Two things about the submission title, which is currently: "WaPo: Execs From Internet Companies Acknowledge PRISM"
1. The original title for the article is "U.S., company officials: Internet surveillance does not indiscriminately mine data"
2. The excerpt that the submitted title refers to is this: "Executives at some of the participating companies, who spoke on the condition of anonymity, acknowledged the system’s existence and said it was used to share information about foreign customers with the NSA and other parts of the nation’s intelligence community."
Some, not all of the companies involved. So too soon to conclude that the public statements were lies...but Zuckerberg and Page, at the least, could be said to have lied if the companies referred to in the OP are them (both Page and Zuckerberg said that they (they as in "we") had no prior knowledge of PRISM at all)
"government employees cleared for PRISM access may “task” the system and receive results from an Internet company without further interaction with the company’s staff."
What does that mean? Does the company have any oversight over what's being requested? It doesn't sound like it. How does that square with the statements from the CEOs that each request is carefully considered and restricted?
“The server is controlled by the FBI,” an official with one of the companies said. “We do not offer a download feature from our server.”
This is a very fine distinction that doesn't matter much. Word games are being played here.
> What does that mean? Does the company have any oversight over what's being requested? It doesn't sound like it. How does that square with the statements from the CEOs that each request is carefully considered and restricted?
> The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.
So, it seems, there are Google-lawyer mechanical Turks clicking "OK" or "Contest" (or whatever) for each FISA order in the Google FISA-order queue. If the lawyer clicks "OK" it seems the requested information is slurped automatically from the Google user-data servers into the PRISM server's outbox (and/or a live data feed is set up). If the lawyer clicks "Contest" then presumably something messier and more manpower-intensive happens. A system like this raises plenty of questions - but it doesn't at all automatically conflict with or falsify what the tech CEOs said.
EDIT: Actually there's apparently a direct conflict between the NYT's version and what WaPo appears to be saying here:
> According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.
That seems to imply that there are no Google-lawyer mechanical Turks reviewing the individual FISA orders. Given that that would contradict both the NYT report and the statement from (for example) Page and Drummond http://googleblog.blogspot.ie/2013/06/what.html this is a big deal. Given the WaPo's demonstrated ability to misunderstand information from NSA sources, for the moment I'm inclined to assume that the Post has got this wrong, too - but let's see. (Another possibility might be that some companies are waving FISA orders of the form "give us the personal data of Suspect X" through automatically, while others still have a lawyer clicking "OK".)
> According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.
Could refer to queries on accounts/targets that have already been approved. In that sense, it's not much different from a traditional wiretap...once it's in place, the government investigators want the ability to monitor it continuously...the difference in this context is that this "wiretap" encompasses Internet activity, which may require active querying beyond passive listening.
Could well be. (Though I'd assume that as long as a "virtual wiretap" is in place on an individual the NSA gets a firehose of everything which happens to that user account (or at least everything the FISA order permits) and then just filters out whatever doesn't interest it.) For my part I wouldn't be surprised if "The companies cannot see the queries that are sent from the NSA to the systems installed on their premises" just turns out to mean "The connection between the on-site server and Fort Meade is protected by SSL" (and probably dedicated fibre). To someone looking at the NSA as the bad wolf here it sounds like an odd thing to emphasise, but from the perspective of an actual NSA agent the security of these off-site servers handling top-secret material (in an environment full of highly-technical leftists and libertarians!) must be an obvious concern. Just for a start, you wouldn't want anyone at Google other than the appointed lawyers taking a look at what you're requesting surveillance on... But that's just a guess of course.
> Zuckerberg and Page, at the least, could be said to have lied if the companies referred to in the OP are them (both Page and Zuckerberg said that they (they as in "we") had no prior knowledge of PRISM at all)
How so? They said they had no system for direct access, and indeed PRISM is apparently not a system for direct access. They said they hadn't heard of PRISM, but it's at least quite possible that they weren't familiar with the NSA's "PRISM" moniker, as opposed to the system itself.
This is not direct access in the sense which the Guardian and Washington Post suggested yesterday and the tech companies denied. OP is the Washington Post (which has access to the full PowerPoint) backing down from that claim, something it had already started to do yesterday http://www.forbes.com/sites/jonathanhall/2013/06/07/washingt... . In the context of the latest slide it's clear that direct collection probably means collection from the endpoint - Google, Facebook etc. - as distinct from "upstream" collection by wiretapping IP traffic through US telcos' networks.
If PRISM means the NSA has unsupervised access to any records they want from these providers, that's pretty disturbing, irrespective of word-games over the meaning of 'direct'. The scope for abuse of this sort of unregulated access rubber-stamped by a secret court is huge, and there doesn't appear to be any effective supervision as people like Clapper are happy to lie to Congress about the extent and methods of the various surveillance programs, and the companies are obliged to lie about the program and conceal its existence.
Secret court orders only apply for data related to US citizens. FISA allows warrantless surveillance of foreign powers. The amount of warrantless data these companies give out is unknown.
> The presentation claims Prism was introduced to overcome what the NSA regarded as shortcomings of Fisa warrants in tracking suspected foreign terrorists. It noted that the US has a "home-field advantage" due to housing much of the internet's architecture. But the presentation claimed "Fisa constraints restricted our home-field advantage" because Fisa required individual warrants and confirmations that both the sender and receiver of a communication were outside the US.
> "Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."
If I were a Chinese official reading this, my #1 priority would be to try to get access to PRISM.
No matter what checks and balances the US may employ to make sure legitimate access stays within bounds, any time you have an automated system, you're open to the possibility that someone can get access and automate it in ways you don't like.
Just to clarify. Prism is separate from the Verizon data dump. We're talking access to information that Google, Facebook, and other internet giants can track about you. Including emails.
China is demonstrably interested in this. When they broke into Google's network, they went straight for the private emails of Chinese dissidents. (With, apparently, much less success than they would like.) When they broke into the NY Times, they went looking for any information about dissidents that the NY times might have.
From the sounds of it, access to PRISM gives them that, all nicely gift wrapped and correlated with other signals of interest, tools to locate known associates, etc.
Why are they interested in this? The Chinese leadership apparently do not see a war with the USA as their top risk. (Though they do prepare for the possibility.) That is because they know that the USA is not in the habit of lightly invading nuclear powers which could easily level multiple US cities in retaliation. But overthrow by revolution is something they are terrified of, with good cause.
One of the things that's probably in PRISM is a list of people who are currently suspected of being Chinese agents. That's very important information if you're China.
China's also known for doing indirect attacks, where they try to compromise one system in order to get clues on how to compromise another. Having access to PRISM, depending on how it's implemented, would potentially open up access to all sorts of information collected by American tech companies. Heck, if they had access to social-graph data, they could determine who is friends with a lot of employees of the targeted company, and that would be a likely person to try to mine for trade secrets.
I wouldn't rule it out. According to the reports from early this year, China appears to be very interested in finding sources and dissidents, which is why US journalists have been hacked.
They simply don't get it: I DO NOT BELIEVE THE US GOVERNMENT HAS ANY RIGHT TO VIEW MY DATA THAT I ENTRUST TO PRIVATE COMPANIES. In the event they somehow have stumbled upon the right, I should be notified that my data has been examined.
That's great, but it's not the law. If you would like it to be the law, work on repealing the Patriot Act and rolling back the worst abuses of the post-9/11 surveillance state. Or donate to the EFF and ACLU, who have been raising alarm about these laws for over a decade.
But don't blame the companies involved. They're following the law, as laid down by duly-elected representatives. The alternative is that their executives go to jail for contempt of court.
How can you trust the US government less than private companies?
Data mining exists at every company because of its value.
I'm much more concerned that private companies (Lexis Nexis I'm looking at you) have access to so much of my data and have no obligation to inform me of what data they have.
The US government exists to protect the United States and its citizens. If we put left vs right politics aside, why is there inherit distrust of the government? What would make you trust them? More transparency?
If anybody is to blame it is Congress. As elected representatives, they should have ultimate responsibility as to what happens in this country. They should also be held liable for ALL of their actions, but good luck getting them to approve that. How can Congress enact laws that only affect themselves or give them more power? That is corruption and should be considered treason.
The purpose of all bureaucracies eventually becomes the furtherance of the bureaucracy itself. It's like a rule of nature: regardless of their stated purposes, the actual purpose of an organization eventually becomes the growth and survival of the organization. Organizations that do not follow this rule do not survive.
The incentives of private companies tend to be fairly transparent, and they can be replaced (not necessarily easily) when no longer aligned with the welfare of the public. The incentives of the government are not nearly so transparent, and there is no escaping them. That makes many people quite wary of the government.
(That said, yes, more transparency would make me much more inclined to trust them.)
How much further does the US government want/need to go before they have enough power/security to effectively and efficiently manage and protect its citizens?
I hate the idea of prosecuting whistle-blowers. On the other hand, I definitely realize the importance of protecting national secrets and information in an ongoing investigation.
In my mind, it's not a battle between the US govt and its citizens, this is a battle between nations. Some activists, political party supporters, extremists, criminals, and innocents might be targeted/embarrassed/prosecuted by these programs, and that is not only unacceptable, but disgusting. The US govt simply cannot be as transparent as citizens would like it to be because information is available globally. We do still have a significant amount of room to allow for transparency in the govt and we are slowly (too slowly) working on it, but please understand that SIGINT and foreign relations are complicated as shit. The US has its nose in every other country's business, they befriend questionable sources for information, they deceive (can't deceive another country without deceiving our own citizens), and they do what it takes to maintain world stability and US dominance in all areas (economic, information, military, "freedom").
I don't know of an easy fix-all solution. Online voting might help, that would remove power from Congress and give it back to the people.
> How can you trust the US government less than private companies?
The US government can throw me in jail, private companies cannot. The US government can sic the IRS, FBI, and Secret Service on me; private companies cannot.
Congress has a lot of the liability, but so does the President. Read up on FDR's use of the IRS and what happened to the various Tea Party groups in 2010 with 501(c)4 status[1]. This is why the expansion of federal government reach is feared.
[1] Someone will argue about the nature of 501(c)4 so just remember that Obama's reelection campaign relaunched as one to advocate for his political agenda for his 2nd term.
And, at the end of the day, if I'm not a fan of a private company's practices, however painful it might be, I can choose not to utilize their services. But as long as I live anywhere on this planet, I'm subject to the choices of my government.
What is your point about the Tea Party groups and 501(c)4? In my opinion, that is just another loophole that needs to be closed, same as religious organization tax exemption.
One side was treated differently than the other. Pure and simple failure to follow the rules. When government agencies don't follow the rules and treat all as equals then we have problems. Clearly having a 501(c)4 with a political bent isn't the problem or else Obama's reelection campaign relaunch would have seen the same scrutiny and rejection.
> In my opinion, that is just another loophole that needs to be closed, same as religious organization tax exemption
Regardless of your wish to close loopholes, the current law needs to be followed: equally and fairly. Going back to how taxes should work is a side trail and not relevant to how the government has acted against different parties.
Because clearly the US government is doing much worse stuff than the private companies right now. And when someone discovers it, they try to put him in jail. I don't know about you, but that scares me more than if I found out the private company sold my info.
The best thing the government could do to legitimately appease citizens is pass a statute that nothing gathered through these means will be used to prosecute anything but terrorism or threats to national security. If that's the real purpose, then they should have no problem putting it in writing.
That's what happened with RICO. When it was passed they told us racketeering was only organized crime. Now you can get RICO charges doing just about anything.
I'm guessing you're referring to something at the level of discussion of vulnerabilities as opposed to actually breaking into some government resource or an enterprise with enough leverage to affect the nation in some way. Yes, enough lawyer-speak combined with general ignorance could probably make a jury believe any kind of security talk is somehow threatening. I suppose that's where careful wording comes in, for example limiting a threat to include intent to act on at least some specific class of target.
You can use the information in ways to harass and intimidate even without using it for prosecution; e.g. the FBI threatened to publicize MLK's extramarital affair (which they'd discovered by putting him under surveillance (authorized by the then-Attorney General RFK)) if he didn't give up his civil rights work.
Sounds like we'd all need a broader term than prosecution in addition to clearly defining an actual threat. All documented by the same personalities who are often tasked with finding holes in such statutes.
1. NSA goes to Facebook and tells them to install a server/rack in their data center. The server needs to be on a port that can "see" all traffic unencrypted. The servers then transparently record data and analysts on the backend parse it into something useful.
2. NSA puts servers on premises but instead they are pushed formatted feeds of data. This would require them to work more closely with the company to make sure they provide a feed that is workable. They would store the data and as requests for data came in the server would feed it back.
You're assuming that the NSA requires physical access to unencrypted data.
The NSA has been in the IT security game for a very long time, they employ the best of the best, and have practically unlimited funds. I'd imagine that very complicated algorithms determine who to monitor and what keywords to look for. Images from the middle east or a VPN are likely more heavily analyzed than images from a college campus inside the US.
Why set up shop at specific social media companies when they have physical access to backbone routers and root certificate private keys?
Yes, it would be easier to just ask FB/Google/Apple to give them unlimited read access to their databases, but that would be a scandal waiting to happen.
The slide with the explicit formulation was published, written by NSA, that made claims of "not inside companies" much less believable:
"Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, Paltalk, AOL, Skype, YouTube, Apple."
This supports the claims of Glenn Greenwald's article and is exactly what companies claimed not existing.
Read the slide: they explicitly name the collection on the "fat pipes" under other code names. As they have the access to the big pipes, the real time data (c.f. the other slides, earlier) from the inside of companies is certainly unencrypted.
Ok, so the one thing we have figured out in the past couple of days is that the NSA undoubtedly has the ability to collect almost all user data and internet traffic, even for US citizens.
Now, what do they do with it? The guardian is claiming that 77,000 reports have referenced PRISM but it is also the name of an internal accounting program (http://www.dot.gov/individuals/privacy/pia-prism)
We have a long way to go with this NSA issue. I believe that they are a great agency but have a very difficult job to perform, and unfortunately their mission sometimes requires questionable actions. They're powerful enough to make anything they want legal retroactively, which isn't necessarily a good thing.
Many people assume that the NSA has been "spying" domestically for decades, because it's arguably necessary in order to sufficiently protect the country. I love technology but am already tired of this debate. You are not going to prevent the NSA from data-mining, end of story.
The Federal Aviation Administration's "PRISM" is obviously not the one discussed now in public, and not the one ending in the reports to the president. I invite everybody once again to read the Post and Guardian, they obviously have so much material and try to post only as much as to make the public aware of the legal aspects of the system: the blanket special court orders, allowing companies not to do anything, not even track what is being requested, the orders valid for months and practically automatically renewed. It is "legal."
The slides may have come from within NSA, but they were created for a non-technical audience of analysts. Suppose for the sake of argument that the reality is that the NSA has hardware adjacent to company servers or on the internet backbone nearby that can collect messages in transit that match some search query. That's not really direct access, and it's not indiscriminate -- all the subsequent statements from company execs and government sources would be correct. But it's easy to see how some mid-level worker in the NSA, trying to convey to analysts that PRISM enables them to retrieve emails, phone records etc. from various companies, would make an over-simplification and suggest that there is direct access to company servers.
"Never attribute to malice that which is adequately explained by stupidity." --Robert Hanlon. Despite the duplicitous and overly narrow statements about PRISM that skirt the truth, there's no reason to suggest they are all overtly lying, when a much simpler explanation is that some NSA employee overstated their technical capabilities on an internal powerpoint.
Read the articles by Post and Guardian. They published enough leaks to make clear how it works: the special court gives a blanket order, valid for as much as one year, but at least three months, under which the intelligence community can operate from their servers at the company site for up to one year without the company even knowing (or wanting to know) what is being requested from their servers. The court order is what's making the operation "legal" so the companies can't be held legally responsible. But that can't mean that the system doesn't exist.
> Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
It would also be hard to square Microsoft's statement that
> In addition we only ever comply with orders for requests about specific accounts or identifiers.
"As the law stands now, the authorities may obtain cloud e-mail without a warrant if it is older than 180 days, thanks to the Electronic Communications Privacy Act adopted in 1986."
Closer to 2, but with the additional restriction that information only gets copied to the NSA on-premises server after the server makes a specific request/demand for it. All the reports seem to be saying that PRISM is a workflow-automation system for FISA orders.
Gotta love a headline that's worded in such a way that it looks like a fact. Thirty straight days of these on every major outlet and most people who were not already concerned won't be doing anything differently, if they ever did. As a bonus, no need to worry about breaking the story anymore.
Seems to indicate the NSA is performing some sort of MITM, or running intercepts from inside the datacenter after the traffic has been decrypted:
"PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises"
"From their workstations anywhere in the world, government employees cleared for PRISM access may “task” the system and receive results from an Internet company without further interaction with the company’s staff."
One question: Where is Anonymous in all this? I was expecting all kinds of DDOSing going down in the last 48 hours, but they have been unusually quiet.
Analysis of text related to subjective ideas can make anything bunk ("What do they mean 'all men are created equal'? Isn't our individualism what makes us great", etc.). Line-by-line analyses are particularly insidious because any idea can be proposed and appear to be a reasonable response without any likelihood of response from the original party.
If you want to find problems with the various companies' responses, you sure can. I am positive things have happened with Google, Microsoft, Yahoo, Apple, etc. and the government that most people would find offensive. But playing semantic games that push particular agendas without the full story is misleading and imprudent.
But he makes some good points, especially about the heavy use of the word "volunteer" and also "give", all which imply Yahoo! isn't freely giving access to the NSA. Yahoo! never said that they were disallowing NSA lawful requests for bulk data, which is the topic of concern.
(Of course Yahoo! isn't volunteering information, that is not a concern at all; if the NSA demands, then it's not volunteering information.)
The issue is that all the PR from Facebook, Google and Yahoo! are using very specific non-broad language to say they are not doing a very certain thing, a thing that is not the concern. The concern is about lawful access to all servers and not one piece of PR said this was not happening.
(In the current definition everything the NSA is doing would be considered lawful as the Government post 9/11 is able to use its various provisions to allow for a whole manner of things that we might disagree with, but we are not writing the law, they are.)
Can anyone say exactly what this paragraph is supposed to mean (or really mean, if there's a difference):
Intelligence community sources said that this description[direct access], although inaccurate from a technical perspective, matches the experience of analysts at the NSA. From their workstations anywhere in the world, government employees cleared for PRISM access may “task” the system and receive results from an Internet company without further interaction with the company’s staff.
So they get data from an ad-hoc query without interaction with the company's staff. And yet it is not direct access? I've read the other back-and-forths but I'm still not sure what this could even be trying to imply.
Edit: and read - According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.
But the meaning is no clearer. Or the meaning is, "we buy an indirect access cable at Best Buy and so everything is OK", i.e., the distinction is nothing but word games.
There's a major apparent contradiction between that second quotation and other sources (the NYT, Google itself) - see my other comment https://news.ycombinator.com/item?id=5847846