The government has done irreparable harm to these companies, because even if they are telling the truth, they will never be able to prove it (like Obama could never prove he wasn't born in Kenya) Each new bit of evidence supporting their position will be met with just more questions. That's the problem with government spooks, their capabilities are boundless, anything the mind can imagine, and there's simply not way to erase doubt. Can the NSA break public key encryption? No? Are you 100% sure? Does the NSA have a fibre-tap on all cables? Are they running continuous keyword searches on transcribed conversations of every American, in real time? Can you prove they don't have some secret new $30 billion data center, paid for by the $60 billion in Iraq money that went "missing"?
10 years from now, people will still be talking about this.
They can prove it. Comprehensive independent security audits managed by well known privacy and human rights organizations. Considering the scale of Google they should have number of people auditing them all the time.
Google has way more data from a million little things we online than it should have. The government can easily get it, it can leak, get hacked etc. If the data isn't archived, no one can ask for it. Simple as that.
People are merging two different mechanisms here, and its important to distinguish between the two.
1) Access to users when provided with a "warrant" or someother legal instrument. This is where for example a divorce court orders the message history of a person from facebook to confirm/deny infidelity. This is your "Facebook secure room/portal" business. You don't want any tom dick and harry having access to this as its a massive security hole.
2) Snooping. This is where apparatus is placed between the public and a company which allows the interception of all data.
These are two very different mechanisms, 1) is a precision tool for getting information on a small amount of users. 2) is a blunt tool that allow people to stuff themselves full of information, it is also inherently very expensive(both in time, resources and analysis).
both method 1 & 2 have been going on for many years. Its also been fairly well known for many years (schneier and crytptome have been saying this for a very very long time)
So why did the NSA ask verizon (and most likley all the big players) for this list of who phoned whom, if they have all this information kicking around? two reasons: Its dirt cheap, and accurate.
Instead of having to infer who was on what IP at what time, you have the canonical proof.
The President himself acknowledged existence of the program, so that is no longer in dispute. I am, however, starting to think that perhaps the leadership of these companies truly didn't know that this has been going on.
I'm curious if these orders can be served directly to mere employees that have access to install the monitoring software/hardware, with confidentiality obligations barring them from telling their employer. Another explanation may be that NSA agents simply obtained jobs at each company, and those agents installed the monitoring software/hardware without the knowledge of the companies. This would explain the dismay, and the clear embarrassment of the NSA.
The problem with all the denials is that journalists say "Google is doing X" and Google responds "We aren't doing Y" and everyone debates whether Y = X, Y is a subset of X, or Y is something completely different.
I feel as if so much could be cleared up if they would simply respond line by line to the stories by the NYTimes and Washington Post.
It's not even that. The journalists say "Google is doing X" so Google responds "We aren't doing X" and suddenly internet commenters everywhere are taking that as evidence that Google is doing Y and Z because they aren't X.
Thanks, fixed. Looks like HN is over-escaping some values -- click the 'link' link to this post and see how the first line is over-escaped in the title bar?
Disclaimer: I'm an engineer on the Google+ backend infrastructure team. I am not a US citizen. I've been an HNer longer than I've been at Google.
These accusations are seriously getting out of hand. This is also seriously getting so illogical that I've considered whether it's even worth posting a response.
Is accusing someone with a badly created powerpoint presentation now enough for such a massive storm?
Yesterday, Larry gave a thorough point to point denial to the Washington Post article.
Conspiracy theorists@HN moved the goalpost and started talking about how if Google isn't doing X they must be providing data to NSA servers. Now that David Drummond has come out and denied that Google's not doing Y, some HNers start complaining that he's lying even though there's no evidence to the contrary.
Google has committed its fair share of mistakes but as employees inside the company we have always stood by our users and a lot of these attacks are indirectly questioning our moral character.
Larry and especially David have created a culture where we push back when the government makes overreaching user data requests. These push backs have been happening for years. Google has even gone to courts questioning the constitutional validity of NSLs. (source: [1]). There are times when courts uphold the Government request. Google publishes these in its Transparency report ([2]). The claim that these guys are willfully lying on this issue is completely out of character with what their actions have been till date.
You say that government has already admitted that they access the data. Where? Do you mean the Verizon CDRs? Or are you using the flimsy PPT as evidence? Maybe your source is one the myriad of articles that have used the powerpoint as their source. Or maybe your source is one of those of another articles that use other badly sourced article as their sources. Maybe you mean Obama's statement that the government does track emails. In that case, being in technology, I hope you realize that being a MITM email snooper is one of the easiest things to do. That's why you never ever use email for secure communication. Maybe you don't understand these "nerd-y" things (yes, I was a shocked too when a HNer threw that at me), but I implore you to logically think about this story.
Yesterday, there were a flurry of posts that were seeing a conspiracy in how Mark Zuckerberg's and Larry's response were similar. Why have we HNers turned into conspiracy theorists now? It was only later when some sane voices pointed out that they were each responding to the specific points raised by the original WaPo article, that that controversy died down. Of course no one seems to mention that the original WaPo post has retracted several claims especially about companies being in the know. [3]
Some conspiracy theorists@HN have even talked about spies infiltrating as Google engineers. Are you guys serious?
The level of control/monitoring/logging that happens to employees at Google when accessing any data at Google (even when you're just trying to debug why processing that data is crashing your server) is so huge that this just won't be a feasible strategy for these spies. Also, with all these checks in place it's impossible to get hold of information without a lot of flags being raised. Even if we assume that all US based engineers at Google are somehow government spies (a preposterous claim which I'm sure someone must have made on HN by now), Google has engineers outside US. Engineers who have access to the same alerting/monitoring systems that would alert them if such unauthorized data access was happening. Those engineers would not be bound by any US government imposed gag order that conspiracy theorists here seem to claim.
I've even had someone claim on HN that because Google worked with NSA to protect Chinese human rights activists from spying attempts/hacking attacks, Google's helping NSA spy on US citizens. This is so illogical that it makes no sense to me.
I've had the opportunity to have worked with Yonatan's team and I have immense respect for him. I also completely mirror his feelings [4]. Any massive data sharing/accessing would be really hard to do without this turning up in some shape or form in front of me and if this were happening I would not be at Google. Most of us engineers would not be.
Enough with the personal attacks questioning our values.
Now to the bigger question, if a democratically elected US "government" is making and forcing private individuals and organizations to follow extra-constitutional norms. Shouldn't you actually take this issue up with your local senator/representative?
Contact them: http://www.senate.gov/general/contact_information/senators_c...http://www.house.gov/representatives/
Doesn't being in a representative republic mean that that's how you solve the problems you're having with your government. I was one of those who were mystified by the current president's oratory. Yet, I also believe that if something is not right it's time to use the proper channels to have your voice heard.
How many of you are US citizens and have written multiple posts here on HN since yesterday but haven't called your local representative yet? Now is the time.
These witch hunts without evidence, all these conspiracy theories, the attempts to find fault with every statement being made; these are not what HN should be about. Let's actually do something to bring about some real change.
> Yesterday, Larry gave a thorough point to point denial to the Washington Post article. Conspiracy theorists@HN moved the goalpost and started talking about how if Google isn't doing X they must be providing data to NSA servers. Now that David Drummond has come out and denied that Google's not doing Y, some HNers start complaining that he's lying even though there's no evidence to the contrary.
The documents provided with the Washington Post and Guardian articles are not no evidence.
They just have to say "the governement does not have any kind of access to the data we host, in any other way than through a court order".
but i doubt they'd say that. they already seem to say they get very regular requests (which could be 10 or 100 000 or more) that are just "hey please give us that we need it".
This denial is fairly categorical. Any objection that centres on the idea that they're only saying this because they have to is in conspiracy theory territory. Nothing that Google says could possibly disprove that claim.
I will go on record as standing with Google and its denials, even if that's an unpopular position right now.
Here are a few facts:
1. The New York Times article did not specifically cite PRISM, it only cited FISA, which was already largely known by the public. It is true that this could be because PRISM is allegedly justified under Section 702 of FISA, but they are not the same thing.[1] It would be most appropriate to say that one encompasses the other, but they have two separate protocols, and as of right now, only one was discussed by the Times.
2. Let's say the NYTimes article is about PRISM, and they simply didn't mention that acronym for whatever reason. If that is the case, the information leaked therein also makes it very clear that it is entirely possible for CEOs, chief officers, and other high ranking employees to be completely in the dark about it. The only people allowed to know about the requests for information are those who receive and analyze the requests. That's not a conspiracy theory - it's leaked right along with the rest of the information.[2] Mark Zuckerberg, Larry Page, Dave Drummond, Yonaton Zunger, etc. might literally not know the extent of how far the government reaches in their companies.
3. It is unreasonable and unrealistic to expect the leaders of these named companies to stand together in righteous technological might against The Man. Nothing practical would be achieved by having Mark Zuckerberg or Larry Page penalized for what they said on record, in public against a government agency. Nothing would benefit the American people by having them put on trial or their companies sued for violating national security. The NSA designed a Catch-22 gag order that prevents those involved from even acknowledging the existence of government involvement or letter agencies, let alone detailing specific protocols or history.
I've said it before and I'll say it again. Stop getting distracted from the real problem here. The threat to privacy is the NSA. The threat is our government(s). We have the power to fight it if we consolidate our focus with precision. We may feel wronged by the apparent lies of public figures but they had no choice, if they were even in the wrong. We cannot know what pressures were put upon them at this point in time.
Lay down your pitchforks and direct your anger and incredulity to your government, who ordered this - the public entity that made this legal and hidden and nearly impossible to speak out against. That is your real enemy.
I'm glad you wrote this post. I've been echoing it for so long that I'm annoying myself....but if people spent half as much time inspecting the NYT's piece, they would see that it clearly describes then kind of FISA procedure that Google has already admitted and that the "directly tapping" incidents that the NYT alludes to are not attributed to Google or FB or any actual company.
But the key thing is to not waste energy on the side issue...the grab for power should always be scrutinized, and it is not an issue as simple as "Vote in a new president and live like Richard Stallman" (though neither of those ideas are bad, either)
Call me jaded...but remember how angry and energized everyone was over Aaron Swartz's death? Just six months later and we hear nary a peep about it, not even a boilerplate response to the White House petition. This is the way it is with so many issues involving the law, people get bored or conflate the wrong things...a few months later, no one really remembers.
This is generally true, but what is an issue from where I stand is that companies which are building their reputation on pushing back against too much surveillance are cooperating with the government to make such requests cheaper, faster, and easer, which is to say ensuring we will see more of them.
The responsible thing to do is to require a physical document, hand delivered to an appropriate corporate agent or officer, with a manual, hard copy review process.
If you're going to say your data not safe in Google's hands, then your data just isn't safe on the internet which I think is a needlessly extreme position to take. The OP is right, just focus your dissatisfaction on the government. It's not about is your data safe with Google; it's about your data safe with the government. If you can't trust your government, it doesn't matter where/who/what has your data. Yesterday it was Yahoo & myspace, today Google & Facebook, tomorrow who knows... the only constant is an abusive government. Fix that, then it won't matter what currently trendy company has your data.
> If you're going to say your data not safe in Google's hands, then your data just isn't safe on the internet which I think is a needlessly extreme position to take.
Google isn't the internet.
Dump gmail, FB and other spy holes. Use public key crypto. Take your own network back.
So basically communicating online only with people that will use pubkey-crypto? I think that's a needless extreme. Also, what happens when everyone does that and the government makes crypto illegal? You're back to the original problem, the abusive government. That being said, I did just suggest encryption in an earlier post today... but that was before I started getting the feeling this problem goes deeper into the government than just a small gov-agency & some cellphone companies.
The problem with PGP is that friction is in every message you send. For every email you have to make the decision about encrypting the message and entering your passphrase. It's a hassle.
The reason I recommend Bitmessage is because after overcoming the friction of installing it, it's frictionless. You don't have to remember passphrases or anything. It also has advantages over PGP-encrypted email like deniability, built-in spam minimization, broadcast messages (like Twitter), chan boards, etc.
If you believe this "PRISM" thing exists at all how the media is painting it, your data isn't safe in ANYONE'S hands. Google has way better lawyers to fight that stuff (and clearly DO fight this stuff - see the National Security Letters thing) than most other cloud companies.
The threat is from government and collaborators. Some collaborators are probably lobbying to have government surveillance programs expanded because they think it will benefit their bottom line. Other collaborators may believe that privacy of citizens is of no or little importance and willingly cooperate. Companies with business models that debase privacy could be suspected of this. Then there are companies who genuinely may not want to cooperate at all and who may even care about privacy. Companies with a squeaky clean history on the privacy front.
Unfortunately, it is important that all collaborators be punished. Especially since the government is trying to expand its surveillance programs to include a wider range of companies, and per reports many companies are reluctant to sign up out of fear of public backlash. There needs to be that public backlash. There needs to be negative consequences for those companies that participate.
That being said, I'd like to clarify that I don't think all forms of cooperation with government investigations are inappropriate. Very narrow and specific requests in response to explicit subpoenas being an example of something I think must be tolerated. On the other hand, blanket requests and requests for data access that would enable government to independently explore the records of millions of American citizens is something that can't be tolerated. Efforts must be made to change such policies at the same time that efforts are made to penalize the companies that collaborate and make it possible.
"Nothing practical would be achieved by having Mark Zuckerberg or Larry Page penalized for what they said on record, in public against a government agency. Nothing would benefit the American people by having them put on trial or their companies sued for violating national security."
Your post is well written and presents an interesting viewpoint, but this is completely wrong. A handfull of the most powerful and wealthiest companies in the world standing up to the US government wouldn't achieve anything? What? It would make a HUGE difference. If the people involved won't stand up for what's right due to personal fear, that's understandable. Most people wouldn't. But they shouldn't pretend it's for any other reason. To do so is a huge insult to those who do have enough courage to do the right thing in the face of huge risk--much greater risk than is faced by these frightened SV millionaires and billionaires.
I am not actually going to stand with them on their denials. I understand what you are saying but I think you are missing something simple, namely that the easier, cheaper, and more efficient you make the information sharing process, the more requests you are going to get. What Google is being accused of here is collaborating on making this fast and efficient.
As it takes less resources to obtain information you can bet that there will be more efforts to obtain information. If you want to avoid much of this, you just require hand-delivered documents from accredited agents to accredited agents, manual review of these documents (and perhaps shipping them between corporate offices for such review). Get a review for being thorough, pushing back, and not hurrying. Make sure it takes time, that lawyers go through them one by one, and send to another lawyer (preferably somewhere else) to cross-check. stall for as long as you can on every order you can. You will get fewer.
Google is essentially claiming transparency, while ensuring that the transparency report is increasingly meaningless because it is easier and easier to get info in ways that won't get into it.
Within Google's denials is more or less a confirmation that what the NYT is saying is true.
They also have an obligation to their users. I hope they realize that I will be actively be on the look out for alternative services from Europe in the future.
This means Google (and the other American companies, too) has a problem of loyalty now, and I'd say a huge one. It's only a matter of time before such services arrive, and I'd like to believe people will start quitting it in droves.
I see it much like with the ISP situation in US. People don't really have a choice of ISP's, but they've grown to hate them so much over the years, that as soon as a decent competitor is around, they'll be switching. I believe (and hope) the same will happen to the American companies, including Google - at least until this mess is fixed, and the Patriot Act repealed.
So I do believe the Patriot Act, and the uncovering of what it can really be done with it has caused irreparable damage to US companies. I received a Chrome update yesterday, and now I have to wonder "is it just a coincidence? Or is it to remove some tracking technology they had it until now, so people don't find out about it when all the spotlights are on them now?".
Could be a genuine question, or maybe I'm just too paranoid, but the point is these unveilings made me feel this way (the Google "privacy issues" never bothered me before, and I was actually waiting for Google Glass - not anymore obviously), and I don't think anything Google and others say in the future will make me feel otherwise, until there are concrete steps done, wide in the open, to stop this kind of surveillance.
Meanwhile you still pay your taxes and you vote for your sitting senator. Where's your responsibility here? Maybe you'll hate them so much over the years and as soon as a decent competitor is around, you'll vote for that guy?
These are big companies and putting pressure on them like this is both practical (just pick your data-hosting European country carefully, though) and could create economic leverage on Congress, but I think it's kind of bullshit when these transparency reports mention receiving between "0-999" National Security Letters, and Eric Schmidt is telling people about the PATRIOT Act requiring them to hand over information, and now you're saying "what?? they're handing over data because of an order that doesn't require probable cause established in front of a judge?"
I don't want to come off as too harsh here, but, yes, this is what we've been banging the drum on for years about. Jewel v NSA[1] is very nearly 5 years old now, and the executive branch is trying to drag it out even longer. Welcome to the fight; let's try to make our country livable instead of dreaming about jumping ship but doing nothing in the meantime.
I'd love to see someone check the Takeout logs and look for anything which seems out of place. Requests for user data which aren't correlated with normal user activity would seem mighty suspicious to me.
Go on, someone, make it so. Then leak it. Let's do this thing.
There is a big issue with as-need-bases systems. It requires security clearance on their google counterpart side.
Every time NSA, FBI requests user's private info from google they'll [the government] be divulging the identity of a suspect or a potential suspect. This leads to potential leaks or potential reputation damage. Imagine if a congressman or famous CEO is under investigation. So the person/people inside google ought to have the same clearance OR google would need to give a back door access to the government. Which is why I don't believe google.
If google is sincere about their position, they should setup their systems so that no one but the user(owner) would ever be able to access their private data.
If we assume that everyone is telling the truth and that there is no back door or drop box, couldn't they simply get the data with man-in-the-middle type software? Getting data from Google, Facebook, Yahoo, and co is nice because it comes to you in a structure way but that wouldn't stop me from trying to get information in many others way, including working with the internet providers to put servers that copy data and direct them to my data center.
Wild speculation, but what about TLS key misappropriation? In other words, NSA has access not through official channels but somehow got private keys through hook and crook?
(I have to admit I do not fully understand PFS and the implications here.)
So I checked out some of the user profile of people who are flat out proposing that google is colluding with the government and is lying right now to the users and they don't believe any official word coming out from google.
Not only are their google+ profile very active, I am going to assume they are still using and most likely will be using google products (or products from other companies who has been implicated) months from now even if nothing changes.
The question is, lets say you are absolutely sure beyond any doubt that all these companies willfully (or unwillingly but now lying to you) shared data with the government. What do you do now?
Do you accept it as it is and carry on?
Do you stop using their service?
Or do you campaign to stop these companies and government from doing this (seems highly unlikely to be effective or verify)?
I'm likely going to use their services in a reduced capacity whether they were complicit or not, simply because this incident has highlighted the risk of companies who store massive amounts of personal information consolidated together in one place. Even if their only reason for doing so is advertising, I'm less interested in participating in systems that collect and store so much information on me. This probably should've been obvious before (people have certainly been saying similar things for a while), but recent revelations have made me more prone to agree.
The problem, of course, is that some Google services are nearly irreplaceable, especially search. There are alternative search engines, but they simply aren't as good for the technical type searches that a programmer needs. Duck Duck Go is better than some older alternatives have been, but when using it I frequently find myself having to return to Google to actually find what I'm looking for. I wish them luck and hope very much they keep improving, as I'd like to use them, but so far I can't really.
Even if it did, imagine how awfully damaging that would be for Google's image worldwide. So I could see why their immediate knee jerk reaction about it is to hide it as much as possible.
If he is telling the truth, at least about this very specific thing (not having access to "Google's servers"), then it's still possible they are giving them easy access in some other way, such as copying the data to other servers that are "not Google's servers".
So worse case scenario, he's blatantly lying about it. Probably best case scenario, they're still giving them the data wholesale in some way, and he's playing word games and semantics.
I have a very hard time believing none of this is happening, at this point. I hope I'm wrong though, but even then, the NSA probably has direct pipes into the carriers and ISP's, and at the very least have access to all the data going through US pipes that is unencrypted (and the encrypted data is stored for later - i.e. the 5 billion terrabyte Utah data center).
> Probably best case scenario, they're still giving them the data wholesale in some way, and he's playing word games and semantics.
No, the best case scenario is he's telling the truth and Google only gives specific data in response to specific court orders that have been reviewed by their lawyers.
Normally I love reading the comments on HN, but I've just despaired over the last couple of days. People are assuming that out-of-context fragments from a Powerpoint presentation are 100% correct and when every single company gives a flat-out denial, then the companies must be lying or misleading or slippery.
The law does not require these companies to issue denials.
Just a reminder: we are not all US citizens. There is no American court order or warrant that makes it legal for Google Ireland to hand over data about EU customers to the US government. They have admitted to doing this already[1] years ago. It's likely illegal under data protection laws for EU businesses to use Google services (or any other US based web service) to store customer data.
Google has sent us a statement that reads: "As a law abiding company, we comply with valid legal process, and that - as for any US based company - means the data stored outside of the U.S. may be subject to lawful access by the U.S. government."
The real question clamoring for a clear statement is far more complex:
Does any government, US or otherwise, their agents, representatives, contractors or NGO's have access, directly or indirectly, through any means, to <insert company name here> DATA, FILES, COMMUNICATIONS, LOGS or any other information having any relationship whatsoever to <insert company name here> users?
This could be, and probably should be, refined, IANAL.
The point is simple: We don't care about "direct access to servers". We care about access to data. And this can be provided through many channels, direct and indirect. It can even be provided via daily tape backup dumps. Of course, it can be provided to organizations peripherally working for or with a government yet not directly to a government agency. And, finally, it could be provided to another government that, in turn, can pipe it back to US governnment agencies or collaborators.
The government would never need access to Google's servers; it would never need a back door. A front door API would work just fine.
Some people have correctly pointed out that if Prism is considered 'law' (falling under any number of national security laws), then all Google is doing is complying with the law.
And in that case, what Drummond just said in no way actually denies participation in Prism or a similar program.
10 years from now, people will still be talking about this.
We need to roll back the Patriot Act, period.