Eric Schmidt: CNET gets it right on the NSA/Google issue (plus.google.com)
97 points by moultano on June 8, 2013 | 78 comments



Eric Schmidt would be the last person I'd believe on matters related to privacy.

He's well-known for basically claiming that we're not entitled to any privacy ("if you don't want anyone to know blah blah ... ") and for later being a vindictive fool when CNET published some of his personal details found through Google.

Besides, he's not even CEO anymore, why would he know anything about highly confidential dealings with the NSA?


Wow, you're really going to still quote that out of context. Literally the next sentence out of his mouth was a warning that Google is subject to the PATRIOT Act and you should be careful what you use it for:

"But if you really need that kind of privacy, the reality is that search engines, including Google, do retain this information for some time. And it’s important, for example, that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities."


What context is added to his original statement by the subsequent sentence that changes its meaning? If anything, it strengthens his point by mentioning that Google retains the information, and that one example of its use is that authorities could request it.


He never claimed you weren't entitled to any privacy. Have you even read or seen his original words?

Would you like Larry Page to detail this for you? or Matt Cutts? Who will you believe?


"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." https://www.youtube.com/watch?feature=player_embedded&v=A6e7...


My grandparents were telling me that since I was in middle school. Even Ben Franklin had a quote about that: "Three can keep a secret, if two of them are dead". Don't blame the weatherman for telling you that it's raining.


Whether you trust Eric or not has zero to do with if you trust CNet's claim that "The National Security Agency has not obtained direct access to the systems of Apple, Google, Facebook, and other major Internet companies, CNET has learned."

Inferring he is no longer CEO and might not know about these matters is just an informal fallacy and has zero to do with whether or not Google, Facebook, etc. is telling the truth on the matter. FWIW, I believe them when they say they aren't giving direct access to their servers to the government. That doesn't mean they aren't, and I'm willing to listen to any substantial claims that they are.

I don't trust the government to always do the right thing when poking around in our business, but I'm also not going to run around like a chicken with my head cut off when everyone gets their underwear in a knot over leaks like these.


> FWIW, I believe them when they say they aren't giving direct access to their servers to the government.

What have they done to earn your trust so that you believe them?

In matters of espionage and mass surveillance, I expect lying to be the default response for the government and corporate players involved.


Could a possible explanation be that the feds have unauthorized access?


I think it's as simple as a misinterpretation of the technical intel-community jargon being used by NSA.

They're saying PRISM gets them access to Google/Facebook/etc.'s data with no other middleman. That's not always the case; when working with international partners NSA might obtain intel from other (foreign) intelligence agencies, or their HUMINT might report data that is itself hearsay.

So the source/provenance of data is very important for an intelligence agency. NSA is saying this (with PRISM) is the best case as far as the source of intel goes, there is no better primary source.

That still doesn't mean NSA has embedded backdoors or that the company doesn't control access to the data though. Data Access is a separate concept from Data Source in intel.

We can still say that having this kind of access to data is above the capabilities NSA needs to have (it certainly seems ripe for abuse) but it's sounding like the reality is not quite as sinister as Greenwald or WaPo had been led to believe.


From Glenn Greenwald's twitter, https://twitter.com/ggreenwald:

  Allow me to quote from the NSA document we just
  published defining PRISM: "COLLECTION DIRECTLY 
  FROM THE SERVERS"

  Our story was written *from the start* to say NSA
  claimed this, telecoms deny-we wanted them to have
  to work it out *in public* what they do

  We reported - accurately - what the NSA claims. We 
  reported - accurately - what the companies claim. It 
  conflicts. That's why we reported it

  Just one more time: NSA on PRISM: "Collection directly 
  from the servers of these US service providers: 
  Microsoft, Yahoo, Google, Facebook.."


edit: doh, I misread the tweet. Looking over the new slides at that story just posted http://www.guardian.co.uk/world/2013/jun/08/nsa-surveillance...

edit: It's just one new slide (http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/20...) which says "directly from the servers"...but since Google is ostensibly arguing that the slides are poorly worded, hopefully the Guardian believes the other unreleased slides elaborate? The blog post ends with "A far fuller picture of the exact operation of Prism, and the other surveillance operations brought to light, is expected to emerge in the coming weeks and months...", which means that they will be releasing bombshell by bombshell, or that they think other revelations will be independently reported?

(original comment below:)

I immensely respect Greenwald, but he's setting up presumptions for his reporting that make it unassailable, no matter what the facts are.

1. Our reporting is accurate.

2. The fact that the companies involved deny it is proof that our reporting is accurate, because our reporting said that they would deny the report.

3. Therefore, our reporting is accurate.

It's possible that the reporting is accurate on its face, but the most relevant details (i.e. the ones that would separate this from, egregiously and surprisingly evil to, well, just more of the same) were not reported correctly. Has either the Guardian or the WaPo released the entire slide set?


>which means that they will be releasing bombshell by bombshell, or that they think other revelations will be independently reported?

Presumably, the Guardian is in possession of the full 41 page powerpoint. They'll likely release pieces of it at a time. Nice to see they're waiting for everyone to trip all over themselves first. I can't wait to see how this plays out in the coming weeks.

Funny. When Wikileaks did the same thing people said it was inappropriate and editorializing and dishonest. It seems that the Guardian and Wikileaks strategies for maximizing impact are on the same frequency.


That doesn't explain why the Washington Post hasn't released their copy of the slides, though...those two outlets are competing on this story (it's nice to have two independent established outlets compete on a story of such national and specific importance, fwiw) and the WaPo could have the scoop. Maybe they're waiting for the Sunday edition?

My guess was that the source feared that one or all of the slides have some kind of identifying tag, if not as a meta-watermark but as something tell-tale in the content...and so had requested the Guardian and the Post to release as little as possible.


they're not just maximising impact, they are most likely currently having discussions as to what they can legally release without getting into too much trouble or causing a national security problem (e.g. see redacted names on latest slide).


That's not what he's claiming.

He explicitly states in those tweets that he reported the claims of both sides, which he was fully aware were in conflict, in the hopes that the truth of the reality would come out.


From the recent post:

> The slide, below, details different methods of data collection under the FISA Amendment Act of 2008 (which was renewed in December 2012). It clearly distinguishes Prism, which involves data collection from servers, as distinct from four different programs involving data collection from "fiber cables and infrastructure as data flows past"...Essentially, the slide suggests that the NSA also collects some information under FAA702 from cable intercepts, but that process is distinct from Prism.

This specific paragraph seems like a non-sequitur...did the counter-argument that Google made rely on claim that the news reports conflated fiber optic tapping and PRISM? I thought the argument was:

1. The Guardian has slides claiming that the NSA has direct access to our servers

2. Those slides, according to Google, are wrong.


I've been wary of Greenwald for quite some time as he's often let his politics get in the way of his logical reasoning. I think this Tweet is another example.

NSA says that they can use PRISM to get information directly from a company's servers. That's true, but it happens through an intermediary (the company itself). But even with the intermediary the data being sent did come directly from the company.

In other words intelligence agencies like NSA are concerned with the source of intel and in this case there's no middle man. Access to intel is also important to NSA and in this case there is a middle man. "Access to" and "provenance of" intel are separate concepts though and it does Greenwald little credit to allow himself to be confused by it.

Edit: If I was Greenwald I would clarify quickly as well as otherwise he's going to allow the National Intelligence community to turn the debate into technical sticking points that Greenwald is going to lose on, while at the same time turning the debate away from the transparency of these types of intelligence gathering schemes and whether they're necessary at all.


Seems like the 'directly' could easily refer to the company-provided secure lockers that are referenced in the uncrunched article.

If true, that means there's no direct panopticon access, only an expedited, direct, digital means of getting the data, once retrieved, into the government's hands.

Ignoring whether I think a government should be able to ask for this information at all, I think the existence of such direct means is probably on the whole a good thing, because if the British government's repeated losses of laptops and DVDs full of private information are anything to go on, governments really suck at secure data transfer and I'd rather only a government had it than a government -and- whoever managed to steal the thing en route.

I still hope Google will continue to challenge the NSL process etc. in court, but I can't say I mind them arranging things in the meantime so as to minimise the odds of the government screwing up the execution of said process.


"We reported - wrongly - what was actually happening in the real world."

The lede on Greenwald's story:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

Then, just 1 graf later:

The Guardian has verified the authenticity of the document [...]

Later:

The NSA access was enabled by changes to US surveillance law introduced under President Bush and renewed under Obama in December 2012.

The access. Was enabled. No qualifications given.

Next graf:

The program facilitates extensive, in-depth surveillance on live communications and stored information.

The program now exists. The article no longer reports on the contents of a document, but rather on "the program" itself. Is he talking about PRISM, or about the change to FISA law? It's not clear. But it's clear here:

The participation of the internet companies in Prism will add to the debate, ignited by the Verizon revelation, about the scale of surveillance by the intelligence services.

Greenwald has now reified the program and the participation of the listed service providers.

He seems to go back to reporting on the document here:

Some of the world's largest internet brands are claimed to be part of the information-sharing program since its introduction in 2007.

But in fact, the "claim" he's referring to is the calendar date of the start of participation. Next graf:

It was followed by Yahoo in 2008; Google, Facebook and PalTalk in 2009; YouTube in 2010; Skype and AOL in 2011; and finally Apple, which joined the program in 2012. The program is continuing to expand, with other providers due to come online.

It is followed. It is continuing to expand. Not, "the document claims". Words mean things, as Greenwald knows very well.

The extent and nature of the data collected from each company varies.

Again: by this point in the article, the collection is happening, the way his interpretation of the leaked slide deck says it is.

A chart prepared by the NSA, contained within the top-secret document obtained by the Guardian, underscores the breadth of the data it is able to obtain: email, video and voice chat, videos, photos, voice-over-IP (Skype, for example) chats, file transfers, social networking details, and more.

It is able to obtain. Not "claims" to be able to obtain.

Greenwald can't now hide from what he actually wrote, and his attempt to do so is telling.


Forgive me, but I'm thoroughly confused. What objection is brought up here to Greenwald's work? That he's using the noun "program" instead of the noun "document" when discussing the program that the document entails? That Greenwald's tone is not sufficiently interrogative and peppered with "claims" and "alleges" and "supposes"?

There's no substantive difference between "It was followed by Yahoo in 2008" and "The document claims it was followed by Yahoo in 2008." The furor of the past 72 hours has given no reason to question the document's authenticity nor the existence of the program the document entails. The president himself has alluded to the existence of the PRISM program and attempted to assure us all that it was only to keep an eye on foreigners and not citizens.


There is a world of difference between a statement that something is happening and a statement that someone claims it is happening. The latter is specifically about a person talking, which is only evidence insofar as the person and all intermediate transmission channels are trustworthy. Those conditions might in fact be true here, but it is an important distinction.


tptacek is a supporter of Obama's program of extra judicial drone executions, so it goes without saying that he dislikes Glenn Greenwald. Additionally, he feels he can make attacks on the tone and minor details of Greenwald's reporting so he comments on that, but does not comment on this story for example: https://news.ycombinator.com/item?id=5844972 where it's more difficult to discredit the messenger.


How about this newer article [1], also by Ambinder, which the top post in your link links to? It seems to be speculation but it's the best reconciliation that I've seen of the leaked document and the denials of the tech companies. I also find it to be plausible, overall, if a little too trusting of the NSA's auditors and methods.

http://theweek.com/article/index/245360/solving-the-mystery-...


If I read an inflammatory and disturbingly arrogant comment, in which personal opinions are presented as facts, and contrarianism is practiced as an artform, there's a near 100% chance tptacek wrote it.


That actually sounds about right. Which is why I'm not a journalist.


Bernie Madoff didn't have direct access to his victims' accounts. They willingly gave him the money.


Wow! Just waiting for "directly doesn't mean direct access" excuse. He has posted the slide, and considering what happened with Verizon I am likely to believe that Google, Facebook and "we care about your privacy" Microsoft have given them just as much as Verizon. Or a lot, one way or another.

On another topic, oh to be a fly on the wall when Mr US Citizen Greenwald passes through JFK customs.


The referenced story: http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of...;

declan submitted his story https://news.ycombinator.com/item?id=5844091 but it languished.

It's a shame, because it's the first responsible piece of reporting I've seen on this mess. The media has been trolled by a Powerpoint brief from self-important USG bureaucrats.


Yes, but it's still using the term "direct access", which we've seen is the antithesis of forthrightness.

Surveillance is tricky business and technology makes the boundaries of what's acceptable to reveal even trickier. It's true that the muddling of the Verizon/AT&T stories is being interwoven with this, which may not have helped. And the scope of the information requested falls well within acceptable procedure for "traditional" investigations I.E. who contacted whom at what hour on which day. But this isn't a traditional investigation anymore.

In essence, they tried to automate police footwork, which still doesn't fly with a lot of us.

https://www.eff.org/deeplinks/2013/06/why-metadata-matters


> the term "direct access", which we've seen is the antithesis of forthrightness.

This seems unfair. There was a specific accusation or suggestion of direct access, so it's not (or at least not necessarily) misdirection for Google and friends to specifically deny it. It certainly doesn't answer all questions about PRISM, but between the denial of direct access, and the denial of any Verizon-scale order which would amount to direct access in all but name, you get a pretty forthright statement limiting the possible extent of the NSA data-gathering.


Google Chief Legal Officer:

"the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box" https://plus.google.com/+google/posts/TMh6gUVrwMq


Yes, I read your previous excerpt and I've read this very post here before. Repeating it over and over (this is your 3rd post so far posting this link) doesn't make me believe it any more strongly.


The point of posting it multiple times is to make an attempt at unwinding some of the damage done by countless misreports.


Assuming you are qualified at making such a judgement, or even more qualified than any who have differing interpretations.


Yet you keep hanging on that they only mention "direct access" and how the denials are similar, it's not about what you believe to be true or not, it's about the things you say that aren't true - here is an example of a denial that does not only include "direct access" but all sorts of access as well.


I don't want to start a flame war with you, but in lieu of repeating what others have already said to you regarding the "direct access" quote (I'm not "hanging on" btw, I have read the other reports as well), I'll just leave this here.

https://news.ycombinator.com/item?id=5836420


The whole problem with PRISM is that the government potentially can tunnel into company servers and take what they like, and that is being disputed by the accused companies.

I'm not sure what is rumored or not, or what is true or not. My point is that they deny involvement in PRISM, and by PRISM I mean the program that alleges access to company servers.


Nobody said they have access to Google servers. We are worried about what data Google is sending them (by whatever means).


> Nobody said they have access to Google servers

What are you talking about? Almost every story reporting on this originally said that. The Washington Post backed down, but the originating reporter is still quoting some NSA source(s) as saying it:

'Just one more time: NSA on PRISM: "Collection directly from the servers of these US service providers: Microsoft, Yahoo, Google, Facebook.."'[1]

[1] https://twitter.com/ggreenwald/status/343423727066824705


That is not PRISM though, PRISM is about the existence of backdoors that allow direct access to company servers.


What sense of "directly" are they using?


That's what the leak said [1]. Are they not supposed to report it? I'd rather they did, made a big wave about it, and then we can find out if it's really true, or the slide is fabricated or whatever (seems unlikely).

[1] http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/20...


I could not agree with your "responsible reporting" remark any more. Quite frankly, I'm disappointed with the majority of those other articles making it to the front page of HN.


"Collection directly from the servers" doesn't actually have to mean real time interception of data. It could mean "we send a National Security Letter, and when they comply, they send us the user's data in a TARBALL." That's application level data "directly from the servers" instead of upstream fiber packet traffic.

Greenwald pisses me off and I don't trust him. We know there are 41 slides. They are putting out 1 new slide per day it seems. Just release all of it and get it over with. This seems designed to maximize the Guardian's traffic by doling out the information piecemeal.

Today they released a slide (http://www.guardian.co.uk/world/2013/jun/08/nsa-surveillance...) that shows NSA upstream fiber-interception (outside company datacenters) + PRISM, but again, it is vague as to what PRISM is.

If the slide definitely said "Data from internal datacenter taps or backdoors" it would be clear and inarguable. All that would need to be discussed is whether they did this with HUMINT moles, or whether the companies knowingly cooperated.

As it stands now, PRISM could be anything from "Google Takeout NSA Edition" that lets the NSA get a ZIP file of account data after it's been requested via a warrant/NSA, or it could be a hack into Google's servers that somehow allows them to slurp up and intercept data and it flows around the data center.

We don't know, but if Greenwald has other slides that clarify this, just release them, the speculation right now is irresponsible and based on lack of knowledge.


Nope, according to a new tweet today by Glenn Greenwald (who broke the story): Allow me to quote from the NSA document we just published defining PRISM: "COLLECTION DIRECTLY FROM THE SERVERS"

https://twitter.com/ggreenwald/status/343421926057861121


The interesting thing here is that Greenwald is sending a signal that he has more information than he has released.

Which puts everyone on all sides on notice that they should step carefully with their statements.


If I take out a warrant against someone, and they then deliver the data on that person from the servers at Google rather than the user's device, what would you call it?

I would call it 'directly from the servers'. It's likely used to distinguish client vs server side. Not the actual technical mechanism.


"broke the story" is a very generous description of the original, sensationalistic, poorly supported, hype bait (the powerpoint article).


There are two axes that seem to matter, by my way of thinking, whether this business is conducted via carrier pigeons or fiber optic cables.

1. What is the process.

What requests come from the government. What government entities make those requests. What entities within the internet companies process those requests. What parts of the request handling are done by humans with decision-making authority vs what parts are handled by machines or by humans following a rigid script. In either case, what policy drives those decisions. What proportion of the requested information is given or denied.

2. What is the speed and scale of the process

How quickly are these requests fulfilled. How much data comes back from a request. What proportion of this data is relevant to the target and the investigation vs “incidental”. How many requests are there per month or per year. How much data is gathered per month or per year.

Side-issues not covered above:

Is the access “direct”. Is there a “back door”. Is access given to “servers”. Is access given to a “network”. Is there a “beam splitter”. Is the government provided with a private or secret “key”.

There are many ways to construct such a system, and there are many ways to describe it (nevermind flat-out lie about it) by carefully parsing these side-issues. What matters is not the implementation details but the effect.


Any of you who have been reading Declan McCullagh's reporting regarding online privacy and civil liberties know he's the last person you'd expect to find writing a takedown of the WaPo NSA story. He's also a frequent commenter on HN.


I don't understand - was it not obvious from the get go?

The PPS lists various types of data the NSA gets from various companies. For some reason most commenters here chose to interpret this to mean the NSA has a direct pipe feeding it all of these companies' data. The fact the PPS mentions it's a $20m program should inform that this is obviously not the case. Is it just a matter of wanting to believe the more outrageous version?


The real question clamoring for a clear statement is far more complex:

Does any government, US or otherwise, their agents, representatives, contractors or NGO's have access, directly or indirectly, through any means, to <insert company name here> DATA, FILES, COMMUNICATIONS, LOGS or any other information having any relationship whatsoever to <insert company name here> users?

This could be, and probably should be, refined, IANAL.

The point is simple: We don't care about "direct access to servers". We care about access to data. And this can be provided through many channels, direct and indirect. It can even be provided via daily tape backup dumps. Of course, it can be provided to organizations peripherally working for or with a government yet not directly to a government agency. And, finally, it could be provided to another government that, in turn, can pipe it back to US government agencies or collaborators.

Anyone can say "The US government does not have direct access to our servers" while still feeding them a firehose of information through alternative means.


The answer is "Yes" and has been since the Cold War.

I think the shocking part was that the NSA might have been able to essentially run grep themselves on a company's servers (though apparently it's not that simple), but that's not the question you're asking.


"have access, directly or indirectly, through any means" is not a useful basis for the question, because a regular search warrant certainly qualifies as that.


Criticism accepted.

Now, could you suggest better language?


Hey Eric! How's the Bilderberg conference going? Is the food good? Have you guys picked the next president yet?



I don't know who to believe anymore...


Believe in yourself and take reasonable steps (use your judgment to discern what's reasonable, including my post) and take adequate steps to ensure your privacy by investigating as much as you can.

Provided you're of sound mind, you're the only person who can't let you down.


This is why they throw out all of this. They know a certain amount of people will just have to disassociate with the situation. I just assume it is happening. I think there are other ways we can help foster a safe environment though, without all of these controls and spying.


Occam's Razor is still good. Likewise for Hanlon's Razor (remember that Greenwald and WaPo both are drawing fairly specific conclusions from a couple of slides that are using jargon and not plain English).



So, what's new news in the CNET story?

The order has to be for account information or an intercept directed at a specific foreign person, and "you can't say everyone in Pakistan who searched for 'X'... It still has to be particularized."

This seems to contradict the NYT's claim http://www.nytimes.com/2013/06/08/technology/tech-companies-... that

FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms, lawyers who work with the orders said.

. Maybe it's specifically there to contradict the NYT claim.


How can you misread "COLLECTION DIRECTLY FROM THE SERVERS" (sic)?

https://twitter.com/ggreenwald/status/343421926057861121

And what about the FISA requests Google cannot legally talk about?

http://uncrunched.com/2013/06/07/cowards/


I don't buy it. There is every single possibility that CNET was forced to write this article by someone from the top.

I'm not angry about my details leaking to governments, what I'm angry about is how manipulative the media is and how stupid they assume we are.

I rather trust Mark Zuckerberg than CNET. Their tech reviews are mostly biased sponsored ads, why would I trust them with something serious like this?


I don't buy it either. There is every single possibility that the person who leaked the document has a financial stake in CNET and the Guardian and made the whole thing up for pageviews. </s>

I'm not sure what you mean by "every single possibility." Do you just mean "it's possible"?


    "It's not as described in the histrionics in the Washington Post or the
    Guardian," the person said. "None of it's true. It's a very formalized
    legal process that companies are obliged to do."

Please, please can we know about this "formalized legal process"?


This is evil because if Schmidt knew anything he would be sworn to secrecy under penalty of prison and fine.


The NSA does not need direct access to the servers to monitor activity.

Strategically placed traffic monitoring at major ISPs is enough to build a pretty complete picture. I can imagine SSL traffic doesn't even pose much of a hurdle to a well funded project. You don't need the data in real time.


The problem is "access to private data" as and when required. The problem is NOT "back door access" or any other such term whatever the hell it means. I see carefully worded statements by Internet firms without any evidence.


An echo chamber of debate as the ship continues to sail into the flames… godspeed everyone.


Apparently neither Eric Schmidt nor the Chief Legal counsel for Google have sufficient security clearance to know whether or not they're involved in Prism.


Interesting watching these guys react. Kinda tells us how serious this really is.


Drummond adds:

We cannot say this more clearly—the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box. Nor have we received blanket orders of the kind being discussed in the media. It is quite wrong to insinuate otherwise. We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. And we have taken the lead in being as transparent as possible about government requests for user information.

https://plus.google.com/+google/posts/TMh6gUVrwMq


THEY SAY THESE THINGS BECAUSE THEIR CO-WORKERS HIDE THE TRUTH FROM THEM, BY LAW


Well done guys! Quite an achievement turning a site for so-called smart people into one dumber than the Drudge Report in only two days.


This place turned into r/conspiracy.



