New PRISM slides say the program allows NSA to eavesdrop on live conversations (gigaom.com)
282 points by llamataboot 1398 days ago | 53 comments



I think this does clean up some of the language of Google's PRISM statement. [1]

    First, we have not joined any program that would give 
    the U.S. government—or any other government—direct 
    access to our servers. Indeed, the U.S. government does 
    not have direct access or a “back door” to the   
    information stored in our data centers. We had not 
    heard of a program called PRISM until yesterday.
So they did not hear of the NSA codename for FBI operated equipment. ( And note that they do not deny wiretapping, just 'direct access' and 'back door.')

    Second, we provide user data to governments only in 
    accordance with the law. [...] Press reports that 
    suggest that Google is providing open-ended access to
    our users’ data are false, period.
That seems to indicate that here Google defines 'provide user data' as a specific database access. Which seems to be reinforced by

    Until this week’s reports, we had never heard of the broad 
    type of order that Verizon received—an order that appears 
    to have required them to hand over millions of users’ 
    call records.
Note they talk about records, not about live interception. ( And the order against Verizon seems then to indicate that Verizon did not participate in live wire tapping.)

IMHO, this points in the direction, that there is FBI equipment in the Google datacenters. This equipment is tapping into the network connections and pipes them to the NSA. So the Guardian's allegations [2] that

    "Collection directly from the servers of these US service 
    providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL,
    Skype, YouTube, Apple." 
means that there is nothing between the servers and the wiretapping equipment. While the companies take the view, that only an account on a database server constitutes 'direct access.'

[1]https://news.ycombinator.com/item?id=5841228

[2]http://www.guardian.co.uk/world/2013/jun/07/google-facebook-...


The mirrored language in Page and Zuckerberg denials, focusing on denying direct access to servers and not on denying access to user information made it clear user information was being shared.

Nobody really cares about the how, yet that's what all the technical denials focused on. What matters is the what.

WaPo and The Guardian have played their hands well to let companies and government entities themselves reveal who is being straight with the public and who is tap dancing.


The reason they didn't deny "access to user information" is because it was common knowledge before the PRISM leak that they would send user information to the government on request. The only new accusation against these tech companies with the initial PRISM leak is that they were knowingly allowing the government to directly access their servers. That is why they denied direct access, because they were accused of supplying direct access. Just because Google and Facebook didn't deny these new accusations before they were ever levied against them doesn't mean they are automatically guilty of them. Let's wait to see how things play out before we start making judgements.


FBI equipment ON COMPANY PROPERTY to transmit realtime information on whomever from a blanket approval order is pretty damning, and not at all consistent with the harsh language of the denials of google et al and their desire to share a specific (presumably small) number of warrants with us


They denied any hardware on their property as well:

> “We refuse to participate in any program — for national security or other reasons — that requires us to provide governments with access to our systems or to install their equipment on our networks,” he said.

http://www.wired.com/threatlevel/2013/06/google-uses-secure-...


I don't disagree with how damning these new accusations might be. However, some people are taking the fact that these companies didn't deny FBI equipment being on their premises as admission that there is FBI equipment on their premises.

Looking at these slides, I see no proof that companies have FBI equipment on their property. That seems to be a claim made by the WaPo that is supported by other slides or sources. I am just suggesting we wait until more information comes forward before we start taking these accusations as fact.


I'm unaware of where "facts" will come from though. So far it seems as if the gov't says one thing, the companies say another, and the leaks say yet another. I don't see any companies rushing forward to clarify what exactly is going on, and the government isn't really a neutral arbiter of truth here. I would say we prioritize the information from the leaks, given their restricted nature and their intended audience, but that doesn't mean there might not be over-generalizations or mis-interpretations there either.

I really hope that tech company CEOs get their feet held to the fire for misleading statements though and journalists keep (or start) asking them direct and difficult questions to get answers on record before more leaks come out.

getspopcorn


> means that there is nothing between the servers and the wiretapping equipment.

There can easily still be no wiretapping equipment upstream of the servers; the companies are already copying the data directly to the collection equipment anyways, so that can be a parallel path. I'm not sure a place like Google or Facebook would ever choose to participate in something like this if their whole business were one misconfigured serial-path wiretap server away from being completely down.

I believe the NYT had mentioned a couple of days after the story broke that 'real-time' collection was possible. Even that is easy technically, you just send a copy of that instant message or video frame to the FBI collection server as it goes out.


By 'nothing between' I meant 'nothing that is worth mentioning in a newspaper article.' But you raise an interesting point, the entire wiretapping needs to handle a similar load as a large datacenter and should not impact the uptime, and therefore it should be quite an engineering challenge. So there should be documentation on the Google side, how to 'plug' it into a data center, which power requirements that stuff has, etc...


Which means that it's not something that Larry Page can just sneak into his datacenter without his squads and squads of Googlers never picking up on it, true.


Even the cheapest managed switches have a traffic mirroring port setting, no "prism" required.


Even if we assume that PRISM still needs to know what exactly to do with that inbound traffic, which it will need metadata for.

Of course maybe it's possible to set up a session and then just forward all traffic from a given company subnet IP:port to a PRISM case file, but that's getting back into impl details for me.


This is an incredibly fanciful interpretation of language. If these reports are correct then Google is simply outright lying. If you have to strain to read a statement to mean the exact opposite of what it plainly says and that opposite is the truth, then what practical difference is there between that statement and a lie?

Statements from Google:

  we have not joined any program that would 
  give the U.S. government—or any other 
  government—direct access to our servers.

  Our legal team reviews each and every request, 
  and frequently pushes back when requests are overly 
  broad or don’t follow the correct process. Press 
  reports that suggest that Google is providing 
  open-ended access to our users’ data are false, period.

  Until this week’s reports, we had never heard of the 
  broad type of order that Verizon received—an order 
  that appears to have required them to hand over 
  millions of users’ call records. We were very surprised 
  to learn that such broad orders exist. Any suggestion 
  that Google is disclosing information about our 
  users’ Internet activity on such a scale is 
  completely false.

  We cannot say this more clearly -- the government does 
  not have access to Google servers--not directly, or via 
  a back door, or a so-called drop box. Nor have we 
  received blanket orders of the kind being discussed in 
  the media. It is quite wrong to insinuate otherwise.

  Google participates in that allows the kind of access 
  that the media originally reported. Note that I 
  say "originally" because you'll see that many of 
  those original sources corrected their articles after 
  it became clear that the PRISM slides were not accurate.

  There is no free-for-all, no direct access, no 
  indirect access, no back door, no drop box.

  We’re not in the business of lying and we’re absolutely
  telling the truth about all of this. Our business 
  depends on the trust of our users. And I’m an executive 
  officer of a large publicly traded company, so lying to 
  the public wouldn’t be the greatest career move.

  If by what has now been “revealed” you mean the allegation 
  that Google is allowing the NSA unfettered access to user 
  data or that we’re handing over data willy-nilly to the 
  government, again, that’s just not true. It’s not 
  rhetoric, it’s just a fact.

  QUESTION: Without giving any specifics which might put you 
  in violation of such an order, are you legally bound to
  lie about anything to the public? (Yes or no is fine)
  ANSWER: Nope. No gun to my head.

  I’m really troubled if you’ve lost trust in us because of 
  this idea that we’re collaborating in a broad surveillance 
  program. We’re not, and that’s why we are pushing back so 
  hard on these allegations.
I really don't know how you could say NO more strongly. How would you say it? It is manifestly apparent at this point that there is no possible way that you could say it without someone who wants to believe otherwise reading whatever they want out of it.


In your examples, Google again just talks about 'servers.' There is no language which indicates that there is no wiretapping equipment in their datacenters, except for

    There is no free-for-all, no direct access, no 
    indirect access, no back door, no drop box.
Which is clearly wrong, since there is an indirect access to user data ( via court order). [1]

However at this point Google is trying to prove a negative, that it does not knowingly participate in covert surveillance of its users. ( With the added complexity, that AdWords analytics should qualify as surveillance.) So Google will have a very hard time to convince me. However a published privacy policy, verified by a third party, would go quite a long way.

[1] http://www.google.com/transparencyreport/userdatarequests/?h...


You seem to read only the lines that you can creatively contort to validate your belief and ignore the rest. I don't think you are intentionally doing this, but it seems quite apparent that it is happening anyway from my vantage point. The Google comments mention user data in addition to the servers themselves, and many of the comments refer to surveillance in general.

If the media claims turn out to be true nobody is going to think "Oh, Google was telling the truth the whole time!" As I mentioned, there is no practical difference between this statement being "true" in the sense that you creatively "read" it and an outright lie. No reasonable person would read these statements in the way that you have.

You seem to be having a really hard time simultaneously holding the idea that the media reports are correct and the idea that Google/the big tech industry is trustworthy, hence the mental gymnastics. You're going to have to drop one of those two ideas. You will eventually.


Of course I am discarding some texts and doing a hostile interpretation of others. The reason for this is, that not all texts are created equal. Some, like the Larry Page one, are created by lawyers and PR specialists in endless meetings. The Google blog post in particular has the purpose of limiting the damage to the Google brand. For this it needs to sound good first of all, but it also needs to contain a sliver of truth so that the company can not be forced to retract it, which would just further damage the brand.

So implying something, while actually reporting something different is a lie, but it is a highly specific type of lie. And it is quite often quite interesting to do these mental gymnastics to uncover the sliver of truth in these statements.


Or the precursor to their more-formal statement:

"What the ...?" Posted: Friday, June 07, 2013

Dear Google users—

You may be aware of press reports alleging that Internet companies have joined a secret U.S. government program called PRISM to give the National Security Agency direct access to our servers. As Google’s CEO and Chief Legal Officer, we wanted you to have the facts.

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Finally, this episode confirms what we have long believed—there needs to be a more transparent approach. Google has worked hard, within the confines of the current laws, to be open about the data requests we receive. We post this information on our Transparency Report whenever possible. We were the first company to do this. And, of course, we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish.

Posted by Larry Page, CEO and David Drummond, Chief Legal Officer


>This is an incredibly fanciful interpretation of language. If these reports are correct then Google is simply outright lying.

A huge corporation? Lying? About doing stuff that's harmful to their image -- stuff that they would have been pressured to lie about and deny them anyway?

Please. Next thing you'll tell us that there's no Santa Claus!


Wait until your phone call winds up on youtube. Think it can't go that far? Imagine an NSA contractor or employee with a gambling problem who needs cash. Your data is now their ticket out of trouble.


> Imagine an NSA contractor or employee with a gambling problem who needs cash. Your data is now their ticket out of trouble.

Even today there are NSA analysts who have tried to look up their ex-wives, and been caught and terminated. And that's just leaving it to NSA's own accountability measures, imagine what we could do if we actually added real oversight!


A dumb analyst could inside trade large amounts by eavesdropping on privileged conversations with a corporation and its public auditor (and eventually be caught for the size of transactions).

A sophisticated NSA analyst could make many trades with inside information and avoid raising alarm by making off-the-radar trades.


"...Your data is now their ticket out of trouble..."

And their ticket into prison.


Indeed, because addicts never make poor or irrational decisions over the long term.


I doubt the NSA would build such a sophisticated system without layers of security and extensive audit trails to prevent misuse. If not only because misuse of the system would be a disaster for the NSA and potentially be a bigger national security problem than what the system is designed to prevent in the first place.


Yet by the very nature of a secret agency you will never know what safeguards they have or how effective they are. Plus there are a lot of really really smart people likely working there who know exactly how everything works. Aldrich Ames took advantage of his position and knowledge to out CIA spies for years.


If a budget is tight, one of the first things to go is accountability and oversight. Social Security Insurance is a perfect example of this. If the program had more earmarked toward tracking the cases of abuse taxpayers wouldn't be able to complain about those that exploit it (as much).


The FBI's Data Intercept Technology Unit is a group of people. See, e.g., this memo.[1] Does the Washington Post have some other information that the FBI's "interception unit" is technology on the premises of the private companies?

[1]https://www.eff.org/files/FBI_CIPAV-08-p9.pdf


The only thing I do on the phone now is yell into it "fuck communism" and hang up.


Does someone keep the raw materials somewhere (the slides and other non-article stuff) a la wikileaks?


I think both the Guardian and Washington Post have them. Greenwald said before he had thousands of pages he wanted to analyze before posting more. It's better to do it this way, than post all in bulk. The latest WP article already seemed a bit overwhelming.


This way laying it out step by step federal government is covering itself in a web of incremental lies, discrediting itself every step forward. All in all looks more like a ginormous clusterfluff.


Snowden didn't 'make up' these slides. These are government slides. I would trust them over what the government is telling you now if only because the government decided to outright tell you nothing prior to Snowden revealing this information.

Whenever you want to know the truth, just go to original sources instead of someone's 'interpretation' of it.


The slides do not say that. They only show real time monitoring of chat login/logout and email send/receive. The content only appears to be accessible to the analyst through the paths on the right side of the slides, which are for accessing stored data, not live data.


Be sure to make a direct reference to the boys listening at some point in each call so that they can feel good that they're not being ignored. Remember, one of the most important aspects of networking is about establishing a warm relationship.

Right, boys?


If you are looking for a job, simply type into any comment field on the Internet "HEY NSA I WANT A JOB" and someone will contact you shortly.


This sounds like CALEA, to me. Inasmuch, it doesn't surprise me, even if it doesn't entirely please me.

https://en.wikipedia.org/wiki/Communications_Assistance_for_...

The questions I have are whether they are indeed doing it wholesale, e.g. widespread "phrase monitoring" and whether they are archiving (particularly, wholesale) the content [1] without a target/content specific search warrant in place.

P.S. Also, whether they are doing it to political and/or economic ends.

--

[1] We already know about the disposition of the so-called "metadata".


That's the one I have no problems with. Whenever I rant on the phone about politics, I hope someone of those I actually mean by that, instead of just a friend who did me no harm, is listening to it. The same goes for any other medium (as phone conversations don't seem to be included in this)

Well, let's say I would have no problems with it, if I wouldn't worry about the chilling effects it would have on others.


The politicians themselves aren't listening - and by being a surveillance target, you've already been othered to the point that your viewpoint will simply be taken as a sign you're untrustworthy and a dangerous element.

It would be nice if the politicians were required to hear complaints, but that only works if you're rich enough to make a difference in the Game.


Maybe not the politicians, but their staff:

http://www.thedailybeast.com/newsweek/2005/05/24/terror-watc...


Oh, I don't think it would change anything, I guess people deep into it are briefed on more arguments than I could ever dream of. They're probably perfectly aware of and okay with what they're doing, too. I still find this is one of the rare cases where narcissism actually is helpful, because I am not intimidated in the least by the idea of being spied on. I'm like fuck yeah:

http://www.sinfest.net/archive_page.php?comicID=2660

Being caught spying on others = super embarrassing, being spied on = hilarious. But then again, I never had anything used against me, I would sing a different tune real quick in that case. So I don't mean to belittle it in general. But if anyone can get a kick out of it while being against it and vocal about that, more power to them, right?


I have to agree!


What if the intent of these "leaks" was less (inform the public) and more (instil fear for the chilling effects?) It seems that every day we see stories about the govt or police getting away with this or that but the population never does anything about it. Pretty soon everyone is desensitized to it and a couple of weeks later everyone is joking about the whole thing by making memes about the NSA listening to this or that.


> but the population never does anything about it

And they won't -- until it begins gravely-affecting their normal life (eg. food, water, shelter, Kim Kardashian baby news). That's how oppressive regimes maintain control (I am not explicitly saying Obama is an oppressive regime).


And that's where HN readers come in:

We have more knowledge and therefore more responsibility.

It is up to each and every one of us to educate our families and friends and to effectively migrate them towards complete encryption, on every level.

- OpenPGP for Email
- RetroShare for Chat/Messages/File sharing/etc.
- Hard drive encryption
- etc...


It would seem the effect is to inspire confidence that our national security apparatus is doing everything it can to head off threats before they happen. It seems that 90% of the outrage is contained on reddit and HN.


> It seems that 90% of the outrage is contained on reddit and HN.

Then you seriously need to expand your horizons on information intake, because human rights orgs are pissed off, Ecuador and Hong Kong are pissed off. Germany, and the EU as a whole are considering a wide range of actions, and so on.


   Ecuador and Hong Kong are pissed off...
Ironic given that in both of these countries, warrantless wiretapping is legal and routine.


Citation needed.


'Citation needed' is essentially 'I can't be bothered to Google' however:

Ecuador:

http://www.buzzfeed.com/rosiegray/exclusive-documents-illumi...

China:

http://www.nytimes.com/2013/06/27/world/asia/with-snowden-go...

"Security experts and democracy proponents say that mainland China’s domestic surveillance operations in Hong Kong are far more extensive than the American effort. But those operations have largely disappeared from public discussion as attention has focused on the many details released by Mr. Snowden."


Key US-EU trade pact under threat after more NSA spying allegations:

http://www.guardian.co.uk/world/2013/jun/30/nsa-spying-europ...

So it would appear there's some outrage elsewhere too.


There's outrage everywhere but I hear what you're saying and I kind of agree. This kind of opinion will get you ignored or looked down upon on Reddit and HN but I kind of don't care. What I see in those places is a lot of impotent rage and speculation that comes a lot like "how smart can I make myself sound here".

I personally am not okay with the alleged surveillance of practically everyone in the world who uses a phone or the web. That's just not okay. But is that really what's happening? What I'm seeing in the actual documents that have leaked is that the NSA has the ability to surveil anyone using most services but I'm not seeing anything that shows that they actually are just collecting these vast swaths of data and aimlessly looking for incriminating things. What I do see is that they use this ability to target certain individuals and that they're allowed to do this because of a rubber stamp process in secret courts. I also see that sometimes in the process of targeting one person or a group of people, other innocent parties get caught in that net. This is what I've seen in the evidence. Now the editorial that goes along with it, which is what everyone is loving to eat up right now paints a darker picture.

Is what we really know scary? It certainly can be but I'm of two minds about it. On the one hand I see law enforcement doing its job and doing it without breaking the law and, for the most part, ethically. I'm talking about capturing the data of known terrorists and such. Then there's the egotistical, kind of immature, smarter-than-everyone-else side of me who hates this and thinks it's the devil. This power can be abused in so many ways it's not even funny. But how narcissistic can I be to think that anything I do is being watched by the NSA. Even if I were an activist, would they really care? There are so many other ways to target free speech and stamp out political dissent that are already in use today that you don't even need the NSA's prism to do it.

What I guess I'm getting at is that I don't think either view is right. Those who think this is just fine and no big deal are naive and those who think this is a grand government conspiracy to create a police state are also naive. It's hard to take either group seriously. The truth is somewhere in the middle where PRISM can be a useful tool but at the same time needs to be just open enough to where citizens can have an intelligent discussion of where to draw certain lines and what kind of oversight is needed.

As for Snowden, he now comes off as a narcissist who got played by a reporter for a huge story. Is there an element of giving a shit to Greenwald's reporting? Of course. But to think Greenwald ran with this out of pure love of democracy or some other equally trite reason is hard to believe. And for Snowden to take so fucking many top secret documents then fly off to, so far, two countries who would absolutely love to get their hands on them for their own purposes only looks bad for him. Being a whistleblower would qualify him as heroic but taking all that classified info then flying to Hong Kong (regardless of how close their government is or isn't with China) and Russia would qualify him as a traitor.

I know this isn't the big bad government conspiracy story we all like to jump in on around here but I think it's closer to reality than either of the other two ends of the spectrum that we normally hear the vast majority of the time.


You seem to be conflating PRISM with NSA's entire SIGINT operation, I see a lot of people doing that. PRISM is one out of 504 programs that collectively obtain vast amounts of information (approximately 350 billion telephone and internet records globally in the month of March 2013). That is 4 trillion records per year, after filtering the data.

PRISM is an inconsequential piece of the puzzle, and truthfully one of the most innocuous. Nobody is really disputing that it collects information on only a small number of people. However, other NSA programs very clearly do not - they collect everything on everyone, then look at the interesting parts.

As of right now, the NSA has a blank check to collect any data they want and can retroactively obtain warrants for accessing that data. You can argue about the merits of what they are doing, but I see very little basis in arguing that they aren't actually collecting vast amounts of communications.

Personally, I think there is absolutely no way to stuff this genie back in the bottle.


There is something we all have to do now:

Never give 1 cent to these companies, again.

Our only vote with them is our dollars.



