well enough of a job to get good perf reviews and stick around?

Yeah, for real. We're not talking about sneaking a few files out on a thumb drive, here. We're suggesting petabytes of data being sent out over Google's networks without Google noticing. Meh.

I guess the question then, is: how big of a cabal of "rogue" employees would it take to put evil code into production at a place like Google. I seriously doubt one person could do it, no matter how highly placed.

one person, maybe not, but if you're a intelligence agency with a multi-million dollar budget to tap Google, you'd probe the organisation and bribe those with access, and anyone in the chain those employees could credibly report to.

this isn't difficult or particularity far-fetched!

Don't you think China/Russia/Israel/etc would have attempted/done the same thing, too?

The biggest reason is, what is the downside? Working with US spy agencies as an american on american soil you don't risk getting thrown into jail for the rest of your life and the biggest downside is getting caught and fired but you are being compensated with money anyways so why would you care. Working with foreign governments is much more risky but I am sure they have tried and do have agents working in large companies such as google.

who says they haven't? maybe not completely (it's way easier for the US, as most of Google resides on US soil), but you can bet they have people in a position to extract at least some data on demand.

this has previously happened: stuxnet (a product of several intelligence agencies) was digitally signed by a large semiconductor company!

They're using the phrase "direct access" because that phrase appeared in the leaked NSA slides.

Are you alleging they are trying to avoid making untrue statements in this blog post? Then what about "Press reports that suggest that Google is providing open-ended access to our users' data are false, period."?

The first sentence of the WPo article which started this is "The NSA and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies". I think saying "we do not provide direct access" is a reasonable response.

The term direct access was first used by the Guardian in their original story: "but the Prism program allows the intelligence services direct access to the companies' servers." - most of the early denials (where the companies presumably hadn't read the article) didn't include the phrase but the later ones did.

So it's reasonable to suppose that the article was the source of that phrase.

Yeah, this is really the most straightforward explanation.

> I can't understand the repeated use of "direct access".

From the rest of your comment, I think that you understand it quite well.

I agree, the wording "direct access" is indeed very suspicious, and I tend to believe Arrington might be into something: http://uncrunched.com/2013/06/06/triangulating-on-truth-the-...;

I re-read the Larry's response carefully, and he did NOT refute the claim, that they are giving data to some 3rd party (who then forwards it to the government). He just says that government do not have direct access to it. But the issue that someone else can have the access is avoided, and it is exactly the same as the Zuck's response.

The key word here is "direct". Based on the other thread speculating about Palantir its pretty likely there is a 3rd party contractor who does have direct access, and provides convenient plausible deniability to both parties

First, we have heard no denials from government officials that these programs exist. Indeed, US Senators & Obama have acknowledged they exist. Second, we have no denials of the document's authenticity.

Third, we would assume through logical deduction that someone who does deny the program's existence is either lying, being misleading, or has been mislead themselves.

Finally, if this program does not actually exist, what the hell program are Obama and these Senators' referring to?

Program existing != program being exactly as described by the media.

> The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.


The point is, they don't need to provide anything direct... the problem is the gov monitors the pipes and sees all, period. The problem is at the telcos, fundamentally. Even then it's not the telco's fault since they were forced and given immunity. The problem is our elected government, plain and simple. We've known about this since 2007. Happy to see it finally discussed in the mainstream.

Totally integrated corporate-state repression of dissent. What could go wrong?


"Direct access" is a phrase from the original report in The Guardian: "The National Security Agency had obtained direct access..." - first sentence of the report.


Possibly no direct access because the NSA has copies of Facebook, Google and Apple SSL private keys? Just sniffing the backbone...

Couldn't agree more. The key terms used are subject to interpretation. Still not feeling comfortable about this.

Is there any statement that would actually make you feel comfortable? If you're going to choose to disbelieve someone's statements, there's very little they can say to change that.

Larry's post was designed to quickly assuage our knee-jerk fears about a giant like google having anything to do with "PRISM". In that, it is effective.

I think for a lot of folks complaining, his language (i.e. "direct access") is just overly precise enough to leave too much room in the margins for technical loopholes concerning "who" has access to "what" data. When Larry defends their general policies stating google "pushes back on requests", I am not convinced when terms like "overly broad" and "correct process" are left undefined.

But it's a 4 paragraph blog post- what do I expect?

Even legal docs are open to interpretation - they're not math. It's hard to expect a concise and readable post, not couched in legal phrasing, to somehow exclude all possible alternate interpretations. Especially when it can't be absolute in phrasing because there are known (and accepted) exceptions.

The top couple of posts on Hacker News are about PRISM right now. On each post the first comment is about how similar the responses of each company are. It's almost as if there is a conspiracy to be conspiracy nuts on Hacker News.

Thats because they do give access through court orders, etc, ie "indirect access". Then again if they're "lying" then it means indirect access as in "they had to authenticate first!!"

Does it matter? What are the odds these guys are telling the truth when the President himself has lied about it? Maybe it's a concern of national security?

The most interesting thing about Google's repeated use of the phrase 'direct access' is that there are so many nerds that don't comprehend how much wiggle room that phrase implies.

My bet is that Google is under order of some kind of National Security Letter and has to deny involvement here.

AT&T didn't deny involvement during EFF's NSA wiretapping lawsuit. They didn't confirm or deny.

Voted up for an astute observation

I'm not quite sure how you came to that conclusion, to me it reads like the opposite of slick lawyer talk, it's pretty unambiguous:

"No direct access", "No backdoors".

"Press reports that suggest that Google is providing open-ended access to our users’ data are false, period".

they are required, by the law, to deny any involvment with the NSA anyway or they can go straight in jail.

Citation of such law?

It's a part of the Patriot Act. This is from a Wikipedia article on a warrant canary, which is a clever method devised to alert customers of such warrants indirectly. [1]

> Such subpoenas, including those covered under the USA Patriot Act, provide criminal penalties for revealing the existence of the warrant to any third party, including the service provider's customers.

[1] http://en.wikipedia.org/wiki/Warrant_canary


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact