Mark Zuckerberg addresses PRISM (facebook.com)
412 points by cbrsch on June 7, 2013 | 282 comments

Look at the two writeups (Zuckerberg's and Page's) side by side. Each has 4 paragraphs. Each of the pairs of paragraphs addresses the same thing.

1st paragraph: we wanted to respond to these claims. 2nd paragraph: never heard of PRISM, don't give direct access. 3rd paragraph: each request goes through legal channels. 4th paragraph: encourage governments to be more transparent.


EDIT: It gets worse. Here's Apple: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."

Here's Paltalk: "We have not heard of PRISM. Paltalk exercises extreme care to protect and secure users’ data, only responding to court orders as required to by law. Paltalk does not provide any government agency with direct access to its servers."

Here's AOL: "We do not have any knowledge of the PRISM program. We do not disclose user information to government agencies without a court order, subpoena or formal legal process, nor do we provide any government agency with access to our servers."

And here's Yahoo: "We do not provide the government with direct access to our servers, systems, or network."

Microsoft refused to issue a direct denial of involvement in PRISM.

I'm not impressed. Most press releases have only a handful of paragraphs. I'd believe it was common to go over the topics of "What We're Talking About, What We Deny, What We Affirm, and How It Could Be Better."

It may look impressive that they all say they don't allow "direct access to servers", but it's hardly surprising, since the original Guardian headline[1] was "Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook". If they didn't say that exactly, you'd be suspicious.

It may look impressive that they all say they "haven't heard of PRISM," but this is really quite a natural thing to say if it's true, and someone accuses you of being involved in the program.

Moreover, aside from the "direct access" thing, the phrases they all use are actually different. "We have not heard of PRISM" in one case, "We have never heard of PRISM" in another, "We had not heard of a program called PRISM until yesterday," in a third, and so forth. You don't have any case for funny business based on similar wording (because it isn't), and the case for contamination based on similar content would be a whole lot more impressive if that content weren't something common and expected.

On the whole, I think the similarities have plausible mundane explanations. Admittedly, I am no student of accidental plagiarism. I don't have an academic opinion on how similar or dissimilar we should expect the statements to be when ten people try to say the same thing in response to the same accusation. But that is just my point: if you want to persuade me of something so preposterous as that all of these people are following a script, you're going to have to do more than wave your hands and say, "Look, there are similarities."

Please. That's the stuff of superstition. If you want to convince me the probability of this occurring at random is low, you're going to have to do some math.

[1] http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...

Or all these companies are intentionally making similar press releases in hopes people will catch on that they're being coerced into denying involvement. This way they're (assuming they have one) fulfilling their denial obligation with the NSA, yet still are protesting what they don't actually want to be doing.

The real issue, IMHO, isn't whether or not the companies are participating in PRISM or any similar program – yes, it'd be problematic if they are – but yes or no, the fact that we can so easily be suspicious of our government is much, much more telling about the state of democracy and society in the United States of America. We've seen enough to be unable to trust, regardless of ground truth in this case.

My guess is they all got the same template of what they're allowed to say. With something this sensitive the language is very important, especially for public company communications.

So imagine Larry Page or Mark Zuckerberg comes out and admits it. Do you think they end up in federal prison?

Yes. There's no point in being a billionaire high-tech visionary if you're stuck behind bars on treason charges.

To us he'd be a hero, to the rest of America he's just helped out terrorists by coming clean.

If you want to see how it is really done, look at Russia - people that have money get charged with money things. You have tax audits, labor laws audits, financial compliance audits, whatever. With 2000-page laws and over 50 new federal crimes added to the statutes every year, I'm sure if you need it you can find it. I'm not saying Obama is there yet - I really hope not - but the technology is there. Nixon was impeached in part for using it, and Obama could use it too and there's some evidence it is being used here and there, even though no evidence yet it is used systematically by the highest branches of government. But it is there, and it works.

I don't think it would happen. It would be a disaster and a scandal for any administration to pursue such charges against someone so high profile.

Who's to say they would pursue those charges? Why do they have to even disclose why they nabbed them? Under the PATRIOT act they can make anyone disappear without justification. Obviously if they're committing treason they could figure out any number of ways to make it happen.

Julian Assange is pretty high profile, considered a journalist by many, has run an organisation that exposed many legitimate scandals, etc. Celebrities also go to prison quite often.

The law _should_ apply to everyone.

Dude, if someone at that level gets jailed, it wouldn't be treason. It'd be insider trading, or perhaps something less palatable.

Why make it above the table like that? The NSA has all the data they need to blackmail and intimidate these people at the very least.

I wonder what Sergey thinks of all this.

About whistleblowers, The Guardian[1] warned:

...the tactic of the US government has been to attack and demonize whistleblowers as a means of distracting attention from their own exposed wrongdoing and destroying the credibility of the messenger so that everyone tunes out the message.

According to the same article:

...Obama prosecutes whistleblowers at double the number of all previous presidents COMBINED

The US government could easily and expertly discredit any whistleblower CEO with trumped-up tax evasion charges.

[1] http://m.guardian.co.uk/commentisfree/2013/jun/07/whistleblo...

Yes. The uniformity of their responses is too similar to ignore or dismiss. It's chilling to read. It's a big fat hint to anyone not already drunk on the kool-aid that the NSA is coercing them to lie.

They couldn't say it louder if they used a bullhorn.

why the day-old account?

> Most press releases have only a handful of paragraphs

Are you surprised? High profile figures are going to want their statements to say exactly what they mean to say, and no more, no less. This means vetting, and keeping it concise helps when your timeframe is "same day".

The implication that there is some central figure behind this giving these companies scripts to read meets the most common flaw of governmental conspiracy theories. It requires the government to be simultaneously incredibly competent and incompetent. If the NSA was able to keep this project under wraps for so long with the number of people involved, I think they would be smart enough to at least slightly alter the words of their puppets, after all this is supposed to be the area of their expertise.

You're wrong, it does not require that they be incredibly competent, not in the least.

It requires that they coordinated with the companies PR departments in the process of setting up the program. The companies asked: what if the shit hits the fan, or this comes out in the public, what do we say? And the government had a simple, boilerplate answer for it.

You wouldn't even have to work with the PR dept, just one single person. Either a special rep in PR for government matters, or just the CEO himself. It would take 5 minutes to put together a generalized script for the CEO to follow in the event this hit the public news.

This (the PR response) would be extraordinarily easy to coordinate, and it would take just one conversation at the point the program was signed on to by the companies.

And when this all became public, the company could also easily then call up the US Government and ask them what to do (and more than likely, the NSA could call them and tell them what to do).

Let me be more clear. The part that requires competence is everything up to the leak. Given the scope, keeping this quiet is no small task. It isn't just keeping the people who know about this from talking. It is also preventing other people from finding out. Depending on the way they theoretically got this data, that could stretch from keeping this hidden directly in the code base at Facebook to hiding huge amounts of traffic emanating from Facebook's data centers. Remember a lot of these tech companies helped recognize and locate likely Chinese sponsored government hackers in the past. If someone is doing something they aren't supposed to, a lot of people are going to find out about it.

The part that requires incompetence is everything that has happened today. The NSA's job is intelligence. They are the experts in connecting dots, reading between the lines, seeing how random events might be a sign of something bigger, and whatever other cliches you want to throw in here. Yet they are an organization that doesn't know that having people reading from nearly identical scripts will make people think they are reading from nearly identical scripts?

It's not difficult to keep something quiet when the consequences are that you violate national security and go to prison.

Senator Wyden has openly talked about how he wanted to say something about these programs, and even now he can't reveal details of what's going on because it would violate national security and he'd probably be put in prison or at the least removed from Congress.

The overall fact that the NSA has been reading our email, tracking us on Facebook, tapping our phones, etc. has not been kept quiet. Exact details are far more difficult to come by, even now those are classified. The IRS was talking about their right to read our email four years ago. The IRS has no known infrastructure to pull that off, it's clear they were talking about NSA or FBI programs.

As someone else noted, the government is very frequently both competent and incompetent when performing tasks or running programs. There's nothing unusual about that, you see it throughout the government bureaucracy. Sometimes they pull off impressive feats that you only read about decades later, and other times they're Nixon trying to cover up Watergate.

> The IRS was talking about their right to read our email four years ago. The IRS has no known infrastructure to pull that off, it's clear they were talking about NSA or FBI programs.

I seem to remember that this was about their ability to just walk up to Google and request someone's emails without a warrant of any sort. There's no implication that it has to be related to some NSA or FBI program. Assuming that the NSA has every email ever written in storage, I doubt that they would coordinate with something as 'mundane' as IRS tax collection. They are a spy agency after all, and their purview is National Security.

>Senator Wyden has openly talked about how he wanted to say something about these programs, and even now he can't reveal details of what's going on because it would violate national security and he'd probably be put in prison or at the least removed from Congress.

Which is complete bullshit of course. Mike Gravel anyone?

> Given the scope, keeping this quiet is no small task.

Rumors of widespread data collection -- even specifically by the NSA -- from many of the providers at issue have surfaced many times, what was new recently is the same (or substantially similar) bits of documentary evidence substantiating and connecting those rumors.

So, to all appearances, it may not really have been "kept quiet" up until the recent leak, it was just that the information that got out before wasn't as well-supported and therefore hard to dismiss.

That implies the same people who architected this are responsible for the damage control... highly doubtful. The press releases & language reeks of one thing... Lawyers.

>The implication that there is some central figure behind this giving these companies scripts to read meets the most common flaw of governmental conspiracy theories. It requires the government to be simultaneously incredibly competent and incompetent.

Which is exactly what governments are.

Extreme resources, very smart people, and very idiot people, incompetent bureaucrats, messy cover-ups, all co-exist, all the time.

What did you think they were? Incredibly competent XOR incredibly incompetent? (Only the first would be a conspiracy theory, whereas only the second would be gross underestimation).

>If the NSA was able to keep this project under wraps for so long with the number of people involved, I think they would be smart enough to at least slightly alter the words of their puppets, after all this is supposed to be the area of their expertise.

You've never seen badly (or too fast) done spin work?

Not to mention, why would the NSA care to spend too much effort on how those things were phrased?

If you think it matters, I'm afraid, you give the American public too much credit. It's not like it's gonna get suspicious by such small and peripheral signs. Listening to and accepting bad arguments, BS excuses, fake promises, and shit from politicians is what people are doing all their life.

And it's not even like they're gonna do anything about the core situation with regards to privacy. It's just the "hot topic" of the day, to be forgotten for some BS next week. You surely don't expect some kind of revolt or anything? If that was to be, it would have been at the other 20 similar media expositions or against the horrible laws that have been passed openly.

> If you think it matters, I'm afraid, you give the American public too much credit.

Not just the American public. This is blanket spying on the people of the world. Now that might sound less problematic for Americans who want to see those pesky terrorists brought to justice, but it also allows the NSA to build up profiles on everyone.

US border security is already a nightmare, god knows what they can do with this kind of information. Ever searched for torrents on Google? Your next trip to the States might be interesting.

It seems also they could be sharing this data with other national security agencies, which is where this gets really scary:


Global Big Brother.

Personally as a user of Gmail, Skydrive, GDrive, Dropbox, Facebook,... I find this incredibly disturbing. I will be doing whatever I can to remove my dependency on any service hosted in the US.

Give me a break. Every other country is spying on every other country. Nobody gives a shit if you torrented a movie.

Nobody gives a shit until the government has some beef with you. Then it becomes the crime of the century.

Actually, no, "every other country is" NOT "spying on every other country".

You think Belgium or France or Poland spies on US citizens' phone calls and Google/FB? Inside the US?

As for "Nobody gives a shit if you torrented a movie", first, we're not talking about Joe Average, that downloads GoT in rural Idaho. We're talking about people that matter to society: writers, investigative journalists, dissidents, hackers, activists, etc. They cared very much what A. Swartz did, for example.

Second, even normal people, downloading a "torrented movie" have been hit with huge fines by RIAA.

Oh, so it's all OK then. Thanks for putting my mind at ease. I realise now that blanket collection of data could never be misused in the way I describe because "nobody gives a shit".

Things done in haste tend to look like this. It is almost absurd to think that every company mentioned somehow came up with the same statement by chance.

We've had this same conspiracy appear a number of times.

It isn't chance that their statements look similar: You can be absolutely sure that each looked to the other for some sort of direction, and once that came they followed the leader simply because it makes sense.

Even excluding that, really how many variations could there possibly be? Someone said you did something illegal. Say "no I didn't do something illegal, and everything I have done has been above the board and transparent". Do the same thing to twenty people and you would get remarkably similar statements, because a response can only come in so many forms.

We see Eglin's sockpuppets all the time on reddit, they are actually pretty easy to spot.

The airforce base has sock puppets?

I think he's talking about this: http://www.guardian.co.uk/technology/2011/mar/17/us-spy-oper...

and citing this http://blog.reddit.com/2013/05/get-ready-for-global-reddit-m...

where it shows:

Most addicted city (over 100k visits total) Eglin Air Force Base, FL

That's news to me. And it would also explain why the spy scandal is pretty much a non-story on Reddit.

At the moment all there is on the front page are 2 stories on Greenwald and some "collecting anti surveillance arguments thread".

I guess after their role in promoting the anti-SOPA movement they got some "special attention."

Basically, yes - it's been confirmed that they have a shit-ton of traffic to reddit from Eglin, and the rumor is the HBGary scandal is related to this as they do a lot of online "sentiment shaping" from there.

Isn't the standard denial required of NSLs (http://en.wikipedia.org/wiki/National_security_letter)? Could it be possible that the NSA is using an FBI trick to remain legal and quiet?

> The implication that there is some central figure behind this giving these companies scripts to read meets the most common flaw of governmental conspiracy theories.

Oh come on. We all know that it's Agent Phil Coulson of SHIELD that's doing this. "This isn't my first rodeo," he said.

> The implication that there is some central figure behind this giving these companies scripts to read meets the most common flaw of governmental conspiracy theories.

Isn't that the definition of a government conspiracy?

It's actually quite conceivable that there was a first-line response memo crafted by a NSA/government official, that was sent out to the companies in question. What the NSA might not have expected is that the receivers decided to stick to the template so closely.

It's even possible that the companies coordinated their press releases for the very purpose of raising questions. We shouldn't assume they are all isolated from one another. It's far more likely that there is some form of communication going on between them, or at least between the high officials.

In essence, this looks very much like a coordinated effort to rebel against a gag order without actually crossing the line and putting oneself in jeopardy. Read between the lines.

PG made a post on Twitter about the Yahoo and Apple quotes being similar, but I initially thought it was probably due to the way the journalist asked the question. The similarity between these two does suggest something else is happening.

Many people are going to jump to the conclusion that it's because they were following the same broad script, but another possibility is that they want people to notice the similarities and become more upset about PRISM.

>>..another possibility is that they want people to notice the similarities and become more upset about PRISM.

Ah, that makes sense, if they are under a gag order, but yet want to subtly convey that they are under a gag order! It would be a brilliant way of circumventing it.

Realistically though, can you imagine there being so many CEOs knowing that this thing is going on and being forced to lie about it, and not one of them spilling the beans?

Even if the gov tries to arrest them for leaking classified information, they'd be near-impossible to convict following the inevitable massive public outcry.

You don't get to be CEO unless you can learn to lie & keep secrets.

OTOH, I'm more skeptical about the implementation side. Have you ever set up a feed between two different organizations that needs to transmit a massive amount of data in real-time? It's an immensely complicated undertaking requiring a whole team on both sides, with managers, engineers, techwriters, QA, and support staff. It seems a little unbelievable to me that one of them wouldn't spill the beans, particularly if asked to participate in a morally-questionable program.

Yeah, there is very little chance of CEOs leaking. The obligation they feel most is their obligation to the interests of their company. It definitely wouldn't be in a company's interests to rebel against the government of the country in which the company is headquartered.

Implementation side would definitely be very difficult, but you could screen the candidates for those who are sympathetic toward it. Ensure they understand how important it is that the program stays secret. Keep retention high, and perhaps even have some ongoing benefits for any employees who do churn but were part of the program. It definitely wouldn't be easy, but I think it is doable.

With a technical field, though, you have the added constraint that you need people who are familiar with the technology involved. At the low-level infrastructure level of a company like Google or Facebook, that might number in the dozens-to-hundreds - not exactly a huge pool to choose from, particularly when implementation will require quite a few people. And you need someone to do the choosing who can both be trusted by the government and knows all the people with the relevant technical skills.

There's also the issue of how to hide the source code (to my knowledge, both Google and Facebook use one source repository for the whole company, to which virtually everyone has access). This can be gotten around - I'm sure that there are private repositories off to the side that you could use to build a binary - but this is yet another integration point that could be discovered. (Eg. some SRE notices that network bandwidth is high for a DC, traces it to a machine, notices the machine is consuming a large amount of CPU, gets root and runs 'top', and suddenly notices an unknown process siphoning off all data. At this point, how could they not assume their network is being attacked - because that's really what this is, the U.S. government hacking into the company's DCs - and pull the alarm? So all the SREs, abuse teams, internal security, etc. would have to be briefed, which is small compared to the whole company but still a huge surface area for a top-secret project.)

>"You don't get to be CEO unless you can learn to lie & keep secrets."

That doesn't actually answer the parent's question. What is the likelihood that a bunch of tech leaders would know about this and it wouldn't get out? That any group of people wouldn't let this out?

I agree with the latter half of your comment, but the first sentence is as powerful as saying, "The only way to keep a secret between three people is if two of them are dead."

They both sound like ominous truths, but neither is a particularly compelling argument.

>Even if the gov tries to arrest them for leaking classified information, they'd be near-impossible to convict following the inevitable massive public outcry.

It's not about arresting them. It's about harassing them and their businesses -- which the government can very easily do.

Also, who said those kind of CEOs are champions of public freedom? Google? Microsoft? Facebook? Because they're techies they're supposed to be "on our side"?

Not to mention it's very easy for the government to pamper them, and make them feel very patriotic and whatever for contributing to this cause for the safety of the US, etc etc.

CEOs and public figures? Definitely, if the NSA and similar agencies had the power to label them as traitors and / or terrorists (with all due consequences) and/or destroy their companies.

I agree, and this is the exact same reason why 9/11 conspiracy theorists have such a weak argument: of the 535 representatives in Congress, NOT ONE spoke up and said it was an inside job? Or any of their interns, assistants, etc.

On the flip side, hundreds of people got NSLs and effectively kept them a secret for years before it came out.

Someone correct me if I'm wrong, but you can admit to a gag order being placed on you. As in, FB and Google would be totally entitled to say "there is a gag order preventing us from going into this". So they don't need to convey anything.

You're wrong on this one sadly.

If you receive a national security letter, you are not allowed to tell anyone (not your family, not your lawyer, not anyone).

If you break the life-long gag order, you go to jail for up to 5 years.


Hundreds of thousands of these have been issued, and the above story (about the owner of an ISP) is one of the few cases where someone fought back and won the right to speak about it.

You can't even tell your lawyer?!

That can't be constitutional. The government has no right to even know whether you told your lawyer or not.

Welcome to the PATRIOT act. There's a reason people are pissed about it.

Aha. Thank you for citing a source on this one. I still wonder though, if your involvement has been directly leaked, whether you are able to confirm the existence of it. I suppose it wouldn't be a course of action any lawyer recommends.

Particularly at the rate the Obama Admin has been prosecuting people on leaks, there's little question it would still be very advisable to err on the side of extreme caution.

> Someone correct me if I'm wrong, but you can admit to a gag order being placed on you.

At least sometimes that is the case, though I don't know if it generally is.

If you have been authorized to have access to classified information, such as (if one accepts the authenticity of the presentation that the Guardian and WaPo have reported on) even the existence of PRISM, on the other hand, there are fairly substantial legal consequences to unauthorized divulgence of that information, and those consequences don't necessarily go away because someone else gave out the information first.

No, they can't admit if there's a gag order in place by the NSA.

That doesn't seem likely to me. If you want to let the truth be known, but you feel so much under the gun that you issue not just a minimum-compliance false statement but a fulsome one under your own name, would you really feel safe contacting a bunch of other Silicon Valley CEOs to co-ordinate such a subtle but intentional secret message?

The last part in each, the part about transparency, makes me think that it is possible they all decided to co-ordinate an intentional not secret message: they think there should be more transparency.

Sure: it seems possible that these statements are co-ordinated, but instead of being false or deceptive statements co-ordinated by a three-letter agency they're truthful or largely truthful statements co-ordinated by the tech companies' PR departments, and the close similarities are designed to amplify a message the companies agreed among themselves. Of course, under the circumstances the similarity looks suspicious, but it seems possible that could be an unintentional blunder rather than a genuine sign of guilt.

Agreed...unlikely. But I will say this jokingly...if they were coordinating, they might not be using Verizon to do so. ;)

Actually they wouldn't necessarily need to coordinate. If Google posted first and Zuck wanted to cause this phenomenon, the Facebook post just needs to mirror the Google one. No communication with Google required.

What's most likely is that a PR person in companies B, C and D read the first PR piece from company A, deemed it acceptable and followed it with something similar.

We could go one deeper and consider the possibility that they wanted us to think that they were trying to signal something to us with the similar statements so they would have our goodwill. I feel like Lawrence Pritchard Waterhouse.

Wouldn't Occam's Razor instead suggest that since the Page statement was much earlier that Zuckerberg or whoever wrote this (probably not Mark) just copied the style of Page's statement semi-intentionally? They'd almost certainly have read it.

>Wouldn't Occam's Razor instead suggest that since the Page statement was much earlier that Zuckerberg or whoever wrote this (probably not Mark) just copied the style of Page's statement semi-intentionally? They'd almost certainly have read it.

No, that's not Occam's Razor. That's "naive believer in government that's willing to ignore all the facts Razor".

Occam's Razor tells us that when some companies participate in a covert secret services program which is brought to light, then the secret services coordinate damage control and tell them what they are allowed to say to the press and what not.

Precisely this. It's really sad to see the sheer volume of conspiracy-theorizing going on around HN.

It's also sad to see the immediate dismissal of alternate story lines even after this discovery.

A conspiracy was just uncovered... and we're concerned about conspiracy-theorizing? The word itself has been dragged through the mud to the point of becoming a dismissing scare tactic, it basically translates to "crazy person, crazy ideas".

Basically, if your story doesn't match the official conspiracy theory given by the government and the companies that work for it, then you must be a conspiracy theorist...

Life is comedy.

I've been called a conspiracy theorist enough, I wear it as a badge of honor now. I'm not one of these anti-vaccine, anti-GMO Glenn Beck-style conspiracy theorists.

No, just one that accepts there are most certainly things going on behind closed doors the public is not privy to, which is all the definition of a conspiracy is.

People say, "you are a conspiracy theorist" or a "tin foil hat wearer" in an attempt to discredit what you say. The government doesn't need paid goons to sleuth on the internet to defend them, there are armies of people just waiting to comment on how stupid we all are for challenging the government positions/laws. The battle is already lost in the mind of the average American.

Even though this is an actual conspiracy between the government and several large Internet companies?

> Even though this is an actual conspiracy between the government and several large Internet companies?

If it's a conspiracy, what's the common goal? There's nothing in it for the companies involved. You might just as well say rape is a conspiracy between the rapist and the victim.

>If it's a conspiracy, what's the common goal?

A conspiracy doesn't have to have a common goal between all parties. What kind of bizarro logic did you use to reach that conclusion? People and companies can conspire with others against their will, you know. E.g., I blackmail you in order to conspire with me to steal valuable data from your employer, etc.

The goals are set by the NSA, and the tech companies could not care less about them. They agree to conspire (i.e. help the NSA) though, because there would be other consequences if they did not. From prosecution from the government, to under the table blackmail, etc.

wow - a rape analogy? Really?

I'm pretty sure that's it, especially given the call for 'greater transparency'.

That one is definitely optional and would not be part of any scripted response, the fact that a large number of the statements have this exact same optional closing paragraph suggests they are inspired by a common source.

If he were free to say what he wants, he would intentionally try to write the statement in a different style and with different words, so as not to give the impression that the statements are scripted.

This is what a student would do when they want to do homework fast and don't want to give much thought about it. I don't think this is the case here.

It's almost as if they all had their lawyers write these statements, who then wrote it in the predictable, stylized, way lawyers do.

You're raining on someone's conspiracy parade, there.

I looked at these very carefully and slowly, looking for signs of shared authorship or template structure, and the only structures I could find were those practically dictated.

This being said, if you read it more closely what they say is actually quite a bit more damning. Read closely, the denial is actually entirely nonsensical.

Both deny involvement in "PRISM" but both then go on to mistakenly identify PRISM with the Verizon order. Page says he learned about it when Greenwald broke the story (Greenwald broke the Verizon story, the Washington Post broke the PRISM story). Zuckerberg similarly talks about metadata significantly.

In essence it is a bait and switch. Sort of like "I wasn't at work yesterday. I can show this because I didn't go on vacation."

The Norwegians have a story called "Good day fellow. Ax handle" which would be a fair summary of what is going on here. The story is about an old deaf ferryman who is deep in debt and left all alone to face the bailiff. So he thinks about all the questions he will face and answers he will give, but when the bailiff comes to ask directions to the inn, he gives answers that are entirely humorous.

Things like:

"Where is your wife?" asked the bailiff (hoping to find someone less confused).

"I am going to tar her. She's lying down on the beach, cracked up at both ends." Replied the ferryman (thinking he was being asked about his boat).

You're getting a lot of flak, but I immediately noticed the same thing.

Google: "we have not joined any program that would give the U.S. government—or any other government—direct access to our servers"

FB: "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers."

Google: "We had not heard of a program called PRISM until yesterday."

FB: "We hadn't even heard of PRISM before yesterday."

Google: "there needs to be a more transparent approach."

FB: "governments to be much more transparent about all programs"

Call me nutty, but this can't be coincidence.

It's definitely not coincidence, but it's important to keep an open mind about all the possibilities.

Participating with government requests doesn't make these companies any money. It must be a major drag, actually. It involves lawyers, tech people, and trying to strike an uncomfortable balance between user trust and trying to persuade a court that a request should be denied.

This might be because they've been given a script, but it might also be because they chose to copy each other. They could copy each other out of not wanting to be "the odd one out." Any company that puts out a statement much different from the others risks being trusted less than the others. They could copy each other because they want people to jump to the conclusion that the government gave them a script (even if they didn't) so that people get more pissed than they already are.

As others have pointed out, the similarity could also be because the PR/lawyer response to this is so cookie cutter. I think the "not wanting to be the odd one out" would be the #1 mundane reason, though.

This is the first thing I noticed. It really scares me as well. I put more of my trust in Google, and perhaps even Facebook, than I place in the Gov. or the phone companies and others. However, these definitely look like they are created from the same template. Very worrying coming from Page and Zuckerberg like this at the exact same time. I just hope there really isn't a man behind the curtain pulling the strings of such powerful figures in technology today.

I hope someone can find out if possibly these CEOs met yesterday. Perhaps they decided to try and come up with a uniform and consistent way to respond to this situation, and there wasn't some external source actually able to tell them all what to say. If there is not some kind of explanation such as this I am going to have to rethink how much trust I can have in such huge companies with no real clue about who is really controlling the show.

I call convergent evolution on this one. A convex optimization problem. It's the simplest explanation. They need a broadly accessible response, so that gives like what 2000 words? By the time you account for the various pits of contradiction, handwash to some sufficiently nebulous concept of indirect access; all while the government breathes down your back, the outraged crowd bustles for explanations and a gaggle of lawyers dog your every step like a herd of bumper cars, you have basically 6 or 7 words left in your vocabulary and only one way to string them into a sentence. Before proceeding to inflate into paragraphs from a very limited palette of legalese sanctioned fluff.

The collusion/double speak/puppeteering or game theoretic layered messaging within a secretly orchestrated gag conspiracy are plausible but I'd prefer to wait for more evidence before I accept Facebook and Google are complicit or prisoners to that. That doesn't mean I think they are either of them blindingly righteous beacons of morality (or even chipped and dulled pyrite morality for that matter), just that the implications of the scenario (democracy canceled xor executives willfully distorting the donut of truth into a mug) are hard to believe.


You seem to be suggesting one of two things. Either:

1) The heads of these companies had a conference call this morning and agreed on a 4-paragraph format, with specific points for each paragraph.

Or 2) The federal government instructed each company to respond today, with a 4-paragraph point-by-point, and then Larry and Mark obediently complied.


It's not ludicrous at all that the companies were given basic PR instruction when they signed on, in the case of being asked about the program. In fact, that's exactly what would occur.

What's ludicrous is thinking the Feds are tapping every major telecom provider, but wouldn't do the same to Facebook / Google / Apple / Microsoft. These companies are collectively vastly more important than AT&T and Verizon, worth about a cool trillion dollars, and now make up a huge portion of the data infrastructure for American consumers.

A spy is given instructions in case of interrogation by the enemy. Why wouldn't a $250 billion corporation be given instruction in case one of the largest spying systems in history hits the public news? It's absurd to think they wouldn't be.


Are you kidding me?

In any case of accidental exposure of a covert government operation involving many such parties, there would be instructions how to handle the media.

Those could be known in advance (at least for some cases), or they would get a call in case of emergency with instructions on what they are allowed to reveal and how to say it.

It's not different than what would happen at a multinational if there was some embarrassing incident related to one branch (e.g a costly in human lives accident). The legal/marketing team would reach to each branch pronto, with instructions what to say to the media. So, if the media get the manager of the, say, Canadian, branch, he would say more or less what the manager of the German branch would tell to his media.

The only "ludicrous" thing is your misplaced scepticism -- as if this thing isn't both obvious and something that's standard practice to media handling from entities of any scale...

More likely would be that the NSA (or whoever) gave all the involved companies the same standard talking points, either in the past few hours/days or years ago when each company "joined" the program, and each company loosely paraphrased those same talking points. Having all the companies issue the same denial at the same time was probably not anticipated, so they didn't coordinate with each other to avoid sounding like they're all parroting the same talking points.

I think that explanation strikes an appropriate balance of competence and incompetence.

Or some copied the others.

Could Zuckerberg's statement have been "inspired" by Google's? Did any other companies release similar statements?

In college, after we'd submit a programming assignment, our code was run through a program to test for plagiarism of another student's code. Can we run the same analysis on these announcements?

Something like this? http://churnalism.com/

They have good lawyers who come to similar conclusions how to formulate these statements from a legal and PR perspective.

Totally integrated corporate-state repression of dissent

what could go wrong? http://s3.amazonaws.com/dk-production/images/14030/large/Occ...

Could you explain what exactly that is?

I might be wrong, but I believe it is a section of the leaked document that discussed using a sniper to kill leaders of Occupy movements.

That is correct. Blackwater working for DHS essentially.

Need a generic PRISM involvement denial statement? Well you're in luck:


Microsoft did directly deny being in a widescale program - it's here:


"If the government has a broader voluntary national security program to gather customer data we don’t participate in it."

-priceless. Of course they wouldn't participate in such a thing voluntarily, can you imagine how expensive that would be...

No, they didn't deny anything meaningful.

An NSA program like this would not be voluntary.

They don't participate in any "voluntary" programs.

Isn't a possibility just that they are using the same PR template, or that one looked at the other as they were responding? They are remarkably similar, but if you were the PR person at a company isn't that exactly what you would say as well?

Those responses are eerily close, and both Zuckerberg's and Page's responses do not address a key question: Do their companies run queries over users' data to answer questions that the state is willing to pay/force to get?

The value of the data inside Facebook would actually go down if it was transferred out of Facebook. It's much better if Facebook themselves would run the query (like they normally do with advertisement), and provide the NSA with either a summary or webbugs/custom code in form of targeted images (advertisement) sent to those the NSA is interested in.

Copying massive data would not just be logistically hard, it would need to be constantly updated. The simplest answer is that "direct access" simply means NSA provided queries that Google/Facebook run at "request". No need for backdoors.

This phrase 'direct access' -- I wouldn't assume, if there exists something like PRISM, that it would have 'direct access' to anybody's servers. More likely, the data would be given from a company TO PRISM.

You could even argue that an API would not be 'direct access'

You could argue that anything not physical would not be 'direct access'.

I'd be curious to know if either Page or Zuckerberg met with Obama while he was in SV last night.

Whoa, spooky.

First thing I noticed was really the fact that it took these companies so long to put these statements out there, in Mark's case less than an hour ago as of the time of this posting.

Personally, if someone accused my company of giving customer data to the government, and a large segment of my users believed these claims, then I would switch to damage control mode and send a statement out within 6 hours at the most.

Then again, I suppose if you sent out a statement too soon, then people might think that you knew in advance about the leak.

Well, anyway, the weirdness I observed pales in comparison to the odd coincidence you discovered.

This is the exact same thing that sprung to my mind as soon as I read the testimonies. They sound too homogeneous; too staged and rehearsed to be genuine.

I wish somebody had the guts to be a hero. We need more of them.

I want them to say not only 'direct' access but also no third parties between them and the government. None have said that...

I agree with you!

I feel these statements are for the fans of these companies that want to hear it to believe it and quick to dismiss it.

Personally: I got in trouble with Google in '08 and yet I still use their products even assuming that I am probably monitored or easily creating a gov profile that can easily be subpoenaed (or given just b/c they may not like me).

I think all companies followed the government supplied script on purpose. To alert public that it was a govt supplied script and that they still have gag orders. They expected people to see a pattern - this is the best that they could do, given the handcuffs they are wearing.

Maybe the official responses by these major companies about the same event were all reviewed by corporate lawyers who all hone in on very similar language and addressable points because it's a tricky statement to make and there are few ways to make it correctly?

That was my initial reaction as well. The "we never heard of PRISM" line is particularly interesting. The Verizon stuff that was leaked mentioned a clause that they can't talk about it so I'm assuming that's the reason.

The message is clear: the government is forcing them to say that. They're resisting by repeating their mandated message verbatim, which is as far as they can go in admitting that it's a lie.

I bet the White House wrote up a response for all companies to follow in light of the NSA leak.

but they are not lying because according to terms of service, you licensed your content to them..... so they are not sharing your content.... they are sharing their content

Maybe they just copied each other's language?

Oh noes, it's a conspiracy!

Each was prepared by the same law / PR firm ... (don't know, could be :) ), or even worse, it is a template written directly by your government ("if you get caught, say that").

The sad truth is most people don't even care ...

The really sad thing I thought when I clicked the link was that over 100k people liked that post.

Oceania had always been at war with Eurasia.

Lawyer-speak tends to be consistent.

I'm now just confused. If I understand it correctly, the government has publicly acknowledged the program and tried to explain how it's "limited and legal," but extant nonetheless. Now the companies are all uniformly denying it. The options:

- The companies are lying.

- The government has infiltrated these companies and developed backdoor access the executive team is unaware of.

- The government is intercepting traffic en-route and doesn't need cooperation of the companies.

- The government is confused on their talking points about what they're confirming here and PRISM has been misinterpreted by the press.

#1 is possible, but implies that there exists a National Security Letter-like mechanism that can coerce this kind of public behavior. I find that unlikely but certainly not impossible; that would definitely be a concerning outcome.

I think #2 is unlikely. There's an interesting passage in the original Washington Post article, though, about how they want to be careful to protect the identities of the cooperating companies so as to not "damage their sources". A simple reading of this is that the companies might pull out if they're publicly exposed as cooperating. However, since they appear capable of coercing cooperation anyway, a slightly more tin-foil-hat reading is that their access is less straightforward than asking Page and Zuckerberg for help.

#3 is probably happening regardless of whatever cooperation the companies are providing. However, if that's the extent of PRISM I think it says interesting things about the likelihood that RSA has fallen. Is that likely? I have no idea. It wouldn't be unprecedented compared to what the NSA and its predecessors have done historically, though. It's worth noting that the NSA hasn't approved asymmetric crypto for protecting classified data. (http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography)

Option #6: PRISM is the NSA-end of an interface to each named company to help automate data collection. The company still grabs the data, still runs each request through their legal team, etc.

But there's no email or fax needed, requests arrive via something like a JSON request and are automatically returned to NSA once the company looks up the requested data.

Company doesn't know NSA calls it PRISM. As far as the company is concerned it's just a bridge from their systems to the NSA for valid law enforcement reasons, why should they care what NSA calls it?

That would also explain why it's so cheap ($20 million). Or rather, why it's so expensive given how little it really is...

There is no way that this is just some nice interface for court ordered collections. Watch the Washington Post video with the (Pulitzer Prize) author Barton Gellman.

Gellman says that "We did hold back quite a bit from this story" and then later goes on to explain the reason the companies joined ... "The law does provide that they can give access and a secret surveillance court can make them give access, but in a situation that you have a clandestine program and a very rich and powerful component ... They don't want to litigate this with Facebook, they don't want a chance of it leaking ... Facebook also being a highly regulated industry, having all kinds of issues with privacy and whatever else doesn't want to antagonize the government, so they negotiate it. Now Apple took .. 5 years .. I don't know what happened, but Microsoft joined in 2007 and Apple didn't do it until the end of 2012."

Unless the author, Gellman, exaggerated the story it is very clear that this is well beyond FISA court ordered surveillance.

If Page's & Zuckerberg's denials are somewhat truthful it means there is a compromise in the traffic streams themselves.

Actually, I think that sounds just like some nice interface.

They have to give access because the law demands it, but they also make it easy for the agency to use. Which for example Twitter does not do.

If the other theory about ISP level data collection would be true, it would make no sense that Twitter and Dropbox are missing and not part of PRISM.

I'm glad you pointed out that the government acknowledged the program. Obama himself did. If I had to guess, there was miscommunication in the government. Somebody ordered the CEOs to lie, and somebody acknowledged the program. I think this is also why the companies' statements are nearly the same, they were either given a script or they are trying to send a message.

Marc Ambinder, a well-respected national security journalist who literally wrote the book on this topic, speculated (or perhaps stated what his sources have told him) how this could work on Twitter earlier tonight. Buzzfeed recapped it here: http://www.buzzfeed.com/jwherrman/direct-access-is-the-defin...

> On the “no direct access” —ISPs push to a separate server the subset of accounts that the FISC order covers; NSA monitors them in real time

> Let’s say court order says “all Yahoo accounts in Pakistan” Yahoo would push those accounts to the server; NSA could watch them in real time

> They’d try & figure who & where the incoming emails were coming from. US persons data minimized automatically if possible (often it’s not).

I may be naive but I have a theory that government officials will defend anything the government does -- regardless of whether the accusations are true.

The NSA PRISM program may not even exist, however the Obama government may be too incensed with the notion of anybody opposing government's encroachment on privacy and civil liberties, and thusly they're hastily defending and deflecting any accusations of wrong-doing.

#3 doesn't necessarily require breaking RSA, just TLS (via fake certificates or something else). Breaking RSA would be pretty interesting though.

SSL/TLS was broken once by breaking MD5. Now if the NSA can break SHA-1 using its numerous known weaknesses (there's a working attack on SHA-1 with 2^52 operations), they can pull off internet-wide MITMing.

It's safe to assume the NSA can easily do way more than 2 petaflops, and they have an exaflop goal, and that would be enough to run known attacks against DES, factor 1024bit RSA moduli ... and if they can compromise just one root CA (which uses 1024bit RSA) they can issue valid certifications of their own and MITM everyone, and none would be the wiser.

And all of this assuming the NSA relies on publicly known weaknesses in SSL/TLS. The matter of the fact is that they have very smart people with access to unlimited resources researching new vulns and actively exploiting them.

Bill Binney has already stated that the NSA does not even need to break online encryption in most cases, since they already have the key(s) in the first place.

#1 - It's really pretty simple. The companies get legal immunity from the government by denying the existence of the program. They already are, no doubt, indemnified. Companies are so risk averse they wouldn't do it without immunity. Disclosing information about the program would violate the conditions of that immunity.

Option #5: They have a program regarding some data acquired in some manner but since it's still classified, even if something is leaked, they're not going to sit down and explain the specifics to everyone. The government's response has been vague at best.

My assumption is some combination of #4 and #5, really.

I would like to believe these reports from Google [1] and Facebook [2], but someone is not telling the truth.

There is evidence that directly contradicts their stories (i.e. The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation – classified as top secret with no distribution to foreign allies – which was apparently used to train intelligence operatives on the capabilities of the program. The document claims "collection directly from the servers" of major US service providers. [3]).

Who are we to believe?

[1] http://googleblog.blogspot.ca/2013/06/what.html

[2] https://www.facebook.com/zuck/posts/10100828955847631

[3] http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...

There is no contradiction if you accept the suggestion from http://financialcryptography.com/mt/archives/001431.html that the NSA got access to this information by planting moles at target companies who then created back doors for the NSA to use.

This would be reasonably easy for the NSA to do, relatively hard for companies to catch, and perfectly explains all published facts.

How are NSLs addressed? I assume to the CEO, but what if one was sent to a departmental VP? Would that VP be permitted, by the NSL, to inform the CEO that the letter had been received?

For that matter, who is the CEO authorized to tell if the CEO got the letter? Obviously they have to be authorized to tell at least enough employees to actually implement the demand.

Google's statement was strong enough to rule out the possibility that either the CEO or chief legal counsel was aware of the existence of NSLs or warrants that are nearly as broad as what Verizon received. Therefore, while they can't say one way or the other whether they receive NSLs, it is a safe inference that Google has not received broad NSLs.

No it wasn't strong enough.

All the companies ruled out is direct access (and Microsoft said is if there's a voluntary program, they're not part of it; they didn't rule out an involuntary program of course).

They did not rule out even something so simple as an API, or another party doing the work for the NSA (which the NSA then taps into, à la the Palantir concept).

We may be thinking of different statements by Google. The one that I am thinking of is at https://plus.google.com/106189723444098348646/posts/A98pnaek.... Specifically this chunk of paragraph 3:

Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Yeah, I'm wondering if "someone down the chain in Gmail got NSL'd" is a possibility or not. I'm not familiar with Google's org chart nor do I know if NSLs are even flexible enough to accomplish such a thing.

If it is possible though, there could perhaps be an NSL that covers "just gmail" that is otherwise as broad as the Verizon one.

The notion that a CEO could be unaware of something like that happening is incredibly disturbing though. I hope that is not possible.

It's not uncommon for an NDA to name specific individuals in company A which could use proprietary information from company B to add features which would be useful to B into company A's product.

The covered persons in A would be just enough to appropriate the necessary budget and deliver the features.

When the VP of Engineering or CEO asked, 'why did we add this particular feature, what's the use case?' the answer was, "If it's business critical that you need to know, we would need to document that and see if you can be added to an NDA."

"An NDA with who?"

"I can't say."

NSLs take this to an entirely different level. Page and Zuck don't have a clue. As soon as the databases were large enough to be useful, the data was in the hands of the NSA. That much should be taken for granted. The more important question has always been "if and how can it be used against you?"

With Obama claiming it's legal and approved by 3 branches, and how widely outside the NSA the data will be shared, the reality of "show me the man, I'll show you the crime" has never been truer.

I assume they can but it would be a risky strategy. If Google security found a breach where customer data was being leaked then they might disclose publicly before they can be informed that it is a national security issue.

I wonder if this could happen anyway in reverse.

I suppose though that whatever part of an NSL that authorizes the CEO to tell developers to make it would likely also authorize the CEO to tell the security guys not to sound alarms about it... at least not without consulting senior management first.

If moles are involved, they might have simply leaked the private SSL keys. If used together with MITM this would be almost impossible to catch.

This. I imagine that an agency with the resources of the NSA could probably work out a couple of ways to obtain almost any private key they want.

Why do you need a mole? Just have someone dig up the street, and intercept the fiber optic cable.

I mean you still need to deal with private keys but the NSA might have the certificate authorities wrapped around their fingers.

If the NSA was MITMing SSL communications on a wide scale, presumably the companies would notice that the cert fingerprints were not what the companies expected.

I didn't say MITM. I said redirecting/copying traffic to spy on it.

That would mean they've broken TLS which, whatever powers the NSA supposedly has, seems unlikely.

I don't think they would be intercepting SSL traffic either, because Google has a hard enough time legitimately updating their certificates [1] that I imagine if the government were doing it on a wide scale people would definitely notice.

[1]: http://googleonlinesecurity.blogspot.com.au/2013/05/changes-...

Without the key, they couldn't read it. Getting a CA on board doesn't give them that (that would only allow them to create an alternative key that software without pinning would accept), they would need to either be given the key by anyone that had it or factor it themselves.
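The distinction drawn in the comments above (a cooperating CA can vouch for a different key for the same hostname, which a client without pinning accepts, but the key fingerprint no longer matches), as an added example that is not part of the thread. The host name `service.example`, the throwaway CA and all helper names are constructed for the illustration; the pin here is a SHA-256 hash over the certificate's SubjectPublicKeyInfo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a certificate for name with a fresh P-256 key, signed by
// parent/parentKey. With parent == nil it creates a self-signed CA instead.
func newCert(name string, serial int64, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{name},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		tmpl.DNSNames = nil
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)). It depends only on
// the public key, so it survives re-issuance of a certificate for the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

type result struct{ ChainOK, PinOK bool }

// check runs the two independent tests a client can apply to a server
// certificate: ordinary chain/hostname validation, and the pin comparison.
func check(cert *x509.Certificate, roots *x509.CertPool, host, pin string) result {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return result{ChainOK: err == nil, PinOK: spkiPin(cert) == pin}
}

// scenario issues two certificates for the same host from the same trusted CA:
// the operator's own, and a second one over a different key pair.
func scenario() (genuine, alternate result, err error) {
	const host = "service.example" // constructed name
	ca, caKey, err := newCert("Constructed Root CA", 1, nil, nil)
	if err != nil {
		return
	}
	genuineCert, _, err := newCert(host, 2, ca, caKey)
	if err != nil {
		return
	}
	altCert, _, err := newCert(host, 3, ca, caKey) // same name, different key
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pin := spkiPin(genuineCert) // what a pinning client would have stored

	genuine = check(genuineCert, roots, host, pin)
	alternate = check(altCert, roots, host, pin)
	return
}

func main() {
	g, a, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine certificate:   %+v\n", g)
	fmt.Printf("alternate certificate: %+v\n", a)
}
```

Chain validation alone cannot tell the two certificates apart; only the comparison against a previously recorded key fingerprint flags the second one.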

The private key should not be that hard to obtain. Google has thousands of frontend servers, each one of them has to have the SSL private key (at least in memory). Probably at least a hundred people have access to these servers. It's enough to bribe just one of them.

But this would cost way more than the yearly costs of $20 million in the leaked documents.

FB is riddled with ex-government employees.

Exactly why is no company addressing the fact that the government already accepted the program's existence and the fact that they snoop emails/communications. How can the program exist and take data and these companies not giving the data at the same time? Other explanations include...

* Data is not, as everyone seems to keep saying, "direct access" and either first sent to NSA servers or a copy is sent periodically.

* Companies don't know and NSA is unlawfully getting data (unlikely).

* Companies are being forced to not talk about it and outright deny it.

* There is somehow a plausible deniability. They are not willingly giving up the data but they aren't stopping them from taking it either and just turning a blind eye to NSA's activities.

One thing that has bothered me is that neither the Guardian nor the Washington Post (someone kindly post the link if I've missed it) has posted more than just a few slides of this 41-slide presentation. I understand the leaker may want as few slides as possible shown due to the danger of them being watermarked, but the few slides posted so far alone seem to lack important context.

Secondly, in defense of the companies, at least Google and Facebook, they've put up real people (Zuckerberg and Page) behind these assertions. In the case of the leaker, we just know that he/she is a career intelligence official...which could mean many things.

No, I'm not saying that leakers should be distrusted until they identify themselves...I'm saying when the evidence that the leaker has given is heavily redacted, then it's hard to know what assertions the responding companies have to actually lie about.

In other words, it could be the case that we shouldn't believe anyone so far.

Implicit confirmation that the programs described in the press are real and as described goes all of the way to Obama himself. For example he responded to a reporter today by saying, "With respect to the Internet and emails, this does not apply to U.S. citizens and it does not apply to people living in the United States."

If the programs were not as described, Obama would have certainly said so. Instead he confirmed their existence without disagreeing with what was said in the Washington Post about it.

Given that, there is good reason to believe the substance of the leak, even though we don't know who leaked it or exactly what is in that presentation.

FWIW, here's the press conference referred to, and here's the question:

> Q Mr. President, could you please react to the reports of secret government surveillance of phones and Internet? And can you also assure Americans that the government -- your government doesn't have some massive secret database of all their personal online information and activities?

THE PRESIDENT: Yes. When I came into this office, I made two commitments that are more important than any commitment I made: Number one, to keep the American people safe; and number two, to uphold the Constitution. And that includes what I consider to be a constitutional right to privacy and an observance of civil liberties.

Now, the programs that have been discussed over the last couple days in the press are secret in the sense that they're classified. But they're not secret in the sense that when it comes to telephone calls, every member of Congress has been briefed on this program. With respect to all these programs, the relevant intelligence committees are fully briefed on these programs. These are programs that have been authorized by broad bipartisan majorities repeatedly since 2006.

I'm not arguing against you, I'm saying that his statement is vague, and that it could just be a broad assertion of the executive powers. It doesn't matter whether the program is called PRISM or SUPERPATRIOT or what (in the president's reasoning), such surveillance measures have been legally approved and are regulated, if the government chooses to undertake such measures in the name of security. This is not the same as acknowledging that PRISM exists (which would put Google/Facebook's claims to the test).

See http://blogs.wsj.com/washwire/2013/06/07/transcript-what-oba... for the full answer to the question. Obama separately addresses the phone issue and the internet issue. In both cases he implicitly admits that what was said in the press about them is substantively true. In both cases he claims that Congress and the FISA court were kept apprised. In both cases he defends the programs with justifications that can be supported by what was said about them in the press. He makes it clear that they are separate programs.

The inevitable conclusion is that while he did not specifically confirm what was said in the press, he lent great credibility to the leaks being real documents describing real programs.

To quote myself in another message,

> I've never taken a single lesson in legal or PR and even I can see the big huge holes. They insist on direct access, they insist on servers rather than data and they insist on governments.

Anything else would be simply untrue. These companies obviously give limited data (not server access, not direct) to the government when required by subpoena and whatnot so they couldn't say "we give no access to any data" or anything like that.

The NSA have hooks in various data centers and internet backbones. They collect the intel indirectly giving the companies plausible deniability.

Yes, but how would they do this exactly? To collect anything valuable from Google they would need to MITM SSL on a large scale. And Chrome actually ships with a list of pinned certificates, including those for Google, making it difficult to MITM even for the government.

They wouldn’t do that, obviously, even if it was actually feasible. That kind of MITM would be easily detectable (though still effective, in short term)—we know when the Chinese do it.

However the private keys have to be deployed, on scale. So if as someone here is suggesting the NSA has infiltrated those companies, they could have got those keys and just decrypt the stream.

I wouldn’t bet my money on that… but it’s more likely than breaking the encryption, and if they can get military secrets, I guess they could get the keys.

Also those companies could have just volunteered them—that’s where the emphasis on ‘direct’ access comes in.

My understanding is that MITM (but in a perfect way, using the leaked private key) is still required, if ephemeral Diffie-Hellman is involved. You can't just passively record the stream and decrypt it, since you don't know the exchanged DH secret.

The suggestion that the companies actually gave them the keys and this explains the "direct access" phrase makes a lot of sense!
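
The distinction drawn in the comment above, a static key exchange versus ephemeral Diffie-Hellman against a recorder who later obtains the server's private key, as an added example that is not part of the original thread. All names and parameters (toy Mersenne-prime moduli, the `passive_recovery` helper) are constructed for illustration and are far too small for real use.

```python
# Added illustration of forward secrecy. Toy parameters, NOT secure.
import hashlib
import secrets

# Long-term server RSA key built from two Mersenne primes (toy size).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the key that later leaks

# Toy Diffie-Hellman group (Mersenne prime modulus).
DH_P, DH_G = 2**127 - 1, 3


def digest(value: int) -> int:
    """Hash an integer into the RSA modulus range (toy signature digest)."""
    raw = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(raw, "big") % N


def rsa_key_transport():
    """Static key exchange: client encrypts the session secret to the
    server's long-term public key. Returns (secret, recorded wire data)."""
    secret = secrets.randbelow(N - 2) + 2
    wire = {"kx": "rsa", "enc_secret": pow(secret, E, N)}
    return secret, wire


def ephemeral_dh():
    """Ephemeral DH: both sides pick one-time exponents; the long-term RSA
    key only signs the server's share. Returns (secret, recorded wire data)."""
    a = secrets.randbelow(DH_P - 3) + 2  # client ephemeral, never sent
    b = secrets.randbelow(DH_P - 3) + 2  # server ephemeral, never sent
    share_a = pow(DH_G, a, DH_P)
    share_b = pow(DH_G, b, DH_P)
    signature = pow(digest(share_b), D, N)  # authenticates share_b
    secret = pow(share_a, b, DH_P)
    assert secret == pow(share_b, a, DH_P)  # both sides agree
    wire = {"kx": "dhe", "A": share_a, "B": share_b, "sig": signature}
    return secret, wire  # a and b are discarded when this returns


def passive_recovery(wire, leaked_d):
    """What someone holding only the recorded wire data and the leaked
    long-term private exponent can compute, without being in the path."""
    if wire["kx"] == "rsa":
        # The session secret was encrypted to the long-term key:
        # one exponentiation recovers it from the recording.
        return pow(wire["enc_secret"], leaked_d, N)
    # DHE: the long-term key appears only in the signature. It lets the
    # holder check (or forge) authentication, but the session secret
    # depends on a or b, which were never transmitted. Recovering it
    # from A and B alone is the discrete-log problem.
    assert pow(wire["sig"], E, N) == digest(wire["B"])
    return None


if __name__ == "__main__":
    for exchange in (rsa_key_transport, ephemeral_dh):
        secret, wire = exchange()
        recovered = passive_recovery(wire, D)
        print(wire["kx"], "recovered from recording:", recovered == secret)
```

The key still allows impersonating the server in an active man-in-the-middle position, which is why the comment says MITM remains necessary when ephemeral Diffie-Hellman is used.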

Right. But if you look at the slide why would companies slowly get "added" rather than just implicitly be being spied upon?

I mean Apple only got added in 2011. If what you're saying is true then what does this date refer to?

> But if you look at the slide why would companies slowly get "added" rather than just implicitly be being spied upon?

Well, if they are intercepting data through backbones, and much of that data is encrypted, they need to defeat the encryption in a durable way to get a clear feed. While I don't suggest that this is what was going on, if it was, there would be no reason that each provider would necessarily be broken at the same time; there would likely both be prioritization of resources directed at each provider, differences in the security of each provider, and chance involved as to when each was broken.

> I mean Apple only got added in 2011. If what you're saying is true then what does this date refer to?

Growing popularity and usage of iCloud and Apple's own messaging system? iirc, before iCloud, Apple didn't have that much user data.

iMessage debuted in 2011.

And Obama came out to defend the program without saying that the companies were not involved (he did not say they were involved either). His press conference: http://www.youtube.com/watch?feature=player_embedded&v=iS6MO...

Maybe the government conspiracy is a government conspiracy!

<sarcasm>That's the problem with you geeks: you need real evidence for everything. Can't you just have faith? Can't you learn to just believe?</sarcasm>

It's so creepy how Zuckerberg and Page, as well as every other CEO's responses are worded exactly the same. The same goes for Apple too. It's entirely not believable that everyone's answers would sound so similar.

Makes sense to me: they can't say the government has no access to their servers because, of course, the US courts could compel access to their servers. They're US companies.

But a running process or piece of hardware sitting in their DC sniffing traffic? No.

That's what I think they're saying, at any rate.

EDIT: One plausible explanation for why everyone keeps using the phrase "direct access" is because it appears in the Guardian story as the first sentence: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...

It's not just using the phrase 'direct access'. Anyone with half a brain knows that all these CEOs could not have released these responses that are so exactly the same except for choice of words independently. There has to be some explanation, whether it is completely innocent, or otherwise, is the question for me.

One explanation is a coordinated call for transparency. The last paragraph certainly has greater weight when sung in chorus. If you look at the releases of the EFF and Google over the last 48 hours there seems to be a growing plea for this.

I guess anyone with half a brain would hire a really good legal team that would probably arrive at the optimum initial salvo in a lawsuit defense:

* No direct access.

* Never heard of Prism.

* We review each request.

* We want more government transparency.

Edit: Formatted the list.

Doubt they would be formatted w/ the same structure into four paragraphs, in the same order, with the same exact wording for the important phrases and points, and nothing but phrasing changed for the general talk. Perhaps you do, but I don't believe these two letters, as they are, could have been arrived at independently. I had assumed 99% of people would agree with me. Do most of you feel the same way as drhayes9?

Not that anyone will read this now... but looks like I was wrong: http://www.nytimes.com/2013/06/08/technology/tech-companies-...

Now I'm thinking that, yes, they coordinated their responses with the aid of the government. Dammit. I guess that's where my optimism gets me.

I can't help but think that they agreed to word this so similarly as a way to hint that the words have been put in their mouths. It's like what somebody that's being held hostage would do to make you understand that they can't talk freely.

Zuck likely saw the Page stmt before he+lawyers finished theirs, so it's not at all necessary to jump from "doesn't seem independently formulated" to "therefore govt handlers probably gave them a PR formula".

Anyway, what difference does the origin of the statement make? The companies are either trying to deceive us, or they aren't. What matters is what's being done to us. We're all powerless here except to let politicians know we're unhappy, will vote against, fund EFF, etc. "Gotcha" parsing of official statements is not an important tool in this fight.

Personally I find ridiculous the notion that proud public figures will feel less ashamed technically not lying than actually bald-faced lying. Either way, you've sacrificed public credibility. So the whole discussion of "is this really a denial?" is uninteresting to me.

"It's like what somebody that's being held hostage would do to make you understand that they can't talk freely."

Assuming the program is classified, and assuming that Zuckerberg has a security clearance, then under federal law he would potentially be eligible for the death penalty if he were to confirm the existence of the program.

How should he have phrased his FB post differently?

The question is not "how should" but rather "how could".

And the answer is "a myriad of different phrasings could have expressed the same content. English, even encumbered by lawyers, is like that.".

> Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.

Amazing how all of them, to a company, are using the "direct access" phrase.

Plausible deniability for the whole world to see along with the revelation of the biggest spying operation in history.

The phrase "direct access" was used in the original Guardian article that made the accusation and was a core part of the accusation, hence it's not surprising it's been used in the denial.

I agree, the funny thing is Obama already admitted the program's existence (WSJ article).

The WSJ article was about NSA requesting CDRs from Verizon. This is not the same as having unrestricted access to private user data as the presentation titled PRISM claims.

The strange thing is that just having a presentation is usually not enough for the HN crowd. If it would have been, I would never have to execute on any of my ideas beyond the presentation stage. Personally, I really don't think someone making a presentation is really evidence of anything.

I'm really not sure why HNers reacted differently in this instance though.

Sorry, kind of have to throw "benefit of the doubt" out the window when dealing with "massive state-wide surveillance programs that have no transparent oversight."

> I'm really not sure why HNers reacted differently in this instance though.

Because the government has admitted it.

Maybe they all share the same lawyer /s

It is remarkable how similar the two statements from Larry Page (LP) and Mark Zuckerberg (MZ) are below. The same responses worded slightly differently, and expressed in the same order:

LP: "...we have not joined any program that would give the U.S. government—or any other government—direct access to our servers."

MZ: "..Facebook is not and has never been part of any program to give the US or any other government direct access to our servers."

LP: "... we provide user data to governments only in accordance with the law."

MZ: "we... always follow the correct processes and all applicable laws."

LP: "...we have long believed—there needs to be a more transparent approach."

MZ: "We strongly encourage all governments to be much more transparent..."

It almost looks like they are reading from a template or script!

Let's not rule out the possibility that Zuckerberg saw Page's statement and sort of copy-pasted it.

These comments read just like the ones on the Larry Page thread!

It's almost like someone is telling HN readers what to say...

There is a comment just like yours on the other page. Who are you? :P

Amazing how much Zuck's PRISM response was like Page's. Almost like the same people were telling them what to say.

Every single official corporate response in this story so far was formulated using the exact same terms, and did not constitute an actual, categorical denial of the claims. We have not given "direct access". We are providing the government with our data through "legal channels".

Like someone in the other thread about Page's blog post asked: What could Zuck say more to convince you otherwise?

He says explicitly Facebook is not providing information or metadata "in bulk", which seems to contradict the Guardian article ("direct access").

He says:

  We have never received a blanket request or court order from
  any government agency asking for information or metadata in bulk

Not that they don't provide information in bulk. The next paragraph comes closer:

  When governments ask Facebook for data, we review each request
  carefully to make sure they always follow the correct processes
  and all applicable laws, and then only provide the information
  if is required by law.

Which in an ungenerous reading leaves plenty of wiggle room. eg, "When governments ask", not "When governments order us".

Personally, I believe Larry and Zuck, but the statements themselves are really weird.

My thoughts exactly. And not just the content, but the vocabulary and the whole way the language is structured.

Felt the same way reading it.

1. It would be nice if these statements defined "direct access to our servers". It's safe to guess that they are using the narrowest definition possible, meaning that an NSA employee can walk into the building that Facebook's servers are hosted in and log in to any server and run arbitrary commands. This is likely not what a layman's use of "direct access" would mean. The issue is whether or not the government can access whatever user data they wish provided the correct clearance or assertions.

2. "We hadn't even heard of PRISM before yesterday."

Somehow I doubt that the National Security Agency is in the habit of telling companies that they work with the names they use for projects internally.

3. "we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure."

This doesn't preclude the idea that the government accesses more Facebook user data than the general public might realize under current law. Facebook can provide large volumes of info as the PRISM slides suggest if it is indeed lawful, and this statement would not be a lie. It hinges on what exactly is "required by law", or more precisely, what is allowed under the current interpretation of the law.

Hmm, what I'd like to hear is tech CEOs say "the NSA does not have the private key for our SSL certs." Beam splitters are a pretty cheap buy.

I wish the people who have knowledge of implementing these things would come forward with a leak of some sort. Surely, somewhere there are citizens of this type, right?

this a thousand times

> Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.

> ...

> When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law.

So no back door at FB, because the front door is open to secret courts signing the secret subpoenas to do secret things.

Got it.

Anyone find it interesting that "direct access to servers" keeps being mentioned when PRISM could almost be an in-joke for the kind of beam-splitting tech they were already using in Room 641A (and elsewhere) - i.e. they're not touching servers, they're just siphoning off a perfect copy of all network traffic

I still find it suspicious that the previous White House press secretary, Robert Gibbs, left the White House to work at Facebook.

I realize that statement implies that no one from government can go into the private sector without it suddenly becoming a conspiracy theory, but in this particular case the link is especially concerning.

It is eerie how similarly worded Zuckerberg and Page's denials are.

> to give the US or any other government direct access to our servers

"to give the US, or any other government, or any third party intermediary, direct or indirect access to our servers or our users' data"

I mean come on, I've never taken a single lesson in legal or PR and even I can see the big huge holes. They insist on direct access, they insist on servers rather than data and they insist on governments.

And that's not even taking into account the fact that most of those sentences are the same copy pasted text that we saw in Larry Page's message. If you want to make it sound like a personal message from the founder, maybe don't speak like a drone ...

With the creepy similarities, why do I get the feeling that it's these collective companies' way of saying "Yes, they're monitoring you but we just can't say anything..."

If I were covering this story my first move would be to figure out who wrote the boilerplate version of the press release being used by all these tech companies.

Reading between the lines:

> Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.

We have however set up a tap that mirrors all traffic to Facebook to NSA servers, and we've given them the certificate to decrypt that traffic.

> We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received.

Instead, we were requested to provide our SSL certificate and to install some hardware in our data center. We never handed over any data ourselves.

> And if we did, we would fight it aggressively.

Too much work to provide all that data. Best to just give them a mirrored PHY stream.

> We hadn't even heard of PRISM before yesterday.

We didn't know _what_ the program was called; they never told us, specifically for plausible deniability reasons.

> When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law.

Technically, they didn't ask for user data, they asked for a hardware interconnect and a private key.

> We will continue fighting aggressively to keep your information safe and secure.

Our lawyers made us say this. C'mon, we're Facebook, what do you expect?

> We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It's the only way to protect everyone's civil liberties and create the safe and free society we all want over the long term.

Good God, what have we done?! We're under an NSL, can't you tell that, people?!

Note how similarly worded this response is to that posted by Larry Page: http://googleblog.blogspot.com/2013/06/what.html

The cynic in me wants to believe the coincidence is because Facebook has equally good lawyers as Google.

> The cynic in me wants to believe the coincidence is because Facebook has equally good lawyers as Google.

The more cynical me wants to believe that Google has good lawyers and Facebook's lawyers, although perhaps as good, find it easier to plagiarize. :P

I believe, without a doubt, that both the Zuck response and the Page response were created from the same template or set of explanations. Unless all these CEOs met up together and decided how they would respond, then this seems very shady to me indeed.

Another possibility would be that PR works in a fairly formulaic way. It might not be an exact science, but if asked to comment on such a subject, and you were innocent, I'm sure the following would be what you say:

> I have no idea what you're talking about.

> We only give access when absolutely necessary within the confines of the law.

> We're on our customers' side.

Now some of the terms such as "direct access" are eerily familiar, I'll give you that, but the message being conveyed and the order it's formed wouldn't be enough to surprise me on its own, and the guys working PR for these orgs are probably pretty inbred. Still, it is interesting.

I have also been skeptical of the carefully worded releases, but looking at the PRISM slides more carefully just now, nothing on them necessarily indicates that the target companies actually know what is happening. Perhaps PRISM is based on partnering with backbone providers to suck data straight off the pipe, and the "Dates When PRISM Collection Began" refer to dates when they completed software to scope out information specifically destined for or leaving the services of each "provider".

This is just a possibility - I tend to believe the companies are simply lying. But it is possible.

About this direct access phrase, I read a post earlier today (linked from a comment on HN but can't find it now...) that described a hypothetical system offered by Facebook to intelligence agencies. This system would allow the user to search for a person and then accept a EULA before being given access to personal information. If this system were to automate the submission and acceptance of a subpoena, would the system then be classed as having given indirect access through the correct "legal channels"?

"Yeah so if you ever need info about anyone at Harvard. Just ask. I have over 4,000 emails, pictures, addresses, SNS." Asked how, he responds: "People just submitted it. I don't know why. They 'trust me.' Dumb fucks."


ok now... how will Twitter's CEO respond with 140 chars?

"Direct access 2 r servers: nope #prism #nsa"

hahahah perfect

indeed !

Isn't all Twitter data public? They don't need to deny anything

direct messages are private.

Well, Twitter doesn't publish your IP, your email or your social security number every time you tweet... so no, all its data is not public.

How would Twitter have its users' SSN?

I was joking, my point is there are some data Twitter has that could be interesting for any administration. There was a case here in France where people were making jokes about Jews ("un bon juif"). Anyway, the French government asked for the IPs of the people who made that joke, but Twitter refused to give up user IPs.

Well, the original comment was a bit of a joke. As many of you say that Twitter info is public, I do not agree. Twitter knows what I search, knows where I am all the time and what I feel about it. Knows with what I interact. I never said that I liked "kittens" but it has that information as Google does.


"400 billion Tweets and not one useful bit of data was ever transmitted"

Twitter may or may not be involved in this program or similar, but so far the documents released don't mention them. I wouldn't expect any sort of statement from them.

Twitter seems unlikely because most of the data produced by twitter is public anyways. Only private communication is DM.

The keyword for me here is "direct".

If PRISM is indeed a "prism", that is, a network-level dump, duplicate RAW of data, then there is no direct access involved.

It does seem as though these companies are trying to signal something (à la Cryptonomicon), by the repeated emphasis on direct. That's the part that is scary - as someone else pointed out, with the right SSL keys and a copy of the bytes flowing thru a limited number of NAPs, you don't need your grubby fingers in the Google/Facebook datacenters. The telecoms seem quite willing to roll over...

> ... create the safe and free society we all want over the long term

I don't think you can have both. Freedom has to be paid for, and the only currency it'll take is blood. If we're unwilling to pay that price then I guess we won't have freedom.

Also, I'm not sure I'd want freedom regulated by Facebook, where bare breasts in centuries-old paintings are forbidden or jokes have to pass a censoring committee.

Why would you believe anything these guys have to say on this matter? For one, the government has clearly given them some kind of deniability. For two, if they were given orders under the National Security Letter program, they couldn't admit they had knowledge even if they did.

I don't trust Zuckerberg, I don't trust Larry Page, hell, I wouldn't trust you either if you had to respond.

Something fishy is going on... the same message, same exact words being used.

I'm thinking all these companies are legally being forced to give up data and provide direct access to some kind of third party company, which in turn works with the NSA.

It's pretty clear Google, Facebook, Apple, etc. can't just come out and say they're doing this. They're choosing their words very carefully.

If you want to go full conspiracy theorist, you might suggest the slide deck and capabilities were all a psy-ops tactic to persuade the real criminals to abandon using Google, Facebook, Apple, and all of the big corps who refused to freely hand over user data, and instead flee to smaller businesses that the government could much more easily coerce into participating...

The fact is, when you sign an agreement with the government like this you are given a 30+ page contract. Some items ALWAYS in the contract are:

1. If you are asked about it, you will deny it, and LIE about it. They actually tell you to lie.

2. If you break the contract you will be destroyed, and everyone you know will be destroyed.

Ask a senior member of the military how this stuff works.

