> Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
I'm not sure how much more strongly you'd like that worded. It seems pretty complete to me.
There's 2 different things going on, under different legal authorities and Google is confusing them.
Verizon was given a Patriot Act order for business records, metadata; no names; no content, but all citizens or foreigners.
Google and other tech companies are said to have gotten orders under section 702 of the FISA Amendments Act of 2008. That allows the government to compel communications companies to furnish lots of metadata and CONTENT on NON-U.S. persons. This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons.
Compliance is mandatory, under contempt of court and companies must provide facilities and help. They also get reimbursed.
So it's likely Google never got an order like Verizon did, they likely got one that involves content, but is supposed to exclude intentional targeting of Americans.
I don't buy it. What I quoted above doesn't say anything about US persons or non-US persons, about content or metadata, about this law or that one. It just says,
> Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
Now, Page may well be lying, but he definitely isn't weaseling. I'm pretty sure that denial covers both of the possibilities you're referring to.
Of course it's weaseling. Maybe they disclosed such information on a slightly lesser scale. That passage doesn't say.
They all said stuff about "direct access", without discussing what would and wouldn't qualify as "indirect". They didn't deny doing all kinds of different access that could be called indirect in some way.
Of course they don't deny indirect because that would be a lie. Everyone provides data indirectly via a thing called "warrants". Google publishes how many indirect requests they comply with right here: http://www.google.com/transparencyreport/userdatarequests
The thing is we can't trust any statement by anyone because of the gagging component of NSLs. I've heard it said that the above information is for FBI requests under the patriot act and doesn't include NSLs. For all we know NSL gags could explicitly forbid that kind of reporting and may even compel the recipients to lie if asked.
The last sentence he made, that the government needs to be far more transparent about what they're doing is the only sentence I can really trust as honest, especially given that the alternative to lying could be being thrown into Guantanamo for 'assisting terrorists'.
>The presentation claims Prism was introduced to overcome what the NSA regarded as shortcomings of Fisa warrants in tracking suspected foreign terrorists. It noted that the US has a "home-field advantage" due to housing much of the internet's architecture. But the presentation claimed "Fisa constraints restricted our home-field advantage" because Fisa required individual warrants and confirmations that both the sender and receiver of a communication were outside the US.
>"Fisa was broken because it provided privacy protections to people who were not entitled to them," the presentation claimed. "It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all."
I think there are a lot of possibilities that could be consistent with Page's statement that also involve the NSA spying on Google users. For example, perhaps the NSA asked Google to disclose their SSL private keys; then, if they are willing to do an active attack with their own infrastructure, they could transparently perform a MITM attack on all requests to gmail, and it would be virtually undetectable.
Another possibility is that the NSA could have served orders on Google employees directly, and they are compelled not to tell their managers about what they did for the NSA.
Or you just follow standard operating procedures for foreign intelligence collection.
You hire a foreign national, working for a foreign division of Google to be your spy. Unless every US citizen's mail server is domestic, lotta loopholes to be found.
People should also not assume the credit card statement from their bank is a batch job run on US servers by their bank. I've been told this stuff is outsourced, probably to the lowest bidder. Which if I were an intelligence service, I would be more than happy to subsidize.
>I've been told this stuff is outsourced, probably to the lowest bidder.
You have been told incorrectly. (Source: I work for a major US credit card company.) Certain pieces of the development and maintenance may be outsourced (under the supervision of US employees), but we (and, as far as I know, all our major competitors) own the data centers where they are run.
| they are compelled not to tell their managers
| about what they did for the NSA.
This seems problematic. What if another employee discovers what was done? What if it goes all the way up the chain? When they ask the employee why they created a backdoor, is the employee then obligated to lie? Get fired for the lie? Go to prison while maintaining it's not a NSA secret program?
The key issue here is that Google and the other companies may have no idea this is going on. My read is that the NSA has managed to gain access to the data centers either through inside help, spy craft, hardware/router back doors, or some other means we have no idea about.
AT&T and Verizon are two of the most powerful companies in the US, and have massive lobbying power. The notion that those companies were compelled to sign on to huge espionage programs, with their chiefs being fully aware of it - but yet somehow Facebook / Google / Microsoft / Apple etc. did not have to sign on to anything related to Prism (which has been openly admitted to exist by the Feds), nor were they aware of anything, is just about impossible.
<conspiracy theory>
We haven't seen posts from the CEOs of Cisco/Juniper/Dell/HP or other manufacturers of datacenter grade network equipment. Who needs Google/Facebook's "knowledge" if you've got root on all the border network gear (and SSL termination hardware)?
I know here in .au, Huawei have been excluded from the government-deployed National Broadband Network due to suspicions that the Chinese government has too much control/access to Huawei network hardware.
an old time option - a few employees "compelled" to provide access and keep mouth shut.
a new time option - Larry is lying because of the gag order.
in between - Larry said "on such scale". Well, Google probably is of a bigger scale than Verizon.
Anyway, once the data is out there, it is only a matter of time and determination for a government (or any financially well backed up player) to get to it.
This scandal will be a great boost for any services involving "crypto", and probably would spring new ones like an encrypted phone exchange/switch service, where one can see incoming and outgoing phone numbers, yet not which one connected to which :)
This was my initial assumption, that Prism referred to fiber optic prisms that are used to duplicate data with zero interference.
These can be installed at the trunk level with virtually no one knowing about it (maybe a couple of on site managers). They can handle massive data and pipe it directly to the NSA. The problem of course is you're dealing with raw data which isn't nearly as easy to work with than if you had direct access to internals.
These are already installed on every major backbone so I also don't see why they would bother to involve anyone, so there must be more to it.
ps. It would be nice if another whistleblower came out with the data on optic splitters and how the NSA uses them.
possible the timeline on the slide is when NSA successfully began making sense of the raw data they could be collecting at internet backbones? also possible that the document purposefully threw the public off track by implicating these players, thus limiting the legitimacy of the claim if it ever came to light?
Consider the sheer volume of data we're talking about here. Unless you think these companies would miss a fiber optic trunk running out the back door of their data centers, does that make any sense?
The Feds have direct taps into every major telecom carrier in the US. You can't fire off a search query to Google without the Feds technically being able to pick it up.
Access is trivial, volume is a much more interesting problem.
>>Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
If you consider that PRISM is not a 'dragnet' but rather an automated system that processes FISA warrants on company premises then the denial wouldn't be wrong. There is no 'scale' that you wouldn't be able to get using regular data requests to internet companies. PRISM could just make the process a lot easier for everyone involved.
So instead of sending a warrant over, having the company verify and send the data to the NSA, then finally transforming the data into a reportable format PRISM automates the whole process.
If you read some of the media descriptions it almost looks like PRISM is more of a data aggregation and portal system that sits on top of a data source and allows analysts to explore content.
But if they were given similar court order terms as under the Verizon court order wouldn't he legally have to lie or violate the court order? Or just not give a comment, but no comment on this would imply guilt to a lot of people so lying could seem like the correct path.
I don't see how they could have gotten an order under the Patriot Act. The section that deals with this is section 215, which amended section 501 of FISA.
It specifically states that such an order can be made "provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution".
If they have been violated, then there are a number of members of Congress and the Senate who are falling down on their job - the Attorney General must inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate. On top of this, every 6 months the Attorney General must also provide a report to the Committee on the Judiciary of the House of Representatives and the Senate which details the total number of applications made for orders approving requests for the production of tangible things and the total number of such orders either granted, modified, or denied.
I've read and documented the USA PATRIOT Act on Wikipedia incidentally. Took me two years to read and understand the thing. Possibly things after the Patriot Act changed FISA, I wasn't going to spend any more time on writing up about this subject. I'm an Australian citizen, after all.
I should note that I'm not thrilled about the fact that the U.S. government can read my communications. Not that I have anything to hide, nor am I of any interest to them, but hardly the point.
The two parts to read on Wikipedia, incidentally are:
>This was Congress legalizing warrantless wiretapping ala AT&T, but limiting it by requiring it to be targeted at non U.S. persons
But how would you determine on the internet that an account holder was a US person or not?
If I claim to be the person X who is a US person by registering for an account in their name, am I then a US person and therefore supposedly exempt from monitoring? Even IP-based clues are not enough as those are not foolproof.
I suspect that both US persons can be just as susceptible to tracking from the Government.
Unless I am mistaken US and most European countries are based on Democracy.
Wikipedia defines Democracy as a form of government in which all eligible citizens have an equal say in the decisions that affect their lives. Granted, Wikipedia is not the oracle but it gives a good definition in my opinion. Does the gathering of my personal data affect my life? Well in my personal opinion it does, therefore I should be informed about it.
What's become very clear is that there is a lot of careful parsing going on. Careful parsing of the constitution, careful parsing of various laws, very very careful interpretation of the words on the page.
Does Google give anyone, any company, any entity, anyone at all direct access to their data? They've specifically excluded NSA. Does NSA subcontract that to Booz Allen Hamilton? Google claims that no government has this access, what about one of the 1200+ Top Secret cleared contracting companies?
Can these companies officially comment on this stuff yet? Or are they violating court orders if they talk about it? I like Google, I really want to trust them and I think they've moved the needle in our industry in some very positive ways. Honestly though, I think they could make much much stronger statements about this stuff. I expect them to say stuff like this to keep up with appearances.
> Careful parsing of the constitution, careful parsing of various laws, very very careful interpretation of the words on the page.
There is no "careful parsing" of the Constitution going on. Just people who never read the document very carefully other than what they thought the teacher said in 8th grade.
This is the entirety of the 4th amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
If any "parsing" is going on, it's creative parsing to make the argument that information you freely handed over to Google and AT&T, or indeed information that was never even in your possession but was generated by AT&T (e.g. call data records, web server logs) is somehow your "papers or effects." Tell me how that is anything other than creative parsing? How is a document that you never even had in your possession somehow your private information?
To follow up even the Supreme Court ruled in 1928 that a wiretap did not constitute a search under the 4th Amendment so there was no need for a warrant.
Wiretaps themselves became illegal and the information from them inadmissible under the 1934 Communications Act. This didn't really stop wiretaps. Instead they were used as a method of intelligence gathering to go and find stuff that was admissible. Note that this was not a reflection on the Constitutionality of wiretaps, but instead the sense that they just weren't needed to convict criminals.
By the 1960's wiretaps were again brought to the Supreme Court and they outlined how a wiretap statute could pass Constitutional muster. The Katz case is where the "expectation of privacy" language was introduced. This resulted in wiretap statutes passing in the late 60s and that's basically what we had until the PATRIOT Act of 2001.
Really? You don't think of information in your Gmail or Google Drive as personal "papers or effects"? Would you be fine with a Google employee reading through your email or your spreadsheets in order to figure out whether you were working on a product that might compete with one of Google's, or maybe because they ran across your profile on a dating site and wanted to check up on you? If so, I think you're unusual.
In a world where important documents are increasingly electronic, and electronic stuff is increasingly routinely backed up, transmitted through, or just stored on remote servers, people's personal papers will be increasingly in the possession of others.
I won't argue that it's impossible to read the Constitution so that it becomes a set of meaningless restrictions on outdated technologies--legal text is never deterministic and always subject to multiple interpretations--but it's certainly not unreasonable for somebody to have "read the document very carefully" and found it more robust and relevant than you do.
> Would you be fine with a Google employee reading through your email or your spreadsheets in order to figure out whether you were working on a product that might compete with one of Google's, or maybe because they ran across your profile on a dating site and wanted to check up on you?
Wouldn't I be pretty stupid if I had a problem with these things, yet still uploaded these documents in clear text to Google's servers where absolutely nothing stopped Google from doing these things? Especially when they tell me point blank that they do indeed sift through the documents (for ad targeting)?
We routinely rely on social codes rather than technology to protect our privacy (as well as our property and lives). There's nothing physically preventing my building super from using her key to go into my apartment and look through or steal all my stuff, but I'd be upset if it happened. What's more, 99.9% of Google's users are in no position to evaluate the cryptographic security, or lack thereof, of their documents. Finally, Google has actually said no humans read your email, in response to that Microsoft campaign. So no, hypothetical you wouldn't be stupid, and you are wrong to imply that the millions of Google users who would have a problem with those things are being stupid now. Making a series of decisions that we will at some point regret, perhaps, but your condescension is unwarranted.
* Just as the NSA claims that collecting data doesn't count until a person reads it, Google affirms that humans do not read user data without permission.
* Documents are encrypted in transit, not uploaded in clear text.
Google Drive is very much like a safe deposit box in a bank, in terms of user expectation of privacy, and vendor promises.
If my secretary holds my briefcase, is the government allowed to seize it without any warrant or judicial approval?
Email is slightly more complicated, due to automated ads scanning.
> How is a document that you never even had in your possession somehow your private information?
Have you been to a doctor? Have you seen that folder full of your medical information? Have you ever possessed it? Most likely not, but that is your private information and there are very strict rules about how it is handled and who can access its contents.
First, third party doctrine is more limited than that, and in the event where a party is compelled to retain information and disclose it, third party doctrine becomes quite questionable (because they end up acting under the color of law).
The thing is that usually CDR data doesn't require a warrant. The court ruled that since people are typically aware of the existence of CDRs and may rely on them for services from the telephone company, and because they are relatively non-revealing they do not constitute a search.
The point is that the user of the telephone service discloses the calling information to the phone company and in such a way as to expect no privacy over the information. A similar case might be IP packet header information over routers, or photocopying address/return address/postmarks on the outside of envelopes passing through the USPS. None of these are considered to violate any reasonable expectation of privacy because, for example, we can expect that the address on the letter we drop off at the post office is publicly visible.
Roe v. Wade was a pure exercise in legislating from the bench, and even many of its supporters will admit that.
O'Connor got it right in Casey when she distanced the right to abortion from the right to privacy: "That is because the liberty of the woman is at stake in a sense unique to the human condition and so unique to the law."
From Roe:
"The Constitution does not explicitly mention any right of privacy. In a line of decisions, however, going back perhaps as far as Union Pacific R. Co. v. Botsford, 141 U.S. 250, 251 (1891), the Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution. In varying contexts, the Court or individual Justices have, indeed, found at least the roots of that right in the First Amendment, Stanley v. Georgia, 394 U.S. 557, 564 (1969); in the Fourth and Fifth Amendments, Terry v. Ohio, 392 U.S. 1, 8-9 (1968), Katz v. United States, 389 U.S. 347, 350 (1967), Boyd v. United States, 116 U.S. 616 (1886), see Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); in the penumbras of the Bill of Rights."
That handwave-y language ("does not explicitly mention", "a right of personal privacy, or a guarantee of certain areas or zones of privacy", "at least the roots") doesn't exactly inspire confidence in the existence of a broad, fundamental right to privacy in the Constitution. Also, it uses "privacy" in a somewhat different sense than the surveillance debate. In Roe, it's used more like "liberty."
I'm not saying otherwise. But flaming the government for acting Unconstitutionally for activity that is not contrary to the text of the document is lame and misleading.
If you think there should be a right to privacy of electronic communications, then convince people of it. Get an amendment passed. Don't twist the Constitution to say what you wish it said.
Your disagreement isn't with my definition of "papers" (we both probably agree that "papers" can easily be read to encompass both physical and digital documents). Your disagreement is with my assertion that handing your "papers" over to a third party robs you of any 4th amendment interest you might have had in those documents.
No, the quote is still vague and I agree with Nelson69. He could easily say that "we don't provide any access to gov, nor to their subcontractors nor to any other entity,..." - if that would be true.
Based on the sentence two lines before it, it likely means "millions of users":
> we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. [...] Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
> Honestly though, I think they could make much much stronger statements about this stuff.
They can't really, though - they do cooperate with the government on a ton of properly-filed, fully-legal subpoenas. And that's fine, that's what they have to do, and it's what every other company in the world would do - though we should all push our government(s) to be more transparent about what they're requesting and why.
I did read it, with the dozens of other articles and such it's blurred together. He did rule out the US Government, does that rule out contractors? Does that rule out Verizon? What if Google has data in someone else's datacenter? That's specifically what they said the US government doesn't have direct access to.
Do they give carte blanche access to their data to ANYONE? Regardless of the datacenter. If they don't they can say that.
And yet this still misses more important issues. While it is fantastic that Google does not give the USG a free pass to the whole enchilada, Google still collects and stores this data, and gives it when compelled, if they truly had the users' best interests in mind they would reduce the data collected to only what they MUST have to do what they do, and not use Vacuum cleaner like methods to get and keep everything they can, if Google did not keep it, the USG would not want it. So the best way for Google to be a part of the solution would be to reduce what they intake and keep, burn the rest.
That's moving the goalposts, though. The initial assertion -- that this is a cleverly-worded non-denial -- doesn't hold up with the text. Page is clearly and unambiguously denying that Google supplies any information to the government on a millions-of-users scale.
Saying that denial is a lie . . . is a completely different charge.
Google could be searching email for certain series of characters, like "xxxx obama" and handing that over. Perhaps NSA supplies google a list of phrases to look for.
A better carefully worded response is still a carefully worded response. Google is in a difficult place because we all expected this to be happening, there are now documents suggesting that it has been happening, and no one takes at face value anything that sounds like a lawyer wrote it.
EDIT: I mean: (a) No one cares if they have heard about a program called "PRISM" when the point of that program is to aggregate data from other programs. (b) Anyone who is actually innocent in this needs to stop mentioning "direct access to servers": no one expects this program to be directly accessing servers. (c) We also don't care whether actions were "in accordance with the law", as the constitutionality of the surrounding laws is part of the debate.
I will say that "Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false." is a good statement to make. It sounds broad in a good way and doesn't appear to have many weasel words, other than specifying "Internet activity" and not email or general activity. Are Google searches even "Internet activity", or is he referring to Google Analytics / Google +1 / 8.8.8.8 DNS?
"direct access to servers" looks suspicious to me as well. However, maybe several dozen lawyers had no clue how to react today, and they just copied one another's text?
More likely: the first paragraph from the Guardian and the Washington Post both emphasized "direct" access. See the picture here: http://cl.ly/image/2S3i1g2W2R2k
If you're refuting claims of behavior X, it's natural to say "We don't do behavior X."
The problem is that Obama himself has acknowledged the program both exists and is very active, the only limitation being 'Internet monitoring is only for those outside United States'- no comfort for Google users like myself outside the US[1].
I don't mind targeted surveillance against genuine suspected terrorists. What frightens me is broader intelligence collection especially commercial intelligence. Over time programs broaden and if we're not really, really careful we'll find gmail being read by intelligence analysts who can brief our US competitors.
If non-Americans can't trust Google with their information that is an existential risk to its future. I think the Google leadership needs to do a lot more than this one short post!
[1] From Obama's comments:
Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States. And again, in this instance, not only is Congress fully apprised of it, but what is also true is that the FISA Court has to authorize it.
So in summary, what you’ve got is two programs that were originally authorized by Congress, have been repeatedly authorized by Congress.
That seems pretty clear - there is a congress-approved spying on non-US citizens' Internet and email.
"I don't mind targeted surveillance against genuine suspected terrorists."
This kind of language bothers me - "suspected terrorist" requires no proof at all, while sounding authoritative (65% of Americans support the remote execution by drone of 'suspected terrorists').
I know roughly what you meant, of course, but where that line is drawn is a discussion that needs to be had. I'd say that with the level of surveillance that goes on, we are all suspected terrorists now.
I find it fascinating that Matt Cutts didn't bother to address any of this in his defense of Google. Obama and James Clapper have both admitted to what is obviously Prism, a large scale spying program targeting Internet users and their data.
It rather makes it clear that Google is participating in espionage programs for the NSA. Supposedly, maybe, it isn't directed at Americans (har har).
I don't think they are. I think ISP's allow government equipment on their networks to capture traffic as they see fit. If every ISP participates, then they have Google data, Facebook data, Yahoo data, and on and on.
Obama has acknowledged that federal law allows FedGov to obtain emails of non-citizens without a search warrant but through a court-overseen process. This is part of a 2008 law that we all know (if you've been paying attention) does this.
The president has not, however, confirmed that the news reports about "PRISM" are accurate. All he's done is summarized the law.
The last couple lines of his blog post seemed to convey, at least to me, that he was posting truth but perhaps not as much as he'd like.
"We post this information on our Transparency Report whenever possible... ...we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish."
In the transparency report, Google can only report wide ranges of numbers, not actual numbers (i.e. 1000-4999). They have always said they wished they could provide the actual numbers of requests as well as copies of the requests themselves, so this is consistent with that.
Hey teawithcarl, I appreciate that. I'd be interested in hearing what you think the right thing is. I suspect that we're actually in agreement on most points. If there's something you think we should be doing differently (and I agree with you :), I'm more than happy to lobby for that within Google.
I do think Google is working hard to protect our users from unwarranted government requests. Just speaking for me personally, I really dislike provisions in the PATRIOT Act and FISA that compel secrecy. One thing I did like in Google's blog post was that we spoke out against the "level of secrecy around the current legal procedures." I was encouraged that Facebook later said something similar. In my opinion, a lot of the frustration about the current situation would be best applied to changing some laws in the United States.
While I honestly think _you_ believe Google is doing "the right thing" - there's a nagging suspicion that there's some NSL-style legal (or possibly extra-legal) compulsion being used at the very top levels. Even if I believe that Larry is 100% "on my side" against the government - I'm also under no doubt that Larry and Google are effectively powerless against the pressure the various US government agencies could apply if they so chose.
While explanations of the similarity between Larry's and Mark Z's posts based on direct rebuttal of the WaPo article are plausible, when combined with Apple's, AOL's, and Yahoo's suspiciously similar structure and wording - cynical-me can't help but wonder if all 5 CEO's are being compelled to disseminate the same government supplied message (and are possibly intentionally using almost word-for-word similar language as a plausibly deniable way of telling people that).
I'm not sure if there's much Google can say or do - given the depth and seriousness of the seeds of suspicion that've already been sown… (Having said that, I was pleased to read Yonatan's G+ post earlier today…)
When AT&T was asked politely by the NSA to open its networks under the warrantless surveillance program, the company refused to confirm or deny. They actually offered arguments like this one from an AT&T attorney:
http://news.cnet.com/Legal-loophole-emerges-in-NSA-spy-progr...
Federal law may "authorize and in some cases require telecommunications companies to furnish information" to the executive branch, said Bradford Berenson, who was associate White House counsel when President Bush authorized the NSA surveillance program in late 2001 and is now a partner at the Sidley Austin law firm in Washington, D.C. Far from being complicit in an illegal spying scheme, Berenson said, "AT&T is essentially an innocent bystander."
And a sealed AT&T document I obtained tried to offer benign reasons why there would be a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic:
http://news.cnet.com/2100-1028_3-6077353.html
What Google and Facebook are doing today is precisely the opposite of what AT&T did.
Hi Matt - Thanks for answering. I genuinely appreciate your earnest communication. To answer your question, I sincerely believe Larry should do the right thing irregardless of the law, which means telling the American public the truth.
What Sergey (and Google) bravely did in China gave Google years of priceless respectability. This is one of those situations where civil disobedience is best. I realize you can't just "pull out of the United States", yet Google is looking like liars, and that just doesn't work.
For what it's worth, if Larry summoned the courage to speak his conscience completely, he will not go to jail. Far from it ... Google will be the true statesman, showing courage and leadership.
Indeed, I believe it may help Google the most, by catalyzing people's courage to do what's right. It's simply wrong to associate yourself with this.
It must come from Google first, Google is the strongest. Please consider the honor in doing this. Done genuinely, the public will rally behind Google, just like SOPA/PIPA. And don't forget, you have the world's largest bully pulpit.
Thanks for posting this. Here's something I wrote to someone recently: "I view talking about FISA (see http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillan... ) like handling radioactive waste or juggling chainsaws: it has to be done carefully." The reason is that FISA orders come with a gag order: see https://ssd.eff.org/foreign/fisa . So I understand why official company blog posts, even from Larry, have been carefully worded so far, even if that comes across as legalistic or weaselly-worded to some.
Thought twice about posting this, but am I the only one who feels really queasy about someone like Matt Cutts jumping directly into conversations about their own company on HN (especially when it could be connoted as being part of damage control)? He's hardly rank-and-file. I think it is plain old creepy, YMMV.
Heh, did you get out of the wrong side of bed today? I don't spend all day reading HN comments - sorry if my knowledge of responses to Matt Cutts' posts isn't as comprehensive and magnificent as your own. When I posted this, nobody else had said anything.
ashleyblackmore, the initial news stories seemed to imply voluntary, wide-scale, direct access to Google's (and others') data by the NSA. I genuinely thought that sounded wrong and against the bent of Google--both its execs and the rank and file employees. In the last few days, more recent stories have indicated that it's more like compelled, limited FISA requests, which all US companies are legally required to respond to. See Yahoo's recent post at http://yahoo.tumblr.com/post/52491403007/setting-the-record-... which also points in this direction.
Compelled and limited is a very different story than voluntary, wide-scale, and direct. Do I like FISA? No, I think it sucks. FISA orders come with a gag order, and laws that compel secrecy like that should be struck down, in my opinion. But in recent days, you've heard the CEO of Google say that they haven't gotten the sort of broad requests that (say) Verizon got, and that Google can and does push back on requests that they consider too broad.
I think the proper response to this issue should be frustration with bad laws, and calling your Senator or Representative in Congress to tell them that.
"We cannot confirm or deny the existence of such a program,"
or
"It is not our policy to comment on national security topics"
or
"No comment."
or even
"We'll wait for the results of the investigation."
I don't think the government generally asks civilians to lie so enthusiastically, because . . . well, as a rule, they just aren't good at it.
No, I think it's most likely that Page doesn't know of any such program. Now, it's always possible that such a thing is being carried out on the scale everyone fears by a rogue, loyal-to-the-NSA employee, or a group of them. Or it's possible the original PowerPoint slide including Google as an information source is oversimplified or even inaccurate. Such things do happen when presenting overviews of program capabilities.
And many other things in between are possible. It's concerning, but . . . I'll wait for the results of the investigation. ;)
It's also possible that Larry is concerned about his share price, and what would happen to it if Google was revealed to be completely in bed with the NSA (My guess is it would fall quite a bit). He has real money at stake in limiting the damage that comes from this revelation.
The fallout in such a case has to be smaller than it would be if it comes out later that, not only were they in bed with the NSA, they (and the other companies in this situation) blatantly lied about it with their statements today.
I guess keeping an eye out for Larry (et al) cashing out shares over the next few weeks/months might be a good indicator of the likelihood of exactly that "coming out later".
I've never heard it said that anyone was required to deny involvement. Did you mean that exactly as you wrote?
I think there's a world of difference between a gag order where you are not allowed to confirm, and an order to explicitly deny involvement. I'm not saying the former is "good", but there's a difference.
I think there's a non-zero probability that there are US government agencies who can and have compelled people to explicitly deny something that they know is true.
Realistically, it would boggle my mind to discover they'd done that to all the founders/CEOs/legal departments of all the companies involved here (at least Google/Facebook/Apple/Yahoo/AOL), but given the stakes in this game - I have no doubt that it _could_ be done.
I agree, but what could Page say to convince us otherwise?
Either the government is coercing them, and they have to issue lies as denials, or they are participating voluntarily and are voluntarily lying, or they are not participating. The second option seems unlikely to me.
I don't know why we'd expect the truth to be in the middle. If the NSA document is genuine, the information the NSA is collecting from Google is part of a Top Secret program as described in the leaked internal document.
If that is true, why would we expect that Google officials would be able to make any public confirmation of the Top Secret program? And, given that, why, in that case, would we expect the truth to be "in the middle"?
Conversely, if the leaked document is not genuine, then I still don't see any basis for expecting the truth to be in the "middle" between the false document and the Google denial.
Did I miss some information? I only saw two slides. One that shows the potential data accessible and one that shows when the companies were added. It doesn't say exactly that they had access to everything.
As far as we know PRISM can simply be there to centralize the information that the NSA got in legal ways. We do know that the government asks Google for about 100 users' account information each day, we can guess that they do the same to every company on that list and they were all added to PRISM at the date you can find on the slides.
I mean, that slide contains one of the most important pieces of information that we currently have to guess the magnitude of PRISM: the budget. They only need $20 million every year. True data mining is much more expensive than that.
I'm 100% with you. I don't know what Page could say, and I agree that it's extremely likely that the truth is somewhere in the middle, but damned if any of us have any ability to actually suss out what that is. It's very frustrating.
I just think it's important to not be entirely cynical here, and to keep in mind what such a statement might look like if it were being truthful. I don't know how much different it might be, which generally makes the statement only as good as Larry Page's word, and only then if he doesn't have a gun to his head.
> NSA says it's getting data in some form from Google, Page says no direct access.
Page says no direct access and not even legal access at that scale (Verizon). He doesn't say they don't have any access -- in fact he says they comply within the bounds of law, but it's not at the Verizon scale.
I don't know how many of us served as officers in the military, but the requisite action in this situation is pretty clear. If one is interested in day to day security, speaking from a strictly tactical perspective:
You assume Google is giving the NSA information and act accordingly.
Doubts are like bothersome flies...
until they are crushed...
you will never be comfortable at your current position.
We obviously still have a lot to learn about PRISM... But with that said, I have some conflicting instincts & feelings about all of this and the company responses.
On one hand, I would think a very-visible CEO of a major corp would keep their name off of a press release, if the press release was a lie that they were compelled to tell by the government.
On the other hand, I feel like each company's response and their use of the exact same terminology ("direct access", etc) feels like a wink and a nod.
I completely agree, and I don't know how to reconcile the two.
If I was going to go completely conspiracy-nutter, I'd say that Page has been kept out of the loop intentionally for plausible deniability, and the actual incursion happens at a much lower level, where the people involved are coerced into keeping their mouths shut. That way, the bigwigs get to tell what they think is the truth, the NSA gets their data, and nobody is the wiser.
Granted, I think that belongs more in the plot of a thriller novel than in this actual world we're living in, but given the revelations of the past couple of days, fiction doesn't seem that implausible.
"A US government-mandated backdoor allowed China to hack into Gmail"
"In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access."
> or they are participating voluntarily and are voluntarily lying, ... seems unlikely to me.
Their business is based on users' data. If you do not feel comfortable giving them your data, it might hurt their business. Hence, IMHO, they do have some incentive to deny PRISM, regardless of the facts.
No, it's not. Gag orders can also be satisfied by saying "no comment" or just not saying anything at all, which is different than actively denying something.
This is a false assumption. AT&T did not deny opening its networks to the NSA during the EFF litigation. It simply declined to comment, and offered suggestions (which I wrote about at the time) about how the law allowed it to comply with such a secret court order.
No, it's not. What little we've had about super-secret legal requests isn't that companies have to lie about them. It's that they can't acknowledge them at all.
So the answer they give when asked, and they do get asked, is "no comment."
If they were voluntarily part of PRISM, and legally required to keep that quiet, I'd expect them to say "no comment."
Doing the opposite makes so little sense. It means they're having to flat-out lie to their users, something very hard to recover from.
The thing is "no comment" would basically confirm that 'something' is happening that's secret. Everyone would go conspiracy wild and pull everything they have away from Google.
They probably want to confirm it, but in a completely open and transparent way that assures people there's nothing they should fear here, which they can't do because it's all cloaked in secrecy.
What about the strategy you hear about of getting around this? Where they say "we're not under a gag order" (or whatever) each day until they are, until they go under a gag order, at which point it reveals they are.
Now, I'm not so naive to think that if someone tried this, the government and courts would just say "Herp, derp, you sure outfoxed us there!" But has that strategy ever been tested in court?
This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page.
Google doesn't have to actively disclose...the government just needs to know where to "listen" to get the same data that's moving around Google's data centers.
1) They didn't, and
2) Even if they had, unclear, inaccurate, or misleading information regarding Google's degree of cooperation or the mechanics of acquiring the data in a document prepared for consumers of the data for which information on the details of collection was not essential actually makes quite a lot of sense in a highly classified program (whether it's classified for appropriate, security related reasons, or for political reasons.)
Consumers of the data need to know where it comes from and its scope, they don't necessarily need to know whether it's acquired through cooperation or coercion or infiltration of the providers.
Also, that's what they were doing for more traditional wiretaps and you should be sure that they have access to siphon off live traffic for analysis if they want.
Is that even possible if Google's SSL certs have Extended Validation? They'd have to have cooperation all the way down to the browser vendors and I can't see Mozilla caving that easily.
There are several governments (Spain, France, Netherlands, Japan) who publicly have Root CAs in the trusted browser list[1]. It seems pretty likely (cf say, Prism) that the NSA has a CA cert where they can generate whatever certificates they want in order to MITM browser SSL communications...
The Verizon order explicitly applies to calls within America between American citizens, which is why it was so novel. PRISM, as described, only incidentally collects information about Americans. This statement does not preclude the direct access to user data that the PRISM reports describe.
Prism has been admitted by the government to exist.
The notion that it exists, and Google isn't involved in it, is pretty absurd. That'd be like talking about tapping the telecom companies, but leaving out Verizon and AT&T.
See:
"The top intelligence official in the United States condemned as “reprehensible” leaks revealing a secret program to collect information from leading Internet companies and said a separate disclosure about an effort to sweep up records of telephone calls threatens “irreversible harm” to the nation’s national security."
Mr. Clapper said in a statement that the classified program to collect information from Internet providers is used to “protect our nation from a wide variety of threats” and he condemned the leaks of documents describing its existence.
Also, this is very interesting from a NYTimes article on the matter: "But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said."
They didn't give the NSA "direct access" to their system but created a front end for them instead... LOL.
I'm curious why we're satisfied with an anonymous leaker and some shoddy looking powerpoints.
I'm not going to comment on what's true or what's not, but I know a few things:
1. Having been "in the news" or when I've had firsthand knowledge of an event in the news, I'm always shocked by how inaccurate the news is. Usually not in broad strokes, but in lots of details. I have learned to take everything I read in the media with a healthy grain of salt. I'm not dissing journalists here, but that's what they are: journalists. They are not tech experts. What we are reading could very well be inaccurate. We've not vetted their source either. At least Google is a known entity.
2. This whole "we scan everything" business just seems farfetched. That's a lot of data to just double.
3. This program has been subject to oversight. I haven't lost that much faith in my elected officials, or government employees for that matter.
Do you all remember when the "news" was "leaked" by "anonymous hackers" who claimed to lift Apple user data from a hacked FBI laptop? The Internet lost its mind frothing against the surveillance state.
The minority of critical thinkers who suggested that maybe the claims of anonymous hackers shouldn't be taken entirely at face value were either ignored or shouted down. Blanket denials by the FBI were met with retorts of "we know they're lying!". News outlets -- many the very same covering the PRISM story -- repeated uncritically the accusations of the FBI harvesting Apple user data.
Do you all remember what the actual outcome of that story was? Spoiler alert: the allegations were grade-A bullshit. The only part that was true was that it involved (old) data lifted from a hack (against an app developer). Everything else was bogus self-aggrandizing, and the Internet loudmouths played right into it. Why? Because it confirmed people's existing fears.
The sad reality is that everything that has hit the news about this PRISM story -- and the Verizon story -- has actually shed very little light on anything. We have a source with unknown credibility providing incomplete and possibly even misunderstood information colliding with large corporate and government interests. Maybe everyone is lying. Maybe nobody is.
The only thing that is certain is that people unquestionably believe claims that confirm their existing beliefs.
You know, there's a conspiracy theory angle here.
A tactic I have observed for dealing with awkward leaks is to allow the speculation about the unknown aspects of the leak ramp up to extreme levels, then rebut the more ridiculous theories without addressing the sensible ones. Joe average reads the rebuttal, feels let down that the story wasn't quite as inflammatory as the hype had led him to believe, and moves on.
This PRISM business (of which there had been no hint before) is a massive one-up on the seriousness of the Verizon scandal, and its timing in relation to it is deeply suspicious. It wouldn't be too difficult for someone in the intelligence services to make a pithy PowerPoint presentation about how the NSA slurps data from all and sundry (what was it supposed to be for again? "Training"?) and fake a leak to a few newspapers.
I predict that this story will turn out to be a complete wash, and in the meantime everyone will have forgotten about the not-as-sexy but much-more-true Verizon leak.
Either way, if Google has troves of info of everything you do online, NSA will get it. One way or another, front door, back door, indirect access and whatnot.