I use DropBox and Google Drive a lot, but I have scripts to encrypt data into ZIP files for anything that needs to be protected. It really is not much of a hassle.
I have a SpiderOak account, but don't use it as often.
Speaking of protecting data: I am surprised at how many companies seem to keep their software in private repositories on github and bitbucket. That seems like a security hole, if software if the core of your business.
When I started using DropBox, I made an encrypted directory (using EncFS) for the stuff I cared about keeping private. This keeps the real-time sync element of DropBox, and avoids needing to reupload all of the encrypted files whenever one changes (although it does prevent incremental updates on individual files).
As an added bonus, these files are now encrypted on my machine as well.
The problem with your solution is that you have the closed source drop box app on your machine, and it could be reading anything, including the contents of those files before they are encrypted.
EncFS isn't supposed to be used against people who have access to the ciphertext at different times. Consider any file you've changed at least once as compromised.
EncFS, as you may be aware, only encrypts the contents of the files. The metadata (filename, size, timestamps) is available in clear, and a lot could be inferred from metadata if you don't want to trust others who could access the raw bits.
And for others, they'd rather entrust the crown jewels to GitHub than to their rotating cast of employees relying on server closets with unreliable power supplies and lackluster physical security.
GitHub does it full-time though. Also, for businesses, it's a real financial concern that it's not their problem anymore. Having someone for you and your customers to sue is a good position to be in and what drives a lot of B2B decisions.
"You expressly understand and agree that GitHub shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses (even if GitHub has been advised of the possibility of such damages), resulting from: (i) the use or the inability to use the service; (ii) the cost of procurement of substitute goods and services resulting from any goods, data, information or services purchased or obtained or messages received or transactions entered into through or from the service; (iii) unauthorized access to or alteration of your transmissions or data; (iv) statements or conduct of any third-party on the service; (v) or any other matter relating to the service."
The Standard .zip Crypto (know as "ZipCrypto") is 100% trash.
However, it is possible to use AES-256 encryption in 7zip (and even WinZip, not that anyone actually uses that anymore...)
Most big corps still use licensed WinZip, but we've had problems sending AES-encrypted-by-WinZip files to external MS Windows users because the built-in Windows Explorer dezipping algo can't handle AES.
The users double-click on the encrypted Zip file and receive some irrelevant error message ( 'could not create temp file' or thereabouts ).
So often one has to fall-back to the Zip encryption algo.
> I am surprised at how many companies seem to keep their software in private repositories on github and bitbucket. That seems like a security hole, if software if the core of your business.
More secure than open source projects. Many of them use public repositories on GitHub and Bitbucket!
Once again, I would like to recommend Tahoe-LAFS [0] (which anyone can install on their own on their servers or use the paid service from the creators of Tahoe-LAFS [1]). One can even store "shares" securely on Google Drive and Dropbox though it is a bit involved.
Premise: I'm not interested in setting up a server and maintaining it, but I am interested in storing my data on services that can promise, or even better, guarantee, privacy and security.
I have looked at Tahoe-LAFS for a few years now, along with the paid service. In my observations over the last few years, the paid service is getting almost zero attention from the creators. Initially they had it at an enormous cost (like $1 per GB per month) compared to other competitors. In the recent times it has moved to other schemes that are still expensive for many people ($25 per month).
Their products, or rather services, are rarely updated and remain in the TBA (to be announced) status for far too long while other competitors (the "privacy conscious" ones like SpiderOak that cannot truly guarantee it like Tahoe-LAFS can as well as the "what's privacy?" services like Dropbox, Crashplan, Box, Google, Microsoft and Apple, to name just a few) are moving ahead much faster and bringing down prices.
I'm willing to pay a decent enough premium to help privacy guaranteeing services survive and thrive, but this kind of pricing and sluggishness in introducing services from leastauthority.com makes it seem like they don't really want many users to sign up.
More importantly, you can host the storage over i2p, or a hybrid of clearnet and darknet. There's even an implement ion of free net over i2p using tahoe-lafs.
I have assisted a few people in implementing this for their storage needs. No complaints, either.
I won't be getting rid of Dropbox, Google services, or Facebook anytime soon. I disagree with government spying, and would like to see major reform, but (disagreeing with Snowden) I actually have nothing to hide. I'm not excusing the companies that provide data to governments, but I like the services they provide. They solve problems I want solved, so I will continue to use them.
Edit: Why all the down votes? If you disagree, let's talk about it.
You don't get to determine whether you have something to hide or not. That's not up to you.
It's up to whomever is targeting you to decide whether they want to turn something you consider irrelevant, into something that puts you in prison. For example, something not considered a crime today, such as having this conversation, can be a 'thought crime' tomorrow.
Oh, I see here film42, that back in 2014, you partook in a conversation that was negative of the regime's glorious goals. Guilty by association. 40 years hard labor.
All you need to worry about is being put on a terrorist watch list and black listed from being able to fly anywhere in North America easily.
Either way, the correct answer to "I have nothing to hide" is: you are not in control, and do not get to decide whether you have something to hide or not. You have no power over that matter. Once you understand that to be a indisputable fact - no matter what country you're in (as a citizen is never the one making that call) - then you'll stop saying that phrase, as it is equivalent to saying: "I am in charge of the FBI"
A friend who worked for an analytics agency once told me that insurance companies are very interested in having access to the purchasing histories of their subscribers.
We speculated why, and among several possibilities, we figured the most likely and obvious is this: what happens when you get cancer or have a heart attack at 72 and your insurance company denies all your medical claims citing the entire volume of ice cream, pork, beer, coffee and diet coke you've consumed in your life? Or cite all your family and friends that smoke, even though you don't?
I make what I think are quite responsible choices with my health, but that conversation has stuck with me as an example of how information about me, information I'm not trying to 'hide', information that I didn't consider especially 'private', might be used against me at some point in the future.
The issue is that the public discourse over this topic conflates the human need for privacy with the argument of "I have nothing to hide".
These two things are not the same thing. Whether or not you have something to hide has no bearing on our basic need or basic right to privacy.
Additionally, no one can really say "I have nothing to hide" and be intellectually honest. The honest statement is "I have nothing to hide yet, that I know of."
Why? Two reasons: number one, we live in an environment of selective enforcement. We all, knowingly or not run afoul of the law every day be it copyright law or something else. The corpus of legal code we exist under in this country is far to large for anyone to say with confidence that they have 'nothing to hide'.
Secondly: While it may be true that you have nothing to hide right now, how can you know what options, behaviors, or possessions might run afoul of future administrations? History is replete with examples of regimes cleaning house when they come into power, and the digital paper trial we leave makes that all too easy. I'm sure you can counter that argument by saying that could never happen here in the US, but there are plenty of less severe areas where it would be easy to see this happening. What if the federal gov. changes its mind on looking the other way when states legalize a controlled substance and your digital paper trial makes it clear that you may have partaken in the past? There are any number of scenarios where activities and opinions that you deem to be perfectly acceptable now are things you may desire to keep private in the future.
The point is, to say you have nothing to hide presumes you can predict the future, and have complete knowledge of the law, which no one person can reasonably posses. We have a system of warrants for a reason, and it is to protect you, as a citizen from these sorts of situations. Do not be so quick to give that up.
If everyone was constantly breaking the law then there would be no known criminals who haven't been arrested. There would no John Gottis or Whitey Bulgers. As soon as the government wanted someone arrested, they would just immediately arrest them for breaking copyright law or whatever. No need for the FBI to meticulously build cases, we're all guilty all the time and our only hope is to boycott Dropbox.
And if the government suddenly decides to start enforcing ex post facto violations of the law, we're all screwed anyway. There's no point in living your life by being afraid of what might be in and out of fashion in the future. If the government decides to start arresting people who have broken existing laws (not to mention future ones) there there are literally millions of people who have openly admitted to doing drugs or otherwise violating existing prohibitions. I can't think of many cases where the average citizen was prosecuted because they admitted to a minor crime on facebook, not to mention any cases where the government changed their minds on the law and started going after people.
I live a normal, boring life and do normal, boring things. I'm not going to get arrested for eating fast food while watching reality tv, or drinking beer and watching sports. I don't do anything that harms (or helps) anyone else, I'm the average American. I have nothing to hide and absolutely no fear of government intelligence collection.
There are over 3000 FEDERAL criminal offenses on the books. (As an estimate, even the gov can't tell you exactly how many. If you think ALL of these fall under common sense then you are kidding yourself. Have you read the thousands of pages that span dozens of volumes to be sure you aren't an offender?
You've conveniently side stepped my main first point, which is that we have a right to privacy, and that right has NOTHING to do with our presumed guilt or innocence. To use the argument "I have nothing to hide" misses the point entirely. If you want to walk around exposed, that's fine, but don't argue that the rest of us should be made to.
If everyone was constantly breaking the law then there would be no known criminals who haven't been arrested. There would no John Gottis or Whitey Bulgers. As soon as the government wanted someone arrested, they would just immediately arrest them for breaking copyright law or whatever.
The unquestioned premise in your argument is that the government wants all criminals to be arrested.
Even if you have nothing to hide, the ability to control that much information about you is a great power over you. The abuse of you personally might not be happening now, but the potential is certainly there. What happens when the abuse of that power comes to you? (abuse of that power is already happening)
I would very much rather have my own email server running local software to read that email and have something like a social network served much like email or through user-owned micro-servers. But software like that doesn't exist in high quality because it needs to be free and you can't get venture capital to make free things (and can't make money off non-cloud free services)
I firmly agree with you, these services can seem scary, and we're half way down that slippery slope. But it's hard for myself (the consumer) to leave a service (like dropbox) that makes my life easier. I can manage my own private dropbox like service, but I don't trust myself. Maybe that's even scarier.
So, I get what you're saying. I have no intention of abandoning Google either. In fact, I still see Google as the good guys as odd as that might be to many people. In the short term I understand what Edward is saying, but I'm about the long-term game. Doesn't matter what trendy tech company has your data. Yesterday it was Yahoo & Myspace. Today it's Google & Facebook, tomorrow who knows... but the one constant in all of this is a corrupt government. I'm only interested in fixing government and fixing(or destroying) the NSA. Avoiding the victims(Google,Facebook,Apple,etc) of bad laws I don't think solves things in the long term. But, if you're an activist planning a revolution or becoming another whistle-blower in the near future... then by all means do what Edward says so you can at least attempt your plan and not get preemptively stopped.
"But it's hard for myself (the consumer) to leave a service (like dropbox) that makes my life easier."
That's nonsensical and a strawman. No one is telling you to stop using such services. Just use an alternative that respects your rights. That's all there is to it.
>>tech companies choose whether or not they'll store user data centrally
...until the USgov/NSA chooses for them. Also, while it's all great the Syncthing tool is open source I see that they have precompiled binaries. Now I ask you, what percentage of people will compile themselves instead of downloading the readily available binary? Especially Windows users? In short, syncthing isn't immune to the USgov/NSA. We're talking about the general public; not just hardcore techies who can download & compile source code. I can just get GPG & rsync if I wanted... but that's not the point. Me and the person I replied were talking about "services"(tech companies), not stand-alone tools.
Anyways, Syncthing doesn't even replace Dropbox. Syncing files is just one of Dropbox's several features. And without a 3rd-party central server, Syncthing won't be able to deal with the person who wants their work computer to sync with their home computer. That central server is how you get around corporate firewalls, NAT and port-forwarding. If there's another way to deal with this, I'd love to hear it.
Local binaries can be -- and are -- audited. The USgov can't simply push new code (and this is why web-style pushed upgrades are a bad thing).
> Me and the person I replied were talking about "services"(tech companies), not stand-alone tools.
Goalpost movement. Services that control both client and server, and all the data involved in it, CAN NOT solve this problem; this is why we have (and need more of) well-defined protocols with more than one client and server implementation thereof.
SaaS, with their plethora of proprietary protocols, are the antithesis of privacy rights and a vibrant open internet ecosystem.
> When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’ You’re saying, ‘I don’t have this right, because I’ve got to the point where I have to justify it.’ The way rights work is, the government has to justify its intrusion into your rights.
I think there is a subtle distinction between the "if you have nothing to hide, you have nothing to fear; ergo privacy invasion is good" meme, and what was said above ("privacy invasion is bad, but I am not concerned with invasion if my privacy because I have nothing to hide"). Which is not to say there's nothing to object to in the latter.
I see your point, but I was addressing the Snowden quote from the article where he said, "When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’"
Also, I really don't like that counter argument. I think it's supposed to instill fear. Everyone has a blindless-window on the internet. Like, what happens when you google: "<username> freenode"?
Seafile is great if you dislike SpiderOak's closed-sourceness. Open source android and desktop clients, client-side encryption, can start with a free service then move to self-hosting when you're so inclined.
imho, it's the best option until we get a good user-friendly decentralized offering.
Dropbox was revealed as a participant of the PRISM program: anything you store there is searchable. The same is true of Facebook and Google and Yahoo, Apple, all cell phone carriers, all internet carriers and other cloud storage companies including Skydrive/Onedrive.
Dropbox is mentioned in the PRISM slide deck as being a desired participant, not an actual participant. I worked at Dropbox when those slides were released, and none of us on the operations team knew what it could possibly be talking about.
Every company that wants to continue to operate in the US has to comply with US government orders, that is just a fact of life. No one in the technology industry is super excited about going to jail or having their equipment seized. But the kind of compliance that PRISM implies is not something that you just sneak in without anyone noticing.
There was an internal accounting of every server and network connection -- it would have required a shadow ops team running shadow datacenters to sneak it by us.
So people should just upload unencrypted data willy nilly to 3rd party servers because they aren't mentioned in a leaked document? Sounds like a terrible security plan.
And re leaked docs ... I still don't understand the mindset that some people have (maybe someone can help me). When people say, "oh, but the US Gov isn't worried about you" all I can do is roll my eyes.
* How can you verifiably prove that? (they can't)
* How can you verifiably prove other governments aren't?
* How can you verifiably prove chaos agents aren't?
* How can you verifiably prove someone isn't silently watching you?
* etc.
Just because it was or wasn't in a leaked document does not mean that the ability does not exist nor does it mean that such capability is only in the hands of 1 government.
In my eyes, the leaked docs showed "this is the current level" re: security/privacy/surveillance. We have to assume all other governments, corps, & individuals have equally or more powerful systems in place. Why? Because it's the only safe assumption.
That assumption has no bearing on the merits of legality with how the NSA conducts its mission, nor bearing on how others act. The documents merely give evidence and a base-level run down of additional attack vectors. This has absolutely zero to do with a "legal vs. illegal"-action debate and everything to do with technological security and infrastructure.
I encourage everyone to consider RFC 7258 [1] in their future projects. Do it for your users, whomever they may be. Consider RFC 7258 your USSINT 18 (if you're American) ... that is, fucking read it, understand it, and internalize it. Maybe the gov is good, maybe they're bad - that is irrelevant when there is more than just 1 gov in the world.
> Every company that wants to continue to operate in the US has to comply with US government orders, that is just a fact of life. No one in the technology industry is super excited about going to jail or having their equipment seized
I understand this and it is not contrary to my point. I'm actually trying to point out that the companies Snowden mentions have been specifically mentioned by NSA slides/documents and I think this has colored his suggestions. He suggests moving to others - but ultimately anything he suggests will get subverted if enough interesting material gets stored there. Not that that in itself is a reason not to adopt new technologies.
> To sneak it by us...
They aren't sneaking it by you as a company. They cooperate with the corporation and its internal organizational model to create a solution that fulfills the requirements. Most employees, however, can be blissfully ignorant.
I think you overestimate your ability to know such things. I know plenty of Google employees that had no idea about Google's involvement, Facebook employees with no idea about Facebook's involvement, Apple employees with no idea about Apple's involvement and Microsoft employees with no idea about Microsoft involvement.
I also work at a large company, and would have thought I would have seen clear indications of PRISM (& other) activity. Unfortunately that is not the case.
Condolezza Rice (of all people) joined the board of Dropbox.
This is their full time job and their professional expertise. I'm sure that PRISM infrastructure (or beta versions) were accounted for in full.
Edit: It's not condusive to conversation to downvote something merely because you disagree with it. The downvote button (and upvote respectively) are for designating whether you believe something is irrelevant to (/contributes to) the topic.
It's always hard to be absolutely certain about what goes on at a company, but I'm pretty confident about Dropbox not participating in PRISM (defined as a government system that automatically collects considerable data from within a company's private systems).
I haven't been at Dropbox for a year now, but for most of the time I was there I was one of only two SREs that ran the production infrastructure. I knew every piece of server hardware in every datacenter, and what services ran on them. It was my job to qualify and deploy hardware, do the systems level automation, and run the user facing frontends. There is literally no way that something like PRISM could be put in place without my knowledge except by what would amount to sabotage.
Keep in mind that while Dropbox is large for a startup, it only recently surpassed 1,000 employees (150 when I joined). The vast majority of those people are in customer service, and the number of people with access to production is likely still well under 100. For the first five years of the company's life there was one datacenter manager and network engineer (the same person), one SRE up until I was hired, and so on. In operations, we did more with less.
However, this shouldn't make you feel like your data in Dropbox is guaranteed to be safe from prying government eyes. Dropbox can and does comply with government requests -- every company operating in the US does so, or they would not be operating anymore.
I agree with your distaste towards Condoleezza Rice joining the board. It doesn't look good, but I also doubt that she has any day-to-day authority or responsibilities whatsoever.
I'm still not confident. Don't actually answer these questions (NDA and all), but how much traffic do you guys get? Could you possibly inspect it all? Have you inspected the hardware itself? Can you trust the switching equipment?It's reasonable to think that collection happens at the pipes between data centers (like some of the Google collections - which didn't involve any of the hardware present although that collection program wasn't a cooperative one).
Some of the lengths they go for these programs are really impressive. It was revealed that AT&T had secret rooms built that blend into the building infrastructure but MITM every packet that gets sent through (what looks like) normal infrastructure lines.
At some point it feels like you're being asked to prove a negative. That's the thing about discussing secret operations. And it is why the documents are so important.
I wonder now that the Snowden leaks are getting dated about a year old (and it being a few since you've left Dropbox) how much has changed.
Finally, the other companies on Snowden's list are certifiably on the list of already onboarded products, so it's hard to trust them.
> I also doubt that she has any day-to-day authority or responsibilities whatsoever
For example she assigned a new CFO for Dropbox. I doubt she has day-to-day authority (she's a busy woman), but being on the board and selecting upper management is a lot of power.
You're right, there's no way to be completely certain. It's like the adage: "Two can keep a secret, if one of them is dead." When someone else has access to your data, there always exists the possibility that it can be used in some way you don't like.
What I wanted to convey is that user data was not used (at that time) in an untoward fashion by Dropbox. Everyone that I worked with took privacy and security very seriously, and we knew that user trust is tough to earn and easy to lose. Handing data to the government automatically, without a warrant or confirmation of authority, would not have been something that anyone was interested in doing. But the government does have ways of making you do things that you don't want to do (see: Yahoo).
The biggest problem that I have with all of the Snowden revelation stuff is this: people seem quick to blame the companies who are complicit rather than the government who is the root of the problem. The government's efforts against security and privacy are the biggest threat the technology industry has ever faced, and if left unaddressed I believe it will inevitably lead to the US losing it's leadership position.
One last point, regarding Dropbox's CFO. Sujay had been at Dropbox for over three years (since 2010) and was involved in the CFO search for a long time. That they picked him for the role says a few things, but I don't see it as Condoleezza stacking the deck.
Not too sure about the quote based on it's other implications - and I don't think it's exactly the appropriate analogy here...
As an aside the NSA keeps secrets between tens of thousands of employees (although I hear it's Orwellian and depressing to work there). You can keep secrets between small and even large groups of people. You just have to have the right processes and leverages.
'Punishing' companies that collaborate with the government has a few parallel goals:
1.) Wanting to use something that has not yet been purposefully subverted.
2.) Give the companies a real argument for resisting programs.
3.) Speak out against the practices (since it isn't on a ballot anywhere).
Yes, ultimately it isn't the companies' faults (however the complicit few with blinders on for profit motive should be shunned for not putting up a fight).
To your Edit: tell this to the socialist big time thought-police at the HN HQ that will not count your upvotes on your posts if they don't like them I.e.: I have almost twice as many upvotes on posts than the number appearing next to my nickname. Ah hh... "Land of the free" -- as long as they do and talk as they are told!
You left out half a sentence. "Anything you store there is searchable" if the US government has a court order for your data. This has always been the case. Other governments have similar systems for processing data obtained via legal requests, under different names.
Right, but the Snowden revelations showed that the FISA court was/is? a rubber stamp circle without any real due process - and in fact they can search the data and afterwards make a request via the FISA court. The data is also collected and stored and processed by algorithms without any court oversight, it is just when they want a contractor to look through the data manually that the minimal paperwork is involved.
It would be misleading to include that half sentence without also mentioning this.
"The data is also collected and stored and processed by algorithms without any court oversight."
This is false. PRISM doesn't get any data that wasn't specifically requested with a court order. It sounds like your understanding is still based on Greenwald's original reporting, which has since been shown to be inaccurate.
I'm talking about sent to the NSA, processed by algorithms and stored. That's not 'collected'. It's a word game they play. My original assertion stands.
And be careful of "not under the PRISM program". The "not this program" has been shown to be false over and over (in spirit) as there are many related programs that do joint work on shared datasets.
Regarding Greenwald's reporting, can you link to something comprehensive (and trustworthy) about inaccuracies?
Not under any program. None of Snowden's documents show that the US government has the access you think they have, and all the companies involved and the government have explicitly denied it. You're going with Greenwald's misinterpretation of a slide against all evidence to the contrary.
Yeah, that's not right (your document discusses PRISM almost exclusively).
To quote from your document "when you claim something, you should be able to prove it". Can you prove "not under any program?" Of course you can't.
That's a bit mean (there's no way you can prove a negative). But it goes to show the level of sophistry and equivocation in your analysis.
I looked through the document and was thoroughly unimpressed. I don't think you're engaging with the material at the same level others are (e.g. metadata = surveillance & NSA has direct access to metadata -> NSA surveillance by modus ponens). Nor are you considering the vast body of documents, just some choice ones related to PRISM.
I would very much like to believe that somehow Pulitzer Prize winning journalists with the endorsement of The Guardian and everyone who followed merely read some diagrams wrong but after having read your document I can't convince myself of that, nor would it be consistent with other leaks, whistleblowing accounts, policy objectives, etc.
Good work though, I think it's important for people to actually look through the slides/material themselves. I think it's great you're doing that.
Can you prove "not under any program?" No, but the preponderance of evidence (the denials from all parties, the laws that make it illegal, and the lack of any evidence to the contrary despite the fact that the release of this evidence would be a bigger story than any of the leaks so far by a country mile) shows that it is not happening under any program. Yet you still believe it is happening because you chose to believe Greenwald's thoroughly debunked misinterpretation of PRISM.
Where are these "other leaks" that show this is happening? There aren't any. You bought Greenwald's lie hook, line, and sinker.
I think we've exhausted this branch of this topic, but I'm sure we'll have an opportunity to discuss this further on other Snowden articles and I look forward to doing exactly that.
So you'll spout the exact same nonsense in another thread, I'll call you on it, you won't present any evidence for your nonsense, and suggest we do this again?
Your post is a classic example of shifting the burden of proof. You are the one with the belief that contradicts documents, leakers, whistleblowers, journalistic reporting, senatorial reports, US history, partner documents, and on.
Or if you need more direct links look through the other branches of this thread. Plenty of evidence, much of it directly from the Congressional oversight committee itself.
The nonsense comes from trying to reinterpret a small number of slides and to then broaden that interpretation to a expansive umbrella.
It is simply truly the case that the NSA and partnered agencies have broad access to sweeping untargetted collection of data.
Tempora has nothing to do with the companies giving the NSA access to their data. Try to stay on topic.
Shifting the burden of proof? You're the one claiming something illegal is going on without any evidence. I might as well call you a rapist and ask you to prove you aren't.
This is the actual legal definition of collected per DoDD 5240.1-R[1]:
"C2.2.1. Collection. Information shall be considered as "collected" only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties. Thus, information volunteered to a DoD intelligence component by a cooperating source would be "collected" under this procedure when an employee of such component officially accepts, in some manner, such information for use within that component. Data acquired by electronic means is "collected" only when it has been processed into intelligible form."
That would include sent to the NSA, processed by algorithms and stored. The "read by a human definition" as far as I can tell comes from the EFF selectively quoting that definition[2] and drawing their own conclusions from their selective quotation, not the regulation itself. As the regulation itself states, as soon as any DoD intelligence components receives it and processes it, it is considered collected.
The misunderstanding is compounded by Clapper's June 9th 2013 interview with Andrea Mitchell, where he tries to explain that there's a legal difference between collecting content and metadata and fails miserably[3]. Mind you, Clapper is not part of the NSA. That's not an excuse, since as DNI he should know better, but it does explain it somewhat...
Regarding issues with Greenwald's reporting, here's a few:
- Stewart Baker, quoted extensively in the "NSA spies on porn" article, claims the authors omitted key parts of his quotes because it would make them look hypocritical: http://www.volokh.com/2013/11/27/understanding-enemy/
For a good rundown of various NSA programs, I'd recommend reading the Electrospaces analysis[4]. In particular, his analysis of PRISM[5] and BOUNDLESSINFORMANT[6] are really good, as is his recent Strategic Missions List post[7].
I don't know how to read that definition - it contains more legal jargon. What is "received for use by an employee"? When are electronic communications "processed into intelligible form"? Is a server that stores and processes data an employee?
And for 100% sure PRISM received and stored mass data about American communications - both internet records and phone records. There's no debate about that. There was even (faux) legislature proposing moving the storage site from NSA hands to partner hands.
These articles seem like minor quibbles, mostly to do with terminology, but not the broad implications of the program.
There are so many damning slides. Like...
"Of these 1,789 applications, one was withdrawn by the government The FISC did not deny any applications in whole or in part." (42)
"With all querying if you discover its in the US, then it must go to the OSC quarterly report... 'but its nothing to worry about'" (99)
Looked quickly through the articles, not sure if I saw anything really damning - they seemed like minor quibbles.
I must depart for non-tcp-mediated social obligations and consider this an incomplete reply - apologies for that. Hopefully the thread is alive later, and another poster can fill in the conversation here as it evolves. Adeiu.
I don't think any of those are particular minor quibbles. To summarize:
BOUNDLESSINFORMANT: Initial reporting show concrete number on just how much NSA was spying on a whole slew of European citizens. Shortly afterward, the actual intelligence agencies of those countries stepped up and said that those were not reflected NSA spying on those countries, but instead those numbers reflected communications that they themselves had gathered, mostly from areas like Afghanistan, and handed over to the NSA under intelligence sharing agreements.
PRISM: Initial reporting said that the NSA had direct access to the servers of Google, Yahoo, Microsoft, etc., and could conduct data-mining from them without any oversight. Actual story ended up being that those companies were handing over data on specific targets under court order - NSA did not have access to any of their servers.
XKeyscore: Initial reporting was saying that the NSA was sucking up all communications including Americans. The author to the story that I linked to was pointing out that Marc Ambinder had previously disclosed XKeyscore in his earlier book saying that it was a system to index metadata that was already collected using other means, and there was no proof shown by Greenwald or indicated in his slides he published that it had been used to collect American's communications.
The Stewart Baker article: Stewart Baker was interviewed over the phone for the "NSA spying on porn habits" article, but they subsequently left out the core of his argument in order to not undermine their own argument. I thought that spoke to Greenwald's journalistic integrity somewhat - it also puts into perspective the fact that most of the slides he's published have been heavily cropped and there's no way to independently verify the contents of those slides.
The long list of mistakes article: Just pointing that there has been such a rush to report most of NSA documents that most of the initial reporting has had numerous mistakes of varying degrees of severity.
> handed over to the NSA under intelligence sharing agreements
Right, there's a huge amount of intelligence sharing. That's one of the critical points. Domestic law can be skirted by International Law and International Law can be skirted by Domestic Law.
Need an American's data? We can't take it off the wire, store it, process it, and inspect it (in all cases). But Canada can, or Israel can, or Australia can, or New Zealand can (etc).
Need a foreigner's data that blocked by espionage laws? The country may itself be able to. Or a partner that doesn't have an agreement may be able to.
> PRISM: Initial reporting said that the NSA had direct access... NSA did not have access to any of their servers
Right, but this is one of those word games. First, the direct access the NSA DID have was not under the PRISM program. Reading "PRISM program did not give NSA direct access to servers" reads the same as "NSA has no direct access to servers" but it's not.
The 'targetted' collection of data itself turned out not to be very 'targetted' at all. Many requests were for large swaths of data and in many cases the NSA was given direct control of the servers that stored the metadata (as with phone records) but would need to request the companies for the content itself. Metadata = surveillance.
To extend the skirting laws above, the federal government is able to bypass laws on search and seizure by forcing private enterprises to do it and then requesting it as they see fit later on.
Why are these companies allowed to surveil and have access to my information? I don't trust employees at Google or Apple any more than a stranger on the street or any random government employee. Actually, as there are few to nil restrictions on what corporations can do with databases of my and other communications, in some sense it's worse. Aren't we guaranteed security in our persons and our affects? If a federal government forces a private company to censor you, or to surveil you, isn't that still censorship or surveillance - regardless of whether as feds they act on, collect, mine or process that information/data at all?
> XKeyscore ... no proof shown by Greenwald or indicated in his slides he published that it had been used to collect American's communications
But it did show that there were mammoth amounts of American metadata present in the database (however it was collected). Doesn't seem to matter whether XKeyScore was the collector or just a repository.
> The Stewart Baker article... porn
There is a lot that the NSA and CIA can do to influence people, their credibility and the credibility of an idea in groups (MINERVA, etc) - look at what the USAID Cuban Twitter program nearly succeeded in doing, and what similar efforts may have had a role playing in Hong Kong (and dare I say Scotland).
There is no doubt about the use of using Porn to discredit 'radicalizers' (a term used to refer to foreign and domestic targets). AFAIK there have been 0 revealed domestic cases of this, and IIRC only 7 or so foreign targets are known about (and 1 being a Westerner?)
The JTRIG stuff is creepy, real and looks like something right out of a Stasi handbook.
"Used to... discredit a target"
"Write a blog purporting to be one of their victims"
"Email/text their neighbors, colleagues, friends, etc"
"Get someone to go somewhere on the internet or in the real world"
"Can take 'paranoia' to a whole new level"
"Stop someone from communicating [by] bombarding their phone [...], delet[ing] their online presence, block up their fax machine"
"Stop someone's computer from working"
"Why do an Effects Operation?"
Answer 1: "Disruption v Traditional Law Enforcement" (presumably - it's effective and we can do it without the same paperwork/groundwork/courts/etc)
> Right, there's a huge amount of intelligence sharing. That's one of the critical points. Domestic law can be skirted by International Law and International Law can be skirted by Domestic Law.
These slides aren't an example of skirting domestic laws - they're examples of expanding collection on the NSA's target through partnering with other countries. Greenwald and company were trying to spin these slides as saying "look, the NSA collected 300 million German calls" and truth ended up being that the German intelligence service shared their own foreign collection with the US. None of the documents released has shown any indication that the NSA has ever asked a foreign country to provide them with collection on Americans. See [1], [2], [3] and [4].
> First, the direct access the NSA DID have was not under the PRISM program.
These are Greenwald's own words[5]:
The Prism program allows the NSA, the world's largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.
The Washington Post backtracked on their reporting and took out the references to direct access. Greenwald has yet to issue any corrections to his report.
> The 'targetted' collection of data itself turned out not to be very 'targetted' at all.
Except that PRISM did end up being only for targeted communications. See the Privacy and Civil Liberties Oversight Board report on PRISM[8] (they describe targeting starting on page 7, but go into further detail in other sections). To date, the only domestic non-targeted collection has been the Section 215 telephony metadata collection (you can see the gory details here: [9]) and the Section 402 e-mail metadata collection which was discontinued in 2011 (details here: [10]). If Snowden just wanted to reveal either of those two programs, I wouldn't be so harsh on him. PRISM doesn't resemble those two programs in the least bit, though. Nor do many of the other disclosures, which focused purely on gathering foreign intelligence.
Note that contrary to what much of the reporting has suggested, the 215 program did not data-mine for indiscriminate call patterns, and there are restrictions on how they can search the database (see the PCLOB report[9] p.27-28, sections "Contact Chaining and the Query Process" and "Standards for Approving Queries"). I'm not going to argue and, in fact, would largely agree with anyone who says the standards don't go far enough, but most people I've discussed this with start off with a whole set of assumptions; it's only through looking at these documents and listening to congressional testimony that I've been able to figure most of this stuff out, and not many people bother putting that much effort into it.
> in many cases the NSA was given direct control of the servers that stored the metadata (as with phone records)
I haven't seen any reporting which said that, and the PCLOB report directly contradicts that statement (see the Section 215 PCLOB report[9] p.23-24, "Delivery of Calling Records from Telephone Companies to the NSA")
> But it did show that there were mammoth amounts of American metadata present in the database (however it was collected).
Here[6] is the report and here[7] are the slides that it was based on. Note the dramatic difference in the number of times Americans' communications are mentioned in the report (I counted 11) and the number of times in the slides (I count 0). It seems more like he just took assumptions from the Section 215 reporting and faulty PRISM reporting and applied those biases. I've noticed that's a common theme in most of the NSA reporting - there's a lot of fear-mongering about the fact that they could be doing using their tools to target Americans, but no actual evidence. You could make similar arguments about police and guns: they could use their guns to go door-to-door and indiscriminately kill ordinary, law-abiding citizens. But they don't. There's a big difference between having the technical capability to do something and having the legal authority to do it.
> look at what the USAID Cuban Twitter program nearly succeeded in doing
1) USAID isn't the NSA, and 2) the only thing it nearly succeeded in doing was giving ordinary Cubans a means of using the internet to communicate free of government censorship. I don't see what I'm supposed to be outraged at.
> The JTRIG stuff is creepy, real and looks like something right out of a Stasi handbook.
JTRIG is GCHQ, not NSA, and when I think of things straight out of the Stasi handbook, I think of things like making people disappear from their homes in the middle of the night never to be seen again, not discrediting them on the internet.
In any case, I guess my ultimate point is that this issue defies all journalistic norms and really needs to be approached with much more scrutiny than most issues. This isn't a situation where we have dozens of reporters from AP, Reuters, ITAR-TASS, etc. all on the ground objectively reporting independently verifiable facts as they see them. Instead, this is an issue where we have mountains of classified documents who were handed over to few carefully selected reporters by a leaker who is only available for softball interviews by carefully chosen interviewers. The documents are largely incomplete, and the reporters display their biases quite plainly (Greenwald himself is an advocate of 'adversarial journalism,' which embraces bias rather than seeking to minimize it). I've had plenty of people tell me not to trust what the government says, but you can't analyze the situation critically without also extending the same degree of skepticism to the Snowden and his small circle of journalists.
> > First, the direct access the NSA DID have was not under the PRISM program.
You did not provide a rebuttal to this. You quoted Greenwald about the PRISM program. I was making the claim that there are bulk data programs that are NOT PRISM.
> > The 'targetted' collection of data itself turned out not to be very 'targetted' at all.
From the NSA review panel:
"In May 2006, however, the FISC adopted a much broader
understanding of the word “relevant.”84 It was that decision that led to the
collection of bulk telephony meta-data under section 215. In that decision,
and in thirty-five decisions since, fifteen different FISC judges have issued
orders under section 215 directing specified United States
telecommunications providers to turn over to the FBI and NSA, “on an
84 See In re Application of the Federal Bureau of Investigation for an Order Requiring the Prod. Of Tangible Things
from [Telecommunications Providers] Relating to [Redacted version], Order No. BR-05 (FISC May 24, 2006). 5
ongoing daily basis,” for a period of approximately 90 days, “all call detail
records or ‘telephony meta-data’ created by [the provider] for
communications (i) between the United States and abroad; or (ii) wholly
within the United States, including local telephone calls.”"
"Almost 90 percent of
the numbers on the alert list did not meet the “reasonable, articulable
suspicion” standard."
"The statutory objection asserts that the FISC’s interpretation of
section 215 does violence to the word “relevant.”"
> > in many cases the NSA was given direct control of the servers that stored the metadata (as with phone records)
> I haven't seen any reporting which said that...
The NSA review panel:
"We recommend that legislation should be enacted that terminates
the storage of bulk telephony meta-data by the government under
section 215, and transitions as soon as reasonably possible to a system in
which such meta-data is held instead either by private providers or by a
private third party. Access to such data should be permitted only with a
section 215 order from the Foreign Intelligence Surveillance Court that
meets the requirements set forth in Recommendation 1."
"We recommend that, as a general rule, and without senior policy
review, the government should not be permitted to collect and store all
mass, undigested, non-public personal information about individuals to
enable future queries and data-mining for foreign intelligence purposes.
Any program involving government collection or storage of such data
must be narrowly tailored to serve an important government interest."
The rest of the objections are variations on a theme. If you think I missed something I'll be happy to reply.
Regarding adversarial journalism - journalists and judges are the watchdogs of democracy, as they provide the public with the information and stage that information in ways that the public can respond to. State owned media is a very dangerous thing and America and other countries have passed laws limiting the ownership and direct news bearing to citizens.
However, when certain leverage exists (especially in cases where the public does not pay for news media), and when journalists readily repeat whatever officials and PR spokespersons say as though it were fact, or even set the stage with a apologetic hearing, you end up with Judith Butlers and Ken Dilanians. You end up with uncited apologetic airings of Defense Industry officials on the major news channels (and no contrarian voice).
“It was the best story in my life, and I wasn’t going to let anybody else write it…The whole global war on terror has been classified. If we today had only had information that was officially authorized from the U.S. government, we would know virtually nothing about the war on terror.” - James Risen, top US Military journalist for the NYT, Pulizer Prize winner
We need adversarial journalism just like we needed the mud rackers. And what I've seen of Glenn Greenwald's reporting has shown every sign of due diligence, or it has become clear later how well prepared the issues and articles were collated.
How can I vote without knowing what's going on? I'm a supporter of the United States, through and through. But I need to know what's actually going on to be a politically engaged citizen.
Adversarial journalism is the best way to do that.
> These slides aren't an example of skirting domestic laws - they're examples of expanding collection on the NSA's target through partnering with other countries.
The NSA and Israel trade information about each other's citizens, circumventing domestic law. [1] [2]
"The memorandum of agreement between the N.S.A. and its Israeli counterpart covers virtually all forms of communication, including but not limited to “unevaluated and unminimized transcripts, gists, facsimiles, telex, voice and Digital Network Intelligence metadata and content.”"
Have you seen the memorandum between Israel and the US? [+]
Before you go excusing the memorandum as not being a backchannel, remember that Hoover famously left an official paper trail of "I'm sorry, but the information you requested can not be served without a court order" but would serve the memo to those who made an illegal request by sending a trusted FBI agent who also had a copy of requested documents.
Australia spied on US law firms and handed the data to the NSA (with no court/warrant process in US). [3] [4]
The NSA will spy on others' citizens for them and share results. [5] [6]
"Britain's GCHQ intelligence agency can spy on anyone but British nationals, the NSA can conduct surveillance on anyone but Americans, and Germany's BND (Bundesnachrichtendienst) foreign intelligence agency can spy on anyone but Germans. That's how a matrix is created of boundless surveillance in which each partner aids in a division of roles.
They exchanged information. And they worked together extensively. That applies to the British and the Americans, but also to the BND, which assists the NSA in its Internet surveillance." [7]
"NSA 'offers intelligence to British counterparts to skirt UK law'" [8]
GCHQ provides more internet surveillance records than any other nation in the Five Eyes (ATM) and shares this, including the NSA without a warrant system. [9] [10] [11]
There's a great breakdown the GCHQ case specifically. [12]
Of course it goes the other direction as well. [13]
Don't just take this from journalists, leaked documents, whistleblowers, and embarassed officials. You can trust watchdog agencies inside of Canada to give you the scoop too. Watchdog agencies 'chastised' intelligence programs for using allied partners to circumvent domestic law in a 51-page document. [14] [15]
These partnerships are extremely common. The NSA has (had?) 37 partnerships of varying degree of collaboration. [16]
Going to get back to other bits later, as it is far too late at the moment. It's very difficult to square your claims against "not this program", leaks and reports by others (e.g. Risen, Binney), Senate Reports and legislation that tries to move the data from NSA hands back to telecom hands.
A short preview though.
WRT "they could be doing it" - there's a sordid history with intelligence agencies expanding their capabilities, and not having technical limitations in an area so easy to be covert (computer systems) is a recipe for disaster. Especially when you create an apparatus that won't just be used today, but will both store data from today and continue to get access to tomorrow and will be inherited by who knows who.
Of course USAID isn't NSA. The ethics don't concern me. Neither of those are relevant to the point, left woefully neglected.
You round JTRIG down. They disrupt individuals lives and aggressively target inducing paranoia. Yeah that's not the same as a black bag (that comes later, for those who are unfortunate to become a large enough problem). Black bag programs exist. How often are they wielded? Rarely. Thank god. It's not reasonable to draw your line in the sand at assassination or concentration programs. You've also missed the bit about being notified of your rights and being given a jury of peers.
JTRIG location aside, certainly CIA have those capabilities. NSA and GCHQ partner heavily. US has programs for 'persona management' and astroturfing (they at least have defense contractors that provide that ability) and the HBGary leaks show US intelligence contract for it. We aren't just talking about the NSA here. We're talking about institutionalized surveillance. That means signals intelligence, but also partners, HUMINT, ELINT, traditional law enforcement, etc.
Regarding Greenwald. I would love to see more people get access to more document (depends on which - I would like America and allies to win the cyber intelligence war). I'm not sure the powers that be want any more people looking at the documents. We'll see.
Minor nitpick, but I keep seeing people get this wrong: James Clapper is the Director of National Intelligence. He has previously served as the director of the National Geospatial Intelligence Agency and the Defense Intelligence Agency. He has never been the director of the NSA.
I know that (1) because Snowden's documents say so and (2) because I happen to have met one of the people who worked on one of the communication systems involved in PRISM at one of those companies and implemented the DITU integration at the time indicated in Snowden's slide -- and has the FBI T-shirt to prove it.
What's worse with Dropbox is that it deduplicates data across users. So it's really easy for someone who "needs to know" (like the NSA) as well as people who "would like to know" to "takedown" a single user for something and identify every other Dropbox user who has the same content.
Is that your blog? I really don't think you've "caught him out" by saying his first paragraph contradicts his second. One paragraph is the present state of affairs, the other suggests future behaviour that can change the present state of affairs. Snowden doesn't have the luxury of communicating with people who have covered their tracks.
All of your bullet points thereafter merely describe the present state of affairs and do not in any way contradict the concept of using encryption to change them.
It's the defeatist attitude that I find the most defeating about this subject.
If i do all of these how do i share documents or search for information on the web? What ever the alternative is going to have the same issues as Dropbox, Facebook or Google. I cannot build my own versions of these!
Divide things very clearly between public and private. If you need to publicly share documents, then use Dropbox. This is a lesson a lot of people who used SnapChat are learning or are about to learn.
> You could build your own dropbox. It's not that complex.
It would be incredibly complex to build your own Dropbox. Maybe it wouldn't be "complex" to use rsync to automatically copy files over to some other drive if that's all you wanted, but Dropbox does way more than that and I don't plan on dropping Dropbox for some half baked solution that requires more effort to set up, maintenance and ends up in lost data because on the one in a million chance the FBI might want to look at pictures of my pets.
I don't know how I feel about government surveillance, but I sure as hell don't see it worth to trade some supposed imperceptible theoretical harm with tons of actual effort and inconvenience.
You don't have to write your own Dropbox. You just have to host one.
And even beside the question of government surveillance there is the advantage that it is under your control, not somebody else's. File sharing is so generic that the lockin opportunity is less than it is in other domains (like social networking) but there still can be advantage to being the owner and not merely a renter.
With owncloud if there's a fire in your house, or your cat knocks over a pitcher of water over your server, you lose your stuff. Plus it would be slow as dirt, since upload is limited by your ISP, and especially slow if you're traveling to some other continent. If you use a third party host you're basically as vulnerable as you would be on Dropbox, plus you have to maintain the thing and it's only a subset of the features. Again actual inconvenience for something (NSA snooping) you can't be sure affects you even in the least.
And beyond just being a subset of the features, it doesn't have Dropbox's ecosystem. Can you auto-sync your Oreilly Media books automatically with own cloud right from the Oreilly website? Does 1Password automatically sync with it? Is there a screen sharing app that automatically pushes to owncloud? Does it have a push API? IFTTT support? I, and others, use all these with Dropbox and it probably doesn't make sense to give them up because the NSA is the boogeyman FUD.
If you're specifically targeted by the state (especially extralegally), you're screwed. Personally, I just want to be in control of my data, and don't want others (government or otherwise) to be indexing or 2 clicks away from my data.
As you mention, hosting OwnCloud removes your cat/fire scenario. Even by hosting it at a US ISP, you are significantly reducing the likelihood that the government can index or be two clicks away from your data, and your host (unlike Google/Dropbox) isn't likely to be mining your data for future business models. Hosting it at an ISP in a country that respects individuals privacy (e.g. Iceland) means your data won't be in the government's hands unless you're directly targeted by a state actor.
A subset of the features is, for me, an advantage. Hosting my password database myself is a huge feature. My Mac's built in screen capture writes stuff to disk. I can set that to be the Owncloud folder. No third party app required! :)
Precisely my point. I don't / can't host in my house/office. And if i host on any remote servers, the servers themselves can be compromised or forced to. What guarantee they are not, if we look at the scale of revelations on NSA snooping so far.
I agree dropbox would be easier of these and i can live without Facebook but definitely not be able to build a google. But more importantly is it worth it? I have a feeling from hardware to layers of software in the tech stack we use is all compromised to give access in one way or the other or they can be cracked brute force with the enormous computing power these organisations have.
Are they not compromised or more likely easily compromised considering they don't even have the resources to secure and legally fight against government interferences?
Well, Diaspora* is open source and decentralized(somewhat anyway), so I think it would probably be difficult to compromise the majority of it. I'm not sure though. I suppose if a subtle error was submitted in a pull request(?)?
I suppose that any single pod could be compromised fairly easily, and some of the larger pods have a large number/portion of users, so just compromising some of the larger pods could be sufficient.
Also, iirc, Diaspora* has been said to have some security and privacy concerns,
But I thought it would be good to mention that there isn't really a single "Disapora*" which can be told to give up all the data for all users, because different users use different pods. (And I think a collection of pods can be somewhat isolated from the rest maybe? I'm not sure.)
If it was something intended to be public there is no harm in Google having it (they will scrape it off the web anyway) as the NSA are welcome to publicly access the content.
Most people don't treat Dropbox/Google/Facebook (non-public) usage as being equivalent to CCing the government but maybe they should.
Pro-tip: anything you put on any service can and probably will at some point scroll past the eyes of a random sysadmin who's debugging why the database keeps crashing under load.
Most people are worried about "disclosure" - which is something Uber violated for a PR stunt at a party recently - i.e. we're usually okay wandering past the window naked, because we assume it's extraordinarily unlikely that someone will be pointing a camera at it right then, or that it wouldn't be more embarrassing for them to try and yell "hey that person is naked in the window I saw them!"
Conversely, we wouldn't be happy if someone did take photos, then uploaded them to the web, and showed them to all our friends etc.
In a practical sense, this is how people act. It's how you have to act - it would be practically neurotic to act any other way.
There is an interesting branding question here. Imagine an alternate history where all our historical footage of Stalin or Hitler all had Google watermarks.
To be honest, he's not looking for privacy for this statement. He's looking for exactly the opposite, so using the thing that doesn't care for privacy doesn't matter for this instance.
"When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’"
How does he arrive at that conclusion? I have nothing to hide, but I still don't support the violation of these rights. Does he suggest that we instead support some other service or method under the illusion that we are immune from NSA spying?
"Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data."
What, pray tell, is the mechanism by which the key will be obtained? Snowden is bloviating here.
If a key is stored on your phone, it can be obtained the same way any other data is obtained. If the key is password protected, a key logger would yield the password.
Edit: I forgot to check to whom I replied; "lern_to_spel" shows up on all of the Snowden threads.
The keys aren't stored on the phone - that's what's caused all of the recent controversy. A warrant to install a keylogger isn't very useful after the suspect has been taken into custody.
I watched the interview and when he said that, I assumed that he meant something like "getting the device when the subject was using it", giving them access to everything. But your reaction makes me wonder if I was mistaken.
I have a SpiderOak account, but don't use it as often.
Speaking of protecting data: I am surprised at how many companies seem to keep their software in private repositories on github and bitbucket. That seems like a security hole, if software if the core of your business.