- Bill 1: The FISA Improvements Act, from Feinstein and the Senate Intelligence Committee. In short it legalizes most of what the NSA has been doing.
- Bill 2: The USA FREEDOM ACT, from Sensenbrenner and Leahy, currently being considered by the House/Senate Judiciary committees. It amends §215 of FISA to end bulk phone metadata collection and fixes some of the problems with §702 of the FISA Amendments Act (under which PRISM is run). But it doesn't fix §702 fully, does nothing to end BULLRUN (undermining encryption) nor the surveillance that happens outside FISA (MUSCULAR, for example, and god knows what else).
Obviously the Feinstein bill can't be allowed to pass. But some really big names (ACLU, CDT) have thrown strong support behind the Freedom Act. I'm wondering what we as the Taskforce(.is) should do. It's clear to me that it doesn't go nearly far enough. And there's some chance that if it passes, Congress will view this whole thing as "dealt with" and not revisit the issue for years to come. But unfortunately the Freedom Act barely has the votes to get out of the judiciary committee, and getting it to pass through both houses requires a lot of momentum.
We've been working on a campaign asking folks to call and oppose Feinstein, and potentially to support the Freedom Act. But I'm not sure if that's a right move. Unfortunately, the public doesn't understand why privacy is important, and Americans aren't nearly angry enough for Congress to do anything more substantial than the Freedom Act. We might be able to push for amendments, but it's a long shot.
tl;dr - We've got two bills in Congress. One is terrible, one is mediocre. But we don't have the political momentum to do anything better than the mediocre bill. What do we do? Tech advocate conundrum.
Nor should it. Undermining the encryption used by legitimate surveillance targets and intercepting their communications is what the NSA is for. The point of legislative solutions isn't to stop having a signals intelligence agency. It's to limit that agency to spying on people it legitimately believes to be terrorists, agents of hostile foreign powers and the like.
Not that this is a very robust intellectual defense, but the US is far from the only country to do this. Just two days ago the NYT had an article about Brazil spying on Americans within its borders:
If we shut down the NSA tomorrow we would be at an international disadvantage.
Look, my eyes are open. I'm spying on you. Everybody spies!
I doubt the NSA cares about negative publicity. Deep inside the NSA it's business as usual.
Leahy has sat on modest surveillance reform (requiring search warrants for email, cell phone location) for over three and a half years without advancing it to the Senate floor. One proposal he circulated a year ago included an exception allowing dozens of federal agencies to access email without a warrant (http://news.cnet.com/8301-13578_3-57552687-38/). Then, after Snowden's revelations, when the political tide was moving toward significant reform, Leahy's first instinct was to handcuff companies from challenging NSLs (http://news.cnet.com/8301-13578_3-57592778-38/).
I suspect that, after all the likely political compromises and conference committees and markups, any bill principally authored by Leahy will follow the same pattern as CALEA and the Patriot Act. One obvious solution, of course, is to avoid limiting yourself to looking at a pair of existing flawed bills and find a politician willing to back real reform.
Another solution, better for HN, is to work toward technical solutions that will work in the likely event that our esteemed leaders in Washington, D.C. get it wrong once again. Trust math, not laws.
Remember, the NSA is tasked with spying on Russian, Chinese, (and everybody else's) systems, and given that the Russians and Chinese have great mathematical and computing minds, it should be assumed that the NSA is employing equally great minds in the USA in order to penetrate the military (including nuclear and biological weapons systems), government, commercial, and individual systems of these foreign powers.
That the NSA turned the sophisticated looking glass inward to spy on the citizenry, in such an insecure manner, is the problem.
The other problem is that, well, citizens of the United States can be terrorists. If the NSA is tasked with stopping terrorism, then they, of necessity, need to monitor everyone, including US citizens.
So the answer lies in the terrorism part: Everyone went bonkers wondering why the government agencies were not able to stop the Boston bombers, yet when they do try to collect information and analyze it in a manner consistent with stopping this threat, they are then denounced as violators of the Constitution.
I have a sobering proposal: We tell the NSA to not worry about terrorism.
On the other hand, we come to terms with the notion that terrorists do what they do because it does terrorize us, and we make a conscious decision that we are going to not care anymore and accept a certain amount of casualties in exchange for the government not spying on us.
We accept that 30,000 Americans die on our roads each year in car accidents. We accept that another 30,000 Americans die of gun violence every year. Could we not accept that 30,000 Americans die of terrorism related incidents every year?
I lived in France in the 1980's. We had a lot of terrorism. Bombs in malls, bombs in restaurants, bombs in the street in front of synagogues. After a while, callous as this may seem, the French just stopped caring anymore. It had become routine. Then the terrorists stopped. There was no reason for them to keep doing this, because the French would just put it on page 4 of the paper, next to the political scandal section. The police would close the street, clean up, etc.
Yes, these were tragedies for the families, but not more than the tragedies for victims of gun violence, drug overdose, and horrible car accidents that mangled the bodies of children beyond recognition.
Taking away everyone's car is not the solution to car accidents. Taking away everyone's guns, swords, pick-axes, chainsaw, power drill, kitchen knives, and banning boxing, wrestling, and martial arts is not the solution to murder.
Likewise, taking away everyone's freedom is not the solution to terrorism.
Because taking away everyone's freedom's been tried before, and the human spirit of freedom asserts itself, and people die on both sides as they rebel and attempt to overthrow the oppressors.
And that is why the NSA and other agencies that spy on Americans must be muzzled.
Firearms were used in 19,392 suicides in the U.S. in 2010, constituting almost 62% of all gun deaths
Analogy with not using encryption?
Now using encryption or not using encryption does not matter in the context of being monitored by the NSA.
My reference re: not using encryption is that it is akin to suicide.
It may be the reason suicide's illegal.
For example, Mike Hearn says: "Bypassing that system is illegal for a good reason." Illegal under whose law? Obvious things like the Wiretap Act simply don't apply outside the U.S. And this is by design: Congress and the courts are primarily domestic institutions. The executive, by design, has primacy when it comes to activities outside the U.S. Maybe this design made a lot more sense back in the day before the advent of trans-national corporations, but it's the design we have, and we're talking Constitutional-amendment level fixes to change that design.
Internally, you might see fixes without a Constitutional amendment. E.g. the Supreme Court might at some point weaken the third party doctrine, which is what makes a lot of the NSA's data collection not a violation of the 4th amendment. But they won't touch the activities of the NSA internationally.
That's the minimum issue here--Google ships the data of U.S. citizens around the world, and the NSA knows it. They are trying to play a cute game by pretending to assume that if the GCHQ collects the data in the UK, the NSA can safely treat it as foreign data. We need to call them on it.
Your example is a bad one, because in your example the law is broken by conduct in the U.S. In this case, the splicing of the leased lines happened outside of the U.S.
You may have noticed it getting thrown out the window already, what with American citizens in danger of being declared "enemy combatants" and locked away indefinitely without trial, or just droned to death on the spot and all.
Then there's Mr. Snowden, enjoying his Constitutionally protected right to freedom of speech.. in Moscow.
The law has to observe physics. You can get a court order to "compel" someone to float off the ground, but that doesn't mean it's going to happen.
I think as it is it might be a 4th amendment violation, but it's not contrary to any statute that I'm aware of, at least not any American statute.
I agree with you completely, but when the political will is there, Congress can dive head first into separation of powers fights. Look at the War Powers Resolution. It's almost certainly unconstitutional in a strict sense, or at least extra-constitutional. But the Supreme Court will likely never touch it, and Presidents take its requirements seriously.
One potential avenue for limiting foreign intelligence gathering short of an amendment would be ratifying a treaty to that effect. But that seems as unlikely as any other route, since, as has been pointed out a few times, most Americans care not a lick about foreign SIGINT, and to the extent they do would like it to be as effective as possible.
Congress can very well pass laws that dictate foreign policy: You shall/shall not bug the Germans.
Though it's dubious, Congress can also say "You shall not spend money on fiber taps. You shall have money for satellites."
The bottom line is that the Congress can get into NSA's pants as much as they want to.
They can pass them, but they'd almost certainly be as unconstitutional as a law from 1944 that mandated the invasion of Calais rather than Normandy.
Just to point out, neither of these are actually big names to congress, or more importantly, particularly effective at getting things passed when push comes to shove.
If you want these things passed, never rely on advocacy orgs to do the work of the people.
My take on it is as runs:
Fundamentally, what's needed here is the ability to have confidence that the intelligence system is not overstepping its bounds. The US founders' framework for building that confidence is to have multiple parts of power, whose interest is roughly aligned with countering each other. So in the case of the TLAs:
* The judicial system for warrants needs to be open. No secret courts. Cases' contents might be sealed; the existence of cases should not be. Secret courts are not new, and they have been a bad idea for a long time.
* The policies for data collection need to be managed by Congress; no policy about this should be set by the executive branch. The policies need to be open and debated. Should we take foreign intelligence on our own citizens?
* Comprehensive reports to Congress. I believe Zoe Lofgren cited a report that was under a page about the NSA activity. That's entirely disingenuous and disrespectful of the representatives of the people.
The other thing that needs to be done is in the polls: Legislators that seek to legalize snooping need to be replaced with ones that don't.
And finally, the thought process needs to be that there's a 4th Amendment rights protection movement and organization, which will work over a long timeframe (generations). There's no band-aid act that will fix this once and for all, this entire thing is an upswelling from overprotective and anti-risk mindsets. It comes out of deep into the roots of what's considered acceptable risk. The privacy/4th amendment movement is going to have to plan for advocating higher risks, more freedom, more liberty, combined with more laws about privacy, along with determining how to build change in mindset over time (it's called propaganda or, more politely, marketing). Privacy implications need to be worked out, discussed, brought to light in fiction, philosophy, law, debates, etc. The mindset of fear and "never again" and "risk is unacceptable" has to be broken in order to make mass surveillance a non-starter.
Worse - The reality is that privacy is going to be dead with the Internet of Things coming online. The question is, what is acceptable and legal to monitor and record? For myself, I believe that we need to have stringent personal data laws forcing deletion of consumer data unless required for a service, as well as requiring warrants for any data collection not already given to the government (i.e., IRS filing).
The 2nd Amendment groups are in this for the long run. I don't see how the privacy groups can afford to do otherwise.
edit: I would enjoy discussing this with interested parties, particularly activists and activist-leaning people. My email is in my profile.
N.b., I don't really like to frame it as "attacks on democracy". That is (1) hyperbolic and (2) not obviously true. Words must be chosen very carefully in this debate (and it is a debate!) in order to not mislead or scare people away. I would argue that TLA snooping leads to the "Chilling effects" idea, where debate and discussion are chilled from freedom due to awareness of snooping. Obviously there are follow-on and side effects as well, as well as long-term risk of political persecution. But let's focus on the visible problem today without speculating on the worse potential problems.
Further point with respect to word choice and bringing the mainstream awareness up: tinfoil hatters do not speak for me, and they don't speak for the mainstream. They poison discourse by being radical and not bothering to look at conventional reality. Same for conspiracy theorists. Reasonable and respectable people can move the needle, infowars/alex jones/coast to coast types really are no ally in the effort to make this a real issue.
It seems to me fairly self-evident that actions which chill debate or discussion limit political expression and an informed electorate, thereby fundamentally impinging on democracy. Why then distinguish between 'chilling effects' and an attack on democracy?
Let me frame the thought by giving an example: if I am talking with someone, I might not say a few things because, hey, the TLA might care enough to pull the record and listen in. Or we take care to communicate with GPG or something. It inhibits what we do. We can still vote; our vote actually has meaning; our votes actually change the elected officials, etc. We still can run a socialist candidate (c.f. Kshama Sawant 2013 in Seattle) and they aren't shut down via police action or other hardcore discrimination.
This is in contrast against what it could do: it could be always used to harass and discriminate against those dissenting from the Two Parties and the State. Anyone who said anything would be looked at and actions taken to shut them up and limit the expression and formation of dissent.
While the database of communication could be used against people to significantly disrupt everyone who speaks out, it is not, and in my opinion, it will take a few emergencies like 9/11 to actually alter the mindset of the US to make that acceptable. Of course, people are harassed; some people are okay with that. It doesn't mean there's general acceptance of that, and it doesn't mean everyone is harassed.
Thus I draw the distinction: people self-censoring vs. the heavy hand of an apparatchik forcing change. The first is very immediate and to-hand; it's reality today. The other is possible, possibly even probable given certain courses of events, but fear-mongering is not the best way to go; let's deal with the clear and present threat at hand- chilling of free speech, chilling of dissent, chilling of the business interests of United States citizens, (frankly, these all apply outside the US as well, and hopefully the debate within the US around privacy and data capture also places the operations of TLAs on non-US citizens & non-US soil within the public purview of the United States citizenry via their elected representatives).
Fear does work as a campaign tactic, but the reality is, fear is not something people want to work for. People are willing to work for hope (didn't we all see that in 2008?), and I really would prefer the pro-privacy, pro-4th amendment activists focus on the positives and hope of what we can do rather than performing the traditional stick of the Republicans & Democrats (vote the other way and the free world and the US will END!!!11!oneoneone). It is in hope of not being tracked against my will, not being monitored in every phone conversation, not being advertised at without my consent that I advocate for these changes to come to pass. It is in hope that I can say thoughts and perform actions online and offline and feel the liberty of not having peeping government Toms and raucous advertisers know anything about me.
So there's my distinction and my spiel. :-)
See, my theory, call me a tinfoil hatter if you will, is that we are on the brink of losing our votes. 1) Collect extensive data on any and all citizens. Any especially politically active citizens will receive extra scrutiny. Ones that are further up in local, state and federal politics will receive even more. This information will be used secretly to ensure that, besides a few outliers who are either allowed to be subversive for the sake of maintaining a smokescreen, all politicians can be controlled. Russell Tice, a prominent NSA whistleblower has alluded to exactly this process occurring under the NSA of today, as it did under J Edgar. He ominously refers to a young man who now resides in a nice white house as one of these who received extra attention. (To me, that explains a whole great deal. And think about it - one of my google searches released to the press would destroy any political career I had, and would be quite enough to turn me into someone's puppet, or force me out of politics altogether.)
2) With the political market cornered, to an extent, step two begins. Militarise the police. Use infiltration and subversion to delegitimise, split and turn public opinion against activists, whilst also using techniques to track and monitor the most influential ones. Again, there is evidence that the NYPD and other departments have undertaken actions like this. There is a wealth of technology to aid them - tracing FB profiles, using false cell towers, facial recognition tech combined with surveillance cameras, etc. This will have a chilling effect, as mentioned above - activist movements are accused of vandalism, of violence, suspect motives, etc, and are also brutally put down. Public sympathy fades, and the support for and involvement in protesting and other forms of activism begin to wither.
Congratulations, you have the makings of a great authoritarian state!
Note that nothing I referred to above is beyond the realms of possibility - in fact, please point to anything I said and I will try to dig up some solid evidence for it.
Quite simply, we are going past the point of no return. It will become progressively more difficult to have an impact on the political apparatus. At some point, it will come down to one thing: a fight. A very bloody fight. It happens every few centuries when an existing political and social order becomes stagnant, and the citizenry are pushed out of fear, hunger or anger to act. When we the people have nothing to lose, that is when things will change. It may not happen tomorrow, or next year, or next decade, maybe not even this century, but it will happen.
EVERYONE has dirt on them that they wouldn't want a hypocritically moralistic press to publish to the world with the worst possible spin on.
Either Presidents get access to some scary ass shit that makes them all immediately move hard to the right when they get in office or someone shows them their phone calls to their dealer in 1986 or the abortion clinic in 1997 or an email to an illicit lover or a gay experience at college or or or.
Occam's razor would suggest that with the overwhelming superiority of the USA militarily and economically that there isn't some massive scary vulnerability that requires the maintenance and expansion of the security state therefore the second posit is more likely. Dirt. Lots of it. J Edgar Hoover with access to all of your innermost thoughts. That's what a google search is after all.
How many times have you heard something or read something and done a quick google, something that out of context would be dreadful? I for example ended up following some links from Reddit and ended up on a white nationalist site (the post was taking the piss out of their idiocy), I immediately clicked away from it thinking 'fuck, if the govt were to see that' (I am on a work visa here and have essentially no 4th amendment rights when seeking entry), pretty chilling already.
Now imagine being a politician. 'Candidate goes on storefront!' But I was just curious, following an internet thread...yeah right. Racist.
Remember, a great number of people have to be on board with restricting the TLAs in order for effective change to happen at the national level. While YOU might not want monitoring of influential activists, others might (and probably do). So your possible future might be a wanted one for segments of the population. Confine yourselves to facts and positives and you have a stronger base to work with rather than pushing fear (no one wants fear, everyone wants hope).
Understand that I'm not denying your hypothetical future. I'm simply convinced that a narrative not focused on "what-ifs" and fear will be more successful at winning support.
I would argue that imagining what-if scenarios and disseminating that fear are the only way to prevent us from crossing the threshold where there's no turning back. Waiting for direct evidence of a police state is a losing battle. Just take a look at what a decade of the All-Seeing-NSA-deniers have brought us? Relying on the next Snowden to bring us hard evidence about intelligence activities is a losing proposition.
You didn't see any direct evidence of massive surveillance either. Yet it is quite clear it exists. All that means is you are willing to wear blindfolds. By not preparing yourself for the worst, you simply let it happen.
Bullshit! This is the exact thing we have been demanding proof of. There is none.
Not a single event has been proven to be thwarted by these activities.
Boston? Sandy hook? Aurora? Lax? Mall?
All actual attacks, hell, they took days to ID Boston guys and even then couldn't do a decent job in tracking locating them after they found them out!
The NSA is a criminal organization. Period. There is no grey or legal area here. They need to be shut down.
It's almost certain that the TLAs generally try to keep within the law as they see it, and push the boundaries as far as they can - this is the trend of the executive branch. I would expect them to have batteries of lawyers hired to find out exactly what is permissible, and then to do all of it.
It's also entirely disingenuous to say that the TLAs have no purpose. To riff off of @leashless from Twitter - they are a reaction - an immune response - to some entities which do and did some very bad things covertly, and are now being an autoimmune disease on the host state. The truth is, 9/11 gave a rather large blank check to the industrial/security/intelligence companies and agencies in the US, and most people were not in the mood to worry about civil liberties too much at the time. "Never again" was the refrain, and that sort of perspective removes all ability to do a cost-benefit analysis. So they expanded with that attitude and that check... then, like bureaucracies do, they entrenched and began to expand power and capabilities. This is not new behavior in any bureaucracy. This sort of eventuality was, as I recall, predicted quite loudly after the Patriot Act was passed.
The response is utterly disproportionate to the risk.
Which is where this whole conversation goes to hell - the trailed off sentences where people assume they actually have a clue what dangers they're talking about.
Because if your problem is "oh, someone might find out about someone's mistress and tell the media..." well - the problem begins and ends with the fact that their voters turn out not to be ok with that. But they're still voters whose votes matter.
Easy. You use government power on them. You "coincidentally" hit them with an IRS audit, one that's incredibly hostile and refuses to resolve itself. You hit their business with every inspection possible, held to the most stringent of standards. Even if, and perhaps especially if, they don't own it, and you find a way to sufficiently hint to the business why exactly they're having these troubles. You have a cop follow them and nail them with every petty infraction in the book. Any government program they may be on, you inspect their compliance to the n-th degree. Layer heavy bureaucratic red tape on at every opportunity. Find ways to make them need a lawyer. Find a petty excuse to claim you suspect them of drug trafficking and inspect everything they own, which basically allows you to take everything they own, and effectively destroy or hold on to everything for years.
And that's if you have a goal of staying plausibly legal. If the mask is off for some reason, there's even more you can do. And these are just examples; if one truly took a survey of what the government could do to you without even stretching the law, I think we could produce a very thick and scary book.
Unfortunately, I don't think the capabilities of the NSA are bounded by your imagination.
You then postulate the US government just ignoring the law altogether.
You see the pattern right? All these are things where the US government does some questionably legal, pretty highly visible stuff to you. It's not unintrusive electronic surveillance.
Or to put it another way: the Soviet government didn't start out surveilling their citizens before they just murdered all the ones who were considered dissidents. They started doing it after they needed to get better at murdering the dissidents. But the real problem, was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?
No, he just mentioned things that could be currently done. However, only on a small scale. To truly disrupt anyone's life like that, and to do that for thousands or millions of suspects or dissidents or what have you, you would need an equal amount of auditors, cops, and so forth.
Now, if you were to automate that schema, you would have yourself a system capable of much more. And by doing it illegally to the extent that even elected representatives are not allowed to have oversight, you could achieve a very great deal.
> was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?
1) The signs are that we are eroding the legal safeguards that at least made it very difficult and very risky to do this. Now, however, dissidents (call them traitors if you will, that is your opinion) can be whisked to secure holding facilities the world over and subjected to torture, and it is technically legal. US citizens can be assassinated legally. And now we hear that we have been watched for decades, illegally. Clapper commits perjury, but walks free. Torturers are given clemency, but Snowden is wanted for espionage. All of this tells me that currently, our freedom is a facade, and soon even that will be able to be dispensed with.
2) You could subscribe to the view that we don't need to be murdered or disappeared, just convinced that keeping our mouths shut and our eyes on the TV are the safest option. Pepperspraying OWS protesters, militarising the police - I can see why political engagement is dropping, and I'm sure you know who benefits from that. Hint: not us.
"Has the US government killed a bunch of your neighbors? Disappeared them?"
No, not yet. However, I believe there's a "there" there with the IRS scandals, which is definitely headed in that direction very, very strongly. Which is to say, it's riding your line, it crosses a lot of other more realistic lines already.
Your faith in human nature is disarmingly naive. Remember Hitler has been elected. What keeps a democracy alive is not the people at its head or the people that elect their rulers but the structural foundations and laws. You can't trust men. Most of these foundations and laws have already been circumvented by the NSA with the benediction of the US government. That the government seems "nice" to you doesn't matter. As soon as the rulers can disregard laws, they will.
OTOH, systems with greater proportionality in representation also tend to have higher public opinion of how well the local government works, which is probably not coincidental; for a good general survey, see Lijphart's Patterns of Democracy.
Maybe they tend to, but when they drew that graph, Italy is definitely an outlier. People are not at all fond of how the government works, putting it mildly!
Very proportional systems have large problems of their own too, including all the "horse trading" that goes on to form a coalition. This can and does involve a party that got, say 10%, driving a very hard bargain with the party that got 45%, giving far more relative weight to the people who voted for the 10% party.
You're right that the media is not The Problem, no argument there.
Granting that, why bring Italy up then?
> Very proportional systems have large problems of their own too, including all the "horse trading" that goes on to form a coalition.
Horse trading goes on to form a winning coalition in two-party systems, too (the major parties in electoral systems that create a two-competitive-party dynamic are, invariably, coalition parties); the difference is that, in such systems, the disproportionate power of the needed-to-win segment is less than in two-party systems, because it's much easier -- because the factions are formal parties that you can negotiate with -- to swap coalition partners and form a new majority coalition if a minor partner wants too much.
(That's also, really -- outside of systems like the US where you've got an FPTP electoral system forcing pre-election coalition building -- a bigger issue in unitary parliamentary systems vs. separation of powers systems -- because having a majority coalition in parliament is a more significant issue in unitary systems whereas in separation of powers systems, ad hoc coalitions on particular issues can function in the legislature without requiring a stable "ruling" coalition in the legislature. So, if you are looking at an FPTP separation of powers system like the US, it's a problem that moving to a proportionally-elected but still separation of powers system alleviates rather than making worse.)
Because I live here and it's a very good example of proportional systems not being strictly better than what we have in the US.
> swap coalition partners and form a new majority coalition if a minor partner wants too much.
Easier said than done in many cases.
Today there are so many people who have this weird belief that somehow the lack of change due to their extreme apathy is a justification for that apathy. It's not. If more people spent the time to educate themselves deeply on issues and candidates. If more people spent the effort to have legitimately worthwhile political discussions instead of merely agreeing with those who already agree with them and shouting down those who don't. If more people decided to take the risk and enter politics. Things would be a whole lot different.
Today the biggest problem isn't entrenched power structures, or gobs of money in political campaigns, or the lack of good candidates. All of those are symptoms. The biggest problem is that the primary ways that people learn about and discuss political issues are horribly broken. Most major news media outlets are horrid, only a few steps away from outright tabloid journalism. People decry fox news all the time but CNN and even the New York Times are, on the whole, little better, just different flavored output from fundamentally the same machinery. And people don't tend to realize this because every once in a while there will be something of legitimate quality that leaks through, and that event will serve as a rationalization for continuing to feed from those sources of information. These are precisely the same processes that keep people attached to religious institutions as well.
Ask yourself, how much effort do you, personally, put into researching political issues and candidates? What about your friends? Do you hold them to account for being low information voters? Do you ever have serious, non-shouting, political discussions with people who have different views than your own?
Of course new movements are under resourced. If it was easy to make that kind of change, it would already be done!
Example: I used to work for BigCorp. BigCorp had a PAC to which they would gently encourage employees to contribute. They ran an annual contribution campaign, sent emails, made phone calls, etc. It was not mandatory, just encouraged. Many employees did so. The PAC in turn contributed to any politician who supported BigCorp.
So the net result is a bunch of people who ended up contributing to politicians who they otherwise may not have supported, and they did so out of a vague fear that doing so was important for their jobs. There was strong social pressure at work in this situation. I.e., left to themselves, these people would not have given a dime to these politicians.
The PAC in turn, spoke on behalf of these people, but only about issues that BigCorp cared about, not the issues the original donors cared about.
And that's why them is not us.
Lobbyists are unregulated employees or contractors, whose budget is only limited by the largesse of the sponsor. Its goal is to affect legislation and regulation through swaying the votes and actions of elected officials, political appointees and to a lesser extent career bureaucrats. In this regard they are limited by anti-corruption and bribery laws.
Campaign finance is a highly regulated system through which politicians amass money to fund campaigns to sway the votes of the public. PACs and other organizations channel money to candidates whom they believe will be sympathetic to their causes.
Regardless, forget about the PAC money and the campaign finance. I assume BigCorp has lobbyists, and those lobbyists look out for BigCorp's interests. As an employee of BigCorp, you are a beneficiary of those lobbyists.
As to your last statement, largely it is the shareholders and executives who are the beneficiaries of the lobbying they do. You can argue that the employees are beneficiaries in the sense that they have a job, but that misses the point: the benefits of lobbying fall asymmetrically. Again, it's a leverage thing. They leverage the desire of the little guy to have a job and raise his family and in turn reap huge rewards for the shareholders. So although you can say everyone benefits and gets what they want, the result is really a distortion of power and influence.
The Chinese wouldn't do that to me. They don't have a dog in this fight.
Also, the US has proven experience in smearing political characters. Heck, even John fucking Lennon had an FBI file full of personal information.
Airbus might disagree with you there, I can't see the NSA ratting Boeing out for supplying bribes.
You can't packet-trace a cloned switch port you don't know about.
Nobody is more distrusting of each other than two communist countries.
I'm sure lots of botnets use China servers as well.
Of course the Chinese gov is able to do so without any repercussions. The difference should be that in a democracy you can't abuse your power without repercussions.
Do you see the irony? Western governments are abusing their powers.. and they are getting away with it. Democracy means nothing if the government doesn't hold itself accountable.
Relying on the government to hold itself accountable makes democracy no different from monarchy.
I'm not saying the US doesn't do that, but the evidence is not as clear.
Further, the break-in to Greenwald's residence and theft of his machine.
As well as the visit to the Guardian and destruction of machines....
The evidence is crystal.
And given how the UK government loves nothing more than to be the lapdog of the US, I have no doubts it was done entirely voluntarily.
Eagerly even, as an opportunity to show off just how extra exceedingly loyal minions they are.
Frankly, I have little doubt that the UK government participates so eagerly that just occasionally some of their US counterparts must be a little bit embarrassed on their behalf over seeing their total lack of self respect in trying to impress.
Which you know - is still illegal to have. Though it's funny how the Guardian thoroughly underreported that fact.
It is, however illegal for someone with a clearance to mishandle classified material. "Mishandling" includes "Permitting access to classified material to non-cleared personnel.". If you mishandle classified material you may be reprimanded, have your clearance revoked, be fined, or go to jail for a very long time.
In the case of the Chinese hackers, they were spying on reporters to discover their sources.
What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.
AFAIK we don't have evidence of similar US spying for the purpose of blackmail, harassment, etc. because my concern is whether the NSA might use its sources for those ends.
Miranda's detainment, confiscation of the memory sticks etc was to be expected - as far as the UK Government is concerned he's carrying stolen state secrets.
What I don't really understand is why he flew through London carrying them, I believe Madrid has more routes to South America - I wonder if he was routed so he would be picked up for massive publicity.
Huh? There's nothing in the Post's information that would preclude both from having happened, so it would be a stretch to call it a lie even from that article. But in fact, the original blog post talks about multiple goals of the main attack, including listing the targeted attack that the GP is probably referencing as independent from the attack that "resulted in the theft of intellectual property from Google". I think it's you that's confusing incidents.
> Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.
edit: ah, and the GP wasn't even talking about the gmail accounts.
Also, what kind of spy uses gmail? Sheesh.
The kind that is trying to maintain cover as a non-spy so uses the same email services as everybody else.
Of course, that means the joke's on them, because the NSA was listening to everyone...
On the other hand if you want to read people's mail, then hacking into the provider is certainly an option.
On the other hand, we don't really know what the Chinese knew, or thought they knew, about Google and how it functioned WRT government surveillance. If they had reason to believe that Google would be cooperating with authorities and would have infrastructure in place to monitor email accounts that they could look for and identify if it was monitoring the accounts they were looking for, then this explanation makes a bit more sense.
I think US journalism is causing us to misprioritize. Everyone is talking about the NSA so everyone assumes it's the biggest problem.
At a minimum the U.S. and UK spying needs to be balanced against the fact that U.S. and UK citizens invented the core technologies of the Internet, and gave them to the world for free.
Our biggest trading partner is China, and we have a free-trade agreement with the US.
Who exactly is our ally again?
Sent aircraft carriers, ships and soldiers to help depose a democratically elected president, just because he wanted closer ties with China and wanted to do agrarian reform.
Disappeared lots of people (I don't know any personally, because I am too young, but I DO know personally lots of people that still want disappeared people back)
Spied on us (erm, that part still applies, no?).
Sabotaged our agriculture (ie: some plagues started after US agrarian engineers visited us to "help" with our agricultural technology).
Supported and funded very repressive crazy dictators that killed boatloads of people.
What the USSR did for us during the cold war: Gave us some really cool technical books in Spanish (yes, our language is Portuguese, but Spanish is good enough), I still have a bunch of them, they are really good, somewhere around my house there are calculus books, structural engineering, and lots of other cool stuff, Russian books but written in Spanish, targeted at Latin America.
USSR lent us some scientists (Russia and Ukraine still do, by the way).
Helped our exiles, not only left wing ones, but right wing ones too.
Sold us some very interesting stuff, even if shitty sometimes (example: during the cold war Lada cars were very popular here).
Computers! (for example when some companies here tried to develop a computer compatible with the Macintosh, US government helped Apple in forcing them to stop, while Russians lent us some engineers and books)
Now, who were our real enemies in cold war again?
It is just that this is what happened to us in Brazil, and USA never gave any clear indication that it wants to improve its behaviour.
So, why should we trust it now, if we could never trust it in the first place?
Stopped us getting nuked or invaded by the USSR
The fact is reality is much more complex than your simple statement which is further skewed by Hollywood.
Stalin was a mad man on a par with Hitler, but even under later leaders it was still a repressive regime with Gulags.
When you say that you doubt it, is that code for having no idea of the impact of Soviet funding in South America, but not being willing to say that you don't know? Or is it just that you know that everything bad that the US did was to counter something even worse that the evil USSR was doing?
However, Cuba is a repressive dictatorship which was funded by the USSR for many years.
It hurts a lot more because you are meant to look out for each other, not distrust and stab each other's back.
But who is to speak for tomorrow? None of us can tell what the future brings. Not me and not you. So who is to say that in ten years, when that data is still there, that the US is still worthy of your trust?
It is the future we should distrust, even if you trust the past, and the present.
P.S. I am sure I will get smashed in the comments, so let me say right away that NSA actions should be controlled and audited by the public (e.g. through our representatives in Congress). I think that the biggest "evil" here are the members of Congress who either approved NSA actions or failed to do their job and monitor/audit NSA properly. In particular, I would point my finger at Sen. Dianne Feinstein [D-CA] who should have been ousted from the office a long time ago.
The assumption isn't bad - it's a private network line, not a public internet connection. Nobody else had access to that line, at least they weren't supposed to. Splicing a fiber line is a bit outside the scope of your random attacker. You can't blame Google for not anticipating a hostile break-in by the government. The discussion should absolutely, 100% be directed at the NSA here. To accept that a private network connection is open season for the government to tap is batshit insane.
> Moreover, it is not clear if other governments or criminals also had access to the users' data (e.g. in Google's data centers located outside of the US). So far Google did not produce any public post-mortem thus we have no clue how bad was the problem.
How is Google supposed to tell you if they themselves didn't know?
Although from the leaks it sounds like everyone is fucked thanks to the GCHQ and the NSA getting friendly with each other.
If indeed Google does not know then it's just another sign of security failures at the company. Nobody is perfect and security incidents do happen. Good security will have in-depth defense and built-in monitoring/audit measures that would at the very least allow you to determine what has happened post-factum.
Do you have your own data center building? And if you don't have your own data center buildings, how are you guarding against physical attacks? Because just saying "encryption" doesn't actually mean anything. Encryption isn't free, and at Google scale that can add up. Useless encryption is just wasted power.
> For example, I don't want our system administrators to have an easy way to look at the traffic: yes, it is still possible to do but it is harder and requires some very unusual actions that will trigger alerts everywhere.
That can be accomplished in many ways that don't involve encryption. And your servers are all capable of decrypting the data at some point, so you still have to trust your sys admins and/or have alternative systems in place as they still have access to the unencrypted data.
> Good security will have in-depth defense and built-in monitoring/audit measures that would at the very least allow you to determine what has happened post-factum.
How, exactly, do you detect cable splicing? Much less audit said splicing? You seem to be asking for a hell of a lot more than "good security"
Some types of encryption are pretty cheap actually. I used to use special SSL cards in the servers 10-15 years ago but today my laptop would outperform these cards and wouldn't even get hot :) Plus you need to remember that relatively expensive public key encryption needs to be done only for key exchange. After that you run block or stream cyphers and those algorithms tend to be really fast.
So far I haven't seen any evidence that there was cable splicing. Thus using Occam's razor I would assume that the hack was much simpler than that. To detect the issue, I would start from reviewing the visitors log to the data center (assuming there is a visitor log).
I'll re-iterate that security should be built on defense-in-depth principle. Every single protection layer will fail or someone will go around it. The assumption that a data center is "safe" is a bad assumption period. You have to play "what-if" game and think for the attacker.
What? The evidence totally points to cable splicing. What hack involves getting all the inter-DC packets but nothing else? Obviously the machines weren't compromised, or they wouldn't have cared about reverse-engineering the wire protocol. So what are you proposing was hacked?
> I'll re-iterate that security should be built on defense-in-depth principle. Every single protection layer will fail or someone will go around it. The assumption that a data center is "safe" is a bad assumption period. You have to play "what-if" game and think for the attacker.
And I'll re-iterate that you're asking for a goddamn magical pony.
Side note, if your data center isn't safe go get a new one. Seriously. Most DCs have tons of security to make them safe. That's not an assumption.
I don't think there is any evidence at all. As far as I know, the only known thing is that NSA was able to obtain the un-encrypted Google traffic. For example, it could have been a backdoor in the router, one extra cable in the switch, or a few other similar low-tech options.
> Most DCs have tons of security to make them safe.
Don't disagree. But this doesn't make them invincible from other attack vectors (e.g. rogue employees). I actually heard the same argument from quite a few people during interviews and I usually don't hire them because you have to be paranoid to get security right :)
And "discussed" is not accurate. It was proposed by a few but rejected by most as paranoid.
So when someone says: "You're just being paranoid", my reply will be: "Better paranoid than wrong."
You don't use telnet when you access your home server(s) from your laptop ... that's basically what they were doing.
They skipped over a zero-cost, obvious best practice, and I think we should be suspicious. Either they've run that part of their network in a stunningly negligent fashion ... or this was the ingress they gave to the NSA which could be plausibly denied later.
This was a point-to-point cable. The only access possible was physical, by digging it up and splicing it.
Obviously that attack was possible, but arguing that this is somehow "the same kind of attack" as running tcpdump on a router to sniff packets is just insane, sorry.
"The" government? The lines were also being tapped by organized crime, China, France, etc. Google severely failed at data protection.
Basically, I think Google's decision not to encrypt the traffic is gross negligence and I would love to see how someone would sue Google for it.
Wow. Just wow.
If the courts get involved it should 100% be at the hacking perpetrator, not to the victim.
(And this is why some of us were concerned about CISPA, which uses the identical language. Note CISPA's proponents have quietly faded into the woodwork post-Snowden revelations.)
1. Data at rest (Adobe) vs data in travel (Google).
2. Software Hack vs Hardware hack
The Adobe data was sitting on a server in a datacenter, it was accessible from the internet on some level. The Google data was taken, apparently, from a dedicated, google owned, unshared link (quite likely a fibre-optic tap)
The methodologies, skill levels and required hardware for penetrating the above two types of setup are wildly different.
I blame Adobe for getting a server hacked, it happens a lot and they ignored a lot of the body of knowledge built up over the years. I do not blame Google for getting their inter-datacentre links physically compromised by a security agency of the US government.
Nor do I blame them for (incorrectly, as it turns out) deeming that an unlikely scenario and therefore giving it low priority.
I would blame them for not doing anything about it now that they know it is happening but that does not seem to be the case.
(I fully expect companies to encrypt data between datacentres if they are not on dedicated unshared links)
Indeed they do! From personal experience, Cisco was hawking its TrustSec inter-DC encryption solution five or six years ago, even over dark fibre.
There are numerous network devices that can handle AES-256 on 10 Gbps links, as a matter of routine, whilst doing 'mundane' switching for the day job.
If you have the money there is dedicated hardware that can handle the same at 100 Gbps. IP Cores is one from memory that produces the circuitry for that. They can throw compression in there as well if you like.
Encrypting data links isn't magic. Google just didn't do it.
You don't need appliances here as they can't handle the load, build the encryption into your application.
"Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program,"
* Database: SSL connections for MySQL
* Memcached, Gearmand, and other tools that don't have built-in SSL support: simple home grown message level encryption (AES256)
And of course, there are VPN tunnels between data centers in addition to the above.
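The "home grown message level encryption (AES256)" for tools without built-in SSL, mentioned in the comment above, sketched as an added example; it is not the commenter's code. The envelope layout, the `Keyring` type and the function names are assumptions of this sketch: it uses AES-256-GCM so that a value is authenticated as well as encrypted, and binds each ciphertext to its cache key so a sealed value cannot be replayed under a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope layout (an assumption of this example, not a standard):
//   key ID (4 bytes, big endian) | nonce (12 bytes) | ciphertext + 16-byte GCM tag
const (
	keyIDLen  = 4
	nonceLen  = 12
	headerLen = keyIDLen + nonceLen
	tagLen    = 16
)

// Keyring maps a key ID to a 32-byte AES-256 key, so keys can be rotated
// while values sealed under an older key stay readable. Rotation also keeps
// the number of random 96-bit nonces used per key well below the GCM limit.
type Keyring map[uint32][]byte

var ErrMalformed = errors.New("envelope too short")

func aeadFor(kr Keyring, keyID uint32) (cipher.AEAD, error) {
	key, ok := kr[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %d", keyID)
	}
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// associatedData is authenticated but not encrypted. Including the cache key
// means a value copied to another cache entry fails verification.
func associatedData(keyID uint32, cacheKey string) []byte {
	ad := make([]byte, keyIDLen, keyIDLen+len(cacheKey))
	binary.BigEndian.PutUint32(ad, keyID)
	return append(ad, cacheKey...)
}

// Seal encrypts value for storage under cacheKey in memcached or a job queue.
func Seal(kr Keyring, keyID uint32, cacheKey string, value []byte) ([]byte, error) {
	aead, err := aeadFor(kr, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := make([]byte, keyIDLen, headerLen+len(value)+tagLen)
	binary.BigEndian.PutUint32(env, keyID)
	env = append(env, nonce...)
	return aead.Seal(env, nonce, value, associatedData(keyID, cacheKey)), nil
}

// Open verifies and decrypts an envelope read back from cacheKey.
// Any modification of the header, ciphertext or tag yields an error.
func Open(kr Keyring, cacheKey string, env []byte) ([]byte, error) {
	if len(env) < headerLen+tagLen {
		return nil, ErrMalformed
	}
	keyID := binary.BigEndian.Uint32(env[:keyIDLen])
	aead, err := aeadFor(kr, keyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env[keyIDLen:headerLen], env[headerLen:],
		associatedData(keyID, cacheKey))
}

func main() {
	key := make([]byte, 32) // constructed key; real keys come from a secret store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	kr := Keyring{1: key}

	env, err := Seal(kr, 1, "session:alice", []byte(`{"uid":1001}`)) // constructed sample
	if err != nil {
		panic(err)
	}
	plain, err := Open(kr, "session:alice", env)
	fmt.Printf("round trip: %s (err=%v)\n", plain, err)

	_, err = Open(kr, "session:bob", env)
	fmt.Println("same bytes under another cache key:", err)
}
```

This protects the value on the wire and in the cache, but every server holding the keyring can still decrypt, which is the limit raised elsewhere in the thread about trusting system administrators.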
> And of course, there are VPN tunnels between data centers in addition to the above.
Could you please be more specific on the VPN solution that you are using? How do you manage the shared keys? How do you make sure "system administrators can't easily read the traffic"?
Which could be done legally via 'Cisco Service Independent Intercept (SII)' built into IOS to comply with CALEA (Communications Assistance for Law Enforcement Act). And not so legally via user-escalation exploits within the same service.
Anyway, props for making the effort. I too am interested in your key exchange methods.
Phone is I think an obvious (and now clearly wrong) choice although maybe always suspect if you are concerned with dark fibre. The endpoint security of a device generating and transmitting the key now also being a risk. How far up the chain do you worry?
An airgapped device to generate the key and a single person travelling between datacentres seems the secure (although costly) solution. Obviously if TSA/customs remove device from them for inspection or connect it to anything it needs to be thrown away (or moved to insecure duties) and the setup process restarted.
Google has the best OpSec team I've ever known, it is my hope that they close this 'loophole' as completely as possible.
Even if this is a leased private line, non-Internet routed, whatever, it is trivially easy to encrypt the communications and is absolutely a best practice. I see this as great big egg on their face.
In fact, it's such a cock-up that one wonders if this is the plausibly deniable ingress that they agreed to provide for the NSA, et al.
This is akin to using telnet to access your home server because you're "on your own network". Nobody does that and I can't believe they would have either.
I can forgive someone for thinking that if they dug trenches in the street, bought some fiber, and ran it between a couple of buildings, in a country where the rule of law was in effect, they might consider it a reasonable assumption that the fiber is lying in the street unmolested. Even if the distance is such that they can't see the entire length of the ground above the conduit.
Prior to Snowden's disclosures, it was the common belief amongst the security community that in 'safe' countries, the government in power would not subvert your infrastructure through physical access. They might do some network tricks, but not tap your fiber. In 'bad' countries counter measures were taken. And the network setup in say Russia or China was different than it was in the US and the UK. That your own government would illegally subvert your infrastructure through the use of a technicality was not considered a "likely" threat. Given that now it has been exploited it is rewriting a bunch of assumptions. I am not surprised in the least that they are now deploying the same hardening they use in hostile environments world wide.
The NSA cannot legally tap into communications infrastructure in the US (that is the FBI's job) and when the FBI does it they need a warrant. By doing this in the UK they sidestepped those constraints.
In classic vulnerability analysis you deploy your resources against both the probability and damage potential of a given threat. So for example datacenters are vulnerable to being bombed by aircraft, the probability of that is low enough that you don't defend against it, bombed by cars you put a security perimeter around the building.
The only people who think this is "trivially easy" are people who don't have to do it.
The fact that routing hardware exists means you can pretty easily tap it.
(People within these companies are also hackers, but they have more effect when they speak because they are part of a company)
The clash might be interesting to watch.
> "Bypassing that system is illegal for a good reason."
Yes, so is invasion of privacy. Yet Google has no problem breaking the law and violating civil rights for profit.
> "Unfortunately we live in a world where all too often, laws are for the little people."
Yeah, like tax laws and privacy laws...
If you want to get on this high horse, you shouldn't be working for Google.
This from the guy, who blacklisted CNN for reporting on him based on information found on Google.
Including account information and passwords on unsecured WiFi connections.
Even if the accusation of "violating laws" may be a tad hyperbolic in the great scheme of things it's not a stretch to deem Google one of the most hypocritical companies around.
The NSA on the other hand actively intends everything it's doing in this case. Comparing Google's Wifi mishap with the NSA's hundreds (thousands?) of deeply questionable operations driven by invasions of privacy and security is comparing apples with oranges.
Nonetheless, I doubt I'm naive to believe engineers are not always making mistakes. The trick is always in admitting mistake, learning from them, and fixing the future. In this case, Google acknowledged the -- lawful -- slip in privacy encroachments and assigned a privacy director to oversee engineering and product management efforts. Every Google product now maintains a privacy-design document.
Almost certainly it is, but would I be surprised if it were true? Would anyone be?
I'd be willing to bet the NSA had a good browse of the resulting data, either way.
I remain amazed at the ability of people to project their own biases (Google is Evil in this case, probably via extrapolation from Apple is Insanely Great) onto things that one would hope would be objective moral points (spy agencies shouldn't be attacking the networks of non-enemies!).
Sniffing unencrypted wifi packets and (apparently accidentally) storing them is just as bad as deliberately breaking into someone else's network to steal data? Come on.
Paraphrasing, or quoting something that has absolutely no relation to what was really said, is a pretty dishonest and low debating tactic in my book.
You can debate the ethics of it, but it wasn't illegal. And Google did get penalized for it.
Immoral? Yes. Evil? Yes.
I am gathering not a lot of people actually knew what was happening at the beginning, and the tools they were using for "valid" purposes were just refocused.
I do not think they were stupid, but just didn't see the entire picture, or were never given the entire picture.
Most programmers are very much unlike you or I. Think about those legions of DoD/DoD contractor engineers that trust government implicitly and totally, and really don't give a shit about more "hacker"/"technologist" subjects.
It is a very rare person who can see all the things wrong with the various Wars on Dignity (drugs, terror, etc) and yet has a nose so clean as to qualify for a top secret clearance. It's kind of like the saying about walking a mile in someone else's shoes before you criticize them - most people just can't conceive of what life is like for someone with an entirely different set of experiences and the logic of authoritarianism is so deceptively simple.
That's not to say that the people with clearances aren't perceptive, just that they are likely to have a focus on other, more technical, issues.
Incidentally, the U.S. system is strongly anti-authoritarian. There is no wise man or even thug running the show, just a parliament of whores tarting themselves up for the next election. We could really use some authorities in charge. Even a bad plan would be better than what we have if we just stuck to it.
There are some politicians, judges and journalists who agree with what they do - why should any other field be different?
Plenty of good engineers work on weapons systems, despite the use those systems are put to. The fact the systems are also used for national defence is often used as self-justification.
More directly: many good programmers build viruses and/or sell exploits for systems (and don't try and claim "they aren't from the US" - plenty are). Being a good programmer does not mean a person's moral code is the same as yours or mine.
1) terrorists - someone has got to stop them blowing up innocent babies and children
2) kiddie porn - someone has got to take the war on paedophiles seriously
3) organised crime - who knows? Selling arms to the terrorists? Laundering money. That's it. Laundering money and drugs. I remember now.
These 'reasons' can be trotted out like a mantra and working for them is a bit like being a soldier fighting a noble cause that everyone else has to respect.
As per other comment on 'The Cube', people at GCHQ are kept in little boxes and not made aware of what the big plan is. It is a system that works really well. So, even if someone's job has nothing to do with the war on kiddie porn, the war on drugs or The War Against Terror, they know that without their organisation's effort then we would be flooded with the evil stuff and democracy would be doomed.
The 'I cannot talk about my work' thing works really well. Although I am not convinced by it. I think that it is all too convenient to hide behind that rather than be honest about how dull/wrong a given job is.
I think you also place too much thought into the idea that NSA/GCHQ build these systems. Actually it is the guys at the contractors - Lockheed Martin - that build these things, the NSA/GCHQ guys are no more involved in things than the checkout staff at a supermarket are involved in all the evil things Walmart/Monsanto/whoever do. That is the saddest part of it. We uphold NSA/GCHQ to be omnipotent and omniscient, but they are not. The main contractor - Lockheed Martin - are upstream of what the NSA/GCHQ does and they are experts at getting government contracts. Since they can listen in to what all of the other contractors bid they can bid competitively if they really want the work. Since they also own most of the politicians and can promise so many jobs in so many states, they can own the entire government. NSA are not the enemy, Lockheed Martin and their rivals are. And, to answer your question, the dark side programmers work for them.
His reply: "Dude, all this shit comes out of Israel! its the whole tech/NSA bullshit used against the palestinians!"
It was a casual comment - but very interesting in that it's a foregone conclusion that the surveillance state is just a function of the culture of Israeli tech development.
I think the point being that Israel happens to excel at this type of thing due to the simple fact that they have been surrounded by countries who have wanted to wipe them off the map for a long time. This has happened to breed the talent that is very useful to the NSA / surveillance industry.
About who made these tools, I would say that this was built through a combination of different people:
- very patriotic individuals: e.g. someone who joins the military and gets a military sponsored world class education in comp sci; or someone who gets recruited at an early age on the campus of Berkeley/Stanford/Yale/MIT/etc (remember how spies were recruited back in the days)
- consultants: Palantir, Booz Allen and many more
- buying outsourced tech (e.g. from startups in the Valley/Boston/Penn/Virginia/Maryland or Israel)
- captured black hats in exchange for softer sentences
- renegades from big tech companies: i.e. ex-google employees. You'd be surprised how pissed off some people can be at their previous employees and to what lengths they might go to hurt them
Not possible. You cannot unwittingly buy a house in Cupertino, fill it with 48 V batteries and wave division multiplexing transceivers, and trench the back yard. The maintenance techs driving the fake pool service van knew exactly what they were doing.
If you have a mobile phone, you can be tracked, even if there is no GPS on the device. Besides this if the NSA chooses, they can track practically ANYONE in the world, all they need is a mobile number. I would not be surprised if this is actually one of the tools they have.
Due to the nature of how GSM and mobile operators integrate when roaming. When a mobile operator signs an international roaming agreement, they set up signalling links between their switches and VLRs (Visitor Location Register).
The mobile operator in the visited country needs to authenticate you against your home network, this happens via SS7.
Once this link is established, it is assumed to be trusted, and most operators DO NOT apply any filtering on these commands. So with a carefully crafted SS7 command, you could request the location of a mobile subscriber, even if they have not even attempted to join your network.
Now here is where it gets interesting, get access to send SS7 commands from an operator with many international roaming agreements, and you can get details on practically any subscriber. Get access to 2-4 (i.e. AT&T, T-Mobile, Vodafone) of these massive tier1 operators, and you can get the location of practically everyone with a mobile handset.
You don't need one, really. Skype at work, landline at home. Why would I want to talk to anyone on the go?
I go out for beers and other social activities all the time. My social life is not suffering at all. The need of having a cellphone is a lie.
> "But I did have an interesting (unattributable, of course) briefing from someone very senior in one West Coast mega-corporation who conceded that neither he nor the CEO of his company had security clearance to know what arrangements his own organization had reached with the US government. “So, it’s like a company within a company?” I asked. He waved his hand dismissively: “I know the guy, I trust him.”
West Coast mega-corporation does not know what West Coast mega-corporation does.
For months Google's only public response was to lobby the government for permission to release stats(?) to prove that they complied with the law - nary a word of criticism for the law itself.
So now that Google's own autonomy has been breached by the NSA (all above-board and legal according to the NSA's legions of loop-hole seeking lawyers) instead of just Google's users, now they are mad?
I just made another post about how a lot of people are unable to imagine what it's like for others to be in a situation until they themselves are in the same situation. But... I'm not so sure Google, as an organization, has fully recognized the scope of the problem here.
I had a laugh-snort reading the discussion on that page - at one point the original author, Mike Hearn, tries to argue that ad-based services are actually a good thing for privacy. Does Kool-Aid have a google flavor now?
Besides, as Upton Sinclair was fond of saying, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it."
His claim is that there aren't any viable anonymous payment systems for the web but that advertising is semi anonymous, so that's better.
(1) There are ways to make anonymous payments on the net: I can use cash to buy cash-cards in denominations up to $500 that work just like debit cards online; they are even branded with Visa and/or MasterCard. Until a couple of years ago you could buy even larger denominations, but war on terror hysteria made it illegal to do without providing ID. None of the entrenched powers seemed to mind the new regulations all that much, which leads to...
(2) The rise of advertising as the primary source of online funding has choked out development of alternative online payment systems in the same way that an invasive species chokes out native species that occupy the same ecological niche. If it weren't for companies like google we wouldn't be in the situation we are now because a lot more work would have gone into the development of alternative payment systems.
(3) The entire goal of modern online advertising is to identify and track users as narrowly as possible so as to better "target" them. The more sophisticated online advertising systems become, the less anonymous the users become. Companies like BlueKai and hundreds of others exist to connect your real-life identity (and associated database entries) with your online activity. Even google does it with their real names policy for g+.
So instead of each vendor only knowing about the specific transactions they have with you, there exist multiple databases that amalgamate all of your transactions (online and offline) across multiple vendors into one central record that is for sale. I'm well aware that Google thinks their user records are super proprietary and that they would never make that data openly available outside of Google, but (1) they are far from the only holder of such data and many of the others see selling/renting that database as their main source of profit, (2) sophisticated use of targeted ad-buys can indirectly mine Google's data, it's not as easy as just buying access like you would from a place like Experian but it is feasible under the right circumstances and (3) who can say if Google will have a change in corporate direction tomorrow and start selling access to all that data that they have been collecting for over a decade?
So, in short, his claim was so blindered that it really was quite ridiculously naive/ignorant.
> There are ways to make anonymous payments on the net, I can use cash to buy cash-cards in denominations up to $500 that work just like debit cards online, they are even branded with Visa and/or MasterCard.
This still puts you at greater risk of exposure than creating a Gmail account through an anonymizing proxy. Prepaid cards can be traced to where they are purchased, which at least narrows your location geographically, if not the exact location. From there the NSA could probably catch you buying it in person by reviewing CCTV footage.
> The rise of advertising as the primary source of online funding has choked out development of alternative online payment systems in the same way that an invasive species chokes out native species that occupy the same ecological niche. If it weren't for companies like google we wouldn't be in the situation we are now because a lot more work would have gone into the development of alternative payment systems.
I don't really understand this point. You seem to be positing a world where online advertising didn't become the dominant mechanism for making money on the web, but you don't explain how this could come about. Perhaps if "companies like Google" did not exist? But there were advertising companies before Google and there will be long after Google is gone. Advertising is an inextricable part of the global economy. It would take a revolution to change that.
> So instead of each vendor only knowing about the specific transactions they have with you, there exist multiple databases that amalgamate all of your transactions (online and offline) across multiple vendors into one central record that is for sale.
I think this is deeply wrong and I wouldn't be working for Google if I thought we were heading in this direction. It's not my place to comment further on your other assertions about Google.
> So, in short, his claim was so blindered that it really was quite ridiculously naive/ignorant.
I don't see how your argument supports this claim. Nothing you have said would be news to Mike, who has been thinking about all this stuff longer and more deeply than most people. He just has a different perspective to you, that's all.
I note that you've specifically gone to the most extreme case of the state looking to track you rather than some other private entity. The NSA/FBI looking at camera footage at the point of purchase for a cash card is just as likely as the NSA de-anonymizing your proxy (well, probably less likely given what the NSA has been up to). However, for private databases nobody is going to make those efforts. But what they will do (and do all the time) is cross-reference web activity to minimize anonymity and increase "targeting."
> Advertising is an inextricable part of the global economy. It would take a revolution to change that.
That's circular. My point is that the industry's overwhelming movement toward advertising as a payment system starved out the development of alternative payment systems, micropayments, e-cash, etc. Hell, PayPal could be so much more privacy preserving simply by not disclosing your email to the seller, but they don't make that trivial effort because they have no competition.
> I think this is deeply wrong and I wouldn't be working for Google if I thought we were heading in this direction.
If you think I am specifically talking about Google, you are mistaken. Go install Ghostery and watch how simply visiting a web page like The Verge gets you into the databases of at least 7 different trackers other than Google. If Mike Hearn was arguing that google should have a monopoly on advertising because google currently doesn't deliberately share its secret stash with anyone, then that opens up a whole different line of disagreement.
PayPal are not a monopoly, by the way. I would not be surprised to see them unseated from their current position in the next few years.
I do have Ghostery installed. I'm glad it exists, and wish more people would use it so that they could see the extent of the tracking that's going on.
> If you think I am specifically talking about Google, you are mistaken.
I was responding specifically to your paragraph about Google.
That's really overly simplistic. It's a complex system and to assume that it's the best system (as Mike Hearn stated) is to ignore the fact that there are competing interests at work and the ones who value privacy have significantly less clout than the ones that don't.
> PayPal are not a monopoly, by the way.
That's just wordplay. PayPal has not faced significant competitive pressure for over a decade, if ever.
You could fund them indirectly, through sales of another product. Think about Apple giving away its software and Web services (funded by hardware sales), or Microsoft giving away its Web services (funded mostly by software sales), or even of Google's nonprofitable services and projects (the ultimate income source here is ads, but it needn't be).
Alternatively, you could accept some anonymous form of payment. Bitcoin is the obvious one, but there are plenty of others -- gift cards come to mind, and these have been pretty successful for iTunes and the XBOX arcade.
Or, of course, there's cash, Bitcoin, and other less convenient or mature technologies.
Finally, the argument is a little disingenuous, given Google's push, with Google Plus, to know people's real identity anyway. It is clear that "advertising = better privacy" isn't a Google goal, at the high level.
So all the defense community was raised on SIGINT, and anything seen as a curb on this - technical or legal, they will probably view it as some sort of existential threat. They would then fight tooth and nail to block any sort of reform. And the military industrial complex has quite a lot of legislative muscle....
The rise of technology, both its widespread use by the public and the ability to capture it by agencies, had made SIGINT seem much more attractive in the couple of decades prior to 9/11.
So, yes, agencies had become over-reliant on SIGINT over HUMINT, but for understandable reasons with the benefit of hindsight. Currently, they certainly don't view it as an existential threat and all agencies are working to re-establish HUMINT capability, the opposite of trying to block it. The trouble is that it is hard, really hard work.
They like to toss words like "Terrorism" around like frisbees hoping someone will catch it and toss it to someone else, however I personally think we can assume that direct diplomacy is dead. SIGINT is more consistent and dependable than engaging another nation's diplomatic apparatus, and all nations are clamoring for their own monitoring solution.
It's a new baseline measurement of international political power -- the cost is so low that it's foolish not to get it.
The submitted link is Mike Hearn agreeing with and elaborating on Brandon Downey's original thoughts on the matter.
I would probably be a single-issue voter if a candidate for congress were likely to win and was aligned with me on this issue but opposed on virtually everything else.
One essentially-fantasy is to run for Congress directly. Unfortunately I haven't lived my entire life to my mid-30s in trying to become a viable political candidate, so this would be difficult. Central or Eastern WA is probably the best bet, along with starting a 50-500 person business which employs a lot of local people (manufacturing of some kind) and generally being an engaged local citizen for a decade or more. But that's a long term goal.
But, even without that piece of the puzzle, reverse engineering a protocol that doesn't use encryption wouldn't be "extremely difficult". This is not an indication of an inside man.
You're talking about the NSA here, an outfit which has cracked the cryptosystems of foreign governments in a variety of foreign languages, and even cracked a Russian one-time-pad that they had accidentally used more than once.
I don't think it's very hard at all for them to reverse engineer RPC serialization that is not even encrypted if they can crack cryptosystems.
I'm curious what 1622 represents here. 1622 different protocols, each with their different messages? Seems like a crazy amount. 1622 different message types for authorization? Even that seems like a stretch.
I know how hard it would be, I implement low level protocols (not Google's or of men in black).
I did that for fun and I was (and am) a mediocre programmer at best; the NSA/GCHQ has some of the best talent around, and I doubt they would find it much of a challenge to do this on a bigger, more complex protocol.
Unencrypted traffic is (relatively) easy to reverse engineer even without a protocol description (examples, the Samba guys, the Asterix folks) as most protocols are designed to be structured (that is kind of the point of having the protocol).
Either way, this is a good stimulus for rolling out deeper encryption.
The discussion of cable tapping and the NSA's apparent taste for doing things the expedient way instead of the legal way makes me wonder if the "vandalism" domestic underground fiber cuts in the years after 9/11 form an interesting pattern.
If you know the route the fibre takes (which should be public and certainly government knowledge) you can install the tap anywhere along the length of the cable, roll up with a van the equipment and two guys in high viz vests with a fake work order, who the hell is going to check....(think the Ghostbuster's scene where they close half the road).
The crazy thing is that so many smart people at Google and encrypting the data still wasn't done.
Over the next few years it will become more and more common for "in-flight" data to be encrypted. As the "low-hanging fruit" starts to disappear, state-level attackers will increasingly turn their attention from fibre to endpoint; with a corresponding increase in the number of attacks on mobile devices, apps, and embedded systems. This is, to put it mildly, incredibly challenging terrain for passive defence, where complexity all-but-guarantees unknown vulnerabilities and hidden attack vectors.
Now, I am not too sure about the ethics of active defence / networked HIPS (too similar by a long shot to the sort of malevolent behaviour it is supposed to defend against), but it might be something that we are going to have to have a look at.
This is sort of the crux of it. We are degenerating into a true oligarchy and/or gangster state in which there are two different systems of law: one for the politically connected and one for the plebs.
Something along these lines:
"Look at the horrible way NSA treated our customers... We're gonna make sure the NSA can't get our data in the future, and protect everyone's data. Come use our services where we treat you right!"
It was always just a matter of time before a corporation had the ability to compete in the total information awareness arena with the three letters. Google is probably the primary candidate that has the capability, besides MS/Apple.
Of course the three letters win on the data side, but the company wins on the customer side. Win win. For them. Lose for us.
111 Eighth Ave in NYC (housing Hibernia's trans-Atlantic cable, Equinix, Deutsche Telekom, etc)
Day after day I see post after post around the tech web about how horrible the actions are of the NSA but few if any propose a workable solution to balancing both securing and obscuring actions taken to protect a nation, with the public's need for privacy and protection from abuse.
Oversight, oversight, oversight is all we hear yet nothing concrete to describe how the US (or any nation) is supposed to provide security and keep the enemy from monitoring the techniques and actions taken by intelligence services.
Maybe I'm naive but I don't see a way to keep spying (something all nations do and have done for centuries) with the public's need for complete disclosure.
(Note: All fields should take moral responsibility, but engineers seem to be worse than a lot of others.)
Feinstein is a joke and obviously isn't well informed on the subject matter she's supposedly overlooking.
Governments don't like challenges to their power. They will find ways to control the Jedi Council.
As someone working on a start up now dealing with crowd-sourcing/mining data on people/identities and leaving it public, it's very interesting to see the dynamics play out with online services especially with ones that create the perception of walled gardens vs those that position themselves as inherently public and the flak (or lack thereof) they take from privacy advocates and what not.
Wasn't there a Google break in not so long ago?
If anything, I'm actually pretty impressed it has gone on this long without seeing posts on underground forums offering access via cracked/leaked accounts and 0days, in exchange for money. Or maybe it has?
You can tap a fiber optic line without breaking it by bending it such a way that light leaks out: http://www.techrepublic.com/blog/it-security/protect-your-ne...
You have the resources to defend it, if you want to defend. You choose not to in many ways.
So please don't explode in profanity several times a day.