Court Order told Yahoo that Prism does not require a warrant [pdf] (fas.org)
202 points by sampsonjs 1610 days ago | 61 comments

'Yonatan Zunger, the chief architect of Google+, wrote in a Google+ post today that: "I can tell you that the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals -- things like search warrants."'

From the court order: "We add, moreover, that there is a high degree of probability that requiring a warrant would hinder the government's ability to collect time-sensitive information and, thus, would impede the vital national security interests that are at stake." Cough

I think you've misunderstood what you read. Under US law an FAA order carries the same compliance burden as a warrant. And, just like a warrant, the party served can push back on an overly broad or unjustified order. So, there's nothing untrue or even remotely misleading in the statement that "the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals -- things like search warrants."

You should read the second half of his paste. Maybe disclose bias too.

Did you read the surrounding context of that quote in the original document? This comment implies you did not.

We all have bias. Is he wrong or not is the question.

"things like search warrants", where "things" may be, for example, a FISA order.

Because these are FISA requests for individuals "reasonably suspected to be residing outside the U.S.". Those have never required warrants. Before FISA existed they just did it to whomever they pleased; now it requires a FISA request which is not the same thing as a warrant.

Nowhere in that document does it say anything about not needing a warrant to get information on U.S. citizens residing in the U.S. What it does actually say is

For these reasons, we hold that a foreign intelligence exception to the Fourth Amendment's warrant requirement exists when surveillance is conducted to obtain foreign intelligence for national security purposes and is directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States.

I.e. a FISA request.

Was the Verizon FISC order that was leaked, requiring daily dumps on all calls even with both endpoints inside the US, targeting individuals reasonably believed to be outside the US?

A U.S. cell phone number can be used abroad, last I knew.

A few points. A FISA order really is a warrant, and the NSA needs one to collect on a US person (i.e. US citizen anywhere or anyone on US soil). Before 9/11, FISA warrants were also used to compel US companies to comply with collection against non US persons for which they were the carrier. At some point after 9/11 the Bush administration realized the law could be reasonably interpreted as not strictly requiring this, so they stopped using FISA for this purpose. That was the heart of the warrantless wiretapping controversy, and the primary goal of the FISA Amendments Act was to add requirements and oversight for these situations.

> A FISA order really is a warrant

Not according to the language used in this document it isn't. You can say it is similar if you want, but when they say "A warrant is not required" in this case they are not saying "no authorization is required".

False, see Verizon order

Your response is in no way related to my comment. What point were you trying to make?

Keyword is "reasonably" believed to be located outside...

So, one access to an external server? Visiting overseas?

The petitioner is redacted, so why does the title presume it to be Yahoo? Did I miss something?

Also, PRISM is an acronym for Planning Tool for Resource Integration, Synchronization, and Management. Could people please stop abusing it as a term for whatever random scary thing they want to believe the NSA is doing?

We learned this month that the company was Yahoo. See:


Thanks, that's certainly useful context. It's a shame the link is a bare PDF, without that background.

"...the petition requires us to weigh the nation's security interests against the Fourth Amendment privacy interests of United States persons."

The text of the Fourth Amendment doesn't narrow itself to "United States Persons". It says:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Why do you think 'the people' in the Fourth Amendment is not a reference to the same "We 'the people' of the United States" in the Constitution?

It is so strange to see a judgment reference a previous case as Re Sealed Case.

It feels like the judge is stating: The authority for this principle can be found in Black Box.

It may be justified for civil cases to be held in secret. After all, civil cases can be resolved by mediation, arbitration, even just negotiation. When the matter concerns a petition against the government however, or against a law, there is no reason for the case to be sealed or secret.

What's next, the congress voted in a closed secret session a new secret law?

Can anybody decode this gibberish? Is it any wonder our rights are being violated by lawyers, lawyers-turned-lawmakers, and lawyers-turned-judges?

The Protect America Act still exists? Why isn't there more discussion about it?

No it doesn't. Even this ruling clearly notes that the PAA had a one year sunset and expired in 2008.

The PAA does not exist. But similar language appears in the FISA Amendments Act of 2008, which Congress renewed most recently in December. Bipartisan enthusiasm, with approximately three-quarters of senators voting for it after safely defeating the pro-privacy amendments: http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR5949:

I don't see how you could think the PAA and FAA have similar language. The PAA was a pretty ugly bill, and significantly loosened both FISA and USSID 18 restrictions against collection on US persons. Whereas the FAA actually reinstated FISA order requirements and closed the third-party carrier loophole. So, the FAA was an unambiguous win for privacy over the then-expiring PAA, and more importantly it was an improvement over the pre PAA version of FISA.

Before the FAA passed, there were no requirements or oversight governing collection of non US persons communicating over a US carrier. And in fact, existing legal precedent does not treat the carrier as party to the communication, so collection under those circumstances was likely legal. That's exactly the loophole the previous administration exploited to compel third-party compliance in foreign intelligence collection without oversight.

I didn't think it was controversial to claim that the PAA and FAA have similar language. Here's one section from both bills (Sec. 702 in the FAA and 105B in the PAA) authorizing warrantless surveillance:

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.01927: Notwithstanding any other law, the Director of National Intelligence and the Attorney General, may for periods of up to one year authorize the acquisition of foreign intelligence information concerning persons reasonably believed to be outside the United States...

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:H.R.6304: Notwithstanding any other provision of law... the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States...

I didn't say they were identical, just that they were similar. Though each does use the identical language about limits on targeting "persons reasonably believed to be located outside the United States" -- and we found out from last week's leaks how far that language can be stretched.

Claiming the bills have similar language implies that they have similar effect. However, the facts are quite opposite. The PAA significantly reduced oversight and individual protections while the effect of the FAA was to increase both.

Even those passages you're citing are night and day apart. The first authorizes collection against US persons on foreign soil, which flew in the face of 50 years of precedent. Whereas the second is truncated to the point of being almost meaningless, but in context it defines some terms of collection against non US persons outside the US--something legal for all of US history. The only similarities between the two are the responsible parties and the duration, which are basically boilerplate.

Justin, have you read the recently leaked NSA rules outlining how they define a non-US person for the purpose of FAA surveillance?

See: http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi..., page 4, paragraph 1.

If the NSA does not know whether someone is a US person or a foreigner, the agency assumes that the person is a foreigner. That matters a lot if, for example, you're using Tor.

You might also want to look at the recently leaked minimization rules, which permit the retention of purely domestic communications collected under the FAA, if that information can be used to develop and exploit security vulnerabilities. Given where you work now, and what you work on, that might be somewhat important.

See: http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi..., page 5, paragraph 3.

Chris, that's one paragraph absent the surrounding context. Targeting must be validated and verified as outside the US, but beyond that it can be very hard to authoritatively guarantee what the nationality of the parties is. The best I can add is that I've done the job, and I know the cardinal rule is you do not collect on US persons except in the rare case that you have a FISA order. And the people I know still doing the job concur that hasn't changed. Violating it willfully or negligently means the end of a career and possible jail time.

There appears to be a bit of a conflict between the cardinal rule you were taught when you worked at NSA of not collecting information on US persons with the current practices of the NSA.

The Section 215 program in which the NSA has been collecting metadata about every domestic telephone call would appear to violate that rule, even if, as we are told, only a couple dozen NSA employees can query the database, and even if they only use it for investigations related to terrorism.

Likewise, the non-us persons targeting rules leaked last week suggest that the NSA has ongoing access to GSM Home Location Register data for the entire United States. While this doesn't pinpoint someone's location to a house or street, we're still talking about the NSA getting city-level location data for hundreds of millions of innocent Americans.

See page 6 of: http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi...

Given how compartmentalized NSA is, it seems quite reasonable that your former team (which, I assume, penetrated the computers of foreign targets) would have no contact at all with the teams tasked with collecting domestic communications.

I don't know what was ambiguous about "except in the rare case that you have a FISA order." I'm dubious of the metadata thing (a bit less knowing that it is not part of the collection and A&P pipeline), but the fact is that it was approved by the FISA court and an order was issued.

You're clearly using the bullshit redefinition of "collect" here, because you know damn well that's a lie.

I was amused to see your claim of the FAA "increas[ing]" oversight appearing within a few hours of the Guardian's article on the latest NSA disclosures. It says precisely the opposite: that the FAA "relaxed surveillance restrictions." Here's the link:

http://www.guardian.co.uk/world/2013/jun/27/nsa-online-metad... It relied, legally, on "FAA Authority", a reference to the 2008 Fisa Amendments Act that relaxed surveillance restrictions.

You do realize how the last one of these Greenwald articles from the Guardian played out, right? Another reporter actually had to write a piece walking back every one of the accusations concerning PRISM. And yet, given Greenwald's proven track record of being wrong, you're happy to take him at face value? Perhaps it's time you look inward and consider your own personal biases and motivations here?

My article was, I believe, the first to rebut those accusations: http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of...

I just happened to be reading that Greenwald article around the same time I saw your response, but I'm not relying on his analysis: I posted excerpts from both bills. They are similar, not identical, and I wrote about both at the time they were enacted.

I'm going to decline to speculate about personal biases and motivations.

Wait, are there actually people in the US who still assume that someone has to get a warrant to investigate them under the auspices of terrorism or National Security? I assumed this was a more or less accepted fact by now.

They take everything they want off the wire anyway; the best case scenario is that they have FISA rubber stamp warrants for the times where they "need a warrant".

Do we really care about specific instances of uses of PRISM? I mean, in an honest way I'm curious :: is there really any benefit if we could definitely prove that PRISM was used without a warrant? Is it worse than any of the other things that have been disclosed or leaked since originally finding out about PRISM?

I don't think so, but I was screaming bloody murder about NSLs in 2006, soooo......

Just because everyone "knew" doesn't make this less useful to be released. Last month if you went on CNN and claimed that the NSA had free reign to access whatever they wanted, you'd be considered a conspiracy theorist. Now you are at least just considered to be aiding the terrorists. This type of thing is also useful for groups like the ACLU filing lawsuits because they need more proof than "everyone knows already"

"free rein". It's a metaphor about horses, not kingdoms (though I have heard that the one can be exchanged for the other).

I've heard that the offer has been made, but there's no record of the transaction ever having been completed.

You're right. I don't know why I was being such a pessimist about it. More ammo, more attention, it's probably good unless or until we reach the max attention span of people who need to become more informed. Or if we encounter the 'disaster porn/fatigue' effect of this stuff.

I guess that's pretty much exactly what I'm experiencing. "Why bother trying if no one is listening". Not exactly the concept of 'disaster porn' but it's a close enough allusion.

> I don't know why I was being such a pessimist about it.

Almost everyone I know that's involved in some kind of activism has this happen to them; I know that I feel it almost all the time. I'm not saying you're actually _doing_ any activism, but I think it's a side effect of paying so much attention to the letter of the law: law is a messy, sloppy thing, or at least it appears that way to this non-lawyer. It doesn't mesh well with my 'computers are deterministic' general mindset.

And really, _especially_ on this privacy front, it's terribly hard to see that these things are going to happen, get called 'crazy' and 'paranoid,' see them happen, and then sigh: "I told you so."

>I'm not saying you're actually _doing_ any activism

You mightn't have meant it but that was a polite way of provoking a bit of self evaluating. I don't really know what more to do outside of donate to the EFF, write my Congresspersons, etc. But I haven't made nearly an exhaustive effort of investigating what I could be doing.

>It doesn't mesh well with my 'computers are deterministic' general mindset. And really, _especially_ on this privacy front, it's terribly hard to see that these things are going to happen, get called 'crazy' and 'paranoid,' see them happen, and then sigh: "I told you so."

Are both very insightful statements.

:) I think something that's sorely needed is easy-to-use crypto for 'normal' people, and by 'normal,' of course, I mean most of us. I recently set up PGP for all of my email, but it wasn't exactly something that I'd recommend to a non-technical person.

If you're looking for something you could do.

koush is kind of kicking ass on this front: https://plus.google.com/110558071969009568835/posts/gVt8SWRR...

From his comments it sounds like he's working with other app makers who are making independent apps so this could target everyone, effectively.

I do have a side project that would, at least personally, greatly decrease my dependence/reliance/usage of GMail...

The use of FISA "warrants" (misnomer, really) is highly questionable as is, especially when they're just rubber-stamped anyway, but if we can prove that most of the time they don't even bother to use those "warrants", then we can at least take steps to sue them over it and try to declare it unconstitutional, and hopefully get Congress to not only repeal many of the current laws allowing them to do this with their secret interpretations of those laws, but also create other laws that put a lot of restrictions and oversight in place.

I don't think there's a single factually accurate statement in your comment. A FISA order really is a warrant in the legal sense, so it's not a misnomer. There's no substantiated evidence that the government is failing to comply with its legal obligations under FISA and other relevant laws here. The Supreme court has consistently upheld that constitutional protections do not apply to non US persons. The general trend since roughly 2008 has actually been increased oversight and scaling back of 9/11 era expansion of surveillance powers.

FISA warrant = "general warrant" = misnomer

According to the 4th amendment, "warrants" must be used in specific investigations and for specific individuals. There's nothing specific about a FISA warrant. They just get data en masse from a lot of people. And they use this paper that they are calling a "warrant" from the FISA court, that says they can get the data on everyone.

Also, FISA warrants completely ignore such things as "probable cause" and "reasonable searches", which are pretty important for a democracy, I'd say. You can't say you're getting all the data of 100 million people, and also have "probable cause" for them.

"The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures, along with requiring any warrant to be judicially sanctioned and supported by probable cause. It was adopted as a response to the abuse of the writ of assistance, which is a type of general search warrant, in the American Revolution. Search and seizure (including arrest) should be limited in scope according to specific information supplied to the issuing court, usually by a law enforcement officer, who has sworn by it."


FISA warrants are not the same thing as search warrants, in the same sense that an arrest warrant is not the same thing as a search warrant.

FISA "warrants" are really an oversight mechanism to the executive's generally accepted authority to conduct national security operations targeted at foreign powers. They're specifically to "warrant" that the Fourth Amendment is not being violated by a particular search, intercept, or program because the activity is appropriately targeted.

You're both right. In the general case, FISA warrants are court orders sufficient to require a third party to disclose information in their possession. However, any given FISA warrant may not meet the requirements for a warrant that must pass muster under the 4th amendment. They are, however, sufficient for activity that does not require a warrant under the 4th amendment.

So the question is: what requires a warrant that meets the strictures of the 4th amendment? Not every kind of data gathering or information collecting activity requires a warrant.

A good hypothetical to think through is a Tesla car. Tesla has the capability to track you via GPS, though the functionality is apparently disabled on retail models. But say it was enabled, and Tesla collected and stored information about where you went to optimize your ownership experience. Do the police need a warrant to get that information?

On one hand, the police do require a warrant (meeting 4th amendment strictures) to put a GPS on your car (because it is a physical invasion of your private property). On the other hand, police don't need a warrant to ask your neighbors what they know about where you've been.

So: what do the police need to get your GPS information from Tesla? On one hand, you can say that the police shouldn't be able to do indirectly what they can't do directly, and say that they require a warrant meeting 4th amendment strictures to get that information from Tesla. On the other hand you can point to a crucial distinction: the police did not need to invade your physical property to put a GPS bug on you--you did that part yourself and voluntarily told Tesla exactly where you were going. If you had phoned Tesla, and told them exactly where you had gone, and they wrote that down and stored it in a file, the police would not have required a 4th amendment warrant to get that data. Just a lesser court order in the event Tesla did not cooperate.

>I don't think there's a single factually accurate statement in your comment. A FISA order really is a warrant in the legal sense, so it's not a misnomer. There's no substantiated evidence that the government is failing to comply with its legal obligations under FISA and other relevant laws here.

Er, um, no. FISA warrants and courts are different than regular warrants and courts for a very good reason. Most of them are issued post de-facto and as mtgx and I have pointed out, are literally rubber stamped. ZERO were declined last year.

I'd love a citation for the last sentence of your post. I'll work on background info on FISA warrants. Like I said, wish I had my debate evidence I cut years ago. Rather ironically, it's actually remarkably hard to refind some of that evidence 10 years later. Google loves to emphasize more recent publications.

A FISA warrant is as much a warrant as an FBI agent wiping their ass on a piece of paper and calling it a National Security Letter makes it a "legal warrant". (Yes, field FBI agents can issue them, and they're issued in the tens of thousands every single year, AND a single letter can apply to a person, team, family, or entire workplace.)

You might call it "legal" in that a law passed by Congress with secret interpretations and special addendums tells them they can... but yeah, I'm going to keep on calling FISA warrants and NSLs used on US Citizens what it is: unconstitutional and thus practically, illegal.

You genuinely have no idea what you're talking about and you're adding nothing to the discussion. I'll leave it to you to look up the definition of a warrant if you want to verify my statement.

A "warrant", "FISA warrant" and "National Security Letters" are all distinct things that are used to circumvent the Fourth Amendment. By definition only the FIRST of those three are allowed for by the Constitution; the others do NOT meet the same standards and probably or at least fortunately may exist primarily for that reason.

Literally hand picking any of these keywords pretty much leads to the same Wikipedia page discussing at least some of these things. I'm still reading it to see how complete it is. Again, where are you getting this information that the government has been more conservative or particular about these directives?

Ironically it actually has a fairly good record dating back to 2006 in several places when some of this stuff got stirred up that time. http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_co...

The whole thing is insightful. (I edited this comment to be far less rude, my apologies, I should've slowed down)

Let me channel our resident conservative lawyer, raynier.

The 4th only applies to US citizens. Therefore a FISA warrant targeting people outside of the USA who are not believed to be US citizens does not have to meet the standard of the 4th.

A National Security Letter targets third parties (your email provider, your library, etc) and fails to search, seize, or directly affect any of you, your house, person, papers or effects. It therefore does not violate the 4th.

Channeling myself for a moment, this is not how I personally understand the clear intent of the 4th. I'm sure you agree with me. However I am forced to admit that multiple courts have sided with the interpretation that I just described.

Under common law, I don't get to decide what the law is. Judges do. Since they seem to be consistently accepting this line of argument, the 4th simply doesn't mean what I want it to mean. (I'm all for a better amendment, but that does not seem to be happening.)

Thank you. I wish more of the commentary on this subject was like yours. It's refreshing to see someone who can disagree with a position but accept that it is still legal if the courts have upheld it.

I made it pretty damn clear that I was talking about it at a constitutional level and it's kinda irksome to watch you find the only person who barely-even-doesn't-really-agree with you and act like they're the only respectable person in the thread. It's not my god damn fault you refuse to read the wikipedia page and inform yourself.

edit: Look, all over the front page this morning. MORE sources and allegations describing MASSIVE domestic surveillance that occurred without any sort of oversight or warrants. How can you just ignore story after story after story and push your anecdotes?

Do you happen to be paying any attention to any of the top stories right now? Or does your anecdote answer back ALL of them too?

> Wait, are there actually people in the US who still assume that someone has to get a warrant to investigate them under the auspices of terrorism or National Security?

What's amusing is how many people assume that the police ever needed a warrant to "investigate them." The police need a warrant to search your person or your property. The police don't need anything to investigate you, and need nothing more than a court order to subpoena documents from people who might have information about you. This has always been the way our system worked.

Depending on what exactly PRISM does, it may very well not require a warrant, any more than the police require a warrant to get your bank records or other kinds of information about you held by third parties.

> soooo...

For some reason, it's not really been refreshing to see people paying more attention now. I thought maybe it was a holier than thou thing but hitting blogs where we were talking about it back then I see the same thing. People who were outraged then are doing what they were then - trying to read between the lines and figuring out how it really works while still being legally compliant. Try commenting on that, and you're called a sheeple and told how it's all un-constitutional, yada, yada.

I don't mind when my outlying beliefs become hip, but I do get annoyed when they jump the shark.

This document doesn't say that somebody in the U.S. can be targeted without a warrant. It says

For these reasons, we hold that a foreign intelligence exception to the Fourth Amendment's warrant requirement exists when surveillance is conducted to obtain foreign intelligence for national security purposes and is directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States.

Not the same thing.

Aka, FISA warrants and FISA courts which in practice haven't been limited to foreign spying for... decades? now?

The NSA has specifically stated that they have the ability to preliminarily gather data through PRISM a week before going to FISC for a warrant. What is presented to the judge as evidence is usually that very collected data.
