1st paragraph: we wanted to respond to these claims. 2nd paragraph: never heard of PRISM, don't give direct access. 3rd paragraph: each request goes through legal channels. 4th paragraph: encourage governments to be more transparent.
EDIT: It gets worse. Here's Apple: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."
Here's Paltalk: "We have not heard of PRISM. Paltalk exercises extreme care to protect and secure users’ data, only responding to court orders as required to by law. Paltalk does not provide any government agency with direct access to its servers."
Here's AOL: "We do not have any knowledge of the PRISM program. We do not disclose user information to government agencies without a court order, subpoena or formal legal process, nor do we provide any government agency with access to our servers."
And here's Yahoo: "We do not provide the government with direct access to our servers, systems, or network."
Microsoft refused to issue a direct denial of involvement in PRISM.
It may look impressive that they all say they don't allow "direct access to servers", but it's hardly surprising, since the original Guardian headline was "Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook". If they didn't say that exactly, you'd be suspicious.
It may look impressive that they all say they "haven't heard of PRISM," but this is really quite a natural thing to say if it's true, and someone accuses you of being involved in the program.
Moreover, aside from the "direct access" thing, the phrases they all use are actually different. "We have not heard of PRISM" in one case, "We have never heard of PRISM" in another, "We had not heard of a program called PRISM until yesterday," in a third, and so forth. You don't have any case for funny business based on similar wording (because it isn't), and the case for contamination based on similar content would be a whole lot more impressive if that content weren't something common and expected.
On the whole, I think the similarities have plausible mundane explanations. Admittedly, I am no student of accidental plagiarism. I don't have an academic opinion on how similar or dissimilar we should expect the statements to be when ten people try to say the same thing in response to the same accusation. But that is just my point: if you want to persuade me of something so preposterous as that all of these people are following a script, you're going to have to do more than wave your hands and say, "Look, there are similarities."
Please. That's the stuff of superstition. If you want to convince me the probability of this occurring at random is low, you're going to have to do some math.
To us he'd be a hero, to the rest of America he's just helped out terrorists by coming clean.
I wonder what Sergey thinks of all this.
...the tactic of the US government has been to attack and demonize whistleblowers as a means of distracting attention from their own exposed wrongdoing and destroying the credibility of the messenger so that everyone tunes out the message.
According to the same article:
...Obama prosecutes whistleblowers at double the number of all previous presidents COMBINED
The US government could easily and expertly discredit any whistleblower CEO with trumped-up tax evasion charges.
They couldn't say it louder if they used a bullhorn.
Are you surprised? High profile figures are going to want their statements to say exactly what they mean to say, and no more, no less. This means vetting, and keeping it concise helps when your timeframe is "same day".
It requires that they coordinated with the companies' PR departments in the process of setting up the program. The companies asked: what if the shit hits the fan, or this comes out in the public, what do we say? And the government had a simple, boilerplate answer for it.
You wouldn't even have to work with the PR dept, just one single person. Either a special rep in PR for government matters, or just the CEO himself. It would take 5 minutes to put together a generalized script for the CEO to follow in the event this hit the public news.
This (the PR response) would be extraordinarily easy to coordinate, and it would take just one conversation at the point the program was signed on to by the companies.
And when this all became public, the company could also easily then call up the US Government and ask them what to do (and more than likely, the NSA could call them and tell them what to do).
The part that requires incompetence is everything that has happened today. The NSA's job is intelligence. They are the experts in connecting dots, reading between the lines, seeing how random events might be a sign of something bigger, and whatever other cliches you want to throw in here. Yet they are an organization that doesn't know that having people reading from nearly identical scripts will make people think they are reading from nearly identical scripts?
Senator Wyden has openly talked about how he wanted to say something about these programs, and even now he can't reveal details of what's going on because it would violate national security and he'd probably be put in prison or at the least removed from Congress.
The overall fact that the NSA has been reading our email, tracking us on Facebook, tapping our phones, etc. has not been kept quiet. Exact details are far more difficult to come by, even now those are classified. The IRS was talking about their right to read our email four years ago. The IRS has no known infrastructure to pull that off, it's clear they were talking about NSA or FBI programs.
As someone else noted, the government is very frequently both competent and incompetent when performing tasks or running programs. There's nothing unusual about that, you see it throughout the government bureaucracy. Sometimes they pull off impressive feats that you only read about decades later, and other times they're Nixon trying to cover up Watergate.
| The IRS was talking about their right to read our
| email four years ago. The IRS has no known
| infrastructure to pull that off, it's clear they
| were talking about NSA or FBI programs.
Which is complete bullshit of course. Mike Gravel anyone?
Rumors of widespread data collection -- even specifically by the NSA -- from many of the providers at issue have surfaced many times, what was new recently is the same (or substantially similar) bits of documentary evidence substantiating and connecting those rumors.
So, to all appearances, it may not really have been "kept quiet" up until the recent leak, it was just that the information that got out before wasn't as well-supported and therefore hard to dismiss.
Which is exactly what governments are.
Extreme resources, very smart people, and very idiot people, incompetent bureaucrats, messy cover-ups, all co-exist, all the time.
What did you think they were? Incredibly competent XOR incredibly incompetent? (Only the first would be a conspiracy theory, whereas only the second would be gross underestimation).
>If the NSA was able to keep this project under wraps for so long with the number of people involved, I think they would be smart enough to at least slightly alter the words of their puppets, after all this is supposed to be the area of their expertise.
You've never seen badly (or too fast) done spin work?
Not to mention, why would the NSA care to spend too much effort on how those things were phrased?
If you think it matters, I'm afraid, you give the American public too much credit. It's not like it's gonna get suspicious by such small and peripheral signs. Listening to and accepting bad arguments, BS excuses, fake promises, and shit from politicians is what people are doing all their life.
And it's not even like they're gonna do anything about the core situation with regards to privacy. It's just the "hot topic" of the day, to be forgotten for some BS next week. You surely don't expect some kind of revolt or anything? If that was to be, it would have been at the other 20 similar media expositions or against the horrible laws that have been passed openly.
Not just the American public. This is blanket spying on the people of the world. Now that might sound less problematic for Americans who want to see those pesky terrorists brought to justice, but it also allows the NSA to build up profiles on everyone.
US border security is already a nightmare, god knows what they can do with this kind of information. Ever searched for torrents on Google? Your next trip to the States might be interesting.
It seems also they could be sharing this data with other national security agencies, which is where this gets really scary:
Global Big Brother.
Personally as a user of Gmail, Skydrive, GDrive, Dropbox, Facebook,... I find this incredibly disturbing. I will be doing whatever I can to remove my dependency on any service hosted in the US.
You think Belgium or France or Poland spies on US citizens phone-calls and Google/FB? Inside the US?
As for "Nobody gives a shit if you torrented a movie", first, we're not talking about Joe Average, that downloads GoT in rural Idaho. We're talking about people that matter to society: writers, investigative journalists, dissidents, hackers, activists, etc. They cared very much what A. Swartz did, for example.
Second, even normal people, downloading a "torrented movie" have been hit with huge fines by RIAA.
It isn't chance that their statements look similar: You can be absolutely sure that each looked to the other for some sort of direction, and once that came they followed the leader simply because it makes sense.
Even excluding that, really how many variations could there possibly be? Someone said you did something illegal. Say "no I didn't do something illegal, and everything I have done has been above the board and transparent". Do the same thing to twenty people and you would get remarkably similar statements, because a response can only come in so many forms.
and citing this http://blog.reddit.com/2013/05/get-ready-for-global-reddit-m...
where it shows:
Most addicted city (over 100k visits total)
Eglin Air Force Base, FL
At the moment all there is on the front page are 2 stories on Greenwald and some "collecting anti surveillance arguments thread".
I guess after their role in promoting the anti-SOPA movement they got some "special attention".
Oh come on. We all know that it's Agent Phil Coulson of SHIELD that's doing this. "This isn't my first rodeo," he said.
Isn't that the definition of a government conspiracy?
It's even possible that the companies coordinated their press releases for the very purpose of raising questions. We shouldn't assume they are all isolated from one another. It's far more likely that there is some form of communication going on between them, or at least between the high officials.
In essence, this looks very much like a coordinated effort to rebel against a gag order without actually crossing the line and putting oneself in jeopardy. Read between the lines.
Many people are going to jump to the conclusion that it's because they were following the same broad script, but another possibility is that they want people to notice the similarities and become more upset about PRISM.
Ah, that makes sense, if they are under a gag order, but yet want to subtly convey that they are under a gag order! It would be a brilliant way of circumventing it.
Even if the gov tries to arrest them for leaking classified information, they'd be near-impossible to convict following the inevitable massive public outcry.
OTOH, I'm more skeptical about the implementation side. Have you ever set up a feed between two different organizations that needs to transmit a massive amount of data in real-time? It's an immensely complicated undertaking requiring a whole team on both sides, with managers, engineers, techwriters, QA, and support staff. It seems a little unbelievable to me that one of them wouldn't spill the beans, particularly if asked to participate in a morally-questionable program.
Implementation side would definitely be very difficult, but you could screen the candidates for those who are sympathetic toward it. Ensure they understand how important it is that the program stays secret. Keep retention high, and perhaps even have some ongoing benefits for any employees who do churn but were part of the program. It definitely wouldn't be easy, but I think it is doable.
There's also the issue of how to hide the source code (to my knowledge, both Google and Facebook use one source repository for the whole company, to which virtually everyone has access). This can be gotten around - I'm sure that there are private repositories off to the side that you could use to build a binary - but this is yet another integration point that could be discovered. (Eg. some SRE notices that network bandwidth is high for a DC, traces it to a machine, notices the machine is consuming a large amount of CPU, gets root and runs 'top', and suddenly notices an unknown process siphoning off all data. At this point, how could they not assume their network is being attacked - because that's really what this is, the U.S. government hacking into the company's DCs - and pull the alarm? So all the SREs, abuse teams, internal security, etc. would have to be briefed, which is small compared to the whole company but still a huge surface area for a top-secret project.)
That doesn't actually answer the parent's question. What is the likelihood that a bunch of tech leaders would know about this and it wouldn't get out? That any group of people wouldn't let this out?
I agree with the latter half of your comment, but the first sentence is as powerful as saying, "The only way to keep a secret between three people is if two of them are dead."
They both sound like ominous truths, but neither is a particularly compelling argument.
It's not about arresting them. It's about harassing them and their businesses -- which the government can very easily do.
Also, who said those kind of CEOs are champions of public freedom? Google? Microsoft? Facebook? Because they're techies they're supposed to be "on our side"?
Not to mention it's very easy for the government to pamper them, and make them feel very patriotic and whatever for contributing to this cause for the safety of the US, etc etc.
If you receive a national security letter, you are not allowed to tell anyone (not your family, not your lawyer, not anyone).
If you break the life-long gag order, you go to jail for up to 5 years.
Hundreds of thousands of these have been issued, and the above story (about the owner of an ISP) is one of the few cases where someone fought back and won the right to speak about it.
That can't be constitutional. The government has no right to even know whether you told your lawyer or not.
At least sometimes that is the case, though I don't know if it generally is.
If you have been authorized to have access to classified information, such as (if one accepts the authenticity of the presentation that the Guardian and WaPo have reported on) even the existence of PRISM, on the other hand, there are fairly substantial legal consequences to unauthorized divulgence of that information, and those consequences don't necessarily go away because someone else gave out the information first.
No, that's not Occam's Razor. That's "naive believer in government that's willing to ignore all the facts Razor".
Occam's Razor tells us that when some companies participate in a covert secret services program which is brought to light, then the secret services coordinate damage control and tell them what they are allowed to say to the press and what not.
A conspiracy was just uncovered... and we're concerned about conspiracy-theorizing? The word itself has been dragged through the mud to the point of becoming a dismissing scare tactic, it basically translates to "crazy person, crazy ideas".
Basically, if your story doesn't match the official conspiracy theory given by the government and the companies that work for it, then you must be a conspiracy theorist...
Life is comedy.
No, just one that accepts there are most certainly things going on behind closed doors the public is not privy to, which is all the definition of a conspiracy is.
People say, "you are a conspiracy theorist" or a "tin foil hat wearer" in an attempt to discredit what you say. The government doesn't need paid goons to sleuth on the internet to defend them, there are armies of people just waiting to comment on how stupid we all are for challenging the government positions/laws. The battle is already lost in the mind of the average American.
If it's a conspiracy, what's the common goal? There's nothing in it for the companies involved. You might just as well say rape is a conspiracy between the rapist and the victim.
A conspiracy doesn't have to have a common goal between all parties. What kind of bizarro logic did you use to reach that conclusion? People and companies can conspire with others against their will, you know. E.g. I blackmail you in order to conspire with me to steal valuable data from your employer, etc.
The goals are set by the NSA, and the tech companies could not care less about them. They agree to conspire (i.e. help the NSA) though, because there would be other consequences if they did not. From prosecution from the government, to under the table blackmail, etc.
That one is definitely optional and would not be part of any scripted response, the fact that a large number of the statements have this exact same optional closing paragraph suggests they are inspired by a common source.
This being said, if you read it more closely what they say is actually quite a bit more damning. Read closely, the denial is actually entirely nonsensical.
Both deny involvement in "PRISM" but both then go on to mistakenly identify PRISM with the Verizon order. Page says he learned about it when Greenwald broke the story (Greenwald broke the Verizon story, the Washington Post broke the PRISM story). Zuckerberg similarly talks about metadata significantly.
In essence it is a bait and switch. Sort of like "I wasn't at work yesterday. I can show this because I didn't go on vacation."
The Norwegians have a story called "Good day fellow. Ax handle" which would be a fair summary of what is going on here. The story is about an old deaf ferryman who is deep in debt and left all alone to face the bailiff. So he thinks about all the questions he will face and answers he will give, but when the bailiff comes to ask directions to the inn, he gives answers that are entirely humorous.
"Where is your wife?" asked the bailiff (hoping to find someone less confused).
"I am going to tar her. She's lying down on the beach, cracked up at both ends." Replied the ferryman (thinking he was being asked about his boat).
Google: "we have not joined any program that would give the U.S. government—or any other government—direct access to our servers"
FB: "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers."
Google: "We had not heard of a program called PRISM until yesterday."
FB: "We hadn't even heard of PRISM before yesterday."
Google: "there needs to be a more transparent approach."
FB: "governments to be much more transparent about all programs"
Call me nutty, but this can't be coincidence.
Participating with government requests doesn't make these companies any money. It must be a major drag, actually. It involves lawyers, tech people, and trying to strike an uncomfortable balance between user trust and trying to persuade a court that a request should be denied.
This might be because they've been given a script, but it might also be because they chose to copy each other. They could copy each other out of not wanting to be "the odd one out." Any company that puts out a statement much different from the others risks being trusted less than the others. They could copy each other because they want people to jump to the conclusion that the government gave them a script (even if they didn't) so that people get more pissed than they already are.
As others have pointed out, the similarity could also be because the PR/lawyer response to this is so cookie cutter. I think the "not wanting to be the odd one out" would be the #1 mundane reason, though.
The collusion/double speak/puppeteering or game theoretic layered messaging within a secretly orchestrated gag conspiracy are plausible but I'd prefer to wait for more evidence before I accept Facebook and Google are complicit or prisoners to that. That doesn't mean I think they are either of them blindingly righteous beacons of morality (or even chipped and dulled pyrite morality for that matter), just that the implications of the scenario (democracy canceled xor executives willfully distorting the donut of truth into a mug) are hard to believe.
1) The heads of these companies had a conference call this morning and agreed on a 4-paragraph format, with specific points for each paragraph.
Or 2) The federal government instructed each company to respond today, with a 4-paragraph point-by-point, and then Larry and Mark obediently complied.
What's ludicrous is thinking the Feds are tapping every major telecom provider, but wouldn't do the same to Facebook / Google / Apple / Microsoft. These companies are collectively vastly more important than AT&T and Verizon, worth about a cool trillion dollars, and now make up a huge portion of the data infrastructure for American consumers.
A spy is given instructions in case of interrogation by the enemy. Why wouldn't a $250 billion corporation be given instruction in case one of the largest spying systems in history hits the public news? It's absurd to think they wouldn't be.
Are you kidding me?
In any case of accidental exposure of a covert government operation involving many such parties, there would be instructions how to handle the media.
Those could be known in advance (at least for some cases), or they would get a call in case of emergency with instructions on what they are allowed to reveal and how to say it.
It's not different than what would happen at a multinational if there was some embarrassing incident related to one branch (e.g a costly in human lives accident). The legal/marketing team would reach to each branch pronto, with instructions what to say to the media. So, if the media get the manager of the, say, Canadian, branch, he would say more or less what the manager of the German branch would tell to his media.
The only "ludicrous" thing is your misplaced scepticism -- as if this thing isn't both obvious and something that's standard practice to media handling from entities of any scale...
I think that explanation strikes an appropriate balance of competence and incompetence.
what could go wrong? http://s3.amazonaws.com/dk-production/images/14030/large/Occ...
-priceless. Of course they wouldn't participate in such a thing voluntarily, can you imagine how expensive that would be...
An NSA program like this would not be voluntary.
The value of the data inside Facebook would actually go down if it was transferred out of Facebook. It's much better if Facebook themselves would run the query (like they normally do with advertisement), and provide the NSA with either a summary or webbugs/custom code in form of targeted images (advertisement) sent to those NSA is interested in.
Copying massive data would not just be logistically hard, it would need to be constantly updated. The simplest answer is that "direct access" simply means NSA provided queries that Google/Facebook run at "request". No need for backdoors.
You could even argue that an API would not be 'direct access'
First thing I noticed was really the fact that it took these companies so long to put these statements out there, in Mark's case less than an hour ago as of the time of this posting.
Personally, if someone accused my company of giving customer data to the government, and a large segment of my users believed these claims, then I would switch to damage control mode and send a statement out within 6 hours at the most.
Then again, I suppose if you sent out a statement too soon, then people might think that you knew in advance about the leak.
Well, anyway, the weirdness I observed pales in comparison to the odd coincidence you discovered.
I wish somebody had the guts to be a hero. We need more of them.
I feel these statements are for the fans of these companies that want to hear it to believe it and quick to dismiss it.
Personally: I got in trouble with Google in '08 and yet I still use their products even assuming that I am probably monitored or easily creating a gov profile that can easily be subpoenaed (or given just b/c they may not like me).
The sad truth is most people don't even care ...
- The companies are lying.
- The government has infiltrated these companies and developed backdoor access the executive team is unaware of.
- The government is intercepting traffic en-route and doesn't need cooperation of the companies.
- The government is confused on their talking about what they're confirming here and PRISM has been misinterpreted by the press.
#1 is possible, but implies that there exists a National Security Letter-like mechanism that can coerce this kind of public behavior. I find that unlikely but certainly not impossible; that would definitely be a concerning outcome.
I think #2 is unlikely. There's an interesting passage in the original Washington Post article, though, about how they want to be careful to protect the identities of the cooperating companies so as to not "damage their sources". A simple reading of this is that the companies might pull out if they're publicly exposed as cooperating. However, since they appear capable of coercing cooperation anyway, a slightly more tin-foil-hat reading is that their access is less straightforward than asking Page and Zuckerberg for help.
#3 is probably happening regardless of whatever cooperation the companies are providing. However, if that's the extent of PRISM I think it says interesting things about the likelihood that RSA has fallen. Is that likely? I have no idea. It wouldn't be unprecedented compared to what the NSA and its predecessors have done historically, though. It's worth noting that the NSA hasn't approved asymmetric crypto for protecting classified data. (http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography)
But there's no email or fax needed, requests arrive via something like a JSON request and are automatically returned to NSA once the company looks up the requested data.
Company doesn't know NSA calls it PRISM. As far as the company is concerned it's just a bridge from their systems to the NSA for valid law enforcement reasons, why should they care what NSA calls it?
That would also explain why it's so cheap ($20 million). Or rather, why it's so expensive given how little it really is...
Gellman says that "We did hold back quite a bit from this story" and then later goes on to explain the reason the companies joined ... "The law does provide that they can give access and a secret surveillance court can make them give access, but in a situation that you have a clandestine program and a very rich and powerful component ... They don't want to litigate this with Facebook, they don't want a chance of it leaking ... Facebook also being a highly regulated industry, having all kinds of issues with privacy and whatever else doesn't want to antagonize the government, so they negotiate it. Now Apple took .. 5 years .. I don't know what happened, but Microsoft joined in 2007 and Apple didn't do it until the end of 2012."
Unless the author, Gellman, exaggerated the story it is very clear that this is well beyond FISA court ordered surveillance.
If Page's & Zuckerberg's denials are somewhat truthful it means there is a compromise in the traffic streams themselves.
They have to give access because the law demands it, but they also make it easy for the agency to use. Which for example Twitter does not do.
If the other theory about ISP level data collection would be true, it would make no sense that Twitter and Dropbox are missing and not part of PRISM.
> On the “no direct access” —ISPs push to a separate server the subset of accounts that the FISC order covers; NSA monitors them in real time
> Let’s say court order says “all Yahoo accounts in Pakistan” Yahoo would push those accounts to the server; NSA could watch them in real time
>They’d try & figure who & where the incoming emails were coming from. US persons data minimized automatically if possible (often it’s not).
The NSA PRISM program may not even exist, however the Obama government may be too incensed with the notion of anybody opposing government's encroachment on privacy and civil liberties, and thusly they're hastily defending and deflecting any accusations of wrong-doing.
It's safe to assume the NSA can easily do way more than 2 petaflops, and they have an exaflop goal, and that would be enough to run known attacks against DES, factor 1024bit RSA moduli ... and if they can compromise just one root CA (which uses 1024bit RSA) they can issue valid certifications of their own and MITM everyone, and none would be the wiser.
And all of this assuming the NSA relies on publicly known weaknesses in SSL/TLS. The fact of the matter is that they have very smart people with access to unlimited resources researching new vulns and actively exploiting them.
My assumption is some combination of #4 and #5, really.
There is evidence that directly contradicts their stories (i.e. The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation – classified as top secret with no distribution to foreign allies – which was apparently used to train intelligence operatives on the capabilities of the program. The document claims "collection directly from the servers" of major US service providers. ).
Who are we to believe?
This would be reasonably easy for the NSA to do, relatively hard for companies to catch, and perfectly explains all published facts.
For that matter, who is the CEO authorized to tell if the CEO got the letter? Obviously they have to be authorized to tell at least enough employees to actually implement the demand.
All the companies ruled out is direct access (and Microsoft said that if there's a voluntary program, they're not part of it; they didn't rule out an involuntary program of course).
They did not rule out even something so simple as an API, or another party doing the work for the NSA (which the NSA then taps into, à la the Palantir concept).
Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
If it is possible though, there could perhaps be an NSL that covers "just gmail" that is otherwise as broad as the Verizon one.
The notion that a CEO could be unaware of something like that happening is incredibly disturbing though. I hope that is not possible.
The covered persons in A would be just enough to appropriate the necessary budget and deliver the features.
When the VP of Engineering or CEO asked, 'why did we add this particular feature, what's the use case?' the answer was, "If it's business critical that you need to know, we would need to document that and see if you can be added to an NDA."
"An NDA with who?"
"I can't say."
NSLs take this to an entirely different level. Page and Zuck don't have a clue. As soon as the databases were large enough to be useful, the data was in the hands of the NSA. That much should be taken for granted. The more important question has always been "if and how can it be used against you?"
With Obama claiming it's legal and approved by 3 branches, and how widely outside the NSA the data will be shared, the reality of "show me the man, I'll show you the crime" has never been truer.
I suppose though that whatever part of an NSL that authorizes the CEO to tell developers to make it would likely also authorize the CEO to tell the security guys not to sound alarms about it... at least not without consulting senior management first.
I mean you still need to deal with private keys but the NSA might have the certificate authorities wrapped around their fingers.
I don't think they would be intercepting SSL traffic either, because Google has a hard enough time legitimately updating their certificates that I imagine if the government were doing it on a wide scale people would definitely notice.
* Data is not, as everyone seems to keep saying, "direct access" and either first sent to NSA servers or a copy is sent periodically.
* Companies don't know and NSA is unlawfully getting data (unlikely).
* Companies are being forced to not talk about it and outright deny it.
* There is somehow a plausible deniability. They are not willingly giving up the data but they aren't stopping them from taking it either and just turning a blind eye to NSA's activities.
Secondly, in defense of the companies, at least Google and Facebook, they've put up real people (Zuckerberg and Page) behind these assertions. In the case of the leaker, we just know that he/she is a career intelligence official...which could mean many things.
No, I'm not saying that leakers should be distrusted until they identify themselves...I'm saying when the evidence that the leaker has given is heavily redacted, then it's hard to know what assertions the responding companies have to actually lie about.
In other words, it could be the case that we shouldn't believe anyone so far.
If the programs were not as described, Obama would have certainly said so. Instead he confirmed their existence without disagreeing with what was said in the Washington Post about it.
Given that, there is good reason to believe the substance of the leak, even though we don't know who leaked it or exactly what is in that presentation.
> Q Mr. President, could you please react to the reports of secret government surveillance of phones and Internet? And can you also assure Americans that the government -- your government doesn't have some massive secret database of all their personal online information and activities?
> THE PRESIDENT: Yes. When I came into this office, I made two commitments that are more important than any commitment I made: Number one, to keep the American people safe; and number two, to uphold the Constitution. And that includes what I consider to be a constitutional right to privacy and an observance of civil liberties.
> Now, the programs that have been discussed over the last couple days in the press are secret in the sense that they're classified. But they're not secret in the sense that when it comes to telephone calls, every member of Congress has been briefed on this program. With respect to all these programs, the relevant intelligence committees are fully briefed on these programs. These are programs that have been authorized by broad bipartisan majorities repeatedly since 2006.
I'm not arguing against you, I'm saying that his statement is vague, and that it could just be a broad assertion of the executive powers. It doesn't matter whether the program is called PRISM or SUPERPATRIOT or what (in the president's reasoning), such surveillance measures have been legally approved and are regulated, if the government chooses to undertake such measures in the name of security. This is not the same as acknowledging that PRISM exists (which would put Google/Facebook's claims to the test).
The inevitable conclusion is that while he did not specifically confirm what was said in the press, he lent great credibility to the leaks being real documents describing real programs.
> I've never taken a single lesson in legal or PR and even I can see the big huge holes. They insist on direct access, they insist on servers rather than data and they insist on governments.
However the private keys have to be deployed, on scale. So if as someone here is suggesting the NSA has infiltrated those companies, they could have got those keys and just decrypt the stream.
I wouldn’t bet my money on that… but it’s more likely than breaking the encryption, and if they can get military secrets, I guess they could get the keys.
Also those companies could have just volunteered them—that’s where the emphasis on ‘direct’ access comes in.
The suggestion that the companies actually gave them the keys and this explains the "direct access" phrase makes a lot of sense!
I mean Apple only got added in 2011. If what you're saying is true then what does this date refer to?
Well, if they are intercepting data through backbones, and much of that data is encrypted, they need to defeat the encryption in a durable way to get a clear feed. While I don't suggest that this is what was going on, if it was, there would be no reason that each provider would necessarily be broken at the same time; there would likely both be prioritization of resources directed at each provider, differences in the security of each provider, and chance involved as to when each was broken.
Growing popularity and usage of iCloud and Apple's own messaging system? IIRC, before iCloud, Apple didn't have that much user data.
But a running process or piece of hardware sitting in their DC sniffing traffic? No.
That's what I think they're saying, at any rate.
EDIT: One plausible explanation for why everyone keeps using the phrase "direct access" is because it appears in the Guardian story as the first sentence: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...
* No direct access.
* Never heard of Prism.
* We review each request.
* We want more government transparency.
Edit: Formatted the list.
Now I'm thinking that, yes, they coordinated their responses with the aid of the government. Dammit. I guess that's where my optimism gets me.
Anyway, what difference does the origin of the statement make? The companies are either trying to deceive us, or they aren't. What matters is what's being done to us. We're all powerless here except to let politicians know we're unhappy, will vote against, fund EFF, etc. "Gotcha" parsing of official statements is not an important tool in this fight.
Personally I find ridiculous the notion that proud public figures will feel less ashamed technically not lying than actually bald-faced lying. Either way, you've sacrificed public credibility. So the whole discussion of "is this really a denial?" is uninteresting to me.
Assuming the program is classified, and assuming that Zuckerberg has a security clearance, then under federal law he would potentially be eligible for the death penalty if he were to confirm the existence of the program.
And the answer is "a myriad of different phrasings could have expressed the same content. English, even encumbered by lawyers, is like that."
Amazing how all of them, to a company, are using the "direct access" phrase.
Plausible deniability for the whole world to see along with the revelation of the biggest spying operation in history.
The strange thing is that just having a presentation is usually not enough for the HN crowd. If it would have been, I would never have to execute on any of my ideas beyond the presentation stage. Personally, I really don't think someone making a presentation is really evidence of anything.
I'm really not sure why HNers reacted differently in this instance though.
Because the government has admitted it.
LP: "...we have not joined any program that would give the U.S. government—or any other government—direct access to our servers."
MZ: "...Facebook is not and has never been part of any program to give the US or any other government direct access to our servers."
LP: "... we provide user data to governments only in accordance with the law."
MZ: "we... always follow the correct processes and all applicable laws."
LP: "...we have long believed—there needs to be a more transparent approach."
MZ: "We strongly encourage all governments to be much more transparent..."
It almost looks like they are reading from a template or script!
It's almost like someone is telling HN readers what to say...
He says explicitly Facebook is not providing information or metadata "in bulk", which seems to contradict the Guardian article ("direct access").
> We have never received a blanket request or court order from any government agency asking for information or metadata in bulk
> When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law.
Personally, I believe Larry and Zuck, but the statements themselves are really weird.
2. "We hadn't even heard of PRISM before yesterday."
Somehow I doubt that the National Security Agency is in the habit of telling companies that they work with the names they use for projects internally.
3. "we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure."
This doesn't preclude the idea that the government accesses more Facebook user data than the general public might realize under current law. Facebook can provide large volumes of info as the PRISM slides suggest if it is indeed lawful, and this statement would not be a lie. It hinges on what exactly is "required by law", or more precisely, what is allowed under the current interpretation of the law.
> When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law.
So no back door at FB, because the front door is open to secret courts signing the secret subpoenas to do secret things.
I realize that statement implies that no one from government can go into the private sector without it suddenly becoming a conspiracy theory, but in this particular case the link is especially concerning.
"to give the US, or any other government, or any third party intermediary, direct or indirect access to our servers or our users' data"
I mean come on, I've never taken a single lesson in legal or PR and even I can see the big huge holes. They insist on direct access, they insist on servers rather than data and they insist on governments.
And that's not even taking into account the fact that most of those sentences are the same copy pasted text that we saw in Larry Page's message. If you want to make it sound like a personal message from the founder, maybe don't speak like a drone ...
> Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.
We have however set up a tap that mirrors all traffic to Facebook to NSA servers, and we've given them the certificate to decrypt that traffic.
> We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received.
Instead, we were requested to provide our SSL certificate and to install some hardware in our data center. We never handed over any data ourselves.
> And if we did, we would fight it aggressively.
Too much work to provide all that data. Best to just give them a mirrored PHY stream.
> We hadn't even heard of PRISM before yesterday.
We didn't know _what_ the program was called; they never told us, specifically for plausible deniability reasons.
Technically, they didn't ask for user data, they asked for a hardware interconnect and a private key.
> We will continue fighting aggressively to keep your information safe and secure.
Our lawyers made us say this. C'mon, we're Facebook, what do you expect?
> We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It's the only way to protect everyone's civil liberties and create the safe and free society we all want over the long term.
Good God, what have we done?! We're under an NSL, can't you tell that, people?!
The cynic in me wants to believe the coincidence is because Facebook has equally good lawyers as Google.
The more cynical me wants to believe that Google has good lawyers and Facebook's lawyers, although perhaps as good, find it easier to plagiarize. :P
> I have no idea what you're talking about.
> We only give access when absolutely necessary within the confines of the law.
> We're on our customers' side.
Now some of the terms such as "direct access" are eerily familiar, I'll give you that, but the message being conveyed and the order it's formed wouldn't be enough to surprise me on its own and the guys working PR for these orgs are probably pretty inbred. Still, it is interesting.
This is just a possibility - I tend to believe the companies are simply lying. But it is possible.
"400 billion Tweets and not one useful bit of data was ever transmitted"
If PRISM is indeed a "prism", that is, a network-level dump, duplicate RAW of data, then there is no direct access involved.
I don't think you can have both. Freedom has to be paid for, and the only currency it'll take is blood. If we're unwilling to pay that price then I guess we won't have freedom.
Also, I'm not sure I'd want freedom regulated by Facebook, where bare breasts in centuries-old paintings are forbidden or jokes have to pass a censoring committee.
I don't trust Zuckerberg, I don't trust Larry Page, hell, I wouldn't trust you either if you had to respond.
I'm thinking all these companies are legally being forced to give up data and provide direct access to some kind of third party company, which in turn works with the NSA.
It's pretty clear Google, Facebook, Apple, etc. can't just come out and say they're doing this. They're choosing their words very carefully.
1. If you are asked about it, you will deny it, and LIE about it. They actually tell you to lie.
2. If you break the contract you will be destroyed, and everyone you know will be destroyed.
Ask a senior member of the military how this stuff works.