- Bill 1: The FISA Improvements Act, from Feinstein and the Senate Intelligence Committee. In short it legalizes most of what the NSA has been doing.
- Bill 2: The USA FREEDOM ACT, from Sensenbrenner and Leahy, currently being considered by the House/Senate Judiciary committees. It amends §215 of FISA to end bulk phone metadata collection and fixes some of the problems with §702 of the FISA Amendments Act (under which PRISM is run). But it doesn't fix §702 fully, does nothing to end BULLRUN (undermining encryption) nor the surveillance that happens outside FISA (MUSCULAR, for example, and god knows what else).
Obviously the Feinstein bill can't be allowed to pass. But some really big names (ACLU, CDT) have thrown strong support behind the Freedom Act. I'm wondering what we as the Taskforce(.is) should do. It's clear to me that it doesn't go nearly far enough. And there's some chance that if it passes, Congress will view this whole thing as "dealt with" and not revisit the issue for years to come. But unfortunately the Freedom Act barely has the votes to get out of the judiciary committee, and getting it to pass through both houses requires a lot of momentum.
We've been working on a campaign asking folks to call and oppose Feinstein, and potentially to support the Freedom Act. But I'm not sure if that's a right move. Unfortunately, the public doesn't understand why privacy is important, and Americans aren't nearly angry enough for Congress to do anything more substantial than the Freedom Act. We might be able to push for amendments, but it's a long shot.
tl;dr - We've got two bills in Congress. One is terrible, one is mediocre. But we don't have the political momentum to do anything better than the mediocre bill. What do we do? Tech advocate conundrum.
Nor should it. Undermining the encryption used by legitimate surveillance targets and intercepting their communications is what the NSA is for. The point of legislative solutions isn't to stop having a signals intelligence agency. It's to limit that agency to spying on people it legitimately believes to be terrorists, agents of hostile foreign powers and the like.
Not that this is a very robust intellectual defense, but the US is far from the only country to do this. Just two days ago the NYT had an article about Brazil spying on Americans within its borders:
If we shut down the NSA tomorrow we would be at an international disadvantage.
Look, my eyes are open. I'm spying on you. Everybody spies!
I doubt the NSA cares about negative publicity. Deep inside the NSA it's business as usual.
Leahy has sat on modest surveillance reform (requiring search warrants for email, cell phone location) for over three and a half years without advancing it to the Senate floor. One proposal he circulated a year ago included an exception allowing dozens of federal agencies to access email without a warrant (http://news.cnet.com/8301-13578_3-57552687-38/). Then, after Snowden's revelations, when the political tide was moving toward significant reform, Leahy's first instinct was to handcuff companies from challenging NSLs (http://news.cnet.com/8301-13578_3-57592778-38/).
I suspect that, after all the likely political compromises and conference committees and markups, any bill principally authored by Leahy will follow the same pattern as CALEA and the Patriot Act. One obvious solution, of course, is to avoid limiting yourself to looking at a pair of existing flawed bills and find a politician willing to back real reform.
Another solution, better for HN, is to work toward technical solutions that will work in the likely event that our esteemed leaders in Washington, D.C. get it wrong once again. Trust math, not laws.
Remember, the NSA is tasked with spying on Russian, Chinese, (and everybody else's) systems, and given that the Russians and Chinese have great mathematical and computing minds, it should be assumed that the NSA is employing equally great minds in the USA in order to penetrate the military (including nuclear and biological weapons systems), government, commercial, and individual systems of these foreign powers.
That the NSA turned the sophisticated looking glass inward to spy on the citizenry, in such an insecure manner, is the problem.
The other problem is that, well, citizens of the United States can be terrorists. If the NSA is tasked with stopping terrorism, then they, of necessity, need to monitor everyone, including US citizens.
So the answer lies in the terrorism part: Everyone went bonkers wondering why the government agencies were not able to stop the Boston bombers, yet when they do try to collect information and analyze it in a manner consistent with stopping this threat, they are then denounced as violators of the Constitution.
I have a sobering proposal: We tell the NSA to not worry about terrorism.
On the other hand, we come to terms with the notion that terrorists do what they do because it does terrorize us, and we make a conscious decision that we are going to not care anymore and accept a certain amount of casualties in exchange for the government not spying on us.
We accept that 30,000 Americans die on our roads each year in car accidents. We accept that another 30,000 Americans die of gun violence every year. Could we not accept that 30,000 Americans die of terrorism related incidents every year?
I lived in France in the 1980's. We had a lot of terrorism. Bombs in malls, bombs in restaurants, bombs in the street in front of synagogues. After a while, callous as this may seem, the French just stopped caring anymore. It had become routine. Then the terrorists stopped. There was no reason for them to keep doing this, because the French would just put it on page 4 of the paper, next to the political scandal section. The police would close the street, clean up, etc.
Yes, these were tragedies for the families, but not more than the tragedies for victims of gun violence, drug overdose, and horrible car accidents that mangled the bodies of children beyond recognition.
Taking away everyone's car is not the solution to car accidents. Taking away everyone's guns, swords, pick-axes, chainsaw, power drill, kitchen knives, and banning boxing, wrestling, and martial arts is not the solution to murder.
Likewise, taking away everyone's freedom is not the solution to terrorism.
Because taking away everyone's freedom's been tried before, and the human spirit of freedom asserts itself, and people die on both sides as they rebel and attempt to overthrow the oppressors.
And that is why the NSA and other agencies that spy on Americans must be muzzled.
Firearms were used in 19,392 suicides in the U.S. in 2010, constituting almost 62% of all gun deaths
Analogy with not using encryption?
Now using encryption or not using encryption does not matter in the context of being monitored by the NSA.
My reference re: not using encryption is that it is akin to suicide.
It may be the reason suicide's illegal.
For example, Mike Hearn says: "Bypassing that system is illegal for a good reason." Illegal under whose law? Obvious things like the Wiretap Act simply don't apply outside the U.S. And this is by design: Congress and the courts are primarily domestic institutions. The executive, by design, has primacy when it comes to activities outside the U.S. Maybe this design made a lot more sense back in the day before the advent of trans-national corporations, but it's the design we have, and we're talking Constitutional-amendment level fixes to change that design.
Internally, you might see fixes without a Constitutional amendment. E.g. the Supreme Court might at some point weaken the third party doctrine, which is what makes a lot of the NSA's data collection not a violation of the 4th amendment. But they won't touch the activities of the NSA internationally.
That's the minimum issue here--Google ships the data of U.S. citizens around the world, and the NSA knows it. They are trying to play a cute game by pretending to assume that if the GCHQ collects the data in the UK, the NSA can safely treat it as foreign data. We need to call them on it.
Your example is a bad one, because in your example the law is broken by conduct in the U.S. In this case, the splicing of the leased lines happened outside of the U.S.
You may have noticed it getting thrown out the window already, what with American citizens in danger of being declared "enemy combatants" and locked away indefinitely without trial, or just droned to death on the spot and all.
Then there's Mr. Snowden, enjoying his Constitutionally protected right to freedom of speech.. in Moscow.
The law has to observe physics. You can get a court order to "compel" someone to float off the ground, but that doesn't mean it's going to happen.
 I think as it is it might be a 4th amendment violation, but it's not contrary to any statute that I'm aware of, at least not any American statute.
I agree with you completely, but when the political will is there, Congress can dive head first into separation of powers fights. Look at the War Powers Resolution. It's almost certainly unconstitutional in a strict sense, or at least extra-constitutional. But the Supreme Court will likely never touch it, and Presidents take its requirements seriously.
One potential avenue for limiting foreign intelligence gathering short of an amendment would be ratifying a treaty to that effect. But that seems as unlikely as any other route, since, as has been pointed out a few times, most Americans care not a lick about foreign SIGINT, and to the extent they do would like it to be as effective as possible.
Congress can very well pass laws that dictate foreign policy: You shall/shall not bug the Germans.
Though it's dubious, Congress can also say "You shall not spend money on fiber taps. You shall have money for satellites."
The bottom line is that the Congress can get into NSA's pants as much as they want to.
They can pass them, but they'd almost certainly be as unconstitutional as a law from 1944 that mandated the invasion of Calais rather than Normandy.
Just to point out, neither of these are actually big names to congress, or more importantly, particularly effective at getting things passed when push comes to shove.
If you want these things passed, never rely on advocacy orgs to do the work of the people.
My take on it is as runs:
Fundamentally, what's needed here is the ability to have confidence that the intelligence system is not overstepping its bounds. The US founders' framework for building that confidence is to have multiple parts of power, whose interest is roughly aligned with countering each other. So in the case of the TLAs:
* The judicial system for warrants needs to be open. No secret courts. Cases' contents might be sealed; the existence of cases should not be. Secret courts are not new, and they have been a bad idea for a long time.
* The policies for data collection need to be managed by Congress; no policy about this should be set by the executive branch. The policies need to be open and debated. Should we take foreign intelligence on our own citizens?
* Comprehensive reports to Congress. I believe Zoe Lofgren cited a report that was under a page about the NSA activity. That's entirely disingenuous and disrespectful of the representatives of the people.
The other thing that needs to be done is in the polls: Legislators that seek to legalize snooping need to be replaced with ones that don't.
And finally, the thought process needs to be that there's a 4th Amendment rights protection movement and organization, which will work over a long timeframe (generations). There's no band-aid act that will fix this once and for all, this entire thing is an upswelling from overprotective and anti-risk mindsets. It comes out of deep into the roots of what's considered acceptable risk. The privacy/4th amendment movement is going to have to plan for advocating higher risks, more freedom, more liberty, combined with more laws about privacy, along with determining how to build change in mindset over time (it's called propaganda or, more politely, marketing). Privacy implications need to be worked out, discussed, brought to light in fiction, philosophy, law, debates, etc. The mindset of fear and "never again" and "risk is unacceptable" has to be broken in order to make mass surveillance a non-starter.
Worse - The reality is that privacy is going to be dead with the Internet of Things coming online. The question is, what is acceptable and legal to monitor and record? For myself, I believe that we need to have stringent personal data laws forcing deletion of consumer data unless required for a service, as well as requiring warrants for any data collection not already given to the government (i.e., IRS filing).
The 2nd Amendment groups are in this for the long run. I don't see how the privacy groups can afford to do otherwise.
edit: I would enjoy discussing this with interested parties, particularly activists and activist-leaning people. My email is in my profile.
N.b., I don't really like to frame it as "attacks on democracy". That is (1) hyperbolic and (2) not obviously true. Words must be chosen very carefully in this debate (and it is a debate!) in order to not mislead or scare people away. I would argue that TLA snooping leads to the "Chilling effects" idea, where debate and discussion are chilled from freedom due to awareness of snooping. Obviously there are follow-on and side effects as well, as well as long-term risk of political persecution. But let's focus on the visible problem today without speculating on the worse potential problems.
Further point with respect to word choice and bringing the mainstream awareness up: tinfoil hatters do not speak for me, and they don't speak for the mainstream. They poison discourse by being radical and not bothering to look at conventional reality. Same for conspiracy theorists. Reasonable and respectable people can move the needle, infowars/alex jones/coast to coast types really are no ally in the effort to make this a real issue.
It seems to me fairly self-evident that actions which chill debate or discussion limit political expression and an informed electorate, thereby fundamentally impinging on democracy. Why then distinguish between 'chilling effects' and an attack on democracy?
Let me frame the thought by giving an example: if I am talking with someone, I might not say a few things because, hey, the TLA might care enough to pull the record and listen in. Or we take care to communicate with GPG or something. It inhibits what we do. We can still vote; our vote actually has meaning; our votes actually change the elected officials, etc. We still can run a socialist candidate (c.f. Kshama Sawant 2013 in Seattle) and they aren't shut down via police action or other hardcore discrimination.
This is in contrast against what it could do: it could be always used to harass and discriminate against those dissenting from the Two Parties and the State. Anyone who said anything would be looked at and actions taken to shut them up and limit the expression and formation of dissent.
While the database of communication could be used against people to significantly disrupt everyone who speaks out, it is not, and in my opinion, it will take a few emergencies like 9/11 to actually alter the mindset of the US to make that acceptable. Of course, people are harassed; some people are okay with that. It doesn't mean there's general acceptance of that, and it doesn't mean everyone is harassed.
Thus I draw the distinction: people self-censoring vs. the heavy hand of an apparatchik forcing change. The first is very immediate and to-hand; it's reality today. The other is possible, possibly even probable given certain courses of events, but fear-mongering is not the best way to go; let's deal with the clear and present threat at hand- chilling of free speech, chilling of dissent, chilling of the business interests of United States citizens, (frankly, these all apply outside the US as well, and hopefully the debate within the US around privacy and data capture also places the operations of TLAs on non-US citizens & non-US soil within the public purview of the United States citizenry via their elected representatives).
Fear does work as a campaign tactic, but the reality is, fear is not something people want to work for. People are willing to work for hope (didn't we all see that in 2008?), and I really would prefer the pro-privacy, pro-4th amendment activists focus on the positives and hope of what we can do rather than performing the traditional stick of the Republicans & Democrats (vote the other way and the free world and the US will END!!!11!oneoneone). It is in hope of not being tracked against my will, not being monitored in every phone conversation, not being advertised at without my consent that I advocate for these changes to come to pass. It is in hope that I can say thoughts and perform actions online and offline and feel the liberty of not having peeping government Toms and raucous advertisers know anything about me.
So there's my distinction and my spiel. :-)
See, my theory, call me a tinfoil hatter if you will, is that we are on the brink of losing our votes. 1) Collect extensive data on any and all citizens. Any especially politically active citizens will receive extra scrutiny. Ones that are further up in local, state and federal politics will receive even more. This information will be used secretly to ensure that, besides a few outliers who are either allowed to be subversive for the sake of maintaining a smokescreen, all politicians can be controlled. Russell Tice, a prominent NSA whistleblower, has alluded to exactly this process occurring under the NSA of today, as it did under J Edgar. He ominously refers to a young man who now resides in a nice white house as one of these who received extra attention. (To me, that explains a whole great deal. And think about it - one of my google searches released to the press would destroy any political career I had, and would be quite enough to turn me into someone's puppet, or force me out of politics altogether.)
2) With the political market cornered, to an extent, step two begins. Militarise the police. Use infiltration and subversion to delegitimise, split and turn public opinion against activists, whilst also using techniques to track and monitor the most influential ones. Again, there is evidence that the NYPD and other departments have undertaken actions like this. There is a wealth of technology to aid them - tracing FB profiles, using false cell towers, facial recognition tech combined with surveillance cameras, etc. This will have a chilling effect, as mentioned above - activist movements are accused of vandalism, of violence, suspect motives, etc, and are also brutally put down. Public sympathy fades, and the support for and involvement in protesting and other forms of activism begin to wither.
Congratulations, you have the makings of a great authoritarian state!
Note that nothing I referred to above is beyond the realms of possibility - in fact, please point to anything I said and I will try to dig up some solid evidence for it.
Quite simply, we are going past the point of no return. It will become progressively more difficult to have an impact on the political apparatus. At some point, it will come down to one thing: a fight. A very bloody fight. It happens every few centuries when an existing political and social order becomes stagnant, and the citizenry are pushed out of fear, hunger or anger to act. When we the people have nothing to lose, that is when things will change. It may not happen tomorrow, or next year, or next decade, maybe not even this century, but it will happen.
EVERYONE has dirt on them that they wouldn't want a hypocritically moralistic press to publish to the world with the worst possible spin on.
Either Presidents get access to some scary ass shit that makes them all immediately move hard to the right when they get in office or someone shows them their phone calls to their dealer in 1986 or the abortion clinic in 1997 or an email to an illicit lover or a gay experience at college or or or.
Occam's razor would suggest that with the overwhelming superiority of the USA militarily and economically that there isn't some massive scary vulnerability that requires the maintenance and expansion of the security state therefore the second posit is more likely. Dirt. Lots of it. J Edgar Hoover with access to all of your innermost thoughts. That's what a google search is after all.
How many times have you heard something or read something and done a quick google, something that out of context would be dreadful? I for example ended up following some links from Reddit and ended up on a white nationalist site (the post was taking the piss out of their idiocy), I immediately clicked away from it thinking 'fuck, if the govt were to see that' (I am on a work visa here and have essentially no 4th amendment rights when seeking entry), pretty chilling already.
Now imagine being a politician. 'Candidate goes on Stormfront!' But I was just curious, following an internet thread...yeah right. Racist.
Remember, a great number of people have to be on board with restricting the TLAs in order for effective change to happen at the national level. While YOU might not want monitoring of influential activists, others might (and probably do). So your possible future might be a wanted one for segments of the population. Confine yourselves to facts and positives and you have a stronger base to work with rather than pushing fear (no one wants fear, everyone wants hope).
Understand that I'm not denying your hypothetical future. I'm simply convinced that a narrative not focused on "what-ifs" and fear will be more successful at winning support.
I would argue that imagining what-if scenarios and disseminating that fear are the only way to prevent us from crossing the threshold where there's no turning back. Waiting for direct evidence of a police state is a losing battle. Just take a look at what a decade of the All-Seeing-NSA-deniers have brought us? Relying on the next Snowden to bring us hard evidence about intelligence activities is a losing proposition.
You didn't see any direct evidence of massive surveillance either. Yet it is quite clear it exists. All that means is you are willing to wear blindfolds. By not preparing yourself for the worst, you simply let it happen.
Bullshit! This is the exact thing we have been demanding proof of. There is none.
Not a single event has been proven to be thwarted by these activities.
Boston? Sandy Hook? Aurora? LAX? Mall?
All actual attacks, hell, they took days to ID Boston guys and even then couldn't do a decent job in tracking and locating them after they found them out!
The NSA is a criminal organization. Period. There is no grey or legal area here. They need to be shut down.
It's almost certain that the TLAs generally try to keep within the law as they see it, and push the boundaries as far as they can - this is the trend of the executive branch. I would expect them to have batteries of lawyers hired to find out exactly what is permissible, and then to do all of it.
It's also entirely disingenuous to say that the TLAs have no purpose. To riff off of @leashless from Twitter - they are a reaction - an immune response - to some entities which do and did some very bad things covertly, and are now being an autoimmune disease on the host state. The truth is, 9/11 gave a rather large blank check to the industrial/security/intelligence companies and agencies in the US, and most people were not in the mood to worry about civil liberties too much at the time. "Never again" was the refrain, and that sort of perspective removes all ability to do a cost-benefit analysis. So they expanded with that attitude and that check... then, like bureaucracies do, they entrenched and began to expand power and capabilities. This is not new behavior in any bureaucracy. This sort of eventuality was, as I recall, predicted quite loudly after the Patriot Act was passed.
The response is utterly disproportionate to the risk.
Which is where this whole conversation goes to hell - the trailed off sentences where people assume they actually have a clue what dangers they're talking about.
Because if your problem is "oh, someone might find out about someone's mistress and tell the media..." well - the problem begins and ends with the fact that their voters turn out not to be ok with that. But they're still voters whose votes matter.
Easy. You use government power on them. You "coincidentally" hit them with an IRS audit, one that's incredibly hostile and refuses to resolve itself. You hit their business with every inspection possible, held to the most stringent of standards. Even if, and perhaps especially if, they don't own it, and you find a way to sufficiently hint to the business why exactly they're having these troubles. You have a cop follow them and nail them with every petty infraction in the book. Any government program they may be on, you inspect their compliance to the n-th degree. Layer heavy bureaucratic red tape on at every opportunity. Find ways to make them need a lawyer. Find a petty excuse to claim you suspect them of drug trafficking and inspect everything they own, which basically allows you to take everything they own, and effectively destroy or hold on to everything for years.
And that's if you have a goal of staying plausibly legal. If the mask is off for some reason, there's even more you can do. And these are just examples; if one truly took a survey of what the government could do to you without even stretching the law, I think we could produce a very thick and scary book.
Unfortunately, I don't think the capabilities of the NSA are bounded by your imagination.
You then postulate the US government just ignoring the law altogether.
You see the pattern right? All these are things where the US government does some questionably legal, pretty highly visible stuff to you. It's not unintrusive electronic surveillance.
Or to put it another way: the Soviet government didn't start out surveilling their citizens before they just murdered all the ones who were considered dissidents. They started doing it after they needed to get better at murdering the dissidents. But the real problem, was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?
No, he just mentioned things that could be currently done. However, only on a small scale. To truly disrupt anyone's life like that, and to do that for thousands or millions of suspects or dissidents or what have you, you would need an equal amount of auditors, cops, and so forth.
Now, if you were to automate that schema, you would have yourself a system capable of much more. And by doing it illegally to the extent that even elected representatives are not allowed to have oversight, you could achieve a very great deal.
> was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?
1) The signs are that we are eroding the legal safeguards that at least made it very difficult and very risky to do this. Now, however, dissidents (call them traitors if you will, that is your opinion) can be whisked to secure holding facilities the world over and subjected to torture, and it is technically legal. US citizens can be assassinated legally. And now we hear that we have been watched for decades, illegally. Clapper commits perjury, but walks free. Torturers are given clemency, but Snowden is wanted for espionage. All of this tells me that currently, our freedom is a facade, and soon even that will be able to be dispensed with.
2) You could subscribe to the view that we don't need to be murdered or disappeared, just convinced that keeping our mouths shut and our eyes on the TV are the safest option. Pepperspraying OWS protesters, militarising the police - I can see why political engagement is dropping, and I'm sure you know who benefits from that. Hint: not us.
"Has the US government killed a bunch of your neighbors? Disappeared them?"
No, not yet. However, I believe there's a "there" there with the IRS scandals, which is definitely headed in that direction very, very strongly. Which is to say, it's riding your line, it crosses a lot of other more realistic lines already.
Your faith in human nature is disarmingly naive. Remember Hitler has been elected. What keeps a democracy alive is not the people at its head or the people that elect their rulers but the structural foundations and laws. You can't trust men. Most of these foundations and laws have already been circumvented by the NSA with the benediction of the US government. That the government seems "nice" to you doesn't matter. As soon as the rulers can disregard laws, they will.
OTOH, systems with greater proportionality in representation also tend to have higher public opinion of how well the local government works, which is probably not coincidental; for a good general survey, see Lijphart's Patterns of Democracy.
Maybe they tend to, but when they drew that graph, Italy is definitely an outlier. People are not at all fond of how the government works, putting it mildly!
Very proportional systems have large problems of their own too, including all the "horse trading" that goes on to form a coalition. This can and does involve a party that got, say 10%, driving a very hard bargain with the party that got 45%, giving far more relative weight to the people who voted for the 10% party.
You're right that the media is not The Problem, no argument there.
Granting that, why bring Italy up then?
> Very proportional systems have large problems of their own too, including all the "horse trading" that goes on to form a coalition.
Horse trading goes on to form a winning coalition in two-party systems, too (the major parties in electoral systems that create a two-competitive-party dynamic are, invariably, coalition parties); the difference is that, in such systems, the disproportionate power of the needed-to-win segment is less than in two-party systems, because it's much easier -- because the factions are formal parties that you can negotiate with -- to swap coalition partners and form a new majority coalition if a minor partner wants too much.
(That's also, really -- outside of systems like the US where you've got an FPTP electoral system forcing pre-election coalition building -- a bigger issue in unitary parliamentary systems vs. separation of powers systems -- because having a majority coalition in parliament is a more significant issue in unitary systems whereas in separation of powers systems, ad hoc coalitions on particular issues can function in the legislature without requiring a stable "ruling" coalition in the legislature. So, if you are looking at an FPTP separation of powers system like the US, it's a problem that moving to a proportionally-elected but still separation of powers system alleviates rather than making worse.)
Because I live here and it's a very good example of proportional systems not being strictly better than what we have in the US.
> swap coalition partners and form a new majority coalition if a minor partner wants too much.
Easier said than done in many cases.
Today there are so many people who have this weird belief that somehow the lack of change due to their extreme apathy is a justification for that apathy. It's not. If more people spent the time to educate themselves deeply on issues and candidates. If more people spent the effort to have legitimately worthwhile political discussions instead of merely agreeing with those who already agree with them and shouting down those who don't. If more people decided to take the risk and enter politics. Things would be a whole lot different.
Today the biggest problem isn't entrenched power structures, or gobs of money in political campaigns, or the lack of good candidates. All of those are symptoms. The biggest problem is that the primary ways that people learn about and discuss political issues are horribly broken. Most major news media outlets are horrid, only a few steps away from outright tabloid journalism. People decry fox news all the time but CNN and even the New York Times are, on the whole, little better, just different flavored output from fundamentally the same machinery. And people don't tend to realize this because every once in a while there will be something of legitimate quality that leaks through, and that event will serve as a rationalization for continuing to feed from those sources of information. These are precisely the same processes that keep people attached to religious institutions as well.
Ask yourself, how much effort do you, personally, put into researching political issues and candidates? What about your friends? Do you hold them to account for being low information voters? Do you ever have serious, non-shouting, political discussions with people who have different views than your own?
Of course new movements are under resourced. If it was easy to make that kind of change, it would already be done!
Example: I used to work for BigCorp. BigCorp had a PAC to which they would gently encourage employees to contribute. They ran an annual contribution campaign, sent emails, made phone calls, etc. It was not mandatory, just encouraged. Many employees did so. The PAC in turn contributed to any politician who supported BigCorp.
So the net result is a bunch of people who ended up contributing to politicians who they otherwise may not have supported, and they did so out of a vague fear that doing so was important for their jobs. There was strong social pressure at work in this situation. I.e., left to themselves, these people would not have given a dime to these politicians.
The PAC in turn, spoke on behalf of these people, but only about issues that BigCorp cared about, not the issues the original donors cared about.
And that's why them is not us.
Lobbyists are unregulated employees or contractors, whose budget is only limited by the largesse of the sponsor. Its goal is to affect legislation and regulation through swaying the votes and actions of elected officials, political appointees and to a lesser extent career bureaucrats. In this regard they are limited by anti-corruption and bribery laws.
Campaign finance is a highly regulated system through which politicians amass money to fund campaigns to sway the votes of the public. PACs and other organizations channel money to candidates whom they believe will be sympathetic to their causes.
Regardless, forget about the PAC money and the campaign finance. I assume BigCorp has lobbyists, and those lobbyists look out for BigCorp's interests. As an employee of BigCorp, you are a beneficiary of those lobbyists.
As to your last statement, largely it is the shareholders and executives who are the beneficiaries of the lobbying they do. You can argue that the employees are beneficiaries in the sense that they have a job, but that misses the point: the benefits of lobbying fall asymmetrically. Again, it's a leverage thing. They leverage the desire of the little guy to have a job and raise his family and in turn reap huge rewards for the shareholders. So although you can say everyone benefits and gets what they want, the result is really a distortion of power and influence.
The Chinese wouldn't do that to me. They don't have a dog in this fight.
Also, the US has proven experience in smearing political characters. Heck, even John fucking Lennon had an FBI file full of personal information.
Airbus might disagree with you there, I can't see the NSA ratting Boeing out for supplying bribes.
You can't packet-trace a cloned switch port you don't know about.
Nobody is more distrusting of each other than two communist countries.
I'm sure lots of botnets use China servers as well.
Of course the Chinese gov is able to do so without any repercussions. The difference should be that in a democracy you can't abuse your power without repercussions.
Do you see the irony? Western governments are abusing their powers... and they are getting away with it. Democracy means nothing if the government doesn't hold itself accountable.
Relying on the government to hold itself accountable makes democracy no different from monarchy.
I'm not saying the US doesn't do that, but the evidence is not as clear.
Further, the break-in to Greenwald's residence and theft of his machine.
As well as the visit to the Guardian and destruction of machines....
The evidence is crystal.
And given how the UK government loves nothing more than to be the lapdog of the US, I have no doubts it was done entirely voluntarily.
Eagerly even, as an opportunity to show off just how extra exceedingly loyal minions they are.
Frankly, I have little doubt that the UK government participates so eagerly that just occasionally some of their US counterparts must be a little bit embarrassed on their behalf over seeing their total lack of self respect in trying to impress.
Which you know - is still illegal to have. Though it's funny how the Guardian thoroughly underreported that fact.
It is, however illegal for someone with a clearance to mishandle classified material. "Mishandling" includes "Permitting access to classified material to non-cleared personnel.". If you mishandle classified material you may be reprimanded, have your clearance revoked, be fined, or go to jail for a very long time.
In the case of the Chinese hackers, they were spying on reporters to discover their sources.
What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.
AFAIK we don't have evidence of similar US spying for the purpose of blackmail, harassment, etc. because my concern is whether the NSA might use its sources for those ends.
Miranda's detainment, confiscation of the memory sticks etc was to be expected - as far as the UK Government is concerned he's carrying stolen state secrets.
What I don't really understand is why he flew through London carrying them, I believe Madrid has more routes to South America - I wonder if he was routed so he would be picked up for massive publicity.
Huh? There's nothing in the Post's information that would preclude both from having happened, so it would be a stretch to call it a lie even from that article. But in fact, the original blog post talks about multiple goals of the main attack, including listing the targeted attack that the GP is probably referencing as independent from the attack that "resulted in the theft of intellectual property from Google". I think it's you that's confusing incidents.
> Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.
edit: ah, and the GP wasn't even talking about the gmail accounts.
Also, what kind of spy uses gmail? Sheesh.
The kind that is trying to maintain cover as a non-spy so uses the same email services as everybody else.
Of course, that means the joke's on them, because the NSA was listening to everyone...
On the other hand if you want to read people's mail, then hacking into the provider is certainly an option.
On the other hand, we don't really know what the Chinese knew, or thought they knew, about Google and how it functioned WRT government surveillance. If they had reason to believe that Google would be cooperating with authorities and would have infrastructure in place to monitor email accounts that they could look for and identify if it was monitoring the accounts they were looking for, then this explanation makes a bit more sense.
I think US journalism is causing us to misprioritize. Everyone is talking about the NSA so everyone assumes it's the biggest problem.
At a minimum the U.S. and UK spying needs to be balanced against the fact that U.S. and UK citizens invented the core technologies of the Internet, and gave them to the world for free.
Our biggest trading partner is China, and we have a free-trade agreement with the US.
Who exactly is our ally again?
Sent aircraft carriers, ships and soldiers to help depose a democratically elected president, just because he wanted closer ties with China and wanted to do agrarian reform.
Disappeared lots of people (I don't know any personally, because I am too young, but I DO know personally lots of people that still want disappeared people back)
Spied on us (erm, that part still applies, no?).
Sabotaged our agriculture (ie: some plagues started after US agrarian engineers visited us to "help" with our agricultural technology).
Supported and funded very repressive crazy dictators that killed boatloads of people.
What the USSR did for us during the cold war: Gave us some really cool technical books in Spanish (yes, our language is Portuguese, but Spanish is good enough), I still have a bunch of them, they are really good, somewhere around my house there are calculus books, structural engineering, and lots of other cool stuff, Russian books but written in Spanish, targeted at Latin America.
USSR lent us some scientists (Russia and Ukraine still do, by the way).
Helped our exiles, not only left wing ones, but right wing ones too.
Sold us some very interesting stuff, even if shitty sometimes (example: during the cold war Lada cars were very popular here).
Computers! (for example when some companies here tried to develop a computer compatible with the Macintosh, US government helped Apple in forcing them to stop, while Russians lent us some engineers and books)
Now, who were our real enemies in cold war again?
It is just that this is what happened to us in Brazil, and USA never gave any clear indication that it wants to improve its behaviour.
So, why should we trust it now, if we could never trust it in the first place?
Stopped us getting nuked or invaded by the USSR
The fact is reality is much more complex than your simple statement which is further skewed by Hollywood.
Stalin was a mad man on a par with Hitler, but even under later leaders it was still a repressive regime with Gulags.
When you say that you doubt it, is that code for having no idea of the impact of Soviet funding in South America, but not being willing to say that you don't know? Or is it just that you know that everything bad that the US did was to counter something even worse that the evil USSR was doing?
However, Cuba is a repressive dictatorship which was funded by the USSR for many years.
It hurts a lot more because you are meant to look out for each other, not distrust and stab each other's back.
But who is to speak for tomorrow? None of us can tell what the future brings. Not me and not you. So who is to say that in ten years, when that data is still there, that the US is still worthy of your trust?
It is the future we should distrust, even if you trust the past, and the present.
P.S. I am sure I will get smashed in the comments, so let me say right away that NSA actions should be controlled and audited by the public (e.g. through our representatives in Congress). I think that the biggest "evil" here is the members of Congress who either approved NSA actions or failed to do their job and monitor/audit NSA properly. In particular, I would point my finger at Sen. Dianne Feinstein [D-CA] who should have been ousted from the office a long time ago.
The assumption isn't bad - it's a private network line, not a public internet connection. Nobody else had access to that line, at least they weren't supposed to. Splicing a fiber line is a bit outside the scope of your random attacker. You can't blame Google for not anticipating a hostile break-in by the government. The discussion should absolutely, 100% be directed at the NSA here. To accept that a private network connection is open season for the government to tap is batshit insane.
> Moreover, it is not clear if other governments or criminals also had access to the users' data (e.g. in Google's data centers located outside of the US). So far Google did not produce any public post-mortem thus we have no clue how bad was the problem.
How is Google supposed to tell you if they themselves didn't know?
Although from the leaks it sounds like everyone is fucked thanks to the GCHQ and the NSA getting friendly with each other.
If indeed Google does not know then it's just another sign of security failures at the company. Nobody is perfect and security incidents do happen. Good security will have in-depth defense and built-in monitoring/audit measures that would at the very least allow you to determine what has happened post-factum.
Do you have your own data center building? And if you don't have your own data center buildings, how are you guarding against physical attacks? Because just saying "encryption" doesn't actually mean anything. Encryption isn't free, and at Google scale that can add up. Useless encryption is just wasted power.
> For example, I don't want our system administrators to have an easy way to look at the traffic: yes, it is still possible to do but it is harder and requires some very unusual actions that will trigger alerts everywhere.
That can be accomplished in many ways that don't involve encryption. And your servers are all capable of decrypting the data at some point, so you still have to trust your sys admins and/or have alternative systems in place as they still have access to the unencrypted data.
> Good security will have in-depth defense and built-in monitoring/audit measures that would at the very least allow you to determine what has happened post-factum.
How, exactly, do you detect cable splicing? Much less audit said splicing? You seem to be asking for a hell of a lot more than "good security"
Some types of encryption are pretty cheap actually. I used to use special SSL cards in the servers 10-15 years ago but today my laptop would outperform these cards and wouldn't even get hot :) Plus you need to remember that relatively expensive public key encryption needs to be done only for key exchange. After that you run block or stream cyphers and those algorithms tend to be really fast.
So far I haven't seen any evidence that there was cable splicing. Thus using Occam's razor I would assume that the hack was much simpler than that. To detect the issue, I would start from reviewing the visitors log to the data center (assuming there is a visitor log).
I'll re-iterate that security should be built on the defense-in-depth principle. Every single protection layer will fail or someone will go around it. The assumption that a data center is "safe" is a bad assumption, period. You have to play the "what-if" game and think for the attacker.
What? The evidence totally points to cable splicing. What hack involves getting all the inter-DC packets but nothing else? Obviously the machines weren't compromised, or they wouldn't have cared about reverse-engineering the wire protocol. So what are you proposing was hacked?
> I'll re-iterate that security should be built on the defense-in-depth principle. Every single protection layer will fail or someone will go around it. The assumption that a data center is "safe" is a bad assumption, period. You have to play the "what-if" game and think for the attacker.
And I'll re-iterate that you're asking for a goddamn magical pony.
Side note, if your data center isn't safe go get a new one. Seriously. Most DCs have tons of security to make them safe. That's not an assumption.
I don't think there is any evidence at all. As far as I know, the only known thing is that NSA was able to obtain the un-encrypted google traffic. For example, it could have been a backdoor in the router, one extra cable in the switch, or a few other similar low-tech options.
> Most DCs have tons of security to make them safe.
Don't disagree. But this doesn't make them invincible from other attack vectors (e.g. rogue employees). I actually heard the same argument from quite a few people during interviews and I usually don't hire them because you have to be paranoid to get security right :)
And "discussed" is not accurate. It was proposed by a few but rejected by most as paranoid.
So when someone says: "You're just being paranoid", my reply will be: "Better paranoid than wrong."
You don't use telnet when you access your home server(s) from your laptop ... that's basically what they were doing.
They skipped over a zero-cost, obvious best practice, and I think we should be suspicious. Either they've run that part of their network in a stunningly negligent fashion ... or this was the ingress they gave to the NSA which could be plausibly denied later.
This was a point-to-point cable. The only access possible was physical, by digging it up and splicing it.
Obviously that attack was possible, but arguing that this is somehow "the same kind of attack" as running tcpdump on a router to sniff packets is just insane, sorry.
"The" government? The lines were also being tapped by organized crime, China, France, etc. Google severely failed at data protection.
Basically, I think Google's decision not to encrypt the traffic is gross negligence and I would love to see how someone would sue Google for it.
Wow. Just wow.
If the courts get involved it should 100% be at the hacking perpetrator, not to the victim.
(And this is why some of us were concerned about CISPA, which uses the identical language. Note CISPA's proponents have quietly faded into the woodwork post-Snowden revelations.)
1. Data at rest (Adobe) vs data in travel (Google).
2. Software Hack vs Hardware hack
The Adobe data was sitting on a server in a datacenter, it was accessible from the internet on some level. The Google data was taken, apparently, from a dedicated, google owned, unshared link (quite likely a fibre-optic tap)
The methodologies, skill levels and required hardware for penetrating the above two types of setup are wildly different.
I blame Adobe for getting a server hacked, it happens a lot and they ignored a lot of the body of knowledge built up over the years. I do not blame Google for getting their inter-datacentre links physically compromised by a security agency of the US government.
Nor do I blame them for (incorrectly, as it turns out) deeming that an unlikely scenario and therefore giving it low priority.
I would blame them for not doing anything about it now that they know it is happening but that does not seem to be the case.
(I fully expect companies to encrypt data between datacentres if they are not on dedicated unshared links)
Indeed they do! From personal experience, Cisco was hawking its TrustSec inter-DC encryption solution five or six years ago, even over dark fibre.
There are numerous network devices that can handle AES-256 on 10 Gbps links, as a matter of routine, whilst doing 'mundane' switching for the day job.
If you have the money there is dedicated hardware that can handle the same at 100 Gbps. IP Cores is one from memory that produces the circuitry for that. They can throw compression in there as well if you like.
Encrypting data links isn't magic. Google just didn't do it.
You don't need appliances here as they can't handle the load; build the encryption into your application.
"Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program,"
* Database: SSL connections for MySQL
* Memcached, Gearmand, and other tools that don't have built-in SSL support: simple home grown message level encryption (AES256)
And of course, there are VPN tunnels between data centers in addition to the above.
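As an added illustration of the message-level encryption for Memcached-style stores mentioned in the comment above (not the commenter's code, whose scheme is not shown on the page): a Go example using only the standard library. The choice of AES-256-GCM, the `Seal`/`Open` names, binding the cache key as associated data, and the sample key and values are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key. GCM is an assumption of
// this example; the thread only says "AES256".
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a value before it goes to a cache with no TLS support.
// Output layout: nonce || ciphertext || tag. The cache key is authenticated
// as associated data, so a blob moved under another key will not open.
func Seal(key []byte, cacheKey string, value []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, value, []byte(cacheKey)), nil
}

// Open verifies and decrypts a blob read back from the cache. Any change to
// the blob, or a mismatch in cacheKey, returns an error instead of data.
func Open(key []byte, cacheKey string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(cacheKey))
}

func main() {
	// Constructed demo key; a real key would come from a key-management system.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := Seal(key, "session:1001", []byte("user=alice"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, "session:1001", sealed)
	fmt.Printf("round trip: %q err=%v\n", pt, err)

	_, err = Open(key, "session:1002", sealed)
	fmt.Println("wrong cache key:", err)

	sealed[len(sealed)-1] ^= 0x01 // simulate modification on the wire
	_, err = Open(key, "session:1001", sealed)
	fmt.Println("tampered blob:", err)
}
```

This covers confidentiality and integrity of individual values only; how the shared key is distributed and rotated, which the replies ask about, is outside it.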
> And of course, there are VPN tunnels between data centers in addition to the above.
Could you please be more specific on the VPN solution that you are using? How do you manage the shared keys? How do you make sure "system administrators can't easily read the traffic"?
Which could be done legally via 'Cisco Service Independent Intercept (SII)' built into IOS to comply with CALEA (Communications Assistance for Law Enforcement Act). And not so legally via user-escalation exploits within the same service.
Anyway, props for making the effort. I too am interested in your key exchange methods.
Phone is I think an obvious (and now clearly wrong) choice, although maybe always suspect if you are concerned with dark fibre. The endpoint security of a device generating and transmitting the key now also being a risk. How far up the chain do you worry?
An airgapped device to generate the key and a single person travelling between datacentres seems the secure (although costly) solution. Obviously if TSA/customs remove device from them for inspection or connect it to anything it needs to be thrown away (or moved to insecure duties) and the setup process restarted.
Google has the best OpSec team I've ever known, it is my hope that they close this 'loophole' as completely as possible.
Even if this is a leased private line, non-Internet routed, whatever, it is trivially easy to encrypt the communications and is absolutely a best practice. I see this as great big egg on their face.
In fact, it's such a cock-up that one wonders if this is the plausibly deniable ingress that they agreed to provide for the NSA, et al.
This is akin to using telnet to access your home server because you're "on your own network". Nobody does that and I can't believe they would have either.
I can forgive someone for thinking that if they dug trenches in the street, bought some fiber, and ran it between a couple of buildings, in a country where the rule of law was in effect, they might consider it a reasonable assumption that the fiber is lying in the street unmolested. Even if the distance is such that they can't see the entire length of the ground above the conduit.
Prior to Snowden's disclosures, it was the common belief amongst the security community that in 'safe' countries, the government in power would not subvert your infrastructure through physical access. They might do some network tricks, but not tap your fiber. In 'bad' countries countermeasures were taken. And the network setup in say Russia or China was different than it was in the US and the UK. That your own government would illegally subvert your infrastructure through the use of a technicality was not considered a "likely" threat. Given that now it has been exploited, it is rewriting a bunch of assumptions. I am not surprised in the least that they are now deploying the same hardening they use in hostile environments world wide.
The NSA cannot legally tap into communications infrastructure in the US (that is the FBI's job) and when the FBI does it they need a warrant. By doing this in the UK they sidestepped those constraints.
In classic vulnerability analysis you deploy your resources against both the probability and damage potential of a given threat. So for example datacenters are vulnerable to being bombed by aircraft, the probability of that is low enough that you don't defend against it, bombed by cars you put a security perimeter around the building.
The only people who think this is "trivially easy" are people who don't have to do it.
The fact that routing hardware exists means you can pretty easily tap it.