It also needs to be said that another leak is coming soon that details a program that collects/stores the contents of 1 billion cell phone calls every single day. I submitted the link earlier but it got buried after only a few upvotes.
But hopefully this event will start getting people together to keep the pressure on as new revelations come out. Protesting matters, phone calls matter, emails matter---I've seen it. Generally the rule is for every one constituent (that's key) call there's 100 more who think that. Right now you can start to see the official line fraying a bit with various actors attempting to cover their own asses. Maybe they don't care about the big picture, but they care about legacy, career, and ego. And no one wants to be on the wrong side of history.
My page for my New England city has nothing except a link to a conversation with half a dozen folks planning a preliminary meeting, with no follow up info posted. I could drive to Boston, but what's the point: the Boston group is only predicting an attendance of 40. I doubt it will get media coverage, and at that size I honestly hope it doesn't.
This defeatist attitude is why the predicted attendance is so low.
Only organizing among Redditors, not bothering to reach out to people with more experience organizing protests, and not partnering with affiliated organizations (Tea Party, Occupy, various student groups) who might all come together to rally around this is why predicted attendance is so low.
Update: Added first sentence to emphasize point.
I believe we are both frustrated that more is not happening, and unfortunately that frustration is being directed at each other instead of the real issue. I do applaud your enthusiasm and stepping forward to help advertise this.
US citizens make up less than 50% of the world population. So given any target I can be more than 51% confident that they are not a US citizen, knowing nothing about the particular target whatsoever.
The only way that makes sense is that they whitelist the people they like, and simply don't give a flying fuck about anyone else, American or otherwise. Spy first, deny it later.
Sure, you might have to tortuously stretch the legal wording here to justify collection of any particular target, but if there's one thing this Administration has proven adept at it's tortuous stretching of the law.
I don't know if that "tortuous reading" thing is really specific to this administration. And anyway, I'm still having trouble figuring out how this whole PRISM thing was unexpected given the laws that congress passed. It seems like a rather straightforward reading of the law to me.
"The program is court-approved but does not require individual warrants."
So does this mean that the number of government requests released by Facebook, Microsoft, etc. within the last few weeks are essentially meaningless in regards to PRISM and most likely other top secret government spying programs?
The reasonable expectation one would have about statistics released by (say) Yahoo pursuant to this process is that they would capture every directive received by the provider, since providers don't get the certifications.
Just a quick reminder: the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil. I'd be interested in hearing about any country that had a signals intelligence capability (Germany, France, Israel, UK, China, Japan, Brazil, &c) in which a warrant was required to conduct foreign intelligence.
The older I get the more these artificial boundaries of nationalism bother me. Nationalism is cultural racism. I'm convinced that people will at one point look back on it the same negative way we perceive genetic racism today.
Yet we need a good protocol for experimenting with different models in order to arrive at a good system.
A balancing act. We certainly need more fluid borders in the world, like between the borders of our states.
Furthermore, Google etc. didn't just provide the number of directives, warrants, etc. served on them (within a range), they also listed the total number of accounts affected (again within a range, of course). The latter numbers were higher, but not 10×+ higher.
> Just a quick reminder: the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil
And again, it's not actually super-obvious to most people that this applies to US cloud data. The USG apparently (IANAL) can't search the empty New York bachelor pad of a Russian oligarch or Saudi oil prince without a warrant - that apparently it can nonetheless turn over their GMail account (basically) at will is therefore pretty surprising.
There's also the matter that US cloud-data firms have been making true-but-misleading statements apparently calculated to give their users the impression that they have the ability (as well as the willingness) to contest demands for individual users' data without a court finding of probable cause or something like it, when for a large majority of the PRISM-company users this is not the case.
Finally, US citizens might like to check out the FISA appeals court's opinion about a foreign-intelligence exception to the Fourth Amendment. https://news.ycombinator.com/item?id=5923606
There is going to be a huge market in replacing essentially any/all of these services with ones physically and legally outside of the USA, with companies that vow to never voluntarily cooperate with the American surveillance state.
I agree. Also companies that fully embrace encryption and not having access to your data. I deleted my Dropbox account the first day they were implicated as a "work in progress" or whatever. I've been using BitTorrent Sync and it's working pretty well. There is still some work to be done, though. I've been meaning to take a good look at SpiderOak.
No. This shows the opposite. It shows that we can't place trust in jurisdiction anymore, and it shows that we can't trust companies who "vow" not to be evil.
If there is a "huge market" it is in replacing services with ones that provide cryptographic assurance that my data and communications are secure from any third party, and ideally, from the hosting company itself.
I think the uniformed response from the carriers is a diversion from the NSLs which they cannot speak about for the metadata or specific requests for information they have not obtained via fiber splitting.
I don't think that many people knew about the fiber splitting. Only the telecoms were granted immunity.
Is it just me or is this a fairly bold claim? I don't see anything about government equipment on private company property in the slides... wondering if this is additional testimony from Snowden, or info from supplementary docs that they haven't released.
Also: "The Foreign Intelligence Surveillance Court does not review any individual collection request." Could I get some perspective on this statement? Is this as bad as it sounds? Or are they saying the court approves monitoring on an individual and doesn't need to give approval for every single collection request on that individual?
In January 2009, the FBI, at NSA's request, assumed responsibility for the Domestic Content Order and became the declarant before the FISC.
And yes, the NSA tells the FISA court it wants a court order to spy on Al Qaeda in Pakistan or Chinese spies. Each one of those is a "court order". If it sounds like a general warrant, well, that's because that's what it is.
Given the interface already laid out in what we knew about PRISM before, that's mostly an implementation detail. Maybe the company didn't want to have to send the data over the open Internet on their own (even encrypted) and wanted to pawn off that responsibility to the NSA?
I don't know where the info came from but I remember it being talked about when the news first leaked so it may have been sent by Snowden with the initial leak of slides.
I suppose the question is really how embedded into the company's subnet is the government equipment?
> The Foreign Intelligence Surveillance Court does not review any individual collection request
Basically this part from the article introduction: "The program is court-approved but does not require individual warrants. Instead, it operates under a broader authorization from federal judges who oversee the use of the Foreign Intelligence Surveillance Act (FISA)".
Keep in mind this is where the US/non-US inequality is at its most severe. Almost the only reason the FISC really cares about this at all is to prevent monitoring of American citizens in a way that violates the 4th Amendment. The program as constituted is less worried about ensuring the right person has their data collected as it is about ensuring that a U.S. citizen does not have their data collected.
So from that perspective such a warrant might appear rational on the part of the court.
That's admittedly a pretty large inequity between US and non-US persons but that's how the existing case law seems to approach it.
I can't wait until the documents come out showcasing the ties into carriers. I've been waiting years for that validation.
In retrospect, the retroactive immunity thing should have been a hint...
I first saw this in followup articles from the NYT and Washington Post quoting unnamed government sources.
I think something is inferred there that isn't necessarily true: there being 117,675 PRISM records does not necessarily refer to 117,675 different people being targeted. The slides imply that there would be two different records for the same person's Gmail account and their Facebook account. So the number of individual people being targeted would actually be a good amount less. Yes, still tens of thousands of people... but less than 117,675.
But who really knows, I guess.
It's easier when you can associate IP addresses with multiple accounts, of course, but there are a lot of traits (and I'm sure NSA has more than I am aware of) that can be used as similarity metrics to create a probabilistic hierarchy of account agglomeration.
Throwing clique analysis into the mix, which is of course where the most important analysis goes, also helps establish the probability that multiple accounts may be controlled by one person.
If the annotations are correct, they basically confirm the worst and most extreme interpretations people could come up with when this story broke. But there's no evidence presented in these slides, at all, to support the notes they've "helpfully" added. Where's this information coming from?
Queries ('selectors') go in one end, are presumably translated into appropriate queries at each of the external 'data sources' (best-effort translation of the original selectors into whatever the source supports query-wise) and then the results are either alerted on in real-time (surveillance) or kept longer-term (stored comms).
Content returned varies on what the provider can support.
Finally there is a search interface on top (although it looks very basic in this case - simple boolean AND/OR) to provide historic search over the data collected.
Facebook joined PRISM on June 3, 2009.
Tech: All the companies listed have multiple sites/datacenters. While they use SSL/TLS to encrypt client-server connections, they may not be using encryption to protect server-server connections. Most of the database replication systems don't use encryption by default. Companies use circuit switched connections between sites, they don't own the fiber between two datacenters. That fiber is owned by the big telco providers, and passes through equipment owned by the telco providers.
We know big telco providers like AT&T and Verizon are very willing to give the NSA access to everything without putting up a fight. It seems very possible to me that the NSA is surveilling these companies without their knowledge.
For example it was reported that Dropbox was "coming soon" to PRISM. I don't believe for a second that Dropbox is knowingly giving access to the NSA. "Coming soon" may mean that the NSA has tapped Dropbox's communication, and they are working on decoding it, and converting it into a usable format for PRISM.
No one is denying PRISM exists, it just needs to be abolished, and all things like it should be subject to public scrutiny. Obviously it's not ineffective when it's not a secret, so there is no reason for secrecy.
That's not true, the slides describe a system that receives a raw data flow and decodes it. Google and Facebook have both explicitly denied giving access or even receiving a request for blanket or bulk access. They both say they have only received requests for specific individuals, and every request is individually reviewed by their legal team.
There's nothing to see here, people. The participating companies are not actually participating at all, and a damage control press release is absolute, unquestionable confirmation of this fact. Nothing is more truthful than a press release.
It makes even more sense when you consider the name of the program "prism" is an object that's capable of splitting light into its colorful components, i.e. decoding the data streams into visible, readable, more colorful data streams. Each company is a color exposed by prism.
It's not an acronym. It's a play on words.
So far as I can tell, this article from 2007 is the only comprehensive look at the FBI's private spy architecture.
These slides look to be from the same deck. I wonder if there are more yet to come.
And though I'm dying to know just how deep the rabbit hole is, I'm thankful that the slides are being steadily released. In today's world I guess that's the only way to grab attention and gain momentum.
I'm wondering what this theatrical sleight of hand is keeping us from seeing elsewhere. We've probably invaded Iran or sent another trillion dollars to the banking industry.
Washington Post - The FBI uses government equipment on private company property to retrieve matching information from a participating company
The statements by Google seem to contradict this on first reading:
Larry Page - "Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
David Drummond - "Now, what does happen is that we get specific requests from the government for user data. We review each of those requests and push back when the request is overly broad or doesn't follow the correct process. There is no free-for-all, no direct access, no indirect access, no back door, no drop box."
The slides and accompanying commentary from the WP imply that these statements above are at best misleading and misdirection, but not necessarily untrue in a strict sense. There are various qualifiers and ambiguities in the Google statements which mean they could still be claimed to be true - the placement of the apostrophe on users’ data, which could be taken to mean all users as a plurality rather than just a few tens of thousands, the use of broad, and on such a scale to limit the denial to activities similar to those at Verizon which was reporting all activity. They may well not have heard of a PRISM program as there would be no reason to share the codename with them. Taken together those denials could be taken to be simply denials of participating in complete surveillance (with broad being defined as every single user) or giving access (in some limited sense) to their servers - I'm not sure they've ever denied access to data. The only thing which does puzzle me is that they've claimed their legal team reviews each and every request - that would be hard to do in an automated system or one in which the NSA has their own equipment, though perhaps they do it in bulk or retrospectively.
So these statements could be true in some limited sense, but it'd be nice if Google didn't feel the need to couch their denials in lawyerly evasions. The main reason they have to do this and cannot release more data is that they're not allowed to talk about these secret programs - that enforced secrecy is the most damaging thing here, both for Google and for public debate - we can't talk about them because they're secret, and neither the people affected, nor even the US Congress are given the facts to decide whether they even approve of this behaviour by the NSA/FBI, because the programs are secret. No-one can have a meaningful debate on these programs without more information.
- The "direct access" claim is replaced with "FBI interception unit" which is "government equipment on private company property to retrieve matching information from a participating company" that detail isn't mentioned in slides but provided in annotations.
- The case format notation points to "real-time notification" when a target logs in or sends emails/IM/VOIP etc:
"Depending on the provider, the NSA may receive live notifications when a target logs on or sends an e-mail, or may monitor a voice, text or voice chat as it happens (noted on the first slide as "Surveillance").
The "Depending on the provider" bit is interesting as it suggests that there are potentially different levels of "participation".
- "On April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database." can a FISA order cover a target across service providers or each provider requires its own order? the number of targets could dramatically be revises downwards depending on that.
Edit: Also note that Apple is a late addition on their graph and Microsoft is the first. Doesn't mean I think that says much about one versus the other, but if MS has been a provider since '07 they probably have much better access either through influence or better understanding than they do at Apple at the time this was presented.
In the case of activity timestamps (which I'm sure legally don't get the same protection as content) they would be sent by the companies to the FBI/NSA not have their actual servers monitored by them.