Hacker News new | comments | show | ask | jobs | submit login
More on the NSA Commandeering the Internet (schneier.com)
222 points by qubitsam 1564 days ago | hide | past | web | favorite | 64 comments

I know nothing of Lavabit, but let's say he did comply with the order and then months or years later the company simply isn't profitable and he needs to shut it down. Could he shut it down then? Or would he suddenly find himself hosting lots of paid government accounts - enough to make it financially viable? (But define viable... Does "I'm not pocketing $1m/year from this business, so I don't care any more. Turn it off!" count?)

Could he sell the business? If so, at what point does the new owner get to find out they have extra non-negotiable obligations to the government?

An NSL simply cannot be included in any due diligence.

That's absolutely brilliant and insightful - there are 192,499 (1) NSL's issued - which either will represent a huge and uncountable liability during due diligence or a massive impact on M&A work in the future.


I would think he could quit saying it was not profitable. The argument is that because he mentioned an order he violated the gag order.

It is stupid. It is blatantly Unconstitutional. I would hope he'd be suing for declaratory judgement that his conduct did not violate the law (now that he has been threatened with arrest he has standing to sue, I think).

Best example I know of something like this is Carpathia's conundrum in the Megaupload case: https://en.wikipedia.org/wiki/Megaupload#Data_retention

That's why the government is paying the companies to access the data. So it's much easier for companies to just comply with the order. The carrot and the stick.

Well, the government is paying for some degree of predigestion of the data. The alternative for the company is having a government black box installed in their machine room doing who knows what....

"Once they do that, you no longer control that part of your business. You can't shut it down. You can't terminate part of your service. In a very real sense, it is not your business anymore."


I feel like we've identified this problem to death.

I think now the real question is, as an internet community, what are we going to do about it?

Are we going to build something that 'routes around' this? Are we going to protest? Or are we just going to keep identifying the problem and complaining about it on Twitter?

I'm not saying that I'm not one of those people too - I'm just saying we need to start thinking about action and not identification.

I'm hoping that's the next article Bruce writes.

It seems to me that the only way to bring about real policy change in the US is to organize politically. If you can deliver votes in November, then you can get things done.

Part of the problem is that other than the EFF and ACLU, there isn't really a "privacy lobby" in the US. And neither of these organizations are effective in shaping election outcomes.

What is needed is something like the 2nd-ammendment lobby or the "Family Values" lobby--one that not only talks about policy, but one which also rewards allies and penalizes enemies at the ballot box. The way that the NRA and the Christian Coalition do it is through grass-roots organizing, and a massive donor base that they basically direct in a centralized manner, which puts them in an unassailable negotiating position on Capital Hill.

Don't look at the "Family Values" lobby, they get lip service but no serious favorable actions in return for their votes. One reason they're fading away (the main other one is that Carter's attacks on their schools are a distant memory).

The concept of the applying the lessons of the 2nd Amendment lobby was extensively discussed here: http://news.ycombinator.com/item?id=6185138

Here's the contents of my top comment, which I think frames the concept well:

"Until we have specific, actual, real privacy atrocities I can't see this effort getting the traction of any of the groups you've specified. Labor had company towns and less but still specifically abusive employers, with plenty of specific people maimed or killed in unsafe workplaces or labor actions. Environmentalists had deformed children from Japanese industrial mercury dumping, and, oh, the Cuyahoga River catching on fire. Gun grabbers have killed, maimed, or otherwise grossly abused thousands of people and that continues to this day.

"What specific incidents, with victims most will empathize with, can the privacy effort point to?"

Martin Luther King was spied on and blackmailed by the FBI. It's a bit dated, but a good place to start.


Oh, there's a whole bunch of pre-Church Committee, especially J. Edgar Hoover (died a few years before the former) ... incidents, but the current authorities can and will say they aren't like those abusive folks 4 decades ago.

And in e.g. the case of MLK they were famously unsuccessful. I claim you need atrocities committed upon "victims most will empathize with"; the latter excludes "rioting hippies" and the like, especially after the Weather Underground and company started bombing and killing people.

E.g. I was just past the threshold of becoming politically aware when this happened: https://en.wikipedia.org/wiki/Sterling_Hall_bombing and it shocked and appalled the nation.

It's interesting what external events are formative. For me, it was the SSC being cancelled (thus, wanting to be in private business and then funding science vs. government-funded big science at risk always to Congress), the MOVE bombing in a nearby city (learning that even a black mayor can be racist, as well as incompetent), and Challenger ("perfect systems aren't", kind of the Rumsfeld thing).

I think 2A/RKBA, drugs (== black/latino community, generally; white people rarely go to prison for drugs and white/asian communities aren't torn apart by the drug war), and maybe people with garden-variety secrets (cheating on a spouse, cheating on taxes, looking at questionable porn, etc.) are the strongest natural allies in terms of turning out the votes. These are pretty evenly split left/right.

Funding could be from cloud providers who are getting screwed; even Google probably loses a marginal $100mm due to this issue, so for them funding a PAC with $25mm would be a rational choice. Plus, being anti-NSA is a great recruiting/retention thing for employees, so any worthwhile tech company could probably justify PAC support just as an HR and marketing expense.

You could probably get the tea party side, and civil libertarians in general, for free, but they're not a meaningful political bloc. The problem is at least some of the tea party side would be pro-military and might view support of NSA as supporting the military.

Such implicit pessimism is a bit premature. We've already had one legislative wack at the problem and the results were close and extremely promising, e.g. they didn't break down in any conventional way (by party, region, etc.)

We already know from history that the American system can draw back from this sort of thing (https://en.wikipedia.org/wiki/Church_Committee), it's way too early to assume that won't happen again. (One caveat, the Church Committee did its work after the death of J. Edgar Hoover.)

We also won the Cold War/Clinton era "Crypto Wars"; this account is U.K. centric (I'm amazed at their success), I'll note we won earlier in the US: http://wiki.openrightsgroup.org/wiki/Crypto_Wars (HT betterunix in this current discussion: https://news.ycombinator.com/item?id=6302520).

On that point, I think some of the best action right now would be raising general awareness to the population, particularly the extremely negative consequences this could have on the nation. Despite what some may believe, I feel the US is still a popular sovereignty. These government programs persist because there is a very large (if not majority) portion of the USA that believes these programs are good because they keep us safe from terrorism. Until you change that view point, no 'routing around' is going to solve anything.

I think you make a good point.

I think we must also assume that protesting (both to our peers and our so-called "representatives") won't achieve much, at least for the foreseeable future. There's too much money being poured into the right pockets, and too many of the wrong people in the wrong places in government to dislodge. And even if this particular group of authoritarians are removed, there are plenty of replacements waiting in the wings to take their place.

For this reason, I think your first option ("build something that 'routes around' this") is the best. Granted, it's easy to hand-wave and say that this can be done -- but we cannot otherwise assume that the people and agencies which have lied to us in the past will quickly turn over a new leaf and respect our Constitutional rights. We must assume that they will continue to snoop on us, and respond appropriately: peacefully, and cleverly.

I'm not a big fan of Bruce. He does have some valuable technical things to read though, you just have to take his personal opinions with a grain of salt.

Agreed. I've found him to be startlingly ignorant in declaiming on real world stuff I'm a domain expert in; he just doesn't realize it when reciting generic talking points.

In this article, he made a very clumsy attack on the current Internet ecosystem; there's a good case to be made for it (see other comments in the topic), but he didn't make it and sounds like a generic anti-business crank.

Which might be the truth, the really startling omission in this article is the ultimate fate of Joseph Nacchio, who was convicted of the very nebulous crime of insider trading. Even if you think government was or might have been right about him, you ought to accept that a lot of executives will assume in this Three Felonies a Day legal environment that the government will get them some way, some how if they resist like Nacchio indisputably did.

I wouldn't read anybody that you would not have to take his personal opinions with a grain of salt.

Middle of the road, all-too-careful opinions are totally off base with reality.

Wow, I didn't realize that the lavabit guy had been threatened with prosecution for opting out of continuing his business. That makes me incredibly angry. The sheer audacity of it is baffling.

Many people do not realize how bad things have gotten. (They have gotten very, very bad.) That is a big part of the problem.

The idea of a National Security Letter, a device which strips the recipient of several basic human rights, is so blatantly unconstitutional that it should have never been allowed to exist at all, let alone persist as long as it has. It's a device straight out of the Cold War east bloc.

Several months ago that tone would have sounded conspiracy crazed nutty. But post-Snowden and given that it's schneier, it's sad to realize we've come to realize how bad the situation is. I'm still inclined to not change any actions on my part because I'm not worried about being under surveillance. I'm neither interesting, nor engaged in anything interesting. However, I would like it if the spying were reduced to remove the bulk tapping of the internet.

I have changed my behavior a bit. There is something about feeling a big brother presence looking over your shoulder when you type. This is particularly present in private conversations.

With comments to HN or public comments on blog posts, etc. I think that the government could have gotten it anyway. If the government wants to snoop on things I say publically there isn't much I can do about it. But with private emails, it's a different matter. The question is, "what will someone think if they read this?" And so those emails end up self-censored, not discussing big controversies, and I put the political thoughts out there front and center for all to see.

So it means that for HN, no difference. I will say what i would say before. Same for any other public comment area. But there are things now that I would say in public that I am not sure I would say in private.

> I'm still inclined to not change any actions on my part because I'm not worried about being under surveillance. I'm neither interesting, nor engaged in anything interesting.


Link not working, looks like the last period was not included in the URL. http://en.wikipedia.org/wiki/First_they_came_....

I'm not worried about being under surveillance. I'm neither interesting, nor engaged in anything interesting.

That's probably the feeling of most people. Martin Fowler wrote an insightful post about this subject:

Privacy Protects Bothersome People …and isn't about me (or probably you) http://martinfowler.com/articles/bothersome-privacy.html

He argues that privacy on the internet is important, not because normal people have something to hide, but because journalists and activists (or other counterpowers in a well-balanced democracy) need a certain level of privacy in order to work.

There's a lot these days that, in years past, would have sounded like something out of a tinfoil hat convention.

Yet, even some of the nuttiest, worst-case scenarios that people feared about in the wake of the Clipper Chip debacle have been surpassed by reality.

It boggles the mind.

"I'm neither interesting, nor engaged in anything interesting"

You are missing a word: yet. You are not interesting yet. You might become interesting some time in the future, and discover that what you thought were uninteresting conversations today can be used against you. Here is a famous example:


The problem is the National Lawyers Guild was a notorious Communist front. If you have any doubt, this line in their Wikipedia entry is utterly damning:

"Following the Nazis' invasion of the Soviet Union, the Guild gave its support to President Roosevelt's wartime policies, including that of Japanese American internment."

Would people say the same if Ficher's "youthful indiscretion" if he'd worked for a Nazi front after, say, Kristallnacht? (See the above quote, they wouldn't have between 23 August 1939 and 22 June 1941.) Was it that difficult for Ficher avoid working for a cause dedicated to the violent overthrow of the US government and the liquidation of its "capitalist" classes including the wealthier farmers?

Exactly. "I'm not interesting" as a statement of safety has to mean: "I'm going to be very careful to spend the rest of my life not being interesting, and to make sure my family doesn't become interesting either." Otherwise it's just being an ostrich.

Of course, that's one of the aims of a surveillance state: if any word or action could be used against you, then people mainly police themselves.

"Sir, he commented on a blog post from that annoyingly smart Schneier guy saying he's not interesting. Plus his last email places him within 100 miles of the attack so we should be able to justify it later."

"Right. Send him to Guantanamo!"

It's too bad the NSA didn't want to spy on Google Reader...

Maybe they did...

"That was before the Patriot Act and National Security Letters. Now, presumably, Nacchio would just comply. Protection rackets are easier when you have the law backing you up."

Reminds me of this old chestnut:

Q: Why does the government prosecute the Mafia?

A: They don't want any competition.

I still cannot see any solution, other than total loss of privacy for all. If the NSA records were made publically accessible, then its a new Nash Equilibrium, but one where no-one has power by dint of secrecy.

But other than that, regulation? Even if it worked in the US would the Chinese or Russians agree?

I think perhaps its all or nothing.

> To be fair, we don't know if the government can actually convict someone of closing a business.

The Thirteenth Amendment makes it pretty clear you can't force a person to work, unless they've been convicted of a crime. There may be an argument that he violated the NSL, but that's not the same thing.


I really wonder if that would directly apply. The most relevant case law I'm familiar with didn't use it, although that was complicated by the Feds requiring state government agents to do things: https://en.wikipedia.org/wiki/Printz_v._United_States

You read where companies cannot divulge that fact that they have received a NSL? What if they all started reporting that they did NOT receive a NSL? Then when the reporting stopped, you could draw your own conclusions. Wouldn't work for large companies that might get them frequently, but would be an option for the smaller ones like Lavabit.

That's called a warrant canary:


Rsync.net does this:


It's not clear whether the secret courts that enforce NSLs could consider this a legitimate loophole or too cute to get away with, but I wouldn't hold my breath.

Never seen one, but I imagine the NLS reads along the lines of "not giving any indication" -- so if you stopped telling the world, you'd be going against it.

The people who do this for a living aren't stupid, and most of them probably don't even think they're being evil.

By stopping reporting that, they have divulged that they received a letter. So once you receive one, in order to avoid prosecution, you need to keep your notification up as a continuous lie.

No way. You can be compelled by the courts to actively perpetuate a lie? I don't think so.

The deal with the warrant canary is the guy signs a new message every (day?), actively affirming that he hasn't been served with any such secret warrants.

What if he gets tired of it? Same with running the business? You can't be compelled to work forever, neither for free or otherwise.

> You can be compelled by the courts to actively perpetuate a lie?

tl;dr Yes, these NSL have compelled people to directly lie.

And I don't see why the courts couldn't do that, as lying isn't even a crime. Maintaining the posting isn't even actively telling a lie, you're just not changing anything from the way it was before. So I could definitely see the same court that authorized these sweeping movements also supporting prosecution if you tip your hand on these matters; it's national security on the line, after all!

And even if the courts wouldn't force you to lie, the FBI could still attempt to prosecute you for not lying, and for taking action that directly reveals your receipt of the letter. Even if the court is opposed to it, it will be a lengthy process, and because of "national security!" you may not even get that far. From the government's perspective, you're enabling terrorists through secret and underhanded messaging, so you're already behind the ball both in the judicial court and in the court of public opinion.

Take, for example, the necessarily anonymous writings from 2007 from an NSL recipient:

> Living under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case -- including the mere fact that I received an NSL -- from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie.


So yes, even the person who has done the most to stop NSL, has been compelled to lie directly to his friends and colleagues.

>No way. You can be compelled by the courts to actively perpetuate a lie? I don't think so.

Sure you can. For one, what about people pleading guilty, when they are not, just because their case looks bad and they want to avoid a trial that can put then in jail for decades and get a plea bargain?

That's actually encouraged by the DAs.

I hadn't considered that at all. You are right, I have heard of this before. That one is even under oath.

You can when you're in jail

What if you set up a Dead Man's Switch of sorts, that you were unable to disable, that would go off and notify a trusted journalist/blogger/etc if you ever tripped it? Tripping it would happen as a result of whatever rules you put in place that make it overwhelmingly likely you're snooping around in your user's data.

The logistics behind this might be hard to pull off. I really don't know enough to know whether something like this is feasible, but if the concept was feasible to implement, it seems like you can just publicly announce ahead of time that the system is in place, and it's out of your hands.

I think everyone is missing the most important point, the one that history teaches. The enormous power surveillance brings (not the least being the fact that a little "creative editing", ala the Nazis, will allow <anyone> to become both interesting and guilty of <something>). With that much power, even if <bad stuff> is not happening now, it will happen sooner or later; and then it will be too late!

I agree that it's ultimately a policy issue that needs to be mended by congress, what I disagree with is the needless "dig" at companies that store and analyze large amounts of data, as if that somehow is invalid conduct. The problem is the government demanding access to that data, not that the data is there in the first place.

...what I disagree with is the needless "dig" at companies that store and analyze large amounts of data, as if that somehow is invalid conduct.

The argument against building systems to amass huge databases of personal information has always been that the very existence of such systems would almost inevitably lead to abuse, through inappropriate expansion of the collection activity and through inappropriate uses of the resulting database. It's simply too tempting a target to leave unmolested.

From that point of view, storing and analyzing large amounts of data is "invalid conduct."

Current events are just history proving this out yet again.

Arguably the collection of large amounts of private data is a fundamental property of the internet and impossible to avoid. In a world of government back doors into hardware and software the difference between cloud and local is an increasingly mute point for most people; making privacy a technical improbability. If any connected device can be accessed how can invalid conduct ever be avoided?

The fundamental property of the internet is connection. Everything else is in how we use it.

The fundamental property of land is spatial relation. Using that, you can build a town of little houses, where everybody has a modest and equal helping of privacy. You can build a giant open agora, where everybody can see everybody's business. Or you can build a panoptic prison: http://en.wikipedia.org/wiki/Panopticon

That is an extreme point of view that I don't agree with. I'd like to point out that these abuses weren't committed by the data holders but by the government, the same entity tasked with regulating data abuse, also as long as the user has control over their data and the ability to opt out, much of the potential threat is neutralized.

That is an extreme point of view that I don't agree with.

That's your prerogative, of course, but we're talking about the past now. It's not theoretical anymore. It has really happened, it is really happening.

I'd like to point out that theses abuses weren't done by the data holders but by the government...

You are drawing a sharp line between private enterprise and the government, but it seems like an increasingly irrelevant, imaginary distinction.

From a practical point of view, for the average user on the modern web, there never was such a distinction worth making, as it turns out. The "data holders" will rat you out to the government and the government will give orders to the "data holders" that they simply have to comply with. In many respects, the "data holders" may as well be another government office, from a privacy-minded point of view.

Wait, why is it better for part X rather than party Y? both are likely to abuse the data, absent non-naive controls or incentive structures. 'take my word' or 'trust me' etc are not such structures AFAIK.

These companies can't detain you in an airport or throw you in prison, there are massive benefits to be had from this data for the user, not to mention that you have a contract in place with these companies that don't have with the NSA.

These companies can't detain you in an airport or throw you in prison...

Neither can the NSA.

Remember this? (http://www.theatlanticwire.com/national/2013/08/government-k...)

Cops searched this family's house at a private corporation's behest, more or less. The fact that a large database is privately held isn't going to protect you from the government.

Actually, that story was later proven to be false and hysterics drummed up by the woman who was searched.

Skip to the update: http://watchdog.org/98870/feds-raid-home-after-couple-search...


Her employer tipped off the FBI after seeing suspicious searches show up in their logs. Not Google.

Please check your facts and leave the tinfoil hat hysterics at the door.

I'm worried about what the NSA is doing too, but making shit up doesn't help.

Her employer tipped off the FBI after seeing suspicious searches show up in their logs. Not Google.

Yes, that's what I said in my comment, that's what it says in the link you just posted, that's what it says in the link I posted, and that is the story you are telling me now as some sort of correction.

It's not hysteria to say that they got their house searched as a result of a Google search, or as the ultimate result of the actions of a private corporation; those are facts we apparently agree on, facts that every single media report on the incident agreed on, AFAIK. Its the consensus view.

Weird, why were her husband and son using her work computer? Maybe she brought it home, and they used it, and her company monitored her in her home?

Other branches of government can, relying on NSA intelligence.

Just to be clear that example you offer is a case of an employer monitoring employee activity on company equipment, which is another can of worms: http://www.wired.com/threatlevel/2013/08/pressure-cooker/

Also it's not an account of action taken against consumers or users, nor is it any example of a "large database".

And, most importantly, you can leave.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact