Facebook Releases Data, Including All National Security Requests (fb.com)
238 points by erict15 1618 days ago | 199 comments

I may be part of the minority here, but I have/see no reason to believe that Facebook is lying about these numbers, or lying about the fact they actually check every request, and don't have a NSA backdoor. If I am correct, the only thing that shows Facebook has given the NSA/government agency access to their servers is a leaked PowerPoint presentation. I believe it is more than likely that one of the following two options is true. (1) The PowerPoint is just wrong, and was made up by someone working for a government contractor. (2) The PowerPoint is inaccurate in that these corporations have complied with the government, when asked to and required by law to, through the use of warrants, both secret and otherwise.

Personally I think option 2 is the most likely scenario. Facebook (and Google and most of the other named corporations) have done nothing to lose my trust in them. The only party that at this time, I know is to blame is the NSA/government for conducting a cloaked surveillance operation on the entire US population. Until there is proof, or a reasonable argument, showing that these corporations willingly complied with the NSA and were a part of PRISM, I don't think they have lost any substantial part of my trust.

The problem is that before these leaks, the Director of National Intelligence was asked point-blank in a congressional hearing whether or not the NSA was conducting surveillance on Americans, and he unequivocally said no. Given that history, I think it's prudent to approach the veracity of further denials with caution.

It's true that Facebook is not the US government, so perhaps we should be less hesitant about the claims they make. However, Facebook does have a history in this area that gives me some pause. Their former CSO was Max Kelly, who is ex-FBI, and would give talks about shit like the need for "uniting" military and commercial "cyber defense." So to the extent that we're dependent on Facebook's internal narrative to determine how they respond to the US government, my sense is that at Facebook, much of that narrative was set by someone who is largely sympathetic to government cooperation.

I think you're correct in pointing out that the NSA is ultimately to blame. However, I think we should acknowledge that while companies like Facebook obviously do not have malicious intent, they are still in the surveillance business. What they are building does have some inherent danger, and will continue to attract the interest of the US government, foreign governments, and attackers.

I wish I saw more people hammering home the point you made in the first paragraph. Too many people are looking for ways around discussing what is just as important a piece of this puzzle as the leak itself: The director of National Intelligence lied to the Senate. To their faces, through his teeth, on camera, in front of the American people.

I'm in the camp that Senator Wyden asked the question in such a way because he knew what the answer was going into the thing.

At this point, you need to start looking at everyone as a suspect. It's an uncomfortable notion, we might not like it, but it's a reality pill ya gotta swallow.

And also Obama promised no surveillance before winning the first election. It took him weeks to change his mind.

I'm sure it's all shrouded in "classified" and "top secret" tape, but I'm intensely curious to know what President Obama knows that Candidate Obama doesn't.

Maybe it's the same thing all presidents learn their first couple of months in office. Maybe it's a memo that gets placed on the desk in the Oval Office by some shadowy figure. Whatever the case, the honeymoon is over, folks.

I suspect that it was much like the "too big to fail" scandal. President Obama was new to the game and let the people who said they knew what they were doing run the show. On one hand he's got the feel-good speeches he made as a candidate and on the other hand he's got agencies and contractors with billions of dollars of budget on the line all pushing as hard as they can to justify their existence and their budgets. The inertia alone was probably impossible to defeat given how divided his focus was (the economic collapse and the two years of obamacare politics come to mind).

It could just as easily be the case that Candidate Obama was free while President Obama is blackmailed.

That's the problem with centralization, with representative democracy. A single point of failure is a bad idea. It's time for participatory/direct democracy.

Yes, but you're missing something. Google, Apple, Microsoft, Yahoo also offered blanket denials. So the fact that FB has a former CSO with some FBI background has nothing to do with the other companies.

Put another way, DNI lying != FB|Google|Apple|MSFT|Yahoo lying.

If we're talking about the same question, he was asked if the NSA collects data of millions of Americans, to which he answered in the negative. This information from Facebook does not contradict that statement.

And to me, that's an important distinction: millions versus < 20,000. I might be persuaded that there existed a few thousand cases in those six months where law enforcement had legitimate reasons to get data from Facebook, for the types of criminal activity mentioned in this post from Facebook.

Does anyone have a link to the congressional hearing that was mentioned? I haven't seen it and would be curious to watch it, in particular the part that was referenced here. I think that the Director of National Intelligence flat out lied in a congressional hearing is one of the scariest aspects to all of this. Obviously he/the NSA isn't scared to lie to us and to the government while under oath. (At least I presume he was under oath.)

Here's the clip. The Daily Show also had fun with it on Monday.


I agree some skepticism is warranted, so I am looking to see what Google and others say. If several big companies all say similar things then we either believe in a much bigger conspiracy or accept their claims there is not bulk access to all accounts.

What are you looking for? The statements have all been made by those companies, and they all deny that any sort of broad data access by the NSA happens.

Either FB|Microsoft|Google|Yahoo|etc... are all lying, or Snowden didn't understand what he leaked. I'm betting the latter.

Facebook's comments do not discredit the leaked materials because even if you treat Facebook as trustworthy, the NSA slides explicitly encourage analysts to use a combination of methods including "UPSTREAM" data collection ("You should use both", the document reads).

The only really interesting revelation here is Facebook's confirmation that the FISA court is bundling approval for multiple users into single warrants. And if we assume that the vast majority of requests are for single users, this is a non-trivial admission. With those numbers, there could easily be a handful of warrants used to grab information on thousands of users.

They have very good reasons to lie if the government threatened Zuckerberg, et al., with the Worldcom treatment.

I'm not saying you are wrong. There is most definitely a chance that you are correct. I guess my point is that I think these companies deserve the right of "innocent until proven guilty." And I don't believe enough has been done to prove they are guilty.

EDIT: I don't think that "innocent until proven guilty" should only apply to crimes. I think the same concept can and should be used in almost all cases of accusing a party of something.

They aren't being accused of a crime (or at least most of the controversy isn't about things that are normally considered crimes), so I'm not sure if innocent-until-proven should necessarily apply.

Innocent until proven guilty is as much logic as law/ethics. There is nothing Facebook can say or do to prove their honesty, but their dishonesty can be proven, eg, someone could leak data which could plausibly only have come from the sort of backdoor they say doesn't exist.

Of course, even if you can't prove anything, it might be prudent to hedge against the possibilities by assuming everything is actually public, but given the sort of things people post publicly (to four thousand of their closest friends and confidants) on Facebook, that might be a pretty low bar.

That's kinda the point: the US Government is threatening to literally put them on trial.

The rest of us are watching all the signs for info to help us develop our own strategy in this not-so-theoretical game of prisoner's dilemma.

Put them on trial? OK, I'll do it; source please?

<marshray> cited a CNET article I wrote this week as a threat to "put them on trial." As the author, I disagree.

If FB received a FISA Sec. 702 order for the contents of nycterrorcell@facebook.com's account, and they disclosed that, that would presumably violate a court order and they would find themselves in contempt of court. For good reason: when there is an actual terrorist investigation (remember the terrorist threat is overhyped and you're more likely to get struck by lightning), you don't want to tip off the bad guys.

But aside from that very narrow non-disclosure exception, there is no threat to "put them on trial."

And if you refuse or actively obstruct the court order?

(I was mainly citing your article to establish the gag order. First hit for https://duckduckgo.com/?q=facebook+gag+nsa )

Ah, thanks. Didn't know it was the first hit.

If you, the recipient, want to challenge the order as invalid, you're free to do so, and there's an appeal process. I was the first to disclose two weeks ago that Google is fighting two national security orders in two different federal courts (SF and NYC). There have been other similar cases. A facial challenge to FISAA 702 (by Amnesty, not the provider) went all the way to the Supreme Court.

You really need to read the applicable laws. My articles link to them. Otherwise it's like talking about the details of mobile app development without knowing how to program.

One can't read the applicable laws, they may not have been written yet. Executives who cooperate get retroactive immunity. Those who don't go to jail for stock transactions while knowing secrets they can't legally share.


(Note I'm not pretending to be a journalist here, just wearing my conspiracy hat today)

There is no trial for contempt of court. The judge can throw you in the slammer for disobeying a lawful order issued under valid authority of the Court.

Sounds kind of tyrannical to me, but what do I know?

The judge can "throw you in the slammer" for Direct Contempt of Court. This is when you are physically in the court room or in front of the presiding judge and do/say something that "disturbs the court." However not complying with a court order is Indirect Contempt of Court and the defendant has the right to a hearing in this case.

So disobeying a court order is contempt of court, but a judge can't throw you in jail without a hearing for it.

Source: http://en.wikipedia.org/wiki/Contempt_of_court#United_States

You can't believe anything these companies say. If they are ordered to misreport info to the public, they will. Remember that companies are not monolithic things. They are made of people, and if anyone or a group try to make a stand they will be hunted down. It's easier to follow along than be honest.

Personally, I won't trust any of these companies until the entire Homeland security dept is dismantled and its component agencies restored to their pre-9/11 statuses.

And although the TSA is not directly part of this spying issue, they need to go away as well. It's all part of the same shadowy cabal and it's time for a clean slate.

I'm not against the principles of the FBI and NSA. They do a lot of good work. But there's too much dry brush and weeds cluttering up their mandates and it needs to be burned out.

There's a lot to be said for cleaning house in D.C.

But contrary to your suspicion, there is no law requiring companies to misreport info to the public. Even AT&T, which illegally opened its network to the NSA, never lied about it, as I showed here earlier this week: http://news.cnet.com/8301-13578_3-57589012-38/nsa-surveillan...

To keep things in perspective (assuming these numbers are roughly accurate...)

The odds of Facebook handing over your data to a government agency are similar to the odds of dying from a shark attack or lightning...

source : http://well.blogs.nytimes.com/2007/10/31/how-scared-should-w...

I still find these numbers fairly high. If cops need a warrant to get into my home why don't they need one to get into my "facebook home"?

I find it darkly amusing that the rarity of these events is being invoked to convince people to moderate their concern, when this situation only exists due to the government's insistence that we treat even more rare events as gravely serious threats to our way of life.

Goddamned that's a brilliant take I hadn't considered. Well said.

> "why don't they need one to get into my "facebook home"?

Because there is no such thing as your Facebook home.

If you're associating Facebook with "your home", they have you by the balls. Google is trying desperately to grab your balls too, so that your Google profile is the center of your online persona. They make incremental, subtle changes to push users towards Google+ to achieve this. The latest change happened this week, where you can no longer have a profile picture on Youtube unless it comes from Google+. They actually removed my profile picture, and popped a message up saying I have to go to Google+ to set up the profile picture again. They replaced my avatar with a generic blue pattern that looks like crap. Bastards. I don't want a Google+ profile. I don't like being forced to use social media services just to have a profile picture on Youtube, or just to rate an app on the play store.

Your "home", digital or otherwise, should be under your control, not sold out to a company. IMHO there needs to be new laws designed to protect our "digital homes" from the very tech giants who facilitate them and change the rules at their choosing, absent user preference and input.

Imagine not being able to get into your own house without first logging into Facebook? Or not being able to use the internet without first checking in with Google? Far-fetched? Not really, it's slowly heading that way in baby steps. The needs and wishes of companies and government first, citizen freedoms and user-control and true privacy second or third, or not at all.

> They make incremental, subtle changes to push users towards Google+ [...]

I wouldn't call it subtle. These steps are very direct and probably successful in that avoiding a G+ profile became really hard.

Well, except that the risk of Facebook handing over my data is uncorrelated with how often I swim at beaches or stand under a tree in an electrical storm.

It's not like someone goes around with a random number generator deciding whether you'll have horrible things happen to you. They depend on your specific circumstance.

"The odds of Facebook handing over your data to a government agency are similar to the odds of dying from a shark attack or lightning..."

How do you know that? What if I have friends, relatives or clients in the middle east and I'm known to be unhappy about particular political issues but never swim in shark infested waters?

This is true. The average Facebook user is unlikely to be affected, but that's not true for everyone. And you don't have to be a "terror suspect" or easily mistaken for one: if you have reason to worry about industrial espionage or Watergate tactics from the US government then your odds are likely to be a lot shorter too.

I don't know what numbers you are using but my calculations are different.

I don't think it matters that there are 1 billion users worldwide. I think it's fair to assume that a majority of local, state, and federal requests affected US users. That number is more like 165 million [1]. Which means the likelihood you are affected assuming a random distribution of requests and you live in the US is closer to one in a thousand.

And that only accounts for Facebook requests. Consider if you regularly visit 10 websites. That might make the odds much closer to one in a hundred.

[1] http://www.quintly.com/blog/2013/02/facebook-country-stats-f...

Why do you assume the NSA mostly targets US users? That's not a fair assumption at all.

I was under the impression they only needed to get a warrant, or, broadly speaking, gave a *k about the privacy of American citizens.

Anyone else, world wide, could have their data accessed without any need for special secret orders.

Am I mistaken? I honestly thought that was the case.

If you're a non-resident alien, they have to get the FISC court to review and approve a FAA 702 order targeting you. The bad news is that there's no standard of probable cause or anything remotely like it: more or less the only thing the FISC is actually even supposed to review and rule on is the likelihood that you are not a US citizen or in the US. The good news is that they still have to issue that FAA 702 order, and fewer than 2000 FAA 70* orders have been issued in any year prior to this one. (That number includes 702s along with other orders which can intentionally target US citizens or residents but involve a higher burden of proof.)

That still leaves the possible loophole of having those 2000 orders cover a huge number of people in a manner similar to the Verizon metadata order (which is a FISA order, but isn't a FAA 70* order and isn't counted among the 2000 https://news.ycombinator.com/item?id=5879366 ). But this Facebook disclosure along with earlier statements from Google and others allows us to cautiously rule that out (though we probably don't have the same clarity on the situation of all 9 PRISM firms).

Of course, none of this tells us much about what they're doing (or able to do) using "upstream collection" at the telcos. Or indeed through similar "direct collection" from non-US Web companies running non-US servers, which I'm guessing (IANAL) would probably be outside US law altogether.

They would still need to issue a National Security Request to compel Facebook to release data.

I agree with your point re: the odds of it happening. It puts things in perspective.

Entire books have been written about the legal standards required. It's difficult to summarize here. One short answer is that the Fourth Amendment is not viewed as applying to non-U.S. citizens abroad. Check out the NSA director's 2006 testimony on nsa.gov for more on this.

> I still find these numbers fairly high. If cops need a warrant to get into my home why don't they need one to get into my "facebook home"?

The COPS do - they are required to get warrants for data requests and those warrants can't be overly broad.

The NSA are not cops, though, and somehow ended up with different rules.

"The odds of Facebook handing over your data to a government agency are similar to the odds of dying from a shark attack or lightning..."

The odds can only be determined by how many requests they rejected. If they approved 100% of the government's requests, then the odds of them handing over data requested by the government are notably higher than lightning or shark bites. All they're waiting for is the request.

But how will you know you're not just a brain in a vat being fed false electrical signals?

You are just a brain in a biochemical vat being fed electrical signals through the sensory organs.

Are they false signals? There are non-negligible priors that support his accusation, such as gag orders and a proven and recent history of lies and obfuscation. I personally think the simpler model of Facebook telling the truth holds more weight -- to the point of a conspiracy of this magnitude sounding more than a little silly -- but there will always be a shadow of doubt to some, and not fully without reason.

Then what is going on? What did Snowden risk his life for? Is he just a silly person?

Presumably the same way he goes about answering that question now.

And it's very easy to release misleading statements like this. It's great to know about all the "user data requests" from law enforcement, but they mention nothing about the allegation that NSA didn't need to submit these requests.

Yep. If you can't legally acknowledge the request, leave it out of the data you report.

Or walk the line by conveniently reporting your data for a six month period that doesn't include the NSA request for all user data now and in the future.

If there's slipperiness in this statement, I think it's probably in the use of the term "user data requests".

>The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand [user data] requests was between 18,000 and 19,000 accounts.

Is a "user data request" a request for data about a specific user? Would the request "give us the names and birthdays of everyone that has searched for 'discontent with government'" constitute a user data request? Or would that be a "search term request"?

I'm not sure I think this is slippery language, but there's definitely room for that interpretation.

If there is slipperiness it's the fact that the guy who wrote this and is Facebook General Counsel, Ted Ullyot, used to be G.W. Bush's right hand man.

If character assassination is wrong when they do it to Snowden, why is it right when you do it to Ullyot? Did he lie or did he not?

I don't view it as character assassination so much as suspicion by association. He was part of the group (Bush + Obama Administrations) that pushed for these programs. It makes him more suspect to be lying than a random person. It's not proof of a lie, just reason for scepticism (grain of salt and all that).

The stuff about Snowden doesn't even make any sense. The fact that he's a high school drop-out doesn't matter. Some people who drop out of high school have a lower intelligence, but that doesn't imply that Snowden does. The fact that he worked for the CIA, the NSA, and as a NSA contractor actually implies that he is either intelligent or the CIA/NSA are incompetent. Even if Snowden was of lower intelligence, it would imply that there is less likelihood that the documents are elaborate fakes, and more likely to be the real deal.

I was just bringing the point to light for discussion.

I consider myself unusually sensitive to slippery language and have called out--on HN--several fishy denials by tech companies that I thought were laughably weasely, including Facebook's previous statements. But I'm not seeing it here. A user data request is a request for users' data, and I don't see a way around that. Additionally, this is remarkably unambiguous:

> ...this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request

The only wiggle there is "subject to", and it's not much. So right, they could always be lying, but I don't see much room for interpretation.

More broadly, at some level, we're always going to be dependent on companies to be honest about what they do with our data. Not trusting them is fine, but that's not really a question of transparency or policy; it's just a question of corporate integrity. We should instead focus on what we can concretely hope to control:

- Transparency, which means a) we know exactly what the rules are governing what the government can ask for, b) a detailed accounting of what they actually do ask for, and c) the range of data that can be requested and a precise account of what the standard for requesting the various kinds of data.

- Reform, by which I mean changes to the rules about what can be accessed by whom and under what conditions, with an eye towards individualized requests for specific data, the way wiretaps have been handled (until recently) for a long time. The domestic/foreign distinction should also be removed as part of this point.

- Accountability, by which I mean that companies should never, ever get any form of immunity from law suits. Companies should be liable to their customers about privacy issues, and they should face real consequences if they lie about it. I think this might be the heart of the trust issue.

- Oversight, which is largely colinear with transparency, wherein there is a meaningful adversarial process for balancing the issues of privacy and security, as opposed to the lame, secretive rubber stamping we have now.

- Scale. Last but not least, the relative values of privacy and security are way out of whack, especially given how few people terrorism has really killed and how small of a threat thoughtful analysis reveals it to be (or even the extent to which "terrorism" is a coherent concept). So we just need to raise the bar on what constitutes a reasonable seizure of data.

All of that is stuff you could reasonably pass laws on, so some of the nihilism in this thread is unfortunate. Maybe we'll get all of those reforms, or some of them, or maybe none of them; I don't know. But if those are genuinely our aims as a people, we should see Facebook's release as a real step in the right direction on three of those fronts. If they're lying, of course that sucks, but I'm not sure what we hope to do here besides pushing for more accountability. But in the meantime, kudos to Facebook.

> but they mention nothing about the allegation that NSA didn't need to submit these requests.

That's because everyone has already denied that claim. If you didn't believe them the first thousand times they said they don't do that, why would you believe them if they said it yet again?

You should look at this in the context of the company's earlier blanket denials.

I wouldn't trust them even after all the agencies are dismantled. New agencies get made and who knows what they'll turn into?

The only thing that would work is some kind of widespread ban on the use of gag orders, non-disclosure agreements, and similar legal devices by our government. And for what, so we can trust our own corporations to at least say what is in their own best interest? So then you also have to ban the use of funds to keep them silent. Really, the whole thing is a mess.

>Remember that companies are not monolithic things. They are made of people, and if anyone or a group try to make a stand they will be hunted down. It's easier to follow along than be honest.

Hunted down? In the bay area? As a software engineer? You must be new here.

New rule: anyone who uses a computer for a technical reason may be in on the conspiracy.

Neither the NSA nor the FBI are part of the Department of Homeland Security.

A great deal of the comments here border on being ridiculous conspiracy theories. I know that when it was "revealed" to us that the NSA had direct access to Facebook, it was a green light for many to share their formerly private conspiracy theories as if they were now completely validated. With the revealed claims being bogus, the "validated" conspiracy theories are once again naked.

Of course, it comes as no surprise that when the sensationalized Greenwald claims were walked back we'd hear that it was all a cover-up and the NSA is threatening to throw Zuckerberg in jail and drone strike Snowden, etc. There is literally nothing that could possibly happen that would convince some people that Greenwald was full of shit.

I hope Edward Snowden sees this. He and Glenn Greenwald should be proud.

The economics of surveillance have now changed because it comes with reputation effects on US based companies.

Yes and these ass holes will keep lying their teeth out and now no one will believe them.

That's a massive load of shit, the 'economics of surveillance' is a drop in a very large bucket.

Most people don't give a shit about surveillance and half the people that do care think it's great.

This blog post is damage control to avoid getting banned across the world since it's become painfully clear that Facebook is inseparable from the US Government.

Most people don't give a shit because it does not affect them. If we can show them that it does affect them, their opinions will change. And it does affect everyone, because if you have to worry about explaining what you say to other people or face consequences then freedom of speech and freedom of conscience is effectively dead.

From first-hand experience, Facebook is overly protective of user data when it comes to state and local law enforcement requests (I obviously don't know about the NSA side). They provide very little on initial subpoenas and require warrants for anything more. In fact, most law enforcement are angry at how little Facebook will reveal about a suspect.

If you don't mind me asking, what level of law enforcement are you involved in? Are you an officer or do you work more on the DA/attorney side?

Just curious, that's all.

I support Crimes Against Children investigators on the tech side. I'm a civilian.

With all of the secrecy and secret gag orders, and all of the blatant, proven lies, how on earth are we supposed to trust anything anyone says about this issue?

Why aren't people getting fired and prosecuted for lying to the American public?

Because the American public simply doesn't care.

As a Brit this is the attitude the US is currently projecting.

Of course as a brit I suspect our programs are far more invasive than anything the NSA has cooked up (so far).

*insert reference to 'Spooks' here.

While I've never believed their statements...

..by their own account this is ~50 "intercepts" per day, on facebook alone... that's more than 2 per hour, every hour, for 6 months.

That's a remarkably low rate, considering that it includes all levels of law enforcement. For instance, around 2000 children are reported missing in the US every day. I would expect a lot of those to lead to local police to ask to see the child's Facebook data, and that alone could account for most of the requests.

Now throw in all the other ordinary crime local police deal with every day, and I'm completely astonished that Facebook only deals with 50 requests a day.

And now you see why they've tried to automate the part of the process that could be automated.

All this conspiratorial thinking is all very X-Files "I Want to Believe" and stunningly short on rational thinking. Consider:

1. Let's accept that Facebook, Google, Yahoo et al are rapacious profit-oriented corporations who could give a crap about anything but their own self interest. Fine.

2. At this point, given the statements made, in order for there to still be some kind of "back door" direct access to all of their DBs by the NSA, it would involve direct, bald-faced, massive lies to the public about its existence by top management.

3. What would the cost to these companies be if these were revealed to be massive lies? I'm not talking about the government granting immunity from prosecution, which most commentary seems to focus on. I'm asking, how would customers react?

Answer: Their business would blow up. Revelations of lying at this scale, completely destroying their credibility, would literally threaten the entire existence of their companies. It would be a stupendous business risk to take on.

4. What is the probability that such a massive lie would be revealed? Consider that to facilitate broad access to company datasets there would need to be a bunch of technical staff in on the conspiracy -- and not just at one company. This allegedly involves most of the major Internet companies. A whistleblower at any one of them would blow it for everyone.

So, in order for any one company to participate in the conspiracy, they would need to take a bet-your-company risk that all the other companies would keep a lid on it.

5. Finally, now that we've reviewed the downsides, what's the upside? What would the benefit to these companies be of lying? Some commentary has suggested they obtained privileged information about competitors or foreign attackers (e.g. Google & China). Ok. How does that benefit compare to the risk of nuking billions of dollars in value overnight if your company's credibility with customers is utterly destroyed?

I am all for more public oversight of the secret courts governing these requests for data. The Verizon order is extraordinarily broad, and we can't have much confidence that even the relatively small number of monitored Facebook accounts aren't abuses. But this idea that Facebook, Google etc. are lying to the public about their role just doesn't stand up to scrutiny.

Hackers built Facebook. They hire hackers. If there's a group that's hardest to pigeonhole in terms of beliefs it's hackers.

The idea that a company composed of hackers could have not a single whistleblower, no single person that objects so strongly that they must speak up regardless of their personal situation is betting against human nature. Nay, hacker nature.

Freedom ain't looking good nowadays, but this is not the vast conspiracy it may seem.

Large companies keep government secrets every day. What do the employees have to gain? It's called not going to prison. There are ~4M cleared individuals in the US right now. They keep secrets every day. It would not be hard to put a team into place of cleared workers and literally seal them away in contained rooms and tell everyone else to go away. They're called SCIFs. You go in and leave your cell phones outside with any other electronics and do your top secret work. On the outside they appear as normal offices. My point is, this industry already knows how to work without you knowing anything. You're basing your hunches on faith and naivety about how intelligence agencies work.

I think frankly it is you who doesn't understand how intelligence agencies work. Massive conspiracies have leaks. No agency would set up something as broad and involving as many people as you describe and expect it to stay secret.

Also problematic is your theory about motivation. That Mark Zuckerberg and his chief legal officer are compelled to take bet-the-company risks and lie to their shareholders under threat of prison. There is no such law. They are only restricted in how much they can reveal about the requests for info.

1. It wouldn't have to be a massive conspiracy. It would just require access to the data through a few people. It's called compartmentalizing and it's how they work.

2. There certainly are laws that govern classified information and the gathering of it. Leaking US government secrets is against the law, period. Are you arguing that's not the case? Verizon was required to assist the government by law. What makes FB and Google+ exempt from the same rules?

You can dig further and find out I'm not just making stuff up. This really is how they work, frankly.

Google and Facebook are not intelligence agencies.

Yes I'm aware of that. Verizon isn't either, yet they do plenty of intelligence work.

A fraction of a percent of US citizens are wrongly incarcerated. I'm not sure what relative numbers even mean here. 19,000 people under scrutiny is still scary to me.

It's scrutiny beyond national security and secret requests.

Facebook gives some good examples of requests that aren't NSA or FISA based, e.g. "a federal marshal tracking a fugitive". Given the appropriate legal paperwork, should it be scary for a federal marshal to request access to a fugitive's Facebook data to check things like last login time and IP address, or private messages?

To really decide how "scary" it is, we need to know what proportion of the requests are related to what kind of thing, and of what scope are the requests. Unfortunately, Facebook has still not been permitted to release any of this data.

Unfortunately it's not a fraction of a percent.

2.2 million people in prison in the US at the moment.

That's probably about 1.5 million that are "wrongly" incarcerated (extrapolating based on the number of people in prison before the war on drugs began, and what it should be today based on population growth). They're political prisoners.

This graphic nicely sums up the obviousness of that:


Well that's my whole point; half a percent of the population, which is what I also calculated when writing my original comment and consider a fraction, being wrongly incarcerated is an atrocity so Facebook's "fraction of a percent" means nothing to me.

Technically 2.2 million is something around 7/10ths of a percent.

The trust is gone. They shouldn't have waited until they were caught red-handed to come up with some numbers. Doesn't even matter if it's correct now. No one will believe them.

If there is no way for them to regain trust, or make people whole in any way at all, then what reason do you leave for them trying to improve transparency? What should the Zuck do, commit seppuku? Is that what would make people happy going forward?

I don't think it's Zuck's fault and there's nothing he can do, but he's still going to hurt for this. It's a political and governance problem and can only be solved at those levels.

Until we're sure that intelligence agencies can't lie at senate hearings, secret courts and laws don't exist, and we're sure the government can't force CEOs to lie, we just can't be sure.

And until foreigners get the same right to at least a judge overseeing a warrant we're going to see a move away from US companies no matter where in the world they are.

How do you regain trust in any relationship? Usually it's a combination of time and repeated demonstration of truthfulness. Right now, no one knows what happened behind closed doors, and the suspicion is still high.

There is no way.

The government has already shown us how they are fully capable of lying, and even worse - forcing companies under their control to lie.

Non-US company CIOs will be having long conversations around their previously hyped US/five eyes cloud based infrastructure. The stories around US (five eyes too?) companies getting free corporate intel for favours - presumably on their competitors - won't have helped.

The sucking sound we're hearing is trust in anything related to five eyes related corporate infrastructure having any integrity at all.

Yes, it's pretty clear that the DNI lied to Congress. But it is untrue that FedGov can force companies to lie. Neither AT&T nor Verizon lied: http://news.cnet.com/8301-13578_3-57589012-38/nsa-surveillan...

Did you read the PRISM denials?

It was very obvious that the companies were told exactly what to say. They might not be lying in a grammatical legal sense if you parse their words, but they were clearly told by someone how to deny everything.

I've read all of them. I've written about them. They're categorical.

> The government has already shown us how they are fully capable of lying, and even worse - forcing companies under their control to lie.

The government can, and does, lie.

The government can NOT force other companies to lie. Nor is the claim that Facebook & others are under the government's control remotely supported by anything resembling evidence.

Trust is fragile, even when you're talking about the relationships and reputations of a business.

Donate his fortune to the EFF and start from scratch. Of course, that will never happen so for now, if you're concerned with security, you need to find new services to use.

>...Donate his fortune to the EFF and start from scratch. Of course, that will never happen...


Would it be legally contrary to shareholder value? I think this is a terrific idea for all of them to do. Zuck and the others appear genuinely upset from Snowden disclosure blowback and are frustrated at reclaiming their users' trust. These may be their best cred ROI. Perhaps someone experienced could organize this. EFF ...itself?(?!)

> what reason do you leave for them trying to improve transparency?

To decrease the mistrust.

Facebook hasn't been fully trustworthy for a long time, if ever. That's normal - I don't think any company really is.

Total bollocks. The statement simply discloses some more specific numbers about procedures that were never secret to begin with. The fact that a law enforcement agency could get a court order for an individual's data was never secret: it was even in the online documentation for the site!

Why is this surprising to anyone? I mean, bloody hell, anyone who's watched Law & Order should know that there are lawful procedures for these things.

There were lawful procedures for putting people onto trains to Poland. Lots of paperwork and rubber stamping.

Of course the public didn't find out what was going on in Auschwitz until the end of the war.

Where is the substance behind the statement "the trust is gone"? Has there been mass voluntary closings of Facebook accounts? Did their stock take a hit? Are their actual customers, the advertisers, even fazed? I somehow doubt that we can attribute this release entirely to the fear of trust loss in their "user"base.

You're behind the times if you think people had trust in Facebook before this latest round of issues. I've had friends and family closing their accounts and not returning in a slow dribble for the last two years.

Go have a look at your friends list, see how many accounts are inactive but still listed. Most people I've done this come in around the 10-15% of contacts in that inactive state.

Mine has been growing slowly with most people not reactivating accounts. It started out around 5% a year or so ago, and was headed up towards 15% before I just deleted a bunch of them and screwed my metrics.

Doing that should give you a metric you can start to track yourself without taking anyone else's word for it.

An interesting thing I've noticed is with married couples, the less socially motivated of the pair will usually close their account and get their partner to do all the leg work for them. Generally it's the husband that closes the account, but sometimes, in the case of my mother, it's sometimes the wife that closes.

My mother did something novel I thought for handling family photos. She has started uploading them into a shared drop box account. I literally get notifications while I'm sitting at work that new photos have been sync'ed. I'm quite enjoying that form of photo sharing ATM.

These anecdotes are interesting, but do they address my comments? I'm talking about everybody.

> Where is the substance behind the statement "the trust is gone"? Has there been mass voluntary closings of Facebook accounts?

Do you think there is a link between people "trusting" Facebook (whatever that would mean) and people not closing their accounts?

What do you think I meant by "trust"? What I believe I meant was: Sufficient assumption of good will, respect, and principle on the part of Facebook's staff such that their private messages, restricted-access content etc would stay that way in accordance with the privacy they expect living in the U.S. If their expectations are too low, and/or most people are simply uninformed, couldn't it easily be the case that people-in-general are really just no more Facebook-averse after this past week?

I completely agree that there is a huge problem that this whole situation had to be leaked, but in all fairness to these companies I seriously doubt they'd have got anywhere attempting talks to achieve this sort of transparency before it leaked.

Disdain with `Facebook trust' Hapless inane ad-feeds? Well, you too, you can reciprocate Clapper-speak. I was a youngster in the Warsaw ghetto, memories of forced labor clearing stones as a five year old, and for the past five months, I was a little girl. Watch your ad-feed adapt. Anyone I care about knows the truth, all else is noise.

> a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months.

Nice try, Facebook. Key words, in the past six months. The NSA could've requested a continuously updated copy of all user data more than six months ago.

But it says "were the subject ... in the past six months".

"were the subject of [a] request", not necessarily the subject of the data the NSA is reading.

I'm pretty surprised they've been given the go-ahead to release this. Typically, these agencies would never consider such a thing, especially under pressure.

If I were more trusting, I suppose I would see this as a nice evolution toward a more transparent state of affairs. But it's uncharacteristic of these agencies and the state of affairs that has been going on.

I find it hard to believe they would move so quickly to pull back some of the secrecy they've imposed if they weren't expecting a great deal of scrutiny for what we've yet to learn.

It's already been reported that you can expect to see more disclosures from the DNI and NSA next week. I think the government understands that the past week has been bad for them - and that it's bad for all of us if Americans have reason to doubt their government.

You can also look at it as they would like a chance to correct bad impressions given by inaccurate or incorrect reporting (we can't really judge this yet).

Am I to understand that this:

>The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.

Is global? As in, 19,000 accounts in total across the globe over the past six months? The description of the requests is "all U.S. national security-related requests (including FISA as well as National Security Letters)." Or is this just the number of persons 51% likely to be a US citizen?

It says "the total number of user-data requests Facebook received from any and all government entities in the U.S.", which I take to mean the target accounts may or may not be US citizens, but the requests came from US government agencies.

International government agency requests, which I assume they also comply with in certain situations, would be not included.

Yes that is global 19,000 accounts in total USA and non-USA citizen.

Ted Ullyot, Facebook General Counsel


"From January 2003 to January 2005, Ullyot worked in the White House as associate counsel and as a deputy assistant to President George W. Bush. He then served as chief of staff to U.S. Attorney General Alberto R. Gonzales."

What point are you trying to make here? Are you just saying that Facebook's general counsel has ties to the Government? Because if so I fail to see how that relates to the current controversy. Many people have connections, and previously worked for the Government, and didn't have any knowledge or control over any of this.

People were discussing the legitimacy of this release. I read the release, googled the author's name and I thought his history relevant to the conversation. Not just ties 'deputy assistant to President George W. Bush'.

Is there any practical way for them to actually prove this is the complete number, rather than the number they're allowed to tell us about?

What would you accept as proof?

Vivisection. Public vivisection.

Strap these organizations down and cut them the fuck open with no regard for their wellbeing. If the procedure kills them, then so be it.

There is a threshold past which live dissection (https://en.wikipedia.org/wiki/Stasi#Recovery_of_the_Stasi_fi...) is the only way that trust can be restored. I assert we have run across that threshold. And before anyone whines about it; no, we are not as bad as the Stasi yet. The Stasi do not represent the position of the threshold, they were miles past it.

Incidentally, this would be a great advance on Zuckerberg's professed goal of making the world a more open place. Safer or better would be arguable - more open would not be.

Oh, don't get me wrong, we certainly should not start with Facebook.

Going after Facebook would probably be unnecessary after we were through with the accused government organizations. At that point Facebook's innocence would either be clear, or it would be clear that Facebook was a victim in this. If we found reason to believe both of these were not true, then we could pursue them as well.

I think the exploration of the answer to this question is about the most frightening implication of this whole mess

That's the problem. I don't think we can accept anything at this point. We literally cannot trust our government, or the corporations under its control, to be telling us the truth.

I don't think we can accept much as proof now seeing as the trust between client and service has been broken. Hopefully this whole debacle will drive new zero-knowledge services to take over. Let us use your servers and tools, we can handle the contents of our data.

This simple question raises so many interesting problems.

Perhaps I should defer to Jean Chretien... "A proof is a proof. What kind of a proof? It's a proof. A proof is a proof. And when you have a good proof, it's because it's proven."

Honestly though - I don't know. It's why I asked.

Possibly they can't, because how do you prove you're not lying other than saying you're not lying? It's not like there's some sort of an unshakable, absolute truth hardware log that details every single data access.

> how do you prove you're not lying other than saying you're not lying?

There is something called "evidence" used exactly in those circumstances.

Of course, I have no idea what kind of evidence those companies or the US government have, they are not telling anybody. And that is evidence that they are lying.

You could file a FOIA request and find out.



Assuming we believe the numbers, it seems pretty clear PRISM was not the drag net it was originally portrayed as. 19k accounts over 9k requests is not mass access.

There is, however, a readily confirmable and somewhat plausible alternative: Facebook's numbers are low because no one the NSA is interested in (e.g. AQ, China, Wikileaks, maybe even Occupy) uses Facebook heavily.

If Google and Microsoft aren't allowed to release numbers, then we should actually be concerned about this possibility.

It makes me kind of cynical that suddenly the security agencies get all friendly and start being "flexible" when they suddenly realise it's in their own political interest to do so. Until exactly this point they would have put people in jail for even mentioning these numbers. Now, oops, that was a stretch too far, we can all be reasonable can't we? So was it about security in the first place? or not?

The issue to me is if the so-called "upstream" actually stores all the raw SSL data, and how fast it's decrypted. This is apart from any corporate cooperation, except for the Mark Klein AT&T splitter variety. (Unless of course Google, Facebook, etc are handing over their private SSL keys.)

> a local sheriff trying to find a missing child

As worthy as these cases might be... this is not a national security issue. This kind of case should never use any law regarding national security. This is a regular police investigation, and as such, should require a regular old subpoena or warrant.

They did not say that those requests use national security laws. They are just giving us the total number of accounts they have released information on regardless of what law was used to compel release.

Ah, you're right, now that I read it closer, that is the case. Thanks for the clarification.

> "We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive"

God Damnit! When did we start using the total number of violations of the fourth amendment as the yardstick by which we measure its importance or relevance to a reasonable expectation of privacy? "Hey, hey, hey... we ONLY violated 'x' number of people's rights. Not the 'x' times 'y' you are accusing us of doing, therefore..."

Putting that aside for just a moment, their response lumps in and equivocates the well-intentioned, and IMHO well-justified, search for a missing child with fourth amendment violations of millions of Americans under the guise of national security and terrorism.

They still don't get it. The government still doesn't get it. Feigning outrage is not a good transparency policy.

I've never once considered myself a Libertarian. It's never so much as crossed my mind. I'm not even an excitable or rash person. But the recent exposure of the breadth and scope of the shielded activities of the NSA has caused me to give a long, hard, well-reasoned review of how I vote.


Apparently, it was an agreement based on negotiating between the companies in question and the US Government. It makes me sick to my stomach that in spite of the relative uselessness of the exact count of requests, that the Government is just as interested in presenting a positive spin as they are claiming that acknowledging the mere existence of the requests presents a risk to national security.

"the total number of user-data requests Facebook received from any and all government entities in the U.S."

It's common for 3 letter agencies to set up a corporation to handle their dirty work. I wonder if a front organization would be considered a government entity?


But Facebook does not need to answer any request from a non government entity.

More than that, they vigorously oppose such requests in court, as my article here revealed: http://news.cnet.com/8301-13578_3-57518086-38/facebook-fight...

Great to see these numbers from Facebook - hopefully now Google can do the same, and report numbers that should have been public in the first place (and that they probably would have liked to make public). I can't see any justification for saying that they're lying, and frankly think it is verging on conspiracy theory to say they are, why would they bother releasing anything at all? Though broader in scope than many (including myself) would like, this tallies with their initial statements, and with a system as described in the PRISM documents (which are pretty vague anyway). Of course this isn't the entirety of the information the NSA is collecting, and probably not the entirety of data from Facebook if they are also harvesting traffic, but it could very well be everything Facebook knows about.

The thing that worries me most about all this collection is that the NSA probably never deletes any of its data (as evidenced by their massive storage facilities being built), so eventually they can build up quite a large store of complete data on people if they just keep collecting from various sources gradually over time.

They don't publish all requests including FISA requests, I think they're still negotiating about that. See the first sentence of the page you linked.

I wonder if this is something that Google and Co. will also be allowed to do?

They already do. Google have been publishing statistics and reports about this stuff for a while:


None of this is relevant though. These are legal requests. The issue that people should remain focused on is whether or not the NSA has illegal, ongoing, unfettered access to wholesale data under PRISM or other programmes.

Google does not publish information about requests which come with a gag order. They were the first to request the ability to publish that data several days ago, followed by Facebook and others shortly after. Facebook is the first to publish updated statistics with the numbers from National Security Letter and FISA warrants included after being granted permission. Google presumably will do so soon as well.

Incorrect. Google disclosed NSL summary stats months ago. As you say, FISA stats are next. I'd expect them this evening.

I stand corrected. They do indeed have the NSL stats, in the somewhat useless 0 – 999 range, here:


Yep, but it was more than any other company in the history of this country has ever disclosed. And give them another 48-72 hours from now to divulge more info.

Oh, I agree. I think it's great they're disclosing what they can and pushing to be able to disclose even more. The "somewhat useless" remark was directed more at the restrictions preventing them from divulging more than at Google themselves.

Google was only allowed to release some of this data. FISA requests were not permitted.

>we can now include in a transparency report all U.S. national security-related requests (including FISA as well as National Security Letters) – which until now no company has been permitted to do.

So, this is a change, albeit still a limited one.

I imagine they're all getting the go-ahead.

The whole concept of a secret warrant is repugnant. A pox on both of them.

They don't have to be lying.

19k over 6 months is still quite a large number, I think.

All you need to remember about Zuckerberg and Facebook from his quotes here:

Zuck: Yeah so if you ever need info about anyone at Harvard
Zuck: Just ask
Zuck: I have over 4,000 emails, pictures, addresses, SNS
Friend: What? How'd you manage that one?
Zuck: People just submitted it.
Zuck: I don't know why.
Zuck: They "trust me"
Zuck: Dumb fucks

I actually don't see anything particularly wrong there. If I were to set up a page asking for personal info, and a bunch of college students (supposedly more technologically informed people) were to give them to me, I'd consider them somewhat dumb as well. It's not that I'd do anything wrong with the data, but they didn't know that.

This doesn't mean I support him or Facebook; I certainly don't.

He was 19 years old.

He's 29 now. Think about that for a second.

Zuckerberg, perhaps. Facebook, as in the current Facebook entity, absolutely not.

The principle still applies: the information has been submitted, collected, and is accessible to those who ask persuasively enough.

You say those who ask persuasively enough, but we only know they've given data to governments, they are legally obliged to do so. I wouldn't say that's the same in any way as giving it to friends.

I'm waiting to see what the EFF says about this. Is all the information there? I hope that's the case.

Good call. This whole situation is so messed up that the EFF is one of the few agencies I trust. I'm glad to see there's healthy skepticism about the validity of this release though.

Why are they only offering figures for the last 6 months?

If it's anything like the last 6 months stock market volumes well it doesn't mean shit; it's probably intended to mislead everyone from the mega volume spikes that often do occur. 5 years data might be worthwhile.

It is interesting to note what the number of requests is, however, it shouldn't put anyone's mind at ease. This is as much about what the government can do as it is about what they have done.

Even if the program has been used "judiciously" by the government to this point (if such a case can be made), it is ripe for abuse. Our protection should come by the law itself, not by the judgment and whim of the Executive (i.e. those executing the law).

Otherwise, we are not much different than a monarchy, hoping for a just king or queen.

I would be interested in what Facebook and other internet companies (or anyone else who has a clue) have to say to this article:

"PRISM: Here's how the NSA wiretapped the Internet" http://www.zdnet.com/prism-heres-how-the-nsa-wiretapped-the-...

It's a very convoluted and speculative article, but I wonder how much of it is realistic.

CNN's news report is pretty good, with coverage of MS' and Google's responses. http://edition.cnn.com/2013/06/15/politics/data-tech-giants/

I'm surprised that Microsoft's own statistics released about an hour ago haven't made their way to the HN front page: https://news.ycombinator.com/item?id=5883894

Based on everything else I've read, NSA is still sniffing traffic off the wire or something similar.

It's nice that Facebook is pushing for a little more transparency, but they could be telling the absolute truth here and the NSA could still be getting all the data.

From Mark Zuckerberg:

  > I want to respond personally to the outrageous press reports about
  > PRISM. ...

Mark Zuckerberg should apologize for calling the activities of the free press "outrageous".

1% of 1.1 billion is ~ 10 million? Doesn't seem like a tiny amount.

A fraction of 1% the release says.

The "less than one percent" claim is based on the total number of GLOBAL users and the total number of requests made by U.S. officials. It is misleading.

I think these are true numbers. I assume that everything I put on Facebook is prone to public dissemination anyhow. The whole point of the site is to share your data.

> from things like a local sheriff trying to find a missing child

So ... why do they need to hide a request for something as 'innocent' as this?

They don't, but were either not allowed or not willing to publish the number of requests excluding the non-secret ones or the breakdown of the total number into "innocent" and otherwise.

So if people don't trust them, figure out how to verify this. Hint: they are publicly traded companies.

Those numbers seem odd. So almost 2 persons are the subject of every request?

"Submit profile data for user $FOO and all users $FOO has messaged from $DATE_1 to $DATE_2". I'm assuming it's something like that.

It's possible that some requests they aren't counting as hitting any accounts.

How much longer till a similarly-worded release from Google?

Everybody here seems to be distracted. The law abiding requests disclosed here could still be served alongside a covert operation. This has no impact on the PRISM scandal.

I think this is intended to be comforting, especially for corporate entities as they feel scapegoated into bad light by the government, but there's very little for the public to acknowledge these numbers. I'm not saying Facebook is lying, I'm saying the people giving Facebook the numbers are probably lying. There's no way to tell.

Facebook know how many requests they've responded to. If there is any dishonesty here, it's coming from Facebook. They might have been told to give false numbers, but they've got the correct numbers.

There's the shared-private-keys argument, by which they wouldn't actually know how many requests were made. I haven't been following very closely so I don't know if the private keys thing was specifically denied - was it?

As far as I know, they deny any sort of blanket availability of data - so a shared private key would seem to be denied under that guise. I think claiming a number as they have, and a number of affected users, would also be denial of that. Circular logic, but we can't do much better. If they're lying and just made up these numbers, there's nowhere to really go with that.

Why give false numbers when you can give true numbers for only a six month period? Just leave out the NSA request for all user data that was made earlier.

What people would be giving Facebook the numbers? Those are Facebook's own stats, compiled by their own legal department.

... or so says Facebook's legal department ;). How can we tell?

Simply put, we cannot.

Well this is 100% bullshit
