Correspondence Between the NSA and Google Leaked

Al Jazeera is reporting on leaked emails (not leaked by Snowden, but by someone else) detailing close ties between the NSA and Google. There are no smoking guns in the correspondence—and the Al Jazeera article makes more of the e-mails than I think is there—but it does show a closer relationship than either side has admitted to before.

More articles here.

EDITED TO ADD (5/7): The correspondence was not leaked. It was obtained via a FOIA request.

Posted on May 7, 2014 at 6:19 AM • 33 Comments

Comments

Wiffle May 7, 2014 7:13 AM

Remember that this is before the Snowden disclosures. This is when everyone thought Alexander had the best interests of everyone in mind for security. Alexander has a very likeable personality and before the Snowden disclosures began, there was little reason to distrust him. He’s very genuine in his passion to want to make us safer, but as the saying goes…. The road to hell is paved with good intentions.

Ra6bit May 7, 2014 7:21 AM

I hate to burst anyone’s bubble, but briefings on threats from the NSA are hardly unusual in infrastructure industries. It’s kind of their job.

Philip May 7, 2014 7:35 AM

I did participate (as an industry rep) in the ESF meetings on measuring BIOS security. The result was NIST SP 800-155. At the time, I thought that the fears of widespread BIOS tampering were overblown, but after the Snowden leaks, I’m inclined to believe that the threat is more significant.

Yes, the resulting SP does not cover all conceivable attacks, but it raises the bar a long way. In particular, it only deals with the main system BIOS and ignores any other pieces of firmware (e.g. network controller microcode, FPGA configuration memory etc). In most cases, there was no very obvious way to even measure these pieces of memory….

Ian May 7, 2014 7:35 AM

Actually, according to Al Jazeera, the emails were released under a FOIA request, there doesn’t appear to be any new leak.

Clive Robinson May 7, 2014 8:21 AM

This is only one smallish aspect of NSA – Google tieup that is moderately old. If you think back a year before that there were the issues to do with supposed China MSS APT into Gmail etc looking for dissidents as well as China trying to cut Google China out of the Chinese mainland.

William Entriken May 7, 2014 8:40 AM

How can one run a trustworthy organization in the US while leadership holds security clearances?

Isn’t this the same principle that says if you are running a rootkit on a system then it isn’t your system anymore?

maxCohen May 7, 2014 8:53 AM

I’m not sure what the issue is. Google had asked the NSA years ago for help with supposed infiltration from China. Of course they had close ties.

Ironman92 May 7, 2014 9:29 AM

Agree with most above – this article is not up to standards. The question isn’t whether Google ever collaborated with the U.S. government. The question is, did Google work with the U.S. government to support widespread electronic domestic surveillance. This article uncritically makes it seem the latter, until you click through and find that the (FOIA, not leaked) letters relate to collaboration that doesn’t relate to the domestic surveillance.

Randalf May 7, 2014 9:58 AM

One of the weaknesses in the Soviet system was that, since everything and anything was always run by the government, people knew this and adjusted their behavior accordingly (this is the so-called Hawthorne Effect).

USA on the other hand has managed to do the same things as (and thanks to technological advances, even more than) what Soviet Union did but more underhandedly, among other things through what is referred to as the public–private partnership.

The benefit of this is that, as long as the government massages its own public image properly, the populace will continue pouring their internals onto the internet. This voluntarily released information is useful for the sort of profiling that the government needs to do in order to determine who their potential deviants are.

Software created by companies like IBM allows the states to run Fusion Centers that analyze traffic from social media for potential threats. The stored profiles are used to speed up the analysis work.

As to Google, there is not much money in running a search & advertising engine. Having the government as your partner is a great way to increase the longevity of such a business, but that leads to the issue that the desires of the additional stakeholder(s) will also have to be met.

There are already people in America who disagree with government policies but since these people cannot do much to change them, it is mentally easier (and physically safer, depending on how the person would try to change them) and less time-consuming for them to accept the policies.

Google of course supports the US government and its policies. This may not be much of a problem for residents in USA but is likely more of a problem for individuals living in ‘hostile’ countries.

I Verkfurthem May 7, 2014 10:13 AM

Years ago, I remember seeing a Google employment ad that practically mirrored an NSA employment announcement.

Gimli May 7, 2014 11:08 AM

@Randalf

Arguably this is worse than just the Hawthorne effect. The sudden absolute removal of trust and privacy in anything Internet related is cruel. For the Russians, they can’t miss what they never had.

Skeptical May 7, 2014 12:25 PM

@Randalf: As to Google, there is not much money in running a search & advertising engine.

oh?

Have to agree with other comments above re FOIA production, not leak, and nothing scandalous.

Randalf, I think you may be mistaken about what the Hawthorne effect refers to, but I haven’t seen any indication that the US is trying to alter political views by monitoring communications.

Now, for a real example of that kind of thing:

New York Times: Russia Quietly Tightens Reins on Web With ‘Bloggers’ Law’

Fibbernazi numbers May 7, 2014 3:07 PM

Just knew they’d get another skep from the shed to lie up a storm about US manipulation of political views which, we are assured, doesn’t exist except maybe for one lone DoJ OLC and OIRA Administrator ( https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084585 ) telling you how to think, or the Army banning myspace when the enlisted cannon fodder stopped their rah-rah hate speech and started to level with their friends back home, or these guys, http://www.rawstory.com/rs/wp-content/uploads/2011/03/personamanagementcontract.pdf

And that’s just the (U). I’ll tell you about the collateral stuff later.

Skeptical May 7, 2014 5:43 PM

@Fibber: I know that some countries consider free and open speech, like the article by two law professors you cite, to be a subversive effort to manipulate opinion. But there’s a stark line between open discussion and argument, and the type of manipulation being witnessed in Russia. Surely you must see the distinction.

Skeptical May 7, 2014 9:23 PM

@Fibber: I’m comparing policies, not flipping anecdotes or making silly generalizations. We’ve reached n in this particular sequence, Fib. Nice talking with you.

Thoth May 7, 2014 9:28 PM

Corporates follow the situation according to user demands. Before Snowden leaks happened, the demand was to keep China out of US servers and that was the game. The majority of the US state of mind was to protect themselves from other nations. Now the game has switched due to the Snowden leaks and the current demand is to fend off the devils (3 letter organisations) and those big corps simply chose what was more logical … to fend off the devils to suit customer demands.

I don’t mean that these corps have no interest in the safety of the consumers’ privacy (wholeheartedly). They may have some people within their ranks and files who want everyone to be safe (with an altruistic intent) who are the rare few. Most of it is a simple business sense …. follow where the money goes. Now the money is to try and recover lost faith in them so they drag along and played the same game.

To a corporate, all that matters is their business baseline. We all know the current business model is data and the corporates are the ones who are collecting data and the 3 letter organisations simply used them in a symbiotic relationship [Schneier]. The main thing is how do we present data so that the corporates serve us better without us leaking private data where either the corporate or whoever the corporate’s partners are could misuse them.

One of the currently emerging technologies is the Homomorphic Encryption technology which is still in its infancy. Distributed darknet style search is another area we had a long time but did not gain much headway due to its technical complexity. Duckduckgo, Startpage, Ixquick are some of the famous search engines that promise not to store our data (in good faith).

Technology has advanced so much faster than we can keep up that includes our view of the world and our concepts of morality and notions of norms.

With a rapidly expanding and advancing technological improvement in our current age, we need to define what is ‘right’ and what is ‘wrong’ while technology zips ahead of us while the courts and human notions of concepts lag way behind.

Using encryption (i.e. Homomorphic Encryption) and other advanced technology will not solve our current problems. Humanity itself has begun melting with highly advanced technology and we as a species are way behind in trying to understand what is our place in this age of rapid technological advancement. Do we become slaves to high tech improvements while misusing trust and privacy or do we come to an age where we can use technology to aid us while preserving trust and privacy?

It’s rather easy to collect data and make judgement behind a screen and a keyboard because we are somehow disconnected to the fact that we are typing and someone’s reading it. Data is mindlessly and easily collected to a point, we don’t feel much consequence to what happens if we do something to data. What happens if we take chat logs we collected from our chat service and pass them around … etc …

It’s still the age old question, what do we do now when corporates and organisations collect a ton of our data that we voluntarily let everyone know who we are, what we are doing … thus ‘accidentally’ contributing to the fact that our data gets harvested for some use yet we want privacy and security.

If we carelessly leak data about ourselves from posts and tweets, expect those data to be compromised. Most people simply leak data and expect those data to be magically safe.

Putting pressure on software and hardware vendors to open up their designs and ensure that users have more control over their data has been an ongoing but weak effort due to the general public simply trusting these softwares and hardwares (and also their lack of technical understanding) and the software and hardware vendors simply wanting to know more (as data is the new currency [Schneier]).

On a side note, does anyone know how to allow chat apps (i.e. WhatsApp) to only see a partial list of Contact details which you choose to show it? Once you give WhatsApp the access rights to your Contacts (or any other Chat Apps), you have to expect your Contact List to be compromised. I am wondering if there is some way to allow users to vet which app has access to which Contact details in a more fine grain manner?

Ooh, snap! May 7, 2014 10:22 PM

Oh I see. If it involves a human being, it’s an anecdote. If it’s state propaganda for chumps who’ve never set foot in Russia, then it’s… Policy, said in your deepest big-shot voice.

Your problem is, you live in a totalitarian state and you can’t handle it. You too would be broken and ruined and made to crawl and permanently silenced, if for once in your abject life you dared to step out of line. But there’s no risk of that, is there?

Anon May 7, 2014 11:03 PM

@Bruce
Complete aside but I believe your RSS feed may not be updating. It’s still valid, but I’m not seeing the latest posts in my feed aggregator.

65535 May 7, 2014 11:32 PM

I would guess that FOIA requests for NSA documents only produce highly sanitized documents. Hence, I don’t think the average reporter is going to get any meaningful information from such FOIA requests.

As others have pointed out, Eric Schmidt’s government security clearance reveals a different story. That government security clearance combined with the fact that Google self-indicts by blowing smoke about never knowing that their internal site lines were being tapped by the NSA.

“Google’s executive chairman, Eric Schmidt, has insisted he had no knowledge of the US National Security Agency’s tapping of the company’s data, despite having a sufficiently high security clearance to have been told.” –The Guardian

http://www.theguardian.com/technology/2014/jan/21/google-eric-schmidt-nsa-tapping-knowledge

[and]

“Citing documents obtained from former NSA contractor Edward Snowden and interviews with officials, the Washington Post claimed the agency could collect information “at will” from among hundreds of millions of user accounts.” –The Guardian

http://www.theguardian.com/technology/2013/oct/30/google-reports-nsa-secretly-intercepts-data-links

[Government sponsored airport for Google’s Jet aircraft]

“…the Google [767] jet is not your typical airliner. It has a custom cabin outfitted by Gore Design Completions Ltd. Of San Antonio, TX that few have seen – but according to Mr. Page the 767 is configured to carry approximately 50 passengers… At today’s prices for Jet A fuel the Boeing 767-200 costs about $16,000 per hour to operate when you factor in the cost of a Captain and crew.”

http://www.jetjit.com/google-jet/

“[the]…paper questions a decision by NASA allowing Google executives to use its Moffett Federal Airfield near Google headquarters. Although H211, a company controlled by Google top executives, pays NASA rent, they enjoy access to the airfield that other companies or groups don’t have, Simpson said.”

http://www.pcworld.com/article/217550/google_watchdog_white_house.html

I am convinced that Google has very close relationship with the NSA and other governmental agencies – and most likely financial and intelligence ties.

Andreas May 8, 2014 4:58 AM

This does not surprise me. This is what general Keith Alexander meant with government working with industry to protect their nation from cyber attacks. This was the same topic as his DEFCON talk in 2012: “Shared Values, Shared Responsibility” ( https://www.youtube.com/watch?v=tz0ejKersnM ). General Keith Alexander also proposed cyber legislation to be able to do this.

I noticed something strange about general Keith Alexander. As the director of the NSA and the US Cyber command he can break into millions of computers and get information from billions of phones.

He deliberately tries to dismiss his competence by saying stuff like that he can’t even spy on his own daughters? (they use computers and phones too) And that he needs a little girl to get his slides working? (see his DEFCON 2012 talk) He simply didn’t know whether they were working with Apache or Adobe on their open source database software called Accumulo. Does he want us to believe that he does not know the difference between Apache and Adobe?

How is that supposed to sound believable?

DB May 8, 2014 7:19 AM

I hate to break it to you all.. but those of you who seem to think that it’s a horrible immoral thing to do mass DOMESTIC spying on every innocent human with no particularized suspicion at all on any wrongdoing… yet JUST FINE to do the exact same spying massively abroad…. you all have a nazi hitler-like way of thinking! You think that it’s just fine to ignore all kinds of basic human rights as long as it’s to “someone else” and “not your kind”… how is that any different than what happened in the 1940s in Germany? Sure it’s not yet AS BAD as it got near the end, but it’s the way of thinking that causes that to happen eventually! You are the beginning of a new holocaust… but there is still time to change your mind and avert it…. please do. pretty please.

a May 8, 2014 8:10 AM

@ DB:

The difference is the combination of spying and jurisdiction together multiply the damage significantly. Had Germany spied on New York Jews in the 1940s that alone wouldn’t have been a massive tragedy because they had no power of enforcement there. When China spies on Americans (and they do) it’s less bothering because they can’t enforce Chinese laws on Americans.

What is troubling is that the US’s allies have decided to share data with each other so that foreign out of jurisdiction information gets turned over to people that can abuse the information and also that the US has decided that its enforcement jurisdiction is anywhere within drone range.

DB May 8, 2014 8:24 AM

@a So it’s perfectly ok to look into my neighbor’s windows and watch them undress as long as their doors are locked so I can’t break in and kidnap them? You have a point, but then you describe exactly why it doesn’t apply. Additionally, a basic human right is a basic human right, regardless of jurisdiction. Just because someone is in another jurisdiction doesn’t mean they no longer should be considered humans anymore. That’s slavery.

Thoth May 8, 2014 9:03 AM

@Andrew:

Why encryption is not dead but it’s just a bit more fragile:

1.) There are no exact ways of figuring out if XOR-ing first or AND-ing first is more secure because it’s a relatively new topic due to many years of exclusive use in the military and only in this age of technology do the masses get to know more about crypto. We are just at the tip of the iceberg.

2.) Encryption, application security, hardware security … if there are no disclosures, how would you know what went wrong?

3.) Encryption is never perfect. The Ideal Cipher presumes true randomness and one time use of secret materials which will be a highly unlikely scenario. Cryptography is a new subject and it’s hard to create proper definition. We need to research more before we can come up with something substantial.

4.) Cloud computing is getting cheaper and more accessible to the masses with FPGAs and GPU hacks trying to accelerate algorithms. That’s why there is much ongoing research to try to make it difficult for FPGAs, CPUs, GPUs to do their stuff. There are competitions to try and find more algorithms that are resilient to attack avenues (http://competitions.cr.yp.to). They are not perfect but at least there is effort going in.

5.) Specialized entry toolkits used by well funded organizations and agencies have their way to get in if they want in. If you have read about the Snowden leaks, their methods are highly robust [Schneier]. What we can use crypto for is to make it expensive for them to do a dragnet on all of us and to focus their efforts on individuals.

6.) Heartbleed and other vulnerabilities are inevitable. They are nasty when they occur but again, if someone really wants to bring another person down by all means, he would be able to do so. If there is any form of perfection, we wouldn’t even be attempting to solve problems. We would already ‘be in paradise’. We attempt to learn and evolve along the way which is a good thing.

7.) Bad RNGs? Try using something like Fortuna or improved form of Fortuna RNG. If you have access to the bad RNG’s internal state, you would use random stuff like mouse and keyboards and temperatures to consistently seed it at certain intervals.

8.) The reason why X.509 certificates can be forged is because X.509 is not the most elegant way of proving identity and there are CAs who are still issuing MD5 certificates or people just use self-signed certificates. X.509 is a problem and there are many discussions going on recently on how to best handle it. Some have proposed an overhaul of secure connection infrastructures and some seek to improve it. Encryption is not a silver bullet that solves everything. If encryption is properly used and the keys are properly handled, it can be a pain to be dealt with that even the NSA finds it hard to overcome (i.e. Tor Stinks).

What is wrong with this article you have linked in my view is it’s full of generic presumptions and bias. It simply is a sweeping statement trying to discredit cryptography rather than bring out proof that cryptography is useless. It is yet another of those doomsday predictions out there that would attempt to raise fear but would quickly die out and proof that it is wrong.

rogers sniffing all the panties May 8, 2014 9:59 AM

@DB, exactly. There’s a concerted government propaganda effort to distinguish between spying on Americans and spying on anybody else. The same law applies equally to foreign and domestic persons, but congress and the NSA Stasi are colluding to dupe the US public. The illegal fiction of foreign intelligence lets the government spy on US citizens from abroad. The government is fixating on technical minutiae so they can flout the overarching legal requirements, which are these:

(a) take all necessary measures to ensure that its surveillance activities, both within and outside the United States, conform to its obligations under the [ICCPR] Covenant, including article 17; in particular, measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity regardless of the nationality or location of individuals whose communications are under direct surveillance;

(b) ensure that any interference with the right to privacy, family, home or correspondence be authorized by laws that (i) are publicly accessible; (ii) contain provisions that ensure that collection of, access to and use of communications data are tailored to specific legitimate aims; (iii) are sufficiently precise specifying in detail the precise circumstances in which any such interference may be permitted; the procedures for authorizing; the categories of persons who may be placed under surveillance; limits on the duration of surveillance; procedures for the use and storage of the data collected; and (iv) provide for effective safeguards against abuse;

(c) reform the current system of oversight over surveillance activities to ensure its effectiveness, including by providing for judicial involvement in authorization or monitoring of surveillance measures, and considering to establish strong and independent oversight mandates with a view to prevent abuses;

(d) refrain from imposing mandatory retention of data by third parties;

(e) ensure that affected persons have access to effective remedies in cases of abuse.

CallMeLateForSupper May 8, 2014 10:06 AM

@DB
“… you all have a nazi hitler-like way of thinking!”

Were you pointing at a particular person or persons, or just lashing out indiscriminately? I ask because I think I have not read any posts here that damn domestic spying while explicitly supporting spying abroad. There are countless posts that agitate against domestic spying and do not even mention spying on non-U.S. entities, but that does not necessarily mean that the posters support the pervasive spying on foreigners. Maybe some of them do. I don’t.

I have old friends in western Europe who are natives of the countries in which they live. I severed all postal and email contact with them after learning about NSA’s various data vacuums and “hops” policy, because I did not want to put them on NSA radar any more than they already were and because I wanted to avoid being “hopped” on if one of my foreign friends happens to say or do something that interests NSA. I read and hear references to the “chilling effect” of spying – always on businesses though, e.g. journalism or the cloud – but I’m here to tell you that it has had a very chilling effect on the correspondence of this particular private individual.

DB May 8, 2014 7:10 PM

@ CallMeLateForSupper

I specified in the first sentence that it was addressed to a certain class of people, not to a certain person. Since you are not in that class, it’s not addressed to you. You are welcome to agree with me though 🙂

Many posters here talk about the horrific nature of surveillance, and go to great lengths to specify only DOMESTIC mass surveillance… rather than just say mass surveillance in general (regardless of whether it’s domestic or not). This implies that foreign surveillance is perfectly fine. However, this is only an implication… YOU CHOOSE if this really applies to you or not. I’m very happy to hear it doesn’t apply to you in particular.

You may think that talking about such mere implications is splitting hairs, but when you add what @ rogers said about the government propaganda effort, I think we need to split these hairs in order to strongly push back against that effort.

I’m really sorry to hear about how the “chilling effect” has affected you. For me, it has had the opposite effect. It’s made me much more angry and outspoken on the issue than I’ve ever been before. I never used to participate in blog posts like this before, but I do now. It is my small personal contribution, trying to influence people’s minds so that together we can all fix the problem.

I think the main reason this has made me so angry is that it’s not just a simple matter of “xxx can be used for great evil, or great good” which applies to many things, and that’s overall good as a general freedom of choice (as long as laws exist to protect from infringing on others’ rights)…. it’s a matter of ALL technology, collectively, is now being used for great evil. Even MY OWN TECH DAMMIT! My choice is being taken away from me. This is a very different situation. Something’s not right with the world. We must fix this.

SchneieronSecurityFan May 9, 2014 12:04 AM

Weren’t there rumors as far back as 2005 that the NSA maintained facilities within the Googleplex, Google’s HQ in California?

notruescot May 9, 2014 7:56 AM

to SchneieronSecurityFan:

i don’t know ’bout nsa in 2005, but i recall a material ’bout “google in bed w/ cia” ca 2006.
