NSA Eavesdropping on Google and Yahoo Networks

The Washington Post reported that the NSA is eavesdropping on the Google and Yahoo private networks -- the code name for the program is MUSCULAR. I may write more about this later, but I have some initial comments:

  • It's a measure of how far off the rails the NSA has gone that it's taking its Cold War–era eavesdropping tactics -- surreptitiously eavesdropping on foreign networks -- and applying them to US corporations. It's skirting US law by targeting the portion of these corporate networks outside the US. It's the same sort of legal argument the NSA used to justify collecting address books and buddy lists worldwide.

  • Although the Washington Post article specifically talks about Google and Yahoo, you have to assume that all the other major -- and many of the minor -- cloud services are compromised this same way. That means Microsoft, Apple, Facebook, Twitter, MySpace, Badoo, Dropbox, and on and on and on.

  • It is well worth re-reading all the government denials about bulk collection and direct access after PRISM was exposed. It seems that it's impossible to get the truth out of the NSA. Its carefully worded denials always seem to hide what's really going on.

  • In light of this, PRISM is really just insurance: a way for the NSA to get legal cover for information it already has. My guess is that the NSA collects the vast majority of its data surreptitiously, using programs such as these. Then, when it has to share the information with the FBI or other organizations, it gets it again through a more public program like PRISM.

  • What this really shows is how robust the surveillance state is, and how hard it will be to craft laws reining in the NSA. All the bills being discussed so far only address portions of the problem: specific programs or specific legal justifications. But the NSA's surveillance infrastructure is much more robust than that. It has many ways into our data, and all sorts of tricks to get around the law. Note this quote from yesterday's story:

    John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it is obvious why the agency would prefer to avoid restrictions where it can.

    "Look, NSA has platoons of lawyers, and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole," he said. "It's fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA," the Foreign Intelligence Surveillance Act.

    No surprise, really. But it illustrates how difficult meaningful reform will be. I wrote this in September:

    It's time to start cleaning up this mess. We need a special prosecutor, one not tied to the military, the corporations complicit in these programs, or the current political leadership, whether Democrat or Republican. This prosecutor needs free rein to go through the NSA's files and discover the full extent of what the agency is doing, as well as enough technical staff who have the capability to understand it. He needs the power to subpoena government officials and take their sworn testimony. He needs the ability to bring criminal indictments where appropriate. And, of course, he needs the requisite security clearance to see it all.

    We also need something like South Africa's Truth and Reconciliation Commission, where both government and corporate employees can come forward and tell their stories about NSA eavesdropping without fear of reprisal.

    Without this, crafting reform legislation will be impossible.

  • Finally, we need more encryption on the Internet. We have made surveillance too cheap, not just for the NSA but for all nation-state adversaries. We need to make it expensive again.

EDITED TO ADD (11/1): We don't actually know if the NSA did this surreptitiously, or if it had assistance from another US corporation. Level 3 Communications provides the data links to Google, and its statement was sufficiently non-informative as to be suspicious:

In a statement, Level 3 said: "We comply with the laws in each country where we operate. In general, governments that seek assistance in law enforcement or security investigations prohibit disclosure of the assistance provided."

When I write that the NSA has destroyed the fabric of trust on the Internet, this is the kind of thing I mean. Google can no longer trust its bandwidth providers not to betray the company.

EDITED TO ADD (11/2): The NSA's denial is pretty lame. It feels as if it's hardly trying anymore.

We also know that Level 3 Communications already cooperates with the NSA, and has the codename of LITTLE:

The document identified for the first time which telecoms companies are working with GCHQ's "special source" team. It gives top secret codenames for each firm, with BT ("Remedy"), Verizon Business ("Dacron"), and Vodafone Cable ("Gerontic"). The other firms include Global Crossing ("Pinnage"), Level 3 ("Little"), Viatel ("Vitreous") and Interoute ("Streetcar").

Again, those code names should properly be in all caps.

EDITED TO ADD (11/5): More details on the program.

Posted on October 31, 2013 at 10:29 AM • 127 Comments

Comments

Jacob • October 31, 2013 11:01 AM

You will not be able to change the NSA ways without hitting the politicians and making it a campaign issue.
When you have someone like Mike Rogers (R-Michigan), not the sharpest pencil in the drawer saying the following

"If you don't know that your privacy has been violated, it is not"

See http://c-spanvideo.org/clip/4470916 (2:10 - 2:50)

Citizens need to act and tell them that there will be a price to pay at the ballots.

Brian M. • October 31, 2013 11:05 AM

The only way to "rein in" the NSA is to take a chainsaw to their budget.

The only way for an individual to keep their privacy is to keep one's own data on one's own device or network. It does no good to have an encrypted connection between you and your provider when the provider's back end is wide open.

The Register: Crypto protocols mostly crocked says euro infosec think-tank ENISA
The current protocols are mostly good, but of course some need to be revamped or retired.

The only technical solution to "fight back" against all agencies is, of course, for everything to be encrypted. But "everything" really does mean "everything," with no weak links in that chain. Here we see the weak links in the chain, that the unencrypted links between data centers are tapped. (Like, duh!!) If the NSA is doing it, then all agencies that can do it have already done so. I would expect that at some point, internal communication within the data center would also have to be encrypted. While a product may not ship with hidden port monitoring, I wouldn't put it past anybody that a router or switch could be surreptitiously modified by an advanced agency to provide that functionality.

And of course all this comes back to one thing: how much bang is the US public getting for their buck? Not much, not much at all.

Dimitris Andrakakis • October 31, 2013 11:06 AM

I think the only hope -if there is one- to make a meaningful reform is to keep it simple: reduce the vast amount of money going into the NSA.

I am pretty confident that nothing else will work. Laws designed to address specific systems, programs or tactics will just make NSA et al. shift tactics. A minor annoyance, if even that.

Dimitris Andrakakis • October 31, 2013 11:12 AM

@Brian M: "The only way for an individual to keep their privacy is to keep one's own data on one's own device or network."

While this of course is technically correct, it becomes harder and harder to actually implement that, even for good techies. Your iPhone phonebook? By default it's also backed up in iCloud. Your email? Even if you set up and host your own mail server, by definition it has to travel to reach you. And as soon as you want to share anything, which a lot of people do, it's gone.

Bryon • October 31, 2013 11:26 AM

Alexander and Clapper have to be made examples of or our future will make the Bush years look like "Happy Days". Those two who have lied to Congress, the US People and most of our closest allies ... after having their ranks stripped from them need to go directly to prison. No Oliver North kind of BS, no wrist-slaps... prison for a minimum of 30 years.

This is not only an affront to every American it is a gut shot to every US tech firm. Europeans and Brazilians are waaaaaay overdue to take their snub little diatribes to the market mat. Alexander and Clapper need to be put behind bars, quickly.

Nicholas Weaver • October 31, 2013 11:26 AM

Finally, since the Strategic Hypocrisy Reserve no longer exists, we can expect both adversaries (China, Russia) and "Allies" (France, Israel) to do the same thing.

c • October 31, 2013 11:27 AM

There will be more encryption of intra- and inter-datacenter traffic. It's all of you who will suffer, though - even with hardware acceleration it'll slow down our cloud services. And I can't say I trust the hardware accelerators anymore either.

Bruce... PFS suites are still THE way to go, right?

MikeA • October 31, 2013 11:29 AM

Reducing the NSA budget is not a magic bullet. Consider that when citizens refuse to pass local tax increases, it is not the mayor's children's PR firm that gets fired from doing "important city bulletins", it is the closure of libraries and fire stations. If you were running the NSA and had to trim staff, would you get rid of:

1) people doing illegal surveillance that could lead to useful blackmail material on powerful politicians
Or
2) people keeping track of mundane stuff like terrorists?
Or
3) people making sure that there are no "rogue operatives" doing (1)

Wael • October 31, 2013 11:31 AM

@ Jacob,

    If you don't know that your privacy has been violated, it is not

What a relief! I was puzzled for eons, until the "blunt pencil" graced us with his pearls of wisdom and answered the question of "unperceived existence"!

Christian • October 31, 2013 11:31 AM

Look at Forbes List of most powerful people.

Keith Alexander not being on the list is a big failure!
I would argue for putting him above Obama.

Scott • October 31, 2013 11:33 AM

@Dimitris Andrakakis

Yeah, email really needs to be replaced with something more secure (i.e. something not even readable by the servers), the problem is people have moved to prefer browser-based email services over email clients. Even things like PGP don't encrypt the metadata, allowing anyone watching the email servers to see who is communicating with who (even if there is encryption between client and server, server to server may still be unencrypted). Even if all traffic is encrypted, you can't trust the email servers themselves unless you and the person you are communicating with both run their own.

Email is actually the perfect candidate for an onion-routed protocol. With instant deliverability like Tor provides, you are still susceptible to timing attacks. Since, with email, you don't care about a few minutes of delay, you could make timing attacks much more difficult by having every hop queue messages and send at fixed intervals, e.g. once every 30 seconds (and preferably sending in a random order, not FIFO/LIFO). Your email server would then have messages in which only the recipient is known; subject, content, sender, etc., all decryptable only by the recipient.
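The fixed-interval, random-order hop described in the comment above, as an added sketch (not Scott's code). The class and function names and the arrival times are constructed for illustration; only the 30-second interval comes from the comment. It also reports how many messages share each release, which is the cover an individual message actually gets from batching.

```python
import random

INTERVAL = 30  # seconds between flushes, the figure used in the comment


class BatchingHop:
    """One relay hop that holds messages and releases them only on fixed ticks."""

    def __init__(self, rng=None):
        # SystemRandom so the release order is not predictable from a seed.
        self.rng = rng or random.SystemRandom()
        self.queue = []

    def receive(self, message):
        self.queue.append(message)

    def flush(self):
        """Release everything queued, in random order (neither FIFO nor LIFO)."""
        batch, self.queue = self.queue, []
        self.rng.shuffle(batch)
        return batch


def run_hop(arrivals, interval=INTERVAL, rng=None):
    """Feed (arrival_time, message) pairs through one hop.

    Returns [(release_time, [messages])], which is all an observer on the
    outbound link can see: a tick and an unordered batch.
    """
    arrivals = sorted(arrivals)
    if not arrivals:
        return []
    hop = BatchingHop(rng)
    last_tick = (int(arrivals[-1][0] // interval) + 1) * interval
    released, i = [], 0
    for tick in range(interval, last_tick + 1, interval):
        # Everything that arrived strictly before this tick joins the batch.
        while i < len(arrivals) and arrivals[i][0] < tick:
            hop.receive(arrivals[i][1])
            i += 1
        batch = hop.flush()
        if batch:
            released.append((tick, batch))
    return released


def anonymity_sets(released):
    """Map each message to the number of messages released on the same tick."""
    return {m: len(batch) for _, batch in released for m in batch}


# Constructed arrivals: three close together, then two isolated ones.
ARRIVALS = [(1.2, "a"), (7.9, "b"), (29.5, "c"), (31.0, "d"), (95.0, "e")]

if __name__ == "__main__":
    out = run_hop(ARRIVALS)
    for tick, batch in out:
        print(tick, batch)
    print(anonymity_sets(out))
```

Messages "d" and "e" each leave alone, so their departure tick still maps to a single arrival; batching only hides timing when the hop carries enough traffic per interval.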

Wael • October 31, 2013 11:37 AM

    If you don't know that your privacy has been violated, it is not

If you don't know that your money has been stolen from your account, It's not! If you don't know that your ___ has been ___, it's not. Nice template!

Steve Kalman • October 31, 2013 11:56 AM

We who rail against these abuses are comparing the loss of constitutional protections against the minimal security they provide and clearly see that the risk/reward ratio is unbalanced.

That's not how the bureaucrat does the analysis. If/when another terrorist strike occurs on our soil, the public will blame the President, Congress, the heads of the three letter agencies and the secretaries of Justice, State, Defense and Homeland-Security. (And the next tier or two down). Their best course of action is to collect and analyze everything, look for needles and the constitution be damned. If they find something, that's perfect because they can point to the success. If not, then they can say they did EVERYTHING they could, but the restraints placed on them were the cause of the omission. Their butts get protected. Risk (loss of protections) vs reward (keep job/avoid blame) is in perfect balance for them.

grisu • October 31, 2013 11:57 AM

To clean up the mess, one "special prosecutor" will not be sufficient. One person alone -- even regarding his probably great staff -- isn't able to get the right answers.

Everybody has something to hide, some secret. Naturally, the bureaucratic inertia will end up in self defending its structure, hiding its own secrets. So it will disintegrate or blackmail the prosecutor with the help of this secret.

Public hearings in front of commissions (built of many of those "special prosecutor"s) may be a way out of this.

After all there remains one question to be asked: For what reason does a modern, liberal and democratic society need secret agencies at all?

Wael • October 31, 2013 12:36 PM

Can't resist...

    When you have someone like Mike Rogers (R-Michigan), not the sharpest pencil in the drawer saying the following
    "If you don't know that your privacy has been violated, it is not"

From the abyss of dark a drawer
Came out a blunt pencil to holler
You ain't gonna get no privacy
Even if you complain laboriously
Get used to it, you piddly father-mocker

Nick P • October 31, 2013 12:59 PM

Three birds with one stone...

Scott pointed out webmail is preferred these days so a solution might need to be a web app. Browsers have become mini-OS's with a presentation layer, networking, identification and even execution of untrusted programs (JavaScript). That's a security headache for sure but there are still opportunities. Native Client is the most secure mainstream design. I've posted a few other secure web architectures here from academia that are superior to Native Client with low TCB & manageable complexity. They also allow safe execution of untrusted pages/code. (Last point is more for endpoint integrity than the email service itself.)

Web concept

What I'm saying is it's not ideal but we can work with it. The solution will be to extend the browsers with the few things they need like strong CRNG, crypto primitives, & user-control of which signed apps to trust. The Cryptocat author already worked out plenty of details on these things. The endpoint crypto will be vetted, open code that runs in the browser. Messages will be encapsulated PGP-style or in a more protocol neutral format. The fact that it's a web application means it doesn't have to use the email protocols at all except when messages leave the app's userbase to be sent to legacy email users. Zixcorp already solved that problem in their solution in a way that I think is worth copying.

Desktop concept

I'd say a trustworthy desktop solution should be offered at the same time because who trusts browsers. (Not moi!) Nexor's email solutions show us that using a local proxy in front of a regular mail client is a good tradeoff for legacy users. It intercepts the mail, performs certain security checks, & transparently applies the crypto. Does this for incoming & outgoing. Can leverage a guard. Interoperable with major mail client(s). Easy to configure. That [proven] approach would be a start for the desktop version. It will also be easier to secure the proxy application or guards than a full desktop client using methods like MAC, control flow integrity, typesafe languages, CompCert-style compilation, etc.

Economics is important

Another issue is that the most important drivers of the current insecure email situation are (1) need to support popular clients that use legacy protocols and (2) need to keep cost minimal. I just addressed (1). Point (2) is important as statements from the likes of Microsoft and Yahoo indicate they see email as a loss leader: it's more a financial drain than anything else. So, add all kinds of crypto operations & indirections and you get even more of a financial drain.

So, whatever strategy is taken, it must be able to interoperate with legacy systems when needed & must cost almost nothing to operate. That's harder than designing a secure communication system by itself, yeah? ;)

The US govt threat

If it's in the US, assume NSA or FBI will get it. Law requires it to be turned over. They will take your keys, servers, etc. They might even imprison you. Post-Snowden, any users of US centralized services should assume the companies will cooperate. A centralized design with a master key (a la Lavabit or Silent) essentially requires that you trust owners/operators will do prison time for you. Quite the security assumption! Anyone doing centralized web-enabled service in U.S. might as well go ahead and build in a way to do selective intercept on targeted customers so he or she doesn't have to give up the key to *all* customers to do monitoring of a few.

The best thing to do is to not run such a centralized service here in the United States or just use US servers as untrusted middlemen in a distributed scheme. The distributed version might take some clever design for web apps so I see a foreign hosted centralized option being the better interim solution for them. If avoiding US jurisdiction, then the people or entities running the systems must also not be citizens/controlled by America/allies and must be in a legal system with good connectivity + strong privacy/anti-spying protections. That's tricky to say the least.

Oh yeah: anonymity

And this is all just security: anonymity is a different beast altogether. Catch 22 with anonymity is few people will be using the secure, anonymous system meaning they can all be simultaneously observed by an NSA-like adversary. So, it probably won't work out in practice. A good design, though, would use proven components like mix remailer networks, transport layer encryption, and PGP-style endpoint encryption. All would be default settings with no opt out for users of the system. Endpoints would be airgapped, ancient/foreign hardware running strong, special purpose software.

Good luck getting a majority to do this. The anonymity components are consistently ignored by mainstream users & the abundance of old hardware on ebay shows people sell it more than buy it. I predict this won't change as it hasn't for 10+ years. So, the best goals for the next email system are confidentiality, integrity, authenticity, availability, optional legacy integration, decentralization, and low cost of operation. That solves most problems in almost everyone's threat model. Enough emails look like that, then I can be semi anonymous when I use people's open/WEP wifi with a long-range cantenna and laptop. ;) Err, then we can further improve the anonymity aspects of the scheme.

Nick P • October 31, 2013 1:17 PM

@ MikeA

+1 re budget cut being a bad idea. I've considered the option myself.

Cutting NSA's Budget Isn't Going to Work

If their budget is cut somehow, they'll immediately have three options right off the top of my head:

1. Focus their resources on best sources of data.

2. Find ways to divert money into their operations.

3. Blackmail Congress to give them the funding back.

Option 1 will almost certainly include leaked capabilities. Tapping backbone, key providers, hacking smartphones, etc. I think can be maintained for anywhere from millions to tens of millions. (Most of hard work was already done.) That means a 90% budget cut to this area of operations could still not guarantee wiping out the capability. If anything, a budget cut would just force them to be more targeted about their operation.

Option 2a is all in govt accounting. The Pentagon has had accounting problems measured in the trillions. Last time I looked into it the comptroller had narrowed it down to around $800 billion in unaccounted for transactions. The NSA's entire budget is barely a fraction of it, so it would seem to be easy to divert money in their direction if the Pentagon wanted to keep NSA's capabilities.

Option 2b is SAP funding. It's common for the military to develop high impact and high secrecy capabilities via SAP's. SAP's, especially USAP's, allow the government to put billions into programs while (a) keeping their existence/purpose secret and (b) legally lying to everyone from Congress to taxpayer about what they do (with exception of those that *have* to know). It was my thought that a number of these capabilities were probably developed under SAP's anyway. So, Congress could publicly cut funding to these areas, declassify evidence that they had, and then fund them under an SAP.

Option 3. I've previously mentioned the risk of giving a secret, legally untouchable agency both a military and massive digital spying infrastructure. Too easy for them to use their capabilities to do a coup of sorts. If Congress threatened them, they could turn on Congress and threaten to use their capabilities to expose their secrets. Or worse. Some people think it's already happening and would explain why many in Congress who you'd think would oppose them won't even try.

So, we have Option 1 making the strategy only marginally effective, Option 3 making Congress too scared to even try it, and Option 2a-b giving Congress a way to pretend to do it while leaving the NSA very powerful. Congress critters are strong in the area of looking out for their own personal interests. This means that they will either (1) leave NSA alone or (2) choose Option 2a-b if forced to act. Even if it's dismantled, the capabilities will likely be maintained under a USAP w/out Congress's knowledge so one day they can be redeployed under a new administration that's more pro-"security." That's why any reform targeting NSA must target the entire legal underpinning of our classification (and declassification) system. Else, they have legal options for funding, operating, & lying about it all.

Scott • October 31, 2013 1:19 PM

@Nick P

Personally, I don't expect anything to change overnight with regard to security of email, or the internet in general... Or even overdecade for that matter, but I personally feel that quick fixes on top of today's existing infrastructure are all we can do for now; BTNS IPSec, SSL as the default on as many websites as possible, SSL between MX servers, a campaign to teach people how to use PGP and Tor, secure email services where possible, etc. However, the long term goal should be to replace the infrastructure from the ground up with systems that have security, privacy, and anonymity in mind. Fully authenticated, end to end encryption of the internet protocol, email encrypted and decrypted by the clients with minimal metadata and optional onion routing. The problem is that convincing people to make major changes in the first place is hard; the response "That would take 20 years to implement" (e.g. end to end encryption of the internet protocol) is taken as a reason why we shouldn't do it, not as a reason why we need an interim solution (e.g. BTNS IPSec for now).

anonymous • October 31, 2013 2:14 PM

"The surveillance state is part of the state. Where surveillance is a priority — say, when political enemies are concerned — it’ll be ruthlessly efficient. The rest of the time, like when it involves protecting Americans from terrorists, it’s just another government job."

- Glenn Reynolds
April 27, 2013

instant.soi.green. • October 31, 2013 2:19 PM

Your government, democracy and security agency is weak. They are utterly reactive and have completely lost their guiding principles, their character ethics if you will. Everything they do is based on fear.

Is this the end of democracy? The outer limits of what that way of life can achieve?

If I was one of the "terrorists" (they are really no more than the useful idiots who accelerate the fate of the world) I would hit the central powers harder than ever at this point. It would make them even more reactive, it would test the system even harder, and drive it towards its extreme points.

If that was to happen, the public would initially embrace all the activities now revealed and applaud new measures. At that point I would hit again, even harder.

In one way the "terrorists" have already won.

Muddy Road • October 31, 2013 2:55 PM

Re: Reforming the Law

I briefly reviewed the "USA FREEDOM" bill which among other things supposedly provides:

"PRIVACY PROTECTIONS FOR BUSINESS RECORDS ORDERS"


But it doesn't at all.

It's so full of exceptions and loopholes already it's virtually meaningless. Indeed collection of meta data will be deemed entirely LAWFUL if collected under color of the act.

Folks we are on our own in this. We cannot count on the government or the corporations to make it right.

History clearly shows they will not.

Scott • October 31, 2013 3:09 PM

@Muddy Road

If we don't fix the problems with the government, privacy will be the least of our worries. Unfortunately, in most congressional elections you have two choices and both are backed by big money. In the Presidential elections, we usually have more choices, but we have convinced ourselves not to vote for a third party because they don't stand a chance; that's a self fulfilling prophecy, and that's exactly what has to change. It's easy to see what needs to be done, it's how to accomplish it that becomes the problem.

Somehow we need to convince enough people to stop voting for Democrats and Republicans entirely; of course, we would turn the system upside down when representatives and presidents start getting elected with an average of less than 30% of the popular vote, it's something that needs to happen before people realize how completely flawed our entire electoral system is; with a good electoral system, we can significantly weaken the power of the status quo, as well as the influence of money. With the current system, the status quo is only going to be further reinforced, and the influence of money is only going to get stronger (while the wants and needs of the people become less and less of a concern; and if they are, you can change that with a well-run propaganda campaign).

Zorro • October 31, 2013 3:31 PM

@Scott "Your email server would then have messages in which only the recipient is known; subject, content, sender, etc., all decryptable only by the recipient."

The recipient can also be masked to some extent by using a group ID instead of a specific ID for the recipient.

For example, the sender encrypts using the recipient's key, but sends to the group ID destination.

The recipient picks up all mail for the group that he is a member of, but can only decrypt his own messages.

Scott • October 31, 2013 3:49 PM

@Zorro

I am (or I was, until I got distracted) working on a scheme in which the sender and recipient are both completely unknown and all messages can be made completely public.

I'm calling it Confidential Offline Sequential Messaging (COSM). The idea is that each message has a unique identifier that can be computed by hashing a Diffie-Hellman shared secret and the previous message's MAC tag (or an agreed upon seed for the first message). An encryption and MAC key are then derived using the shared secret and the unique identifier to encrypt the message. Messages are fixed-length, and can be chained. This means that all messages are indistinguishable from completely random bits of equal length. It's not the most usable scheme and isn't intended to be a full email replacement as you can't send unsolicited messages (and doesn't cover exchanging keys, which can be done via public registries using chosen user-names), but it's about as private as you can get.

You actually don't need a service for it; I'm going to specify a base64 encoding format such that the first line is the message id (either 36 or 48 bytes per row, I haven't decided), so you could theoretically use google as your indexing service, and any-old-dead-blog that is indexed by google for storage.
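A minimal sketch of the identifier chain and per-message key derivation described in the comment above, added here as an illustration; it is not Scott's code or specification. The shared secret is a constructed stand-in for a Diffie-Hellman output, and the SHA-256 labels, the 256-byte message size, the seed and the HMAC-based keystream (a standard-library stand-in for a vetted cipher) are all assumptions.

```python
import hashlib
import hmac

MSG_LEN = 256   # assumed fixed plaintext size, so every blob has one length
TAG_LEN = 32    # HMAC-SHA256 tag


def _h(label, *parts):
    """SHA-256 with a domain label and length-prefixed inputs."""
    h = hashlib.sha256(label)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def message_id(shared, prev):
    """Identifier = H(shared secret, previous MAC tag or agreed seed)."""
    return _h(b"cosm-id", shared, prev)


def derive_keys(shared, msg_id):
    """Per-message encryption and MAC keys from the secret and the identifier."""
    return _h(b"cosm-enc", shared, msg_id), _h(b"cosm-mac", shared, msg_id)


def _keystream(key, n):
    # HMAC-SHA256 in counter mode; each key is used for exactly one message.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(shared, prev, plaintext):
    """Return (msg_id, blob, tag); the tag is `prev` for the next message."""
    if len(plaintext) > MSG_LEN - 2:
        raise ValueError("plaintext too long for one fixed-length message")
    padded = len(plaintext).to_bytes(2, "big") + plaintext
    padded += bytes(MSG_LEN - len(padded))          # zero-pad to fixed length
    mid = message_id(shared, prev)
    enc_key, mac_key = derive_keys(shared, mid)
    ct = _xor(padded, _keystream(enc_key, MSG_LEN))
    tag = hmac.new(mac_key, mid + ct, hashlib.sha256).digest()
    return mid, ct + tag, tag


def open_next(shared, prev, store):
    """Look up the next identifier in a public store; None if nothing is there."""
    mid = message_id(shared, prev)
    blob = store.get(mid)
    if blob is None:
        return None
    ct, tag = blob[:MSG_LEN], blob[MSG_LEN:]
    enc_key, mac_key = derive_keys(shared, mid)
    expected = hmac.new(mac_key, mid + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")
    padded = _xor(ct, _keystream(enc_key, MSG_LEN))
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n], tag


def walk_chain(shared, seed, store):
    """Receiver side: follow the chain until an identifier is missing."""
    out, prev = [], seed
    while (hit := open_next(shared, prev, store)) is not None:
        plaintext, prev = hit
        out.append(plaintext)
    return out


# Constructed sample values; a real shared secret would come from the DH exchange.
SHARED = hashlib.sha256(b"constructed stand-in for a DH shared secret").digest()
SEED = b"agreed-seed-for-first-message"


def demo():
    """Sender side: post three chained messages into a public id -> blob index."""
    store, prev = {}, SEED
    for text in (b"first", b"second message", b"third"):
        mid, blob, prev = seal(SHARED, prev, text)
        store[mid] = blob
    return store


if __name__ == "__main__":
    print(walk_chain(SHARED, SEED, demo()))
```

Because each identifier depends on the previous tag, a missing or altered message stops the receiver at that point in the chain.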

this_is_our_chance • October 31, 2013 4:22 PM

Bruce has championed a two-pronged strategy, part political, part technical.

The technical prong needs to identify ways not only to protect data and anonymity, but also to make all forms of surveillance more costly and risky - without relying on end-user savvy.

The political strategy absolutely needs to start with an overhaul of NSA itself - with teeth - but we shouldn't become so focused on NSA that we lose sight of the wider Military-Industrial Complex ocean in which NSA is but one, medium-sized fish.

The best thing we can do to confront this monstrosity is to start pulling on the monetary choke-chain. Money is the lifeblood of an army and it is the lifeblood of everything that supports it, including intelligence services. But I think we need to brace ourselves for the backlash from the vested interests in the MIC - it will not always be within the limits of the law.

A special prosecutor will be ideal, as we need to put the fear of God into these DC cowboys. They have deluded themselves into believing that "national security" is a magical, open sesame that can be endlessly invoked - with utterly transparent motives - to spring themselves out of any trap. With this level of lawlessness in the most senior ranks of the largest intelligence agency in the world, there can be no doubt that there is a substantial amount of criminal activity occurring, not only in NSA but in other alphabet-soup agencies, and their private-industry cronies.

Remember that 2011 story about 5,200 Pentagon officials having child porn? Surely, the illicit proclivities of select officials throughout these agencies who have been led to believe that they essentially have legal carte blanche in the aftermath of 9/11 are not limited to the sexual abuse of children. In the words of Cofer Black, "after 9/11, the gloves come off". Looks like gloves are not the only clothing that have come off. I think it should be a fairly easy task for an investigative commission in combination with a special prosecutor to send a shockwave of moral and legal terror through these organizations - at least, through those portions of them which consist of bullies and abusers that seized the opportunity of the post-9/11 feeding frenzy within the national security establishment to give full expression to their base lusts, whether for blood, money, status or flesh.

Zorro • October 31, 2013 4:22 PM

@Scott

COSM is an interesting concept, thanks.

A possible extension to the group ID server scheme for masking recipients might be something analogous to frequency hopping.

A user's encryption key could seed a pseudorandom sequence of group ID's that change on a calendar schedule. Thus, the binding of a recipient to a group is not static, but changes over time.

By knowing what day it is, both senders and receivers would have the information needed to locate the place where information can be delivered for pickup.

Depending on how long it's been since you last picked up mail, you might have to scan several groups to get up to date.

unimportant • October 31, 2013 4:40 PM

@Brian M.: The only way to "rein in" the NSA is to take a chainsaw to their budget.

You cannot chainsaw a budget which you do not control. Even if the NSA does not get paid directly with tax money, there is always a hidden budget and a huge interest by a small uber-wealthy and invincible group to promote a global surveillance state (and possibly to put us all under slavery).

Clive Robinson • October 31, 2013 4:57 PM

@ Scott, Zorro,

    ... so you could theoretically use google as your indexing service, and any-old-dead-blog that is indexed by google for storage

There's nothing "theoretical" about it. I came up with this idea some years ago to provide a "headless control channel" for bot nets.

I outlined it on this blog, after building a trial system (that worked well).

The hard part (for what I was doing) was to come up with an identifier system that could not be easily subverted. The solution I used was based on some interesting work done by Adam Young and Moti Yung back in the late 1990's.

Pete S. • October 31, 2013 5:17 PM

@c - "There will be more encryption of intra- and inter-datacenter traffic."

Inter-datacenter traffic, certainly. Not sure what intra-datacenter encryption would accomplish, though I suppose it couldn't hurt.

"It's all of you who will suffer, though - even with hardware acceleration it'll slow down our cloud services."

In 2010 Google implemented HTTPS on all public-facing Gmail systems. They deployed no additional machines, nor any special hardware. SSL/TLS added less than 1% of CPU load, less than 2% of network resources, and less than 10KB of memory per connection.

I'm pretty sure they can handle inter-facility encryption on a similar scale with minimal performance degradation.

"And I can't say I trust the hardware accelerators anymore either."

Why not? AES-NI in Intel chips performs standard AES using a key that you supply. It just does things faster and more efficiently than doing it in software.

Hardware accelerators for RSA are useful if you're handling a lot of negotiations (e.g. running a popular internet-facing service). However, if you're running bulk transfers between facilities then negotiating new connections only needs to happen relatively rarely. If Google implement it in a sensible way (and I suspect they would, given their history), it'd add negligible overhead.

"Bruce... PFS suites are still THE way to go, right?"

I'm not Bruce (obviously), but using PFS does provide more security than not using it, particularly if an adversary is saving encrypted data to pound on later. It's slower at negotiating new connections, but that shouldn't really be a big problem in this context.

JonS • October 31, 2013 5:18 PM

@ Scott:
"I am working on a scheme in which the sender and recipient are both completely unknown and all messages can be made completely public."

Interesting, but ...

Conceptually, how is this scheme different to wireless (i.e., old-timey radio) communications? It sounds like you're basically broadcasting into the void, hoping that the right person will hear it, along with everyone else who might be listening in. Even assuming(!?) unbreakable crypto on the message contents, the message itself still contains enough to be interesting due to all that pesky meta data. Furthermore, any broadcast send-and-receive system is vulnerable to traffic analysis. Given even modest resources (by current NSA standards), traffic analysis can yield a tremendous amount of information.

Scott • October 31, 2013 5:49 PM

@JonS

The difference between this and old time radio is that old time radio is unencrypted, in this the contents of the message are encrypted. As I said, the messages are encrypted; anyone listening in can't distinguish an actual message from a fake message created with a (CSP|T)RNG. It's really the entire point of the scheme: to eliminate all metadata.

Traffic analysis is not something that this scheme has to solve, it's up to the users to determine a protocol for their needs, whether it is connecting to Tor and dropping messages somewhere so it can be later found through google, or using an I2P based service to store these messages. This is designed for blog-comment-sized messages. Luckily for you, traffic analysis is something that becomes easier with the amount of traffic you have; even the NSA has difficulty tracking people through Tor as it stands now, which is why they rely on browser exploits.

Mike Anthis • October 31, 2013 6:19 PM

1) Regarding the carefully-worded denials with truck-size loopholes: Talk to the ex-Soviet citizens about reading between lines. Anyone with a programming background can spot loopholes a mile away. Assume the loopholes are there for a reason, and you get lots more insight into what's going on. Haven't you been doing that already?

2) I always assume I'm being watched.

3) It's not safe to be an unusual person anymore.

RobertT • October 31, 2013 8:13 PM

Bruce must be desperate for a visit from the little birdies that don't actually whisper.

I've got renewed respect for the man but I suspect he is over-playing his hand. Make no mistake about it these guys know how to fight dirty and what makes matters worse is that they actually believe in the righteousness of their actions.

Let's be honest, most Americans can't handle the truth, they really prefer living their life "on the good ship lollipop", they have a comfy warm feeling that their all-knowing daddy is looking out for them. So a lot's got to change at the grassroots level before Joe Sixpack demands restrictions on the NSA's activities.

Curious • October 31, 2013 8:18 PM

@Mike Anthis "3) It's not safe to be an unusual person anymore."

This raises some questions.

I wonder what template is used to define a usual person?

Would this just be a statistical average, or is there a normative specification?

Some government agency is the keeper of American symbols to make sure they don't get defaced. The Secret Service handles money.

Does the Secret Service also have a secret definition of what a usual American person should be?

Do these criteria drive psychological shaping operations, whether generalized or targeted?

Is the NSA part of a filtration and cleansing process?

Scott • October 31, 2013 8:38 PM

@Mike Anthis

3) It's not safe to be an unusual person anymore.

When was it ever safe to be unusual? Anyone who strayed too far from the accepted definition of normal (and no one actually fits that definition, it's just put in place to exert more control over people) has always been ostracized from society. If it wasn't race, gender, or sexual orientation, it was clothing, hair length, or physical prowess. Still today, acceptance is hard to come by for non-Christians in the US, although not as much in the past (I'm not afraid to say I'm an atheist, I'm just afraid of my mother or employer finding out).

The thing that's gotten bad in recent years is the propaganda, especially from the far right. Socialist = evil (although good luck finding people who actually know what socialism is), poor people = lazy and greedy, etc. Although, the left isn't exactly innocent in this regard, either. Both parties are big on the "Support what your country does, even if you don't agree with it" mentality (because to do otherwise is unpatriotic).

“Patriotism is, fundamentally, a conviction that a particular country is the best in the world because you were born in it.” - George Bernard Shaw

Nick P • October 31, 2013 9:16 PM

@ RobertT

"Bruce must be desperate for a visit from the little birdies that don't actually whisper.

I've got renewed respect for the man but I suspect he is over-playing his hand. Make no mistake about it these guys know how to fight dirty and what makes matters worse is that they actually believe in the righteousness of their actions."

One reason I argued for his trustworthiness in a previous thread. Takes some balls for someone in his position.

z • October 31, 2013 10:20 PM

I agree with the posters who said budget cuts won't work. Unfortunately, we have seen that the government is perfectly willing to hold the public hostage to get what it wants. Just look at the recent shutdown. They actually spent extra money keeping police at memorials, parks, etc to prevent people from going there, all in an effort to try to get the public to pressure Congress to give them their money. They refused compromises designed to resume funding for these things simply to make it hurt.

The same thing would happen with the NSA. They would be on TV every day with dire warnings about how we are all going to be killed by terrorists. They would cite figures, show charts, and maybe allow a small scale attack. The media would lap it up, blame whoever decided to defund them for making us all unsafe, and they would get what they want.

And in other news, Senator Feinstein has introduced a bill that would legalize the NSA's domestic surveillance-- https://www.eff.org/deeplinks/2013/10/sen-feinsteins-nsa-bill-will-codify-and-extend-mass-surveillance

RobertT • November 1, 2013 1:11 AM

@Nick P
I don't disagree, I just wonder if it's wise.

WRT Bruce's idea that someone needs to oversee the NSA's activities, how is that ever going to happen? In my mind there are two logical problems.
1) Where would you find a person with the appropriate skills (Hint Hint it's got three letters)
2) EVEN if you found an independent trustworthy person to lead such a team, where would you find the appropriately technical skilled personnel to staff the undertaking? How would you ever know who they really reported to?

As an individual I've moved all my email hosting to non-US controlled interests. I've stopped using Google directly for anything, I figure if others take similar approaches then the value of information extracted will fall precipitously and the system will fail under the weight of its own inefficiency.

Clive Robinson • November 1, 2013 1:56 AM

@ JonS,

    Conceptually, how is this scheme different to wireless (i.e., old-timey radio) communications? It sounds like you're basically broadcasting into the void, hoping that the right person will hear it, along with everyone else who might be listening in. Even assuming(!?) unbreakable crypto on the message contents, the message itself still contains enough to be interesting due to all that pesky meta data. Furthermore, any broadcast send-and-receive system is vulnerable to traffic analysis. Given even modest resources (by current NSA standards), traffic analysis can yield a tremendous amount of information.

There are broadcast systems that get around some of these problems.

The first step of communicating is "to make contact" in some way and it has to involve minimal communication.

One reason for this is that if everybody just broadcast messages to the rest of the internet then the internet would just be completely swamped.

Secondly if you are going to encrypt this message to prevent all but the intended recipient decoding it you would logically have to have contact with them directly or indirectly to get a PubKey etc.

The only way you are going to do that in practice is with some kind of directory service...

Now the problem with that is directory systems are generally hierarchical and as such are subject to various types of attack and monitoring. But it does not have to be so with a little thought.

I mentioned one way to do this a few days ago and provided a more detailed overview which you can read,

https://www.schneier.com/blog/archives/2013/10/friday_squid_bl_396.html#c2120824

name.withheld.for.obvious.reasons • November 1, 2013 2:42 AM

-----BEGIN FISA/NSA HYPOCRISY ALERT-----
Version: pgg v0.2a

SOURCE: FISA
DOCUMENT: FISC OPINION Unconstitutional Surveillance
TITLE: MEMORANDUM OPINION, Apr 2011
SUBJECT: Intent versus Judge without a clue

// NWFOR: Yet again, the circular logic I believe is to match the
// configuration of the firing squad.


The FISC argued that "the intentional acquisition" of communications was converted to "unintentional" retroactively based on whether or not a determination was made as to the origin of the message. So if the message originated from within the U.S. and was also being delivered in the U.S., upon examination of the message it was determined to be a U.S. person, the collection was unintentional.
To compound the insult with some injury the NSA claims that it cannot determine if the persons in receipt of the communications is to or from the United States. What a bunch of bull. What the hell is geo-ip for then?
-----END FISA/NSA HYPOCRISY ALERT-----

Clive Robinson • November 1, 2013 2:51 AM

@ RobertT,

I'm with you on your trust analysis, I really don't think an ordinary overview process is going to work.

Like it or loathe it spying is part and parcel of the great game of kings, and at a lower level that of the police in solving crime etc. Which makes it a "necessary social evil" and part of the glue that holds society together.

To get rid of it requires a major change in the way not just the US Society but nearly every society in the world to also make. Such changes would of necessity destroy nearly all of our current business models especially what is called "casino banking". As quite a large part of western economies are based on this sort of banking the effect would be to destroy those economies as they currently exist...

I don't know about you but such thinking tends to give me a major headache. All mankind's attempts so far have been doomed to extremist politics, it does not matter what political label you hang on it (extreme left/right, fascist/communist etc etc) the result is a tiny minority of self appointed individuals dictating to the rest of society. Almost invariably such people are not those society in general would wish to have in charge, if they gave it considered thought. If for no other reason than the self appointed few are not normal in any sensible definition of the word (so much so that they usually need more acceptable puppets to do the public facing activities).

What does amaze me is not so much that authoritarian people will seek "high office" but the number of people who appear to want the authoritarian control yoke around their necks. It's almost as if being a "serf" is their chosen way of life, perhaps because it gives them the laziness of not having to think for themselves or that they are as in the Wizard of Oz frightened to look behind the curtain.

In such environments authoritarian figures thrive and they will lie, cheat, steal, maim and kill to retain their position in the hierarchy. In effect they regard morals as a weakness to use against those below them. It is abundantly clear from the likes of Ms Finkelstein that they will more than willingly allow such immoral and what was illegal activity to continue, by the simple ruse of introducing "token legislation" that when examined gives more loopholes for the likes of the NSA to use, and also legalise much of their activities.

I guess that people are easily misled by statements of the form 'I will regulate these activities for the good of the people' and other similar formulaic but meaningless sound bites.

They say "There are three sign posts to disaster, the first is only visible with hindsight, the second only visible to the perceptive few, and the third visible to all."

I'm guessing that the formation of the DHS should have been the third, but for some reason US society ignored it, maybe history will look on the Ed Snowden revelations as the third sign post... But I'm guessing the general US populace won't even see it as the first...

Figureitout • November 1, 2013 3:08 AM

Which makes it a "necessary social evil" and part of the glue that holds society together.
Clive Robinson
--It didn't used to be so; society just gets worse as time continues. Just when the population numbers are crowding the earth and tech. makes it possible for me to destroy physical objects all the way around the world.

I'll gladly be a "serf" so long as it contributes to the eventual downfall of the entire human race as we act like a bunch of idiots still spying/fighting each other instead of expanding out into the solar system. We (or I) just witnessed our gov't shut down agencies like NASA (NASAtv) while some derp congress(wo)man still got paid and they spent even more money keeping WWII veterans out of War Memorials. Our society is going down the crapper. Maybe use all our resources up and cloud our atmosphere w/ crap so we physically can't leave w/o being destroyed.

Rolf Weber • November 1, 2013 3:09 AM

I hope that now everybody realizes that the initial PRISM reports were just wrong and misleading. There never was a company-provided "direct access", there never was "cooperation".

Yes, a technical reaction is encryption. Google already started, the others have to follow.

BTW, a much better story about DarkMail can be found here:
http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-darkmail-alliance-to-thwart-e-mail-spying/
However, I doubt it will be a success story.

65535 • November 1, 2013 3:22 AM

@nickp

“…we have Option 1 making the strategy only marginally effective…”

I’ll take that option at this point. We are currently in a stinking police state! Anything would help.

“That's why any reform targeting NSA must target the entire legal underpinning of our classification (and declassification) system. Else, they have legal options for funding, operating, & lying about it all.” –nickp

That leads into my other point.

“It seems that it's impossible to get the truth out of the NSA. Its carefully worded denials always seem to hide what's really going on.” –Bruce S.

I fully agree. The truth must come out!

Times have changed with regard to “meta-data” and we must modify Smith v. Maryland and 702 plus 215.

Vacuuming huge amounts of US citizens’ data under the ruse of “national security” against the fourth and first amendment.

We should be honest. We should either declare war and invoke martial law - or scrap the NSA's vast surveillance of US citizens.

Further, Obama’s secret “Presidential Policy Directive 20” must be disclosed to the public.

[See the FOIA for PPD 20]

https://epic.org/foia/nsa/EPIC-PPD-20-FOIA-NSA-Reply.pdf

[Now to Executive Order 12333]

Executive order 12333 makes clear that spying on Americans is not the goal! Take a look at executive order 12333 and its main goal.

Executive Order 12333

"b) All means, consistent with applicable United States law and this Order, and with full consideration of the rights of United States persons, shall be used to develop intelligence information for the President and the National Security Council."

http://www.archives.gov/federal-register/codification/executive-order/12333.html

Further, I think the Supreme Court of the US must take a closer look at the entire situation. That goes for the Legislators responsible for NSA oversight (Aka, those legislators that are not enjoying the privilege of fine grain information on their foes and those who have not been blackmailed into submission by the NSA).

[And]

“…we need more encryption on the Internet. We have made surveillance too cheap, not just for the NSA but for all nation-state adversaries. We need to make it expensive again.” –Bruce S.

Yes!

It would be nice to see an encrypted website for email away from the US jurisdiction that provides easy encryption for those people “stuck in the middle” of the tech spectrum.

Do any of you have a solution other than running a complex encrypted email server from your own web host service or from your house? I would like to hear solid solutions on encrypted email service.

Curious • November 1, 2013 3:32 AM

@Curious
Will you please consider using some other nick/handle? Surely you must have noticed that I have complained about this earlier, if not simply having noticed me using 'Curious' as a handle, probably before you ever did. :P Afaik, this is the third time you have used the handle 'Curious'.

Fyi, this 'curious' responding to Mike Anthis above is some other person entirely. I did write the comment about the "skewed" enemy combatant comment though earlier.

David • November 1, 2013 4:51 AM

A special prosecutor without any ties and yet with all those privileges you describe is hardly imaginable.
But in one of your former posts you have written that American tax payers are spending 52 billion yearly for the NSA surveillance. Wouldn't it be a more realistic way to simply cut down massively on those spendings?

Winter • November 1, 2013 5:21 AM

What I conclude from Bruce's posts and a host of other coverage is that the spying scandal is a political problem and should be solved using political means. Technology, cryptography, cannot protect you for long.

Underlying this spying scandal is an obvious political crisis in the USA that weakens the state. Whenever states weaken, we see the rise of the war-lords.

The NSA and other TLAs are simply some of these war lords.

Winter • November 1, 2013 5:31 AM

"#BADBIOS - You Were Warned About This For Years!
http://slexy.org/view/s2BLnoBPxn"

So, we need modular computer hardware with parts that have well defined storage and processing powers. Storage must be constructed in such a way that each bit can be wiped (preferably using a hardware switch or as an isolated part). All processing parts must be constructed so that they can be initialized into a known (clean) state.

With such a system, you could take apart an infected computer, wipe every component. Replace remaining suspected parts, and reboot into a completely clean slate.

Probably a pipe dream. I guess even a simple disk drive has enough hidden storage and processing power to hide&execute malware and run over the rest of the computer after a complete wipe and reset.

Aspie • November 1, 2013 7:36 AM

@Figureitout

... instead of expanding out into the solar system.

Fortunately for the rest of the Universe we're trapped on this rock until we can learn to play nice with each other, stop looking at our own short lives and what we can get out of it without regard to future generations and put our indisputable talents into science for good - energy, physics, astrophysics, medicine, environment.

Oh, and discover a genetic test for sociopaths and megalomaniacs so they can be put to work appropriately as speed humps.

Bob T • November 1, 2013 8:07 AM

What needs to happen is to have a full audit of the NSA and their illegal activities and prosecute those who violated the law. Oh what am I thinking... No one goes to jail or gets fired anymore. Well, except for whistleblowers.

Skeptical • November 1, 2013 9:06 AM

Revisit the PRISM stories in which the initial claims were that the NSA had wholesale direct access to the servers of major internet companies, providing readers with the impression that the NSA could on a whim stroll and sift through every bit of data Google and Facebook have?

The PRISM stories that were quickly clarified, and re-clarified, to the point where the NSA's access became instead limited to an electronic delivery system for legally requested data?

Or perhaps we should revisit the recent stories in German, French, and Spanish papers alleging NSA collection of the phone calls of millions of ordinary citizens.

The recent stories which were then shown to be much less exciting - German, French, and Spanish authorities collected information themselves on signals intelligence from foreign countries, which they shared with the NSA.

And I could go on.

Once you realize that journalists are no less driven by self-interest than any other group of human beings, the common theme becomes easy to discern: take highly ambiguous documents; draw the most sensational conclusions possible; write the article to imply the worst, cloaked in vague language and hiding reservations several paragraphs in; and grab the attention of the world and the accolades of friendly advocacy groups - not to mention the gratitude of editors and publishers.

So at this point in the cycle, I'm taking the Washington Post story with a big dash of salt. What has been specifically alleged is that the NSA somehow intercepts data communicated to or by Google entities in non-US countries, and that the NSA "keeps a lot of it." Which countries? Afghanistan? Iran? Who knows. What are they looking for? Who knows. What do they keep? Who knows.

That's not enough to establish much of anything beyond those words. It doesn't establish mass surveillance of any population. It doesn't come close to establishing illegal conduct. But, it sells clicks for some and it furthers the agenda of others.

At a certain point, the credibility of those reporting on the leaks is going to become too strained to maintain. Glenn Greenwald once bragged, if I recall correctly which I may not, that their strategy was to report some of a story, allow the NSA to issue denials, and then report more of the story showing the NSA's denials to be false. It soon became apparent that this was just Greenwald's way of excusing the "evolving" nature of the facts in these stories.

Perhaps because of ego, I do not think that the architects of this campaign have yet realized that the governments involved have a deeper bench with more experience at this game than they do. The strategy they once bragged about seems to be the strategy to which they have become most vulnerable.

Petrobras • November 1, 2013 9:43 AM

These are the possible solutions:
@Nick P: "1. Focus their resources on best sources of data."

Make it an offense to any entity to request more information than you need (forbidding TOR to get IP, ...).

@Nick P: "2. Find ways to divert money into their operations."

Vote that any agency will be closed if spending more than voted by Congress. Then, wait for next whistleblower to show the real budget and close the NSA.

@Nick P: "3. Blackmail Congress to give them the funding back."

Vote that any agency will be closed if it blackmails a congressman, and give real immunity to that offended congressman. Then, wait for next whistleblower to prove such a blackmail, or for a congressman to go public about a blackmail that offended him.

pdkl95 • November 1, 2013 9:47 AM

"Finally, we need more encryption on the Internet."

As someone who has been attempting to evangelize PGP/GPG from all the infamous Zimmermann-trial era to now... this has been incredibly difficult. I do find it interesting that in the last few months, I've probably taught more people the basics of public-key crypto than in the previous two decades combined.

Unfortunately, that's still a pathetically small number of people, and very close to "zero" people actually using it in the long-term. Many reasons for this failure (many good ideas discussed here, of course). In the end, though, there's an unfortunate conclusion to these regular failures: it's simply not possible (at least at this time) to get people to learn to use encryption, or even care about the subject at all. The fact that "man gpg" is so complex that even engineers used to reading technical documentation get scared away isn't helping the situation.

So I'm thinking of taking a dramatically different approach. Instead of advocating the proper solutions that only get people to keep choosing their current "plaintext" habits, we should accept that it might take a few steps to introduce the idea of encryption, and that making progress toward the goal – even if it doesn't add any security – is a good thing.

The general idea is to cut features down to only message signing, in a style similar to "tripcodes", but using real GPG keys. This even ignores the *actual* identity of the owner of a key (and so also ignores all key-exchange, keysigning, and other trust issues). Instead, it verifies signed posts when pages load (if you wait for the user to ask, it'll never happen).

Having the (local) browser do the work should allow signing to be done ad-hoc, anywhere. Webserver support is not needed, though it would be useful (see #4 below).

Very brief outline of the idea:

  1. Type it up in a proper protocol/RFC-like spec asap (to encourage adoption and other implementations).
  2. Let people *SIGN* textarea tags (or the equivalent: email? contenteditable?) on arbitrary web forms, using an automagically-generated GPG key (if you don't specify a key).
  3. Signing is inline. More or less, "gpg --clearsign" but with minimal output (i.e. use some short marker instead of "BEGIN PGP SIGNED MESSAGE").

  4. Include some well-defined protocol to allow websites to support this in a way that looks much nicer: probably by allowing "{BEGIN,END} PGP SIGNED MESSAGE" to be written like: <div class="signed_post" data-signature="...">...message... </div>
    (details here are still vague)

  5. Let the browser auto-download keys from the keyserver, cache them, and verify the hash on all of the posts in a page.

  6. Zero user input for most of that, while allowing them to know that some post in a forum was actually the same person that posted the previous week.

  7. All real crypto work is done externally with GPG. This is to allow existing keys to be used and to not tie the authentication to any specific browser or implementation.

The real goal, of course, is to get people using keys and warming up to the idea of crypto in general, and starting to pick something other than the current "plaintext-only" choice. After that's happened, it should be a lot easier to then show how their key can actually do a lot more, and introduce encryption, Web of Trust, etc.

Any thoughts on this? Terrible idea? Already tried somewhere?

//wanders back to reading Firefox's "Add-on SDK" docs

bonus: Explicitly pushing a form of authentication into the browser might also serve as a strong alternative to those identity-server/"single-sign-on" rent-seekers (e.g. ms passport, facebook, etc)

Even better: being able to sign some random nonce with any given private key is likely a simpler and more reliable way of logging into a website than the current username/password and email-with-link dance everybody does now.

Petrobras • November 1, 2013 10:06 AM

If closing is not possible, threaten at least to relocate the said Agency in Alaska.

mailbox • November 1, 2013 10:51 AM

"If closing is not possible, threaten at least to relocate the said Agency in Alaska."

The NSA has a huge presence in Alaska already, Fairbanks if I am not mistaken. Used to be for OTH monitoring of the Soviets

@unimportant • November 1, 2013 11:30 AM

"You cannot chainsaw a budget which you do not control."

Indeed, at this point, the only thing that they could really do is reduce the budget to $0. Thus knowing that if there is any further activity it is illegal.

alex • November 1, 2013 1:01 PM

@Wael: I like that template...

So... If you don't know that your teenage daughter has been knocked up, she's not. Oh, how I wish things worked that way.

J • November 1, 2013 1:58 PM

I wouldn't call Level 3's statement vague.

"In general, governments that seek assistance in law enforcement or security investigations prohibit disclosure of the assistance provided."

They're being as specific as they can when referring to National Security Letters without actually breaking the law by mentioning they received one. As far as admissions go that's generous.

Nick P • November 1, 2013 4:02 PM

Interview with Lavabit owner:

http://www.democracynow.org/2013/10/7/lavabit_how_one_company_refused_to

Levison's presentation is all good except where he says why he's targeted. He said his network was too secure for them because he used some of the techniques from his work in banking. That's arrogant & reflects the problem I pointed out about how he views these things leading him to trouble.

It's FAR more likely that it was *easy* for them to use the legal system to attack his network and they get *more results* that way. It's also a strategy they had used on much larger, more influential companies with success, judicial approval, and criminal immunity. So, it's going to be one of the first things they consider for a privacy oriented email service hosted in the US. It's why I advocated for years even pre-9/11 that people *don't* trust Hushmails, Cryptophones, etc. for use against TLA's in the country hosting the service/manufacturer.

I said it before I'll say it again: anyone foolish enough to host a privacy service in the United States with US agencies in threat model needs to architect it with the assumption that the Feds will legally force it to be compromised. All the clever code in the world doesn't matter when SWAT is pointing a gun at your head, your face on the floor, and all your servers being seized. It's happened plenty times before. It will happen again. Congress & the American people aren't going to change that any time soon. Don't count on them.

This legal attack must be made harmless *by design* of the service's operation, the purpose easily explained in court along lines of carrier neutrality + privacy lines, and the effort the *highest priority* of the service's security engineering.

(Or just keep the service the hell out of America allowing one to focus resources on more important things...)

Figureitout • November 1, 2013 11:05 PM

Aspie
--Yeah unfortunately for us, we're stuck here. And yeah, thanks to all the old people for my great outlook at the state of America; more debt than we can ever pay off, I think that's slavery. Ever wonder as we look out at "dead" dry planets that they had life that grew into monstrosities that eventually killed themselves? Of course they could've been nuked by an asteroid, what a terrible way to go...

Rolf Weber • November 2, 2013 2:35 AM

@Nick P, regarding Lavabit
Levison said in this interview that he was approached in May, and then didn't hear anything until the pen/trap-order end of July. This is not true. According to the published court documents, the first court order he got was from June 10, he received it June 11, and he answered to it (by mail, which the government received on June 27).

This is another example why we shouldn't blindly trust protagonists like Levison, Snowden or the press. They are all playing their own game, and their goals are not necessarily the same as ours (at least not mine).

Skeptical • November 2, 2013 8:48 AM

Nick P, what jurisdiction do you think would be preferable to the United States? Simply in my experience, the laws and institutions of the US have allowed for better legal protection of both privacy and intellectual property than many others.

I do not know of any country in which the owner of a service known to be hosting an email account of a wanted fugitive who had fled the country with extraordinarily sensitive and dangerous information on ongoing intelligence operations would not be subject to legal compulsion. I do know that, in most countries, he would have been arrested himself the moment he was viewed as deliberately delaying or impeding the process.

Nick P • November 2, 2013 10:52 AM

@ Rolf Weber

Good catch. Yeah, I don't trust the guy on some angles. His shutdown indicates something about his character. Most people think it's that he stands up for his principles where this would translate to the next service. With his statements & actions about other things, I'm not entirely sure that the shutdown tells us anything. There's many mental motivations that could have led to that choice that imply varying degrees of trustworthiness.

These kinds of concerns are why decentralized models are best.

@ Skeptical

In the past, I would have told you Panama corporations and data in Hong Kong. Need to have a person in each country with good reputation with authorities, maybe payment, to back each aspect up. The thing is that a number of countries have historically had stronger privacy for corporations, less opportunities for you to be sued, and govt that looks the other way to bring in money. The US has 90%+ of the world's lawsuits, FBI's national security letters, & NSA's forced backdooring of everything. Which sounds better to you? ;)

To be clear, the country choice is only a step in the direction of maintaining OPSEC for the service. It's not the end all solution. And I'm currently updating my knowledge of offshore jurisdictions. The situation is complex compared to what it used to be. Some have caved publicly, some have secretly, & a few might still be good. So, it will take time before I'm sure but Iceland or Hong Kong seem to be a decent start if it's just a web service. It's also good to use at least two geographical areas in case there's problems in any one of the ocean cables.

(If Iceland becomes a major pain in US ass, I expect for their one transoceanic cable to have... problems. wink)

Skeptical • November 2, 2013 6:16 PM

Nick -

I have a different view, but I understand your own viewpoint here. Panama companies can be private with respect to the investing public, but that doesn't mean they're very private with respect to the Panamanian Government or those it has close relationships with. Hong Kong, special status notwithstanding, is within a country where data privacy law is nonexistent and intelligence and police services of every level can work almost without restriction. Your IP is not secure there, and my guess is that companies with major operations in Hong Kong must view the Chinese government as the greatest threat to their IP. Iceland seems like a reasonable alternative to the US, but I don't see how Iceland is a more attractive alternative to the US.

You mentioned corruption. From my perspective, the problem with relying on corruption is that it's very unreliable and unpredictable. You're betting your wallet and whatever other leverage you have against every competitor. Unless you're very clear on what your relative advantage is versus competitors, be prepared to be outspent, outgunned, and outsmarted.

While the US does have many lawsuits (in part because it relies more on lawsuits and less on government to provide compensation when one party is wrongly injured because of another), it also has rule of law. That is, with a fair degree of predictability, I know what the government may and may not do, and I know what private parties may and may not do. I'm not as worried that tomorrow someone will bribe the head of the FBI to crack my company's network and give my intellectual property to a competitor. Indeed, frankly, because of the rule of law, I'm not concerned about US Government surveillance generally. In fact the USG provides protection against surveillance by governments which would happily give a company's IP to competitors.

Even if I were, the FBI has NSLs, but those are fairly limited, can be challenged judicially, and pose less of a threat to privacy or intellectual property than do the surveillance powers of most other governments. NSA backdoors? If those backdoors are as extensive as you say, then nothing anywhere is secure; I don't see much evidence of that. Given what Bruce has written about the NSA's fairly risk-averse approach to operations, I strongly suspect that the NSA would come down against a broad backdooring of security protocols that could be exploited by foreign actors or cybercriminals. Most importantly, NSA activities in the US are far more regulated than NSA activities outside the US. Perhaps the NSA can't legally compel a foreign corporation to do something - though you may be surprised - but the leverage and capabilities the USG can bring to bear against a foreign corporation are truly immense. Unless you have leverage and capabilities to match, your best bet is the rule of law, not the law of the jungle.

Or, let me put it this way. Assuming one's concern is privacy and intellectual property protection, and one is not doing anything outrageously illegal or immoral, then I'd find US law to be better or as good protection as the laws of any other country. But if the USG is in one's threat matrix because one is doing something outrageously illegal or immoral, then one is vulnerable and will at some point be screwed regardless of where information is hosted.

I'm not sure our views here are all that divergent, to be honest. Biggest differences likely on corrupt governments and degree of IP protection in US compared to other countries.

Figureitout • November 3, 2013 12:15 AM

"Google can no longer trust its bandwidth providers not to betray the company."
Bruce
--I can't even trust a simple connector, the kinds of manufacturing that can happen now are too insane. Fricking insanity, the electronics are too good. It's too good and we aren't ready for it. Can't trust a small arduino board. Internet?--Lol you kidding me? Talk about the most untrustworthy. You can't keep improving them, eventually the boards will be all tiny pindrops of metal that will include a supercap or something freaky. The components are already too damn small! This is too scary and it needs to stop.

averros • November 3, 2013 1:42 AM

@Scott:

"propaganda, especially from the far right. Socialist = evil (although good luck finding people who actually know what socialism is),"

Socialism is the political ideology holding that violence against innocent people is acceptable means of achieving the equality of outcomes (and that this equality is desirable). It is pure unadulterated evil, which (in its different incarnations, such as Soviet international socialism, German national socialism (aka Nazism), Chinese Maoism, Khmer Rouge version of Buddhist socialism, and other variants in many many other places) murdered over 200 million people in 20th century.

And before you claim that I don't know what the socialism is, consider that I actually lived in a socialist country, and have As in my university transcript in subjects such as "Political Economy of Socialism" and "Scientific Communism". I spent enough time studying the drivel by Marx and Lenin to understand fully and completely what it is.

Clive Robinson • November 3, 2013 5:17 AM

@ Averros,

The violence you describe as a defining characteristic of what you classify as "socialism" is found in many other forms of politics where the given myth is "everybody is equal" but the reality is some are considerably "more equal than others" and use various control techniques --often but not always by violence-- to remain "more equal". For instance a number of academic political theorists see it also as a characteristic of Nationalism and Fascism, both of which take ideas from conservatism and socialism as those "more equal" see fit at any given point in time to ensure they remain "more equal".

I think Scott's comment about knowing what socialism is, is the fact that like fascism, marxism and many other political ideology related descriptors it has become not just diluted but also debased to the point of meaninglessness, especially when it is used quite incorrectly as a synonym for other words such as "evil".

If you look at the works of George Orwell you will see that he clearly identified this "meaninglessness" of words used as insults for propaganda purposes back in the early 1940's and also used it as a basis of many of the themes in his more popular books such as 1984.

You will also find similar in the works of Noam Chomsky and Bertrand Russell.

Nick P • November 3, 2013 9:43 AM

@ averros

Interesting that for "socialism" you quote the very few Nazi and communist groups that do massive damage rather than all the more benign socialist with a number of good metrics. You also fail to cite examples (incl in US) of capitalist system that regularly leads companies to hide risks and kill hundreds of thousands in pursuit of profit. Monsanto, Ford's Pinto case, trans fat connection to heart disease... list goes on and on. Although I'm not about to start a long debate on such things here, I couldn't help but point out your very "fair" reporting on the issue.

@ Skeptical

more offshore vs US analyses

You mention good points about the offshore entities. Like I said, I didn't have specifics at the moment because it will take some research (and testing) to produce them. The places I mentioned worked in practice back when I was operating but that was... some time ago. I'm practically starting from scratch here.

"While the US does have many lawsuits (in part because it relies more on lawsuits and less on government to provide compensation when one party is wrongly injured because of another), it also has rule of law. That is, with a fair degree of predictability, I know what the government may and may not do, and I know what private parties may and may not do."

It's actually a bit less so. I do recall one or two jurisdictions I had back in the day used a "civil" law system rather than a "common law" system. Easiest way to illustrate the difference is that civil law is more by the book and to the letter, whereas common law is subject to plenty of interpretation. That US is common law makes it *less* predictable because people can get any kind of BS through at any time. We've also had massive corruption via lobbyists with many getting laws passed with much negative effect on privacy.

So, one thing to include in your analysis is "is the target jurisdiction a civil law system and how do its courts handle data requests on foreign online activity?" If US court sends a subpoena, they will wipe their ass with it. If a civil judgment is obtained, they'll ignore it. This represents huge sums in US annually so it's already beneficial. How will they react to criminal investigations? How do they handle US requests for a non-US ISP or corporation operating in their country? How do they do this for their local companies? (extra backing?) The trick is to understand the country's laws and how they apply them in practice to see if certain structuring of your operations can use them to advantage. I found in the past that many were vastly superior to the US in areas such as remote control, copyright, privacy, taxation, etc.

"Even if I were, the FBI has NSLs, but those are fairly limited, can be challenged judicially, and pose less of a threat to privacy or intellectual property than do the surveillance powers of most other governments. "

Tell that to the Qwests, Lavabit's, colo's, etc of the world. I doubt they'll be so convinced there's so little risk. Remember that we're talking about services that put the US govt in their threat profile. So, they're likely to put a high amount of effort into any given tactic at some point. Most organizations comply with these NSL's and pen registers. So, I'll continue to make that a default assumption for US operations until I see convincing evidence that they can be consistently blocked.

(You also left off seizures. FBI has a habit of kicking in doors of homes and businesses to take every single device they see. You then have the option of suing them to try to get it back. Results are usually seen over several months or... never.)

" NSA backdoors? If those backdoors are as extensive as you say, then nothing anywhere is secure; I don't see much evidence of that."

I say that the backdoors focus on major US products, services, networks, and standards. And certain foreign ones, esp using US supplied components. This is huge but leaves plenty of foreign fabs and tech to use. It also leaves open source software to run on such hardware. So, you could say NSA leaks only make things look hopeless for people that absolutely gotta have their Facebook, iPhones, Windows software, etc. ;)

"Perhaps the NSA can't legally compel a foreign corporation to do something - though you may be surprised - but the leverage and capabilities the USG can bring to bear against a foreign corporation are truly immense. Unless you have leverage and capabilities to match, your best bet is the rule of law, not the law of the jungle."

It's worth remembering that, when Snowden was on the run, he was said to only have 3 countries that he could be sure wouldn't turn him over. That means close to 200 were willing to turn him over. Were "compelled" in your words. That's a scary amount of influence, indeed.

(And remember in these discussions it's not just the NSA. I keep saying "US govt" or "feds" because it contains an assortment of agencies with their own specialties in dealing with US govt troublemakers. FinCEN or CIA's influence on SWIFT might come into play at some point, for instance.)

" Assuming one's concern is privacy and intellectual property protection, and one is not doing anything outrageously illegal or immoral, then I'd find US law to be better or as good protection as the laws of any other country. But if the USG is in one's threat matrix because one is doing something outrageously illegal or immoral, then one is vulnerable and will at some point be screwed regardless of where information is hosted."

I could see where this statement would come from. I'm going to address it in parts though as I think it combines a few different issues worth saying something about.

"one's concern is privacy and intellectual property"

The main people with US govt in threat profile (that are citizens) are criminals, political activists, whistleblowers, minority groups, libertarian types, etc. Except criminals, they're not doing things "outrageously illegal or immoral," yet they've each been targeted by US govt in past and some are targeted presently. This risk, plus maybe certain personal principles, means these people need/want privacy as a default in personal and business lives. For these people, that secretive agencies of a current regime have compromised almost every piece of tech in US & have extra-legal power is a very bad thing. It leads to ideas like using non-US tech, operating in offshore jurisdictions, or no tech period.

"and intellectual property"

There are two groups concerned about intellectual property: Americans and foreigners who compete with them. The Americans, despite NSA spying, are better off keeping their intellectual property here. The European, Russian, Middle Eastern, & Asian countries have a long history of using intelligence agencies to steal the IP. Russia & China are top offenders. The low cost of labor and nationalism over there can also make it easier for them to get spies into a foreign operation. So, my advice for US companies has always been to stay *on-shore*. There's some exceptions, of course, but that would be the rule for 99%+.

Foreigners doing business here with IP or sensitive info have a different outlook. There's been accusations before, with some support in leaks/declassifieds, that US govt has used intelligence to benefit certain well-connected companies. This would make foreign companies want OPSEC and INFOSEC that could resist US investigations. Our system has given Feds a huge amount of power over anything operating here. The environment, from the law to the Tier 1 networks, are designed for easy interception. So, they might naturally want to use non-US made equipment for INFOSEC over these networks & maybe keep all critical information out of US. Offshore/foreign options are once again superior here.

"then one is vulnerable and will at some point be screwed regardless of where information is hosted."

And yet many sites and organizations kept going for years on end. Your risk depends on how your operations are structured, where they're structured, what specific risk you pose to a nation state, which agencies you pissed off, whether well-connected companies are gunning for you, your priority to each, what protection the host state gives you, and so on. It was always complex like this. It's why some groups disappeared overnight, but others continued to piss off US govt or industry for years to come. So, one need not look at it totally defeatist from the outset.

The odds are against you, though, and it's easier to fail than to succeed if you play the international game against nation states. That much I'll surely concede to you. ;)

greg byshenk • November 3, 2013 12:44 PM

Bruce, I'm coming in a bit late on this, but I'd suggest that a special prosecutor is probably not the way to go. The problem with such an idea is that the vast majority of what has been done "wrongly" is not (or at least not plainly) unlawful. Further, a large part of the point of "truth and reconciliation" groups is to separate information from prosecution, based on the idea that it is far more important to learn what has happened than to punish those who were involved -- recognizing that people are much less likely to be forthcoming if there is a threat of prosecution hanging over their heads if they do.

I'd suggest that such an idea applies in the case of surveillance. That is, it is far more important to learn what has happened than to punish someone for doing something that might be considered unlawful. Thus, I'd suggest that what is required is a Special Investigator, with full access to people, data, and technology.

Jarda • November 3, 2013 1:12 PM

>"Look, NSA has platoons of lawyers, and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole," he said.

I never cease to be amazed by the type of being that a lawyer can be. These people with Spandex backbone would sell their own mother into dog cans.

>We need a special prosecutor, one not tied to the military, the corporations complicit in these programs, or the current political leadership, whether Democrat or Republican. This prosecutor needs free rein to....

I wonder how long that prosecutor would last. I presume he'd soon have a car accident or suddenly die of an infarction or drug overdose.

name.withheld.for.obvious.reasons • November 3, 2013 3:18 PM

@ greg byshenk
"The problem with such an idea is that the vast majority of what has been done "wrongly" is not (or at least not plainly) unlawful."

I vehemently disagree; there are a multitude of charges that just a surface examination can produce.

1. Conspiracy, perpetrated on the United States and citizenry
2. Computer abuse act of 1984
3. Whatever Aaron Swartz was charged with while syphoning data from a closet at MIT.
4. The civil rights, 1st, 4th amendments, of United States citizen, 350 million counts.

Some tongue in cheek, some not.

Nick P • November 3, 2013 6:22 PM

@ name.withheld

It's not so clearcut. The problem is that there are laws that seem to allow it and laws against it. So... would that make it legal or illegal? Well, Congress supported each step of the surveillance state with what details they knew. That's an implicit agreement for it being lawful. And many courts ruled in their favor so that's case law in their favor. I've always maintained it was legal... enough.

So, criticisms of claims about NSA's "illegal" activities like the above commenter's are valid. Congress and courts have been too much a part of all this to totally blame NSA. I laid this out in detail previously. The solution will be to get to the bottom of what's going on and put it in America's view. Then, the nation will discuss/debate the situation to determine a consensus of how they want things handled. Then, we ensure they handle it as such with real oversight & accountability.

(Maybe even dismantling such programs outright due to their risk to democracy. That's my preference.)

I also agree with Greg that it might help not to punish the people involved in the organizations. Last thing a group investigating classified matters wants is for them to all go silent worrying about jail time. Give them immunity in exchange for coming forward with information and proof. Might get the bigger picture more clearly and quickly. However, the leaders who deceived the people and Congress (incl any Congress people) will be dealt with.

name.withheld.for.obvious.reasons • November 3, 2013 8:34 PM

@ Nick P

"It's not so clearcut. The problem is that there are laws that seem to allow it and laws against it."

Yes, I am well aware of the fact that the DNC and RNC subvert representative democracy. They crowd out competition and undermine/cut local authority by funneling national funding into local races. I am well aware that the United States, for the most part, is full of idiots. This should be completely obvious to our British friends (often find myself at ox-bridge) where seats had been the constituency of friends and not council districts. I have had a surgery with one of the parliamentarians in England at one time. I believe that has changed, but is peerage still the privilege of the law lords? A general question not for you Nick. I'm sure you and Clive know the answer.

Dirk Praet • November 3, 2013 9:22 PM

@ Skeptical

"Iceland seems like a reasonable alternative to the US, but I don't see how Iceland is a more attractive alternative to the US."

You may wish to read up on the Icelandic Act of Protection of Individual; Processing Personal Data (Jan 2000) and the 2010 Icelandic Modern Media Initiative (IMMI), a brilliant piece of legislation about freedom of information, press, expression and speech. You can check out a more comprehensive list of data privacy and protection laws for individual countries here.

At least in theory, the best privacy and data protection laws can be found in Germany and other countries where the right to privacy is strongly enshrined in the constitution and in those European countries that have translated into national legislation the 1998 EU Data Protection Directive (DPD). Even when adding up a long list of federal and state laws that have provisions for data privacy, the US doesn't have anything that comes even close to the comprehensive privacy protection rules and regulations under the DPD. In addition, no European country I know of has a secret court that by means of secret orders based on secret interpretations of other laws can overrule existing privacy and other (e.g. CFAA) legislation on grounds of "national security".

So until you come up with even one impartial opinion of a legal scholar making a convincing case that US privacy laws are better or at least as strong as, say, those of EU countries, your statement is wishful thinking at best.

"That is, with a fair degree of predictability, I know what the government may and may not do,"

Which we have Snowden to thank for. Before him, we had no idea at all.

"Unless you have leverage and capabilities to match, your best bet is the rule of law, not the law of the jungle."

That rule of law being US law, I presume ? Pretty much the same sort of deal as Roman law extending to people that held full citizenship only whereas the rest of the world only had those rights their Roman masters would grant them as a matter of courtesy. A country that prides itself on its blatant disregard for international law, rules, covenants, UN resolutions and the laws of other nations in an international context is a nation under the rule of law only in its own perception.

If by your own admission, the USG and its IC have formidable means of coercing corporations and other nations into cooperation, then that's my definition of a rogue state applying the law of the jungle to all parties weaker than itself.

"Assuming one's concern is privacy and intellectual property protection"

Contrary to privacy, intellectual property protection is very high on the priority list of the USG that is trying to push for stronger trade secret protections and anti-economic espionage legislation and enforcement around the world. Congress is debating the expansion of the Economic Espionage Act to include a civil cause of action (Private Right of Action Against Theft of Trade Secrets Act of 2013). There's a Chamber of Commerce proposal aimed at creating tougher rules regulating the theft of trade secrets within the context of the Trans-Pacific Partnership (TPP). On the European front, American firms are lobbying to seek stronger trade secret protections in the EU-US Transatlantic Trade and Investment Partnership (TTIP) negotiations.

Snowden's revelation of the NSA's domestic and global surveillance dragnet has turned these international negotiations in a bit of an uphill battle. Even absent a smoking gun today, nobody in his right mind believes the US claims that it is using its vast spying apparatus on terrorist, military and political targets only and that it would never engage in intellectual property or trade secrets related espionage.

The Petrobras and Belgacom examples clearly show that foreign companies are being targeted. That may indeed have been for "political" or "strategic" reasons, but given the extent of the infiltration at Belgacom, it is laughable to assume that no trade secrets whatsoever under the USG's own definition thereof were acquired in the process. Which leads us back to the definition of "collection" or "theft". Would the USG under its own proposed trade secret protection laws be ok with Russia or China "unwittingly" hoovering up sensitive US corporate data as part of a non-economic spying program and agree that no theft has occurred as long as the collected data has not been examined by an analyst ? I think not.


@ Nick P, @ name.withheld.for.obvious.reasons

"It's not so clearcut."

I agree. Under the current FISC interpretations of certain FISAA and PA sections, the NSA's activities are legal under US law, full stop. Pending adoption of new legislation and/or the outcome of several court cases challenging the legality thereof, the existing framework will remain firmly in place. Personally, I think only a new Church Committee with full investigative powers can end the current climate of FUD, followed by a public debate of what is deemed acceptable, what not, and under what conditions.

The main point of concern that most NSA apologists fail to see - or choose to remain in denial about - is the huge potential of the NSA's current surveillance capabilities to be turned against the people. We have seen the Bush administration engage in illegal surveillance activities and politicians rushing through Congress all sorts of new laws to "efficiently combat terrorism" in the wake of 9/11.

Those same people today are in a position to lift any and all currently existing restrictions using the same techniques and under the same veil of secrecy. If some day the ruling elite would feel seriously threatened by a political movement demanding real change or massive uprising as a result of a new and devastating economic or financial crisis, what would possibly stop them from doing so ? Some of the reactions to OWS protests were seriously over the top, so one can only imagine what they would be if some day the US is hit by an event with a much bigger impact and popular support.

"However, the leaders who deceived the people and Congress (incl any Congress people) will be dealt with."

That's probably the last thing that will ever happen. From where I'm sitting, I'm seeing a plutocratic system with a political and financial elite that has placed itself above the law and where accountability is entirely non-existent. There's probably more than meets the eye to the Bo Xilai case in China, but I don't know of any high profile US politician having been indicted with and convicted of graft, embezzlement and abuse of power in recent history.

Clive Robinson • November 4, 2013 3:10 AM

@ Dirk Praet,

    That's probably the last thing that will ever happen. From where I'm sitting, I'm seeing a plutocratic system with a political and financial elite that has placed itself above the law...

Err the plutocrats are the law, I can't remember all the numbers but one that stuck in my head was the 57 congress critters that were in the top 1% of wealthy Americans. This 1% apparently collectively control over 90% of US (and other nations) wealth directly or indirectly.

As the saying has it "Birds of a feather, stick together" and it's noticeable that the Democrats have a policy of waving through legislation that benefits the top 1% at the expense of the bottom 80%... Then there is the legislation for the 400 or so who have 50% of US wealth under their control who benefit really nicely from various investment legislation for investment bankers, hedge fund managers and supposed funders of "start up" companies...

If you could get it through those vultures the figures from studies suggest that a 15% tax on ALL income and a 25000 dollar personal allowance would provide a considerably greater tax take and provide basic social care such as health benefits for the poor (which improves everybody's health prospects) and do no end of good for the US economy.

But as I've said before for the top 1% it's not about fiscal wealth, it's about "visible status". All of them would happily trade half their wealth in return for a doubling in the resulting "visible status" gap. Basically they want to "lord it" over all the other citizens in the US, where the Ducal and Baronial life styles are purchased along with local LEO's. It's a point Bruce appears to have not considered when talking about feudal behaviour in commerce.

name.withheld.for.obvious.reasons • November 4, 2013 6:00 AM

@ Dirk Praet

Your approach to skinning the NSA cat is sound and practical (my choice is Richard Feynman for the committee chair)...my issue is legislative answers have become ineffectual. The relevance of U.S. law is in serious question. If the basis for your operative theory is described by classic/Newtonian physics--you cannot decide that "Today, we in congress have resolved that gravity is no longer relevant" and is an example where the law is used to generate a frame orthogonal to plane of common sense (probably a strategy to keep lawyers employed). I see the legal system, in whatever country, lacks the formalism of the natural sciences (not that there isn't bias in science) and seems to be less rigorous than clinical research. Causation, causation, causation--I keep saying she's my mistress.

People here on this blog are more than generally aware of what's going on in the world, it is important that in speaking truth to power that we get beyond the vacuum of group think. A friend of my mother, Noam Chomsky, is an astute socio-political, socio-economic critic/observer. Chomsky has managed to stay asymmetric to the events (kind of a social Heisenberg) and probably has the most neutral hypothesis on governance and privilege.

For example, Wall Street created a series of instruments (CSO, CDS) based on securitized mortgages (don't even get me started on the flaw of capital valuations), knowing that banks were dumping risky loans to mortgage service companies; companies like Prime America, Country Wide, and others had a boat load of risk--and investors were leveraging the down side. Why, why isn't anyone in jail? Forty Trillion dollars in capital leverage--gone--it was the unwind that was the problem. Again, we are being screwed but I believe this time there's glass. The legislative answer, the Frank bill.

The SEC has done little or nothing to make this right. The Jamie Dimon stuff is a joke, it's the BofA, Lehman, and Goldman Sachs (good thing Paulson was at the helm of the Fed) and other big players that continue to milk the situation. What the hell is the Fed doing with 85 billion every month--their book is reaching 5 trillion dollars. Guess who's getting that bill?

Peter A. • November 4, 2013 8:09 AM

@Clive Robinson:


    They say "There are three sign posts to disaster [...] third visible to all." I'm guessing that the formation of the DHS should have been the third.

You've pinned that down, Clive. Looking back into the history, almost all the oppressive branches of governments had the word "security" in their names.

Skeptical • November 4, 2013 2:59 PM

Nick -

I don't think our views are all that divergent. Re civil law vs. common law, most of US law is now based on statute, and statutes can be as subject to interpretation as judicial precedent in common law. I think the major difference between the US and the jurisdictions of some other countries would be better captured in the distinction between adversarial vs. inquisitorial systems rather than by civil vs. common law. Because the US relies on an adversarial system, because nearly everyone who thinks himself wronged must sue to be compensated, and because the filing of a lawsuit is fairly easy and cheap to do (perhaps the easiest of countries with adversarial systems), there tend to be a lot more lawsuits in the US.

Nick & Dirk -

Regarding intellectual property and the USG, I'd strongly disagree with any claim that the government plays a role in industrial espionage, i.e. stealing secrets from one company for the benefit of other companies. There has yet to be any case that I've read of in which this occurred, and no policy or program of allowing such has ever been reported. There have been Congressional investigations and hearings on the subject, and for a time during the 1990s some publicly advocated that the USG change its policy and begin engaging in industrial espionage. But the nature of multinational corporations in the US largely undercut those arguments, and they never won over policymakers. The US doesn't have state owned enterprises like Petrobras, and it doesn't have single companies that it champions.

And it would indeed be remarkable if the USG, which has now experienced leaks of operations in almost every type of endeavor, were to somehow keep entirely secret an endeavor which would be the more susceptible to leaks than many others.

As to the US persons vs foreign persons distinction, a firm registered and doing business in the US has all the protections of any other firm within the United States. Sony's intellectual property is no less protected than Apple's.

Dirk -

Nations in the EU have better privacy laws so far as enhancing an individual's power over his information against that of businesses (I hope the US follows at some point soon), but I do not think the laws of any country in the EU are significantly better in protecting the individual against government surveillance. I don't have any citations to articles in legal journals convenient, but I'd imagine that the latest story in The Guardian contains some helpful information.

I'm not sure I understand your point with respect to Icelandic free speech and press law, though. What does that have to do with this?

Appreciate all the good points you both are making by the way, and the discussion in general. I'm only sorry I wasn't able to address all of them.

Dirk Praet • November 4, 2013 8:14 PM

@ Skeptical

    The US doesn't have state owned enterprises like Petrobras, and it doesn't have single companies that it champions.

Correct. In the US it's actually the other way around where for all practical purposes corporations and special interest groups own the government. And which is exactly why the USG is pushing so hard for tough laws on copyright, intellectual property and other trade secrets protection while on the other hand opposing any hard and very much needed regulation on financial and other markets.

Despite the claims that it doesn't do industrial espionage, the USG through the NSA does engage in all sorts of economic espionage, and which is a proven fact (Petrobras, Belgacom, SWIFT). It's only a thin line from economic to industrial espionage. You may take your government's word for it, but even without any smoking guns, I don't, and which probably goes for much of the rest of the world too. With some US officials making the most absurd statements and others even getting away with lying about these programs in Congress, I don't see any reason why anyone would believe anything a US official is saying about them.

Any which way you turn it, the USG today has a serious image and credibility problem, and it is going to take more than the current denials and apologies to regain the trust it has lost on the world stage.

    but I do not think the laws of any country in the EU are significantly better in protecting the individual against government surveillance.

Yes, they are. In general, surveillance in these countries can only legally take place after prosecutors secure a court order for a specific case, as opposed to the secret clearances for blanket surveillance issued in the US.

    I'm not sure I understand your point with respect to Icelandic free speech and press law, though.

Strong laws about freedom of information, press, expression and speech are the foundation of any people's protection against its government. It's something your Founding Fathers had very well understood too when drafting the Bill of Rights, the Constitution and the first amendments to it.

averros • November 5, 2013 3:19 AM

@Clive Robinson, @Nick P.

Socialism is defined by this idea of equality of outcomes. There's no ifs or buts about that. This equality can only be achieved by either violent suppression of those who are for some reason more successful, or by making all people literally equal, like clones. Both approaches were tried by various socialist regimes - the second one never worked (except to serve as a Procrustean bed for those smarter or otherwise better than others - a Soviet saying goes like "The nail which sticks out gets hammered"), so the whole shebang immediately turns violent after it gets a free rein. Violence is inherent in the socialist idea, there is absolutely no way to get around this fact. This violence is always directed at the best - so the intellectual potential of a nation which turns socialist is quickly destroyed, by either attrition through out-migration, or through physical elimination of "bourgeoisie". History of *all* countries where socialism managed to become overwhelmingly dominant ideology is the history of massive atrocities.

So, socialism is evil. Not all evil is socialist, of course, but claiming that all these socialisms were somehow bad, and this new shiny American one is different is just ignorant. It is still evil, and the only reason this evil didn't turn murderous yet is because there's still resistance from those of us who didn't sleep through the 20th century history lessons.

Now, fascism and socialism are very close; and in fact, fascism branched out from socialist movements (esp. in Germany, let's not forget that Nazi stands for national SOCIALISM). The myth that socialists are left-wing while fascists are right-wing is just propagandist creation: the actual platforms of German communists and fascists were quite close, so fascists decided to differentiate by claiming "the third way" and by portraying themselves as aligned with the whole society, not just with proletariat. They did push that "right-wing" image quite consciously (and, besides, back then "right-wing" meant nationalistic; it still retains this connotation, even in the modern-day America). There's ample evidence that their electorate was one and the same, so the fascist/communist squabble was just infighting between close sects for dominance, not a principled ideological struggle.

Nationalism is also related to collectivism; the rise of nationalism was linked with democratization. During ancien regime, nationalism was completely pointless, since the rulers were members of the same family, and all these little wars were, in fact, family squabbles. For that reason it was quite common and acceptable for members of nobility to move between countries and choose the allegiance. Even military officers were known to choose the sides freely, and it was not considered a treason (for a stark illustration, consider that Dumas' "Three Musketeers" has a plot line revolving about officers of a country at war visiting the court of the enemy and being treated not as combatants but as guests). As for the peasants, they couldn't care less who was the boss, unless the new prospective boss was known to be particularly nasty.

So the nationalism appeared when the parliamentary politics overwhelmed power of the Family, necessitating replacement of the system of allegiance to specific monarchs with allegiance to the idea of a nation - which was duly created by means of propaganda both fostering the sense of exceptionalism and portraying other nations as degenerates. Because most members of the public didn't yet develop any mental resistance to this kind of manipulation, the result of the rise of nationalist idea was the popular clamor for wars at the slightest "provocation" (and thus WWI has been ignited). Nationalism, just like its cousin socialism, is a fundamentally collectivist system of beliefs: while socialists sort people by classes (and believe that class affiliation overrides individual differences) the nationalists do the same sorting people by affiliation with nations. Both do not see individuals behind the collectives. So it is not surprising that there's quite a lot of common ground between these beliefs (including really schizophrenic combinations, like American neo-conservatives who manage to combine rabid nationalism with Trotskyist radical internationalism through the export of Revolution (er, democracy) by military means).

@Clive: Thank you for the advice to read Chomsky (I already did... though he keeps tripping my BS detectors). In some places he's solid, especially his critique of modern corporatist regimes. His prescriptions are insane, it is as if he manages to hold two completely compartmentalized views of the world, without any hint of understanding of the links between his ideology and the reality which he critiques.

@Nick P.: The examples you provide are not failures of "capitalism" per se. They are failures of the corporatist system, in which government shields the people behind the artificial veil of limited liability: this, essentially, allows executives and shareholders to benefit from sale of dangerous, toxic, polluting, etc products while protecting them from the losses resulting from prosecution. I can bet that if the board members and executives were personally liable for damages in product liability cases, and shareholders were liable for compensating the victims out of their past gains, there would be a lot less Pintos, Vioxx-es, and other dangerous crap on the market.

Skeptical • November 5, 2013 11:05 AM

Dirk -

I don't think it's a thin line from espionage to collect economic information, i.e. the gathering of information to enable a government to make better assessments of economic variables in a foreign country, to industrial espionage, i.e. the gathering of commercially valuable information from one company in order to give it to another company. I think it's a very bright and clear line. It's the same line that separates collecting political intelligence on Iran as part of a foreign intelligence mission, and collecting such intelligence in order to provide a company with a competitive advantage.

Incidentally, of the three examples you mention (SWIFT, Belgacom, Petrobras), only one likely involved the gathering of intelligence mainly to assess economic variables (Petrobras). The purpose of the SWIFT surveillance is to identify illicit money flows, particularly the financing of international terrorist organizations. Belgacom was to identify the means for additional intelligence collection (and was reportedly a UK operation, no?).

None of them has any plausible reported connection with industrial espionage.

As to whether anyone believes what the USG states with respect to industrial espionage, I've yet to hear of any non-US company pulling research and development facilities from the US because of such concern. Nor have I heard of any plausible case in which a non-US company had its IP stolen by the USG and given to a US company. So insofar as actions speak louder than words, I see very little belief that the USG engages in industrial espionage.

Re corporate influence in the US and financial reform, the US passed a raft of new regulations after the financial crisis, and its financial system is in very good shape. Businesses collectively can be very influential with respect to US law, of course, but that's beside the point: whereas the PRC can easily identify a state enterprise that would benefit from the theft of IP from, say, Google, the USG has no such easy choice. Instead there are competing companies, none of which will be happy if you use government resources to benefit one over the other. The outrage and outcry from such an event would be very loud.

Re surveillance in EU states vs US, within the US, the government cannot collect the content of electronic communications without a warrant. It can obtain metadata without a warrant. I don't believe (I'm happy to be corrected if wrong) that the situation is significantly different in any EU state.

Re freedom of speech, the only advantage I see in Iceland over the US with respect to this issue is the possibility of a journalist shield law, enabling a journalist not to be compelled to disclose a source. But it seems that Iceland is still moving to actually implement that law. In other respects, such as prior constraint, the US is actually a better alternative (it's almost impossible to prevent the press from publishing something in the US, though you can certainly ask them to refrain). Moreover, it is almost impossible to weaken those free speech protections in the US that derive from the US Constitution. It seems that such laws are much easier to change in Iceland. So, overall, I still view Iceland as a reasonable alternative to the US, but I'm not persuaded that it's more attractive.

Long story made short, the jurisdictional question is not clear-cut to me at all.

Anon • November 5, 2013 10:28 PM

@Dirk

I don't know what you consider a high profile US politician, but the Illinois Governor Blagojevich was removed from office in 2009 and is currently serving a 14-year prison term.

Anon • November 5, 2013 11:34 PM

@Dirk

The US has stronger protection for freedom of speech than almost anywhere in Europe. The US 1st amendment is almost absolute, while the European free speech protections have numerous exceptions, such as prohibiting insulting any of several protected groups.

Dirk Praet • November 6, 2013 11:03 AM

@ Skeptical

    The purpose of the SWIFT surveillance is to identify illicit money flows, particularly the financing of international terrorist organizations.

It was with this purpose in mind that the EU (reluctantly) approved the SWIFT data-sharing agreement with US authorities. But a while ago, Snowden docs showed that the NSA was still spying on SWIFT beyond that treaty. The secret monitoring at a non-US banking entity and on foreign soil of international financial transactions that have nothing to do with terrorist money flows in my book constitutes economic espionage, full stop. And which is why some EU politicians like EP president Martin Schulz have called for the suspension of the SWIFT treaty pending a full investigation.

    Belgacom was to identify the means for additional intelligence collection

Belgacom is Belgium's partly state-owned largest telco and ISP. It is suspected they were targeted for their BICS telecommunications operations in Africa and the Middle East, and because some EU institutions communications traffic is going through them. Irrespective of the purpose, Belgacom is not a military or political but a corporate entity. It is also a fine example of how the NSA and GCHQ seem to be collaborating to work around certain legal restrictions. As apparently also in GCHQ on behalf of the NSA intercepting Google/Yahoo inter-data center traffic on UK soil, as recently claimed by a new article in the Washington Post.

    As to whether anyone believes what the USG states with respect to industrial espionage ...

As I previously said, it all boils down to trust. I get the distinction you make between economic and industrial espionage, but for me they are just two different instances of the same sort of activity that is meant to gain an unfair economic advantage over another party. Whether that party be a corporation or a nation state to me is an artificial distinction only. Your mileage may vary.

    the US passed a raft of new regulations after the financial crisis ...

I suppose you are referring to the Dodd-Frank Act ? That was definitely a step in the right direction, but in my opinion insufficiently brings back the former Glass-Steagall Act. You do know that Dodd-Frank remains heavily under fire by certain GOP members still trying to repeal it ?

    Re surveillance in EU states vs US, within the US, the government cannot collect the content of electronic communications without a warrant.

The distinction between content and metadata so far is only made in the US. In the EU, metadata is also surveillance that requires a court order, and for specific cases only. The EU does not have an equivalent of the FISC that can issue secret orders for blanket surveillance through telco's like AT&T or Verizon.

Some German and Dutch politicians have recently tried to use the same line in defense of NSA spying allegations in these countries, and have been met with disbelief and outrage by media, the public and even members of their own parties. Dutch Home Secretary Roland Plasterk today was formally sued over his NSA "metadata" defense by a broad coalition of Dutch citizens and organisations.


@ Anon, @ Skeptical

    The US has stronger protection for freedom of speech than almost anywhere in Europe.

Judging from the way the administration and LE reacted to OWS, some LEA's even comparing it to "domestic terrorism", I'd say that's probably only in theory so. I am open to specific legal references and comparisons, though. From where I'm sitting, much of your constitutional rights have been seriously eroded by the FISC's interpretation of PA 215, and which is exactly the basis of several ongoing courts against the USG claiming it is violating the 1st, 4th and 5th amendments.

    I would agree the US privacy protections are more narrow in scope than many European privacy laws, but that hasn't stopped European countries from having their own spying scandals.

Most certainly so. And those responsible for them should be held accountable for their deeds just as any other criminal.

    Illinois Governor Blagojevich was removed from office in 2009 and is currently serving a 14-year prison term.

I didn't know about that. Thanks for the heads-up.

Skeptical • November 6, 2013 3:56 PM

Dirk -

All EU states have courts that can secretly order electronic surveillance.

Moreover, to my knowledge, many EU states can order electronic surveillance conducted for intelligence purposes without the involvement of any court at all.

I don't regard that as a significantly superior state of affairs to the United States. In fact, it seems far more susceptible to abuse and far less subject to oversight.

Re industrial espionage, regardless of whether the distinction is important to you personally, it makes a great deal of difference to companies. It means that a company need not fear that the USG is conducting operations against it in order to feed information to a competitor. And that's fairly important.

Re Belgacom and SWIFT, in both instances (again, so far as I am aware: I don't adhere to any of my claims as articles of faith), the ultimate object is foreign intelligence, not industrial espionage. That Belgacom is privatized doesn't really matter from an intelligence vantage.

Re metadata and content, I'll defer to you on the subject.

Re free speech, I disagree that Section 215 of the PATRIOT Act has eroded any constitutional protection of free speech. The collection of business records into a protected database prior to a government search is a novel extension of the USG's power in this area, no doubt, but the 4th Amendment doesn't prohibit it (and it'd be very hard to see how it violates the 1st Amendment). One of the difficulties faced by plaintiffs in bringing lawsuits against the USG alleging surveillance in violation of the First Amendment is the establishment of a chilling effect. That is, they can't show that government surveillance has suppressed or discouraged any protected expression.

Re OWS, some of the reporting on this subject is mostly hype. Protests in the US are subject to what are called time, place, and manner restrictions. So a local government cannot prevent neo-Nazis from marching through a town in which 1 in 6 residents is a survivor of the Holocaust simply because local government officials find the neo-Nazis repugnant (in fact they'll have to provide police protection to enable the march). But the local government can require the march to comply with rules designed to ensure public safety, allow for traffic flow, and so forth. What brought OWS into conflict with the police in the US was never the content of their views (very multi-faceted content at that!), but the manner of the protest. The occupation of public (leaving technicalities aside) parks for weeks and months on end almost inevitably ends up violating numerous local regulations concerning public health and safety. This isn't to lessen the importance of individual acts of police officers that were excessive (or to excuse the individual acts of some OWS protesters that were excessive), but to point out that the actual conflict between OWS and the police had nothing to do with free speech or viewpoints.

Dirk Praet • November 6, 2013 7:02 PM

@ Skeptical

    All EU states have courts that can secretly order electronic surveillance.

You are not listening. Of course there are, but only with a warrant, on a per case basis and never for the same kind of blanket surveillance as the FISC in the US. How many times do I need to repeat that ? If you believe otherwise, please be so kind as to back up your claims with factual evidence and/or references.

    It means that a company need not fear that the USG is conducting operations against it in order to feed information to a competitor.

I repeat myself yet again: it boils down to trust. It's something you believe and I don't. Since obviously we are having irreconcilable differences on this topic and no one else is interested, I propose we lay it to rest for now.

    The collection of business records into a protected database prior to a government search is a novel extension of the USG's power in this area, no doubt, but the 4th Amendment doesn't prohibit it

That's a FISC opinion only, until recently secret and currently object of several lawsuits brought against the USG as - I repeat myself - a violation of the 1st, 4th and 5th amendments to the US Constitution. Any which way you turn it, the blanket collection of metadata under PA 215 constitutes "seizure", irrespective of that being done by humans or machines and in my opinion is unreasonable with respect to the communications metadata of people that have done nothing wrong and are not suspected of any crime. Your mileage may vary and we will just have to wait how these suits turn out.

    What brought OWS into conflict with the police in the US was never the content of their views, but the manner of the protest.

The entire world has witnessed on TV and other media how hard the police came down on some protests that were entirely peaceful and orderly. Remember the idiot who pepper sprayed some defenseless UC Davis students and instantly became an internet meme ? But morons are morons and that's not my point.

My point is that under the authorities granted by the PA, FBI and DHS - irrespective of the way individual protests were carried out - investigated and monitored a movement and individuals exercising their right to free speech as a possible criminal organisation and form of domestic terrorism. This was revealed from internal FBI papers obtained by the Partnership for Civil Justice fund via a FOIA request. Which tells me that freedom of speech in the US nowadays seems to be a very relative concept and a possibly dangerous activity to engage in, especially when you're going against Wall Street.

That said, I would like to propose a temporary recess for now. It is by now obvious that we have very different opinions on a great number of things and that neither one of us can convince the other. That's perfectly OK with me, especially because in my opinion you do a much better job defending the USG's views than many of its officials do. What I would like to ask you, however, is that in further discussions you would put in some extra effort in documenting and referencing some of the claims you are making. I know I do and it only makes for better reading and a higher level of discussion to bring on substantiated opinions than views we can only guess where they're coming from.

Figureitout • November 6, 2013 8:02 PM

    The entire world has witnessed on TV and other media how hard the police came down on some protests that were entirely peaceful and orderly.
    Dirk Praet

--Yep, this is why I say protests are going to the tech world. Those protests really...changed nothing besides being yet another indicator how pissed off people are getting. The latest LAX shooting, the guy only wanted to kill TSA/police. I used to joke about how routine traffic stops would turn into anal cavity searches, well it's no longer funny... Sure makes me want to leave this country.

Anon • November 6, 2013 8:06 PM

@Dirk

I know we've been over this before, but why do you keep repeating the same absurd claims about metadata? That metadata is not protected under the 4th amendment represents over two hundred years of judicial precedent, not just the FISC opinion. Phones have been somewhat common for ninety years now and a court has never adopted your novel theory that telephone records are protected under the 4th amendment.

Dirk Praet • November 6, 2013 9:45 PM

@ Anon

    That metadata is not protected under the 4th amendment represents over two hundred years of judicial precedent,

No, it doesn't, and for the simple reason that we are not just talking envelopes and phone records. The extrapolation from a telephone pen register (as in Smith vs. Maryland; 1979) or the outside of a postal package (as in Ex parte Jackson; 1878) to digital communications metadata in a context where communication has changed beyond recognition is a FISC only thing. And it's like applying rules about the use of bows and arrows to nuclear weapons.

I may also add that in the EU, The ECtHR’s ruling in Malone vs. the UK (1984) was that “envelope” information (traffic data) is protected by Article 8 of the ECHR.

If you want to continue this discussion, bring on facts and references instead of gratuitously calling someone's statements absurd.

Rolf Weber • November 7, 2013 2:25 AM

@Dirk Praet
What's wrong about Smith v. Maryland? It was a Supreme Court ruling about phone call metadata, and the "blanket surveillance" you are referring to (Verizon) is about phone call metadata, too. Of course Smith v. Maryland fits very well here, and as long as it is not overcome by another Supreme Court ruling, or the law is not adapted, everybody in the U.S. has to consider this as current law.

I agree with you that Smith v. Maryland doesn't necessarily fit for "modern metadata" like email metadata, but I'm not aware of any proof that email providers were forced to hand over bulk email metadata.
Interestingly, Apple recently said it never received such a request, and it would most likely challenge it:
http://arstechnica.com/tech-policy/2013/11/apple-takes-strong-privacy-stance-in-new-report-publishes-rare-warrant-canary/
I assume others like Google or Microsoft to do the same, in case.

Dirk Praet • November 7, 2013 5:54 AM

@ Rolf Weber

    What's wrong about Smith v. Maryland?

You may wish to go back a bit on this blog where I comment on the origins of the current FISC opinion and the possible ways to get a SCOTUS verdict overturned. In short, the so-called "third party doctrine" is primarily based on Smith v. Maryland and United States v. Miller (1976), which involved subpoenas to two banks to produce a customer’s financial records.

    I'm not aware of any proof that email providers were forced to hand over bulk email metadata.

They don't have to when the NSA/GCHQ for all practical purposes is directly tapping into internet back bones. As to the carefully crafted word games from Apple and the other PRISM associates, they have been discussed plenty of times before and I'm not going to comment on them again. As with a number of other issues, it's a matter of trust, mandatory compliance with US LE requests and restrictions imposed upon them through gag orders.

Rolf Weber • November 7, 2013 7:36 AM

@Dirk Praet

With "What's wrong about Smith v. Maryland?", I didn't ask if this was a good ruling or not. It is a matter of fact. The Supreme Court ruled that phone call metadata is not protected by privacy. Of course Verizon has to consider this.

Your other comments are hardly a reply to my points.
Besides that tapping into internet backbone is not sufficient, because nowadays a majority of email providers already support STARTSSL. And besides it is still not true that the companies' PRISM denials were "carefully crafted word games" (fact is, the denials were strong and unambiguous): These were not my points here.
My point is that there is no proof at all that email providers are compelled to hand over bulk email metadata. And that if the government should ever try it, the companies had very good chances to challenge it, because Smith v. Maryland is about phone call metadata, not email headers.

Dirk Praet • November 7, 2013 9:56 AM

@ Rolf Weber

> because Smith v. Maryland is about phone call metadata, not email headers.

The authority under which the NSA collects digital metadata in the US is derived from the FISC's interpretation of PA Section 215, and for "foreign" communications (metadata and content) from FISAA Section 702, and which is partly based on the precedents set by Smith v. Maryland and United States v. Miller. That's been said plenty of times. Try paying some attention.

> And besides it is still not true that the companies' PRISM denials were "carefully crafted word games"

That's your opinion. I beg to differ. Look up some 3rd party dissections of their denials, like for example here.

> Besides that tapping into internet backbone is not sufficient, because nowadays a majority of email providers already support STARTSSL.

Which is relatively new, by the way. Try reading some technical articles on the subject and the dates when SSL and PFS were introduced. I suppose the Yahoo/Google intra-datacenter fiber snooping was not happening either and is yet another blatant lie by Edward Snowden ? Or the revelations on Skype monitoring and the NSA's interference with Hotmail/Outlook encryption ?

To cut a long story short: I believe you would definitely benefit from reading up on past threads on this forum that covered most, if not all of these topics. And there is of course plenty of other media too. It serves strictly no purpose whatsoever to keep revisiting the same discussions time and time and again without affecting your credibility or raising suspicions of some hidden agenda.

Skeptical • November 7, 2013 12:04 PM

Dirk -

I bring up the fact that all states in the EU have courts with the capability to issue secret orders only because you referenced the "secret" FISC as a relative disadvantage of the US as a jurisdiction. My point is simply that the "secrecy" of courts is not any greater in the US than in the EU. Indeed, as courts in the US do not act as investigating bodies, directing law enforcement, as they can in some EU countries, I view the courts in the US as preferable in some ways.

As to the ability of intelligence agencies within the EU to conduct electronic surveillance without a court order, a quick search produces this page from Germany's domestic service, which contains the relevant information. I don't have a quick reference convenient for the DCRI, but perhaps French capabilities here are sufficiently well known that such a reference is not necessary? A search for DCRI in this 2011 report from the European Parliament (it's a PDF) would likely produce relevant substantiation.

Re industrial espionage, I don't think it boils down to trust but rather evidence. The complete lack of any indication of industrial espionage despite leaks of everything from covert programs aimed at Iran to clandestine monitoring of SWIFT to the 58,000 documents released by Snowden is, in itself, telling. And industrial espionage would be an item most vulnerable to leaks and discovery. A dog that does not bark can still convey information.

To all that, I would add the findings of Congressional investigations such as the Aspin-Brown Commission, which wrote in its final report:

> The Commission strongly agrees with the current policy and practice prohibiting intelligence agencies from clandestinely collecting proprietary information of foreign commercial firms to benefit private firms in the United States. The role of the Intelligence Community is to provide support to the Government, not to the private sector. However, where intelligence agencies obtain information that U.S. commercial firms, through unfair trade practices such as bribery or "kickbacks," are being placed at a disadvantage in obtaining a contract with a foreign government, or where a foreign government is otherwise involved in the transaction, the Commission believes intelligence agencies should continue to report such information to the Departments of State and Commerce.

Congressional investigations, leak after leak, and the extremely consistent and adamant statements from those currently and formerly employed by the agencies of the USIC continue to hold up.

My conclusion regarding industrial espionage is based on the evidence, not trust. If that evidence changes, I hope that I would not hesitate to change that conclusion.

Re OWS, the FBI did some monitoring of the various protests to ensure that violent groups were not exploiting the protests for their own purposes, to determine what the intentions of the protests actually were, and, as the documents you link to show, often to protect the OWS protesters themselves against threats made against them. As I said in my original comment, I don't want to minimize the importance of individual acts of abuse (like that terrible incident at UC Davis you reference), but as a policy and overall, First Amendment rights were well protected. Much of the footage you're remembering likely derives from events when the police acted to evict the protesters from their encampments, a process which did include physical confrontations.

Re telephone metadata collection, there's not much question as to the constitutionality of the collection. For the Fourth Amendment to apply, the government must have intruded into an area as to which an individual has a reasonable expectation of privacy. Because telephone metadata is given to the phone company, and used by the phone company in billing you, the courts have long held that such metadata is not within the ambit of a reasonable expectation of privacy. The courts have applied similar reasoning in establishing why information given to others in a variety of contexts (accountants, friends, co-conspirators, and others) is not subject to a reasonable expectation of privacy within the protection of the Fourth Amendment. This part of the decision isn't a quirk of the FISC; it's settled law.

That said, and as Justice Sotomayor noted in US v. Jones, it may be that in the future the US Supreme Court will revisit the question of third party disclosures. Perhaps the revisit will occur in this context, though I doubt it.

First and Fifth Amendment claims here would have very little merit.

It's more arguable as to whether Section 215 actually authorizes such a broad collection, but the FISC is on solid ground in its ruling that it does, and overturning the ruling on appeal could be quite difficult.

Of course, to tie this back to our original discussion concerning the merits of different jurisdictions, if the US had a data retention law as do some states in the EU, such broad collection would be unnecessary.

And now I notice the (very polite) request for a recess at the bottom of your comment! I apologize for the lengthy response here. If you or anyone wishes to continue the discussion in light of the references I've provided here, please feel free. And if not, then my thanks for an interesting discussion, and for forcing me to re-examine some of my intuitions and ideas.

Rolf Weber • November 7, 2013 3:57 PM

@Dirk Praet
You blame me I would "revisit the same discussions", but it was you who digressed to the PRISM discussion. My comments here were only about the metadata discussion, but you switched the discussion back to PRISM. If you don't want to "revisit the same discussions", my suggestion is to just not start it.

Regarding the authority to collect metadata, I already told you that this authority is only clear for phone call metadata, but not for email metadata. NSA's or even FISC's interpretation is not settled law. My points are, and you did not yet respond to these points:
- there is no proof that any email provider received a bulk metadata request so far
- even if there is such a request, the companies had good chances to challenge and push back those requests
It is settled law that phone call metadata is not protected by privacy, but not email metadata. And I referenced this with Apple's statement.

Regarding the PRISM denials, I prefer to read on my own rather than rely on others' interpretations. The companies clearly denied the reports about a "direct access" unambiguously, even in the "official" statements, and for example David Drummond added "There is no free-for-all, no direct access, no indirect access, no back door, no drop box". This is all but a lame response. I wonder what response you would consider an unambiguous denial.

Regarding STARTTLS (sorry for my typo above), I recently read a report that 96% of all commercial German email providers support it. Other email servers do not perform that well, but it clearly shows that obviously already today big parts of email communications are transferred encrypted.
Your claim was that the agencies don't need to compel the email providers to hand over bulk email metadata, because they can just tap the internet backbone. But this claim is simply not true, because considerable parts of communications are already encrypted.

You further said:
> I suppose the Yahoo/Google intra-datacenter fiber snooping
> was not happening either and is yet another blatant lie by
> Edward Snowden ? Or the revelations on Skype monitoring
> and the NSA's interference with Hotmail/Outlook encryption ?

I'm at a loss. What do you want to say?
I never said the NSA didn't tap Google's internal network. Of course they did, I think this is clear, since Google engineers validated the reports.

Anon • November 7, 2013 7:59 PM

@dirk

Some of your comments regarding international law seem odd. Contrary to your claims, the US is a very active proponent of international law in its role on the security council and by contributing troops to peacekeeping missions. However, great powers use many tools to control the actions of other states and international law is just one of the levers of power that the US can bring to bear.

Dirk Praet • November 7, 2013 9:02 PM

@ Skeptical

> As to the ability of intelligence agencies within the EU to conduct electronic surveillance without a court order, a quick search produces this page from Germany's domestic service, which contains the relevant information.

In Germany, permission for a wiretap in the broadest sense of the word needs to be requested from the Home Office, that in its turn relays it to the G10-Kommission, an independent body of parliament that examines the request. The G10 in a way is similar to the FISC, albeit that it is not secret, that it can't differentiate between content and metadata, and that it cannot approve of any type of blanket wiretapping (AT&T, Verizon) because that would be in violation of Article 10 of the German constitution.

Any type of surveillance that may constitute a violation of someone's privacy rights is subject to additional legal restrictions as indicated in the link you are referencing: "In no case may the Verfassungsschutz violate the core area of a personality right, which in particular includes the intimate sphere."

Stricto sensu, you are however correct that the G10 is not a court or part of the judiciary branch, so surveillance in Germany can indeed be done without a court order.

> perhaps French capabilities here are sufficiently well known that such a reference is not necessary?

A while ago, Le Monde published an article claiming the DGSE, France's external intelligence agency, is operating a vast domestic and international program of NSA-style surveillance. A serious embarrassment to the French government, because if true these programs are completely illegal both under French and under European law. I have no doubt other European spy agencies are doing the same thing, but contrary to the US the legal basis thereof is extremely questionable. Unless of course there is stuff going on the public is totally not aware of, as in the US pre-Snowden.

Re. industrial espionage

I am familiar with the official US policy and I cannot offer any proof to the contrary of instances where the US IC handed over foreign corporate IP or trade secrets to US companies. There is however no denying that the US does engage in economic espionage which I believe on a state level can be just as damaging.

> Re OWS, the FBI did some monitoring of the various protests

I believe you are overly minimising the FBI's (and other agencies') disposition towards OWS, but I guess that's a matter of opinion. Do remember that the 1st Amendment not only allows the freedom of expression, but also the right of the people to "peaceably" assemble. Historically, the US doesn't exactly have a pristine track record on the latter, especially when movements are involved that are perceived as a threat to the establishment. It was not different with OWS.

> Re telephone metadata collection, there's not much question as to the constitutionality of the collection.

There is none. My problem is with the FISC's interpretation of PA 215 with regards to blanket metadata collection of other, digital communications (SMS, chat, email, social networking etc.). Then again, in the days of Smith v. Maryland, a phone was a simple landline. Today's smart phones are small and mobile personal computers revealing quite some more metadata information about their owners than 35 years ago.

> if the US had a data retention law as do some states in the EU, such broad collection would be unnecessary.

Probably true. Although the 2006 EU Data Retention Directive is a bit of a mixed blessing in more than one way, at least a court order is required for LE to access any type of information. That's still a bit different from a government doing all the collecting itself and a public hoping the necessary checks and balances are in place to prevent abuse.

Thanks for the interesting pointers, by the way.


@ Rolf Weber

> - there is no proof that any email provider received a bulk metadata request so far
> - even if there is such a request, the companies had good chances to challenge and push back those requests

In 2008, Yahoo challenged a court order (probably an NSL) requiring the company to give out data without a warrant. They lost. What kind of data do you think that was ?

If - according to your own statements - there is no direct access, then the PRISM associates receive requests and hand over the requested data in one way or another. But which in this particular case begs the question: why would Yahoo fight any court order if it's a request pertaining to one particular individual (or series of persons) ? And why would such a court order have come with a gag that didn't even allow Yahoo to reveal or discuss ? I believe the answer to these questions is very clear. And how it all relates to PRISM.

You are also ignoring the Lavabit case (extensively discussed on this forum in more than one thread ; hint). Following Levison's refusal to hand over all pen register information pertaining to one account (Snowden's), they were pressured by the FBI to provide private SSL keys for all traffic, which would have meant access not just to metadata of one account, but full access to all its users communications. At which point he shut the service down. He too fought an NSL about access to bulk email data. And lost.

> I recently read a report that 96% of all commercial German email providers support it.

They do now. Only in August - following the first Snowden revelations - a grouping of large and smaller companies – including state-owned Deutsche Telekom, GMX and web.de – started the "Email Made in Germany" initiative to vamp up all email services with TLS/SSL. More recently, Deutsche Telekom has also put forward new plans for a national internet network, where emails between German users would no longer have to go via foreign servers.

@ Anon

> Contrary to your claims, the US is a very active proponent of international law in its role on the security council

Only when it suits them. Like all other permanent members of the SC. Since the dissolution of the Soviet Union, the US has become by far the most frequent user of the veto power. And on the other hand has a habit of pushing through its own agenda even if it can't get the rest to follow. Remember the 1st Iraq War ? A real team player and a very active proponent of international law in the UNGA and UNSC indeed.

anon • November 7, 2013 10:14 PM

@dirk

I don't think lavabit is a good example of a bulk data request. If he had complied with the request for one user's data, they never would have asked for his private keys. To the extent that the government made a bulk data request due to lavabit, Levison is 100% responsible. If you believe that bulk data requests are wrong, then you must agree that Levison is an evil person for forcing the government to demand his private keys.

Rolf Weber • November 8, 2013 2:02 AM

@Dirk Praet
Regarding Yahoo and the court order it challenged, I doubt it was an NSL requesting bulk metadata. I read the article, and I think it is much more likely it was about the content of one or more isolated accounts (without a warrant). But I confess it's hard here to argue in favour of the USG because of all this stupid secrecy. The USG does a lame job here and I really hope the companies will eventually overcome with their demand for much more transparency.

Regarding Lavabit, I second anon's reply. You are absolutely wrong with your claim that Lavabit received an NSL (I remember an interview with Levison where he said he _worried_ that he could receive a bulk NSL, that would have been one reason why he offered cooperation at some point).
The court documents about the Lavabit case were published in the meantime, so everybody can read on his own to see what really happened. I read all of these documents. Did you?
What happened was not what the press suggested in the headlines (why does this remind me of the "direct access" PRISM stories? ...). Only one person is responsible for the demand to hand over SSL-keys, and this person is Levison. If he had cooperated in a _single_ request for metadata, nothing else would have happened.
I already posted a summary about the court documents, but I'm sorry it's only in German:
https://plus.google.com/108398551666706493267/posts/heujbYnxxob

Regarding STARTTLS, I think its wide distribution started right before Snowden's revelations, but either way: Deutsche Telekom's push for a balkanization is completely unnecessary, at least now and in Germany.

Dirk Praet • November 8, 2013 3:38 AM

@ Rolf Weber

Re. Lavabit

My bad, apologies. s/NSL/search order . Brain farts and memory slip-ups sometimes happen at 4AM in the morning. But the outcome was the same. It started as a single request which for all practical purposes ended up as a bulk request, so there's your proof. Whether or not Levison called that upon himself is a side thought (although I do agree that he did).

Re. Yahoo

On December 14th 2010, Twitter received a DoJ subpoena accompanied by an NSL in relation to ongoing investigations of WikiLeaks. While only five people were individually named within the subpoena, the order effectively entailed the collection in relation to criminal prosecution of the personal identifying information of over 600k Twitter users, principally those who were followers of WikiLeaks. That's a bulk request, and a documented fact because Twitter was successful in appealing the gag order.

Most analysts believe something similar happened to Yahoo, and you are probably standing alone in your opinion that the Yahoo request was for some isolated accounts. Unless of course their army of lawyers was as short-sighted as Levison in turning down a request for one or more single accounts knowing only too well that no matter what the DoJ would come back at them in full force, and with a vengeance.

Re. Germany

Check your facts. The "Email Made in Germany" initiative was post-Snowden.

Rolf Weber • November 8, 2013 8:00 AM

@Dirk Praet
Regarding Lavabit, I don't agree that it ended up with a bulk request. The request was still only related to metadata of a single account. The fact that the government had the technical means to gather bulk data with the SSL-keys, doesn't turn the request itself into a bulk request. It would have been highly illegal if the government had misused the keys that way.

Regarding Twitter, I don't see any evidence that Twitter handed over bulk user data. I only see that you can interpret the order this way. I bet Twitter didn't, and I don't see evidence they were forced to hand over bulk metadata. Correct me if I overlooked something.

Regarding Yahoo, I don't rely on analysts, I only believe in clear proof. Especially if I assume a claim to be implausible. I had been betrayed too often.

Regarding Germany, I didn't mean the "Email Made in Germany" initiative (which is, in my opinion, a waste of time even to think about it). I meant the widespread use of STARTTLS, which began right before the Snowden leaks.

Skeptical • November 8, 2013 11:15 AM

Dirk -

Your description of the request served on Twitter is (unintentionally!) misleading I believe. First, just a small point, the numbers are 5 named individuals and 6,000 (not 600,000).

But more importantly, the 6,000 number (given by the attorney for one of the named people) derives simply from the portion of the request that asks for records concerning the origin or destination of any communications sent to or from the requested accounts. Copy of request.

That's no more a bulk request than if a subpoena were served on a phone company for records associated with a particular customer. The records will include the numbers of anyone who has communicated with that particular customer's number, but that hardly makes the subpoena into a bulk request.

I believe Twitter duly informed the 5 named people of the request.

A bulk request could be defined as a request that does not specify particular individuals, but rather asks for records associated with any individual falling into certain parameters. Even that definition might not capture what we want. Some requests, e.g. a request for the names of all persons who attended a particular event at which a homicide occurred, could be considered "bulk" but are also clearly well defined. The touchstones for grand jury subpoenas in US law, which also governs requests under Section 215, are among other things reasonableness and relevance.

Re Yahoo!, a redacted copy of the Foreign Intelligence Surveillance Court of Review (FISCR) decision on that company's appeal is already available. While the decision itself, available here, has been published (redacted) for some time, the moving party's identity was withheld until a few months ago.

Reading the lines that are visible, the order originally served on Yahoo! appears to ask for assistance in obtaining information about persons outside the United States who the Attorney General has probable cause to believe to be foreign powers or agents of foreign powers. The order was served on Yahoo! pursuant to the 2008 amendment to FISA, entitled the "Protect America Act" (which was set to expire, and did expire, a short period of time later). Essentially it allowed the government, by certifying that it had probable cause to believe certain things, to legally compel an electronic communications provider to provide assistance in acquiring certain information without first obtaining a warrant. Yahoo! refused, the government sought an order from the FISC, which was granted, and Yahoo! then appealed to the FISCR, which upheld the FISC's decision.

It is not clear from the FISCR decision as to what the technical nature of the assistance requested of Yahoo! was. However, in its motion to be permitted to publish precise statistics as to the number of different types of government requests, and the number of accounts affected by each type, Yahoo! states: The media has mistakenly - and repeatedly - reported that this program [PRISM] allows the U.S. Government to "tap...directly into the central servers" of providers to collect information. That the media reports are incorrect, and that Yahoo! (and the public) therefore have an interest in obtaining correct information, is central to their motion.

So I suspect Yahoo!'s challenge to the 2008 request under the PAA had more to do with the lack of warrant (the question focused upon by the FISCR) than any breadth associated with the request.

Re G10, in what sense are their proceedings NOT secret in the same way that the FISC's are? And, if I understand Article 10(2) of the Basic Law correctly in conjunction with the website I cited in my last comment, certain surveillance orders by the government may be reviewed only by the G10, and are lawful so long as the surveillance is for the purpose of national security. This is a system of oversight actually less rigorous than that in the US, where both the legislative and the judicial branches are involved and informed.

Dirk Praet • November 8, 2013 4:39 PM

@ Skeptical

> the numbers are 5 named individuals and 6,000 (not 600,000).

In which case one of our sources is wrong. I got the 600k from Wikipedia.

> That's no more a bulk request than if a subpoena were served on a phone company for records associated with a particular customer.

That was not the way their lawyer Mark Stephens saw it, and frankly neither do I. It depends on how you interpret "records of user activity for any connections made to and from the Account, including the date, time, length and method of connections, data transfer volume, username, and source and destination Internet Protocol address(es)". Irrespective of 6k or 600k accounts involved, that sure is a huge number and of an entirely different magnitude as a pen request for, say, all folks a suspected murderer has been making phone calls with over a period of time.

> So I suspect Yahoo!'s challenge to the 2008 request under the PAA had more to do with the lack of warrant (the question focused upon by the FISCR) than any breadth associated with the request.

That certainly is a valid assumption. The thing is that we don't know, and that either one of us may be right or wrong. The only way to get rid of the current FUD is for the government to come clean and grant Yahoo's and other companies' requests for more transparency. Which several of them claim as an infringement on their right of free speech and thus a 1st Amendment issue.

> if I understand Article 10(2) of the Basic Law correctly

I don't know how good your German is but Grundgesetz translates to constitution, not basic law.

> certain surveillance orders by the government may be reviewed only by the G10, and are lawful so long as the surveillance is for the purpose of national security.

Even when the G10 approves a request of the BfV or other agency, all their activities can be legally challenged in court. Based on the right of information, even the general public can direct inquiries and petitions at the BfV. That's an entirely different regime than the FISC, I'd say, court orders of which can only be challenged by the party served therewith, and under gag order. Whereas the activities undertaken by e.g. the NSA cannot be directly appealed by anyone when approved by the FISC.

@ Rolf Weber

> The fact that the government had the technical means to gather bulk data with the SSL-keys, doesn't turn the request itself into a bulk request.

I see that entirely differently. Sorry. It's also one of the foundations of the argument I'm having with @Skeptical over industrial espionage. It's not because at some point in time something is not legal or policy that it will always be that way. The moment I know someone has the technical capabilities of doing something and is known to engage in similar activities, I consider my security breached and it changes my entire disposition to the issue.

Let me put it this way: if I know that a 3rd party for whatever legal reason has a skeleton key not only for my neighbour's but also for my place, I will make very sure to have an additional lock on the door in case it ever falls into other hands or for when suddenly the conditions beyond my control change for the key holder to use it at will. In the end, that's just basic security precautions.

> Regarding Yahoo, I don't rely on analysts

Which is your good right. I refer to my reply to @ Skeptical.

> I don't see any evidence that Twitter handed over bulk user data

Twitter successfully challenged the gag order that came with the NSL, so they could inform the 5 targets. That doesn't mean they could freely discuss what data was given up. So I refer to my previous point.

Anon • November 8, 2013 11:31 PM

@dirk

The lavabit situation could have happened just as easily in Europe. If a German e-mail provider announced that they would refuse to comply with all German warrants and court orders, even after losing multiple appeals, do you really think German intelligence and law enforcement would give up and go home? Or do you think the German government would find some way to get the data?

Dirk Praet • November 9, 2013 6:17 PM

@ Anon

> do you really think German intelligence and law enforcement would give up and go home?

No. But that was not the issue.

Rolf Weber • November 11, 2013 2:49 AM

@Dirk Praet
Regarding Lavabit, you are of course right that the security of Lavabit's SSL protection was broken. This was the reason why the SSL registrar revoked the certificate.
But this was not our discussion here. We discussed whether it was a bulk order or not, and of course it was not. It was still aimed at a single account. The attorney's argumentation was pretty convincing:
'It cannot be that a search warrant is "general" merely because it gives the government a tool that, if abused contrary to the law, could constitute a general search. Compelling the owner of an apartment building to unlock the building's front door so that agents can search one apartment is not a "general search" of the entire apartment building -- even if the building owner imagines that undisciplined agents will illegally kick down the doors to apartments not described in the warrant.'

I know what you will reply, physical searches are a bit different from electronic searches, mainly because it is much easier to perform electronic searches undetected. But this doesn’t change anything about the fact that the order was still not broad.

I would agree with you if the government would straight demand the SSL-keys instead of trying other ways before. But this was not the case here, when we speak about Lavabit. The keys were demanded as a last resort, after all other options failed.

(Maybe I should add something here: When you read the court documents, you can see that the government thinks they are entitled to the keys just because of a pen/trap-order. They argued that the law requires the companies to provide all necessary assistance to install the pen/trap-device, and the device cannot run properly without the keys. When I read this, I remembered this report:
http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
So this fits, and I think it is quite likely that the government enforced keys in other cases, too. Especially from smaller providers which the government can impress much easier than bigger ones with good legal staff. However I also have to add that the Judge did not agree with the government's argumentation, the base for the hand over of the keys was the search warrant. I think it is an open question in U.S. law, what the circumstances are in which companies can be compelled to hand over encryption keys.)

Regarding Yahoo, I don’t think we need to continue our discussion, because we both can only speculate about what happened, and we agree that much more transparency is needed.

Regarding Twitter however, I think there still is sufficient evidence that it was not a bulk request. Twitter has a policy to inform affected users when they are compelled to hand over user data (and this was acknowledged by the court for this case). Twitter obviously informed only the five people mentioned in the order, not thousands of others. So it is safe to assume Twitter only handed over user data of a maximum of 5 people.

Dirk Praet • November 11, 2013 9:32 AM

@ Rolf Weber

But this was not our discussion here. We discussed whether it was a bulk order or not, and of course it was not. It was still aimed at a single account.

Rolf, I totally understand your point of view but we really are talking semantics here. I believe this has everything to do with a different mindset. From a legal angle, it was a single request targeting one account. From a security angle, being forced to hand over the keys compromised the communications confidentiality of ALL Lavabit users, irrespective of whether they were targeted or not. From the perspective of a security professional, that is the practical equivalent of a bulk request.

So it is safe to assume Twitter only handed over user data of a maximum of 5 people.

Again, it depends on how you interpret the court order and which mindset you apply. If I had learned through one of the 5 impacted parties (or the press) that their records had been subpoenaed, and that the order extended to communications they had with other accounts, I would have considered myself a possible target if one way or another I had been in touch with them over that medium. From a security perspective, and absent any formal statements that I wasn't, due diligence applies, even when there is no hard evidence that I was. Assumption that everything is hunky dory in such a context is the mother of all f*ck-ups.

I don't know what line of work you're in, but if you ever apply for a job as a security consultant, I would try to keep this advice in mind. Strictly relying on your own judgment, the legal angle of things and hard empirical proof in this business is the best recipe to get you p0wned over and over again.

Rolf Weber • November 11, 2013 3:35 PM

Dirk, I already said in my previous post that if we would only consider the security point of view, then of course I would agree on your points. But it is not only about security, it is much more a legal and political issue. It is a fact without any doubt that bulk Lavabit user data had been compromised. But the more interesting questions are: "Who is to blame?" or "Was this a very special case, or could this happen to any U.S. email provider?".
With my posts, I tried to address these questions.

Quite similar is our metadata discussion. I understand your security-focused view as well, but the more interesting question is how well metadata is protected under U.S. law. And my point here is that, because of ancient Smith v. Maryland, phone call metadata isn't protected at all, so companies like Verizon and AT&T have no option but to hand over the data.
But Smith v. Maryland was not about email headers. If the government demands bulk email metadata from an email provider, it cannot flatly refer to Smith v. Maryland. The email provider would have the best chances to challenge such a demand.
And this is why I say I don't believe the government ever tried to force an email provider to hand over bulk email metadata. They know that it could be successfully challenged, thus eventually overturning the ancient Smith v. Maryland ruling. If the government is smart, they would never ever jeopardize the Smith v. Maryland ruling.


Dirk Praet • November 11, 2013 7:31 PM

@ Rolf Weber

But Smith v. Maryland was not about email headers. If the government demands bulk email metadata from an email provider, it cannot flatly refer to Smith v. Maryland.

I believe we agree that under the reasoning of Smith and Miller previously discussed, (phone) metadata that is account information about how an account was used — but not call contents — is not protected under the 4th Amendment. An example thereof is United States v. Fregoso, 60 F.3d 1314, 1321 (8th Cir. 1995).

Do note that lower courts have applied the same principles to internet metadata too, as in United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (IP addresses) and United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008): “Every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the 4th Amendment’s privacy expectation.”

Equally important in this context is the Bush/Cheney era Stellar Wind program, that collected bulk email metadata of American citizens. Although downright illegal when it was started in 2001, it got formal FISC approval from FISA court chief judge Colleen Kollar-Kotelly in 2004 and was retroactively legalised by the Protect America Act of 2007 and FISA Amendments Act of 2008. It went on for almost 10 years until Obama stopped it in 2011. This to me indicates that from a legal angle email metadata was either fair game too, or the USG/NSA for almost a decade was engaging in illegal/unconstitutional activities.

Also note that there is a contrary view on phone metadata collection drawing from the concurring opinions in United States v. Jones, 132 S. Ct. 945 (2012) to say that the collective acquisition and analysis of information about a person over time constitutes a search even if collecting individual discrete pieces is not a search. The proponents hereof claim that the government has made a mockery of 4th Amendment protections by relying on select SCOTUS cases decided before the era of the public internet and cellphones, to argue that citizens have no expectation of privacy in either phone metadata or in e-mails or other private electronic messages that they store with third parties. I share this opinion, but I agree that it seems an uphill battle for now.

Skeptical • November 12, 2013 1:24 PM

Dirk -

Here's one article from a law journal (behind a paywall, but if you google the article title you'll find authorized copies elsewhere) discussing differences between US and German telecommunications privacy law. Note that in the sections on German law, the author describes the ability of the intelligence services in Germany to conduct "strategic surveillance" (i.e. bulk surveillance) without court approval or review.

As to the ability of the G-10 to facilitate judicial review, I don't see how an individual subject to a secret surveillance order will be able to challenge the surveillance in court, unless it is at some point revealed to him or used against him in court. This is not significantly different from the American system. Moreover, the G-10 is far less independent of the government than is the FISC independent of the executive branch in the US. The G-10 consists of 4 members appointed by a parliamentary committee, none of whom need be either a member of parliament or a member of the judiciary. See section 15 of http://www.gesetze-im-internet.de/g10_2001/BJNR125410001.html

Re metadata & Smith, while I think that a bulk metadata request of email records would be the subject of skepticism by a court, I also think that there's a good argument for fitting various email and user records into Smith. So far as Sotomayor's dicta in Jones, it's more speculative than anything else. It doesn't carry any force of law, and doesn't necessarily indicate how she would decide on a particular case, but it could hint that she would vote to grant cert (i.e. to hear the case; not all cases appealed to the US Supreme Court are heard by the Court; the judges decide by vote whether to hear a given case; if a case is not heard, then the ruling of the lower court stands).

Dirk Praet • November 12, 2013 6:24 PM

@ Skeptical

Here's one article from a law journal ...

Interesting. Some thoughts:

1. From the abstract: "... It finds that the U.S. Supreme Court has developed a restrictive vision of the Fourth Amendment that extends its protections only to telecommunications content, but not telecommunications attributes. In contrast, the German Federal Constitutional Court has interpreted Article 10 of the Basic Law, the postwar German constitution, as protecting not only telecommunications content but also telecommunications attributes." See also 775 of the article.

2. The article dates back to August 2003. Since then, a number of new laws have been adopted in the US (e.g. PAA, FISAA) and we have found out about new and until recently secret interpretations of sections of existing laws (e.g. PA), all pertaining to surveillance. It's probably fair to say that the article is up for a thorough revision, especially in Part V, "The limits of law and possible "X" factors".

3. Take a look at 761-762 and 774 where roving wiretaps and "consent" exceptions are discussed. You'll find much better constitutional protection in Germany than in the US.

4. Strategic surveillance by the BND or other agencies primarily applies to "foreign" communications, is only possible for very narrowly defined purposes and constitutional restrictions still apply on certain forms of "foreign" communications (777). Which is a huge difference with the US where under FISAA 702 all "foreign" communications are fair game and under PA 215/PAA/FISAA all domestic phone and internet metadata apparently can be legally collected.

The only field where the US scores marginally better is in that the statutory requirements for obtaining customer information from telcos/ISPs are higher. In Germany, these are free from judicial review.

5. With respect to connection data, I quote from the article (782): "Hence, a comparison in this area is easier than for customer information and leads to the conclusion that law enforcement authorities in the United States face lower hurdles in obtaining connection information than their German counterparts."

6. Data retention and erasure (786): "In summary, the current regime in the United States requires neither data erasure nor storage. Germany has no data storage requirement but does have a strong data erasure requirement."

7. Legal protection for telecommunications content: "Both the United States and Germany provide similar definitions for telecommunications content. In addition, both countries require judicial involvement in the issuing of surveillance orders unless there is an emergency."

Going through the conclusions on pages 799-800, I think there is no reason whatsoever to claim that the US regime is as good as or better - in the sense of more restrictive - than the German one.

Moreover, the G-10 is far less independent of the government than is the FISC independent of the executive branch in the US.

The G-10 is not a judicial body, the FISC is. The G-10 thus is not a court, but neither is the FISC in the strictest interpretation of that word. I fail to see how either one of them is more or less independent from those who have appointed their members.

Re metadata & Smith, while I think that a bulk metadata request of email records would be the subject of skepticism by a court, I also think that there's a good argument for fitting various email and user records into Smith.

As shown in the Stellar Wind program, the USG obviously can legally collect bulk internet metadata. But you are right that one could argue that it fits in Smith v. Maryland. What I wanted to point out with Jones is that there are different legal opinions on the matter, or ones that could be argued against this point of view.

Lionel • November 17, 2013 12:14 AM

** WELCOME TO DATA LAUNDERING **

Bruce wrote in an earlier version: My guess is that the NSA collects the vast majority of its data surreptitiously, using programs such as these. Then, when it has to share the information with the FBI or other organizations, it gets it again through a more public program like PRISM.

What you are describing is data laundering.

DATA LAUNDERING (n): Data laundering is the process of concealing sources of data. Data evidently gained through surveillance is "dirty" data, and data that has been "laundered" to appear as if it came from a legitimate source is "clean" data. Money can be laundered by many methods, which vary in complexity and sophistication.

We are seeing data laundering in the behavioral advertising space as well. Companies claim to collect only anonymous data; they deanonymize, purchase dossiers of data, and link it all up, re-anonymizing it somewhat in the end. Using these complex overlapping sources, they can "launder" the personal information they have and claim that all they have is anonymous.

GR • November 17, 2013 5:51 AM

> BT ("Remedy")

So BT, formerly British Telecom, works with the GCHQ. The GCHQ operates under even fewer restrictions than the NSA, and the two work together closely.

I wonder if Bruce can convince his employer (BT) to do more to protect their users' privacy?

Gary Hibberd • January 15, 2014 2:39 AM

Like many here I don't expect anything to change anytime soon with regard to security of email, or the internet in general... There seems to be a general lack of energy (or is that knowledge) by those who use these tools to do anything. There is a general feeling of 'so what' when this topic arises... until of course they themselves get hit or feel their rights are being infringed. As with all these matters it will remain the same until there is a swell of emotion to create action.

Jimbo • March 3, 2014 9:21 PM

This is just an idea. ... The NSA is tracking keywords in our emails, voice, texts, etc. We all start sprinkling these keywords throughout our conversations. LIBERALLY. I send 15 - 20 emails a day. Some people send 50 - 100 texts a day. Multiply that by 100 million Americans. I don't care how powerful their supercomputers are, we can overload the NSA's capability to follow up on leads. They will BEG the public to stop. And we keep it up until they agree to get warrants from a judge for each and every invasion of privacy.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..