The issue, of course, is that if someone wants to talk to me they need to connect with my physical equipment. In a perfect world, people would look me up with a simple IP address, and I'd have whatever services I wish to provide running on various ports from that IP. This machine could be my phone, or a computer I keep in my home. But what's funny is how the modern internet appears to conspire against this extraordinarily simple idea: the first problem is IPv4. There aren't enough IPs to give every internet-connected device a unique IP address, which means NAT, which is, AFAIK, fundamentally insecure when handling inbound traffic. The second is that virtually all internet providers forbid us, in their terms of service, from running "servers". Which brings us to this interesting syllogism:
1. Communication sent through third parties is not private.
2. All internet communication involves a third party
3. There is no private communication on the internet
Until the problems of IPv6 adoption and contractual restrictions on how you use your internet connection are solved, people do not have a viable alternative to using 3rd party hardware for communication over the internet.
Of course, if the "no fly list" is any precedent, the government argument will be something like, "then don't communicate with the internet".
It's impossible right now for the masses, because they've decided they can trust these 3rd parties. So we never really put much thought into adopting "Trust No One" type of services. But having such services is probably doable, and now that we know these companies can't actually be trusted, perhaps we'll start using them.
Again, the main reason we didn't have private communications through 3rd parties, is because we thought we could trust those 3rd parties. But that has changed now.
Most of said masses don't even realize there's trust involved, leave along making a decision on whether to trust vendors or not. They just swallow what's free without much thinking.
Just look at something like the real-estate business. You'd think that realtors would appreciate how much private information is passing through their hands and that they would conform to the privacy protection laws they are typically bound with. And yet, every single one of these retards uses Gmail and routinely email forms stuffed to the brim with delicious personal info in plain text. How can you realistically expect the masses to do any better?
That way you know what was given out and when and it's always up to date. They wouldn't be allowed to store it either. ( https://github.com/samsquire/ideas#92-personal-data-api )
Let us not write now as if the Snowden leak effects are at their end. This is the start of whatever changes - good or bad, are going to come.
Especially, if the NSA gets the changes it wants from the situation, talking about the insecurity of a network would become illegal and bad security practices could be papered over. Security experts would be unable to speak openly and clever black hat hackers who kept their mouths shut could likely run rampant.
The post sought to position Microsoft and Google on the moral high ground, linking them to the values of the founding fathers.
If they wanted the moral high ground, they should have sued years ago. They've lost my trust, and no PR exercise is going to win it back.
Google has received high marks from the EFF for fighting for users' privacy rights in the courts and in congress for three years:
This lawsuit is just a continuation of what they have already been doing for years.
They lied straight to our faces and thought we would just accept that and continue to buy and/or use their stuff.
Microsoft reiterated their position, explained that yes, they review every order, they do not just dump data on all customers over some private link, the encryption is sound, but of course they need to hand over data they do have.
If I'm wrong on this, I'd certainly appreciate a correction.
Its one thing to be forced to deliver some kind of information against your will. It something else if you do it like a shop, providing goods in return for revenue.
And, in the face of not knowing, why default to an explanation other than what has been given to us?
There is a difference between extreme skepticism in the face of one story, and postulating hypothetical scenarios that have equal or higher burdens or proof, and are less likely or more difficult to demonstrate.
In fact, in terms of logic, the two are diametrically opposed.
I'm sure they want to win these cases, but they wouldn't do this in complete secret, would they? They want the public to know about it, hoping this way it gets them to gain a tiny bit of trust back.
This goes beyond simple diffusion of responsibility, leaders at Google and Microsoft were complicit in the crimes the NSA committed and did nothing to stop them.
IBM was able to eventually live down its involvement in the holocaust. In today's world there is no excuse for a modern tech company led by wealthy, enlightened people to commit these kinds of wrongs. Ironically, it's as if Google's mantra became "Be Evil".
Such doings (empowering the NSA, IRS, etc. to snoop on innocent people for the express purpose of entrapping them or contriving other evidence) are pretty much the definition of exactly the kind of insidious evil that one would hope to be able to trust its service providers not to engage in.
My prediction is that within a few months as viable open source alternatives for Google and Microsoft services become available, we'll see lots of people leaving their cloud platforms/services.
Then there's the news report that corroborates this, implying not even the leaders of the companies had any idea.
I mean, again, they could all be lying...but Occam's Razor and all that.
gut feeling based on existing evidence and experience.
As time goes on the less and less reliable I find the media to be when gauging public sentiment. 90% of the people I've talked to about the NSA scandal, all across the political spectrum, have been horrified by the government's behavior. As depressed as I get watching the poor news coverage of the scandal, and the implication that people don't care about it, or are more concerned with "getting Snowden" than what he revealed, just simply talking to people makes me feel a lot better.
Yes, it is "public debate" in the sense that it is a debate that is taking place on a public forum. That wasn't my point.
Just last night, I was asked about the leaks by a 50/60ish bus driver after mentioning I worked in tech - who as far as I could tell, had no particular previous inclination towards privacy activism or technology.
We should expect a very limited amount of carefully parsed information to be revealed as a result of this suit. Nothing more, nothing less.
Totally irrelevant, because:
We know for a fact that the NSA has installed hardware at all these companies (Microsoft/Skype, Google, Apple, Facebook, AOL, Paltalk, etc.). They don't need to put in any official requests for user data to get the data.
Furthermore, we also know that 75% of all communication data is being intercepted/covered by the NSA (today! Work in progress...). Why would any official requests for user data be relevant, given these circumstances?
The NSA has installed hardware on cables, but that's been known for nearly a decade. Intercepting unencrypted communications isn't much of a feat. It just takes some time and money.
> Another newsletter entry stated that NSA already had pre-encryption access to Outlook email. "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption."
> Microsoft's co-operation was not limited to Outlook.com. An entry dated 8 April 2013 describes how the company worked "for many months" with the FBI – which acts as the liaison between the intelligence agencies and Silicon Valley on Prism – to allow Prism access without separate authorization to its cloud storage service SkyDrive.
Would you honestly believe the NSA would want that from a company like Microsoft but not from a company like Google (whose main activity consists of the collection of data in order to build the most precise user profiles to advance the targeting of their ads = ROI)?
The installations were also mentioned in the slides published by the Guardian, you should read all of them.
This also in no way indicates any sort of hardware. Microsoft replied and made it clear they review each order, then comply as required. Perhaps they have a fast review and quick compliance system (if you got as many requests as they do, you'd do the same or close shop).
None of the documents released indicate any sort of hardware installation. Provide specific cites. As-is, you and other folks saying these things are muddying the waters. When the dust settles, it'll be clear there wasn't super-duper decrypto hardware secretly placed all over Microsoft's internal software. Then people will say "oh, they were just lying" and ignore the real issues of oversight, legality, and so on.
> Totally irrelevant ...
Irrelevant only to people who don't understand politics. The NSA isn't asking for cooperation from these companies because they actually need it, but because it provides political cover. In the * * itstorm that will surely result from future revelations of spying on U.S. citizens, the NSA can honestly say, "These companies cooperated in data collection."
> Why would any official requests for user data be relevant, given these circumstances?
As is often said, you may not care about politics, but politics cares about you.
One way out, to appease the outrage over what happened, would be for a few CEOs to spill the beans on what took place at their organizations. But after they were carted away to jail the company would still be in the situation it was before. Another would be simply to shut up shop in the USA and move somewhere else - but where? It would need to be a county where the intelligence services did not have the capability - end of business. About the only realistic and probably credible response is not to sue but to put a lot of effort into supporting third-parties opposed to the situation such as the EFF. Then at least, despite what they were forced to do behind closed doors the company would at least have a visible position and be seen to be trying to getting of the handcuffs put on it by the government.
If tech companies thought it was in their best interest, they could bury the DOJ in litigation for years and barely feel it in the pocket book. It happens all the time when it comes to other industries that have more balls.
The movie industry seems to more or less own half of Congress, and appears to be able to get industry-specific legislation created nearly at will. Yet total US movie industry revenue is in the neighborhood of $85 billion, which is about half of Apple all by itself, not even counting any of the many other valuable tech companies out there.
Except for negative numbers, of course.
If they would've started standing together on these issues, and get a lot more allies, they could've started to have a chance against the governments' demands for censorship, and try to win the public on their side, too. But no, instead they decided to backstab each other for a tiny piece of the market, thinking it's an "opportunity" to get rid of a competitor, rather than a long term catastrophe waiting to happen.
How long would it take Google to implement key exchange with Web-of-trust using Google+ and enable encrypted email using open source clients?
Web companies could choose to blind the security state. or at least force the issue that they are compelled not to do so.
The other option is the government would just force them to bypass their own trust model to give them meaningful access, such as what happened with Lavabit.
As for trust, there is no way you can trust cloud storage. You have to assume it's hostile, or that your data is crossing hostile territory to or from. The security model has to avoid trust, which is what I described: signed keys in a Web of trust, no CAs, and no closed-source clients.
Using web of trust signed keys is all well and good for techies. How would Google possibly set that up for average folks in a way that they themselves could not circumvent? I certainly could not see my parents working with key pairs unless the vast majority of the work was done automatically.
Notes implemented secure messaging (except for that key escrow thing) that was as easy to use as any email client. Skype implemented ephemeral keys for real time communication that was VERY simple to use.
There is no excuse, and it will take less time than a lawsuit to provide customers with NSA-proof products.
Despite that, news like this is going to be analyzed in whatever light suits the reader's bias. People are going to argue and say that this is just a fake attempt at saving face, and that it's a conspiracy sanctioned by the government to allow these companies to regain their reputation. Then there are going to be counter arguments citing what the CEOs announced publicly. And so on and so forth.
People will believe what they want, one way or another. Occam's razor be damned.
The top secret internal NSA documents saying they were partners in PRISM with colorful logos and all weren't enough?
They even wrote later from new leaks, how Microsoft was having a "team play" with the NSA to give them a lot of data from Skype, Outlook.com and Skydrive, in an almost "direct access" kind of way:
It may be that Microsoft really, really, loves to give the NSA everything, but so far, there's no evidence of anything beyond complying with the law. Just speculation and spin.
Does that make you feel any better? I know it's not making me feel any better, because I know there's virtually no oversight, and the fact that you can even get a warrant for thousands or millions of people at once, is not right, and quite disgusting move from the government (regardless of how constitutional it is - there's such thing as human rights, too).
Trying to conflate the two for media impact will backfire by making people jaded after they discover the spin being put on things. The info Snowden has released is bad enough as-is (the lack of oversight, the scope, etc.) - there's no need to invent stuff.
Did you accidentally use the wrong word?
The quote Greenwald was using:
> "PRISM: Collection directly from the servers of these U.S. Service Providers: [...]"
> "The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders."
As to "obtaining targeted communications without having to request them from the service providers", here's a quote by Gellman:
> In another classified report obtained by The Post, the arrangement is described as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers.
Regardless of whether it is actually accurate, that is what the NSA documents stated.
I think the whole "direct access" argument over semantics is a red herring and completely irrelevant by now.
Statements like these have no information value unless you back them up. For all I know, you learned this from the "The Guardian" article I just cited.
> [...] allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations [...]
I don't think a statement about having write access to your own hardware pertains to this discussion, even if that hardware is located in Steve Ballmer's office.
> The procedures adopted in accordance with paragraph (1) shall be subject to judicial review pursuant to subsection (i).
... and the actual contents of subsection (i). You have to be more specific.
This will barely register on my radar, if they don't take serious steps in not just fighting the government more aggressively over the mass spying (they should be fighting to declare NSL's and mass data collection unconstitutional, for starters), but also in securing their services end-to-end.
So even if we can't trust them anymore per se (which we won't), we could still probably use their services if they adopt that.
I think there is a point however where one has to accept the reality of surveillance at this point and that large companies are probably not going to be the best points of resistance. Open source and open infrastructure with strong crypto and chain of custody tracking on keys is what is going to be required in the long run. I am not even sure we can go back to trusting the certificate authorities here and if we can't do that then these lawsuits are way too little way too late.
I could see pressure being on both of these companies to be more transparent as a result of this.
If Microsoft and Google are really united and seriously hurting, why don't they each individually (not acting as a cartel) kick the NSA out of their data centers? There may be a lawsuit, yes, and there will likely be a hit to their share value, but it's that same old problem of trading short-term safety for long-term freedoms.
It's a good way for them to put the money where the mouth is. Yes, I'm aware of the "requirements" to allow monitoring equipment; I'm specifically calling for the executives of these companies to engage in civil disobedience. Politicians are famously sensitive to anything that actually gets the attention of the _masses_. Like, shutting down Google due to court-ordered monitoring and Google refusing to comply. How long would the NSA endure such a standoff before backing down with some weasel-words about "coming to an agreement"?
Just like the money PRISM brought to enable the monitoring, now they want per-use or even better regular rents from the government to keep the taps open.
The nice little side benefit is the puppet theater for their customers who still labor under the delusion that they have some shred of privacy with either of these for-profit corporations.