Hacker News new | past | comments | ask | show | jobs | submit login
Project Shield (withgoogle.com)
159 points by ashishbharthi on Oct 21, 2013 | hide | past | favorite | 86 comments



Serious question: what happens if say Wikileaks or Snowden or the next important whistleblower uses this service, and then the head of DHS, FBI, DOJ, etc (not a Court) "gives a call" to Google? Will Google "protect their free expression", or comply with the order within hours, like Amazon did [1]?

Google may have great lawyers and a lot of money, but what if they tell them "hey, you know that tax-free money you're sending to the Bermuda [2]? Yeah, FTC will be knocking on your door tomorrow to ask you about that".

So I guess what I want to know is if Google will actually stand their ground and protect their users till the end by doing the right thing, or they'll "compromise" if the potential cost to their business is too great. Maybe in the past it was easy to believe Google would actually do the right thing, but it's becoming increasingly harder to believe that.

[1] http://www.theguardian.com/media/2010/dec/01/wikileaks-websi...

[2] http://www.cnbc.com/id/101104483


Google has been pretty explicit about the circumstances in which it will hand user data over to governments or law enforcement. Even if it is required to be done in secret (e.g. a NSL or FISA request), it still requires a valid court order or other legal process.

http://www.google.com/transparencyreport/userdatarequests

If you think any U.S.-based company is able to do better, I'd love to hear how.


Snowden mentioned Google as one of the companies that provides direct access to its backend to NSA - meaning that NSA can access information on Google users without needing a court order.

http://www.youtube.com/watch?v=ZLrPquNK1Mc


Which Google repeatedly vehemently denied.

>I’m not sure I can say this more clearly: we’re not in cahoots with the NSA and there’s is no government program that Google participates in that allows the kind of access that the media originally reported. Note that I say "originally" because you'll see that many of those original sources corrected their articles after it became clear that the PRISM slides were not accurate. Now, what does happen is that we get specific requests from the government for user data. We review each of those requests and push back when the request is overly broad or doesn't follow the correct process. There is no free-for-all, no direct access, no indirect access, no back door, no drop box.

We’re not in the business of lying and we’re absolutely telling the truth about all of this. Our business depends on the trust of our users. And I’m an executive officer of a large publicly traded company, so lying to the public wouldn’t be the greatest career move.

http://www.theguardian.com/technology/blog/2013/jun/19/googl... http://googleblog.blogspot.com/2013/06/what.html


Which Google repeatedly vehemently denied.

Probably because they're forced to do so by the authorities, like Lavebit was. So it becomes a question of who you are going to trust: Snowden (who has nothing to gain by lying) or Google (who is required by law to lie about it and risks losing a lot of money if their customers lose faith in them). I know who I trust in this case.


Can you please state what law you believe would force them to lie about it?

As i've pointed out in a few discussions, the law does not (and generally cannot constitutionally) require you to actively lie about something (IE compelled inaccurate speech). It can require you to not speak about something, compel you to speak truthful things (as a disclosure or otherwise), and require you to not tell someone something, but cannot require you to tell them something that is a lie.

AFAIK, Lavabit was forced to not disclose something to their customers, which fits in with what I said.

There are actually fairly important distinctions, legally, between different types of speech, and important legal distinctions between compelled speech and lack of disclosure. So you can't really paint all of these things with the same brush.

(note: The above is about the US, someone asked me privately, and I have no idea, about other countries)


According to 18 USC § 2709 (C)(1) it is illegal to "disclose to any person" [1] you have received a National Security Letter. Likewise, the FISA court order used to gather all Verizon call data bars Verizon from disclosing its existence [2].

I don't have the legal expertise to say whether one would be forced to lie about it, and the legislation doesn't explicitly use the word lie. However, according to someone who received one and received legal advice: "Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case -- including the mere fact that I received an NSL [...] When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie." [3]

[1] http://www.law.cornell.edu/uscode/text/18/2709 [2] http://www.theguardian.com/world/2013/jun/06/nsa-phone-recor... [3] http://www.washingtonpost.com/wp-dyn/content/article/2007/03...


1. As I mentioned, non-disclosure is very different from compelled speech. Compelled accurate speech is even held to a different standard than compelled lies. I have the legal expertise to tell you they are different. :)

2. This person seems to have missed choice b: "Do not comment". They are not compelled to lie, by the very law you cite. They are only required not to disclose. No court has ever held this to mean "lie when asked", rather than "say nothing when asked". If the government went after someone for not saying anything, that would be ... a tough case.

3. I am happy to admit the distinction between compelled lying and non-disclosure is, for some people, no distinction at all, but the law does make such a distinction.


What you say may be traditionally held by non-secret courts, but the revelations so far indicate the secret courts produce some astonishing rulings.

If the chap quoted in the Washington Post article was actively challenging the constitutionality of National Security Letters with the help of the ACLU, that makes me think he would probably have received reasonably reliable legal advice? Don't you think?


First, it is not secret courts who have produced any precedential rulings on the reach of NSL's (at least in the sense of binding any large group of people). It has been normal federal courts. Those that have ruled, have ruled the gag portion unconstitutional.

Here in fact, it says they verified he's the person through publicly available court documents, which must mean it's likely docketed in a normal federal court somewhere (the article pre-dates the FISC publishing their docket)

Second, there are two issues I do not expect he necessarily received reasonably reliable legal advice. The people who participate in these cases are often not specialists, and often not highly knowledgable about the area (especially at this stage of the game, when things get to SCOTUS or something they generally are willing to engage more competent people). They are just passionate.

Past that, he was not quoted, he wrote the piece. You assume the piece is, for example, not using hyperbole. It does not say the government, or anyone else, has actually made these threats. It does not say what legal viewpoint they take that makes them believe this (and again, given the only gag orders to be challenged have all been struck down, it seems a bit out there ...). There are no details or anything else to support or verify the legal reasoning or implications for what he says.

This is an opinion piece, meant to support his case. Reading it as an accurate view of the state of the law is, well, probably not a great idea (I certainly agree that reading it for the chilling effects part, fine. But to take everything he says as if his lawyer said that was the way it had to be, is a bit far)


They could get attempt to fight the court orders in a court more open than the FISC? I'm not sure how this could practically be accomplished, but it would be a good first step towards protecting the rights of users, instead of blindly complying with court orders that Google would hopefully have some moral problems with. I always find it so fascinating that tech giants will lobby for increased access to their services worldwide, but not more secure services here at home.


No they can't. They can fight the court order in FISC, but once the FISC process resolves, they will be required by law to honor the terms of the court order; they could then fight in other courts --- as I understand them to be doing to some extent --- but that would be a post-facto effort.


Probably handle the TOS violation/comply with the law just like Amazon did with Wikileaks previously.


On an unrelated note, I had never seen the withgoogle.com domain before and I did some searching and found all these other projects, initiatives, landing pages, and even online courses:

- Chromebook mobile site: http://us.chromebook.withgoogle.com

- Developer Bus: http://developerbus.withgoogle.com

- Full Value of Mobile: http://www.fvm.withgoogle.com

- Google Analytics Academy: https://analyticsacademy.withgoogle.com

- Google Expert: http://expertbrasil.withgoogle.com

- Google Wallet Instant Request Form: http://getinstantbuy.withgoogle.com

- Mapping: https://mapping.withgoogle.com

- Online Marketing 101: https://onlinemkt101.withgoogle.com/preview

- Royal Baby Congrats Card: https://royalbabycard.withgoogle.com

- Tour Builder: https://tourbuilder.withgoogle.com

- Web Accessibility: https://webaccessibility.withgoogle.com

- YouTube Creator Academy: https://creatoracademy.withgoogle.com

- Your Tour (Tour de France): http://yourtour.withgoogle.com

Non-English:

- http://vpered.withgoogle.com

- http://docchinogame.withgoogle.com/pc/

- http://minchizu.withgoogle.com

- http://ennovate.withgoogle.com

- http://brasilfreewifi.withgoogle.com


My guess is that everything on a .google.com domain requires loads of security testing. This let's them put up a marketing site with out tons of auditing.


Yeah that's absolutely correct. Google has more initiatives than they can produce internally and so a lot of work is contracted to external vendors/agencies, which can have security concerns. The withgoogle.com domain allows Google to host externally-created sites that do not have any access whatsoever to internal user data.


Seems like its just a straight up competitor to Cloudflare. There doesn't' appear to be any direct revenue gain from this, maybe this is more of a mafia protection kinda thing (as in protecting its interests, the websites hosting its ads).

Does anyone know what it takes to mitigate DDoS, at this kind of scale?


I see big time indirect revenue - with all of a sites actions/users moving through Google, they can gather way more (potentially private) information about a user - all the better to sell targeted ads on. Call me cynical, but that was the first thing I thought of when I saw this.


Call me cynical

Cynicism is warranted when it comes to Google. The fact that they gave NSA direct access to their systems; the fact that their Street View cars collected personal information through wi-fi networks, etc. means that "Don't be evil" is just a facade.


Wi-fi networks aren't private, you can stop a "broadcast" of the SSID, otherwise you "broadcast" it (publicly).

It's the equivelant of the the Streetview car capturing 'public property', if you want 'privacy', put up a big fence and don't broadcast your SSID.

As for the NSA issue, I'm not going to defend google too much there, but you've seen what happens to providers who didn't comply... I would put that down to more a 'The US govt is pretty hostile to privacy' more than "Google is evil".

On the scale of 'evil shit' happening in the world. Google collecting my Wifi network name ranks about similarly to 'J-Walking'...


They didn't just collect wi-fi names, they also collected other forms of data, some of which could be considered private. http://www.wired.com/threatlevel/2013/09/googles-wifi-wireta...


Please provide a source for your "fact" that Google "gave NSA direct access to their systems"

As opposed to the multiple vehement denials of that "fact" from Google's executive officers (see David Drummond's interview in The Guardian, for example)


Here's a Snowden video in which he explains it (scroll to the bottom of the article): http://politiken.dk/udland/ECE2108923/usas-spioner-overvaage...


There's Snowden flapping his lips, yes. No argument there. The problem is he's wrong and has presented no compelling evidence at all.

The other problem is your worldview is not falsifiable. Everything Snowden says is true to you and everything Google says is false because Snowden said they would lie about it.


I guess the main issue is that the timeline of events has gone like this:

Snowden/Guardian: NSA is doing X Govt/NSA: We are not doing X Snowden/Guardian: Here are some slide/proof Govt/NSA: Ok we are doing X, but it's for your own good.

Rinse and repeat each fortnight.

So each denial means less and less, and tips believability towards Snowden even where the proof is inconclusive in some cases.


The problem is he's wrong and has presented no compelling evidence at all.

The Guardian and every other major news outlet seemed to think his evidence was compelling.


The Guardian and every other major news outlet seemed to think his evidence was worth publishing. This is the same media circus we decry for unfounded false controversies and double-dealing, such as over the recent US government shutdown.

Not sure what makes you think that journalists are a legitimate authority to make appeals to.


Yeah I mean all those people who were broadcasting unencrypted information loud and clear to literally any device that receives wi-fi packets in the immediate vicinity, they have no culpability in this whatsoever!


Using your argument I could say that if you leave your laptop unattended, it's my right to steal it.

The people who left their wi-fi open didn't do it on purpose, and didn't want Google to access their information.


copying isn't the same as stealing.


This brings up an interesting point.

When referring to "content," (TV, movies, music) it is common for people on HN and Reddit to refer to digital information as something that should be freely exchanged, that ownership is a meaningless concept in a world where creating a copy of something is essentially free. It is common for those who seek to lock down or restrict access to digital information in the form of entertainment media to be referred to as "dinosaurs" who are desperately clinging to an outdated business model and refusing to move into the modern age of free and ubiquitous data sharing.

Then, of course, there is the idea that online privacy is a fundamental right, and that guarding our personal information from both nation-states and corporate interests is of the utmost importance. In this context, those who seek free access to digital information are cast as villains and reviled for using modern technology in a way that doesn't fit with our classical understanding of privacy rights.

I understand that there are multiple people on HN and Reddit and they don't think as one, but I think it's fair to say that both of these opinions fall on the same side of the political spectrum.

I wonder if there's a contradiction here? There's clearly a difference between downloading Game of Thrones episodes and reading everyone's e-mail. But is it a qualitative difference or a quantitative one?


In terms of personal information, it's a lot closer to stealing than copying. Consider the harmful effects of someone having your account login information or personally identifiable information (government ID number, etc).


Yea, so when you give a restaurant server your credit card and they copy all the details off it to use later, it's a) your fault and b) not wrong anyway?


Copying the CC isn't the main issue, using it is.


Why do you need to copy it if you're never going to use it?


If you have a copy and never use it, are you guilty of credit card fraud? The answer is still no.


Private citizens don't have IT staff, so their security is often unaudited. The law considers authorized access via a vulnerability to be similar, conceptually, to trespassing.


Except its not a vulnerability in the normal sense. It's the functional equivalent of playing a private recording with your speakers turned to maximum and the windows open - just in the EM spectrum.

I'm not contending that using that information wouldn't be a crime, but accidentally collecting it certainly should be held to a different standard.


Wow, Google is trying to provide DDoS protection and you figure it must be evil.

Can you think of one thing Google could do for you to think that they are not evil?


Yeah, how about fighting for users' privacy rights and spark an inevitable years-long court battle all the way to the Supreme Court and not taking NSA's bullshit? They have the funds to do so. They're possibly the only company that could stand up to the government in addition to banging enough pots and pans simply by putting up something on their homepage to alert users as to what they're fighting for.

But they won't. Continued and uninterrupted profits are too important.


They do to an extent they can. They fight for more transparency (http://gigaom.com/2013/08/22/google-and-microsofts-plea-on-n...) and fund organizations such as EFF.

You have to understand how US law works. If you are not an injured party, you can't sue the government for it. In other words, Google cannot sue the government for the injury government is causing to you. What they can do, however, is claim an 'injury' on First Amendment grounds, reasoning that their free speech is limited when they cannot disclose that John Doe is being surveilled (and thus John Doe is being injured). They do that with the hope that with transparency John Doe will have the information necessary to sue the government.


Yahoo! did try to fight. If they can attempt I'm sure Google could put an even bigger fight. Not to mention they have money for lobbying in Congress.


Their obligation to their shareholders actually means that their uninterrupted profits are too important.


Google's share structure[1] means this isn't actually the case at all.

[1] http://business.financialpost.com/2012/04/13/new-google-stoc...


That was my impression too.

The simplest way to mitigate a DDOS is to just have way more resources than your attacker. If you're getting hit with 10Gbps, and your site can handle 100Gbps, you're not going to go down. Google obviously has plenty of capacity.

On top of that there are filtering technologies that can block obviously fake traffic or well-known signatures like the LOIC.

The most sophisticated attacks occur at the application level. A Google service would not be able to help configure your install of Wordpress to resist this. But they could probably serve a static cache of your site. Interactive features like login or search would not work though.

Cloudflare does all of these things and more.

The way I read this, Google would not charge for this service. They would select "worthwhile" sites to protect out of the goodness of their heart.

The cynical take is that it is a PR project to help repair their "defenders of the Internet" brand. They built it up with SOPA, but it's been damaged by PRISM.


Did you seriously just accuse Google of "a mafia protection kinda thing"? Seriously?


I'm assuming the OP was referring to a protection racket: http://en.wikipedia.org/wiki/Protection_racket

>A protection racket is an operation where criminals provide protection to persons and properties, settle disputes and enforce contracts in markets where the police and judicial system cannot be relied upon.

Of course, Google isn't threatening anyone with DDoS, (even assuming that they somehow make money of you).

Otherwise though, it's somewhat of an interesting analogy. This is a form of protection (of online property). And you can't really rely on the police to protect you from DDoS. I suppose it would be more reasonable to just compare it to a security firm though.


> I suppose it would be more reasonable to just compare it to a security firm though.

That's why the analogy is not interesting; the use of "mafia" is silly because it implies there's some criminal element to Google's intensions. For example, here's the opening line of that Wikipedia page:

> A protection racket is a scheme whereby a criminal group provides protection to businesses through violence outside the sanction of the law.

The only word this has in common with what Google is doing is "protection". The analogy captures nothing useful that "hiring a security guard" doesn't. But it also captures a whole universe of other implications that are entirely unwarranted and laughably unfair. It's a terrible analogy.

"You're just like a mafia don in that you also drive a car."

I should disclaim that I don't think the offering is above suspicion and criticism, just that the comparison to a protection racket is absurd.


Thanks for clarifying, that's exactly what I meant.


> There doesn't' appear to be any direct revenue gain from this, maybe this is more of a mafia protection kinda thing (as in protecting its interests, the websites hosting its ads).

What? These websites are unlikely to be hosting their ads ("election sites" is one of the examples ffs). It's free while they're beta testing it with humanitarian/similar websites, it may be a driver for people to pay for the Page Speed service in the future when they roll it out to more people although they say they'd like to keep it free for non-profits.

All of which you'd know if you'd read the site rather than making ludicrous comparisons to the mafia.


I can already see the headlines: "Beginning January 1st 2016 Google will discontinue Project Shield"


You beat me to it. My first thought was, "now what sub-industry is Google trying to kill off and subsequently force the resurrection of in a couple of years when their product gets pulled?"


You make them sound like a forest fire.


Guess this is how it's done in the SaaS world? Watch out for repeat of RSS's story -- market got dominated, then the dominating service got plug pulled.

Microsoft really should have patented the `Embrace, Extend, Extinguish' business method back in the day ;-)


2016? You are an optimist.


Based on the wording, technology used is going to be a mixture of IP Anycast (traffic sharding) and cache proxying (serve content through), which is what CF does. Except google has all the cash and resources to throw at the problem without putting a dent on their bottom line.

But the interesting tidbit coming out of this project's going to be the internal packet/traffic scrubbing system they've developed. Will it be commercialized or will it spawn a new startup. So many positive outcomes however it ends up.


NVidia already has something named Project Shield -- although it has nothing to do with this. Wonder if this is confusing enough for a trademark case.


Project Shield was the code name, NVidia Shield is the real name.


Not to mention the S.H.I.E.L.D. Nick Fury will be pissed.


not to be mistaken with… The Shield! http://www.imdb.com/title/tt0286486/


There is Blue Shield (medical insurance company) in US


Isn't it a clear that they set this up to track users to those kinds of sites and feed NSA with that information? Also, they get to control what information they want to let out. Call me paranoid, but I don't trust Google a bit here.


You don't have to be paranoid to realize that information given to a third party can be abused or leaked to other parties. I'd like to believe that most of us are already past the whole "trusting an organization" thing and have already moved on to deciding whether the benefits of using a service outweigh the downsides of said service sharing your information with other people.


If you were really paranoid, you wouldn't post on the Internet where your data traces could be analyzed.


I think protect free expression online is too precious of an idea to be used there. But that's just my opinion.


Every time I see a new google product launch, in the back of my mind I start to wonder when it will be shut down.


"protect free expression online"? and who will protect us from google itself?...


Whoa, interesting Captcha (sorry to go on a tangent). Looks a bit like crowd-sourcing their street-view work (though could of course be sourced from all sorts of other things).


This started last year. Pretty smart usage, in my opinion.

http://techcrunch.com/2012/03/29/google-now-using-recaptcha-...


> Project Shield is an initiative to use Google's infrastructure to protect free expression online

How peculiar. The tech is DDoS mitigation, but the PR focus is on "free expression online", Syrian gas attacks, and evil Iran.

Wonderfully executed. The internet crowd is cheering the "free speech", the government approves of the Middle East angle.

Meanwhile, PRISM keeps working and very few care about it.


How will Google determine which opinions to protect?

As wonderful as Project Shield sounds, there is a fundamental risk of it being undemocratic.


Why won't it protect all sites regardless of content? Isn't that the point of free speech?


No, Google will decide what will be protected or the people that have the power to control Google in these regards.

Content that will certainly not be protected: - Content that violates the Digital Millennium Copyright Act

- Illegal pornography, snuff videos ...

- sedition,incitement

- confidential NSA stuff (you know, because it helps terrorist )


I am not being funny, however, shouldn't this form be https? Or did I miss something?


Kind of a bad name choice with NVIDIA Shield being a popular topic in tech and gaming circles right now.


Good goy, come host your government neglecting data with us, we promise we won't hurt you!


Great! Now the NSA can monitor every dissident of the world without the need to search for them.


Well, that's what Google is all about - providing good search solutions ;).


One more step toward Google creating a complete and comprehensive end to end solution


Which provides GOOGLE with even more connected data points about a user when he/she is surfing the net.


so this is like cloudflare but for people whom google like?


Hopefully this project will come with increased openness about Googles complicity in the PRISM scandal. It would be rather ironic if this ends up protecting free speech everywhere except in America.


It is quite ironic how the country that class itself the land of the free, and home of democracy, etc. exudes no fight for freedom within its own borders. Kinda ruins the whole freedom facade, when freedom is only given when it is inline with the government strategic plan.


There have been protests, haranguing in the news, even an attempt to defund the NSA's metadata collection program which almost passed. What do you expect, molotov cocktails to be thrown at Congress? It's a big country and most people simply don't care.


github needs this.


Wow, what a load.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: