Hacker News new | comments | show | ask | jobs | submit login
Why didn't tech company leaders blow the whistle? (stanford.edu)
551 points by ot on June 9, 2013 | hide | past | web | favorite | 82 comments

Blow the whistle on what? The problem with the "conversation" going on in these threads is that no one is defining that first.

If we're talking about the first leaked version of PRISM, we still don't even know if it exists or how it works. Subsequent revisions have made it seem that if the NSA doesn't have the immediate ability to query the companies' backends, then they have some kind of carte blanche ability to ask for data and immediately receive it. If either of these are true, then certainly, where are the whistleblowers? If not, and there's a very real chance that neither of these are true, then the question doesn't make sense.

If instead we're talking about FISA orders, there's nothing secret to blow the whistle on. Everyone knew what they would allow. Congress was briefed on what they actually have allowed. The EFF has been in court for years (7 and 5 on different cases) to try to just figure out if their clients have standing to sue over FISA. Many of the companies on that PRISM list now have transparency reports that tell you exactly how they disclose data and provide numbers for requests (other than FISA, which you're not allowed to do). There's been tech blog coverage for years by sites like Ars Technica that discuss everything from the flawed ECPA to the attempts by the Obama administration to use national security as a guise to subvert all attempts to find out what these intelligence programs even do, let alone who they do them to. So, what did you expect them to blow a whistle on?

For instance, Google and Microsoft are both now reporting ranges of the NSLs they receive; in effect, a kind of whistleblowing, albeit a legal and vetted one. NSLs are very much like FISA orders, in that they contain gag orders and have minimal oversight (and no public oversight) for their approval. Where's the indignation and action over those?

If we're going for hindsight here, the real question is where the hell were the major news outlets and where the hell were the American people? Or why has Congress been willing to approve this program on multiple occasions? Assuming incompetence in all three of those groups, the usual response to those questions, is not an acceptable answer.

If instead we're actually looking to the future, we need to ask how we're going to hold the Obama administration and Congress's feet to the fire to make sure that this ends, and that any real search beyond basic information (in a very narrow scope!) requires probable cause demonstrated before a judge, and that notification of a warrant can't be gag-ordered and withheld indefinitely.

Section 215, known as the "business records" portion of The PATRIOT Act allows "FBI agents to obtain any "tangible thing," including "books, records, papers, documents, and other items," a broad term that includes dumps from private-sector computer databases, with limited judicial oversight."[1]

That Section 215 exits is public record. However, the government has a "secret interpretation" of the law that allows itself many more powers than what is written in the publicly accessible version.

Only congressmen on the Senate Intelligence committee were briefed on the secret interpretation. With the exceptions of Mark Udall and Ron Wyden, who tried warn the American public without revealing anything classified (in 2011), the rest of the congressmen on the committee did not have a problem with what the NSA was doing. Many of the congressmen on the SIC are ex-military or receive large campaign contributions from defense contractors and/or the intelligence community.

[1]: http://news.cnet.com/8301-31921_3-20067005-281.html

It would appear that the FISA court agrees with that interpretation as well, correct?

The court's opinion is classified. The DOJ is trying to block a FOIA suit filed by the EFF to release the opinion.


To be honest I don't really understand the EFF's position. The FOIA explicitly applies only to executive branch government agencies. The FISA court is fully under the control of the SCOTUS.

"...agency" as defined in section 551(1) of this title includes any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency..."[0].

I suppose it might be possible to go after the briefs and evidence presented by the DoJ to the FISA court with FOIA requests but anything you would get would be redacted to nothing.

[0] [pdf]: http://www.justice.gov/oip/amended-foia-redlined-2010.pdf

Court opinions can be classified? What in the actual fuck?

In ex Yugoslavia we had secret laws, published by secret official journal and enforced by secret courts.

So you could easily get persecuted for breaking the law that you were prohibited to know it even existed.

The same was going on in east Germany and other socialist countries.

I warmly recommend watching The Lives of Others (http://www.imdb.com/title/tt0405094/) to those who haven't seen it yet.

Amusing that the US claimed victory in the cold war and then ends up adopting all their "enemies'" worst stuff.

They didn't give all those ex-Nazi scientists jobs for nothing you know.

My surprise was directed at the fact that people have this in a system advertised as democratic. I am quite well-acquainted with cases like those you quote.

The Soviet Union was advertised as democratic. Nazi Germany was advertised as democratic. Communist China was/is advertised as democratic.

My old debating coaches saying was that any country with 'democratic' or 'peoples' in it's name was most certainly not either of those things.

Aye, but no Chinese without political involvement and no mental problems would freely claim (and believe!) he's a free man living under a democratic regime.

"Advertised as democratic" won't get you very far in predicting how democratic a country is.

This seriously sounds like Kafka's The trial :( http://en.wikipedia.org/wiki/The_Trial)

"In its response filed with the FISC today, the government offers a circular argument, asserting that only the Executive Branch can de-classify the opinion, but that it is somehow prohibited by the FISC rules from doing so."

It seems to me the FISA Court still has the power the make the ruling public, even if the government classified it. It wouldn't be the first time a judge overrules classified information, right?

It seems to me the judges are accomplices to the government (why would they still grant the warrants, if they already found it unconstitutional?), and even if there was some kind of conflict in the law, I assume they would know this could go to the Supreme Court and it would be solved there.

IIRC only the Supreme Court can really decide on constitutionality other judges are just supposed to follow the laws laid out by Congress.

Then why did the court re-authorize the Verizon order in April 2013?

I'm just not sure there are easy answers in any direction here. Should they have the program at all? If they should, did they choose the right parameters? If the parameters are right, is the oversight adequate to both preventing misuse of these undeniably broad powers and making the rest of us feel like it is still, in the end, our government? Who should make each of those decisions? Given democratic uncertainty over whether all the forgoing are within spitting distance of 'correct' (whatever that means), what is any individual actor's responsibility -- even assuming he has full knowledge of the program -- to undermine most of those decisions when he feels it's wrong? How wrong would he have to feel it was, and on what axes?

There are easy answers here: there should be no program at all. Terrorism is no legitimate threat to the US and never has been. Any time you give the government the ability to override checks and balances, they are already abusing that ability (and usually want it applied to previous behavior so they can't be prosecuted for past infractions).

I hold a less extreme position, that (1) The laws should have a two-year sunset clause (2) The government should have to prove the law's efficacy to the public. Fuck this 'it works but we can't tell you' bullshit. (3) We have to understand full well that when we allows these laws they will be used fully. I don't think it takes an evil person for this to be true. I think most of us, if we were given the responsibility of protecting the public and the authority for doing so, we would use that authority. Nobody wants to be the guy that people look back on after a terrorist act and say, 'but YOU could have prevented this.' Look at all the grief the spooks are getting with this 'Marathon Bomber' kid (Tsarnaev). Apparently they were warned that he could be a threat. But they respected his rights and let him be free. And now they are being accused of being incompetent.

>If not, and there's a very real chance that neither of these are true, then the question doesn't make sense.

Particularly since every tech company leader (and the NSA) are insisting that neither is true.

This is just it. This time last week it was public knowledge that (for example) Google complied with FISA 702 orders. Now it's public knowledge that Google complies with FISA 702 orders, using a workflow-automation system. There are hints of extra reasons to be more worried than before, but so far it seeems they're all either speculative or disputed:

(I'll keep talking about Google specifically just to narrow things down for now.)

* NYT suggested that FISA orders can be broad and shallow ("a broad sweep for intelligence, like logs of certain search terms") instead of narrow and deep (eg. everything on person or company X), but CNET's source contradicted that https://news.ycombinator.com/item?id=5845878 .

* The Washington Post used language which suggested that Google's lawyers may have been taken out of its FISA-702-order-execution loop altogether, but NYT contradicts that and Google has denied it https://news.ycombinator.com/item?id=5847846 .

* The Verizon mega-warrant suggests that NSA might be gathering data under similarly broad FISA orders, something that (like broad-and-shallow orders) would make "no direct access" a lot less meaningful, but that's been denied by Google https://news.ycombinator.com/item?id=5847959 and the various anonymous sources seem to be contradicting it too.

* The NYT article http://www.nytimes.com/2013/06/08/technology/tech-companies-... seemed to hint at the possiblity that the Google lawyers processing FISA orders could be suffering some kind of reverse regulatory capture or that Larry Page and Chief Legal Officer David Drummond could have lost track of the extent and nature of what they were approving. There doesn't seem to be any specific evidence for that though.

One thing that does seem to be true is that if you make it more convenient for the NSA to get data under FISA 702 orders it will respond by getting a lot more of it. Apparently the NSA's PRISM stack boasts of a 63% increase in the number of communications obtained in 2012 from Google http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n... (and much larger increases at other companies). Still, it seems the PRISM system hasn't - or at least, hasn't yet! - facilitated an order-of-magnitude or game-changing increase in the scale of FISA 702 snooping. Overall there doesn't seem to be any great change in what we think we know http://www.wired.com/images_blogs/threatlevel/2013/05/fisaca... about that.

So, unless some of those hinted worries are true, there doesn't seem to be anything very big that Larry Page could have brought to our attention that wasn't public knowledge last week already. The biggest news is probably the increase in the scale of the data requested, and if Page cared enough about that he could presumably just have done a Twitter and declined to build a semi-automatic pipeline...

(IANAL or anything else.)

Not a bad summary. (I wrote one of the articles you cited.)

One more. The new slide released yesterday:


What exactly happens if you just don't respond to a FISA warrant?

Well it's a real (if secret) court, so I assume it would be what normally happens for contempt of court.

It's my understanding that the secret court ruled the primary legal justification for PRISM (FISA Section 702) as unconstitutional. The Justice Department is trying to keep that ruling as secret as possible. [1] So, really, what would they do?

[1] https://www.eff.org/deeplinks/2013/06/government-says-secret...

How can they rule the justification as unconstitutiona when the judges were giving court orders under that justification?

More broadly though, I don't understand how you can possibly have secret courts. Justice not only must be done but must be seen to be done, otherwise its not justice.

Secret courts are not about justice.

They are about masking injustice behind the veil of "law".

Since US is a country with long tradition of rule of law. The easiest way of subverting the rule of law is by subverting the concept of a judge and of a court.


I'm not a lawyer, but I believe they declared only part of FISA unconstitutional. The part they declared unconstitutional happens to be the primary crux of the legal argument for PRISM.

I don't understand how you can have secret courts either. It's a perversion of what this country was founded upon.

I'm personally most interested in ACLU's challenges about Tor/VPN providers and FAA.

What sort of consequences can they impose without revealing the existence of the secret court?

The existence of the court itself is not secret, the proceedings are. But they could issue a fine or jail sentence without leaking the rest of the proceedings themselves, if I understand the legal process right.

Edit: Way to mind-meld on the comments, team. Holy crap.

Your edit just reminds me of all of the people screaming that all of the companies wrote their stories using a "template" because each press release they put out sounded similar and used similar words. Heh...

The existence of the court isn't secret, it's the proceedings that are.

The existence of the court is not secret, only its proceedings.

Also its members and its decisions.

> Or why has Congress been willing to approve this program on multiple occasions?

From what Obama said, "Congress was informed", it was not asked to approve anything. That's very different.

There are several valid reasons why they didn't blow the whistle:

1. As the NYTimes article leaks[1], the leaders of these tech companies may not actually know the extent of FISA and PRISM within their servers - employees cooperating with the NSA would be forbidden from sharing this even with the CEOs.

2. What are they blowing the whistle on? There are a flurry of competing facts and fragmented stories. It came out afterwards that the NSA may not actually have as incredible access as they originally claimed. All they had to go on was the original Guardian article, which merely states "direct access" - everything else is, as the CEOs stated, covered under FISA laws.

3. Speaking of FISA laws, it's a violation of national security to even acknowledge the existence of FISA requests. PRISM is justified through section 702 of FISA. They wouldn't risk treason. This is reasonable. Are you on such a high horse as to say you would do differently?

[1]: http://www.nytimes.com/2013/06/08/technology/tech-companies-...

The government making a request like this to an employee of a tech company, with a gag order that doesnt let him share that information with the company he is working for is a blatant abuse of power. An employee has no resources to fight something like this if he cant tell the company he works for what he is doing, meaning that any company is vulnerable to this way of operating.

Companies like Google ought to have internal audits to detect rogue employees. (These audits are usually put in place after the first time a curious employee snoops on a famous person.) If the employee refuses to justify his actions, he's fired.

Everyone here seems to be assuming that tech company leaders actually knew the whole picture, but that isn't necessarily the case.

Think about it: Let's say you're the CEO of any of these companies. If someone from the NSA or the FBI serves a top secret FISA order on some poor SRE in your datacenter, do you even qualify as one of "those persons to whom disclosure is necessary to comply with such Order", or an attorney?

Now, maybe your General Counsel knows what's going on, or maybe the knowledge is scattered throughout your legal team. Your lawyers, who are supposed to be representing your interests, are now bound to keep these secrets from you, and possibly even from each other. This is something that affects millions of people, and you can't do anything to fight it, because you aren't necessarily allowed to know what's going on in your own company. The only sign might be that a few previously-happy key employees suddenly seem stressed and quit for no apparent reason.

Freedom of speech is such a basic assumption in our society that we struggle to understand the full implications of what can happen when it's taken away.

In all likelihood, because they need the government to work with them. Google, Facebook, Microsoft -- all companies that must deal with regulations and shareholders who care more about profits than morals. The last thing any of them need is for the government to retaliate with stricter enforcement of those regulations, which might hurt their profits. The FBI's latest push for backdoors sends these companies a clear message: standing up to the government is bad for business.

Or, if we want to be optimistic, maybe they had no idea what their companies were participating in. Maybe the NSA people they met with were lying about their plans or purposes. It is a classified system, so maybe they felt compelled to leave out details that would otherwise have had the CEOs fighting back.

... and shareholders who care more about profits than morals

I think this issue goes against shareholders because they can lose real customers feeling defrauded.

It's realistic to expect legal actions against Google/Microsoft/etc operations outside US, mainly for Government accounts.

What makes you think these companies are going to lose any substantial number of customers? Most of the anger here is directed at the government, and it is only a small minority of people who even are angry about this. Only a very tiny minority of people will actually stop using Google or Facebook because of this incident.

In the short term nothing will change for Google, Facebook etc. But i think you are underestimating the longer term reaction from members of this community. The cloud in its current form is dead. Google's goal of collecting the world's information is a dead end if everything ends up in the hands of the NSA. New user data models with better privacy will eventually be introduced by one or more startups that could be a treat to Google and co.

>The cloud in its current form is dead.

I've heard several people say this... I find that... unlikely.

Do you really see the type of people who use facebook; the type of people who buy things that are advertised online, well, do you see them changing their behavior? I'm pretty sure most of them are okay with being watched; otherwise they wouldn't be on facebook to begin with.

And those are the users that matter.

This is the hear of it, isn't it? You have a whole bunch of people who don't care if Google uses automated scanning of their emails. You expect them to care if the NSA does it? Sure, there is some subset of people who will draw a distinction between the government and a private company, a distinction which isn't baseless, but most just don't care.

Also, look at it from the governments point of view. If you're NSA, do you really feel like you're violating intimate privacies to go through information people knowingly expose to one time acquantances on Facebook? The NSA is made of people, remember. How people view their own information enforces their understanding of where the line is.

Because, outside US, government agencies and companies that considers their communication security critical will choose another provider. They are paying Google Apps, Microsoft 365, etc.

Would anyone (especially from a foreign country) who considers their communication security critical really be using any of those services today?

Yes. Obviously not the most sensitive ones but there are a lot of government operations using their services.

"and shareholders who care more about profits than morals."

Well, I don't know what your prejudices about shareholders are, but I know a few of them and they really care about morals, probably much more than average Joe.

Anyway, making a super State that controls everything goes against shareholder's interest as history shows the first thing super states do is eliminate competitors altogether.

You know Mr Adolf Hitler asked again for more business contributions to his party. They were angry to be asked again so they put a condition in place: "Only if you don't ask again in a long time". Hitler smiled and say:" Don't worry, it is the last time I ask you for contributions."

It was.

1.) "shareholders who care more about profits than morals" != "shareholders care more about profits than morals"

2.) Nazism != fascism. (And even Nazism "worked" for some Nazi industrials for a while, if you will).

Mussolini: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power."

Chomsky: "Governments have a defect, they're potentially democratic. Corporations have no defect, they're pure tyrannies."

So yeah, it's great that corporations don't want anyone who could possibly stop them in their undertakings. Actual people on the other hand would do well to restrict both government and corporations. That is, we should make them in our image, not the other way around.

"In this case a corrupt federal prosecutor (is there any other kind?)...."

According to superstar trial lawyer Gerry Spence (http://en.wikipedia.org/wiki/Gerry_Spence), as of when he wrote his book on Ruby Ridge, in an aside WRT serious prosecutor misconduct in that case, he has never tried a case against a Federal prosecutor in which there wasn't egregious misconduct. Come to think of it, his skill in finding that probably helps his near perfect success rate, and especially his signature tactic of resting without presenting a defense.

It's simple. Verizon, Qwest, etc. are not tech companies. They are telecommunications carriers, regulated utilities, who are close to an extension of the government.

The implausible part of the worst PRISM allegations was that Google/Facebook/etc. behaved like that, but telcos have acted as extensions of spy agencies for as long as they've been around -- back to the "Black Chambers".

> regulated utilities, who are close to an extension of the government.

This is a good concrete example of something I often point out, which is that an extension of the government is what regulation is.

It's an important point, and one that many people miss. I often see people on the left complain about corporations trying to lobby the government for control, and people on the right complain about the government trying to control corporations, but the reality is that there's basically no distinction between the two.

There's a huge difference between large companies in regulated industries and startups in non-regulated industries (or even decent-sized companies in lightly regulated industries, like tech). And local/state governments vs. federal.

It might be wishful thinking, but part of me wonders if Steve Jobs might have actually been able to push back a little and prevented Apple from joining the program at the same time as Microsoft/Google et al. Apple isn't known for being outspoken about privacy, but Jobs is a formidable character to deal with and, well, if anyone had the balls to say 'no', he did.

Apple wasn't added until after Jobs died, years after other major players:


Jobs doesn't have a history of EFF-like activism and has always played ball with the government. I think its a little unhealthy to build him into this superman juggernaut. Yes he was talented and died before his time, but he's no NSA slayer.

To OP's point, if anybody at Apple at all were going to be asked by the government, I have to imagine Jobs would've been left out of the equation. That's one loudmouthed asshole you didn't want keeping secrets for you.

It's because Apple isn't any good at services, and didn't have a cloud of note until extremely recently.

I think the timing is a coincidence.

The most surveillance-relevant services Apple provides are probably iMessage, iCloud and FaceTime. All were announced in 2011 and saw widespread adoption in 2012.


I'd noticed that too. Given that Jobs seems to have had the juice to get away with signficant and brazen securities fraud, he may have been in a fairly secure position to say 'no' to PRISM. But for that matter Twitter's CEOs, much less mighty figures, also seem to have been able to say 'no' too. Or maybe the rickety state of Apple's Web services (MobileMe and all that) had something to do with it...

Because treason and national security are taken very seriously.

It's well known that there is a "secret" interpretation of the PATRIOT Act and FISA revisions that basically allow unlimited loopholes for accessing any data. Going up against what is arguably the most powerful organization in the world and the most powerful government in the world, while you have a nice cushy tech job, would be dumb.

Besides that, not many engineers employees for private companies have a firm grasp on all of the details of the law. How many people can say for certainty that it is even illegal for the NSA to do broad data-mining of US citizens?

For the post linked in the headline, those seem like shocking accusations, but the kind I'm now accustomed to taking with a grain of salt. It seems perfectly plausible that the guy legitimately deserves a 6 year sentence for reasons unrelated to any of this.

As for the subject/headline, which I'm not sure is related to the particular post linked, it seems pretty simple. Tech companies would probably see PRISM with much more perspective than the internet's knee-jerk reaction. After all, these are companies who have that information at their finger tips 24/7, who can invade all kinds of privacy without any oversight or checks and balances and nobody would even know to get outraged. The media companies, particularly Google, are companies that regularly collect and profile that information anyway for the expressed purpose of profiling people in order to maximize their ability to manipulate the public. As far as tech leaders are concerned, the NSA is the first party to suggest doing something non-evil or selfish with all that data.

So for things like listening to phone conversations, there's still an argument and some outrage to be had. But I think for a lot of the companies, the leaders would have to sooner blow the whistle on themselves than the NSA. The whistle blowing would have to come from where it apparently did--an ideologue who has a fetish-ized view of the public sector as something evil and invasive even as the private sector pours over all the same information unimpeded for selfish ends.

> The media companies, particularly Google, are companies that regularly collect and profile that information anyway for the expressed purpose of profiling people in order to maximize their ability to manipulate the public. As far as tech leaders are concerned, the NSA is the first party to suggest doing something non-evil or selfish with all that data.

I think you have it reversed. The NSA is the only ones doing evil at this point. The private sector isn't in a position to use force in combination with the data.

> an ideologue who has a fetish-ized view of the public sector as something evil and invasive

You mean a public sector that would be deliberately violating the Constitution they swore to uphold? That would really be a fetish -- holding the public sector to the Constitution.

Because they didn't get rich blowing whistles, or by biting the hand that feeds them.

The problem is the subpoenas come stapled to a gag order. "Why didn't tech company leaders blow the whistle?" is really not the right question to ask, and not the one the thread answers. They couldn't "blow the whistle" without going to jail.

The right question to ask is "Why didn't tech companies fight the orders in court", and the answer is, of course, if you're in a heavily regulated industry the government can crush you without involving the judiciary. You could win the court battle and go out of business, even if regulators don't attack you personally over "three felonies a day".

Speculation: because the heads of those companies think that surveillance is just peachy and it's their business model? That is certainly the case with Facebook, which acknowledges that they try to encourage sharing and break down norms surrounding privacy, then take the new norms they've created, treat them as a baseline, and extend them further. They think this is good. And it's not like the NSA is going to compete with them for advertiser $, so no bigs.

This is a difficult thing to wrap your head around. My assumption is that the vast majority of people haven't formed an opinion yet. And many others don't have a problem with what the NSA is doing.

"Do no evil" but do something much worst.

..Because anyone who 'blows the whistle' will have their lives destroyed, a la Manning and Snowden.

The first rule of FISA Warrant Club is "do not talk about FISA Warrant Club."

The first rule of PRISM is you do not talk about PRISM

Chicago politics? Nope, just politics.


Everyone falls for the MONEY


This article is crap - Joseph P. Nacchio is serving 6 years for Insider Trading.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact