This is getting overlooked, but a 2009 NYT article claimed an NSA analyst looked through Bill Clinton's email out of curiosity (he was caught). I think this is very revealing.
Think Facebook and the DMV. As controls mature around the process, trolling through the data becomes relatively easy to enforce. My understanding is that in most state DMVs, looking up the driving record of a public figure or similarly flagged individual by some clerk is immediately detected, and "curiosity" lookups on friends and family eventually get caught by audit.
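As an added illustration of the two-tier control the comment describes (immediate alerting on flagged records, slower audit for "curiosity" lookups), here is a Python sketch; it is not code from this thread or from any DMV, and every clerk, subject and log line in it is constructed.

```python
"""Audit-detection sketch for record lookups.  Added illustration, not
code from any real DMV or agency; all log lines and names are constructed."""
from collections import Counter

# Constructed access log: (clerk_id, clerk_surname, subject_id,
# subject_surname, ticket).  A ticket is the case/transaction number
# that should justify every lookup; empty means no stated business reason.
ACCESS_LOG = [
    ("c101", "Rivera", "S-4001", "Doe",    "T-88"),
    ("c101", "Rivera", "S-9001", "Famous", ""),      # flagged subject, no ticket
    ("c102", "Nguyen", "S-4002", "Nguyen", ""),      # same surname, no ticket
    ("c102", "Nguyen", "S-4003", "Smith",  "T-91"),
    ("c103", "Okafor", "S-4004", "Lee",    ""),
    ("c103", "Okafor", "S-4005", "Patel",  ""),
    ("c103", "Okafor", "S-4006", "Garcia", ""),
    ("c103", "Okafor", "S-4007", "Brown",  ""),
]

# Records of public figures or otherwise protected people.  Any access
# is alerted on immediately, ticket or not.
FLAGGED_SUBJECTS = {"S-9001"}

# Threshold for the slower "curiosity" audit: more than this many
# lookups without a ticket by one clerk in the reviewed window.
UNJUSTIFIED_LIMIT = 2


def immediate_alerts(log):
    """Lookups of flagged records: detected on every single access."""
    return [(clerk, subj) for clerk, _, subj, _, _ in log
            if subj in FLAGGED_SUBJECTS]


def audit_findings(log):
    """Batch review: ticketless lookups that look like curiosity.

    Two heuristics (both assumptions of this sketch): clerk and subject
    share a surname, used as a crude friends/family proxy, or a clerk
    exceeds the ticketless-lookup limit for the window."""
    findings = []
    ticketless = Counter()
    for clerk, clerk_name, subj, subj_name, ticket in log:
        if ticket:
            continue
        ticketless[clerk] += 1
        if clerk_name.lower() == subj_name.lower():
            findings.append(("possible_personal_lookup", clerk, subj))
    for clerk, n in ticketless.items():
        if n > UNJUSTIFIED_LIMIT:
            findings.append(("excess_unjustified_lookups", clerk, n))
    return findings


if __name__ == "__main__":
    for alert in immediate_alerts(ACCESS_LOG):
        print("ALERT", alert)
    for finding in audit_findings(ACCESS_LOG):
        print("AUDIT", finding)
```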
This information is being passed on to American corporations. This is very old news.
Economic espionage is a big part of what intelligence agencies are doing all day.
With the exception of the handful of Members on relevant intelligence committees, most Members of Congress were not aware of the massive scope of this program, or even that it existed in its current form.
Access to this type of information by a private citizen would require a hell of a lot more access than writing a big check to a Representative can get you.
And while it's certainly possible that they will all simply be told to shoo (and I didn't assert otherwise), a large number of big, clouty US companies (not individuals) hinting that they would like to see some more results from PRISM aggregates to the kind of political pressure that I'm not certain Congress will simply ignore.
They could probably still get access to a very limited number through some pretext, or with cooperation from other staff (like sysadmins or the reviewers), but it's less of a risk with NSA I think than it is with other agencies.
When I was head of an IT division within Lockheed (non-classified) I could have accessed anything - with admin accounts I was the sole owner of. I was ethically precluded from doing so...
At a company where there is "open access" with "logging the shit out of access" (e.g. Facebook) -- then this situation could arise where an arbitrary employee could access any data, assuming they had the knowledge of where to find the info they were looking for, didn't get caught and the logging was either faulty, ignored or fictitious -- or the employee used an account other than their own to avoid suspicion.
It would be interesting, actually, to understand to what deep level of privs B.A.H. - as a company - was afforded to NSA data/systems/programs/etc...
One thing I am not clear on is how this employee of a 3rd-party defense contractor (albeit, supposedly the biggest to the NSA) was able to access information that is considered to be so deeply secret to the USG? Is this an indication that a significantly "important" program (PRISM) was, for the most part, outsourced to be run by contractors such as Snowden within BAH?
Did Snowden systematically seek out, deftly, access to information over a long period of time through his privs afforded him as a sysadmin? This to me is the most intriguing and unknown part: For how long was Snowden planning this? Was this something he truly accomplished on his own? Or was there a cast of supporting characters that we are unaware of?
If there are no supporting characters who helped him put this together - then this guy is one of the most brilliant high-school drop-outs I have heard of.
If there is a cast of supporting characters, were they operating as whistleblowers in support of the seemingly patriotic reveal that we have thus far seen?
Or was there a supporting cast of characters that have helped Snowden architect this whole event, masterfully - it seems, for a motive that we, the outsiders, are not yet aware of? There seem to be three possible realities if this is true:
1) Snowden plus team is a smokescreen designed to purposefully air this info to further the surveillance agenda by seeing how far the world acquiesces to it. Stir up a reaction that can result in tighter controls of liberty when protesting pops up and the USG can claim that these are all threats to our national security and these efforts are vital.
2) Snowden plus team are truly patriots and heroes and are looking to stop the furtherance of USG/tyranny over individual freedom and are airing this info to allow for an open dialogue.
3) Snowden and team really are double/triple agents and are an attack on the USG directly attempting to make the USG look bad and have the US lose face/credibility...
(I am sure there are countless other potential scenarios that the NSA/USG have mapped out... I would be REALLY interested in hearing them for consideration)
My personal opinion is simple - I am very happy this series of events has taken place as I have known of Echelon for decades - and now feel that there is 100% irrefutable proof that it is in place... what the next steps are is unclear, but I hope that it is an awakening and invigoration of people all over the world to fight to make this place a better world to live in rather than a worse one.
If you were aware of any notable hacking incidents in China, and could claim to have privileged knowledge, then it's easy to say the NSA were behind whatever you want (just in this case, obviously the NSA's mission would imply it attempts hacking of foreign networks).
PRISM is disclosed via a PowerPoint presentation. Presentation as in, a thing you tend to show to a large audience. It's highly likely he was simply given a copy of it after being shown it, since good internal education and knowledge sharing is a pretty core concept to running a successful enterprise.
He clearly has released top secret documents; your assertion that he "hasn't released anything" is simply untrue. If you truly feel this isn't a leak, you obviously think the top secret classification is irrelevant and disagree with the US gov. on this. Some examples of his assertions verified by documents:
NSA keeping daily phone records for every American
NSA receiving data from US internet companies
GCHQ (and thus NSA) keeping 3 days complete internet traffic passing through UK
GCHQ (and thus NSA) keeping the content of all UK text messages
It's a leak, yes. He should be prosecuted for it, yes. But it's also widely disseminated internal data by nature of being a presentation.
Everything else is him claiming to have knowledge of things, without providing specific details beyond "his word". There's no reason to think he had the powers he claims to have and he's been leaking the NSA's foreign surveillance programs in broad strokes like a sieve, but American-specific stuff? Mysteriously quiet. With equally quiet walkbacks of the claims by the Washington Post and Guardian.
QED. That's not all of course, but gives the lie to your claims.
This is not counting the thousands of documents submitted to journalists, who have only published a selection, at his insistence.
My question is, what has Snowden released which confirms the idea that he had the type of broad-ranging access which you claim.
Nothing you just cited confirms that: the first is Verizon phone records. Again - public knowledge since 2007 if anyone was actually paying attention.
The second and third are a warrant of the type used to request surveillance (you know, due process and all that) and a document of procedures for minimizing data on US citizens.
Both documents, explicitly dealing with not collecting broad-ranging data on US citizens and demonstrating oversight and limitation to the process. So again, where is the smoking gun? Where is any proof that Edward Snowden has done more than simply make a copy of a library of guidelines and procedures for NSA employees? Because nothing you just linked proves that he has anything substantive which actually proves wrongdoing, overreach, or the NSA going beyond mission parameters.
Some of your assertions were simply untrue - if you want people to take you seriously, don't try to distort the truth. If the documents above were common knowledge they would not be stamped 'TOP SECRET/NOFORN', he released more than the powerpoint slides, etc.
Because nothing you just linked proves that he has anything substantive which actually proves wrongdoing, overreach, or the NSA going beyond mission parameters.
To take just this one example, I consider tracking the domestic phone records of all Americans daily to be a huge infringement of the NSA's stated mission and the privacy of hundreds of millions of Americans, which you so blithely dismiss as 'public knowledge'. YMMV on that, but frankly your arguments that this is nothing of consequence are absurd given the reaction of the US President, Congress, the NSA, foreign governments, and journalists around the world to these leaks - clearly they are important and clearly the revelations have shocked many people.
You may consider the phone records a huge infringement but again: this program was public knowledge. There were articles written about it. In fact it was public as early as 2006:
[http://usatoday30.usatoday.com/news/washington/2006-05-10-ns...]. Edward Snowden releasing anything on it is thus mundane except for the fact Edward Snowden is doing it, and again - doesn't prove that he actually knows anything significant or had the type of access he claims to have.
Which is the point here: not what you personally find invasive, but the idea that Edward Snowden has the goldmine of data and knowledge people are wildly speculating he does, despite scant evidence in that direction.
It is a very big deal and the US needs to forget about Snowden and concentrate on how to go forward.
So if he's charged with espionage, even if he hasn't released anything, does that mean he has circumvented something? Or that access to that information didn't actually require being circumvented in the first place?
Is no one else paying attention to anything beyond the "slides" in this story?!
I still prefer well-run self-hosted mail unless:
* You have a <6 month retention policy (i.e. so ECPA's weaker protections are a non-issue) (which can be specified in Google Apps for Your Domain)
* You don't have the technical competence to run your own mail server (which gets complicated in a larger organization due to HR risk), or don't have the business competence to hire a contractor to run it in-house in such a way that their staff don't become a huge risk.
There's a third way which would be a lot better for everyone, but it's not technically feasible yet -- a way to outsource some aspects of the server without giving up control.
A lot of this was just a quick Google search away, and would have been just as relevant the very year GMail was introduced.
Likewise there's no theoretical reason to trust internal Google policy controls over U.S. government legal and policy controls. Even if what the author thought had been true about U.S. law actually was true, he'd still have been setting his customer up for the possibility of having their confidential data leaked (maliciously or not) or hacked into (e.g. by the always-vulnerable password reset function).
That's not just a nitpick either. There have been a couple of services at work I would have liked to set up on something like Digital Ocean, Basecamp Breeze, etc. that I can't because of PII concerns.
So while I'm sorry that the author made wrong assumptions I don't know what to tell him other than IANAL isn't just a five-letter acronym, and "due diligence" doesn't simply mean "hire a contractor to think about this for me".
You could just use the "virtual appliance" model and do virtual machine level upgrades, with data on a separate partition -- less of a hassle than testing a bunch of upgrades from smaller patches (the paranoia about breaking it is that the service provider doesn't have root, so a failed upgrade could be bad). I'd probably want encrypted backups held with the provider too, for most non-sophisticated users.
There is a huge amount of interest among cryptography researchers and from DARPA and the NSF.
I'm kind of tempted to do this, since we largely do this kind of thing for VPN already. Doing it with trusted execution lets the code execute on hardware owned by the service provider, but that is technically difficult and hard to prove. Just letting you run code on your own virtual machine host is a lot easier (could be a third party virtualization provider if that is what you want, but I'd at least go for colo of my own server, if not on premise.)
Take advantage of the zeitgeist, rdl.
You can look forward to at least one customer if you decide to go ahead with this. (me). :)
People who target your company and employees specifically, maybe not. But even this could be made more difficult for spammers by only allowing access to your public key directory from trusted IP ranges.
It's also a great idea from the standpoint of giving an encryption policy teeth. I'm thinking of a company where the official line is "We encrypt all our email," but then some IT screwup results in having half the company sending each other cleartext email for several quarters before anybody notices.
If your mailservers reject unencrypted mail, the above scenario can't happen, because presumably people will notice when everyone's mail starts getting discarded, and it'll be fixed very quickly.
At this point, I'd consider NOT using STARTTLS for your MTA to be nearly as irresponsible as not using ssh instead of telnet/rsh, or not using secure passwords. It correctly pushes all the pain onto the sysadmin (and a very tiny amount of pain), rather than end users.
I kinda doubt it - if for some reason your outgoing mail server connects to one of my secondary/relaying MX servers, I don't think there's any way for you to ensure that server bothers trying to set up a TLS session when it relays my mail (which I guess is mostly my problem/fault) - and similarly, if your ISP requires you to send mail via their SMTP servers (blocking port 25 isn't uncommon here) - I don't think you've got any say in whether or not that server requires TLS?
(I know - I really should go and look this up myself…)
Spoiler Alert: Apps for Business/Education only
The Prism scandal may have come as a surprise to US citizens, but the US has been spying on foreign nationals and companies for years, and we've long known about it - haven't you heard of Echelon? It was also well known that these systems were used for industrial espionage.
European Parliament adopts 'Echelon' report
(...) the document lists several examples in which intelligence officers are believed to have interfered in a commercial contract. The report claims that European aircraft maker Airbus Industrie had its lines tapped in 1994 while negotiating a $6 billion contract with the Saudi Arabian government and national airline.
Verizon metadata is different perhaps, as is the idea of 641A-style mass interception of communications. But PRISM itself automated FISA compliance, it didn't actually create more NSA powers than existed before it.
Everybody will think thrice before storing their data in the US. Especially since Obama has made it more than clear that the rule of law does not apply to foreigners.
It was simply an area I'd never done any work in - that's the benefit of a global, diverse (and still very small) organization.
Nothing was "known" until these leaks. It was the conspiracy theory of nut jobs. Now and only now is it "known".
No. You should have a very short memory, or you just consider the dossier made by the "European Commission" about Echelon the work of nut jobs: http://cryptome.org/echelon-ep-fin.htm
Really, ECHELON in particular has been acknowledged to exist by pretty much everybody since 2000 or so.
American businesses could and should lobby Congress to fight this and to find ways to protect US stored data, I know I wouldn't trust a Chinese cloud company not to snoop or steal business/corporate ideas and trade secrets.
But if there were assurances for US cloud businesses that this doesn't affect their business ideas accidentally or deliberately then we could set a global example on how to run cloud data storage that is safe and business friendly. There is an opportunity here for Google, Amazon, Apple etc for cloud data.
Lots of damage control to be done here for international clients. As an American I would always trust our systems more but international companies may have a very hard time trusting without the US being a shining example of how to correctly protect business data in clouds here, especially encrypted data that is automatically subject to storage/filtering if international.
I am talking about protections on unauthorized access by agencies (even for national security) meaning no more blanket access to all email/files/etc rather explicit machine read systems that only access data that has a warranted access and useful to the investigations.
Human access should not be allowed unless the data has already been warranted, filtered by the system and useful in the investigation that the NSA/DOJ/ etc might be using.
A big problem right now with it is blanket access and collecting content in bulk to sift through. There should be no way a human can go into an email box or cloud files and read everything for instance unless the person themselves is under investigation; email communication with that person can only be pulled from other innocent people's boxes that are part of the investigation, not everything. As it is right now they just collect everything and store it. It should also have heavy encryption and 3-5 approvals/logs/access audits per individual human access so there is a minimized threat of people searching business ideas for personal gain. This would prevent the one-time email or document share with someone that allows access to all their data. Explicit access and heavily verified across judicial, audits and multiple users, 3-5 at least, approving or seeing the access within the security organization.
NSA and CIA etc are patriots and like their freedoms as well, I am sure they don't want colleagues stealing ideas, business plans and random people's personal info when they go civilian. It is currently too sweeping and broad due to terrorism threats that have yet to take away as many freedoms as our own internal legal overreaches.
For example, right now let's say I am some crooked agent or politician, I could have one email or call to a person and justify looking at all their data. This might be someone who is in a competitive company or business information they want to find out. Steps like the above would minimize those abuses which are bound to happen. Take for instance oil mining or product plans, these types of competitive environments are very susceptible to snooping and corporate espionage without heavy controls on access to data.
Protection for international users, the same as US persons. No one will trust storing data on our servers and cloud systems if they know all their data is being filtered and easily accessible by a single agent.
Also, extremely fast audits, judicial warranting. There is no reason it should take a long time with today's tools. I imagine the NSA and others are collecting all this data because the bureaucracy makes it difficult to get approvals in time, so they go in bulk as a fail safe. I don't envy them; the work is very hard and it is justified when true threats exist, these people typically aren't evil and most have the best intentions. But with great access to information comes a power that is hard to contain if not verified.
Timed release/removal of information that is not needed now, not indefinite storage. Will this make us less safe? Maybe but freedoms are not easy, it takes work to be free. Authoritarian is easy.
Maybe something like a Bill of Data Rights that also applies to international people in addition to the US. We would really revolutionize rights and data rights in the world, it would attract a lot of business to data storage in the US. However currently data is freer in other places sadly.
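As an added illustration (not code from this thread or from any agency or provider), a Python sketch of the access gate the comment above proposes: a human may read a subject's data only when a warrant naming that subject is in force and several distinct approvers have signed off, and every decision is logged. The required approver count, the role mix and all warrants and names are assumptions constructed for the example.

```python
"""Warrant-scoped, multi-approver gate for human access to stored data.
Added illustration; warrants, roles and approvers are constructed."""
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 3                              # the comment suggests 3-5
REQUIRED_ROLES = {"judicial", "audit", "security"}  # assumed role mix


@dataclass
class Warrant:
    warrant_id: str
    subjects: frozenset     # identities the warrant names
    expires_day: int        # simple day counter, not a real calendar


@dataclass
class AccessRequest:
    requester: str
    subject: str            # whose mailbox/files are to be read
    warrant: Warrant
    approvals: dict = field(default_factory=dict)   # approver -> role
    today: int = 0


AUDIT_LOG = []  # every decision, allowed or refused, is recorded here


def decide(req):
    """Return (allowed, reason) and append the decision to AUDIT_LOG."""
    reason = "ok"
    if req.today > req.warrant.expires_day:
        reason = "warrant_expired"            # timed release, not indefinite
    elif req.subject not in req.warrant.subjects:
        reason = "subject_not_in_warrant_scope"   # no fishing in other boxes
    elif req.requester in req.approvals:
        reason = "requester_cannot_self_approve"
    elif len(req.approvals) < REQUIRED_APPROVALS:
        reason = "insufficient_approvals"
    elif not REQUIRED_ROLES.issubset(set(req.approvals.values())):
        reason = "missing_required_role"      # judicial + audit + security
    allowed = reason == "ok"
    AUDIT_LOG.append((req.requester, req.subject, req.warrant.warrant_id,
                      allowed, reason))
    return allowed, reason


def demo():
    """Four constructed requests against one constructed warrant."""
    w = Warrant("W-CONSTRUCTED-001", frozenset({"alice@example.test"}), 30)
    full = {"judge1": "judicial", "auditor1": "audit", "sec1": "security"}
    two = {"judge1": "judicial", "auditor1": "audit"}
    return [
        decide(AccessRequest("agent7", "alice@example.test", w, dict(full), 10)),
        decide(AccessRequest("agent7", "bob@example.test", w, dict(full), 10)),
        decide(AccessRequest("agent7", "alice@example.test", w, two, 10)),
        decide(AccessRequest("agent7", "alice@example.test", w, dict(full), 40)),
    ]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```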
Access should not be allowed unless the data has already been warranted.
I don't care a fig whether my privacy is being violated by amoral machines or amoral humans.
Yes, of course, but this is not enforceable. You have to trust the company that they will not allow it. You can't ensure it.
How about this: only businesses (like Facebook, Google et al.) should be able to say 'trust in me' - to their customers. Privacy regulation is only for the government, this will ensure that the surveillance state is built by corporations, as God intended.
It's obviously a huge risk and embarrassment if the US government looks at data from Europeans. But if American companies sell each other that data, that should be of no concern to Europeans, because private companies are all inherently trustworthy without external oversight.
Also I mention that frequently because the people that say 'I have nothing to hide' and don't mind, might think differently if they are business focused and do worry about people stealing ideas, plans, or reacting based on those business secrets.
It is bad all around when individual privacy is at risk unknowingly, but it also affects business privacy and that impacts everyone and harms perception of US cloud services for one which the article mentions.
If you make something public on a website like Facebook you should expect that it will be used. But no one expected private emails, phone calls, logs of files in the cloud to be so easily accessible. It creates huge problems in business trustworthiness and protections. That is aside from the more important lack of individual privacy that is expected in the same and the root of the problem.
As a user of Facebook, you aren't a customer, but the product that is sold to the advertising customers.
Yet most of the managers I see who make this decision just don't care. They ignore the advice of their systems admins and follow the old adage "you can't get fired for buying IBM" like sheep to a slaughter. It's typical of the short-term mindset that drives so many business decisions.
I chalk this up to a lack of education, both in business and IT. While CS professors obsess over data structures and algorithms, and non-IT departments preach about the relevance of the next quarter's results, "Rome is burning".
My apology is really around the fact that at the time we were trusting that such programs would not exist here (this was before Echelon was explained to us), and that the US didn't work that way. I was naive and I was wrong.
It's still not clear what programs you are talking about. Because Google provides no access logs "someone could go into our account and take confidential information, and we would never know". What does that have to do with Echelon or Prism?
(B) Governments aren't the only ones potentially spying on peoples' unencrypted comms.
Experienced IT staff can typically exceed the uptime of Google and Salesforce on a standard budget with no special accommodation. Perhaps the organization's IP (intellectual property) wasn't really worth that much, or upper management forced their hand? Sounds like that wasn't the case but you never really know.
It's so obvious.