
> There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers.

> These are not things we can protect against directly but again, we can make it extremely difficult for these things to occur by using strong encryption and careful systems monitoring. Were anything like this ever to happen we would be talking about it very publicly. Such an action would not remain secret for long.

> Ultimately though, our opinion is that these kinds of attacks are no different to any other hacking attempt. We can and will do everything in our power to make getting unauthorised access to your data as difficult and expensive as possible, but no online service provider can guarantee that it will never happen.

This kind of frank disclosure should be highly rewarded. I provided similar frank disclosure text (elsewhere) only to have it whitewashed.

When everyone is underplaying the real limitations it's impossible for people to choose alternative tradeoffs— "Why should I use this slightly harder to use crypto thing when foo is already secure?"— because the risks have been misrepresented. Underplaying the limitations also removes the incentives to invent better protection— "Doesn't foo already have perfect security?".




"This kind of frank disclosure should be highly rewarded."

Yep, definitely. I think even more important than the information itself is the spirit of honesty and integrity that it demonstrates. This stands in stark contrast to the ambiguous slimeball statements issued by the likes of Google, Facebook, Apple, Microsoft, etc.

When Big Brother comes knocking, which companies are going to take a risk to stand up for you? It's as much a question of character as policy.


Note that G, FB, A and MS are not in a position where they can write such disclosure. I am not arguing with your main point, I applaud FastMail for taking a stand - it's just that USA companies must use "ambiguous slimeball statements" to at least appear clean (because they are not).

I would argue that if FastMail were a USA company their statements (if any) would be just as ambiguous as those of G, FB, A and MS.


I understand your viewpoint, but I don't accept that as an excuse.

Remember how quickly SOPA sank after the Silicon Valley establishment turned against it? Do you think the government is going to put the CEOs of some of America's most popular and profitable companies in jail for an act of civil disobedience that the majority of the country and the world would support wholeheartedly?

SV is more powerful than it realizes, and has little to fear in the current climate. The American national security state, on the other hand, is weakened and vulnerable. Now is the time to take a stand. Not doing so is equivalent to complicity.


SOPA was easy to turn against and I would argue, didn't cost anything to oppose. Fighting the NSA on warrantless wiretaps is a completely different animal in that there will be real money involved in fighting it. Potentially millions of dollars duking it out in court(s).

I think it's already been established that the NSA has HUGE financial resources (from the part that we can tell) and to top it all off, fighting the NSA on its grounds would most likely pass through the FISA court. A court which in and of itself, is shrouded in secrecy.

Also, this: http://www.nbcnews.com/id/12727867/#.UlKlY2RtVOg


The NSA has financial resources but it's short on political capital. If all the big tech companies were to collectively and publicly decide as a matter of principle to stop adhering to gag orders and cooperating with wholesale monitoring regardless of what FISA says, what is the administration going to do? Shut down Facebook? Shut down Google? Could you imagine? Public opinion is already firmly against them on these issues. Actions like those would make them utterly despised.


I strongly agree with you. It is not clear to me how a billionaire like Larry Page is being forced into anything. It is not conceivable that he personally would be jailed if Google were to defy the US government.

It would be interesting to see what would actually happen if one of the big American internet companies just said the truth. "We have received 35 NSL's and we gave them your data."

What would actually happen? Would their stock go up or down? Would they gain or lose customers? Would anyone be prosecuted and jailed?


> Do you think the government is going to put the CEOs of some of America's most popular and profitable companies in jail for an act of civil disobedience

If you support the rule of law, you should expect and demand that if it comes to legal consequences that's exactly what will happen. You can fight the law in parallel and use the trial to challenge it, but expect the consequences anyway. Otherwise you're calling for the rich and powerful to be held to a different, weaker standard just because in this case you might like the outcome.

You can treat it as the lesser evil, acknowledging that they're already held to weaker standards and that happens to be useful here, but you'd still be helping to entrench a system which is ultimately bad for you unless you're also very rich.


Unfortunately, Mark Zuckerberg, Eric Schmidt, and all of those other guys are surveillance poster boys. It's best just to not use their services, and vote with dollars.


Your vote is worth about five bucks a year to Facebook. Not really a huge deal, considering most people aren't concerned about surveillance and a very tiny fraction is concerned enough to give up social networks.


SOPA was a single proposed piece of legislation proposed by corporate lobbyists, who are on an essentially level playing field with Silicon Valley.

The NSA is a 60 year old spy agency at the heart of the national security infrastructure and government.

You are comparing two entirely dissimilar things.

Also, how exactly is the American national security state 'weakened and vulnerable'?


At the moment it is weakened and vulnerable compared to how it was a few years ago. It has not been destroyed or dismantled by Snowden's revelations, far from it, but it is a definite factor the NSA cannot ignore. Five years ago, no one would even think of shutting the NSA down over their abominable deeds, because their abominable deeds were not widely known.

At the moment, there are many people shouting for them to be shut down. Will it happen? Probably not. But at the moment, that is something for the NSA to worry about and to try to do damage control over. In that sense, they are certainly in a quite worse position.


I dunno, if the US government can't figure out if it wants public healthcare by the end of this month, they are gonna have to sell off some of those datacentres to pay the national debt...


Not quite.

The US Government operates on an extralegal basis (ie they're willing to cross any line), and roughly 85%+ of all new debt is purchased by the Federal Reserve. What very specifically is not going to happen, is the shut down of the military industrial complex of which the NSA is such an integral part.

So long as the dollar (Federal Reserve Note I should say) remains the global reserve currency, the national debt is a trivial problem (as is paying the interest on it). The dollar is the real linchpin, to everything. All else is a sideshow of political gamesmanship.


Dollar being the global reserve currency is the real linchpin to everything, but right now US Government seems ready to undermine that with their squabbles over healthcare. I mean, the upcoming default wouldn't destroy the dollar, but it would somewhat reduce the role of dollar reserves and treasury bonds in global markets.


Not raising the debt ceiling is not a default.

If a credit card company refuses to raise your limit, that is not a default. A default is when you stop making payments on your debt. As long as the government has enough tax income to pay interest on its debt, there is no default. Calling it a default is a scare tactic to get their credit card limit raised.

The solution is for governments to spend only the tax revenue they receive - no more. Not only should the debt ceiling not be raised, it should be slowly lowered to zero over the next 10 years. If the government had to explain to everyone how much their taxes would need to be raised in order to invade Syria, etc., people might actually pay attention. Just my opinion.


This is a bit confused. The US needs to pay about 0.5 trillion interest a year, or 1/5th of tax revenue. They borrow about 0.5 extra per year (which is why the budget ceiling needs to go up).

If the US wanted to instantly achieve a balanced budget, they would have to spend 3/5ths the current amount. When a government cuts the amount it spends, it shrinks the economy, and reduces tax take.

In the UK, a limited form of this strategy seems to be working, but in Southern Europe, a strong 'austerity' strategy is creating a spiral of reducing tax take (requiring ever greater cuts).

So the sharp reduction in the deficit you mention is not possible. It would need to be gradual.

The elephant in the room is that, in the US, China, and Europe, the aging population is coming. As the proportion of contributors to consumers of public spending shifts, more debt is inevitable. It's going to suck pretty bad for everyone, but if we (all of us) can't achieve a balanced budget before that hits, then things are not going to be as gentle.


The best solution might be to spend only the tax revenue they receive; however, the idea is purely theoretical because they are not going to do that.

Currently government isn't able to pass a "normal budget" much less a very radically changed budget + huge and rapid changes in government agencies - if the USA doesn't raise the debt ceiling, the actual effect will be not paying the interest due which is called a default.


I never understood this rationalization for what is essentially a corrupt behavior. People find excuses to keep the corrupt system going. I see it as a collective madness.

Those companies, being a huge influence on the internet culture and economy, a trend-setter, one might even say the internet gatekeepers - I think they not only should disclose and vehemently oppose any attempts on user rights, but it is their moral obligation to do so.

How is it that individuals and small parties are scrutinized and put down for a single misstep or a character flaw, while enterprises are forgiven, or worse - go unnoticed, for systematic violations of our rights?

Also, keep in mind, that being a big business like Google, inevitably puts you in a close proximity to government and politics. One thing is certain, they do not lobby on our behalf. Though they could. If Google and other giants had a moral compass resembling one of Lavabit or FastMail, perhaps PRISM would fail or never happen.


> moral obligation

Keep in mind that these companies' only obligations are to their shareholders.


True, but that obligation is often misinterpreted. The legally binding definition of "shareholder value" includes more than the short-term stock price. Since bad corporate behavior carries a risk, with potential consequences up to and including a catastrophic loss of custom, it's a liability even when it's perfectly legal and boosts near-term profits. Corporate officers who take on such risk without adequate disclosure or contingency plans can be removed and/or sued for it.

http://www.washingtonpost.com/blogs/wonkblog/wp/2013/09/09/h...


> Keep in mind that these companies' only obligations are to their shareholders

Your statement is mostly true but completely hollow. Just because your primary obligation is to your shareholders doesn't mean you go along with (arguably) illegal acts committed by your government that run counter to your users. Because if you do that long enough, your users will leave and you will have screwed your shareholders in an attempt to look out for your shareholders.

This is why your comment is hollow. Because it attempts to excuse any behavior that provides short-term gain regardless of mid-term or long-term pain.


That refrain, while correct* as a matter of corporate law, increasingly sounds like our era's version of the Nuremberg defense.

Also, who is to say that moral behavior isn't in the long term interest of shareholders?


> Note that G, FB, A and MS are not in a position where they can write such disclosure.

Yet could, e.g., Google Ireland Ltd do so, by some interesting twist of laws?


I don't think so, as the NSLs are received and acted upon by Google US. Of course, when operating in a country, you have to respect the legislation of that country. However, companies like Google are in a really tough spot on this one, which is why the NSA spying is so poisonous to US businesses and why you should fight against it.


Definitely. I am actually really worried about the effect of NSA Surveillance and data collection on industrial espionage. How does a small and growing company know that a big company/interest group that feels threatened by it won't get access to NSA data on the company by using their connections?

If Snowden, an individual contractor, can dive deep into the data how do we know that others are not doing the same for other purposes?


It's nice that they are frank about it, but it is also pretty clear that any company hosting in the US, even if they are based elsewhere, is less of an appealing option to the truly security conscious (or paranoid, depends on how you look at it). Sometimes these aren't necessarily the more technical people either.

The problem is that for most services, it is hard to tell where the company is from and where they are hosted, unless you're technical enough to run a traceroute. At StartHQ we've been trying to make that easier to find for non techies and the fact that FastMail host in the US became quickly apparent via their app profile page when we first added it: https://starthq.com/apps/fastmail - there was a pretty lively discussion on FB about it at the time as well.


Less of an appealing option where?

If I don't trust (say) the Russian government, it is more secure to put my hosting in Russia? Nonsense.


I don't understand what you're trying to say with the Russian example.

You can for example trust the Finnish government not to look at your data or let other governments do the same. A number of companies here in Finland are emphasizing that point in their marketing nowadays.


"This kind of frank disclosure should be highly rewarded."

With all due, I'm sorry but, no.

Had it come before the Snowden leaks, absolutely. But it didn't.

After the event, facing a danger of customer loss or loss of confidence, it can only be seen as a too late and defensive move. All these companies must have known something about these risks, yet remained in a passive conspiracy of silence. Not one stood up until Snowden did. By then, too damn late.


Before the Snowden leaks Fastmail was owned by Opera, it has since been bought by Fastmail staff.

http://blog.fastmail.fm/2013/09/25/exciting-news-fastmail-st...


How could they have talked about it if they never knew about it because they were never in bed with the NSA?

You are assuming they were cooperating with the NSA behind the scenes like Google et al, but they are saying they were not and could not be compelled to do so by Australian Law.


So Lavabit should have shut down before the leaks?

What you say may be applicable to the big players, but not to the smaller ones.


The problem of this "disclosure" is that to the people writing the text the implications of Australian laws aren't clear, as seen in another thread here, started by westicle:

https://news.ycombinator.com/item?id=6506711

In short, don't expect that you can get any advantage from FastMail being an Australian company -- you can even be worse off.


I agree that this is a nice gesture, but it's not a "frank disclosure". What did they disclose?

When they actually have a security breach and they promptly "[talk] about it very publicly", that will be something commendable. Right now we have words, not actions.

Though honestly I'd much rather have such words than not.



