Perhaps, in the end, the NSA has done us all a favor: they have shown us the fundamental insecurity of giving 3rd parties access to our data. With this move, Google and Microsoft clearly believe that there is demand for privacy, and understand that loss of trust has real, possibly severe, bottom-line implications. They act not out of idealism, but out of fear.
The issue, of course, is that if someone wants to talk to me they need to connect with my physical equipment. In a perfect world, people would look me up with a simple IP address, and I'd have whatever services I wish to provide running on various ports from that IP. This machine could be my phone, or a computer I keep in my home. But what's funny is how the modern internet appears to conspire against this extraordinarily simple idea: the first problem is IPv4. There aren't enough IPs to give every internet-connected device a unique IP address, which means NAT, which is, AFAIK, fundamentally insecure when handling inbound traffic. The second is that virtually all internet providers forbid us, in their terms of service, from running "servers". Which brings us to this interesting syllogism:
1. Communication sent through third parties is not private.
2. All internet communication involves a third party
3. There is no private communication on the internet
Until the problems of IPv6 adoption and contractual restrictions on how you use your internet connection are solved, people do not have a viable alternative to using 3rd party hardware for communication over the internet.
Of course, if the "no fly list" is any precedent, the government argument will be something like, "then don't communicate with the internet".
I'm not sure I would go as far as saying it's impossible to have private communications on the Internet.
It's impossible right now for the masses, because they've decided they can trust these 3rd parties. So we never really put much thought into adopting "Trust No One" type of services. But having such services is probably doable, and now that we know these companies can't actually be trusted, perhaps we'll start using them.
Again, the main reason we didn't have private communications through 3rd parties, is because we thought we could trust those 3rd parties. But that has changed now.
> they've decided they can trust these 3rd parties
Most of said masses don't even realize there's trust involved, let alone making a decision on whether to trust vendors or not. They just swallow what's free without much thinking.
Just look at something like the real-estate business. You'd think that realtors would appreciate how much private information is passing through their hands and that they would conform to the privacy protection laws they are typically bound with. And yet, every single one of these retards uses Gmail and routinely emails forms stuffed to the brim with delicious personal info in plain text. How can you realistically expect the masses to do any better?
Companies should not need to store data. They would instead make a connection to your data custodian or even your own machine and then use a 'personal data api' to fetch only the data they need.
Yes, but you can usefully protect point-to-point communications using Diffie-Hellman or similar. You can't if you know someone is decrypting in the middle, even if they are using a common symmetric key that can be recovered by subpoena or NSL.
> Perhaps, in the end, the NSA has done us all a favor: they have shown us the fundamental insecurity of giving 3rd parties access to our data.
Let us not write now as if the Snowden leak effects are at their end. This is the start of whatever changes, good or bad, are going to come.
Especially, if the NSA gets the changes it wants from the situation, talking about the insecurity of a network would become illegal and bad security practices could be papered over. Security experts would be unable to speak openly and clever black hat hackers who kept their mouths shut could likely run rampant.
PR theater. After how these companies reacted to the initial leaks, I can't think of another possible scenario other than the CEOs sitting in a room with government officials discussing the best strategy for damage control, and the government giving them green light to sue. But I guess I'm just stating the obvious.
The EFF report was compiled prior to the Snowden revelations. There is no star rating for "Allowing warrantless access to a user's data in contravention to the 4th Amendment". I should think in the current climate only Lavabit would receive a positive rating from the EFF.
Also, remember the initial reaction of the NSA partner companies when they were confronted about their mass surveillance activities for the first time?
They lied straight to our faces and thought we would just accept that and continue to buy and/or use their stuff.
Please link to the lies. As far as I can tell, the line has always been "we comply with legal orders", "we do not offer direct access", "no one has our private keys/broken our encryption". The only contradiction is people's interpretation of a vague "direct access" mention in a PowerPoint deck.
Microsoft reiterated their position, explained that yes, they review every order, they do not just dump data on all customers over some private link, the encryption is sound, but of course they need to hand over data they do have.
If I'm wrong on this, I'd certainly appreciate a correction.
They happen to omit that they got paid for delivering people's private information to the NSA.
It's one thing to be forced to deliver some kind of information against your will. It's something else if you do it like a shop, providing goods in return for revenue.
Did they deliver private information without a legal order to do so? If they were legally obligated to do something which has a non-negligible cost, they are entitled to compensation. In the same way that you might have to pay for a FOIA request, because it costs money to provide the data.
Yes, if a factory is legally ordered to make a weapon to be used against innocents, of course they should both make it and get paid for that. The law is the law, and it costs money to make the weapon.
If it walks like a duck... The NSA's Bluffdale UT facility is obviously built to handle more than a few thousand FISA requests. More like it could handle a quadrillion such "requests".
How do you know it's just PR theater, and that these companies aren't just trying to legitimately defend their reputation? You dismiss the entire story and claim that it's so obvious, but how can any of us know that right now?
And, in the face of not knowing, why default to an explanation other than what has been given to us?
When it comes to security, your default position should always be one of extreme scepticism. Believing "what has been given to us" is what got us in this mess to begin with.
I understand what you mean, but I'm not opposed to extreme skepticism. It's alternative explanations that seem contrived that I'm opposed to.
There is a difference between extreme skepticism in the face of one story, and postulating hypothetical scenarios that have equal or higher burdens of proof, and are less likely or more difficult to demonstrate.
In fact, in terms of logic, the two are diametrically opposed.
Well it's obviously both. Why are they fighting against it now and not before? Because they fear losing customers. So how do they win or keep the customers? With "PR battles" such as these.
I'm sure they want to win these cases, but they wouldn't do this in complete secret, would they? They want the public to know about it, hoping this way it gets them to gain a tiny bit of trust back.
The time to file a lawsuit was years ago when the programs started. Google and Microsoft are now in the same category of privatized government "partners" as Halliburton and Lockheed.
This goes beyond simple diffusion of responsibility, leaders at Google and Microsoft were complicit in the crimes the NSA committed and did nothing to stop them.
IBM was able to eventually live down its involvement in the holocaust. In today's world there is no excuse for a modern tech company led by wealthy, enlightened people to commit these kinds of wrongs. Ironically, it's as if Google's mantra became "Be Evil".
Such doings (empowering the NSA, IRS, etc. to snoop on innocent people for the express purpose of entrapping them or contriving other evidence) are pretty much the definition of exactly the kind of insidious evil that one would hope to be able to trust its service providers not to engage in.
My prediction is that within a few months as viable open source alternatives for Google and Microsoft services become available, we'll see lots of people leaving their cloud platforms/services.
What makes you think the majority of Google employees had any idea this was going on? We have the testimony of several Google employees who comment here on Hacker News that there was no indication any of this was happening.
Then there's the news report that corroborates this, implying not even the leaders of the companies had any idea.
I mean, again, they could all be lying...but Occam's Razor and all that.
Maybe the world is a bit more random than one in which overarching conspiracies rule everything. Snowden was pretty random, no? He could have stayed put and sold his data, or simply kept his mouth shut, but he did what he did when he did it. There are a lot of other people working there, and none of them were the ones to expose all of that crap. So maybe the people at Google valued their jobs more than doing the right thing. That hardly makes for some big plot.
Your statement only makes sense if you make the logical leap that Google does the things you are implying they do. The fact that none of Google's 100k+ employees and former employees have ever leaked anything of this nature is a strong indicator that it's not actually happening.
But this is the public debate that Snowden called for. The leaks put pressure on tech companies to defend their reputation and when they do, each new development keeps the story going.
What public debate are you talking about? Look around you. Do you see anyone besides techies and the libertarian fringe talking about eternal and perpetual surveillance? I sure as hell don't.
This, Hacker News, is public debate. Don't discount that just because it's not CNN or The New York Times. (Or because pg or his minions can edit/delete content at their whim, which has happened to me before).
As time goes on the less and less reliable I find the media to be when gauging public sentiment. 90% of the people I've talked to about the NSA scandal, all across the political spectrum, have been horrified by the government's behavior. As depressed as I get watching the poor news coverage of the scandal, and the implication that people don't care about it, or are more concerned with "getting Snowden" than what he revealed, just simply talking to people makes me feel a lot better.
> Do you see anyone besides techies and the libertarian fringe talking about eternal and perpetual surveillance?
Just last night, I was asked about the leaks by a 50/60ish bus driver after mentioning I worked in tech - who as far as I could tell, had no particular previous inclination towards privacy activism or technology.
I just had a conference call with one of the clients on a project which he wanted to talk about. He wasn't very keen to share the docs on Google (he is into NDA and all that), but he was okay sharing that on Skype because Skype is peer to peer. The point is everyone who matters enough knows about what was going on to make enough impact on the business of these tech companies. They may not be on the street demanding, but they are mulling over the consequences and alternatives regardless.
Skype specifically refuted that rumor after it came out. That being said, based on everything that has come out in Snowden's documents and other reporting, I now believe all Skype communications are compromised.
They would not be suing if they were expecting any sort of major defeat. It would destroy their reputation further. So yes, they have already consulted with the government on this.
We should expect a very limited amount of carefully parsed information to be revealed as a result of this suit. Nothing more, nothing less.
> Microsoft and Google are to sue the US government to win the right to reveal more information about official requests for user data.
Totally irrelevant, because:
We know for a fact that the NSA has installed hardware at all these companies (Microsoft/Skype, Google, Apple, Facebook, AOL, Paltalk, etc.). They don't need to put in any official requests for user data to get the data.
Furthermore, we also know that 75% of all communication data is being intercepted/covered by the NSA (today! Work in progress...). Why would any official requests for user data be relevant, given these circumstances?
Citation for "the NSA has installed hardware"? Google has explicitly denied this. If they've retracted that statement, I'd love to see it.
The NSA has installed hardware on cables, but that's been known for nearly a decade. Intercepting unencrypted communications isn't much of a feat. It just takes some time and money.
> Another newsletter entry stated that NSA already had pre-encryption access to Outlook email. "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption."
> Microsoft's co-operation was not limited to Outlook.com. An entry dated 8 April 2013 describes how the company worked "for many months" with the FBI – which acts as the liaison between the intelligence agencies and Silicon Valley on Prism – to allow Prism access without separate authorization to its cloud storage service SkyDrive.
Would you honestly believe the NSA would want that from a company like Microsoft but not from a company like Google (whose main activity consists of the collection of data in order to build the most precise user profiles to advance the targeting of their ads = ROI)?
The installations were also mentioned in the slides published by the Guardian, you should read all of them.
I addressed that specific "example". There is nothing in there except spin. Do you think Microsoft should refuse a lawful order that compels them to hand over email?
This also in no way indicates any sort of hardware. Microsoft replied and made it clear they review each order, then comply as required. Perhaps they have a fast review and quick compliance system (if you got as many requests as they do, you'd do the same or close shop).
None of the documents released indicate any sort of hardware installation. Provide specific cites. As-is, you and other folks saying these things are muddying the waters. When the dust settles, it'll be clear there wasn't super-duper decrypto hardware secretly placed all over Microsoft's internal software. Then people will say "oh, they were just lying" and ignore the real issues of oversight, legality, and so on.
>> Microsoft and Google are to sue the US government to win the right to reveal more information about official requests for user data.
> Totally irrelevant ...
Irrelevant only to people who don't understand politics. The NSA isn't asking for cooperation from these companies because they actually need it, but because it provides political cover. In the sh*tstorm that will surely result from future revelations of spying on U.S. citizens, the NSA can honestly say, "These companies cooperated in data collection."
> Why would any official requests for user data be relevant, given these circumstances?
As is often said, you may not care about politics, but politics cares about you.
Damned if they do, damned if they don't. It's really an impossible situation for the companies involved as their actions, as the comments so far state, will be viewed through the biases of the observer.
One way out, to appease the outrage over what happened, would be for a few CEOs to spill the beans on what took place at their organizations. But after they were carted away to jail the company would still be in the situation it was before. Another would be simply to shut up shop in the USA and move somewhere else - but where? It would need to be a country where the intelligence services did not have the capability - end of business. About the only realistic and probably credible response is not to sue but to put a lot of effort into supporting third parties opposed to the situation such as the EFF. Then at least, despite what they were forced to do behind closed doors, the company would at least have a visible position and be seen to be trying to get off the handcuffs put on it by the government.
The tech industry needs to get over this underdog mentality. It dwarfs industries that people regularly claim somehow own the government (e.g. media industry).
If tech companies thought it was in their best interest, they could bury the DOJ in litigation for years and barely feel it in the pocket book. It happens all the time when it comes to other industries that have more balls.
Agreed. I'm always fascinated by how different industries punch above or below their weight in government.
The movie industry seems to more or less own half of Congress, and appears to be able to get industry-specific legislation created nearly at will. Yet total US movie industry revenue is in the neighborhood of $85 billion, which is about half of Apple all by itself, not even counting any of the many other valuable tech companies out there.
Calculate "total revenues"/"added value to society". The bigger this number, the more likely that the industry is heavily involved with the government.
I'm sure it was very tough for them, but this is why I wanted the tech companies to be allied against mass surveillance or censorship in all countries (if they thought getting revealed to the public would cause them to lose customers later). But instead some of them (cough Microsoft), would've much rather shut the door behind Google, in China for example, just for an extra percent in market share (which they never got).
If they would've started standing together on these issues, and get a lot more allies, they could've started to have a chance against the governments' demands for censorship, and try to win the public on their side, too. But no, instead they decided to backstab each other for a tiny piece of the market, thinking it's an "opportunity" to get rid of a competitor, rather than a long term catastrophe waiting to happen.
That's not viable. First, Google's business is built around data. Having unreadable emails kills half the features in Gmail as well as their targeted advertisements. No money and a less useful product means they go out of business (ignoring other products, of course, but I'm assuming you would advocate for similar models in those).
The other option is the government would just force them to bypass their own trust model to give them meaningful access, such as what happened with Lavabit.
I pay for some services from Google, presumably because you can't make enough ad money from free storage. Shouldn't I have the option to pay for secure storage and communication?
As for trust, there is no way you can trust cloud storage. You have to assume it's hostile, or that your data is crossing hostile territory to or from. The security model has to avoid trust, which is what I described: signed keys in a Web of trust, no CAs, and no closed-source clients.
Storage is a little different since there are some things you can reveal about files while keeping them private (filetype, size, last modified time) which are relevant to providers. Email is much more difficult, with the exception of the sender and the time there is very little information that can be provided from an encrypted email. That makes it harder to provide a feature-heavy client. You of course have the option for using something more light weight; Gmail does not have that option, it would be a completely different product and business model.
Using web of trust signed keys is all well and good for techies. How would Google possibly set that up for average folks in a way that they themselves could not circumvent? I certainly could not see my parents working with key pairs unless the vast majority of the work was done automatically.
If you had to compose your own email headers only "techies" could do it. There is nothing about secure communication that is harder, and there are examples of simple, secure systems.
Notes implemented secure messaging (except for that key escrow thing) that was as easy to use as any email client. Skype implemented ephemeral keys for real time communication that was VERY simple to use.
There is no excuse, and it will take less time than a lawsuit to provide customers with NSA-proof products.
Yep...we have no proof of Google or Microsoft being complicit in NSA surveillance.
Despite that, news like this is going to be analyzed in whatever light suits the reader's bias. People are going to argue and say that this is just a fake attempt at saving face, and that it's a conspiracy sanctioned by the government to allow these companies to regain their reputation. Then there are going to be counter arguments citing what the CEOs announced publicly. And so on and so forth.
People will believe what they want, one way or another. Occam's razor be damned.
They didn't really backtrack. Maybe on some kind of semantic definition of "direct access", but not on the whole thing.
They even wrote later from new leaks, how Microsoft was having a "team play" with the NSA to give them a lot of data from Skype, Outlook.com and Skydrive, in an almost "direct access" kind of way:
If by team play you mean they obeyed court orders for interception, well, yes. That article is incredibly deceitful in its wording. "Circumvent encryption" aka "hand over unencrypted data on disk". Using "pre-encryption" sounds intriguing, but it's nothing special and most companies are going to obey a court order versus shutting down. If you had to implement a wiretap, I doubt LE is going to accept you sending them the emails after you encrypt them. Pretty sure if you tried such a stunt, a judge would smack you back since it's obvious you're obstructing their order.
It may be that Microsoft really, really, loves to give the NSA everything, but so far, there's no evidence of anything beyond complying with the law. Just speculation and spin.
But this is what we're talking about here. Those "orders" give them almost unrestricted access to everything they want - for mass spying. All thanks to the so called general "warrants" from FISA.
Does that make you feel any better? I know it's not making me feel any better, because I know there's virtually no oversight, and the fact that you can even get a warrant for thousands or millions of people at once is not right, and quite a disgusting move from the government (regardless of how constitutional it is - there's such a thing as human rights, too).
Microsoft has said there are no general orders to tap everything. There is a huge difference in a rubber-stamp, poorly-audited system, and a wholesale surveillance where Microsoft is giving the NSA raw data on everyone.
Trying to conflate the two for media impact will backfire by making people jaded after they discover the spin being put on things. The info Snowden has released is bad enough as-is (the lack of oversight, the scope, etc.) - there's no need to invent stuff.
The Guardian didn't backtrack but the Post did add some hedging language. Still, PRISM is something. From the reporting so far it seems to be some kind of program that requires technology to be installed at each service provider.
> "PRISM: Collection directly from the servers of these U.S. Service Providers: [...]"
Greenwald's interpretation:
> "The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders."
It is a fact that they don't need individual court orders to obtain communications.
As to "obtaining targeted communications without having to request them from the service providers", here's a quote by Gellman:
> In another classified report obtained by The Post, the arrangement is described as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers.
Regardless of whether it is actually accurate, that is what the NSA documents stated.
I think the whole "direct access" argument over semantics is a red herring and completely irrelevant by now.
> It is a fact that they don't need individual court orders to obtain communications.
Statements like these have no information value unless you back them up. For all I know, you learned this from the "The Guardian" article I just cited.
> [...] allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations [...]
I don't think a statement about having write access to your own hardware pertains to this discussion, even if that hardware is located in Steve Ballmer's office.
I hope these companies aren't delusional enough to think that even if they win this one, and are allowed to say how many NSL's they receive, they would score some kind of "big win" with us, the public.
This will barely register on my radar, if they don't take serious steps in not just fighting the government more aggressively over the mass spying (they should be fighting to declare NSL's and mass data collection unconstitutional, for starters), but also in securing their services end-to-end.
So even if we can't trust them anymore per se (which we won't), we could still probably use their services if they adopt that.
Now that their back is to the wall and their reputations destroyed.... now they will sue.
I think there is a point however where one has to accept the reality of surveillance at this point and that large companies are probably not going to be the best points of resistance. Open source and open infrastructure with strong crypto and chain of custody tracking on keys is what is going to be required in the long run. I am not even sure we can go back to trusting the certificate authorities here and if we can't do that then these lawsuits are way too little way too late.
Trust is a very delicate thing. I feel sorry[1] for these companies; this whole thing can't have been easy to deal with. We can talk could-have,would-have,should-have all day long. Bottom line is right now we've got what we've got. Does anyone on HN have any idea what could possibly be done at this point to rebuild trust? Or is it just completely wrecked? It seems that to trust big internet companies again we have to believe the USgov is trust-worthy. To be brutally honest that's something I cannot see happening without a very real revolution. I'm curious if there's anything else that could restore trust.
Here's a suggestion I read early on in the Snowden-storm that hit HN, and that I thought was reasonable:
If Microsoft and Google are really united and seriously hurting, why don't they each individually (not acting as a cartel) kick the NSA out of their data centers? There may be a lawsuit, yes, and there will likely be a hit to their share value, but it's that same old problem of trading short-term safety for long-term freedoms.
It's a good way for them to put the money where the mouth is. Yes, I'm aware of the "requirements" to allow monitoring equipment; I'm specifically calling for the executives of these companies to engage in civil disobedience. Politicians are famously sensitive to anything that actually gets the attention of the _masses_. Like, shutting down Google due to court-ordered monitoring and Google refusing to comply. How long would the NSA endure such a standoff before backing down with some weasel-words about "coming to an agreement"?
Google at least says that the NSA is _not_ in their data centers, and that there isn't and never was any "direct access". So how can they kick the NSA out if they're not there? Google admits to granting lawful requests for data, such as warrants and NSLs, but this appears to be by delivering the requested data via some non-direct-access means like CD or SFTP. Google is not a telecom and does not have to implement wiretapping like Verizon, etc., so there's no law requiring equipment or access.
Two giants whose revenue streams revolve around knowing their clients' personal business inside and out are suing the government because they want to get paid for turning the information over.
Just like the money PRISM brought to enable the monitoring, now they want per-use or even better regular rents from the government to keep the taps open.
The nice little side benefit is the puppet theater for their customers who still labor under the delusion that they have some shred of privacy with either of these for-profit corporations.
Why haven't they done this before? Because now this looks like damage control; they have to show they care because they are losing money. But too late: compromised services opened a significant area for others. The only question is quality, but quality is also defined by people using those services, and a lot of people want to use something not compromised -> if you ask me, now is the right time to get dirty and do the job.
What needs to happen is for these companies to place an intentionally insecure vulnerability on their website somewhere that leads to a full archive of NSA correspondence. Then sit and wait for someone to hack it and release it anonymously. Remember, according to the CFAA, security doesn't matter, and therefore 100% of the blame falls on the hacker that found it.
If Microsoft really believed they had a "clear right under the US Constitution to share more data" they would step up and do it. Suing for the right to exercise constitutional rights looks more like a cheap dog and pony show to make the public think they haven't completely whored themselves out to the neo-stasi agencies. It's too late. They should get ready for a steady Exodus away from US based technology products and services.