Hacker News
How Microsoft handed the NSA access to encrypted messages (guardian.co.uk)
470 points by shakes on July 11, 2013 | 156 comments



Microsoft's June 7th statement:

"We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it."

One down, several to go. If I were Google/Facebook/Yahoo executives I would be very worried right now as to what soon-to-be-released revelations say about their NSA cooperation. Sure, they may have only done that which was compelled by FISC order, but that won't preclude them from being perceived as culpable.


The interesting conflict to me is that Google et al don't appear to be fighting this battle. When it comes to other things, they are in the streets, funding lobbyists, building protest websites, and so on. But this, which threatens their entire business model (essentially trust-based), they haven't made a peep about.

It may just be a gag order thing, sure. But with the level of access required for stuff like this, I don't think they could shut the whole team up. How many people worked on this Microsoft back door? It can't have been less than a couple dozen at least. And none of them raised the issue or let someone know, a journalist for instance, or publicly raised the question?

It makes me wonder about the true extent of the programs we're freaking out about. I mean, of course they exist and they're big and threatening, but I don't buy that they could combine complete access with complete secrecy. They need the cooperation of the companies, and the companies, by NSA standards, just aren't trustworthy enough. In fact, they're full of wild cards like Snowden, denizens of newsgroups, IRC, 4chan, etc, who would LOVE to be the one to blow up an NSA attempt to write a back door into Skype.

Maybe they did, and it all faded away. But it just seems strange to me that so little has been said about the elephant that must surely have been in everyone's room for the last few years.


The peculiar part for me with Google is that they seem to be somehow immune from all the revelations. People keep standing by it and get annoyed when reminded of their wrong-doings. I suspect at this point, they're not much different than Microsoft. But the "don't be evil" brand is still strong in the mind of many.


Speaking for myself, but I'm sure others share the sentiments, it's not that I think Google is somehow "good". They're obviously not, the difference is that they're still a cool tech company doing cool things on a massive scale (or potentially very disruptive).

self-driving cars, balloon network testing in NZ, google fiber, and more mundane things like Golang and angular.

I don't give them a pass, it's just that in the bad column they're the same as all the other actors in this drama, on the good column they're a damn cool tech company that can realistically change the world in fundamental and positive ways.

EDIT: also for the most part their interests are selfishly aligned with ours. They want a fast easy open internet. That contrasts pretty sharply with FB/MS/APPLE - who are more about hardware/walled gardens. Though all these lines seem to be getting blurred.


Google isn't above doing things that harm people to make them more money. Like the steadily decreasing background contrast and lack of borders separating ads from search results. Older people are far less cognizant of borders and thus would click on ads thinking they're search results.

http://blumenthals.com/blog/2012/01/31/is-google-intentional...

They recently got rapped by the FTC for it.

http://wallstcheatsheet.com/stocks/ftc-googles-ad-practice-i...

The difference is that the negative Microsoft news tends to float on top of sites like HN more than positive news, and the reverse is true for Google so this alters perceptions of people.


Actually, the "they" that got "rapped" by the FTC were "AOL, Ask, Bing, Blekko, Duck Duck Go, Google and Yahoo as general purpose search engines and 17 'of the most heavily trafficked' shopping, travel and local search engines"[1].

These were reissued rules that clarified and enhanced the rules issued by the FTC in 2002 to make advertising clear. It likely came out of Danny Sullivan's letter to the FTC[2] showing how the competitors accusing Google Shopping of not disclosing paid inclusion well enough had no intention of themselves following the FTC's rules.

> The difference is that the negative Microsoft news tends to float on top of sites like HN more than positive news, and the reverse is true for Google so this alters perceptions of people.

You clearly visit a different HN than I do. While there is plenty of positive Google news here, the negative news in the top 10 is almost daily (Reader, account closing, PRISM, etc). Considering your account is 6 hours old (with 196 karma!), maybe stick around for a while before making pseudo-hypotheses about story dynamics?

[1] http://searchengineland.com/ftc-search-engine-disclosure-164...

[2] http://searchengineland.com/a-letter-to-the-ftc-regarding-se...


"maybe stick around for a while before making pseudo-hypotheses about story dynamics?"

Ok I've been around for awhile and can vouch that what he's claiming happens regularly. Some links from the last time I bothered to comment on it can be found in the following:

https://news.ycombinator.com/item?id=5731329


And, as last time this topic was brought up, I feel obliged to point out that HN rank is more than a function of votes, flags, comment total, and time. The quality of the comments, likely determined by the speed and voting patterns, is also used. This, or a similar system, is also reputed to be used to hide the "reply" link during suspected flamewars.

So sure, you could blame some perceived Google bias on Google shills flagging Microsoft articles. You could also blame some perceived Anti-Microsoft bias on Microsoft shills being abrasive and causing comment sections to become toxic (for example, by filling the comment sections with comments complaining about HN rank compared to Google articles).

I see little to no evidence for either, I am not in a position to inspect the complete data to determine what is causing any perceived phenomenon (nor are you, I suspect).


It's pretty clear when an article has been flagged off the frontpage intentionally on hnrankings.info and in my experience every link of the type also "just happened" to be anti-google, pro-ms or pro-apple.


I have seen your links to hnrankings.info and cannot say that they make it clear flagging is the cause (much less organized flagging). Your (and others') assertions are too strong for the data that you have.

With hnrankings.info I believe you could establish a trend (so far I have only seen specific handpicked examples, not a trend. A trend is probably there, but nobody that I have seen has bothered to do the legwork to uncover it.), but there is not enough there to say that (as many have claimed) there are non-organic rings of flaggers targeting pro-Microsoft articles.


I haven't bothered to link many hnrankings I've done personally because (tangent) both HN search & hnrankings.info are blocked by the handsome and intelligent admins at my office (/tangent).

But here's a simple experiment that can be done in a few minutes: search for daringfireball.net links on HN, click on the ones with a decent number of points, put those into hnrankings.info and you'll see a clear pattern of flagging for pretty much every single one.

Now maybe Gruber articles are just terrible (ymmv) but I can say that every other article I've seen flagged down (fairly easy to tell from rank/points/time) falls into the same categories. And I don't see how it's a big conspiracy theory to apply Occam's razor to the observation that "hey all these anti-google or pro-apple or pro-ms links have a graph that makes it look like they were flagged off the first page". The same mentality that would abuse this is not hard to find in the comment sections of many tech sites so I'm not sure why anyone would be surprised or think HN is immune.

And again if HN mods want to produce a list of flagged articles I'm confident it would back the assertions that I and others have made.


I might be just a single data point, but PRISM is the primary cause of my slow but persistent move away from Google services.

Oh, btw, I know many people over here in Europe who never use any Google service other than search out of general mistrust towards the company. Might not help them much, as the search history combined with the IP-address logs of all the G+ buttons is already a pretty encompassing profile, but nonetheless they exist and constitute a non-negligible fraction of the populace over here.


Not just G+ buttons either. How many websites these days _aren't_ running Google Analytics?


For me, all of them. Thanks to Ghostery.


Ghostery is just another form of an analytics platform. I hope you realize that.


They still release a lot of Open Source software, support open source projects (Google summer of code) and publish somewhat sensible standards like SPDY. The last time Microsoft published a standard it used lobby power to push it through ISO fast track. It's horribly bloated and it was quite obvious that they only wanted to avoid seeming unsustainable as data format provider. If Google turns evil, we have a big mess, but in the end we have also won much. Microsoft does not have much to show except for market oppression and closed down products. They are still very, very far away from each other.


What surprises me is that for example Apple and Google don't simply ignore the gag orders, and just release what and how much they have handed over.

Google/Apple are not going to get shut down over this. They can afford lawsuits and penalties. So why not take a stand? Are they really that timid? Or is what they would reveal actually so grim they just sit by and hope they're somehow going to escape this?

This is the time to put cost/benefit analysis aside and take a stand. Show the world what kind of company you are. So far, it's all wimps and pushovers.


It's easy to suggest that someone else should go to prison.


While I would not bet money on it, it might be possible that the NSA has dirt on these companies, or on their high-ranking employees, keeping them from taking a stand.


http://www.newyorker.com/online/blogs/johncassidy/2013/06/go...

"Google Lawsuit Challenges N.S.A. Domestic-Spying Apparatus"

the first hit on google for "google nsa lawsuit"


This lawsuit was filed after NSA was found with its hand in the cookie jar. I think devindotcom means, why were these tech companies not fighting this years ago. I guess you cannot fault Eric Schmidt, because he has been dropping lines like these [1] for years.

  We know where you are. We know where you’ve been.
  We can more or less know what you’re thinking about

  Just remember when you post something, the computers
  remember forever
[1] http://www.stateofsearch.com/top-15-of-eric-schmidts-remarka...


> the first hit on google for "google nsa lawsuit"

[emphasis mine]

...and for you!

[filter bubble anyone?!]


Are you implying that he's living in a google bubble? I just searched with multiple search engines, with different browsers, and even with different IPs and they all returned a link to the same effect. Different sources (prweb on most), but still the same story.



Wow, almost all of the results of 'google nsa lawsuit' on bing are negative against google.

http://www.bing.com/search?q=google+nsa+lawsuit

1) Maryland Attorney Mike Slocumb Comments on Google Privacy Class Action Lawsuit and NSA Surveillance Case (negative)

2) Google surveillance far surpasses the NSA, author says - CBS News (negative)

3) EPIC files FOIA request over reported Google, NSA partnership ... (negative)

4) ACLU sues Obama administration over NSA surveillance (neutral - not even really about Google, just prism)

5) Lawsuit Could Find Out If Google Working For NSA? For a long… (negative)

6) Conservative activist files lawsuit over NSA surveillance | PCWorld (neutral)

7) Maryland Attorney Mike Slocumb Comments on Google Privacy… (negative)

8) Lawsuit filed over NSA phone spying program - Computerworld (neutral - not even really about Google, just prism)


And almost none of the results of 'google nsa lawsuit' on google are negative about google: http://www.google.com/search?q=google+nsa+lawsuit

Everything is a filter bubble.


Move along and keep on shopping. Nothing to see here.


This information was brought to you by the Ministry of Truth division, MegaCorp-M. Have a fun, happy day, Consumer. And remember: relax, and don't think too much!


Oh, come on.

Developers only need to build some APIs - those APIs can be multi-purpose. They don't need to know that one such purpose is NSA spying - you can come up with dozens of other reasons for wanting a "back door".

The actual interface that's used for responding to legally binding orders or subpoenas and that uses the APIs in question can be built by people on NSA's payroll.

Besides executives, the only people slightly aware of what's going on will be some people from the legal department. And they'll get presented with an interface in which they have to double-check (in bulk) the validity of received orders.


As far as I understand from the other press coverage the current procedure is that people in MS legal department don't even have to "check" that specific orders exist, it's something that the API user is supposed to do on their side. The procedure specifically allows API requests and monitoring immediately and providing the orders in some-week time or if the order doesn't come "destroying" the obtained data that aren't metadata. Metadata can always remain because they are considered "public" in the current up-to-recently secret law interpretations. And for non-US-citizen-or-not-on-US-soil data the orders are never needed.


Give me 12 (a dozen) reasons to break the encryption and security of your users that could be acceptable to a non brain dead engineer and exclude surveillance and government snooping?


You're missing the fact that if a middleman does the encryption or has access to the decryption key, then encryption is already broken.

A service provider is the middleman in this case and encryption only serves the purpose of you making sure that communications are with this service provider and not with another middleman.

"Breaking the encryption" is not accurate. They don't need to break anything as your data is in plain text on their servers.


> "Breaking the encryption" is not accurate. They don't need to break anything as your data is in plain text on their servers.

While this is true, I don't think it was his point. His point, I believe, was that the software should protect the data, and the engineer should not install or create APIs that allow someone to circumvent the security and privacy of the user — for any reason. He was replying to someone saying that higher ups could lie about the reason or need for such an API; his reply was saying that even the lie should be so obviously privacy-breaking as to be unacceptable. (Hence, he asked for examples.)

That said: legitimate law enforcement requests, i.e., warrants, would be an acceptable reason to me to implement such an API. That said, it should be auditable, so that you can verify it isn't being abused.


It's possible companies run an NSA module on their servers and let backdoor hacks happen based on an understanding the NSA will get pissed if they investigate.

This provides full PRISM access and allows for deniability of direct access.

Oh what's that? There is an NSA module most big companies run on their servers? Right, it's called SE Linux. The question that remains is how do you build a backdoor that cannot easily be spotted in the source code. Maybe a weakness in a random number generator used for encryption. Oh what's that? The NSA does that too?

On Backdoor in encryption standard: http://www.wired.com/politics/security/commentary/securityma...

On SE Linux: http://www.businessweek.com/articles/2013-07-03/security-enh...


It can't have been less than a couple dozen at least. And none of them raised the issue or let someone know, a journalist for instance, or publicly raised the question?

This speaks about the lowest level of ethics. Many things are more important than the shareholders. Once I was working for the tax agency of my country and they wanted to hide tax information for specific politicians (that obviously were involved in corruption cases). I loudly spoke against the project and was ready to speak about it to the press. The project was cancelled at the end.


It's interesting to contrast our current attitude with Microsoft/Skype with similar news 1 year ago: https://news.ycombinator.com/item?id=4254925

Oh how times change.


I remember this, has it really been a year? Man, time flies. It is indeed interesting how far the attitudes have shifted.


Honest question: how does that article contradict that statement? Everyone is bouncing off the walls about this but I honestly can't see where the story is. Microsoft + others enable NSA to access customer data when presented with court order. You can agree or not agree but is it really a shock?


I'm probably overly sensitive to this, being a "non-US person", but I'm constantly reading "with a court order" as "either with a court order, or with a 51% suspicion that one of the two parties to the communication is not a US citizen - in which case we can do what we like"


Providing integration to make access easier is part of a voluntary NSA program (Twitter has said they refused to participate).


Well that quote may be a technically accurate statement. They don't "provide" data directly to the NSA without a secret FISA order. But, the new leak article seems to suggest that they weaken their cryptography, perhaps turn over private keys, re-architect their topology, and adjust their technology to allow the NSA to trivially easily intercept/get the data of every single Microsoft technology user.

A little bird told me that Microsoft was the most "helpful" out of all the big tech companies. If this new article is accurate, I hope that statement also was. I'm rather pro-US/NSA. But, even I find this new leak very disturbing if it's accurate and true.

Being realistic, I bet all the other big American tech companies are doing similar things. For example, my thinking is still that FB gives law enforcement a "god view" of all information and communications (even if it is in a round about way, like Microsoft allegedly does).


This latest release does not contradict that. They provide user data for accounts under surveillance in real time. To place an account under surveillance, the government needs a valid court order for that account.

This document just says that surveillance was broken for chats when they did the outlook.com upgrade, but that has since been fixed.


Word games; notice the use of the term "voluntary".

This also provides some answers to http://www.skypeopenletter.com/.


What's sad is that I'm neither surprised nor shocked about Microsoft doing this. If we hear the same about Facebook or Apple I'm not likely to be surprised either. If/when we hear the level of Google's involvement, that will be very interesting, because although a lot of people suspect that Google invades people's privacy, we've never really had any concrete proof or examples of it.


Scroogled!


I don't get Microsoft. Are they really that hypocritical to the core and so shameless? Why in the world would they launch a "privacy" campaign against Google when they're in a glass house themselves, and so vulnerable? Why the hell would they even put themselves on the spotlight like that?

Or are they really that comfortable with lying, that they have no problem attacking others over something, even though they are just as bad, or worse (as this revelation seems to imply)? Giving pre-encryption access to NSA? Really Microsoft?

To make things worse, they've just put the guy who came up with that Scroogle crap in charge of their whole marketing department, so expect a lot more hypocritical/nasty stuff like that from Microsoft in the future:

http://www.businessinsider.com/mark-penn-microsofts-master-o...


The people making these campaigns may actually be ignorant. When I was at Microsoft (long, long ago), there were portions of some source trees that were covered by security or NDAs and nobody except for the very few people signed on (and builders) could look at or know about them. For example, when Intel had a new chip, the specific developers and testers working on them would be under NDA and the tree secured so that only they could see the work on the code generators until they were released. And that's just for NDAs - I can't imagine what happens for the code or infrastructure support required for the NSA. The only reason I knew about the chip stuff is I owned the source trees in DevDiv for a while.

So, it's entirely possible that the _entire_ Skype team except for a dev, tester, "security coordinator," and one partner-level person were in the dark about this support and actually believed their marketing.

It's still a terrible situation, but it's not necessarily hypocrisy/lying/nasty on the part of the people making up the campaigns.


Is there any information that the marketing department at MS was even aware of the PRISM program? It's likely that that program was need-to-know, and anyone who did know couldn't stop MS marketing from doing a campaign based on privacy because that would be revealing a Top Secret program.


Microsoft often "competes" by trying to strangle competitors' revenue streams even when outside their core business, where they are happy to lose billions on Bing and their online division if it also reduces Google's primary revenue stream: http://www.zdnet.com/blog/btl/microsofts-online-sinkhole-8-5...

Since Google's products are essentially "free" to end users, they don't criticize them on value, so they build an anti-Google campaign against how Google makes money, i.e. their strategy of targeted advertising.


> Microsoft often "competes" by trying to strangle competitors' revenue streams even when it's outside their core business, where they will happily lose billions on Bing and their online division if it can reduce Google's revenues:

This is true as you point out. However it's worth pointing out that Google is the exact same.

They release free products that Microsoft charges for, losing money to reduce Microsoft's primary revenue stream.


Except Google's "free services" helps their strategy of keeping users on Google's services, enriches their Google profile and helps create targeted ads.


Couldn't that also be said when Microsoft started bundling Internet Explorer with Windows? Does it make it right? NO!

The truth is the tech industry politics is becoming as nasty as real politics. Smear campaigns by Microsoft against Google. Google trying to sabotage Windows mobile platform by actively excluding their core products. Apple and Samsung at copycat wars. Once the open world of computing is now turning into a war of ecosystems and we the consumers are the only ones standing to lose.


> Except Google's "free services" helps their strategy of keeping users on Google's services, enriches their Google profile and helps create targeted ads.

I get your point but the same sentence can easily apply to Microsoft. Microsoft wants to do the same thing:)


They wouldn't be spearheading an anti-Google campaign against their strategy if they also wanted to do the same thing.


I would imagine that very few people in high levels of the company knew about this.

I can't exactly blame them for the marketing campaign... just imagine you work for Microsoft's marketing division... Apple/Google are completely destroying you and your company has missed the boat on almost every major technological revolution of the last decade (internet, mobile, etc).

How would you exactly convince people to switch to your company's products? At the time, there was a lot of fear around Google's data collection and what they might do with it, so it's unsurprising this is the route they took (although anyone sensible would assume that Microsoft of all companies would be just as bad if not worse).


I don't get posts like this.

How is giving access to the government according to the law of the land the same privacy-wise as data mining personal emails to show ads?

The point of the privacy campaign was that Google mines the contents of personal email messages to show ads and to build your Google ad profile while Outlook.com doesn't. What's hypocritical about it?

I don't like their campaigns either but let's call a spade a spade and not resort to hyperbole and needless name-calling.


What do you mean by "the" government? If "the" government requires Microsoft to give access in this form, there's something wrong with "the" government that needs urgent change.


Marketing: "Your privacy is our priority."

Meaning:

"Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chats"

"For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption."

"analysts will no longer have to make a special request to SSO", "this new capability will result in a much more complete and timely collection response". "This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established."

"One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture',"


Well, did you expect "privacy" to imply that your data would not be released to the government following legal requests for it? I always assumed it meant that they wouldn't share it with other businesses, but maybe that's just me.

Analogously, if one of the major phone providers started selling information to marketers, including what times of day I made phone calls, would it be inappropriate for a competitor to create a marketing campaign around "privacy" highlighting that they don't do similar things? Would you complain that since the government can still get a wiretap and listen to private conversations, there really isn't a meaningful privacy difference?


That implication is exactly what Colin provides with my tarsnap backups. He (or Amazon) can respond to legal requests with my strongly encrypted data, and neither Colin/tarsnap nor Amazon can provide them with my private keys.

You can design your systems this way. It appears you're allowed under US law. It seems there's companies jumping through hoops on behalf of the NSA and/or FBI to build systems that _don't_ provide that guarantee.

Note that Colin _could_ conspire with / be compelled by the NSA to attempt to convince me to "upgrade" my local tarsnap code with a backdoored version - and I'm OK with that, if the NSA is looking for me specifically, I fully expect them to find out _everything_ - that's their job and I expect them to be world-class at it. What I _don't_ accept, is that they have any "right" to record and archive permanently anything I ever do online "just in case". And I can and am taking steps to make that harder for them, and I'm noticing which companies are apparently working against my wishes. I'm curious to know if Dropbox are noticing a drop in de-dup rates lately? My Dropbox storage is now all encfs encrypted - including the folders full of grabbed funny-cat-pics and Internet meme images. My versions are no longer the same as the other several million of them stored on Dropbox. Same for my SkyDrive/GDrive/Jotta accounts.
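The design point in the comment above, and in the earlier comment about the service provider being the middleman, as an added Python sketch that is not part of the thread and is not code from tarsnap, encfs or Dropbox: it compares what a provider can hand over, and how well it can deduplicate, when it stores plaintext versus blobs encrypted on the client. The `Provider` class, the user names and the HMAC-based cipher (a standard-library stand-in for a real AEAD such as AES-GCM) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the same "funny cat picture" saved by two users.
CAT_PICTURE = b"\x89PNG constructed-sample funny-cat-pic bytes " * 8


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode. Stand-in for a real cipher, illustration only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Runs on the user's machine; the key never leaves it."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def client_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Provider:
    """Hypothetical storage service that deduplicates by hash of the bytes it receives."""

    def __init__(self):
        self.blobs = {}   # sha256 hex digest -> stored bytes
        self.index = {}   # (user, filename) -> digest

    def put(self, user: str, name: str, data: bytes) -> None:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)   # identical uploads share one blob
        self.index[(user, name)] = digest

    def unique_blobs(self) -> int:
        return len(self.blobs)

    def respond_to_order(self, user: str) -> dict:
        # Everything the provider is technically able to hand over for one account.
        return {n: self.blobs[d] for (u, n), d in self.index.items() if u == user}


def compare_models() -> dict:
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    plain, sealed = Provider(), Provider()
    for user, key in keys.items():
        plain.put(user, "cat.png", CAT_PICTURE)                        # provider sees content
        sealed.put(user, "cat.png", client_encrypt(key, CAT_PICTURE))  # provider sees ciphertext

    handed_plain = plain.respond_to_order("alice")["cat.png"]
    handed_sealed = sealed.respond_to_order("alice")["cat.png"]
    return {
        "plain_unique_blobs": plain.unique_blobs(),
        "sealed_unique_blobs": sealed.unique_blobs(),
        "plain_disclosure_readable": handed_plain == CAT_PICTURE,
        "sealed_disclosure_readable": b"funny-cat-pic" in handed_sealed,
        "owner_can_decrypt": client_decrypt(keys["alice"], handed_sealed) == CAT_PICTURE,
    }


if __name__ == "__main__":
    for field, value in compare_models().items():
        print(f"{field}: {value}")
```

The same property that keeps the provider from reading or disclosing content also removes cross-user deduplication, which is the drop in de-dup rates the comment asks about.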


Note that Colin _could_ conspire with / be compelled by the NSA to attempt to convince me to "upgrade" my local tarsnap code with a backdoored version

Far more likely is that they'd oblige him to upgrade everyone's tarsnap with a backdoored version, just in case.


Can they do that? I assume there is a difference in law between the somewhat passive act of giving access to information already stored and forcing somebody to actively perform some action.

For example if you have private CCTV on your premises, a court can demand access to whatever footage they have captured but I don't think that they can force you to install hidden cameras on your property.

Isn't stuff like that usually done as part of a bargain, like having somebody wear a wire in exchange for not going to jail.


They persuaded a lot of big companies to collaborate actively (i.e. Microsoft, Blackberry etc subverting crypto). Personally I don't see it as legal or ethical, and would resist it, but a large government can bring a lot of pressure to bear. So if tarsnap got big enough to be a problem, then perhaps we'd find out.


I didn't think it meant they would give the NSA an un-encrypted firehose of private user data violating unlawful search and seizure implications that are a constitutionally protected right of American citizens, but maybe that's just me.


I can see how "but maybe that's just me" (and the entirety of the first paragraph) could be read as snarky, but that's not how I meant it. It was a non-rhetorical question: what should a company like Microsoft do when faced with a court order? Does compliance with such orders make "privacy" campaigns nonsensical, if they still have meaningful privacy protections compared to competitors? Also, IANAL, but as far as I know Microsoft can't violate the 4th amendment, only the government can.


No-one can violate the 4th amendment. The government is only seen to be violating it because they've chosen to interpret it under a different meaning that somehow allows them to collect private user data en-masse.


And everyone in Washington just stands by and does nothing.


I think the best part is that Microsoft has been bragging about how they care about privacy so much more than Google therefore you should use their products/services, and now they just got caught red handed doing the worst possible privacy violations in the book.


On the contrary, it's exactly that sort of characterization that I object to. How could complying with court orders be the "worst possible privacy violation"? I'm sympathetic to the argument that the orders are overbroad, or that Microsoft should have appealed the orders and hasn't opposed the orders as stubbornly as it could have (though of course we know very little about what has actually occurred along these lines). But why would responding to a court order be a worse privacy violation than selling information about my online behavior to other companies (in addition to also responding to court orders!)?


To play devil's advocate here, what else would people have Microsoft do? Is there a scenario in which they can successfully resist enabling surveillance features in their products while operating in the US?

CALEA applies to telecommunications providers, which is a label that would seem to clearly apply to Skype. http://en.wikipedia.org/wiki/Calea

Are major companies based or operating in the US allowed to provide secure email and/or data storage without options for lawful surveillance from law enforcement?

If people do not like these policies and the cooperation from the companies operating them, I think the proper place to direct your anger is at the laws that require them to cooperate.


To play devil's advocate here, what else would people have Microsoft do? Is there a scenario in which they can successfully resist enabling surveillance features in their products while operating in the US?

Do you think the government would jail someone of Steve Ballmer's stature if he talked openly about what the government has asked of Microsoft. Because of his position he is much more protected from criminal action than almost anyone else. The reason he doesn't reject government requests is more likely that it would be bad for business not that he would suffer legal consequences.

... I think the proper place to direct your anger is at the laws that require them to cooperate.

I see the law as allowing them to cooperate. It gives them cover for not protecting the privacy of individual citizens.


Do you think the government would jail someone of Steve Ballmer's stature if he talked openly about what the government has asked of Microsoft.

Absolutely, but even if they didn't, if you were Steve Ballmer, would you take that risk? They certainly could prosecute you for leaking secret information.

That's even assuming that Ballmer knew about it. It could have been that they approached people who were in some position of power on the particular products they were interested in and served them with the order. Some random middle manager at Microsoft certainly has considerably less political pull than Ballmer and would likely go to jail if he/she came out about this, but could still be in the position to direct their team to build whatever features the government demanded.

I see the law as allowing them to cooperate. It gives them cover for not protecting the privacy of individual citizens.

If it came via a court order, it's definitely a demand. This isn't a marketing gimmick -- if you're served a lawful court order, you either obey it or risk the consequences, up to and including time in jail.


if you were Steve Ballmer, would you take that risk?

They don't seem to mind taking risks when it comes to questionable tax deductions.

They certainly could prosecute you for

But they wouldn't. The type of activity the government is engaged in only works when people are passive.

if you're served a lawful court order, you either obey it or risk the consequences, up to and including time in jail.

When was the last time anyone of stature went to jail for defending the public against the government?


The former chairman of Qwest started a six year sentence in 2009 for defying the NSA.

https://en.wikipedia.org/wiki/Joseph_Nacchio

They don't even have to prosecute you for not obeying a secret order, they can easily use some other law to put you away, especially given they have legal access to any communication about, from and to you. I choose to believe him rather than the NSA on the reasons for that prosecution.

I imagine that case had a sobering effect on anyone high up in these companies who was inclined to stand up to the NSA.


They don't seem to mind taking risks when it comes to questionable tax deductions.

I don't think that's taking a risk. From all accounts, the tax deductions they're taking are perfectly legal. Leaking government secrets? Not so legal…

There's an obvious reward for taking "questionable" tax deductions: lower taxes. What does Ballmer, specifically, gain from releasing classified information?

And really? You want to compare questionable tax practices that aren't actually questionable legally to something that can be construed as espionage?

But they wouldn't. The type of activity the government is engaged in only works when people are passive.

Those two statements don't follow. The government may cease these practices if people find out and come out against them, but that doesn't stop them from prosecuting the person that brought them to light.

When was the last time anyone of stature went to jail for defending the public against the government?

When was the last time anyone of stature defended the public from the government via illegal means?

It's a risk. Full-stop. You can get prosecuted for releasing classified information. And let's not even take it all the way to going to jail. The government can make your life a living hell just by prosecuting you for a crime, even if they're unsuccessful in getting a conviction.

Which leads me back to my first question, why would Ballmer take that risk?


> if you're served a lawful court order

... you challenge it, pulling out from campaign contributions, and making noise in the press. Microsoft (and Google, and Yahoo, and and and) have billions of dollars they could use to resist pretty much any law they wanted to.

Every day we complain that modern democracies are captive to moneyed commercial interests, and now we should believe that actually, they're completely powerless, oppressed by Big Bad Government? I don't think so.


Except that you can't make noise in the press because doing so could get you arrested for leaking classified information. You can't ignore it, either, because that could also get you arrested. So what do you do? You follow it, probably.

Granted, Microsoft et al. could attempt to lobby politicians to get these sorts of laws reversed, but that's not the position I was arguing against. Specifically, the GP said, "Do you think the government would jail someone of Steve Ballmer's stature if he talked openly about what the government has asked of Microsoft." That's an argument that Ballmer clearly could've talked about these programs because they wouldn't arrest him, but that assumes two things: a) Ballmer knew about this, and b) Ballmer was willing to take the risk that he wouldn't go to prison if he talked about that. Neither of those are a given.

Talking about lobbying is attacking an argument I didn't make, but I'll address it anyway.

From the standpoint of the big companies, lobbying only makes sense before the law is passed if you have no interest in following it. Alternatively, you follow it while lobbying to get it changed. You now have companies attempting to get the government to allow them to talk more openly about what they do with regards to PRISM and so forth. To put it in perspective, if SOPA had passed, do you think Google et al. would've just ignored it?


Except that you can't make noise in the press because doing so could get you arrested for leaking classified information. You can't ignore it, either, because that could also get you arrested. So what do you do? You follow it, probably.

The standard some have applied to Snowden should also apply to corporate executives: companies should oppose the orders publicly, and "face the music." Ballmer might be arrested, or his family harassed, but he would go from dancing developer monkey to public hero overnight.


You're making the assumption that Ballmer even knew about this, which isn't immediately clear. Someone at Microsoft certainly did, but so did people working within the government. You know, people working for US citizens, ultimately, if you still believe in the whole "government for the people, by the people" thing. So far, only Snowden leaked any of this stuff. I think it's unfair to lay the blame at Ballmer's feet in particular, considering both of those things.


Oh, they all have their fair share of guilt, of course. What I'm saying is that there are citizens and there are citizens. Billionaires like Ballmer, Ellison or Gates, and the corporations they run are, de facto, less amenable to legislative pressure, if anything because they have armies of lawyers ready to blow holes in every book thrown at them. At any point in time, they could have resisted this overreach in many, many ways, and they didn't, so they're as guilty as the power-crazy civil servants and lawmakers who started the whole thing.


In Microsoft's defense, consequences could include threatening government contracts...


that's not defense, that's corruption.


It's leverage.

(In the US, corruption is hidden by punishing whistleblowers.)


Do you think the government would jail someone of Steve Ballmer's stature

Perhaps... https://en.wikipedia.org/wiki/Qwest#Refusal_for_NSA_spying


> To play devil's advocate here, what else would people have Microsoft do?

In the US, my understanding is that companies lobby for things they want politicians to do. If any of these tech giants wanted less surveillance, wouldn't that be how they'd facilitate it?


> Is there a scenario in which they can successfully resist enabling surveillance features in their products while operating in the US?

Replace "in the US" with "in Nazi Germany" or "in Soviet Russia" and you'll see how chilling that sentence is. They're just following orders. It's the utter banality of evil.


You asked:

"Are major companies based or operating in the US allowed to provide secure email and/or data storage without options for lawful surveillance from law enforcement?"

Compare 47 USC §1002(b)(3):

A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

Also, (b)(1):

This subchapter does not authorize any law enforcement agency or officer—

(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or

(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.

Finally, (b)(2):

The [interception capability] requirements of [...] this section do not apply to [...] information services [...]


Microsoft is not a telecom carrier.


Actually, it is. Microsoft provides VOIP services, and the FCC and courts have held that that makes it a telecom carrier for the purposes of CALEA.


I agree that the pure VoIP parts of Skype should not be interpreted as telecommunications services under CALEA. I think we agree; I'm quoting these provisions to argue that Microsoft does not have any interception capability mandates for IP-to-IP calls under CALEA.


CALEA does NOT require Microsoft to provide decryptable communications services; in fact it ensures Microsoft can do exactly the opposite.

http://paranoia.dubfire.net/2010/09/calea-and-encryption.htm...


A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

Note "unless the encryption was provided by the carrier." Skype is the one that provides encryption here (a carrier) as far as I understand. No user can influence it. You are right that they are allowed to make the systems where users would provide keys themselves and that then the carrier wouldn't be required to assist in the decryption.


There are readily available examples of crypto software generating key pairs on the client end, and never exposing the private key to the server - GPG/PGP, OpenSSL, tarsnap - and the OpenSSL libraries are used by a whole bunch of other software too (encfs, browsers, web servers, CSR generation…)

Any "crypto" which doesn't do secure keygen on the client for "at rest" data storage is now significantly more suspect than before these revelations. You can explain away whatever you like in terms of "usability" or "most users don't care", but now many of us are going to read any excuses as "Yeah, the US government has got to our CEO… And he's not gonna be the next Qwest guy…"


Which is just a way of saying "we don't require you to do what you can't do." A truly good service would take advantage of that by ensuring they themselves have no access to the communications.


I agree that the anger should be directed at the laws, but the problem is that we are so woefully uninformed about those laws. And not just that we're not paying enough attention - these laws are being formed and executed in secret! How can you take action against something you don't know exists?


Secret laws are the death of democracy; not just that, they are the death of the Rule of Law itself. The whole point of having written laws was that everybody could know and challenge them in a fair way, without being reliant on the whim of rulers.

"Secret laws" are not laws, they are tyrannical pseudo-rules that belong in the Middle Ages.


In France you have a principle that says "Nul n'est censé ignorer la loi", ("no one should ignore the law") that has a double meaning: you can not escape your responsibilities by saying that you ignored a law, and, as a corollary, no law should be purposely hidden from you.

Still, I've no doubt that French secret services practice all kinds of immoral if not illegal stuff (at the widest scale they can afford), and they have "interesting" theories about what allows them to do that (or maybe they are just crazy enough to not care at all, like the recent declaration about the law not applying at all to those programs seems to say...)


> And not just that we're not paying enough attention - these laws are being formed and executed in secret! How can you take action against something you don't know exists?

You start by demanding that this process, this subversion of democracy, be made illegal.

This is the root of the problem: secrecy. Secrecy corrupts as much as power, and absolute secrecy corrupts absolutely.


I'm inclined to suggest that secret laws are themselves a symptom of an already corrupt government, and simply open the door to further corruption.


To play devil's advocate here, what else would people have Microsoft do? Is there a scenario in which they can successfully resist enabling surveillance features in their products while operating in the US?

Take $5B out of the cash pile. Lobby to dismantle the laws or severely weaken it.


As a Microsoft contractor, I'm confused about how to feel and how to move forward. Sometimes I feel like I'll be enabling some of these practices by continuing to be a contracted worker, and that this community will in part be blaming me for this situation.


Give it some time, clarify what exactly you're contributing. Then, if you want a clear conscience, work towards it in a practical way. Be as innocent as a dove, as sly as a fox!

That is, you don't need to quit your only mildly, indirectly enabling job right this instant, throwing your family into financial difficulties. But, you do need to work towards untangling yourself as much as your conscience demands.


In this particular instance? I would have had them be less misleading about what ways Skype is and is not secure in the first place.


These are some of the biggest corporations in the world, with resources to push back on behalf of their users---if they wanted to. Heck, at least Yahoo did something. At some point the PRISM collaborators took a calculated risk that their users would not find out, or if they did, it would be of no consequence to their business. Maybe it was the classified assurances, or maybe the whole "direct access" line for deniability. I may not have any say in NSA programs or secret courts, but I'm still a consumer and techie and can vote with my money and time. I'm gonna do my best not to support companies that actively build a surveillance state.


Protest. Lobby. Seek publicity. Take the government to court. Put up a fight.

Note that when the EU data retention directive (which is often used here under the header "see, others are doing it too", even though it doesn't even come close to what the NSA does) was initiated, that's exactly what many telecom providers and ISPs did, before and after this came into effect. It didn't stop it, but at least it has brought it out into the open, making it a (still ongoing) public issue.

The remarkable part of what's happening in the US is the utterly quiet and extremely forthcoming complicity of major companies who otherwise don't seem to have any problem throwing a lot of resources at manipulating governments foreign and domestic.

And in the case of Microsoft, in its monopolist heyday, even up to the point of structurally breaking the law.

Also, it's not like they are only quiet about it because the law tells them so: they actively deny it, hell, they even advertise with pure lies about the privacy of their services.

These companies aren't victims anymore. They are complicit.

Lastly, it should be quite obvious that with absolutely no restriction in the wiretapping of foreign nationals, they are breaking the law in every country they do business in. Those foreigners, like myself, have no voice in US legislation.

From my perspective as a non-American, Microsoft is complicit in a full frontal attack on our civil liberties. We can't stop the US government, but we can certainly stop Microsoft e.a. from doing business here.


"Protest. Lobby. Seek publicity. Take the government to court. Put up a fight."

I'll let you know how that goes from here in Sydney, Australia.

Yeah, I'm not a US citizen. None of the "with a valid court order" weasel-words apply to me.


they can't be trusted, that's all that matters, how about us that live outside? MSFT isn't putting a notice on its homepage for people outside that it can't do anything about our rights, they sell the exact opposite image, and the internet is sold to everyone as a humankind treasure... if they can't do anything about it they could at least be honest, but they all just keep doubling down on the lies


I must be in the minority here, but I'm no more concerned now than before reading this, and I'm still not super concerned if it works the way I think it does. It doesn't answer the main question of HOW MANY USERS are being watched like this.

We already knew from Prism that Microsoft is providing data to the NSA, and we already knew that it included real time video, emails, messages, etc. So this is more of a behind-the-scenes of how it's done, but if you stopped to consider before what Prism meant then it sort of implies everything here.

BUT, I still don't know whether this tapping of Skype calls, providing of decrypted messages, etc, applies only to a few specific people who the government has warrants for, or for all of Microsoft's users. I still think it's the former based on that Prism slide that said it cost $10M/yr, which is clearly not enough to handle ALL of Microsoft's and Google's and Apple's data.

If anything, I applaud Prism in that it's just a more efficient way of doing what the NSA is already cleared to do.

I'm MORE concerned about the warrantless Verizon metadata tracking for millions of subscribers, Clapper's lies before Congress about said data, the DoJ classifying the FISC's rulings that something or other is unconstitutional, the inability of companies to discuss NSLs.

But this release is just clarification on what we already knew, and we still don't know whether PRISM is oh-my-god-the-government-is-tapped-into-everything or just a convenient front-end on the government's warrant-obtained data (which is a good thing, AFAICT).


On April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database. The slide does not show how many other Internet users, and among them how many Americans, have their communications collected "incidentally" during surveillance of those targets.

http://www.washingtonpost.com/wp-srv/special/politics/prism-...


The slide itself says 117675 records, not active surveillance targets.


Oh, wow, I'm not sure how I hadn't seen that before. Thanks for the info. Now to ponder how I feel about it...


Yes, it's a fairly detailed description of how it's done, but to me this information doesn't seem to broaden the scope or intrusiveness of the surveillance apparatus that has been uncovered so far, the convenient interface for warranted querying that is PRISM.


Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio

This is pretty scary. When you talk about emails, it's sort of "impersonal". But collecting audio and video data from your casual chats on Skype is a fucking break in.


Think how many private business meetings have been conducted over Skype. Anything from board meetings, sensitive HR issues, acquisition or takeover discussions, to new product roadmaps.

Now think about all that corporate espionage material being in the hands of the government.

Think about how much private sexual activity between physically separated partners is conducted over Skype. Anything from a lonely grunt serving in the military trying to get a little private time with his wife back at home, to outright video sex between a prostitute or camgirl (or camboy) with a john (or jane).

Now think about all that blackmail material being in the hands of the government.


there is nothing impersonal about my personal mails.


I'm sure the NSA can hardly wait for XBones to start showing up in people's houses. "The telescreen received and transmitted simultaneously. Any sound Winston made, above the level of a very low whisper, would be picked up by it; moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live- did live, from habit that became instinct- in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized." -1984, Book 1, Chapter One, George Orwell


>In a joint statement, Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, said:

>The articles describe court-ordered surveillance – and a US company's efforts to comply with these legally mandated requirements. The US operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy.

>They added: "In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate."

Does anyone else get the impression that this is an attempt by the government to limit commercial damage to these companies that may result from the revelations and subsequent exodus of customers? I imagine that, while they're certainly lobbying for increased transparency, tech companies are putting a great deal of pressure on the government to take the blame for the programs and emphasize that the companies had no choice.


Allow me to be surprised this time, I don't see much new here, compared to what we already saw about Prism (all the slides). Maybe the only thing newsworthy this time is that additional documents confirm that Prism exists?

I applaud this article of course, as it gives less chance for unnatural interpretations of the slides that we saw by pro-status-quo writers ("it's not really a direct access") -- now we have additional confirmations it's a "query API" access and a "start real time monitoring" access.

Unrelated, I'm impressed with the absolutely perfect timing for an article on the day when Microsoft presents the new reorg. Heh.

My question remains: can anybody recognize something otherwise new here?


I think the confirmation that NSA and FBI have direct and unfettered access to all communication streams, is pretty huge. As you say, all calm-down-dear interpretations are now proven false. We are facing the worst possible scenario.


If you haven't seen the Binney video made in 2012 by the same author that made the Snowden video, first note the date the video was published, then watch it.

Then try to identify the claims already public to those that watched the video then which most of us first became aware of just now by following the story about Snowden.

http://www.nytimes.com/2012/08/23/opinion/the-national-secur...

For me it starts around 3:20. A lot of it was presented before Snowden but almost nobody noticed.


For me it starts around 3:20. A lot of it was presented before Snowden but almost nobody noticed.

The "nobody noticed" part is key -- documents carry more weight than statements made by whistleblowers. Whistleblowers can be discredited in the public eye more easily than documents.


I haven't read the article yet, but if what I'm gathering from the comments is true, what's new here is that Microsoft has been caught in a lie to the public and their shareholders.


Technically they didn't lie, they said they complied with the court orders. I'd say our real worry should be the secret orders and what they demand, not the companies that obey them? But what's really true is that companies' "denials" were carefully crafted to give the impression that there isn't any API-level access, even if they didn't claim that, and now we have more confirmations that they give it that way and I'm sure Google isn't different in that aspect.

Also note that the "official client" is FBI, so MS can claim they don't know that NSA accesses the data of US citizens. But that "there will be more interagency sharing and cooperation" was publicly announced by G W Bush soon after 9/11.


A perfect lesson on how to write "denials" that are accurate but aren't what most of the public can understand:

http://blogs.skype.com/2012/07/26/what-does-skypes-architect...

"It has been suggested that as a result of recent architecture changes Skype now monitors and records audio and video calls of our users.

False.

The move to in-house hosting of “supernodes” does not provide for monitoring or recording of calls. .."

There are more paragraphs that follow, but they can honestly say they didn't lie, since obviously they had the functionality to monitor and record the calls even before they introduced the supernodes so it is false that they introduced the supernodes for that, but it is not false that the Skype conversations can and are monitored by authorities.

Note that it's by law the job of FBI to do such monitoring, when it's about US citizens, and it's NSA's job for non-US citizens. Microsoft is definitely not breaking any laws. So when they say that it's all lawful what they do it's also true.


On a related note, I don't know how many more documents there are that Snowden provided to Greenwald or that will be released to the public but I certainly hope that they keep coming for a looooong time.


The marketing language MS used in http://www.scroogled.com/ - "YOUR PRIVACY IS OUR PRIORITY" - seems pretty amusing now.


Someone needs to come up with a good rewording - "YOUR PRIVACY IS LOW PRIORITY"?


"(INVADING) YOUR PRIVACY IS OUR PRIORITY"


I don't consider PRISM such a big deal, to be honest.

Yes, they spy on innocent people, in an attempt to flush out (or whatever the term is) the dangerous or potentially dangerous ones. However, I genuinely doubt my privacy is very compromised, because I refuse to believe someone is getting paid to sit and read through Facebook posts or messages about my obsession with Supernatural (great TV show on CW), or read through "IF YOU DONT SEND THIS TO 7 OTHER PEOPLE A PIANO FROM THE HEAVENS WILL CRUSH YOU INTO THE PAVEMENT" emails my neighbour is forwarding.

Also, I have a friend who talks in acronyms most of the time (over Skype chat) and I have a file called deectionary.txt (her name is Dee) with around 200 lines, I find it very amusing to think some analyst spent hours trying to decode her message because it contained "bomb" in what looks like "mtwbi bombing m/i shc play asg ol" which means (used near-real example) "my twat brother is lagging my Internet so he can play a stupid game online". She has no disability, she's just very "efficient," I guess!

Besides, I don't have anything to hide, so I don't really care. If I had some top secret business I needed to attend and would care to keep secret from the NSA or CIA, I would probably (as would many of you here, too I believe) make my own thing to do the job, because I wouldn't take someone's word that they give a rat's furry bottom about my privacy.


"ACLU technology expert Chris Soghoian said the revelations would surprise many Skype users. "In the past, Skype made affirmative promises to users about their inability to perform wiretaps," he said. "It's hard to square Microsoft's secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google."

I have a feeling the FTC won't go after them for violating truth-in-advertising laws.


Having worked at the FTC for a year in the team that goes after companies for violating consumers' privacy, I can comfortably say that you are 100% right on that point.

The FTC (unfortunately) does not police deceptive statements about government surveillance.


A well placed (Russian) friend told me recently that the KGB (and whatever name it goes by now) still uses typewriters (yes, mechanical, ink based thingos) for all internal documentation and correspondence, and that electrical/digital devices are banned in most secure areas.

In other words, they realized decades ago that if you value your privacy, get as far away as possible from a computer, especially one connected to the internet.


If this is true then SkyDrive and Azure are toast. Perhaps all cloud storage as well.


No, I don't think you're right. I think, even if the article is right, people don't give a damn. People are not that clever to react to a thing like this.


"Against stupidity the gods themselves contend in vain."


Did people expecting to have warrants taken out against them use cloud services before this?


You don't think Amazon allows exactly the same thing? Because I do.


Ow. That reminds me: I seriously need to unlink my Windows 8 account from Live/Skydrive. Like pronto.


I wish that were true. I really, really do.

Unfortunately, too many people just don't give a damn.


It will reach a point where people are embarrassed to admit they use a service. That will be the motivation that gets them to quit.


Microsoft: Your privacy is our Priority°.

This slogan now deserves to live on in infamy alongside other prominent examples of doublespeak, like Plays for Sure•, and Don't be evil°.

What concerns me in these responses from Microsoft is the distortion of the term lawful to include any request from the NSA. If you change the meaning of words like lawful, domestic and intercept, you can of course make anything legal in some sense, but distorting meanings like that is very dangerous, and using secret interpretations of it really damages our confidence and trust in the rule of law. That said I can't see any difference on this issue between MS and any other US tech giants, apart from Twitter, who are to be commended for staying out of this program. With the breaking of encryption on things like outlook chats and delivery in real time, it appears we simply can't trust any guarantees of privacy from these companies at all. Even if they did implement client-side encryption, they'd still feel obliged to break it for the NSA (and its many partners worldwide), so no offering from them is going to protect our privacy.

This was interesting too from one of the documents:

"enables our partners to see which selectors the National Security Agency has tasked to Prism...The FBI and CIA then can request a copy of Prism collection of any selector"

This indicates that any NSA PRISM search can be accessed by any one of these agencies, so once it is in the system, this information will spread widely. Given the guidelines on access of the NSA, that could include all foreign data being automatically available to any FBI or CIA agent. I wonder if they have any limits on access to 'foreign' data at all?

° As long as you're American, and not covered by a bulk court order by the NSA, and not encrypting anything, and not communicating outside the US, and don't have a 51% chance of communicating outside the US (what does that even mean?).

• No longer


>>> What concerns me in these responses from Microsoft is the distortion of the term lawful

This seems really important to me. I grew up in a totalitarian regime and this kind of re-defining common language was one of the most powerful tools the regime could use to retain power and keep people in constant fear. For example the crime of 'disruption of public order' could be used to put basically anybody to jail because the term would be twisted to fit any behaviour that the regime did not like - for example when you criticised some official or communist party member or complained about something publicly.

Actually I believe that ability of the government or any other group of people to redefine common language and inability of people to force government to use their version of language means that the power distribution in society is seriously skewed and therefore is a strong sign of failing democracy. It's really scary to observe that in the US.


I bet that Microsoft engineer who told us Skype was not re-built for spying is feeling pretty silly right now.

I know his excuses seemed "reasonable" (if you're a smart liar, you don't try to blatantly bullshit someone on their face - you find a "good reason" to hide it), but it was no less of a bullshit excuse than Microsoft's earlier rejection of WebRTC (and they ended up supporting it anyway - guess they didn't feel that strongly about that security claim to begin with).

This was the same way. Yes, it may have improved Skype's reliability a little bit, but I honestly doubt that was the main purpose for doing it. As we learn in this revelation, they don't seem to have a problem with adapting their service to suit NSA.


FTA: "Secret files show scale of Silicon Valley co-operation ..."

Since when is Redmond considered Silicon Valley?


Mountain View is in SV. It's their second largest campus:

http://www.microsoft.com/en-us/news/features/2009/nov09/11-2...

But Microsoft Research might be more relevant:

"Located in Mountain View, California, Microsoft Research Silicon Valley was founded in August 2001 and now employs about 75 researchers. Our research work focuses on distributed computing and includes privacy, security, protocols, fault-tolerance, large-scale systems, concurrency, computer architecture, Internet search and services, and related theory."

http://research.microsoft.com/en-us/labs/siliconvalley/defau...


The bigger deal here to me is the data sharing. Who cares if one agency isn't allowed to spy on Americans? Or if another agency has this or that court oversight? All the data collected is shared between the NSA, FBI, CIA, foreign intelligence, etc. This means regardless of who you are or what you are doing, there's someone who has the authority to spy on you, and now they have all your data as well.


I want to remind all of you of the campaign that Microsoft was/is running in the last months -> http://www.scroogled.com/

motto: "YOUR PRIVACY IS OUR PRIORITY" Yeah, now it seems a bit mh... ironic. Not because I think that Google is more privacy friendly, but surely Microsoft is not at all.


Key line: "When we upgrade or update products we aren't absolved from the need to comply with existing or future lawful demands."

That sounds a lot like "we will introduce backdoors in MS updates".


I'm going to purchase a subscription to the Guardian out of principle. I invite you all to do the same. This is absolutely fantastic work they've done.


All this on the day Microsoft announced their restructuring. They neglected to mention a new division called "NSAlite"


If the revelations continue at this pace, we'll soon hear there are DMA rootkits directly in our network cards.


Where are the documents? The text seems to be referring to something that isn't showing up for me.


Was I the only person who thought "Did the NSA really need Microsoft's assistance?"?


small but annoying thing in the article: microsoft≠silicon valley


Microsoft made more fuss and put up a better fight against FOSS than here, for this, for its users, its core ideas and values nothing... oh right, money and power is above all.

Or is it just so that all these companies, Google, Facebook, Microsoft, Apple got something big in return for their cooperation with NSA?

Perhaps they will or got intel on their international competitors?

As so many people seem to be involved in this, at every company sysadmins, managers, developers etc, perhaps many of them want to leak but don't know how, they are close to the devil so to say and fear they can't really do anything about it as they already know the extent of the surveillance?


The headline is surprisingly understated, where usually the opposite is the case.

After reading the article, the headline might as well have been "Microsoft handed the NSA the keys to friggin' everything."

The tin-foil hat conspiracy theory of the NSA having a backdoor in every Windows system on the planet suddenly doesn't seem that far fetched anymore.



