Another Schneier Interview

Basically, the average user is screwed. You can’t say “Don’t use Google”—that’s a useless piece of advice. Or “Don’t use Facebook,” because then you don’t talk to your friends, you don’t get invited to parties, you don’t get . . .

Gee, Bruce, I got rid of my Facebook account months ago — before the Snowden revelations, even — and I still manage to talk to my friends, I still get invited to parties, and . . . well, I won’t comment about your third point.

I used to have a Google account, but I canceled that too. (I still use Google’s search engine.)

Martin • September 27, 2013 4:10 PM

Nice use of analogy. Sex & death in the same interview.

nice • September 27, 2013 6:43 PM

Great interview. You’re right that the average person is completely screwed, and that political change is the only thing that will stop this totalitarian police state in its tracks.

…My fear is that the people at the NSA who now have this enormous power over everyone else, are never going to give it up willingly. The massive store of data they have accumulated should be utterly destroyed, and all of the people involved in subverting the Constitution and the very rule of law in the U.S. should be put on trial. That is probably not going to happen until after a bloody civil war, and there’s no guarantee they will lose that war either.

Ben Richards • September 27, 2013 8:24 PM

I must disagree on giving up Google. The average user can easily switch to DuckDuckGo or StartPage.

name.withheld.for.obvious.reasons • September 27, 2013 9:49 PM

It was interesting to watch a field test for a millimeter RF gun mounted on a truck, the beam was pointed at a crowd and they dispersed. The water molecules on the epidermis vibrated enough to produce a burning sensation (and in a way it is a burn, though not much is understood about color change or and virtual particle interactions on the physiology). My immediate reaction as a target would be to grab the lid of an aluminum trash can and reflect the beam back to the source.

I imagine if it can be done in meat space, I am sure it can be done in other spaces.

P.E. • September 27, 2013 11:49 PM

Actually Google is (because of their main revenue source being advertizements) more dependent on a steady stream of users.

Anyway these revelations about the NSA fiddling with the standards must make it difficult for them to pass any crazyness as a standard in the future?

Unless USA starts silently giving ultimatums to corporations (after all most large US-based corporations are quite keen on government contracts) to accept them.

Rolf Weber • September 28, 2013 1:05 AM

Bruce, what do you mean with “We are seeing the NSA collecting data from all of the cloud providers we use: Google and Facebook and Apple and Yahoo, etc.”?
It is no suprise that the companies can be compelled to hand over individual user data.
Or did you buy Snowden’s “direct access” lie?

Gweihir • September 28, 2013 2:01 AM

Like the interview! Your statements have become very clear and polished.

@Rolf Weber: You seem to have missed the targeted taps and the SSL breaking. Also, how come you “know” that Snowden die lie? Sounds more like wishful thinking to me. Just keep in mind that direct access does not have to be official or even known to most of the company, and in particular management may not know. They are building police-state infrastructure, remember? That includes removing any and all control instances and that certainly includes keeping upper management of a target in the dark if they might object.

Cointelpro • September 28, 2013 2:59 AM

@Rolf Weber: “Or did you buy Snowden’s “direct access” lie?”

This sentence uses rules #9 (according to Gweihir) and #18 of disinformation.

Let’s see if rule #6 is also to be used.

Quoting http://cryptome.org/2012/07/gent-forum-spies.htm :

Hit and Run. In any public forum, make a brief attack of your opponent or the opponent position and then scamper off before an answer can be fielded, or simply ignore any answer. This works extremely well in Internet and letters-to-the-editor environments where a steady stream of new identities can be called upon without having to explain criticism, reasoning — simply make an accusation or other attack, never discussing issues, and never answering any subsequent response, for that would dignify the opponent’s viewpoint.
Play Dumb. No matter what evidence or logical argument is offered, avoid discussing issues except with denials they have any credibility, make any sense, provide any proof, contain or make a point, have logic, or support a conclusion. Mix well for maximum effect.
Emotionalize, Antagonize, and Goad Opponents. If you can’t do anything else, chide and taunt your opponents and draw them into emotional responses which will tend to make them look foolish and overly motivated, and generally render their material somewhat less coherent. Not only will you avoid discussing the issues in the first instance, but even if their emotional response addresses the issue, you can further avoid the issues by then focusing on how ‘sensitive they are to criticism.’

Rolf Weber • September 28, 2013 3:52 AM

Gweihir, the SSL attacks even disproof the “direct access” claim.

It’s not my intention to sound attacking. But I confess I’m frustrated to see how many people still believe in the “direct access” claim.
Why I think it is a lie, I outlined in detail here:
https://plus.google.com/108398551666706493267/posts/2yYL2gQk3Z4

I’m open to any factual discussion.

Gweihir • September 28, 2013 4:46 AM

@Rolf Weber:
The SSL attacks disprove exactly nothing, that is simplistic thinking. All good engineering believes in redundancy, and so does all competent and experienced military leadership. If you want a sustained capability, you will have the next way to get it operational while the first one still works and you will be working on additional ones while these two are still good. Never, ever put all your eggs in on basket on something you need. Anything else is utterly incompetent and ignoring reality and history.

You may be confusing the NSA with a commercial enterprise that is trying to save money where possible, so its bosses can line their pockets. That is not what the NSA is, it is very, very different and has very, very different objectives. It most certainly will attack on all fronts it can reasonably succeed on simultaneously and it will most definitely expect to lose some specific attack vectors and be prepared for that.

As you your “argument” in you reference: You have exactly nothing. You have absence of solid proof, but that is only a valid argument for a “only things solidly proven can be true” mind-set that borders on severe mental dysfunctionality.

Item 2, I have commented on above.

As to your Item 3, why do you assume “the company” actually knows? There is no reason to make that assumption. Companies have employees with clearances that must do things for the government they are not allowed to communicate to their own companies or their bosses. These people have split loyalties, or rather in fact their primary loyalty it to the government by contract and oath. (I just recently talked to a nice lady in this role and she confirmed it for me. She is an auditor though, so she is allowed to talk about her role, just not any secrets it involves.)

Item 4: Again, Item 3 applies. And who says “the companies” even have to cooperate for that access? There are numerous possibilities to get that access without cooperation if you are a very well funded TLA. There are numerous possibilities where cooperation of some individuals is enough. For example to get full access to NSA stuff, all that was needed was to just convince/coerce one Edward Snowden, no cooperation from the NSA required. Also remember all the technological sabotage the NSA is involved in.

Item 5: Irrelevant, also see above.

Item 6: First, would the technical staff even know? Would they tell at the risk to get sent to prison? Remember, this is a business secret as well, sentences and loss of ability to ever work in the industry again threaten without a NSL already. And second, there are such stories. Remember Lavabit, and what the experts at Silent Circle think?

In sum, you have nothing or rather less than nothing. You call somebody a liar on nothing, when what he said is plausible, feasible and consistent with the known facts.

What is your agenda here?

Rolf Weber • September 28, 2013 10:22 AM

@Gweihir
There is not only “absence of solid proof”, there is no proof at all. Or what proof could you offer?
The only evidence is Snowden’s claim.

And of course the existence of MITM attacks is good disproof. It makes no sense at all that an analysts, who wants to tap a target, launches a MITM attack when he could get the same information (and more) with just a query. This could only be true if the NSA would be absolutely clueless — the leaked documents however show that the NSA works surprisingly smart.

You mean there could be a “direct access” without all of the companies knowing about it? Besides I think this is a bold conspiracy theorie, it doesn’t matter here:
It was Snowden who claimed that the companies are providing the “direct access” knowingly: “And they give the NSA direct access so that they don’t need to oversee so they can’t be held liable for it.”
Snowden’s words.

Regarding Silent Circle, they closed for no comprehensable reason. They weren’t even approached by any agency.
And Lavabit most likely received a search warrant with the order to help to tap Snowden’s password. The owner rather closed than to comply with this. This is a completely other story.
Neither Silent Circle nor Lavabit can serve as an evidence for a “direct access”.

Filby • September 28, 2013 12:50 PM

@Rolf Weber

You document lists the following as “proof” as to why (according to you) direct access is not likely to exist:

The slide states “Dates When PRISM Collection Began For Each Provider”. The Washington Post however writes “Participating Providers” and “This slide shows when each company joined the program”. These are obviously different statements. There is no “participating” or “joined” in the slide!

Here your issue is with the choice of words used by Washington Post in reference to a pictured slide. The fact that the particular slide does not show the words “participating” or “joined” does not mean much when the newspapers had access to many more slides than what they show in their articles.

Further down you write:
i) A unit can be a device or a department, but unfortunately the Post chose the wrong one. Or does the Post think an FBI department is working in rented offices on the premises of Google?

Again, it could well be that there exists a department that has the responsibility of managing the direct access “interface” or “device”. So depending on the point of view, both can be correct. The department does not have to be physically present at Google – after all we are talking about networked surveillance here.

2. Why should the NSA deploy man-in-the-middle attacks when there already is a “direct access”?

Firstly it is a bit ridiculous to think that a department of US military only uses a single means to reach their goal when those goals can be multi-pronged. Just like any other part of the military they would use a multi-pronged approach because different approaches are needed in different situations. For example:

A. The direct access is well suited for retrieving email and other postings in bulk. This can be processed in bulk and thus does not need to be given individual attention.

B. Man-in-the-middle (MITM) attacks are not useful for mass targeting except in cases where you e.g. want to install malware on multiple machines.

An example scenario where MITM is useful: NSA has, through bulk profiling of retrieved G-Mail emails found a person of interest and they want more details on him. Through the information from Google they found out that he has logged in through an internet cafe in Indonesia. Since the target does thus not use (or even maybe have) his own computer (and may use many different computers at the cafe) NSA sets up to intercept the logins through fake certificates and MITM. When the person next logs to his Google account, the MITM can be used to provide a direct access to the specific computer he is using at that instance.

3. The companies denied it

Obviously Google has been one of the laudest in denying direct access, typically in words such as “we do not give anything to the government” (they do not have to) or “government has no login to our systems” (again, they do not necessarily have to). But then again Googles business model is different from the traditional IT companies such as Microsoft, IBM, HP, and others. Google’s main revenue source is advertizements (they have sometimes been referred to as world’s largest advertizing company) and this revenue depends on a steady stream of users.

Google, and also FB, are far more dependent (than traditional IT companies like HP, Oracle, etc) on a steady flow of profilable users that use their web-based services. This has a direct bearing on their revenue, their bottom line. For example, Microsoft users are far less likely to abandon Microsoft because it would require getting running some other OS on their computers. So this surveillance thing is in that sense far more potentially damaging on Google.

4. There is no reason for the companies to cooperate voluntarily
This you would know only if you are close friends with the Google board of directors. Whether there is a reason or not depends on what the company aims are, and your paper provides no proof of this either way. You can find information from Wikileaks to see how deeply Google is in bed with the US government.

5. There is no legal base to compel the companies to cooperate
This seems to indicate that you do not know much about US law (not just the Patriot act) or US corporations (such as Google that also do like to get those lucrative defense department contracts).

Here you write that:
…but I can see none to hand over (or provide access to) all user data. If you disagree, just show me. I cannot prove something that simply does not exist.

Your inability to prove what you are writing does not seem to stop you from believing into it. The information that shows that they are providing bulk access to data has already been provided.

6. There is no confirmation from technical staff of the companies

About 100K people in USA have a top secret clearance, but for some reason these are not freely and openly dislosing stuff about the government. During WW2 thousands of people worked in the Manhattan project and yet that was kept secret. Why do you think all these people would keep their mouts shut?

The fact is that those who have been informed about the surveillance are typically also under notice that it is a crime to disclose such information. It would be counted as disclosing government secret and would lead to incarcenation.

Actually I would never go to this sort of lengths of defending a company like Google against accusations, unless it had something to do with my own income.

Bottom line is that your document merely states opinions as to why (according to you) direct access is not likely to exist; it does not provide any actual proof that such access does not exist.

Are you able to prove that direct access does not exist?

Avaya • September 28, 2013 12:57 PM

@Filby
“Actually I would never go to this sort of lengths of defending a company like Google against accusations, unless it had something to do with my own income.”

I guess you are saying that about Rolf Webers document? It does seem very Google specific.

Rolf Weber • September 28, 2013 4:40 PM

Filby, I think I will answer to your post tomorrow. It’s late now in Germany. For now just this:

I cannot prove that direct access does not exist. I couldn’t even prove it if I both were a Google manager and technician. Just like you cannot prove that you are no child molester.
This is why those who claim something have the burden of proof. Snowden claimed it, but failed to prove it so far. This is why I call him a liar.

I have no relationship with Google. I’m not an anonym person, so you can check by your own. Google is just the best example for the absurdity of the “direct access” claim. If only Microsoft was accused, maybe I wouldn’t have wondered …

Figureitout • September 28, 2013 7:18 PM

Just like you cannot prove that you are no child molester.
Rolf Weber
–What? Maybe you’re German and something got lost in translation? Kind of a stupid analogy if you’re trying to make a point…Plus what is your definition of “direct access”? B/c if you have an army of agents whose sole job is to infiltrate and collect information, surveillance is easy; doing it w/o being detected is hard.

Gweihir • September 28, 2013 7:58 PM

@Rolf Weber:

If you call somebody a liar because he states something that he knows but cannot proof, you have a severe mental issue.

That is not how reality works. In fact, that is not even how theory works or how the concept of “lying” is defined. There is a world of difference between an unsubstantiated statement and a “lie”.

But by all means, live on in your fantasy world. Just do not expect anybody to take you seriously.

Filby • September 28, 2013 8:21 PM

@Rolf Weber:

Well maybe I reserved that analogy about being a child molester. I mean after all my long reply to you could be viewed as being a bit unkind(?). If that is how you view it, I apologize to you.

I do want to point out however a few things:

1) Snowden did not just come out with a verbal claim that Google provided direct access. He provided an amount of documentation regarding this. The authenticity of that documentation has been assessed by, among other people, Bruce Schneier.

2) Snowden also did he make that claim while hiding in the shadows as an anonymous person. He provided the documents at a great personal cost to himself. What did he gain out of it? It seems like he did not gain much of anything (unless perhaps he always wanted to live in Russia…with all respect to Russians I personally would have preferred staying in Hawaii).

3) Direct access to Google was not even the main point discussed in those documents (it was just one of many different issues).

So in summary I think the documents speak for themselves. Surely you can choose not to believe them (the US and German secret services* will likely love you for that). But with this in mind I think it is also unfair of you to call Snowden a liar – all he did was to bring to public attention information that the government had kept secret. In this sense he is more of a messenger of the information in those documents.

Why attack the messenger?

(I probably shouldn’t say this but…I think emotional aggression is often more commonly received from those who have something to lose.)

Rolf Weber • September 29, 2013 6:18 AM

Filby, with my analogy I did in no way intend any offending. Maybe it’s related with my poor english. My analogy only was to emphasize my argument: I, or Google, cannot prove the “direct access” wrong. You cannot prove absence of something. Just as if someone accussed you of being a child molester. You could not prove this claim wrong. This is why those who claim something have the burden of proof.

Which documentation do you mean, that Snowden provided? The PRISM slides do NOT prove the claimed direct access. If there is proof under the yet not published documents, then it should be published. I saw how the PRISM slides were heavily misinterpreted, so I don’t believe in any proof before I didn’t see it with my own eyes.

I don’t disagree with your second point. I welcome whistleblowers, and I admire Snowden for his courage. But I also have to realize that he lied in parts.

I don’t agree with your third point. Most of the other revelations were about things we all already knew, there was only no proof. But I knew before Snowden’s revelations that a spy agency spies.
The “direct access” story however was something that nobody anticipated (maybe besides a few conspiracy theorists). So this would be a really big story.

Maybe the secret services will love me for my words, but I doubt they even read it. 😉
I don’t care. I have my opinion, I don’t care if someone likes it or not. Maybe the agencies do not like when I say that I condemn them for weakining cryptographic standards and destroying trust in NIST. But this is not what we are discussing here.

To your first post:

The first point I already answered: If there is more evidence, then it belongs published. As soon as possible. It is often said that there is no more trust left. I think Schneier said it too. So please act accordingly.

Your second point: You mean there is both a department called “DITU” and a device called “DITU”? Of course I cannot rule this out for 100%, but then at least the Post should have clarified this. They did not, not until today. And that the Post obviously confused a device with a department, this is not a new argument of mine, it was mentioned soon after the report was published, see for example:
http://www.technovia.co.uk/2013/07/something-doesnt-add-up-in-the-lastest-washington-post-prism-story.html

Your third point: This is the best argumentation why Google or Facebook would never ever provide the government with a “direct access”.

Your fourth point: Of course I don’t know anyone of Google’s management. I just try to think logically. And again, I cannot imagine there is anything the government could give Google, a thing that is so precious that they would jeopardize their existence for it.
What exactly do you think could this be? Lucrative defense department contracts, which you mentioned later?
You said it by your own: Google makes at least 90% of their money out of advertising. Maybe Google gets lucrative defense department contracts, but this are no more than peanuts.
And, as I said in my document: Why should Google deny the “direct access”, when they know there is a “direct access” and there is a Snowden who has most likely clear proof? What sense would that make?

To your fifth point, of course I’m not very familar with U.S. law, this is why I asked: Show me the exact legal base! Could you please quote?
The example you provided does not help much. I don’t know much about U.S. law, but I know that metadata is not covered by privacy. But the content is covered.

To your sixth point, I highly doubt you could establish a “direct access” with only a handful of peole knowing about it. I doubt you could hide it from regular Google technicians, people without any relationship with the government. It wouldn’t be a crime for this people to blow the whistle — of course they would jeopardize their job, but we would only need one of a hundred …

Filby • September 29, 2013 7:48 AM

@Rolf Weber.

Your english is good enough for you to write and read more carefully, but as it is I think your word choices simply display your emotional state.

The fact stands that the current arguments in your document does not disprove much of anything in the Snowden documents. You need to work on your arguments and you need to especially work on your research. Most of the information that you are saying should be provided by others, you can find on your own.

Anyway as to your latest posting, here is my reply.

Which documentation do you mean, that Snowden provided? The PRISM slides do NOT prove the claimed direct access.

As I wrote, “Snowden did not just come out with a verbal claim that Google provided direct access. He provided an amount of documentation regarding this. The authenticity of that documentation has been assessed by, among other people, Bruce Schneier.” I am sure this has been available to you so why do you have to ask? You can search Bruce’s earlier postings or look at the subset of documentation discussed in these articles:

Washington Post:
NSA slides explain the PRISM data-collection program

The Guardian:
NSA Prism program taps in to user data of Apple, Google and others

Above articles do not just say “Snowden said [something]”; they refer to the documents. Even if he had verbally claimed something, why call him a liar when you admit that you cannot prove him wrong? Unless you have some emotional attachment to protect Google or something.

It should be needless to say, this is not about my inability to prove something. I do not need to prove you anything, even if I take Snowden’s side on this.

…and I admire Snowden for his courage. But I also have to realize that he lied in parts.
No problem. We just use your standard and since you are making that claim, the burden of proof is on you. Prove that he lied if but note that you will have to prove the documentation invalid.

Most of the other revelations were about things we all already knew, there was only no proof. But I knew before Snowden’s revelations that a spy agency spies.
That is a rather clueless statement. Most people were not aware that the spy agencies, especially the US-based NSA, was spying on their own citizens in massive, on-going, surveillance and profiling operations. Traditional spying involved one country spying on the most important people, industries, or military of their adversaries.

Your third point: This is the best argumentation why Google or Facebook would never ever provide the government with a “direct access”.

Actually the third point only proves why they would never admit to providing direct access.

Your fourth point:…Lucrative defense department contracts, which you mentioned later?
You said it by your own: Google makes at least 90% of their money out of advertising.
I did not write that Google makes at least 90% of their money out of advertizing. I wrote that their “main revenue source is advertizements”. This does not have to be 90% (it can be e.g. 55%) but it is the root of their business model.

As Julian Assange writes in Op-ed: Google and the NSA: Who’s holding the ‘shit-bag’ now?:
Google started out as part of Californian graduate student culture around San Francisco’s Bay Area. But as Google grew it encountered the big bad world. It encountered barriers to its expansion in the form of complex political networks and foreign regulations. So it started doing what big bad American companies do, from Coca Cola to Northrop Grumman. It started leaning heavily on the State Department for support, and by doing so it entered into the Washington DC system. A recently released statistic shows that Google now spends even more money than Lockheed Martin on paid lobbyists in Washington.

You write that:
And, as I said in my document: Why should Google deny the “direct access”, when they know there is a “direct access” and there is a Snowden who has most likely clear proof?

As Marissa Mayer, the CEO of Yahoo, recently said, if you have been informed of government surveillance, “Releasing classified information is treason and you are incarcerated”

To your fifth point, of course I’m not very familar with U.S. law, this is why I asked: Show me the exact legal base! Could you please quote?
By now you know enough about it to find it out on your own. Do your research and base your arguments on that and not just on your own opinions. The legality has been discussed here at Schneiers as well.

To your sixth point, I highly doubt you could establish a “direct access” with only a handful of peole knowing about it. I doubt you could hide it from regular Google technicians, people without any relationship with the government. It wouldn’t be a crime for this people to blow the whistle
You can see from the Mark Klein case with AT & T that it is fully possible to establish direct access with very few people knowing. Yes it would not have to be exactly the same way with Google, but it would not be all that different either.

And yes most people know that it is not a crime to blow the whistle, but doing so typically has consequences on a persons life (this is clear to most people without explanation). Considering also that the surveillance can be done without many people knowing, and revealing it can lead even to jail time (as I already wrote before), the amount of willing whistleblowers is likely further reduced.

Looking at the level of your arguments I think there is a risk this will degrade to just a shouting match. That would only distract from the larger issues presented in Snowden’s documentation and would not contribute to anything here at Schneiers. To avoid that this is my last posting here.

Rolf Weber • September 29, 2013 10:14 AM

I ask for prove and you answer I should look for. So no reason for me to extend this discussion either. It’s still fact that the only “proof” for the “direct access” is Snowden’s claim.

You cannot compare with AT&T. A mirror port or an intercept is completely different from access to backend servers. All you other points I already covered.

Dirk Praet • September 29, 2013 6:59 PM

@ Rolf Weber, @ Gweihir, @ Filby

Why I think it is a lie, I outlined in detail here:
https://plus.google.com/108398551666706493267/posts/2yYL2gQk3Z4

Rolf,

I believe yours is an honest attempt to question the in your eyes insufficiently substantiated belief that the NSA has “direct access” to the companies involved in the PRISM program.

ol>

From the PRISM-slides, all we know is that there is a type of “collection directly from servers” going on. It doesn’t say how this happens, or whether it implies mass collection or specific requests. It is not unreasonable to want some kind of proof for Snowden’s claims in this matter, but this may be a tad more difficult than it looks. Although it cannot be precluded that Snowden has other documents that go into more detail about how this is accomplished, sources and methods are usually at a higher classification level than overall program descriptions. He may or may not have had access to those. If he had, Greenwald and other reporters who have acquired them may not wish to publish them as this would put them on very shaky legal ground.

Although the freedom of the press is guaranteed by the First Amendment, journalists revealing operational details of military secrets may still leave themselves open to prosecution under the Espionage or Sedition Acts. That’s a faith that undoubtedly awaits Julian Assange if ever he is extradited to the US.

As correctly argued by @ Filby, there is no reason why a spy agency would limit itself to only one way of snooping. As the PRISM-slides show, they are doing upstream collection too, directly tapping into the backbones. Redundancy is key in any operation, and multiple methods make for multiple attack vectors suitable for specific purposes.

Examination of the statements made by several of the companies involved show these to be very carefully crafted word games that from a legal perspective can be defended as true – and complying with any pertaining gag order – while in essence completely deceiving the reader. Just like those of the NSA itself and as pointed out by the EFF. This was discussed earlier on this blog a while ago. As to the likes of AT&T and Verizon, they never even bothered to deny it.

With the exception of NSA front-ends and corporations who have made surveillance their business (Palantir, HBGary, Gamma International etc.), it stands to reason that the average company is not too keen on giving the government any sort of access to its infrastructure and user base. But coercion comes in many forms. Non-compliance can cost you big, fat government contracts and make you eligible for some unwelcome IRS scrutiny or other actions by the DoJ. That’s what former Qwest CEO Joseph Nacchio alledgedly found out the hard way when refusing to cooperate with the NSA in 2001.

Contrary to your statement, there is sufficient legal basis to force companies to cooperate. A simple warrant will do to obtain business and other records relating to a single person. But under the Patriot/PATRIOT Improvement and Reauthorization Act Section 505 government agencies like the FBI, CIA, DHS, NSA and even the Pentagon can issue National Security Letters (NSL) to make any company comply with much more intrusive requests. FISA/FAA Section 702 offers similar possibilities. Both are typically accompanied by a gag order that prevents a company from telling anything about it. Violating a gag order received from the FISC not only constitutes contempt of court, but can carry serious fines and jail time if the DoJ chooses to pursue the matter.

Both FISC orders and NSL’s can be appealed, and we know that at least Yahoo tried to (and failed). We also know that several PRISM associates like Google and Facebook have filed suit against the USG so they can be allowed to more openly talk about how they are cooperating. Basis for their case is that the gag orders infringe on their right of free speech under the First Amendment, a position that has been upheld before by lower courts.

Knowledge about government interference/surveillance in any form will typically be restricted to a very small circle of insiders within a targeted company, both at the management and the engineering level, and both under very strict NDA’s (non-disclosure agreement). Those with operational knowledge of these systems may be outsiders or folks holding specific security clearances that equally come with NDA’s.

When a company has significant dealings with a DoD entity, a typical setup is that it has a designated liaison officer who is coordinating any and all activity between the company and that entity, and is working out of an on-site secured office/other facility with secured communications, off limits to any other staff, except those with the right security clearances. Infrastructure-wise, any equipment and other resources required for their operations will equally be shielded from the rest of the company, with anybody asking questions being told that defense related company contracts and activities are need-to-know only, and as per company policy strictly barred from divulgence or debate. That’s how it was at several companies I used to work for.

Remember this: not everybody is a Snowden and willing to forsake his career and his life for violating an NDA and revealing “national security” related secrets. The Obama administration with its Insider Threat program and persecution under the Espionage Act of an unprecedented number of people has made it very clear that it is not in one’s best interest to leak sensitive information.

In conclusion, I’d say that although today we don’t know how exactly the NSA is data-mining its PRISM associates – and for the reasons I quoted under 1. – it is pretty safe to assume that they are, and under the authorities granted to them under the provisions explained in 5. . Nobody except those involved in the PRISM program knows if “collection directly from servers” indeed equals “direct access”, but calling it a lie in my opinion is not the appropriate term since neither of us can adequately prove Snowden’s claim to be either true or false.

One last remark is that with the exception of 2., most of your other arguments have been discussed in previous threads on this blog, and I believe the courteous thing to do would indeed be to do some on-topic research before posting your thesis. After all, that’s what you would do for any academic paper or press article too, and it does explain some of the animosity towards your post.

Dr Who • September 29, 2013 8:42 PM

@Dirk Praet
We also know that several PRISM associates like Google and Facebook have filed suit against the USG so they can be allowed to more openly talk about how they are cooperating.

Here I am wondering, if it is possible…considering lawsuits in USA…that Google or Facebook could be sued if they admitted that they have helped the government? Or is that less likely since they were only doing what they were told?

What I am thinking is perhaps they want openness so that they can incorporate that in their privacy policy (and thus make it the end users problem). Of course this is a rather cynic way of looking at those two companies.

And besides why wouldn’t for example Microsoft face the same problem?

Anon • September 29, 2013 10:15 PM

Snowden, allegedly has as many as 58k classified documents. If that’s true, then why hasn’t he or the Guardian released them? Is it just for commercial reasons to get as much “mileage” out of the story as possible or maybe to save some of the shocking revelations for a series of book deals?

Gweihir • September 30, 2013 5:37 AM

@anon: You seem to assume commercial motivation. There is no reason to do so, it does not fit known data. If Snowden were financially motivated, he would have progressed in a completely different fashion. In particular, he would have searched for a buyer, not somebody that helps him publish the data.

Releasing the documents over time has several reason. Some may well be:
1. The documents need to be sighted sorted, evaluated, etc.
2. Releasing them at once gives you a few weeks of scandal then things die down. That is not going to help.
3. There are things in there that the Snowden and the Guardian do not want to release. These need to be found and identified.

There is however good reason to expect that others have sold or are selling similar data, as the NSA has no working internal data security in place.

Clive Robinson • September 30, 2013 5:39 AM

@ Anon,

First off as far as I can tell the 58,000 documents argument comes from documents submitted to a UK court by UK Gov representatives in sworn affadavets saying that they had been told 58,000 UK documents. As a result of detaining Mr Greenwald’s partner who was in transit through UK’s Heathrow Airport.

So points to note,

1, None of the witnesses were credible.
2, All they were doing was giving “hearsay” evidence that in now way could credibly be called “Opinion” so should have been “inadmissable” as evidence.
3, These witnesses In effect claimed that the documents were of UK Gov origin.
4, The US Gov has not (publicaly) admitted what documents were taken to their knowledge, and past behaviour indicates they probably don’t know.
5, We don’t know if Ed Snowden has handed over all, some or a few of his trove to the journalists.

As for the reluctance to release documents by the journalists, it’s a dangerous game. It’s not just the US Laws they have to worry about. The chances are the trove contains documents from atleast five and upwards of ten countries (US,UK,Canada,NZ,Aus,Germany,Sweden,Israel,France…). The US has a history of persecuting journalists and others when it comes to embarising let alone illegal or moraly questionable behaviour by US gov personel that gets published, despite supposed press fredoms. The UK has little in the way of laws to protect journalists and much that can harm them. Thirty years ago Maggie Thatcher was pushing prosecutions untill it was beyond public ridicule. And we know Israel has a habit of sending out death squads and disapearing their own citizens. France has likewise sent out killers to use weapons of mass destruction against foriegn nationals in forign ports for the crime of protesting peacfully.

People find it silly to think that the Wikileaks founder is holedup in an embasy in the UK, until they find out just how much UK Tax payer money is being spent on doing it. When you start looking at it that way you will realise just how unplesant the respective Governments are, they are “sending a message” “no money spared”. The only thing realy protecting the leakers and journalists is public opinion and the consiquences of the US Gov crossing the line either directly or by proxie that will have on public opinion. If the journalists release information where by the US Gov can hold up pictures of dead children etc and lay the blaim at the leakers/journalists doors then public opinion will swing in the US Gov favour and the lives and freedom of the leakers and journalists will come rather rapidly to an end.

You can make an almost certain bet that the next terrorist attack directly effecting US personel/citizens the US Gov will start briefings blaiming Ed Snowden and the journalists involved because the leaks caused the terrorists to change communications tactics etc etc.

Some of the journalists are well aware of the “think of the children” asspect of this and just how badly the US Gov wants such a thing, you only have to look at how the pictures of gasping children in Syria moved US public opinion against Assad to see this.

The question arises just how bright are Guardian journalists? If you think back a little Wikileaks had a massive AES encrypted file of all the Manning leaks posted all over the place. Then one of the journalists involved published a book with the “key” in it apparently describing just how difficult it was to use encryption. Was this dumb stupidity or a blaimless way to get the key out to stop other activities?

Rolf Weber • October 18, 2013 3:55 AM

@Veritas
No again, the “direct access” is not shown in the documents. You mean the PRISM slides, right? Where the press transformed “Dates When PRISM Collection Began For Each Provider” to “This slide shows when each company joined the program”, and the Post even confused “DITU”, which is actually an FBI department, with a device. It cannot be your serious that this slides prove anything.

And yes, Snowden is the only one (besides people like you, who blindly trust him) who claims it. I bet even Bruce Schneier will not clearly claim it. And the press doesn’t claim it, they only make carefully drafted suggestions. I think it is because they know there is no proof at all for this claim, and they could be successfully sued if they make a clear claim.

Regarding the “emotional” word lie, why so sensitiv? You are not so sensitive when calling others liars. Don’t understand me wrong, I don’t mind if you call government or NSA officials liars. But this is not very credible when you work with lies as well.
The “direct access” is a very disgracing claim towards Google & Co. If you claim something disgracing about others, and are unable to prove it, then you are a liar. It’s that simple.

@Dirk Praet

Interesting. You have just nullified several thousands of years of religious debate.

Interesting. If you intend to say that the “direct access” claim is comparable to religious belief, than I would hardly disagree.

I didn’t call eavesdropping a high risk attack. I called MITM high risk attacks. And such MITM attacks against gmail had been detected. It was reported on this site, as well as on others.

I don’t mind if someone buys my arguments or not. I just express my opinion, I comment when I oppose. And I will do this as long as the site owner tells me that my opposing comments are not welcome here. If you are annoyed by my comments, just ignore me. I will not change my identity.

@Wael
I’m not an anonym person here. I linked here to my Google+ Account. You can do as much investigations about me as you want, I don’t mind.

Rolf Weber • October 18, 2013 3:59 AM

Sorry, I posted the above on the wrong place.

name.withheld.for.obvious.reasons • October 18, 2013 5:49 AM

@ Dirk, et al; my apologies if I am out of line here…

@ Rolf Weber

I am required to preface my feedback to your threads and comments on this blog, this is an observation–not a criticism. Believe me, my critiques are more thorough and frank than a general blog conversation.

My advise to you is;

refrain from chastising others for behavior you are engaged in (your comment about Dirk’s statement regarding religion was a statement more hyperbolic in nature, your response seems a bit “emotional”). You were the one that took offense and issue with the statement while claiming some level of tolerance. I must say, this is the behavior (classic by the way) of what is called a “troll”.
If you are going to take others to task for the credibility for a source or the need to have your own form of evidence and facts, don’t make the same mistake by saying “MTIM attacks against gmail had been detected.” My emotional response would have been…”Where’s your evidence?” “You are not satisfying me with your opinions!”
The nature of a blog is two-fold;
- their is a culture, flavor, character, and topic that is the central focus of the blog
- There is a community (having its own normative behavior, customs, expectations, and experiences) that can be inclusive, exclusive, or ambiguous. Pick one.
Your statements seem to have an underlying tone that can be described as “a propensity to dismiss others and a elevated sense of your moral position.
To let you know, I prefer to remain obscure to the audience/participants/community for several reasons–so please, just because you have no problem with exposing yourself on this blog, please have the decency and respect for other people’s preferences and situations. If I didn’t know any better, I am guessing you are my ex-wife.

I must discontinue this feedback–my admission is that my feedback is within the societal norm of “constructive criticism”.

Veritas • October 18, 2013 11:39 AM

@Rolf Weber
Regarding the “emotional” word lie, why so sensitiv? You are not so sensitive when calling others liars.
I have not called you or anyone else here a liar so why claim that? Perhaps you need to learn to read? It is only you who have used that term here (together with insuniating that another commentor in an earlier thread – who did not agree with you – was a child molester). So you are one emotionally loaded person.

What’s the cause of your emotions, Rold? Empathy towards a profit-making enterprise like Google? Does it stem from some notion that corporations are people and thus you feel bad when Google is accused of something? Yet you do not mind calling actual people liars and what-ever-else.

And besides that, if you have real proof that some “evidence” was mispresented, by all means post it here…

Rolf Weber • October 18, 2013 2:40 PM

@name.withheld

Why do I behave like a troll? Because I argue that the “direct access” claim is wrong, or because I “emotionally” call it a lie?
If it is just my argumentation that should be “trollish”, then I cannot help. It is my opinion, I think I did explain it seriously, and my opinion will not change until someone provides clear proof for the “direct access” claim.

If it is the latter: I still think emotions can help in discussions. You can emphasize your point with emotions. And I still think the “direct access” claim was or is a lie, for the reasons I wrote. But I will not repeat the word “lie” here anymore. Maybe I rose emotions with this here, kind of emotions I didn’t intend.

Really?
https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html
You have to follow the links.
I thing the main nature of this blog is security. Security is where I stand.
I confess I’m not very paranoid about the agencies. For several reasons, I don’t want to elaborate. My enemies are criminals. With fighting the criminals, you fight government surveillance as well, so I still think I’m on the same side as you.
See 2., this kind of emotions were not intended by me. My point is that you should not blindly trust Snowden and the press.
I don’t mind if you or others chose to stay “obscure”. My comment was a follow-up to speculations I had affiliations with NSA or so.

@Veritas
Companies like Google are represented by real people. Disgracing Google means disgracing them.

All proof for the “direct access” claim was misrepresented. Show me a “proof” which was not misrepresented, in your opinion.

Wael • October 18, 2013 2:41 PM

@ Rolf Weber,

I’m not an anonym person here. I linked here to my Google+ Account. You can do as much investigations about me as you want, I don’t mind.

I don’t question that. Fortunately, I don’t have the curiosity or time to find out the real characters behind various posters on this blog, their Sockpuppets, or their Pantyhosepuppets (so we don’t leave out our cyber female populace ;))

ACruz • October 18, 2013 3:14 PM

As “Sceptical” said earlier, there could be some validity to Rolf Weber’s claims.

The problem is that, keeping in mind the wordplays etc, we do not know what is exactly meant with “direct access”.

So Rolf Weber could be correct. But he could also be wrong. After all Google may provide “direct access” but it is not what what it currently means to Rolf Weber.

Either way calling others liars if they support this idea of the not-yet-defined-direct-access is just ridiculous.

ACruz • October 18, 2013 3:29 PM

Just to clarify before this becomes further issues:

Direct Access does not have to be:
A direct link from NSA to a Google server hosting a persons inbox.

(Although, considering that Ed Snowden claimed that from NSA he could access any computer…then why could he not access the Google servers? Or if he cannot, should we question other things he said?)

For example, Direct Access could be:
Google likely has a backup process in place that backs up all emails to some data warehouses every so often. Direct access could be some mechanism that taps into this process. This does not have to be anything that requires cooperation by regular Google employees. Since the physical locations and network structures of Google are rather static, the Evil Government could have put in place some data copying mechanisms for that data.

Rolf Weber • October 18, 2013 10:41 PM

Just to clarify:

Snowden claimed there is an unrestricted “direct access”.
The PRISM slides don’t prove anything, no kind of “direct access” at all.
What I could imagine is an interface, over which Google hands over the data it was compelled to, and to which Google has full control of what can be accesses and what not.

Rolf Weber • October 20, 2013 2:05 PM

Thinking over it a little bit. I ask myself why Snowden claimed this “direct access”, a claim which is most obvious not true. I can imagine 3 explanations:

The first is, that he claimed it, fully knowing that it was not true, in order to get the most publicity. I confess I considered this to be the most likely explanation. But now I doubt. He had so many revelations, not just a one-trick pony. And why should he jeopardize his trustworthy, and thus his overall revelations, with a lie? This makes little sense.

The second explanation is that he was fooled by the PRISM slides, just like the Guardian and the Post. This may be.

But there is a third explanation: If you look at the PRISM slides, the process to demand user data from the providers looks very automated. And regarding Google & Co., they cannot refuse a FISC order, at least until it is not to broad, so most likely they automated the process on their side as well (I don’t think it is Google’s policy to hinder legal and isolated user data requests).
Snowden worked, according to himself, as an analyst. Maybe it was his experience, and that of his colleagues, that when he entered a query about a target, he got the results within a few hours — so maybe it really looked like a “direct access” for the analysts.

The crucial question remains: Is the “direct access” to isolated or bulk data?

search • October 22, 2013 10:42 AM

Thank you for every other informative web site. Where else may I get that kind of info written in such an ideal way? I’ve a mission that I’m simply now operating on, and I’ve been at the look out for such information.

Another Schneier Interview

Comments

Leave a comment Cancel reply