NSA admits listening to U.S. phone calls without warrants (cnet.com)
834 points by declan on June 15, 2013 | 389 comments



Since the modus operandi seems to be for the NSA to suck up everything it can and decide later it seems (wild speculation follows) that the NSA might be sitting on audio recordings of all your phone calls for the past several years.

Can you imagine the number of divorce cases that would impact? Civil lawsuits? Proof of innocence or guilt in a crime?

Hell, get a decade or two of this and historians alone would have a field day with such material.

Oh, and by the way, it's completely fucked.

Back in the day, the FBI recorded folks that they suspected were subversives and it caused a huge stink. People were rightly outraged. It was considered a blemish on the FBI. Now we do the same thing -- only with everybody. And still 45% or so of the population hasn't figured out what the problem is. Amazing.


Part of the book 1984 was the complacence of the lower class. I am not targeting any class here but pointing out that a culture of complacency by division was a large warning in that book that is often overlooked.


It's really unfortunate that most people read 1984 as teenagers (I did). I went back to it as an adult, somewhat expecting it to be a let down. What I found was quite the opposite, there's a lot more nuance in that book than would really be absorbed by high school students being forced to read it.

"The object of persecution is persecution. The object of torture is torture. The object of power is power. Now do you begin to understand me?"


Do not stereotype teenagers. I am merely fifteen years old, and if you take a look through my comment thread you may find more insight than you expected.

Yes, most in my generation are shallow and passive; but that doesn't mean all are. There are some intellectuals on the fringes.


I agree that we should be careful not to stereotype based on age, but your comment made me think of this funny (yet poignant) bit by Louis C.K.: https://www.youtube.com/watch?v=rXcWeFn-YYM

"Older people are smarter, and if you get into an argument with someone who's older, you should listen. It doesn't mean they're always right; but even if they're wrong, their wrongness is rooted in more experience."


That's what I thought when I was 15. It's probably what most academically gifted 15 year olds think.

Go back and read some of your stuff in another 5 years, and then another 5. And tally the face palms. It's a good exercise in humility, something that is often hard to appreciate as a 15 year old.


I went back recently and read some of the stuff that I wrote when I was 19 or 20. I came to the sad conclusion that I am getting thicker and more ignorant with age.


Care to share links to some of these insightful posts?


> Care to share links to some of these insightful posts?

Implying that the writings could only have been online?

There once was a time when we wrote on paper, with pencil and pen, or if you were really well off you had a typewriter.


Hey! I am not that old!

(But no, they are not online as they were essays that I did for school).


"Go back and read some of your stuff in another 5 years, and then another 5. And tally the face palms."

If you could run the experiment the other direction, I wonder how different the results would look. That is, what proportion is "growth" and what is simply "difference".


It would be beneficial for the discussion if you could recall any specific examples of things you misinterpreted or missed as a teenage reader.


For context, I'm 34, and like many around here a bright teenager. One thing that I really missed was story coherency, the careful assembly of motivations, events, themes, and characters into a cohesive whole. I don't even know how to describe my standards for a good story as a youth, but they're wildly different than they are now, and in particular many of the things I enjoyed then I now consider incoherent nonsensical trash. Things like Star Trek Voyager, which I always found weak, but now I can explain that weakness, or Final Fantasy X, which merely slightly bothered me at the time, which I now realize is because it was so bad it managed to penetrate the thick fog of blissful ignorance I was living in, but only a little. On the other hand, many of the original Star Trek episodes actually make a great deal more sense to me now than they used to. (It's fun to read the Blish novelizations of them; without the campy 60s videography and terrible effects, the true quality of the underlying stories comes out more clearly.)

I woke up to this around 25 or so. It was actually Buffy the Vampire Slayer (the TV series, of course, not the forgettable movie) that tripped this for me; I realized I cared far more about the characters than any campy horror show had any right to make me care, and I began to wonder why, and poke into the mechanics of how that was done. That turned out to be a longish and interesting journey.

(I know I've mentioned several media that aren't "reading" here, but it trivially applies there as well.)


I learned two things since I was 15:

1. People are really bad judges of their own insight.

2. It's quite common that what seems to be brilliant insight at the age of 15 is perceived as obvious at best and really stupid at worst when the person is 35.

Also, get off my lawn.


I'm 20 now, and I think I'm smart. When I was 15 I did as well, but now I think I was pretty stupid at the time.

No doubt the pattern will continue at 25.


Related – What Mark Twain Didn’t Say:

When I was a boy of fourteen, my father was so ignorant I could hardly stand to have the old man around. But when I got to be twenty-one, I was astonished at how much the old man had learned in seven years.

http://quoteinvestigator.com/2010/10/10/twain-father/


I hated most literature when I was 18, then magically fell in love with the same novels I hated when I was 24. Still, there is more nuance I can pick up now at 30 with more study of history. If you haven't read the Iliad and a majority of the Bible, then you simply can't understand most of Western literature and those things take time.

It's interesting to see that this is a universal experience. School gave me literature before I was able to appreciate it, and it nearly turned me off to the taste.


The “Knowledge Maps” used by sites like Khan Academy [1] strike me as immensely helpful in deciding what to teach someone next, given what they've already learned.

I think it would be cool to replace the one-size-fits-all required reading assignments with something more tailored. Some way of answering the question, “what book(s) is this person likely to get the most insight from at this point in their education?”

[1] https://www.khanacademy.org/exercisedashboard


My 15-22 year-old selves would never forgive me for the types of music I occasionally enjoy listening to, now.


This pattern continues to at the very least 29.


That's about when it stops. Once you hit 30, it's all about having enough information to regret everything you ever did in life.

Then you just wait to die. Why bother trying to save this mess now?


> That's about when it stops. Once you hit 30, it's all about having enough information to regret everything you ever did in life.

The NSA is on the case! ;)


Forgive me, because I'm sure you are as thoughtful as you say you are - but, as someone now a number of years past their teenage years (and who tried hard to be similarly thoughtful) I would argue that you will be even more so in a decade or two.

I don't dispute how you are now, but I promise you'll be all that and more. And that was the point of the previous poster, I believe.


I'm 16. I agree with the second statement, but I'd like to point out this: if you're in the public school system and you aren't "shallow and passive", chances are good you'll be given hell if you show it. (Or maybe it's just me. I don't know.)

I'm new to the public school system this year. I live in an area that has no shortage of gun ownership and advocacy, and, the weekend after Sandy Hook, I went to the guidance office to express worry that perhaps some connections would be made that aren't really there. (Not about me individually, but about some poor soul that would slip up and get caught in something)

I was called back to the guidance office later that day, only to be told that I was effectively suspended until I could be, and I quote, "Mentally evaluated". It was handled as a "School Crisis", and I was a "Threat to the school".

Lucky for me, my parents acted quickly enough so that the school system's psychologist could be contacted.

It turned out to be nothing.

(This is the third of four encounters like this. I'm fairly certain I have the high score for most school crises caused in a single year.)

What a dangerous and shady person I am.


That sucks, I'm sorry to hear that, but I'll make an observation and you can take it or leave it: You didn't properly evaluate their position and what is expected of them. They are held to a certain standard they may personally disagree with but their careers are on the line. Students have a hard time realizing this.


Apropos is Holmes's psychiatrist over in Aurora, Co.

School faculty have to worry about their own little mini-9/11's every day that a kid walks in worried about a problem, because how would they ever be able to show their faces to the parents again if that worried kid ended up being the 1/10,000 kid that would end up bringing violence to their school, and the school had done nothing?


Stereotypes exist for a reason, they are convenient (and sometimes, highly accurate) generalizations. You are a prime example of another type of stereotype.

In my experience (and I am somewhat older than you claim to be) people who declare themselves insightful, aren't. People who declare themselves intellectuals are usually full of it ("most in my generation are shallow and passive").

You may think you're bright but for now, you are just another type of stereotypical teenager with very limited life experience pretending to know things you simply do not comprehend.


My god, when you are older, you will look back and wish that you pursued the "shallow" things in high school. Some of those experiences are not going to be available at any other time in your life. Being an intellectual is overrated; don't be so quick to judge your peers, many of them are wise in ways that you cannot see.


As someone approaching 30, but with very clear memory of their mid-to-late teens, I will disagree. I did not pursue any of the "shallow" things in high school and I do not at all regret that.

I had only a few high school friends, I neither attended prom nor another school-related party, never joined a sport-team[1]. Fast forward 11-15 years I have great friends (only a handful of whom were my classmates), am engaged to a wonderful woman, and have no dearth of hobbies.

What do I think was most important? Learning, pursuing things that were interesting to me and cultivating a passion for them (note how so many people are in a quixotic search for pre-existing passions, i.e., in a quarter-life crisis?), interacting with older individuals (they took me seriously, did not make fun of the way I dressed, did not mock my accent or my last name, did not beat and otherwise bully me, etc...), taking AP classes as well as classes at nearby colleges (the last two activities opened my eyes to new subjects, taught me to learn, and convinced me to pursue a higher education), etc...

I regret not paying enough attention to academic subjects that I _thought_ did not interest me (in college, it turned out that they interested me a great deal), assuming that I had no chance of getting into certain colleges or paying for them, not cultivating an interest in topics like philosophy or history early enough (sticking to just computing, etc...), not participating in "nerdy" clubs (like robotics, programming competitions, etc...)

Yet on the "social" front I've zero regrets: it is much easier to make friends when you've got more in common with people than a school district boundary; dating is much easier when you're independent (not living with your parents, not reliant on a group of friends for all of your social outings), well read, educated (whether formally or self-taught), and otherwise interesting. I don't feel I've missed anything by foregoing that part of life.

[1] Caveat: if you do enjoy a sport, by all means join a sport team or play intramurally. Just don't play a sport for the sake of playing a sport or for a college resume (universities want well rounded student bodies, but they don't necessarily require that every student be "well rounded").


That's awesome, really. If you feel like you've got no regrets about skipping the typical teenager stuff, then great. I genuinely hope that if kunai continues on the same path that his experience later in life is like yours.


You seem to extrapolate something from his words and then make a judgement. Can you give an example of one "shallow" thing that shouldn't be replaced by "being intellectual" and makes peers "wise in ways"?


I just mean whatever he happens to find shallow. I can't read his mind, I can only speculate. It might be joining the football team. It might be doing donuts in the parking lot. It might be getting drunk at a party and having his first sexual experience. It might be shopping for cool clothing. It might be riding a skateboard. It might be skipping class, getting high, and failing the 10-point math quiz after recess. It might be joining student council. There are hundreds of things to do as a teenager that really have not much at all to do with intellectual activity, but that nevertheless require subtlety and nuance.


Whoa there. You're projecting your own regrets onto him.


Yes, I'm projecting my regrets; it's a useful mechanism for making predictions. I was like that, and I certainly have regrets about high school experiences that I missed out on because I was too busy being intelligent. But mostly, high school got a lot better once I realized that intellectual superiority was overrated and I made an effort to fit in socially. The things I value most from that time are the "shallow" experiences, that I also looked down upon for a number of years.


It's only an anecdote, but when I was fifteen I was very confident in my insights - and two decades later, I have completely different insights. It turns out my fifteen-year-old self was a comical little prat after all.

You might be relatively consistent in your beliefs over time, or you might be like me. Just be aware that right now you can't be certain of either.


Homunculiheaded was not criticizing or belittling teenagers. Notice you yourself acknowledge most teenagers today are "shallow"- consider that Homunculiheaded is not concerned with the exceptional individuals, but rather the larger group. To attempt to illustrate, a question: "At what age ought citizens read 1984, that more of them will see the deeper meanings?"


I looked through a bit of your comment history. You are a freak of nature. You easily rank somewhere in the top 1/10,000th of teenagers, probably in the top 1/10,000th of all people of any age. Your abilities are not generalizable.


I think you're subtly missing the point - it wasn't a comment on current teenagers or even past teen generations, but a comment about how one's perception changes with time. A different story emerges on reading it years later. It is more subtle and deeper than I initially appreciated. This happened to me also, and it completely changed my perception of the book re-reading it 15 or so years later. I may also have missed the point, but that's how I interpreted the comment.


When I was a teenager I was much more convinced of the truth. As the song goes -- I was older then, I'm younger than that now.


And think how much more astute you will be in 20 years.


You will get more insight reading it in another 5, 10, 50 years, true, everyone does, so imagine how much more you will comprehend in the future given your starting point today.

When I was 15, I let 'mature' people stop me from believing I knew anything, and then I was introduced to 'the more you know the more you know you don't know' - it's good advice for anyone who thinks they know everything. But don't ever let it stop you from doing anything, believing anything or especially exploring anything.

If you are gifted, and if you believe you are gifted, look at the future for how much more awesome you will be, but don't forget how awesome you are now.


>Do not stereotype teenagers.

So you can do it for him/her?

>Yes, most in my generation are shallow and passive

You seem very smart - maybe a genius. I've noticed that the smarter people are the more likely they are to denigrate their peers who don't hold the same values. And they're less likely to enjoy other parts of life due to the belief that these things are beneath them. It's not a cool attitude and it will not help you be a happy person.


Just like very strong people aren't usually aggressive, really smart people aren't socially aggressive. Once you get past the point of "I can bash your head in and you know it", there's no use for overt aggressiveness.

Really smart people are helpful, appreciative and generally nice. The almost smart are the dangerous ones.


I completely disagree with you. You're arguing purely off anecdotal evidence and my experience does not match up with yours - for physical strength or intelligence.

Just because someone is smarter or stronger than those around him, does not mean he is confident enough to not rub it in their faces. I've known plenty of intelligent people who are quite aggressive. In fact, it's a bit of a stereotype.


Right, there is something no one here is telling you.

Older people are bare-faced liars.

Why? They operate primarily out of fear. They are scared for their job, business, mortgage, possessions, status, kids (you!!), their investments, health care, etc, etc. But more than anything, they are scared for themselves.

Why? The more you have to lose, the more fear and paranoia you acquire.

The older you get the LESS wise you get. In fact, you become more bigoted, judgemental and finger pointy.

The problems in this world are NOT created by the young. Note how the world's problems get worse as average life span increases.

Only a few actually manage to avoid this. Note how they are repeatedly referenced here and other places.

The young are free to think freely because they have less to lose.

I'm 40. My life is over. I see a world that is a total mess. I want you and your generation to fix it. Not for me, my useless generation and the useless generations before me. Forget us. Do it for yourselves. You see the disaster, correct? Get your generation together and create the world you need and want. Your generation, like no other generation, has the tools to do it. So, to quote bloody Nike, JUST DO IT.

Best of luck. I'll keep a look out for you.


When I was younger, nobody did as much for me as Noam Chomsky (information) and George Carlin (not going insane over said information) when it comes to these things, and both were way older than you are now.

I agree that there is a lot of potential and purity in youth, even in its follies. But I would like to point out that some people are kinda dead in spirit even when they're young, and some old people are rather lively up to the very point where they fall over and die... and urge you to not give up on yourself that easily. The very fact that you're this frustrated and outspoken means you ought not to. How alive you are is not JUST a function of your age. So stay alive, become more alive, pass it on and thanks.


Oh please, your comment is just as cringe inducing as the one you are responding to. 40 isn't even that old and you are talking like you are on your death bed, it's embarrassing. The world has, is and will be shaped by people of all ages, your ages are not your primary limiting factors here.


You're not disagreeing with the parent. He's making a generalization about teenagers, not claiming a universal truth. I think you got needlessly defensive.

For what it's worth, I've been quite impressed with your post history to-date (and today is not the first time I've taken notice).


Ah yes, don't stereotype teenagers, just the "shallow and passive" ones! You know, the other people. The ones who aren't here. Where we are.


Meh - your comment history is relatively sophomoric.


I had no problem understanding the many nuances of 1984 the book, and that was over 35 years ago.

I also had no problem seeing a problem with the central banking system and fractional reserve lending.

Perhaps you disliked "being forced" to read classics, but many of us contemplated these writings thoughtfully.


You may find there are even more nuances now that you have those additional 35 years under your belt, who knows...


The complacence of the proles in 1984 was carefully engineered - they were fed mindless entertainments (songs, novels, porn) and ruthlessly culled of anyone who appeared to show political awareness.


Indeed all states derive their power from the consent of the governed, do they not? What would have happened if even a third of Iraq decided to ignore their government under Saddam? The government couldn't have responded. Governments work because we agree to do what they say. Now things like drones centralize some of the power in ways that could not be done before but only to a point and the complexity overhead counterbalances that.

Complacency is how tyranny works everywhere and in all ages.


>Complacency is how tyranny works everywhere and in all ages.

I think your point specifically about Iraq is largely likely to be correct, but I have never been able to swallow this argument, which comes up just about every discussion of tyranny I see/hear.

A fundamental component of true tyranny is violence or an immediate threat of violence (as opposed to the somewhat more abstract monopoly on force that democratic governments have). At the risk of sounding trite: it's easy to call people complacent in the face of a tyrannical government when it isn't your family that will be the target of that violence. Resisting a strong and deeply rooted tyrannical government is not for the faint of heart or those with precious things to lose. To say those that don't give up the tenuous stability they have to attempt to foil the will of the government are complacent is dangerously close to shifting the blame on the victims of abuse.

I suppose it would be fair to say that in any tyrannical state that many are, in a way, resigned to their fate. For most people in that situation anything besides begrudging acceptance of the way things are is not far from suicide. In the case of the US I would wholeheartedly agree that apathy is a huge driving force behind our government taking power it should not. Implying that's how it works everywhere and every time seems very unfair.


It's not just that though. Tyranny usually works by doing three things:

1. Threatening violence against those who oppose them.

2. Propaganda purporting to show the exceptional nature of the dictator. North Korea for example portrayed Kim Jong Il as a genius mathematician, philosopher, writer, and much more.

3. Socially isolate resistance and ensure they cannot talk to each other. This takes many forms, but in Iraq for example, a lot of effort was spent fomenting conflict between various small groups in Iraqi society.

The goal is an environment where nobody can effectively oppose not just because they are afraid, but because the images of the grand dictator are so prevalent and everyone is so preoccupied that organized opposition is just not possible. The result is that as soon as folks stop being complacent because organization becomes feasible, the dictatorship falls.


Having just watched yesterday's RealTime (Bill Maher's show) as well as the mainstream news coverage of the week, I have finally come to the conclusion that no significant number of Americans has a problem with living in a surveillance state, not even the host and guests on a faux liberal talk show.

Except when I'm on HN, everywhere I go there just are no people who see anything fundamentally wrong with the entire premise, so I think saying that only 45% don't care is a very low-ball estimate. From the look of things, it's more like 95%.


I saw that same show and I was similarly disappointed with it. However, my impression was that all of the guests and Maher himself were under-informed. Possibly even misinformed because there were echoes of talking points "Snowden is neither a hero nor a traitor." "Hong Kong is, after-all, China," "Snowden is delusional," "Snowden is a publicity seeker" etc.

Last week, when the story first broke, Maher was ambivalent about it and he justified his ambivalence by focusing on nuclear weapons - as in because nukes can kill so many people the risk is just too great so we need to do everything and anything to stop them.

Obviously he didn't know enough about the situation to understand that dirty bombs are the only nukes that it is even plausible to consider being used by terrorists (rather than foreign governments) and that dirty bombs are all about the dirty and not so much the bomb - fallout over a couple of city blocks and not an explosion that could destroy a city Hiroshima style. Still enough to kill hundreds, maybe thousands if an attacker gets everything just right, but not the existential threat that obliterating Manhattan would be.

I'd like to see Greenwald on his show, Greenwald did a pretty good job of calling Maher on his BS regarding the Arab Spring the last time he was on there. Since he's right in the middle of this story I'm sure he'd do even better.

The only "liberal" group I'm particularly disillusioned with is mediaite - everything I've seen from them on the topic has been despicably underhanded apologisms.


Few men want to be free; most just want fair masters.


A great quote from Sallust, a statesman of the Roman republic. Specifically, he lived toward the end of the Roman republic.

Another quote of his that seems applicable here:

"Yet many human beings, resigned to sensuality and indolence, uninstructed and unimproved, have passed through life like travellers in a strange country."


"Except when I'm on HN"

Very possible that there are people on HN that don't care as well. But because of the overwhelming amount of people who make their opinions known who do care, it would be karma suicide to admit otherwise except in the most delicate terms. Even if you don't need or care about karma points it generally doesn't feel good to have people load up on you.

I wonder at what point any issue within a group gets so lopsided in one direction that dissent almost never materializes. It becomes viewed as "so bad" on its face that people rarely speak in favor of it. Or you have to walk on eggshells to even discuss the other side.


There are a few, I've seen their posts here and there, and they do seem to get downvoted pretty severely. It's unfortunate, not necessarily because I agree with them but everyone has the right to at least make their case.

That seems to be one of the downsides of the karma system - when a population of high karma users tend towards a certain point of view it creates social pressure for others to reinforce the orthodoxy. It doesn't help that once you get the down arrow, you're free to simply downvote opinions you disagree with rather than engage the poster.

I've wondered once or twice whether karma shouldn't be publicly visible anyway. After all, one should be able to judge a post on its own merit without having a measure of the posters' relative popularity to tell you how much you probably should agree with them or not.


"without having a measure of the posters' relative popularity"

I would add also that I'm sure there are people that don't realize that a high karma score can come not only from comments such as you describe but additionally simply because someone was the early poster of a story that got voted up.

So in a certain karma range we don't know how many points are from that vs. from agreement with a comment. (My guess though is that as karma increases most of it comes from comments and activity that is not related to posting a popular link).


The most karma points I've ever gotten from one post are from a pun I made about Google's balloon network thing.

It really does seem all but meaningless, and yet it seems as if the whole culture of this site is built around farming it and gaming it.


I am vacillating.

Fundamentally, I have a great deal of sympathy for the security services, understand the difficulty of the job that they have been tasked with, and can see no other reasonable way of achieving the goals that they have been set. However, my opinion flips and flops back and forth as I read each new revelation, get caught up in the moral outrage of the crowd, write something incendiary and provocative, then sit back, think a bit, and regret (maybe) being so rash.

But then again ... I understand all too well the tremendously vulnerable situation that the general population is in with respect to the state, and comprehend the risk of abuse, not so much from individual analysts or the current administration as much as from the opportunistic acts of a future administration.

But then again ... It is foolish to expect answers to come easily when the questions themselves are so difficult, so it is natural to strike out in the wrong direction a few times before finding a good path.

As a former member of the diplomatic community living in the US, I am (now as then) almost certain that the NSA were recording all of my telephone calls and internet browsing activity, as well as bugging the apartment in which we lived. It did not then and does not now stop me from browsing for kinky porn, having massive stand-up arguments with my wife, and emailing the Samaritans about wanting to commit suicide. (TMI, I know, sorry - but they can only hold something over your head if you want to keep it a secret).

I chose not to care then, and I have to continue choosing not to care. (Not a decision one can undo easily, anyway). Living in a glass goldfish bowl or not, life goes on; and perhaps the best (or least worst) thing that can come out of all of this is that we become a little bit more honest about human imperfection and fallibility - I do not think that I am alone in being an imperfect, flawed human being.

Perhaps if we stopped pretending to be perfect (or at least not-as-deranged-as-we-really-are) we would be somewhat less vulnerable to those who would seek to exploit the information imbalance.

So, I guess I do not care about them invading my privacy, because that boat sailed a long time ago. I do care in principle about them invading everybody's privacy, because of hypothetical future abuses. I think that at least some of the potential for abuse can be blunted by being more open and honest with ourselves, and by coming to terms with our own failings rather than trying to hide them.


> I think that at least some of the potential for abuse can be blunted by being more open and honest with ourselves, and by coming to terms with our own failings rather than trying to hide them.

I thought the same for a long time. Then I moved - ironically - to the "big city" (actually, it's getting smaller by the year, but it was second largest in my country some years ago). I thought that living in a big apartment building would give me anonymity and that I could do as I pleased, without being a subject of neighbours' surveillance. I was wrong. It took them literally a week to learn that I'm not frequenting the mass in a nearby church. That meant, to them, all out war; I had lived there for a few years, but then I had to move, because I realized that damage to my mental health is just too great.

I'm sure there were some normal people there and that they didn't care. OTOH there were a few old geezers who made a hobby out of bullying others. The point is that you don't care about what people know about you only until they start hurting you because of what they know. Then you wish they didn't know in the first place. You may even be correct that the majority of people wouldn't care about you and your own life, but there probably will be someone who will care, and who will make your life quite miserable.


I have to admit: I am having difficulty parsing it all; and this difficulty is not limited to the current media circus around PRISM.

For example:- last year I heard my grandfather-in-law admit playing a part in a massacre, which I am pretty sure is this one, 60 years ago: https://en.wikipedia.org/wiki/Lari_Massacre. The story was coming via a translator, so I am not sure of the details, but I got the vague impression that he was one of the organizers. What do you do with information like this? How should I feel? Mostly, I feel confused. Ironically, my wife was working with the FCO legal advisers when the survivors of abuses committed during British rule originally sued - (http://www.guardian.co.uk/world/2013/may/05/mau-mau-victims-...). Funny how the tentacles of past misdeeds reach to the future! Perhaps blown by that ill wind of legend?

Moving on to more contemporaneous misdeeds, when I bore mute witness to the UN happily paying off drug dealers in West Africa: http://reliefweb.int/report/guinea-bissau/un-peacebuilding-f... ... not that the alternatives were any prettier, but still: When you deal with all the evil and mess of the world, you get a bit tainted yourself. As per my grandmother's folksy aphorism: "When you throw a glove in mud, the mud doesn't get 'glovey'."

Compared to all the evil that is out there, PRISM seems pretty sweet and innocent - and, to be honest, the revelations were hardly a surprise since the (phone metadata bit) was leaked (or obliquely hinted at least) to me over 12 months ago.

So: I think my sense of unease is more strongly related to our collective capacity for evil than anything else.


Funny thing that, our innate capacity and inclination towards cruelty. Humans are evil; 'tis our very nature.


Bill Maher has a vested interest in seeing Obama not be made a fool.


What are you talking about? Maher criticizes Obama all of the time...and he gets lots of flak from liberals because of it.


It's important to keep in mind that our national histories color what these words mean to us and what we think the implications are.

Another example of this is the massive paranoia in Germany about Streetview before it came out in that country. That one seems to have been unwarranted.


> the NSA might be sitting on audio recordings of all your phone calls for the past several years

I believe you would be interested in Laura Poitras (Snowden advisor and documentary filmmaker) and William Binney (NSA code breaker who designed some of this software and then got a friendly FBI raid-at-gunpoint and who spoke at the same DEFCON as General Alexander). Specifically, Snowden watched Poitras's documentary about Binney, The Program, before seeking her assistance in learning how to live the surveilled life:

http://www.nytimes.com/2012/08/23/opinion/the-national-secur...


I recall some months ago a seemingly fairly technical and generally informed commenter -- here on HN, I believe -- laying out their back-of-the-envelope calculation of what it might take to archive all the U.S. voice traffic.

The resulting figures were currently readily achievable, and they became increasingly... "trivial" (my interpretation) with the already announced and in progress data center expansions.

And here, in this article, we have a description of Brewster Kahle coming up with what is truly a trivial dollar amount to accomplish this.

It's increasingly apparent that there is probably no technical limitation to their accomplishing this.

The only question remains, is any other limitation stopping them?


A phone call can be compressed to 10 kbits/sec or less given a good speech codec and still be understandable, if not of very good quality. That means that if you are on the phone 20 minutes every day, it will be around a half a GB per year.

If every American is on the phone that much, it will be a bit less than 143 petabytes a year, or about 36000 4GB hard disks. That is a bit, but the datacenter in Utah presumably has a capacity of a yottabyte, or nearly seven orders of magnitude more than what is needed to record all phone calls for a given year. They would have capacity to store all phone calls for nearly a million years if the yottabyte figure is right.


The "yottabyte" estimate is absurd, but individual scientific computing centers have about half an exabyte of storage, so the NSA wouldn't have the slightest trouble storing a few exabytes (some GBs per person per year).

In contrast, total IP traffic is in the tens of exabytes per month [1], but much of it is re-transmission of content such as movies, that the NSA is not interested in storing. I wonder what sort of steganography detection they have in place.

[1] http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/...


> it will be a bit less than 143 petabytes a year, or about 36000 4GB hard disks

4TB hard disks, you mean ... But why stop at Americans? It's obviously feasible to record all phone calls made anywhere in the world, forever. Hooking into large network operators won't be such a big problem either.


I tracked down the yottabyte claim to, what I think is, its origin and it seems to refer to raw uncompressed data.

http://www.nybooks.com/articles/archives/2009/nov/05/whos-in...


You can record GSM encoded (9600bps) voice of all Americans 24/7 for a year and still only fill up a couple of percent of the speculated storage capacity of the NSA's new Utah data centre. I don't know how long the average person spends on the phone each day, but clearly recording the phone calls will be just a small fraction of that again. So keeping a few years of recordings of all phone calls they can get their hands on would not be a storage problem.


The real problem is that once a government program is started, good luck shutting it down. Look at the GITMO detainee program.


Correct. If there's one thing that governments are good at, it's storage. Long term storage.


It really is appalling that this isn't more rejected. A couple decades ago impeachment, resignations, firings would happen. Everyone thinks about how this affects us now, how will it affect everyone decades from now? Pretty soon warrants won't be needed at all because Executive Orders override them and are 'legal'. We may as well just remove the 4th amendment since everyone is so scared and complacent.


Blasphemy. We've always been at war with Eastasia.


Why would anyone resign when almost the entire Federal Government is behind this?


If they were obtained without a warrant, wouldn't they be inadmissible as evidence, especially if they were being used in an inculpatory rather than exculpatory manner?


The government lawyers' opinion is that they can later get a warrant to access the data, long after it was recorded (see the whole discussion on "collect" meaning to take a book off the shelf and read it). They also seem to think it's ok to datamine the recordings as long as it's done anonymously.


And in fact I'm willing to bet that explains the divergence of opinion that the Senator noted in the linked story.

He probably was told in his classified briefing that NSA could record and collect phone calls without a warrant.

Mueller, on the other hand, would be talking about actually tapping into that data, which would need a warrant.

I'm not sure I buy the argument that you can record a phone call without a warrant just because it's using VoIP or some equivalent instead of a physical wiretap, but it does sound similar to the other arguments that have been made to collect data for later analysis by warrant if necessary.


How quaint, assuming there would be a trial with evidence and everything.

What makes all of this horrifying instead of merely troubling to me is the corresponding destruction of the idea of a writ of habeas corpus.


It doesn't need to be used as evidence. They can threaten to reveal things and blackmail you, leak to the press to discredit you or use it to know when and where to raid so that they can catch you red-handed.

If they do go to court it gives them a list of witnesses and the ability to blackmail them into cooperation.


There seems to be a lot of legal niggling regarding that, obtaining the data itself is perfectly well within all legal avenues -- including indexing it and organizing it into whatever manner -- however querying the resultant database is quite restricted (with apparently many levels of oversight).


Unless I'm mistaken (IANAL), they can still be used as exculpatory evidence.


Most Americans don't care. They are too busy on Facebook or playing games on their iPhone/Android, taking pictures of themselves in the bathroom, etc.

The Native Americans gave their land away for beads. Modern Americans give their constitutional rights away for electronic gadgets that they can play with.


Native Americans on the whole didn't give anything away. They had their land taken by force and by disaster.


'The Native Americans gave their land away for beads.'

This is one myth sold to us in school. The tribe that sold the land for beads did not own that land. It was the territory of another competing tribe. I will sell you Russia for $20, right now.


That 'might' seems much more like an 'is'. And they seem to be sharing that information with foreign governments as well.

As an aside, why is Silicon Valley not much more worked up about this versus say immigration acts? This seems to be more important than the immigration bills they are pushing. Talking about misplaced values... Thinking of more ways to make money while Rome burns.


Enjoy our brave new world.


There's something sick and wrong in the semantics of how the laws have been interpreted here.

The authorities seem to have decided that they can record anything they want, any time they want. The legal boundary is only crossed when somebody listens to the recording. So it is fine for them to slurp up every bit of data they can tap into and then retrospectively figure out which bits they were authorized to listen to (with almost no oversight, as indicated by this article).

But most normal people don't interpret privacy that way. They consider the act of recording without consent the violation of privacy. The listening afterwards compounds it, but the power of the third party comes from having the conversation recorded, not the listening.

This misinterpretation of privacy is a subtle but deliberate and totally corrupt act by the authorities.


Here is the video clip from General Alexander's congressional testimony three days ago, where he stated this was not happening:

http://youtu.be/ZmBAxEWxDFs?t=1h29m50s

It's not clear to me whether they were sworn in for this hearing or not, but if this new report is true, then this seems to be at least the second documented case of an exposed lie about the scope of surveillance during congressional testimony.

The first, of course, being Clapper's "not wittingly:" https://www.youtube.com/watch?v=T9ss2_0emOY


He might be interpreting the claim as being that Snowden could do that, which is, of course, false.


I don't follow your "of course, false". Maybe Snowden really could obtain wiretaps of federal judges and the President, either because he was given the discretionary permission to do so in the course of an investigation, or they were available to him with a little trivial privilege-escalation.

Alexander might have meant Snowden wasn't supposed to have that capability. Or that Snowden had it but wasn't supposed to use it that way, so he "couldn't" do it under the law (but could in practice).

It's hard to say; the testimony has often used obfuscatory weasel words and conveniently shifting definitions, and the avuncular grandparents in the Senate aren't exactly vigorous in their cross-examination.


What everyone misses about the comment on wiretapping the President is "if I had a personal email." There is no reason, none, that the President's Yahoo Mail account would be different from anyone else's Yahoo Mail account, so it's reasonable that that could be tapped without special permission. His statement did not preclude controls on tapping White House or other .gov emails.


We need to hear what the NSA's version of listening is. Do algorithms parsing streams count as listening? Or only when a human sees it/hears it?


They could have algorithms transcribing the sound into text, focus on keywords, show the text anonymized to analysts to check whether there's something there, and still claim they're not directly targeting or 'listening' to someone so can do all of that without a warrant.


This is a very important point. NSA's definitions do not track common English usage.


Does it matter?

Just the copying and storage of the bits today is laying the groundwork for any imaginable abuses in the future.


What about, it's observed when its wave function collapses :-P


Which is why they are keeping the interpretation secret.


So that's not good.

You can see how that could be happening; NSA has trunk-level access to telephony circuits. Telcos are engaged in a long-running game of footsie with the government that makes billion dollar Internet companies look like anarcho-capitalists.

But I'm not seeing how we get from there to the contents of email. To have the email of arbitrary Americans without a warrant, the NSA would need direct access to the servers that run Google Mail. They do not have that access; Google has categorically denied it, and the Guardian walked the claim back. The "optical splitters on the Internet backbone" thing doesn't hold water either; most people need to go through some effort not to use strong crypto when communicating with people using Google Mail.


"and the Guardian walked the claim back"

No they didn't.

"The Guardian has not revised any of our articles and, to my knowledge, has no intention to do so. That's because we did not claim that the NSA document alleging direct collection from the servers was true; we reported - accurately - that the NSA document claims that the program allows direct collection from the companies' servers. Before publishing, we went to the internet companies named in the documents and asked about these claims. When they denied it, we purposely presented the story as one of a major discrepancy between what the NSA document claims and what the internet companies claim, as the headline itself makes indisputably clear:"

http://www.guardian.co.uk/commentisfree/2013/jun/14/nsa-part...


I'm not interested in the semantic argument. Emily Bazelon called The Guardian out this week on the Slate political podcast, as have many others; this is now a mainstream criticism of how The Guardian reported the story.

Either way: the original notion that NSA had direct access to the servers that actually operate Google Mail has been found to be unsupported by the evidence published thus far.

I call this out continuously and obnoxiously on HN because it is very much not the mainstream view on HN; most of the people commenting on the NSA story on HN say things that make it clear that they believe NSA continues to have the direct access to Google's systems that Google and the Guardian say they do not have.


> most of the people commenting on the NSA story on HN say things that make it clear that they believe NSA continues to have the direct access to Google's systems

You're mincing words. Your comments clearly indicate that you think "direct access" unambiguously means "access to servers that run GMail that the NSA can snoop on any time they like." But from what I've seen, most comments on HN adopt and acknowledge a more ambiguous definition.

The one you propose is the extreme. But other definitions include an interface for the NSA to request data and have it deposited in some "drop box" that can then be accessed by the NSA (all without a warrant). It's reasonable to call this "direct access", particularly if the audience is not tech savvy. (Which is something we don't know.)

Moreover, most folks here seem painfully aware that "direct access" really hasn't been qualified. It seems reasonable your definition isn't really true, but that doesn't mean the Guardian's reporting is incorrect. (The Guardian never put forward a precise definition---either because they didn't have one or were unwilling to release it.)

Personally, I think you are attributing way too much certainty to the HN crowd.


The process as I understand it:

* NSA (or some other USG agency) issues a directive to the provider under authorization from FISA. No court order is required for NSA to issue directives under FISA.

* If the provider is Google, Yahoo, or Facebook†, that directive is reviewed manually by the provider.

* In at least the case of Yahoo, where this step is supported by court documents, but probably all the other cases too based on provider public statements, the provider has the option of refusing to comply with the directive, at which point they send lawyers to FISC.

* For all intents and purposes USG never loses at FISC.

* Some process happens at the provider in which data pertaining to the directive is collected, marshalled into some kind of bundle, and placed on a secure drop box server ("similar to an FTP server"); it is NSA's access to these servers that "PRISM" refers to.

If you're telling me that this is the understanding most HN people have about what "direct access" means, I'd direct your attention to this very thread to rebut that argument. I'm accused upthread of "mincing words" but would respond by arguing that any attempt to characterize the process in this post as "direct access" is a much finer mince; a brunoise of words, if you will.

† Because those providers have publicly stated that.


Still arguing with the NSA over their own capabilities?

I'm actually curious how you rationalize this worldview given the bizarre news over the last few days that the Fed is insisting on burying NSA FISA requests among requests from every other law enforcement agency when reporting statistics?

Leaving aside the point that aggregated and anonymized information seems to pose absolutely zero security risk and should not be classified in the first place, there seems a fairly obvious reason for the move that contradicts at least one if not more of your assumptions above.


See what I mean? This is the kind of comment that makes me think most HN people commenting on NSA think NSA has direct, unilateral access to Google Mail's servers --- as The Guardian (incorrectly) reported.


I don't see how you can possibly jump to that conclusion. But if you don't want to analyze the question from the position of the NSA (as you should be doing), then you are welcome to personalize it. So reiterating the question, which of your assumptions listed above do you think I suspect are wrong based on the kerfuffle over statistics reporting?

Put another way, why on earth does NSA seem to care so much about aggregating its FISA requests with other law enforcement agencies when reporting statistics to the public?


I'm having a hard time parsing your question but can I ask a different one: do you disagree with any of the bulleted points in my comment above? I don't want to waste a lot of time petulantly agreeing with each other.


Yes. My suspicion is that your first two assumptions are incorrect, and that (1) FISA requests are not personalized under PRISM, and that consequently (2) there is no manual review or check against the abuse of power by providers on an ongoing basis.

This is the only reasonable explanation I can think of for why the NSA would be trying to hide its request volume in the larger volume of overall requests from law enforcement: an attempt to massage the average user-accounts-compromised-per-request downwards when reported to the public. If there are any other explanations you can think of for why it matters how the aggregate statistics are reported, I would be curious to hear of them.

And obviously, abuse of the FISA process renders splitting hairs about what constitutes direct/indirect access meaningless. FISA abuse plus an automated dropbox provides exactly the sort of data access that Snowden and the NSA repeatedly insist they have, while reconciling Google's claims with those of the NSA.


I don't understand the (1) and (2) thing. What does it matter whether the requests are "personalized"? In fact, I think they probably rarely are; you can look at Facebook's numbers to see the aggregates suggesting that most requests are for sizable numbers of accounts, not just one.

My point isn't that NSA's FISA directives are surgical; like you, I doubt that they are. My point is that upon receiving them, a lawyer at Google approves or rejects them, not a SQL query.

If you read all my comments on this whole annoying story I think you'll find that I'm rarely (maybe never?) sticking up for NSA, but I am happy to stick up for Google anywhere that I can. Google is actually (in this instance) fighting for your privacy, and then getting shellacked on message boards like this; what's worse, they're prevented by the USG from explaining what's happening. They're being equated with companies like AT&T, companies that appear to be sharing bedding with NSA. That belief is wrong, it's unfair, and it's counterproductive.


> If you read all my comments on this whole annoying story

Your comments have repeatedly attacked the credibility of whistleblowers, derided their claims as factually and technically impossible, and asserted that NSA statements about NSA capabilities are wrong.

> My point is that upon receiving them, a lawyer at Google approves or rejects them, not a SQL query.

I don't think Google has much say in this, but what do I know? Only that your assertion otherwise is in open conflict with claims by Snowden and the NSA officials who have briefed Congress, both of whom tell us that authority over which targets to tap is in practice delegated to security analysts.


> Your comments have repeatedly attacked the credibility of whistleblowers, derided their claims as factually and technically impossible, and asserted that NSA statements about NSA capabilities are wrong.

I'm glad I'm not the only one who's noticed tptacek's tendency to defend "The Establishment" at every turn, whatever naughtiness comes up. There he goes again. I wouldn't be surprised if he had some ties to the government.


Not sure what you mean here by the establishment. I see him defending Google, and rightfully so. I think Google is one of the few companies who have been fighting for the privacy rights of users. It would be a shame if other companies saw the effort Google puts into this, only to be tarred and feathered for something they might not be guilty of. Those other companies might decide it's not worth sticking their neck out for users.


> I think Google is one of the few companies who have been fighting for the privacy rights of users

...While happily shitting on their privacy behind their backs by giving a copy of all their communications to the NSA? That kind of "fighting"?


For fuck's sake. So you don't just disagree with (1) and (2), but with the whole thing. Why not just say that?

Yes, to whatever extent that slide deck said NSA has direct access to the servers that run Google Mail, I am arguing with the slide deck.


Two days ago you were arguing with a slide deck. At this point, you're also arguing with an NSA brief of Congress and numerous public statements by members of Congress.

Swearing at me isn't the solution in any case. If you want to stop taking flak on HN, you should stop attacking the credibility of whistleblowers on the rhetorical basis that you know more about what the NSA is doing than the NSA does.


No. You're making an unfounded assumption, which is that the interpretation Glenn Greenwald and Barton Gellman took of that slide deck --- an interpretation Snowden appears to share --- is also what NSA believes to be the case about their access to Google's servers.

It does not follow logically that because one interpretation of an NSA slide deck is that they have direct access to the servers operating Google Mail that that's the only reasonable interpretation of the slide deck. In fact, in the week since we found out about the deck, it's looking less and less and less likely that the original interpretation is reasonable at all.

I don't mind flak (as I'm sure you can tell), but I do mind being drawn into unproductive discussions; when I asked if you disagreed with the post I made above, and you disagreed with only a small part of it in one comment but then the whole premise of it in a later comment, I got frustrated, because why take the time to reply to your comments if you're just going to move the goalposts around?


Honestly, I don't really care about the "direct/indirect" distinction that bothers you: the only real opinion I have on that point is that if Snowden and some anonymous powerpoint junkie can reasonably characterize their access as "direct", then arguing over whether it is in fact "indirect" from some arcane technical perspective is a waste of time.

> when I asked if you disagreed with the post I made above, and you disagreed with only a small part of it

But I don't disagree with your third through fifth statements. I suspect you're wrong to assume that (1) the FISA process is providing reasonable judicial oversight over requests and that (2) providers manually review the appropriateness of individual data requests. As far as the rest goes, this statement of yours is the core point:

> It does not follow logically that because one interpretation of an NSA slide deck is [X] ... that that's the only reasonable interpretation of the slide deck.

Assuming you believe this, I do not understand why you are so hell-bent on attacking Snowden's credibility and dismissing the concerns many other people have raised about excessive surveillance. There are clearly reasonable interpretations of the released materials which make his statements (and those of the NSA and other whistleblowers) perfectly compatible with Google's own statements.


Congratulations everyone, tptacek just successfully diverted a big part of this whole thread into an argument about something that was supposed to be irrelevant to this thread.


Funny that you should mention moving goalposts. That seems to be the M.O. of the NSA apologists. First, the argument is "It's not content. It's just metadata, which is no different from addresses on postal mail envelopes". That's already a terrible rationalization.

But, then, revelations come out that it is more than metadata being captured. It's actual call content and no warrant is required for a run of the mill "analyst" to listen to those calls.

So, now the goalpost is being moved to whether the NSA has "direct" or "indirect" access to Gmail servers--a specious and inconsequential debate over some subjective semantics.

What will it take for the apologists to actually grow concerned about what's really happening here?


Probably never. A lot of us "apologists" think that this is actually a good thing, but many are unwilling to admit it, even to themselves.

For me, it's simply a matter of valuing truth over privacy.


It actually would be better for the apologists to come out and say that you want the government to have carte blanche access to all of our information. At least it's honest and doesn't waste people's time in these trivial non-debates about peripheral non-issues.

OTOH, of course, that posture is all the more stupefying. Which "truth", exactly, is so important that we should all be willing to give up our privacy?

And, how is it that you find it so easy to trust our government with such power? After all, if it is untoward human beings who make truth-finding so difficult that these drastic, privacy-defiling measures are necessary, then why do you have so much trust for other fallible human beings to wield this power?


It doesn't matter which truth exactly. The more information they have access to, the better the decisions they will be able to make (in theory, at least).

I don't trust them to wield that power because I don't need to trust them. I hope that by wielding that power, they destroy it by making it clear to the world that privacy no longer exists.


Sounds like you're not familiar with the rules of Calvinball, friend.


That comment made this whole thread worthwhile.


You misread the article - the briefing seems to only specifically mention wiretapping phone calls. The author goes on to say:

> Because the same legal standards that apply to phone calls also apply to e-mail messages, text messages, and instant messages, Nadler's disclosure indicates the NSA analysts could also access the contents of Internet communications without going before a court and seeking approval.

Meaning the US Gov't believes it has as much legal right to access e-mail as it does phone calls. Claims that they've done so in the same way (that is, in massive numbers with very little oversight or attention) are speculation. As more evidence begins to surface, it seems like telephone companies like AT&T and Verizon have been far more complicit in the NSA's indiscriminate surveillance programs than companies, e.g. Google, that control e-mail - when's the last time you saw AT&T publish a transparency report detailing government requests for user data?


The NSA brief to Congress wasn't referring to PRISM at all. Telecommunications interception != PRISM.

The slide deck was always very ambiguous. But it was very interesting that it said that analysts should use both methods (PRISM and interception).


> If you're telling me that this is the understanding most HN people have about what "direct access" means, I'd direct your attention to this very thread to rebut that argument.

I'm not at all saying that. I'm saying that most HN folks do not share your definition of what "direct access" means. I specifically said that it seems like most people are quite aware of the ambiguity of the meaning of "direct access" in a couple slides and that we can only guess at what it precisely means.

Your comment clearly indicates otherwise:

    Either way: the original notion that NSA had direct access to the servers that
    actually operate Google Mail has been found to be unsupported by the evidence
    published thus far.

    I call this out continuously and obnoxiously on HN because it is very much not
    the mainstream view on HN

Which seems like you're implying that most here believe literally in some direct tap on a provider's servers. But that isn't my experience.


Bullcrap. When people saw "direct access", they concluded direct access - as was reasonable, at the time, from what the leak seemed to show; I did the same. Many of the people on this site have since realized that that is not true (although there were sure a lot of crazy theories about the specific wording of the initial denials), but most of those people are no longer saying "direct access", and there are people still saying "direct access".


> there are people still saying "direct access".

Undeniably. What tptacek thinks though is that those people are "most" people on HN.

burntsushi thinks this is plainly false, and I agree with him. I think tptacek is seeing whatever it takes to stroke his ego.


Personally I'm not sure we're reading the same HN. Maybe today the facts regarding Prism are finally catching up but it certainly wasn't the case yesterday or the week+ before.


Yes, that is exactly what I think most people on HN that comment on this issue believe.


Hear, hear if you thought about it long enough to know they didn't give the NSA a database console with read-only rights!


It's possible, I suppose, that most HN people think that Google has, somehow, given the NSA a way to access their Bigtable database directly and query it--thereby entrusting the information on the structure of their database, and subsequently their billions of dollars, to NSA analysts making a few tens of thousands of dollars a year--ignoring entirely the ridiculous notion that such access is even physically possible or enabled.

That doesn't change the fact that they're wrong.

Google couldn't possibly give the NSA "direct access" in the way you're defining it without creating a subsystem to service it--like, say, a secure staging server that requires being populated by processes which run and pull the data from disparate parts of their system, whose access would most easily be accessed via FTP. Anyone technologically literate who considers what "direct access" could mean deeper than a surface level should arrive at the obvious conclusion that "direct access" does not mean the Google equivalent of a MySQL console.


I think that's an excellent summary, but also: that SFTP-like access almost certainly keeps happening, for that targeted account, after the initial request. Perhaps it happens hourly, or even faster when relevant account events (login, message-received, message-sent, voip-call) occur.

For most of the world -- those who have never SSH'd into a machine, nor had machine 'root' access -- that rapid-batch-dump access still would be fairly described as "direct access". Word meanings vary based on context and the expertise of the discussion participant; the slide deck and the journalistic reports were all written at the level of fuzzy understanding, not technical precision. Practitioner nitpicks about the implementation details don't refute them.


The Guardian went out of its way to characterize the access not only as "direct" but "unilateral".


The Guardian reported what the NSA documents claim PRISM does.

You keep implying that The Guardian is making unsubstantiated claims, but their article is full of "NSA claims" and quotation marks, and it would take someone intentionally trying to read something else into it to ascribe these claims to The Guardian.

Are you claiming The Guardian is lying or mistaken about what the NSA documents say?

Because if you are not, then your beef should not be with The Guardian articles, but with the NSA documents.

It's possible the NSA documents are technically incorrect, but if that is what you believe, then complain about the NSA rather than attack the reporting, as in that case attacking the reporting just seems like a weak attempt at making your arguments seem more credible by attaching the claims about "direct" access to the reporters rather than the NSA.


So what? The subject of this thread is that the NSA admitted that analysts can listen to the content of all of our phone calls without a warrant. We are having this discussion because the Snowden link put the NSA front and center.

Yet, you are arguing some mundane semantics?

Instead of smearing the people responsible for these revelations, why not try to focus on the big picture? That is, all of this is leading to long overdue appropriate dialogue, that is engaging our representatives in the oversight that is required to uphold our Constitution. Big picture!


No, I am arguing that AT&T rolled over (and, as it turns out from today's Gellman piece in WaPo, took money from the USG to do it), while Google fought back. But commenters on boards like this are happy to shit all over Google because (a) any allegation that Google rolled over to the USG confirms their biases, (b) they're inclined to put people into binary "agrees with me entirely" or "disagrees with me entirely" buckets that presume anyone who argues with them must be apologizing for NSA, and (c) because it's fun to talk about big companies like Google being evil and less fun to talk about them working hard not to be.

You think these are mundane semantics. I think they're more meaningful than that. People on HN can't get me to shut up over the right fix for a CSRF bug or how taxicabs can be licensed; why would anyone think I'd back down on an issue like this?


It's more that a lot of people are more inclined to trust a leaked NSA document that claims NSA does the type of things that people already believed NSA does, including when it implicates Google, than a Google PR denial of a very specific interpretation of the same.

In the absence of more evidence about what exactly PRISM does, what we have is guesswork, but guesswork where believing some interpretation of the NSA documents becomes easier the more revelations of extensive NSA surveillance via other channels that are coming out.


If they didn't want to be "evil" they shouldn't have been collecting these gigantic amounts of data without properly protecting them from parties such as the NSA.

For all the promotion they put into two-factor authentication for account-safety, "suspicious login attempt" notifications, etc, if they had done the same for GPG in GMail/Chrome, that would have been a huge step towards giving the mainstream a taste of actually being in control of their own privacy. I'm not saying we wouldn't have this problem right now, but we'd be in a way better position of dealing with it, for sure.

edit: to be clear, that is one of the many reasons why I think this arguing about whether this access is "direct" or whether it's "sorta kinda direct" distracts from the real issue: access.


Maybe I'm the stupid one here, but how does Google offer to provide people 4GB of email and storage... without actually storing that?

And like you yourself mention, to add security to prevent automated hacking scripts from 0wning accounts to add to a botnet (attempts that happen orders of magnitude more often than an NSL or FISA warrant) they have to add IP tracking for individual accounts.

You talk about GPG but there's little safe way to do that from client-side JS, would defeat most of the point of offering free email for Google in the first place, and is already supported just by offloading that onto a real email client.


I don't want you to shut up or back down. I am just baffled by your priorities and incoherent sense of scale.

Here we have revelations by the NSA, that analysts can listen to anyone's phone calls. In America. This subverts just about the entire spirit of the Constitution and some of the letter.

But, you would rather spend your time isolating some relatively minute detail that Snowden or others may or may not have gotten wrong.

And the thing is, neither you nor anyone here even knows enough to draw conclusions as to these minute details. A few weeks ago, we didn't know that the NSA was collecting metadata on so many calls. A few days ago, we didn't know that analysts were eavesdropping without warrants. Yet people like yourself would argue vehemently on behalf of the government. The more that comes out proving you wrong, the more you dig in and move the goalposts. It makes one wonder what the government would have to do to actually concern you.

And the thing is, while you argue things you couldn't possibly know, there are now enough solid facts coming out (including admissions by the NSA) that should be of grave concern to you. Yet, here you are again focused on trivial, unprovable details.

I won't argue the subjective notion of whether the details are mundane. That's opinion. But, I don't understand how anyone can have such a skewed sense of scale when comparing the relative importance of what you choose to argue versus that of the astonishing revelations being brought to light about our government.


I'd need to see the context to know if the Guardian was wrong where they used that exact word, or were simply describing something that exists with some companies or at another level of tapping.


A graf from Greenwald's original story:

When the FAA was first enacted, defenders of the statute argued that a significant check on abuse would be the NSA's inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies' servers.

Every part of this graf appears to be false!


The 1st sentence seems fine: the companies have no practical way to withhold consent.

The phrasing "directly and unilaterally seize" seems exaggerated given the preponderance of current revelations and denials, but if Prism includes other not-yet-revealed acquisition methods, might still be substantially true. After all, the denials you're relying on are from company leaders who also said they've never heard of Prism.

I can believe Greenwald got overexcited in that phrasing, and trusted the slide deck (including as-yet-unreleased slides) too much. Just like perhaps Obama was a bit clumsy and overeager to reassure with his phrasing, "Nobody is listening to your telephone calls."


The companies can withhold consent simply by not consenting. Both NSA and the company then have to appear before a federal court and argue the case; a court then orders one side or the other (obviously: virtually always the company) to back down.

It bothers people that the USG virtually always wins these cases. But I think it shouldn't bother people as much as it does, for a couple of reasons:

* It's also the case that state governments win most attempts to get Title III wiretaps; in those cases, it's because getting a Title III wiretap is an expensive process that involves a shitload of paperwork, and prosecutors don't waste the time going for them unless they're sure they're going to win. It appears easier to get a FISA directive upheld, but it's not free.

* It's what you'd expect to see happen if the USG was only using FISA to conduct foreign surveillance, which, while I wouldn't take NSA's word for it, is not at all hard to believe; what is the motivation for them to set up a paper trail with the FISC of doing something else?


> but if Prism includes other not-yet-revealed acquisition methods, might still be substantially true

Yes, but that's close to being a tautology: what outlandish claim might not turn out to be true if in future startling new revelations supported it? In fact, direct access in the NSA-has-root sense is less likely in light of the PRISM slides: why file 702 orders and dicker with webco lawyers if you're able and willing to get whatever you want through some kind of back channel? Why create a Top Secret overview and training resource for Internet surveillance and apparently not mention this backdoor?


There's lots of evidence there's way deeper unrevealed stuff: hints from earlier NSA-careerist whistleblowers and Snowden. ~40 more slides in the PRISM deck that Greenwald has seen. Possibly thousands more documents Snowden has provided to Greenwald and perhaps other journalists. Representative Sanchez (D-CA) describing what's public so far as "the tip of the iceberg". Representative Nadler (D-NY) essentially acknowledging warrantless domestic wiretaps, at analyst discretion, in apparent contradiction to sworn testimony of General Alexander a few days ago, and President Obama's comments a week ago.

So while of course, we can't assume every covert acquisition method darkly imaginable is happening, it would also be foolish to assume that exactly what has been clearly documented so far is the full story.

Why the trouble of extra legal orders and a paper trail if the NSA already had deeper covert access? Well, the government isn't efficient and different levels can't always work together. For example, why did the DoJ use more normal procedures to get AP phone records, when the NSA already had all that data? Also, when you have a treasure trove of info obtained in illegal ways, or in ways you don't want to admit, and you want to act in ways revealing that you have that info, you can try to get it again in a second, redundant way: one that you can explain, and maybe legally rationalize.

And when nobody inside or outside your organization has the whole picture, the fact that there's some legal process for getting some info from, for example, Google, might serve as plausible cover deflecting questions about how exactly so much more info winds up in the system.

In fact, that's one possible mechanism for the PRISM slides' author thinking that the access to Google et al is so much more powerful and 'direct' than the companies' own measured response process can explain. They're each blind men feeling different parts of the elephant.


Greenwald's statement here about the Prism program is explaining what the NSA document claims. This is clear from context. If it is false, it is false in the same way as a book review that recaps events in a novel is false.

And unless I've missed some major revelation, it "appears to be false" on the basis of press releases from companies with an interest in not being caught with their pants down.

Forgive me for not being so willing to jump to conclusions about which claims to believe.


It's false in that it's technically inaccurate, even given nothing but the slides.

E.g. "direct and unilateral access". Unilateral means exactly that only one party needs to decide, the reality is that it is bilateral access (both parties must agree).

So that's at least one thing Greenwald managed to screw up in his "book review" of a single slide. The question is whether blame lies with Greenwald alone, or if Snowden misled him into that by stupidity or malice.


> the reality is that it is bilateral access (both parties must agree).

How do you know this on the basis of the slides alone?


> No court order is required for NSA to issue directives under FISA.

As far as I can see (IANAL) most forms of FISA order do require a court order. FAA 702 orders are issued by the government rather than the FISC court, but still have to be reviewed and approved by the FISC. It's just that the nature of the court's review affords no protection to non-resident aliens (except by chance).

> For all intents and purposes USG never loses at FISC.

Well, it has lost at least one significant case at FISC, it's just not letting us see the ruling.


As I understand it: FAA 702 certifications require FISC approval, but 702 directives don't; there's a 1:many relationship between certifications and directives, and directives are what companies see.


Yes, that seems to be the case.


You may not be interested in a semantic argument, but it's a semantic point you're arguing. The title of the article in question[1] is:

"NSA Prism program taps in to user data of Apple, Google and others • Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook • Companies deny any knowledge of program in operation since 2007"

The first sentence states:

"The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian."

Emphasis on according to a top secret document obtained by the Guardian. If you read on, the content of the article supports this title and summary. It doesn't matter what Emily Bazelon has said, it doesn't matter what others have said, and it certainly doesn't matter what the mainstream criticism is when determining whether or not the statements in the article are accurate. The slides say the NSA can "collect data directly from the servers" of these companies. Guardian states that the slides state that the NSA can collect data directly from the servers of these companies.

That is a demonstrable fact. In fact, I just demonstrated it.

Now, I'm in the camp of people who think that whoever wrote the slides just didn't know what they were talking about. Nevertheless, I'm also in the camp of people who think that the Guardian was accurate in their reporting--because the reporting is right there to be read.

We could, of course, argue over the congruence between the phrases "direct access" and "collect data directly from the servers," but you said you weren't interested in semantics.

[1]: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...


> The slides say the NSA can "collect data directly from the servers" of these companies. Guardian states that the slides state that the NSA can collect data directly from the servers of these companies.

The slides do say the NSA can "collect data directly from the servers" of these companies. (Well, they say that the NSA uses "collection directly from the servers" of these companies, to get the quotation exactly right.) But the Guardian stated that the slides state that the NSA has root access (or similar) on the servers of these companies. It was wrong about this.

The Grauniad didn't publish a story saying "the NSA has a PowerPoint presentation in which the phrase 'collection directly from the servers' appears, but we do not pretend to offer any interpretation of what may have been meant by this". What it published was a story which said (in paraphrase) "the NSA has a PowerPoint presentation in which the phrase 'collection directly from the servers' appears. What the NSA means by this is that it has root access on Google, Facebook and friends." The NSA writer was correct; the Guardian's reporting of what he said was wrong, both in the sense that it misreported what the NSA writer was claiming, and the claim it misreported him/her as making was (unsurprisingly) untrue.


Where exactly did the Guardian or Greenwald claim the NSA has root access on servers? I haven't seen that anywhere? Please supply a quote of the part of an article you're referring to so we can make up our own minds about what was said.

It's quite possible Guardian journalists and editors summarised some points in a sloppy way due to lack of understanding (in particular using direct access instead of directly from), but the broad thrust of everything I've read from them has been surprisingly accurate (as journalism goes), and Snowden's claim to have access to any account at will (given enough clearance) is now sounding far more plausible after these recent revelations that calls are recorded and can be accessed without a warrant by any agent with the clearance to do so, and according to cnet, perhaps emails too. To an analyst asking for calls/emails, this would seem very much like 'direct and unilateral access', even if from google's end they only respond to lawful orders and don't allow universal tapping as the phone companies do.

I'm surprised that people are talking up minor quibbles over the interpretation of one slide as if all debate hinges on them given the scale of the surveillance which has been exposed. We don't know for sure exactly how the PRISM process works, and what matters is not the process but the legal safeguards in place (or lack of them), and the extent of surveillance. Why not debate facts we do know and have confirmed?


What Greenwald/Guardian said about "direct and unilateral access" is what is meant by the paraphrase of "root access".

The story made it sound like an NSA analyst could just open an xterm and copy any data about any Google/Facebook/Hotmail/Skype/etc. user, whether the company agreed or not. That is the part that is not only false, but which Greenwald has refused to back down on by just pounding the slides over and over.

I don't know why I'm so surprised that a writer reporting on tech-heavy privacy issues would be so clueless about technology but it just gives me even more reason to be jaded about activists in general.

Oh well, at least we still have the EFF and ACLU.


Also note the Google statement from the story:

> In a statement, Google said: "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."

A backdoor pretty much implies unfettered (as well as clandestine) access - a limited-privileges backdoor is conceivable, but unlikely. Note that the Guardian didn't say 'here's a weaselly statement that doesn't deny what we're alleging' - it said 'here's a denial of what we are alleging'.


If we're to criticise journalists, we should hold ourselves to the standards we expect of them. The article said:

'In a statement, Google said'

You paraphrase this as the article saying:

'Here's a denial of what we are alleging'

The article said or implied no such thing, as your direct quote shows, it merely attributed the quote, without comment. It didn't talk about back doors or denials, Google did, probably in response to more fantastic speculation around the Internet prior to this.


> If we're to criticise journalists, we should hold ourselves to the standards we expect of them.

In the interests of precision, let me first amend the Guardian non-paraphrase and paraphrase above to 'here's a weaselly statement that doesn't deny what the NSA document claims' and 'here's a denial of what the NSA document claims'. This matters because the article deliberately sets out to report the NSA slides instead of setting out to explicitly report the NSA slides as accurate, and Greenwald later made much of this.

> The article said or implied no such thing, as your direct quote shows, it merely attributed the quote, without comment.

The immediately preceding paragraph is:

> Although the presentation claims the program is run with the assistance of the companies, all those who responded to a Guardian request for comment on Thursday denied knowledge of any such program.

This makes it clear that the next paragraph is, to the Guardian's understanding, Google denying knowledge of any such program.


I see what you mean now from this context, thanks for the clarification, however it is just restating that they are denying that they knew of prism, not all allegations. Part of the confusion here is that the slides say one thing, the article summarises it (perhaps loosely) and google denied something else altogether (back door etc). I would note though that the article did not say they had unfettered access via a back door, or root access or any such detail, those are things implied in the google statement, which curiously denied things the article did not allege.

Personally I thought the article did an OK (though far from perfect) job of summarising the puzzling gaps between the slides and the company statements, and didn't imply all the things people have read between the lines, but wish it had gone into more detail, however I don't feel that's a hugely important part of this story. It sounds like we might hear a bit more detail over the coming weeks.


That phrase says nothing about root or xterm and I think you're being misleading by attempting to paraphrase it that way though I think I see how you got there. That's one possible interpretation of it (though not one Greenwald has backed), but it's equally possible, given the assertions of Snowden in the video with the article (which we now know to be true at least for phone calls), that it was an attempt to describe the experience of an analyst using such a system, requesting full access to a user's account, and getting it without interacting with google staff (after what delay we don't know), possibly without any legal paperwork other than making the request. We simply don't know enough details to be able to describe the process any better, we don't even know all the possible sources of intel for it.

Since Greenwald provided the sources for his statement and the article clearly indicates which quotes are attribution and which bits are commentary I didn't interpret it the way you did, and do think it's highly misleading to characterise this as a fundamental flaw in the article, or as something the guardian has 'walked back' - the guardian is not a monolithic entity and features content from all sorts of contradictory viewpoints. The writer wasn't clueless about technology necessarily - remember this sort of writing goes through many hands on the way to publication, and attempts to synthesise knowledge from various sources for a non-technical audience, while not revealing damaging details which could leave them open to prosecution. That process is going to result in text which is not as precise or illuminating as we or the writer would like.

So I'm all for correcting reporters like Greenwald where they over-reach or imply too much, and I do think he should have clarified this particular detail which has been left very vague, but we should clarify or correct, not attack and patronise, reporters who don't specify technical details, and bear in mind that technical questions of mechanism are not the only story here; there are far more important legal and ethical questions.


>What the NSA means by this is that it has root access on Google, Facebook and friends.

This just simply isn't true. The article doesn't say that. Your support for this claim below is that this is what they meant by "direct and unilateral," which you cannot know to be true.

If Google et al. set up dedicated servers which aggregate the relevant user data the NSA wants, and gave the NSA FTP access, then this would be--by definition--direct and unilateral access. FTP falls under any reasonable definition of direct, and Google would not have to be involved in any data transmission, thereby making it unilateral.

And can't we all just agree that the idea of giving root access is so outright ridiculous that nobody would intend that as a meaning? Maybe read only access, but root access? Ridiculous.


I think you are making some poor semantic arguments yourself.

The simple case is that of the NSA document ("collection directly from the servers of these US service providers") against google ("The U.S. government does not have direct access or a “back door” to the information stored in our data centers"). These are two competing claims, neither of which have been supported by evidence and hence the burden of proof rests equally with both cases.

Anything else (By the Guardian, Slate, the 'mainstream view on HN' or yourself) is purely speculative.

You seem to place the burden of proof on one claim over another and hold a very specific view on what 'direct access' means.

You also seem to hold a strange interpretation of the Guardian's reporting, but I won't get into that as it's largely immaterial to the real subject.


>> These are two competing claims

Steve Gibson has proposed a scenario that makes both claims credible: that the NSA has installed fiber optic splitters (hence the name "prism") directly upstream from Google, Apple, etc and therefore can sniff all the packets headed to their servers without their knowledge.

Notes from Gibson's podcast: https://www.grc.com/sn/sn-408.txt

This scenario would be a large expansion of what Mark Klein testified was being done at AT&T in 2006 (https://www.eff.org/files/filenode/att/presskit/ATT_onepager...). It would also explain why the NSA slides showed service providers being added gradually: it would take time to carry out these secret installations.

If Gibson's analysis is right, Google et al would have no knowledge of the taps, yet the NSA would have most of their traffic.

Yes, SSL traffic is still impenetrable. However, 1) it can be stored for cracking in the future (perhaps in the Bluffdale facility) and 2) lots of traffic, like email traveling between hosts, is not encrypted.


For those keeping score, this is another of the kind of comment that lead me to believe that most HN commenters take the obvious interpretation of "direct access".


What? I'm not putting forth any interpretation of 'direct access'.

I appreciate that it seems you are responding to a lot of comments but I really find this comment lazy and borderline offensive.


You're saying that Google's claims compete with NSA's.

They don't.


Thanks for the response. See my reply to tptacek above. I probably should have said 'appear to compete' or similar, as reading them together does not lead to an easy answer - and there are a number of possibilities as to how you could interpret them.


Certainly true that there are a number of possibilities. The one that seems to make sense per Occam's Razor and the mass of evidence we now have is that Prism is an NSA-side "facade pattern" against a set of company-specific FISA/NSL-compliance APIs.

In NSA-speak this is "collection directly from the servers of $FOO" because there is no wiretap or other SIGINT or ELINT shenanigans. They ask, or the FISA Court compels by warrant, for a company to turn over information they have, the company sends it over electronically.

Prism, on the NSA end, takes care to feed that information that is sent over to whichever analyst is working the case, patches up company-specific details so the analyst doesn't have to worry about it, etc. But they don't have feelers onto every datacenter owned by those 9 companies so there is no "direct access to data", as has been erroneously and loosely parroted around.


The two are not really competing claims; the argument over whether they are is the argument that NSA could in fact have direct access to the servers operating Google Mail.

I'm not trying to single you out, sorry.


Are you saying that the "collection directly from the servers" claim of the NSA document is simply the systems we already know about (FISA warrants or otherwise) until proven otherwise?

To me the terminology of the document probably (though not necessarily) indicates something more serious, but I'm not sure it's necessarily 'cables into gmail' (which you seem to indicate as the only alternate). For instance, potentially someone working for Google may transfer selected records out manually without the knowledge of Google.

Thanks but I'm not so concerned to be 'singled out' as 'lumped in'. I want to get to understand your views more than simply disagree. I hope my previous posts haven't seemed too argumentative either.


Marc Ambinder, a reporter who has covered the national security beat for many years (before that he was a political reporter for The Atlantic, and before that the White House reporter for --- I think? --- CBS), reported that PRISM is a system of dropbox servers and a user interface that allows seamless access to all of those servers, presumably so that analysts don't have to keep track of which data is affiliated with Google and which data is affiliated with Yahoo.

Other reports have corroborated this.

Declan McCullagh, who has covered this beat for CNet for something like 10 years and is most notable on HN for jumping into threads and arguing the EFF's side of any given story against me (in other words: not a guy prone to support of the establishment), ran a story last week with sources that also denied that NSA had unilateral access to Google Mail.

The NYT just a few days ago ran a story with a linked FISA court order that documented Yahoo's attempt to push back on a FISA directive, a process that would not have been necessary (for the government) had NSA had direct access to Yahoo's servers; the court order demanded that Yahoo turn over data.

And, of course, Google categorically denies that NSA has direct unilateral access to their servers and, for that matter, that they've been able to obtain records for large fractions of their user base. Those denials have come from multiple levels of the company, from the CEO to the General Counsel to their tech leaders to people on their security team.

I'm not simply supposing that NSA doesn't have this access. Based on the evidence available, I am drawing the obvious conclusion that they do not.


The slides claim NSA has access to company servers. They do not claim they have free access to whatever they want. A system of "dropboxes" coupled with a system to get specific sets of data onto them - whether reviewed by humans or not - could fit with that.

That would not contradict the Guardian reporting, or even what the NSA's slides claim.

The rest of what you state also does not contradict the Guardian's reporting: They make specific claims about specific subsets of these companies' data.

You keep arguing about an expansive interpretation of the reporting even when faced with much more restricted alternative interpretations.

When it comes to relying on press releases with denials, I'm clearly more cynical than you - I assign them pretty much zero value as evidence. I'd expect these companies to issue denials whether the claims are true or not, so I don't see the press releases as containing any useful information to draw inferences from.


Hey! That's me! (I've covered this beat at CNET for 11 years and at Wired and Time and Wired a second time before that for about 5 years. It's not the EFF's side I'd argue, but I'm flattered that you think so.)

Anyway, I've disagreed politely with <tptacek> before, but he is 100% correct here.


Thanks for the detail - I now understand your view far better than earlier in the thread. Will read these articles when I have the time.


If you look at the source of the "collection directly from the servers" terminology, the You Should Use Both slide http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server... , it's fairly clear that PRISM collection is being contrasted to "upstream" collection. In the context, it would be natural to describe getting someone's GMail account state (plus a live feed of account updates) through a FISA directive (and an API) as "collection directly from the servers": the stated alternative is recording the packets of someone's IP connections as they cross into and out of the US, a much more indirect and not-from-the-server(s) option. Then there's the fact that the slide heading is "FAA702 Operations". Using FAA 702 on Google requires the US Government to serve a FAA 702 directive to Google; getting a Google employee to hand over information without Google's knowledge would not be using FAA 702 at all.

(Further, the fact that Greenwald couldn't figure this out from looking at the You Should Use Both slide by himself - instead, actually producing the slide in the belief that it was evidence which undermines the FISA-API theory - and still can't or won't get it after having it explained to him, undermines the thesis that he's both able and willing to interpret the PRISM presentation carefully and accurately. Though he wasn't the only journalist to (apparently) misinterpret the "direct access" claim at first.)


Thanks for that. Best response I've seen on these issues - I hope others read it.

I'm not sure on the requirement for a FAA702 directive to be issued to Google however. Surely the upstream operations (which come under the same heading of FAA702 in the slide) don't require a FAA702 directive? I'm no expert but the directives seem to serve as a means to access the information, not as a necessity for disclosure of information should it be available by other means....


For not being interested in "the semantic argument", you have previously shown lots of confidence in the Government's secret semantic interpretation.

No evidence has been published, and who is talking about Google Mail anyway?


I'm not interested in the semantic argument about whether publishing a story that contradicts a previous story without issuing a correction on that previous story counts or does not count as a "walk back", that term having no specific technical meaning the argument can rely on.

I'm not averse to all semantic arguments.


So what? The NSA is harvesting data on an unprecedented scale. It might be legal but it is definitely unethical.

Whether the initial reports were 100% accurate or not is irrelevant. What does matter is that this is now out in the open and hopefully something changes.


The ethics of data collection in the age of people sharing all sorts of information with Google, Facebook, etc, are not a clear cut thing.

Moreover, it's not meaningless whether it's illegal or not. Indeed, it makes all the difference in the world. Laws can be changed if we don't like their outcomes--a government that's ignoring the law is something else entirely.


> The ethics of data collection in the age of people sharing all sorts of information with Google, Facebook, etc, are not a clear cut thing.

It is a peculiar brand of corporatism that thinks the privileges afforded to corporations should somehow be considered when talking about the privileges given to governments. Quite the opposite of what one normally sees, but still curiously the same.


I'm not talking about privileges, I'm talking about the nature of what is "private information." I don't think the ethics of the government collecting information you share with people on Facebook you might have met once, along with god knows how many employees at Facebook, Google, etc, are clear cut.


And I say that how we should treat Facebook collecting data and how we should treat governments collecting data (even data from Facebook) are entirely disjoint. Anything else is a peculiar brand of corporatism.


You realize that when you call something "a peculiar brand of corporatism", you're saying something equivalent to "a label that thus far exists only in my mind".

Is there a more direct, refutable way you could construct your claim? How would anyone falsify your argument otherwise? You know what else is a (very) peculiar brand of corporatism? "Not corporatism".


I suppose I did not spell this out clear enough for you.

A traditional corporatist could be accused of trying to bring corporations up to the same level as governments. Rayiner seems to be playing at the idea of bringing governments up to the level of corporations. Despite appearing to be opposing positions, it should not take a rocket scientist to find the common ground.

Of course if you have no interest in doing so, it should not be surprising that you won't.


What does it mean for a corporation to be at "the same level as" a government?


Go find an anarcho-syndicalist and ask them what they think of self-described libertarians and anarcho-capitalism.


As long as we're playing at labels, I am a socialist and you are a goddamned idiot. There is no such thing as a corporatist. You're just using it as a nasty word to accuse your debate opponents of malicious intentions.

Back to the point: people freely give their personal data to Facebook. Facebook now knows that information and can publish it, sell it, whatever. The people have no expectation of privacy which would be necessary for a 4th Amendment defense. Anybody can go to Facebook and just ask for the data, government agents included. It is Facebook's choice to give it away, set a price, or refuse.


I'm not talking about how we treat Facebook collecting data versus the government collecting data. I'm talking about how we treat the government collecting data that we freely give to Facebook versus how we treat data that we keep under our mattress. How do you define the ethics of privacy with respect to Facebook posts that have a wider audience than if you had posted something on a bulletin board in your office?


So the reporter says there was an elephant in the room, but instead of an elephant, it was two donkeys. The reporter gets it wrong, but what about the two donkeys? What the hell are they doing in that room?


> I call this out continuously and obnoxiously on HN because it is very much not the mainstream view on HN; most of the people commenting on the NSA story on HN say things that make it clear that they believe NSA continues to have the direct access to Google's systems that Google and the Guardian say they do not have.

Ah, I was wondering why you were doing this.

Personally I prefer to believe, when it is hinted that the NSA might have access to my emails, that this is true and later be proven wrong (which IMO hasn't been done conclusively yet), rather than the other way around: assuming everything is fine, and then piece by piece being proven wrong as more evidence trickles in.

Note that the above is a hypothetical example, since, being an EU citizen, I have already known for a couple of months that the NSA in fact does have the ability to request any of my data without a warrant, given that it resides on a US server.

... Come to think of it, could it be that also influences your perception of what is "the mainstream view" on HN? A lot of people do not explicitly state they are not US-citizens every time they mention how upset they are the NSA can read their emails.


NSA has all the access they need. Which side of the property line their equipment resides on is a detail. Google is bound by what they're treating as a lawful order, to lie, as is anyone on NSA's team. If NSA doesn't have hardware inside Google, they have what they need to read the data at the boundaries of the Google system.


Nobody is bound to lie. That is not a FISA requirement or a requirement of any other federal statute.


You're very naive to believe that.

The gov't somehow manages to compel people to lie despite the absence of some "Federal Pants on Fire Act"

1. Place a Warrant Canary.

2. Receive NSL.

Even those who've conceived of the Warrant Canary know that it depends upon the notion that the gov't will not coerce the NSL recipient to leave the Canary unmodified.

We don't have to use the Warrant Canary hypothetical to see that the US gov't has in the past used force to compel individuals to lie in the furtherance of its goals. Police forced Rachel Hoffman to arrange a drugs buy and wear a surveillance device to the proposed exchange. This is a common police practice carried out by government agents at every level of government. If the government will use such tactics for drugs, they will most certainly use them for national security.


I don't follow any of this. I don't know what warrant canaries have to do with the fictitious belief that NSLs compel companies to lie.


Well, if you place a warrant canary, and then receive an NSL, the warrant canary must be modified, as that is its sole purpose. If you leave the warrant canary intact, then you've lied. The act of changing the warrant canary will by definition violate the (secrecy) terms of the NSL and possibly invoke gov't reprisal. Even without the warrant canary the terms of an NSL may compel an individual to lie through coercion, depending upon circumstance.

I didn't say that the NSL compels each recipient to lie, in every case. I said the gov't can and does compel individuals to lie. That's not a "fictitious belief" it's a fact. Then I offered a concrete example of widespread gov't conduct supporting that claim.

If you keep waiting to see it spelled out in black and white, "Be it ordered on this day the NSA under the authorization of Congress and President Obama (with all their signatures) that you shall go on the Today Show and Charlie Rose's show and tell everyone that we can't read everyone's email and that we're all a great bunch of guys." you're likely to have to wait a while. You're being obtuse and I think you know that. It probably works well in other areas of your life, but it makes you ill-suited to make judgments about non-trivial issues because it is rare that all relevant facts become obvious as an atomic operation.


For reasons which should be glaringly obvious, you're not going to convince anyone on HN that a view is the right one simply because drama-hungry mass media has decided it is.


>Either way: the original notion that NSA had direct access to the servers that actually operate Google Mail has been found to be unsupported by the evidence published thus far.

Evidence being "Google denies it"?


And that The Guardian ran a story contradicting it, and that Marc Ambinder reported a story suggesting that PRISM was a dropbox system and not direct access, and that Declan McCullagh ran a story with sources saying that NSA does not have access to Google Mail, and the NYT running a story with an attached court order from the FISC showing Yahoo availing itself of the opportunity to try to deny NSA access to its servers, and the idea that NSA having direct access to Google is an extraordinary claim requiring not just some evidence, but extraordinary evidence.


And that the actual slide "collection directly from the servers" came from supports Google's version https://news.ycombinator.com/item?id=5887627 .


And even more evidence that would take too long to summarize. <tptacek> is correct here.


How many times are you going to make this exact same comment? Just upvote him if you think he's so right.


He's a reporter who has been doing reporting on this story with actual sources. His confirmation of individual comments of mine is useful, at least to me; don't worry, eventually I'll write a comment that will contain something he knows to be wrong, he'll notice it, call me out for it, and you can start jumping up and down again.


True!


Semantics - the study of meaning. So you're saying you're only interested in a meaningless argument?


Imagine if you were designing a system to store massive amounts of intercepted email data for archival and occasional retrieval. The design would be quite different from gmail and it would require a lot less infrastructure.

I think your analysis is perhaps being biased a bit by the idea that dealing with all the email data would be massively expensive.

Also, consider that phone companies already have existing government granted monopolies, while companies like Google and Facebook are significantly more vulnerable to bad press or some kind of disruption triggered by public mistrust.

Hence one possible strategy for minimizing the impact of Snowden's revelations would be to admit to the phone aspect of the powerpoint and to drastically minimize the relationships with web companies.

Also considering the power of ad network cookies and the amount of information stored, the intelligence value of internet companies' data dwarfs the value of phone call data by several orders of magnitude.


You think the average American would be less concerned about direct access to Google Mail than they would about the NSA having the ability to listen to everyone's phone calls?


I think the opposite, which is why I think the story is evolving to minimize the gmail access being done.


Perhaps it's evolving closer to what the truth actually was the whole time?


That is possible, though what we're seeing is the result of the PR response of the NSA taking effect. The NSA does not have any incentive for the truth to be revealed, only for the public to stop worrying about it.


Unless I have missed something, Guardian has NOT said the NSA does not have direct access.

The Guardian has reported that an NSA document says they do, and that Google says they don't. As far as I have seen, the Guardian has not made a claim either way.

You choose to trust Google. A lot of other people here choose to trust the NSA documents more.


If I were at the helm of NSA, I would recruit spies in important positions so that the agency can have access to any data on a minute's notice. Of course, in accordance with the law. And I believe it is legal for NSA to recruit somebody in a company to spy / give NSA access to the data.

My point is that it is irrelevant whether it is true or not that NSA has the capability to access all our emails. The key is whether our legal framework allows that or not. My understanding is that NSA can collect all the data it needs (emails, phone calls, etc.) and they will not break the law - even without FISA court order. So maybe the law needs to be changed...


"I'm not interested in the semantic argument."

Stop making one then.


That quote IS Greenwald walking it back, while saying he's not walking it back.

Greenwald is saying, in effect, "Well, I'm not saying the NSA does or doesn't have direct access; I'm just telling you that I saw a powerpoint slide that says that." Uh huh.

Basically I'm agreeing with tptacek's downthread point: the slide deck claims "direct access", but other than that slide deck, there has been no evidence to support this, and some evidence against it.

As I've said before, I think we should assume that slide deck is a little hyperbolic. This is a deck that claims you can real-time monitor all communications in the world for only $20M. I'm not saying it contains no truth; I'm saying it's a _slide_ _deck_.

Also, btw, the Greenwald article you quote is not his finest. From what I've read in the last two weeks, I respect his agenda, and I respect his efforts to air this story, but some of his self-analysis is seriously lacking. If you're interested in my extensive dissection of that article, https://news.ycombinator.com/item?id=5884619


Dude. They have the content of email too. I'm going to make a wild guess here and assume it falls under the "required by law" category of the denials. Well, too bad for them, too bad for us. Welcome to the future, and there's scant chance that any of this will ever get rolled back.

Meanwhile, it's also fairly obvious that some security folks sympathetic to the NSA have your ear. You like them, you respect their skills, and social heuristics dictate that you give their opinions due weight. They haven't been overly impressed with the recent leaks and reportage, and why not--we always bristle when the media covers something near and dear, and bristle again when it is sympathetic to the wrong parties.

Back to the contents of email again. How, precisely, it is done is of course very interesting but also an implementation detail. The fact is this kind of content would have been considered very valuable, and therefore effort would have been expended to a) explore the options and b) make it happen.

If you go back over the past few years of leaks, a recurring theme is, it has happened, and it appears to have been achieved via legal compulsion plus some fairly vanilla engineering. However, we may also assume that any serious collection effort would necessarily include redundancy of methods, so if for some reason legal compulsion were to end, the collection could still continue. And this is where we find ourselves today: legal collection at nominal risk, but the program itself secure.

And we know we are here, not from any one specific claim (possibly garbled, possibly wrong), but from the pointillist painting rendered by years of such claims, where the negative space provides as much structure as the positive. So yeah, you don't like Greenwald et al on aesthetic grounds. But Greenwald is also irrelevant to the overall narrative here, which is "when we became cognizant of our pervasive surveillance." Why would they not have the contents of email?


Dude. Provide evidence for extraordinary claim. I'm all ears. Also: this content vs. metadata thing? Also I think a red herring: they don't have full metadata access from Google Mail either.


This is an exercise in synthesis, not analysis--akin to reading tea leaves. By all means, keep two ledgers: a) claims with hard evidence, and b) suppositions on a tree of conjecture. Though again: having informed opinions on secret programs is structurally a fool's errand. Better keep that ledger quarantined, and look for new fruit on the tree of conjecture. You would be well equipped to capitalize on it.

EDIT, quick, and not to make a thread of it: a) NSA is the referent to tea-leaves, not you; b) the rest is advice; and c) lol.


YOU'RE OUT OF YOUR ELEMENT! This Chinaman is not the issue, Dude.


they don't have full metadata access from Google Mail either.

And you know this...how exactly? I can't say they do but it wouldn't surprise me. To say that they don't however is a different story. What's the difference between phone metadata http://www.slate.com/blogs/future_tense/2013/06/06/nsa_veriz... and email metadata? Why one is OK and the other is not, assuming NSA goes to court to get them? In fact, emails over 180 days have very little protection.


So far fact is that the NSA denied listening to U.S. phone calls without warrants.

Now we know that the Obama administration and NSA intentionally lied and misled the public. I am certain that with a little bit of luck we will find out how NSA email hacking works in practice. So far the smoke seems long from settling.

Based on how the Obama administration and NSA are handling this issue I see very little reason to expect anything else than the maximum level of intrusiveness possible.


Well, Larry Page says "... we provide user data to governments only in accordance with the law"

If the law is that the NSA just has to request it, no warrant necessary, there you go.


The Electronic Communications Privacy Act says all email stored on a server that is older than 180 days is not protected under the 4th Amendment.

Furthermore, the IRS appears to operate under the assumption that no email is protected.

> New documents released to the ACLU under the Freedom of Information Act reveal that the IRS Criminal Tax Division has long taken the position that the IRS can read your emails without a warrant—a practice that one appeals court has said violates the Fourth Amendment (and we think most Americans would agree).

http://www.aclu.org/blog/technology-and-liberty-national-sec...


I've always wondered if I delete the email, does it count as "no longer stored"? I should, as a user, reasonably assume so, but I know it's kept longer than that, probably indefinitely.


> the NSA would need direct access to the servers that run Google Mail. They do not have that access; Google has categorically denied it, and the Guardian walked the claim back.

Also, I don't necessarily buy this. I don't think Google's denials are lies, as Google is not a single brain, but thousands of individuals. Hard to prove a negative.


You think it's possible that NSA got direct access to Google's servers in a way that was invisible to Google's CEO, its general counsel, its Chief Architect, Justin Schuh of their security team, and any of their thousands of employees, most of whom would immediately report such a thing if they discovered it?

Moreover, having obtained this illicit access, in direct defiance of the corporation that owns and controls those servers, their use of that access is so routinized that it appeared in a "USE BOTH!" Powerpoint deck for NSA analysts?


Not invisible, no. (Please don't strawman.)

I think that some of those people have knowledge of a secret program that enables access to the data (maybe without direct access to the servers that house it). That would make it easier to manage without having to bring all the SREs and such into the conspiracy.

I think that most of those people would not allow their lives to be destroyed with federal charges (or maybe even extralegal harassment, who knows - they do run secret prisons) in the process of reporting such a thing.

Tens of thousands of others have chosen to keep quiet about NSA's extralegal collection practices (from the contractors at the IXes installing beam splitters, to the mechanics who welded the fiber grabber arm onto the nuclear sub). Why is it such a stretch to think that 3 or 5 or 10 at Google wouldn't?

It's not even a stretch to think that NSA would have done their homework to know _which_ people inside of Google would be both able to participate and could be coerced into keeping quiet.


I don't have to build a straw man. I'd just say people should read your comment, work out its narrative in their heads, and ask which is more likely: that PRISM is an elaborate scheme by which NSA gained illicit access to Google's servers, or that it is what other reporters have now reported that it is: a unified collection system for documents manually provided by Internet companies in response to FISA directives.

People that think the "manual" part in that last sentence doesn't matter should read the court order in the Yahoo case the NYT reported, where Yahoo went several rounds with NSA and the FISC to try to fight a specific FISA directive.

Note that Google, Facebook, and Yahoo have all taken pains to point out that they've pushed back on FISA directives. Which is something you can't do if the system isn't manual.


I never claimed it was illicit. I just said it was secret, and that disclosure of such secrets carries an incredibly harsh penalty. You're doing the strawman thing again, despite claiming otherwise. :/

Just because they've pushed back doesn't mean the system isn't automated. It could have been a matter of "implement the automated system now, per the FISA order, and then we can have a go-round in front of the FISA court with your objections after".


Where by illicit I mean "is occurring without the knowledge of Google's CEO or General Counsel, despite their publicly voiced opposition to any such program."


I'm not sure. It could be that they know about it and are gag-ordered (can't fight city hall!), or that they were intentionally left out of the loop for purposes of plausible deniability.

This is military intelligence we're talking about here, they take their mission very, very seriously. I wouldn't be surprised if there were multiple, independent, redundant programs for monitoring this data.


As 'DannyBee, himself a lawyer, pointed out a few days ago: no provision of any Federal law requires anyone to issue false statements. There are times you're prevented from saying things†, but there aren't times when NSA gets to put words in your mouth.

... we think; the ultimate Constitutionality of this is up in the air.


I'm sure the lying part comes automatically when you want to keep your job and you can't tell your boss that you just broke every rule the company has.


If you're saying some lower-level employee of Google was "turned" by NSA and then lied about it to their manager, we're back into "illicit access" territory.


How can you rule out:

1. Google is lying.

2. Prism (or the backend thereof) is genuinely unknown to most Google employees. Those few employees who do know of it are lying. The others (i.e. legal) are ignorant because they have no need to know, and because it provides plausible deniability.

3. There exist NSA agents capable of passing a Google interview and installing backdoors, perhaps with the collusion of other agents.

Companies the size of Google are, in software terms, Borg cubes of interacting systems. No one comprehends the whole thing, and some degree of secrecy between services is normal. Who would notice if, say, Gmail traffic was being replicated onto NSA-controlled hardware? A small part of a small part of the Gmail team. No one else would likely notice even if it was done in an obvious way.


Is it possible that through some elaborate conspiracy with specific unidentified Google employees unknown to Larry Page or Google's General Counsel that NSA has obtained access to the servers that operate Google Mail? Yes.

Is it plausible that having gained that access, their use of it is so routine that it has an official name ("PRISM") and a logo and appears in slide decks targeted at NSA analysts and is used a program whose existence is known outside NSA (there are DOD manuals that refer to the same PRISM program)? No. That is not plausible.


What about specific unidentified Google employees known to Larry Page, albeit not Google's General Counsel? (In the paraphrased, immortal words of Al Gore: of course it's illegal, that's why it's a covert operation.)

We don't know the intended audience of the slides, either, though with a data source as rich as all of Gmail, presumably there'd be tons of analysts capable of accessing it or else it would just be a waste.


I don't follow. Larry Page and Google's General Counsel jointly signed the denial.


Hypothesis: Page was lying; the General Counsel was in the dark for plausible deniability and genuinely believes to this day that PRISM doesn't exist, at least not in a way that involves Google.

I don't see this hypothesis as being anywhere outside the wheelhouse of the NSA. Even outright infiltration (i.e. the hypothesis that not even Page is in the know) is, well, kind of the point of intelligence services, but it's not necessary.


This is just innuendo.


You're overcommitted to the hypothesis that Google is completely uninvolved based on their own denials which carry close to zero informational value.


Given that your hypothesis is rather outlandish even by the NSA's own slides (which explicitly mention 702 compliance) and would require more Google employees than Page to know and willingly lie about it, I don't see why it should take priority over a hypothesis that actually meets all the Occam wickets.


Note that I am not taking sides in this argument in this particular reply, but the PRISM referred to in the leaked manuals appears to be an entirely separate program, for managing responses to emergency events.


I understood there to be references to both; to other DOD programs called "PRISM", and to programs called "PRISM" that probably are the NSA program. Other DoD agencies are clients of NSA.


Just to pick a nit, I assume by "Chief Architect" you mean Yonatan Zunger. He's the chief architect of Google Plus, not of Google at large. While I do value his public statements, he doesn't really have responsibility for the great majority of the systems where we-the-public care about surveillance.

Your point, though, absolutely stands.


china seemingly managed it. why wouldn't the nsa have an easier time at it?


Am I missing something? The telcos control many of the internet backbones, and Email isn't encrypted. If the telcos give you unrestricted access, it seems trivial to harvest the contents of email.

FWIR, Google enforcing HTTPS connections to gmail is pretty recent as well: since firesheep, so that's another vector for someone who can read data from the wires.


Email is encrypted, far more often than you think it is. If you send email to someone else at Google Mail via Google Mail, your message is never on the Internet except in a retail-level TLS connection to Google Mail. If you send email via Google Mail to someone at some other email provider and that provider does SMTP+TLS, it's also never on the Internet in plaintext.


It's true, email is mostly transmitted over TLS.

But I'd be very reluctant to conclude that the NSA doesn't have clear-text for the vast majority of email that gets sent.

Google and other email providers have denied giving the NSA access to their servers, but if you think about it, that would be a lousy way to share data with the NSA, from a purely technical point of view. A company like Google is going to be constantly evolving their infrastructure. Giving the NSA direct access to the servers hampers that, because they'd have to break compatibility with whatever client software the NSA is using. It'd be easier to just send copies of all email that moves in and out of their system to the NSA and let them sort out how to process it. That would be more convenient for the NSA too.

Beyond that, all the denials issued by Google, Facebook et al mention that they do provide the government with information as required by law. We know that there are secret laws at work here, and if the law requires companies hand over everything, then that's what they're doing. They may even be required to lie about it. They're definitely absolved of any legal liability for doing so. I don't doubt that internet companies try to protect their users' privacy as much as they can, but that may amount to "not at all" where the U.S. government is concerned.


No, as 'DannyBee has been at pains to point out, no federal statute ever obligates anyone to lie about anything.


The law is more than the statutes. The rulings of the Foreign Intelligence Surveillance Court are classified, so we don't know how the statutes are being interpreted and applied. We do know, however, that the executive has a history of using bizarre legal theories to skirt the spirit of the law.

But even if Google isn't obligated to lie, it might still be lying.

Maybe Google is lying, not because it's obligated to by the law, but because it's immune from the consequences of lying and the government is leaning on them in other ways.

Maybe Google is afraid of the backlash that will follow if they don't lie.

Maybe Google has carefully written their denials to be technically true, but still hide the real extent of the data they're giving to the NSA. This was my original point, which you completely ignored.

And yes, maybe Google is being completely forthright.

We have very little information, and information we do have may be wrong. Given that, I don't think it's wise to conclude that transmitting email over an encrypted channel is enough to keep out of the hands of the NSA.


If Justin Schuh is lying about anything that's happening at Google, I'll videotape myself eating a dirty sock.


I'll be happy to supply the sock.

> NSA doesn't have Google's private key.

And socks come in pairs.


What a classy comment, Jacques.


Get well soon Thomas, maybe you'll find your sense of humour again.


A copy of Google's SSL private keys, provided they don't use cipher modes that provide forward secrecy, would suffice if they'd already tapped all the transit fibers (though not gmail-to-gmail).


A copy of Google's private keys would be a more outrageous and damning discovery than NSA somehow having direct access to Google's servers. NSA doesn't have Google's private key.


First, most SMTP travels without encryption.

Second, it's unfathomable to me to imagine the NSA isn't doing their damnedest to obtain all private keys. I have no idea how many they do have, but it seems foolish to assume they don't have a specific private key.

Why do you think the NSA would regard private keys as some kind of sacred ground? For example, they could go after it the same way the Chinese do - phishing attacks against employees. They most certainly use those techniques outside the US, how can you be sure they don't within the US?

I could never pretend to be sure they -are- doing it, but it seems a lot more difficult to be sure they -are not-.


Most SMTP does, but does most SMTP that originates or terminates at Google Mail? I don't think so.

(Here it's worth noting that mail between Google Mail users doesn't ever hit the public Internet in plaintext SMTP).

I do not think it's unfathomable that NSA has Google Mail's public key. I do think it's unfathomable that, having illicitly obtained that key, their possession of it wouldn't be one of the most closely guarded secrets in the agency.


Thank you for acknowledging that it is fathomable that NSA has Google Mail's keymatter, and that if they do, it would be one of the most closely guarded secrets in the agency, something they would burn other programs, and make other cover stories, to obscure.

The term "direct access" may have been fuzzy speak, and indicative of an "impedance mismatch" between what different concentric layers of the NSA know. The author of the PRISM deck understood it to be "direct access" based on what he'd been told, and the low-lag operation he'd seen. But perhaps that was still FISA-order based, just really fast: an analyst flags a name at their terminal. The name is forwarded to Google and the FISA court. Google does its "review" but knows a request of exactly this specific form always wins -- they don't get to challenge the reasons for the request, which they don't even see. Now it's 'reviewed', the SFTP dumps begin... but they aren't one-time, but perhaps daily... or even hourly or faster... to keep up with the target's ongoing mail activity. (They didn't go through the trouble of using one of their thousands of requests just to get old activity, did they?) To the PRISM deck authors, that still feels like "direct access" – and colloquially, it is.

But given compartmentalization within the NSA, what if some of the data is arriving via another, deeper capability? The PRISM deck author, the average analyst may just think it's from the other process. It's not their business to know more; the rows/records appear in their tool, and they get on with their work, happy for the bounty of info from other 'acquisition' programs which sometimes (often!) work in mysterious ways.


Since there's already a program (Ambinder reported on it) called PRISM that pertains to dropboxes used to handle data from FISA requests, Occam's Razor tells me that it's more likely that the slide deck author was referring to direct access to these dropboxes than it is that NSA would somehow have allowed it to become common knowledge within NSA that they had a capability to unilaterally take data from Google Mail.


Occam's Razor? Really? No question of trust enters your mind?


What percentage of email stays within gmail?

Main point - I'd be willing to bet that the NSA collects as many private keys as it can. Can't prove it, don't need to. I'll conduct myself as if they have all the private keys. That's a loss of freedom, and that's not what the authors of the fourth amendment intended.


Some percentage. It's also been reported that one tactic used by terrorists or suspected terrorists was to share a login to an email account - editing unsent messages that live on the email provider's servers in draft mode. Email monitoring won't catch those.

The same technique used by former CIA Director David Petraeus and Paula Broadwell to communicate.


Plaintext mail is only encrypted in transit when both endpoints are using encryption. Google cannot transmit secure messages to an insecure endpoint because the endpoint wouldn't know what to do with them. I think nobody knows what percentage of Gmail gets sent to foreign servers without encryption, similarly for received messages, but I am surprised by the claim that most SMTP is unencrypted.


We agree that there is no magic that makes TLS work for SMTP servers that don't support TLS.


So is your logic basically that even if most SMTP is unencrypted, that doesn't affect most Gmail because most Gmail is sent between Gmail accounts? If that isn't your logic, and we discount internal mail, I cannot understand how the majority of mail originating or terminating at Google would be encrypted, provided the claim that most SMTP is unencrypted is also true. Further pedantry, SSL can be used instead of TLS.


SMTP between Google Mail and any server that supports TLS SMTP is encrypted. We seem to have identified one case --- inbound SMTP to a Yahoo MX --- where that TLS connection doesn't happen.

SSL and TLS are for the purposes of this discussion the same thing; the distinction between the two is actually less important in SMTP than it is with HTTP.



You keep confidently asserting that, but many of the exact same compartmentalization and security procedures which protect the private keymatter also make a secret private key disclosure easier to keep hidden.

How would we know otherwise?

As you note, that "would be a more outrageous and damning discovery" - so there's more incentive to keep it closely held. It would help the NSA do what it feels it must, simply by using its other network taps. And, it would help minimize the risk of discovery without involving extra employees and ongoing connections, all while retaining the ability for Page/Drummond/etc to deny involvement.

Those add up to making a key compromise more attractive for NSA and Google than the alternatives.


TLS client authentication allows the server to detect when an active MITM attempts to get into the connection[1]. This means that if you hold the theory that the NSA is acting as a MITM with Google's private keys, you also have to assume that they know they'll be detected the second anyone tries to use a client certificate to connect.

[1] http://security.stackexchange.com/questions/26142/do-client-...


If you have the key from the server, and it's not using a cipher suite that supports forward secrecy, then you do not need to actively MITM to decrypt the traffic. All you need is the long term key and the intercepts. You can then decrypt the session key from the initial connection setup.

This is why the DHE/EDH modes exist. It uses DH to agree on a session key, then uses the long term key just to ensure the DH agreement hasn't been actively mitm'd. The session key is never transmitted or permanently stored, so once the connection cache expires, nobody can decrypt retroactively, not even the parties to the conversation.


It'd also be vastly easier to do once, covertly, and then keep secret, versus a live connection that mirrors them the plaintext copies. I'm not so sure they wouldn't just do both.


You're saying that despite the fact that everyone who hits Google Mail with Chrome uses a ciphersuite for which Google's private RSA key only works if you actively man-in-the-middle the connection, no matter how many hard drives you have in Utah, that NSA stole Google's private key, and then (I repeat:) documented that fact in a slide deck for NSA analysts?

You could more easily and credibly argue that NSA has solved the conventional discrete log problem.


I think you may be forgetting that it's not all-or-nothing. Not everyone uses Chrome.

I can't speak to a slide deck; we've only seen some slides for one program (PRISM). I am quite sure that NSA has several different programs variously encompassing collection and decryption. Hopefully in the next few days or weeks we'll see details about more of them.

I don't think it's beyond the realm of possibility for a nation-state adversary with a ca. $10bn annual budget (that happens to be the same country where Google lives) to get a copy of Google's key, no.


Far more than enough people use Chrome (or a different browser with cert pinning) with GMail that such an activity by the NSA would already have been tripped.

This is how other hacked SSL certs have been caught in the wild, remember? Do you think Iran has more GMail users than the U.S.?

Even my own S/MIME private key the NSA wouldn't be able to get a hold of without actually having to take my smartcard, and I'd certainly notice that.

Either way, there's something that the NSA has actually screwed up so I'm honestly a bit surprised that people are still arguing so much about a FISA compliance API. That horse is already essentially dead and buried. So dead and buried that others are saying that tptacek is tearing down a strawman for still mentioning it...


I am talking about entirely passive, offline decryption attacks, not MITM. Think beam splitters.

I'm sure there are browsers out there that won't negotiate PFS DHE modes with Google (which were only enabled a year ago serverside anyway). NSA has had long-haul and undersea fibers tapped for many years.

Cert pinning won't help because it's not MITM.


Then we should definitely consider DDG, a much smaller company in the same country, sharing its keys with NSA. They too might be under some gag order that not only stops them from saying that they are compromised but also gagged to say that their users are anonymous so that all the terrorists, law breakers and cheating husbands use this service because of a false sense of security. It is not beyond the realm of possibility.

But everything that is plausible is not probable.


Again, just to keep stomping on this bit of urban legendry: while courts can issue gag orders for FISA directives, they cannot compel people to lie.


And I agree with it. I was addressing a different view altogether. There seems to be a very widespread paranoia that the worst possible event is the one that is occurring and that all entities but the user are collaborating willingly to make it happen. What is surprising is that most of the people here are US citizens who at least have some of their rights intact, enough for the companies to fight back as they have publicly acknowledged that they do to as much extent as possible. I am more worried about the legal requests from US government for data about non US citizens. Does there even exist a legal system to prevent mass unmonitored snooping on them?


> Then we should definitely consider DDG, a much smaller company in the same country, sharing its keys with NSA.

Do we not? The only reason to think that the situation for Google and DDG is different is that DDG may be insignificant enough to ignore.


> provided they don't use cipher modes that provide forward secrecy

They use a PFS cipher spec: http://googleonlinesecurity.blogspot.com/2011/11/protecting-...


For HTTPS. I will bet you they don't use perfect forward secrecy for TLS with SMTP traffic. Not because they don't want to, but because it likely isn't supported for a huge set of the servers they connect to. A large number of SSL terminators/accelerators that e.g. Microsoft uses don't likely support it, and who knows about other stuff.


They do use PFS for TLS with SMTP traffic when the server on the other end supports it.


Is the relay of mail between, say, Yahoo and Gmail using strong crypto? (I'm curious; I thought not but I haven't been keeping up on bulk email interchange practices.)


It's not, see my comment here: https://news.ycombinator.com/item?id=5886826


I believe so, yes.


I can't find a reference and until recently would have assumed it was unencrypted SMTP like the olden days.

What gives you that belief, and if it's TLS-secured, would you assume it has the same forward-security as (eg) Chrome-to-Gmail? Or might it be something else, because it happens out of sight, that is a little behind-the-times?


Here is a data point; take it for what it's worth.

I run my own email service (Postfix) on 4 different domains. TLS is properly configured on all of my mailhosts, using certificates issued by StartCom. My servers routinely receive mail from Google, Apple, Yahoo, GNU, and other major email providers. Most of the messages are from various mailing lists.

I occasionally peruse the mail logs, and in the last 3 years, at least, I have never seen an unencrypted SMTP connection. I'm not saying it never happens, I've just never seen it. The most common protocol is TLSv1 with a variant of AES (nearly always 256-bit). Apple's listservs use TLSv1 with 128-bit RC4-MD5, but they're the exception.


You're seeing Yahoo inbounds with TLS enabled? Because the service posted downthread seems to show that Yahoo won't accept inbound mail with TLS.


> Edit: sorry, I reversed the polarity wrt. your question. This confirms the other finding, i.e., Yahoo sends via TLS but doesn't accept.

I am. I sent this message to my personal domain from my Yahoo Mail account just now:

  Jun 16 01:46:01 shell postfix/smtpd[29319]: connect from nm4-vm6.bullet.mail.gq1.yahoo.com[98.136.218.165]
  Jun 16 01:46:01 shell postfix/smtpd[29319]: Anonymous TLS connection established from nm4-vm6.bullet.mail.gq1.yahoo.com[98.136.218.165]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

However, it appears that Yahoo's MX did not accept TLS for my outbound reply. That's concerning....
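
An added example, not part of any comment in this thread: the mail-log check described in the two comments above, combined with the forward-secrecy distinction made earlier in the discussion (DHE/EDH key exchange versus a session key recoverable from the server's long-term key). The first two sample log lines are the ones quoted above; every other line, the hostnames `lists.example.org` and `relay.example.net`, and the three class labels are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-2 are the log lines quoted in the post above. All other lines are
# constructed for this example (documentation-range hosts and addresses).
# Assumption: the "TLS connection established" summary line is enabled, which
# Postfix logs when smtpd_tls_loglevel is 1 or higher.
SAMPLE_LOG = """\
Jun 16 01:46:01 shell postfix/smtpd[29319]: connect from nm4-vm6.bullet.mail.gq1.yahoo.com[98.136.218.165]
Jun 16 01:46:01 shell postfix/smtpd[29319]: Anonymous TLS connection established from nm4-vm6.bullet.mail.gq1.yahoo.com[98.136.218.165]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 01:46:03 shell postfix/smtpd[29319]: disconnect from nm4-vm6.bullet.mail.gq1.yahoo.com[98.136.218.165]
Jun 16 02:10:11 shell postfix/smtpd[29402]: connect from lists.example.org[192.0.2.25]
Jun 16 02:10:11 shell postfix/smtpd[29402]: Anonymous TLS connection established from lists.example.org[192.0.2.25]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun 16 02:10:12 shell postfix/smtpd[29402]: disconnect from lists.example.org[192.0.2.25]
Jun 16 02:31:40 shell postfix/smtpd[29455]: connect from relay.example.net[203.0.113.7]
Jun 16 02:31:41 shell postfix/smtpd[29455]: disconnect from relay.example.net[203.0.113.7]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
CONNECT_RE = re.compile(r"^connect from " + PEER)
TLS_RE = re.compile(
    r"TLS connection established from " + PEER
    + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
DISCONNECT_RE = re.compile(r"^disconnect from ")

# OpenSSL cipher names put the key exchange first. These prefixes all mean an
# ephemeral Diffie-Hellman exchange, so a recorded session cannot be decrypted
# later with the server's long-term key. ADH/AECDH are unauthenticated, which
# matters against an active attacker but not for passive recording.
FS_PREFIXES = ("DHE-", "ECDHE-", "EDH-", "ADH-", "AECDH-")


def is_forward_secret(proto, cipher):
    """True if the negotiated suite uses an ephemeral key exchange."""
    if proto == "TLSv1.3":
        # TLS 1.3 full handshakes always use ephemeral (EC)DHE. PSK-only
        # resumption cannot be told apart from this log line.
        return True
    return cipher.startswith(FS_PREFIXES)


def classify(session):
    """Label a session 'plaintext', 'tls-no-fs' or 'tls-fs'."""
    if session["cipher"] is None:
        return "plaintext"
    if is_forward_secret(session["proto"], session["cipher"]):
        return "tls-fs"
    return "tls-no-fs"


def parse_sessions(text):
    """Group smtpd log lines into inbound sessions, keyed by process id.

    One smtpd process serves one connection at a time, so the pid identifies
    the session between its 'connect' and 'disconnect' lines.
    """
    open_sessions, done = {}, []
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            if pid in open_sessions:  # disconnect line was missing
                done.append(open_sessions.pop(pid))
            open_sessions[pid] = {"host": c.group("host"), "ip": c.group("ip"),
                                  "proto": None, "cipher": None}
            continue
        t = TLS_RE.search(msg)
        if t and pid in open_sessions:
            open_sessions[pid].update(proto=t.group("proto"),
                                      cipher=t.group("cipher"))
            continue
        if DISCONNECT_RE.match(msg) and pid in open_sessions:
            done.append(open_sessions.pop(pid))
    done.extend(open_sessions.values())  # sessions still open at end of log
    for s in done:
        s["klass"] = classify(s)
    return done


def summarize(sessions):
    """Count sessions per class."""
    return Counter(s["klass"] for s in sessions)


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f'{s["klass"]:10} {s["host"]} {s["proto"] or "-"} {s["cipher"] or "-"}')
```

A session with no TLS line between its connect and disconnect never completed STARTTLS, which is the case the commenter says he has not seen on his own servers.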


We've† already verified this downthread; I'm wrong about Yahoo (they do TLS for their retail SMTP servers but not for MX's), but Google does indeed do TLS on their servers.

Where by "we" I mean "the guy who isn't me that found the app that gives you the SSL connection details for arbitrary SMTP addresses"


Thanks, so it seems likely that Gmail->Yahoo email is in plaintext.

That Google will "do TLS" is ambiguous. Are we sure Yahoo attempts TLS on their SMTP-connect to Google's MX? It seems unlikely if they don't support it on their own receives, and also unlikely that Gmail would reject all non-TLS SMTP.

If so, NSA wouldn't need Google or Yahoo's private key to record the plaintext of all email between them. And if the Google<->Yahoo interchange is representative, plenty of other email to or from Gmail will be similarly transparent.


From the 'dhess comment downthread it looks like it's possible that Yahoo does TLS outbound but not inbound. Google, it seems, does both.


tptacek why are you always defending ridiculous statements and behavior by the US administration and spy agencies? You seem willing to bend over backwards (or is it forwards) to justify any statement from the authorities but will attack the tiniest issue in a fellow HNer's post.

Have you and/or your company ever worked for them? If so it would explain a lot.


We do no work whatsoever for the USG, or for any defense contractors. That's not an accident. There are other software security firms that do; Matasano does not.

Once again: I am not sticking up for NSA. I do not trust NSA. I probably share your opinion of NSA, modulo I might not mythologize their capabilities as much as other people on HN do.

I am sticking up for Google. I have friends who work there. I think very highly of their security group. From my vantage point, Google is in this instance fighting for the privacy of their users, at great expense, and getting shellacked in online forums by people who are happy to use the outrage over NSA overreach to tar Google, especially since Glenn Greenwald more or less defamed them in print.


When you say "that's not an accident" do you mean to imply you'd have ethical objections to it?

As you are one of the three most common defenders of the state that I have noticed on this site, that would be very surprising to me. But quite interesting if so, it would be some indication that your perspective on the issues and seeming constant defense is an indication of spiraling paranoia in counterparties to your arguments. Is this how you see it?


Yes, I have an ethical problem with doing the kind of work I do for defense contractors or for the USG. I'm not saying that doing work for USG, or even software security work for them, or even offensive software security for them is prima facie unethical; I only know that I don't feel qualified to navigate the ethical quagmire, and thankfully am not required to do so.

I'm also not a defender of the state. However, of the subset of HN users who are noisy enough to remember by name, I'm probably the most statist; believing in the utility of law enforcement probably puts me just slightly to the left of center among noisy HN'ers.

In the real world, I'm a liberal.

Be careful about assuming that you know what's in the heads of other people just from how they comment on HN. The things that spark arguments on HN aren't a realistic cross-section of policy debates in the real world.


That's why I seek to clarify, I know I don't know what's in your head. All I can know is what I see.

For the record, there is no doubt in my mind that rayiner is a hell of a lot more of a statist than you.


Presumably doing Matasano-type appsec work for DoD if it were for internal DoD software would be fine (i.e. making sure the VA's medical records system is relatively secure against outside threats)?


We don't do work like that.


I've had my differences with <tptacek> in the past -- I think polite disagreements over policy -- but he is quite correct here in what he says about Google.


I doubt that he has a professional conflict in this case. He is nothing if not consistent, his point of view here is exactly what you would expect from reading his past posts on other issues.


I think that the (theoretical) MITM attack is played out not between the user and google, but google and the other email provider. For example, a person on gmail sending mail to a yahoo account could be compromised when google talks to yahoo.

EDIT: Yahoo does NOT use TLS SMTP [1]. Also, Gmail fails Cert verification... [1]

[1] http://www.checktls.com/perl/TestReceiver.pl


Google uses TLS SMTP.

Later

Nice catch. I based the Yahoo thing off message board posts with people getting TLS SMTP working, but from their mail clients, not server-to-server.

The Google Mail certificates don't validate because their hostname doesn't exactly match the host for which the certificate was issued ("mx.google.com"). I don't think that's a huge problem in practice.


If it's true, 'not good' is a very understated way of putting it. On the other hand, if there's anything this whole clusterfuck has reiterated, it is that it's best to be wary of uncorroborated, single-source statements. So far, the only source for this appears to be Congressman Jerrold Nadler.


> To have the email of arbitrary Americans without a warrant, the NSA would need direct access to the servers that run Google Mail.

Not really. They would only need to get every incoming and outgoing e-mail forwarded/copied to one of their servers. That's not strictly "direct access to Google's servers". At least for incoming e-mails, it would also simply suffice to listen in on some backbone node while having access to Google's private keys to circumvent the TLS encryption (let's ask Larry about those instead).


> To have the email of arbitrary Americans without a warrant, the NSA would need direct access to the servers that run Google Mail.

Or Google could provide the NSA a copy of the data.


I agree with you on everything.

However, on the strict point of "metadata" (which would mean IP, time, and little more, but anyway, data), and only guessing, splitters would be useful, would they not? and at the same time make the "direct access" negation stand true, if I read correctly?

I know you are fighting a different battle (that Snowden does not mean this and he is wrong, on which I tend to agree more or less) but this idea would also be useful for the Gov't and not that much of a deal to implement.

Even more, come to think of it, this might be done at the Telcos level, might it not?

EDIT: Just realized this would only give one end of the communication, so not THAT useful, I guess. I see.

EDIT2: Well, with some analysis and some luck you might get the size of a mail, with care and timing and then with more statistics get an idea of who (IP) may have read it when (albeit just STATISTICALLY) but you may get lucky...


> I'm not seeing how we get from there to the contents of email. To have the email of arbitrary Americans without a warrant, the NSA would need direct access to the servers that run Google Mail.

Couldn't the NSA sniff packets at the major internet hubs like MAE-West and MAE-East? I assume most email is sent as cleartext after it leaves Google's servers. Even if intermediate hops were encrypted, the NSA could easily man-in-the-middle any servers they wanted. I'm sure CAs like VeriSign would be happy to do their patriotic duty issuing forged certificates.


THE MAN in the middle


A huge portion of all Google Mail connections can't be MITM'd even if NSA has an SSL CA banked, because Google baked the identity of their public key into their browser (using public key pinning).

File that under "things you don't do if your goal is to cooperate with NSA surveillance", by the way.


It would be possible to backdoor the SSL offload devices such that passively intercepted connections were decryptable.

The revelations of the past week seem to put this category of idea back on the map.


They can get all unencrypted SMTP messages which means they can get all messages between gmail and outside mail servers. They would only be missing internal gmail to gmail messages.


No they can't. Google's MX's do TLS too.


Gallup should do a new poll: "Do you support or oppose NSA analysts being able to decide, on their own suspicion, to listen to domestic calls, before any warrants for those specific calls are issued? Please state your answer slowly and clearly for the NSA recording devices."


So did Obama blatantly lie to us in his statement, or is he not aware what's going on? I have to think, if they admitted it to Congress, Obama had to know.


Either way, he's failed in his duty.


He said they weren't listening in on calls from Americans, not that they couldn't.


This really is becoming like 1984. First we had a president arguing about the meaning of "is". Next we get the DIA lying to Congress saying "No" when the truth was "Yes" and then when caught explaining he answered in the "least untruthful manner".

Now when our president says [1]:

"nobody is listening to your telephone calls"

"if the intelligence community then actually wants to listen to a phone call, they’ve got to go back to a federal judge"

"nobody’s listening to the content of people’s phone calls"

"do not involve listening to people’s phone calls, do not involve reading the emails of U.S. citizens or U.S. residents, absent further action by a federal court"

It actually means this [2]:

"If the NSA wants 'to listen to the phone,' an analyst's decision is sufficient, without any other legal authorization required"

[1] http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2...

[2] http://news.cnet.com/8301-13578_3-57589495-38/nsa-admits-lis...


“The National Security Agency does not listen to Americans’ phone calls and it is not reading Americans’ emails. None of these programs allow that,” -Rep. Mike Rogers, R-Mich., chair of the House Intelligence Committee.

http://abcnews.go.com/blogs/politics/2013/06/intelligence-co...


It is possible for that to be true, too: that to the best of anyone's knowledge, even though NSA retains the capability to listen to arbitrary calls, it has used that capability only in instances where they are reasonably certain that the calls weren't from Americans.

(Although half the site seems to think I'm an NSA supporter, here I'll again make it clear that the telco access NSA seems to have is an extremely bad thing.)


How about this one ... keyword: "in the United States" which I guess means that it's either a lie, or they capture data outside the United States.

http://www.youtube.com/watch?v=oYNXVgYhPOc&feature=youtu.be


Shia LaBeouf claims to have listened to a phone call he'd made years prior, replayed to him by an FBI agent: http://www.youtube.com/watch?v=3ux1hpLvqMw

Former FBI Agent Denies He Gave Shia LaBeouf a Recording of an Old Phone Call: http://www.breitbart.com/InstaBlog/2013/06/12/Former-FBI-Age...

If you're going to make up a story - why would you come up with the whole 'two years ago' twist? It's a detail that makes no sense to fabricate unless it actually happened.


This will play out exactly like the waterboarding thing:

1. The journalists probably already warned the administration about this stuff a couple of months ago.

2. In the near future, the wh press secretary releases a statement about how this is already old news and how the prez already put a halt to this back in February (or whatever) which explains how all the recent statements by wh and Google etc can be truthful.

3. NSA spooks spend the next 5 years whining internally how they can't do their jobs anymore because of all the bothersome warrants.

4. The next top secret program is started in 2018 that does away with all the "cumbersome" oversight.


Why are we only hearing about this now? From the House Judiciary Committee meeting on THURSDAY where Nadler questions FBI Director Mueller:

NADLER: You wanted to listen to the phone?

MUELLER: Then you have to get a special — a particularized order from...

NADLER: Particularized...

MUELLER: ... the FISA court directed at that particular phone of that particular individual.

NADLER: Now is the answer you just gave me classified...

MUELLER: Is what?

NADLER: The answer you just gave me classified in any way?

MUELLER: I don't think so.

NADLER: OK, then I can ask the — then I can say the following: We heard precisely the opposite at the briefing the other day. We heard precisely that you could get the specific information from that telephone simply based on an analyst deciding that, and you didn't need a new warrant. In other words, what you just said is incorrect. So there's a conflict...

MUELLER: I'm not certain that it's the same answer to the same question. I'm sorry, I didn't mean to...

NADLER: Well, I asked the question both times, and I think it's the same question. So maybe you'd better go back and check, because someone was incorrect.

http://www.c-spanvideo.org/clip/4456141


Why is Snowden a traitor but Nadler not? Did Nadler not just go to the press with information that was part of a secret NSA briefing?


I'm also quite curious about this. The article doesn't even seem to acknowledge the fact that Nadler disclosed supposedly classified information. The only thing I can surmise is that a "classified briefing" may contain unclassified information:

    Rep. Nadler's disclosure that NSA analysts can listen to calls without 
    court orders came during a House Judiciary hearing on Thursday that included 
    FBI director Robert Mueller as a witness.
        
    Mueller initially sought to downplay concerns about NSA surveillance by 
    claiming that, to listen to a phone call, the government would need to seek "a 
    special, a particularized order from the FISA court directed at that particular 
    phone of that particular individual."
        
    Is information about that procedure "classified in any way?" Nadler asked.
        
    "I don't think so," Mueller replied.
        
    "Then I can say the following," Nadler said. "We heard precisely the 
    opposite at the briefing the other day. We heard precisely that you could get 
    the specific information from that telephone simply based on an analyst 
    deciding that...In other words, what you just said is incorrect. So there's a 
    conflict."


Because he's a lawyer cross-examining a witness.

Video: http://www.c-spanvideo.org/clip/4456141

From TFA: Mueller initially sought to downplay concerns about NSA surveillance by claiming that, to listen to a phone call, the government would need to seek "a special, a particularized order from the FISA court directed at that particular phone of that particular individual." Is information about that procedure "classified in any way?" Nadler asked. "I don't think so," Mueller replied. "Then I can say the following," Nadler said. "We heard precisely the opposite at the briefing the other day. We heard precisely that you could get the specific information from that telephone simply based on an analyst deciding that...In other words, what you just said is incorrect. So there's a conflict."


Nadler is a U.S. Congressman, Snowden is an IT grunt?


Congresspeople have immunity for anything they say on the House floor barring treason. Mike Gravel read Ellsberg's Pentagon Papers into the Congressional Record in the '70s.


> Congresspeople have immunity for anything they say on the House floor barring treason.

This is true all up until the "barring treason" part, which is incorrect.

Congresspeople have immunity for anything they say on the floor, additionally, they can't be arrested while attending a session except on charges of treason, felony, or "breach of peace". [1]

A lot of people in recent discussions on HN have been confusing the exception that allows them to be arrested on certain basis while they are attending session as an exception to the immunity for legislative acts.

[1] US Constitution, Article I, Sec. 6, Clause 1.


So now we have a single node from which all electronic forms of human communication can be read, listened to and analyzed. The decisions of any and all businessmen in the running of their financial empires, the conversations of all persons as they speak to their stockbroker, their mistress or their business colleague. And I am told to believe that this situation is OK, is normal, and that nothing untoward will be done with all of this information.

Yet I know that if I had access to this information I could make billions of dollars (e.g., by shorting stocks or by buying businesses or commodities), alter the lives of people who I do not like (e.g., get them fired for their hidden or unhidden human weaknesses), destroy entire organizations by revealing the contents of their communications to a selective person or persons. The list of possibilities is almost infinite and I cannot, do not, will not believe that such actions not only are possible, but have already happened and indeed are happening at this very moment.

The Roman Terence said: "Homo sum, humani nihil a me alienum puto", that is "I am a human being, I consider nothing that is human alien to me."

PRISM must be dismantled, its backup volumes destroyed, its creators punished. But we will never likely be able to put it back into Pandora's box: there will always be someone who saves a hard drive or a backup tape cartridge and who will sell it to the highest bidder. We will have to declare new laws rendering these acts illegal. We will have to hunt illegal data gatherers down and punish them the old-fashioned way using humans, knives, blood, sweat and tears.


"Nobody is listening to your phone calls." Oh, I presume that Obama was just addressing every American whose phone calls had not been listened to. This is outrageous, baffling. Somebody correct me if I'm wrong, but Obama did just outright lie about it, right?


My guess: they realize they are up shit creek because Snowden is about to leak further details of that too. And they hope to soften the blow.


Doesn't seem like they will get very far trying to paddle out without flinging shit elsewhere…



>"That law says surveillance may be authorized by the attorney general and director of national intelligence without prior approval by the secret Foreign Intelligence Surveillance Court, as long as minimization requirements and general procedures blessed by the court are followed. "

So the numbers we recently got from Facebook and Microsoft don't mean anything.


No, I don't think it means that. As I understand it ('declan could correct me), a court order isn't required to issue a collection directive under FISA, but one is required to enforce such an order.


Thank you Mr. Snowden. Here it comes. Strap in!


I am confused by this particular piece of disclosure.

Who is disclosing it? CNET or Rep. Darrel?

If Rep. Darrel said it....why do they need comment? If he isn't disclosing it, how did CNET come by this statement?

This is quite confusing.


This cleared it up for me: http://www.c-spanvideo.org/clip/4456141 *

* - Originally posted by marshray. https://news.ycombinator.com/item?id=5886860


Wow....thanks for this.

That is just.....why was this not picked up from before?


Exactly what I was thinking. Not sure.


Declan, there seems to be skepticism[0] about this story in some quarters. Could you address the concern that Jerry Nadler is simply confused about what he heard?

[0] https://twitter.com/AntDeRosa/status/346072065893355520 & https://twitter.com/BuzzFeedAndrew/status/346072058234540034 for example


There is one huge reason why this isn't as scary as it could be:

Tabloids.

If you read through the Tabloids, there is no doubt that some of the stuff in there is slightly true. But you, as the reader, have really no way of knowing what is true or not. So just the fact you have all this information really puts you in the same position of not having any information--not knowing what to believe is almost as bad a problem as not knowing at all. So you are really forced to ignore most of it.

Now, the NSA can read everything you say/write/browse/whatever. Ok, well, what about the people who know that someone is listening so they intentionally create fake stories? Part of being a good criminal or anything is misdirection. Maybe you portray over email (for, get this, years) that you have hideouts at x, and you are good at y technology, and you associate with z people---but in reality you only ever say meaningful stuff in person. Anyone doing anything actually wrong is doing this anyways. That's why there are private code languages in the first place.

So, no, the power is not in the hands of who can listen, it's in the hands of who can deceive--which is you.


Wait - what? Isn't it our leaders' consistent position that "listening" without a specific warrant is wrong? Now I am really confused.


This is just an unusually stark demonstration of how it really works: One party stakes out a set of statements and positions with which it will pander to a portion of the population, and then actually do WTF ever they want. Another party stakes out a different set of statements and positions with which it will pander to a different portion of the population, and then do WTF ever they want to do. What both parties want to do is often surprisingly the same.

We let them know what we want to be told, and then they cleverly tell it to us.


Well, clearly they thought that they could keep you in the dark about the fact that what they can do without a warrant actually extends this far. Obama's credibility is at an all-time low.


That's their position, yes, and was even the position Mueller gave in the unclassified briefing right before the Senator told him there was a conflict in what was said.

I suspect that in the classified briefing the Senator was told something to the effect that phone calls are recorded without a warrant, possibly even that an analyst could flag someone's phone number to be recorded. Presumably whoever was giving the brief failed to make clear that the analyst would need a warrant to listen to the call, as I didn't see in the linked article a direct mention that the analyst could listen, only "tap in".

IMHO this would still run afoul of wiretapping law but certainly the difference between "collect" and "analyze" is an area where NSA has been pushing the boundaries between what is "search and seizure" and what is everything else, so it is at least consistent with their other information collection programs.


> "Rep. Jerrold Nadler, a New York Democrat, disclosed this week that during a secret briefing to members of Congress, he was told that the contents of a phone call could be accessed "simply based on an analyst deciding that.""

I wonder if this will temper the shrill cries of "this is all partisan!". Probably not.


As an extreme left-wing Democrat who opposes any attempt by government to acquire non-public information without a warrant, I must ask, what "shrill cries" are those?


As one extreme left-wing nut to another, let me suggest that you enter the word "partisan" in the search box below, sort by date, then start clicking back through the past few days.


Having now done so, I think your definition of "shrill" and mine are entirely unrelated, as are our definitions of the word "all".

I see annoyance with some clearly partisan statements and actions. I see people talking about the pathetic, even laughably bad polls done on the subject, and badly misinterpreting the statistics. And, of course, there's the idiot who decided that if half of Democrats support an action, that must mean all Democrats are mindless Obama supporters.

But I see no one suggesting that all outrage about this is partisan, much less shrilly.


I suppose you are more charitable than I am.


IMPORTANT -

regarding the 2-min video CNET bases its story on.

http://www.juliansanchez.com/2013/06/15/nadler-and-mueller-o...


In school I learned that the three powers - the legislative, judicial, and executive - are separated so that they keep each other in balance. If any two of these are held in the same hands there are no restrictions. (if you can make laws and preside over trials you may bring anyone to jail, or if you can preside over trials and execute the sentence)

That's why (IMHO) individual wiretaps with a warrant are fine. Somebody had to make a law, a judge had to weigh the facts and issue a warrant, and an FBI agent/cop/etc executes the actual tap.

In this case the NSA analyst is both the judge and the executor violating these checks and balances. Now maybe there might be temporary warrants for wider range of individuals, even t


Nadler denies the CNET story -- OOPS.

https://twitter.com/trevortimm/status/346304794970968064

-- just tweeted by Trevor Timm (Sunday, noon).


Here we have a great tool at our disposal (internet) and all we can do is use it to bitch, moan and compare notes. Surprisingly, politicians feel they can do as they please. It's a shame we cannot organize and do something about it. I wonder what effect(s) striking for a week would have? Typically solutions are of equal proportion to the problem at hand. But it's so inconvenient - I know. A less affected Hong Kong has held a rally but here those most impacted - nothing. Ughh I'm tired of reading this shit. We deserve everything we get.

Or we could take this as a challenge to see how many people we can get to strike. So much talent here... How will it end?


See? Now this is a problem. I don't see how you can interpret Court precedent and statutory law regarding telephone wiretapping to mean anything other than that you can't intercept that without a warrant.

I remember the other day saying that the "warrant canary" was far too cute to make it past a judge. This might be an even "cuter" argument... should it ever make it in front of a judge (I suspect NSA doesn't actually care about that, given that they're not generally trying to bring cases to court anyways as they'd have to give up their top secret methods on purpose).


The chain of command relies on trust, trust that officials will tell the truth to those who oversee them. It seems to me that the chain of command is broken.

NSA officials lied to the public.

They lied to Congress.

If the allegations of procedural abuse are true, they have lied to and deceived every single mechanism that has been set up to oversee and control their operation.

They have gone rogue.

If this supposition is true, their actions go beyond simple criminality. This is treachery; treason and mutiny against the people of the United States.

Let us raise the hue and cry! Traitors! Traitors in our midst!


I wonder what would happen if the US put the estimated $10 billion NSA budget into solar and other renewables and withdrew from all the countries where they are (to bring peace and democracy).


A friend of mine recently suggested that thousands of people around the world get on the phones once every week and just say words like "bomb" and "president" and "terrorist". If the US really is vacuuming up the actual audio (perhaps based on live keyword/phrase analysis) it would either send their systems into overdrive or at least make it harder for these analysts to get the real information they'd be looking for.

Suddenly doesn't seem like such a crazy idea.


There seems to be some suggestion of confusion on the Representative's part about call content vs Subscriber Information, actual video here: http://www.buzzfeed.com/andrewkaczynski/video-congressman-cl... So this might not be the "gotcha" it first appears.


Most people don't realize that the NSA is about ten times larger than the CIA. This allows them to aggregate data on a scale that is unprecedented. Being such a large organization, they still don't have the manpower to process so much data. Thus, the solution is to acquire and store this data for future use. I would imagine that even they don't know exactly what they have.


In the name of protecting you:

- Your government has launched a war under false premises

- Your government already ignores Habeas Corpus (read: Gitmo)

- Your government already reserves the right to kill you without judicial consent

- Your government can already prevent you from flying without allowing much recourse for rectifying errors

- Your government is spying on your data and phone calls

Whatever happened to "O'er the land of the free and the home of the brave"


If "anything you say will be used against you", does it mean everyone is under arrest, we just don't know it yet?


You can argue about metadata and the third party doctrine, but this is completely against the Fourth Amendment. Unless you're going to say that phone conversations should not be considered 'papers and effects'. Or unless the phone companies themselves are recording the calls and keeping them around, which seems highly unlikely.


...the cost to store all domestic phone calls a year in cloud storage for data-mining purposes would be about $27 million per year...

Ah, so that's why China has overtaken the USA in the computing power race... Wasting money on spying instead of building better computers.

All who support these abuses of our Bill of Rights should be ashamed of themselves.


On a related note, it seems that journalists are listening in all kinds of "secret briefings" of the US government.


I suggest watching the CSPAN video. I think they are talking about metadata.

http://www.juliansanchez.com/2013/06/15/nadler-and-mueller-o...


So, if I wanted to listen in on some phone calls, would the best course of action be to bribe one of these thousands of analysts, blackmail them, threaten them, or steal their laptop? Asking for a friend in a foreign intelligence service.


Note to author: you misspelled Brewster Kahle's name.


OK, off topic. Why are there no street protests in the U.S.? Or no one cares?


You know spies... a bunch of bitchy little girls...


Didn't we expect this coming?


1984 is not a how-to manual.


They should be taken to court.


Please, somebody - who knows the URL (or the HN post) wherein the guy (IIRC, a lawyer) states the 10 things the government will do to reduce the fallout from this? I'm totally freaked out because the guy was right, down to the last step, so far. One of them was, "They'll admit to something not as bad" (as a method of deflection - and think about it, most people view "listening" as something that won't affect them directly, unless the NSA hired about 250k more employees just for this task), one of them was that the government will say they were within the law (which is contradictory, of course) - happened here: http://techcrunch.com/2013/06/16/u-s-government-denies-repor... and 2 more of the steps happened in the past few days. I want to find that article, so I can spread it to everyone I know (about 10 people :)

Thanks orokusaki



