The Full Story of Yahoo's Fight Against PRISM

In 2008, Yahoo fought the NSA to avoid becoming part of the PRISM program. It eventually lost the court battle, and at one point was threatened with a $250,000 a day fine if it continued to resist. I am continually amazed at the extent of the government coercion.

Posted on September 18, 2014 at 7:13 AM • 49 Comments

Comments

Jacob • September 18, 2014 8:24 AM

Well, there is a better way going forward:

Gizmodo: Apple will not be able to turn over iOS 8's user data to the gov even when served with a warrant - data is encrypted by the user, who has sole possession of it (unlike iOS 7 and below, where Apple has been holding a backup key).
(Caveat: as long as the data stays on the user's device and is not uploaded to iCloud.)

Yahoo can follow suit and have all user data encrypted at rest by a user-only encryption key.
Kim DotCom's Mega file service has been doing this for a couple of years now.

The earlier we recognize that the US government is an adversary in money(*) and privacy matters, the better we are.

(*) http://www.washingtonpost.com/news/the-watch/wp/2014/03/24/the-federal-structuring-laws-are-smurfin-ridiculous/

Charlie Savage • September 18, 2014 8:29 AM

(The above comment is a response to Rolf Weber's comment, not to Bruce's post. I should also not have used 702 as shorthand, since this was technically PAA not FAA.)

Rolf Weber • September 18, 2014 8:49 AM

@Charlie Savage
The PRISM slides are worded properly. There is no reason to blame the author, who didn't write the slides under the background that they will be revealed unauthorized.
Snowden and the press are the ones you should blame. They released and interpreted documents which they didn't understand.

As I wrote in my document, PRISM is an NSA-internal program. There is no reason to doubt that Yahoo! complied with earlier PAA requests.

DUH • September 18, 2014 8:53 AM

Rolf Weber seems to read the PRISM slides like an atheist reads the Bible. Anyone who has worked in any large corporate office (NSA surely is no exception) would have seen cases where a timeline or a project go-live date posted on some slide does not match the reality.

It could be a typo, it could be that whoever wrote the slide was told to put the particular date because of some optimism that "that's the month we will start". Maybe they simply expected more cooperation and less legal wrangling from Yahoo.

It's the same with the direct access to Google and other service providers as well.


Skeptical • September 18, 2014 9:20 AM

Re: "and at one point were threatened with a $250,000 a day fine if they continued to resist."

Sort of.

Actually the government filed a motion with the FISC requesting that, if the FISC should deny Yahoo!'s motion for a stay pending its appeal (after having lost before the FISC), the court fine Yahoo! 250k for each additional day that Yahoo! refuses to comply with the FISC's order.

There's nothing inappropriate about that. Yahoo! was able to challenge in court, but it also must respect the court's decision once made. The government was simply asking that the court ensure compliance.

By way of background:

Yahoo! received the government's initial request sometime in 2007. They refused to comply, and, according to Yahoo!'s own filing, the government met with Yahoo! over the course of several months to discuss Yahoo!'s concerns (see page 11 (numbered page 37) of Yahoo!'s Memorandum in Opposition).

Finally, Yahoo! wrote to the Justice Department, reiterating its concerns and expressing its interest in briefing the matters of concern before the FISC.

The government then filed a motion to compel in the FISC, giving Yahoo! an opportunity to do so.

Sometime thereafter, the FISC decided against Yahoo!, and issued an order to comply on April 25, 2008. Yahoo! filed a motion for a stay pending its appeal.

On May 9, 2008, the government filed a motion requesting that, if the court denies Yahoo!'s motion for a stay pending appeal, then the court find Yahoo! in civil contempt and render a $250,000 fine for each additional day that Yahoo! does not comply with the court's order.

Cockroach, light switch • September 18, 2014 9:56 AM

Never underestimate the NSA reflex for coercion. Here it is in the flesh.

https://firstlook.org/theintercept/2014/09/17/irate-nsa-staffer-doesnt-like-filmed-public-reason/

These guys are Stasi, totalitarian psychos. We're going to have to storm their HQ like the Germans did.

Then turn it into a museum, like this,

http://qz.com/263808/peering-into-the-secret-spooky-world-of-the-stasi/

so nobody ever forgets and lets these criminal vermin re-infest our country.

Incredulous • September 18, 2014 9:58 AM

That durn Snowden!! VASTLY HARMING our intelligence efforts with information THAT HE TOTALLY MADE UP. What a scoundrel!! If only he had the integrity of our politicians and the oligarchs of our continuous government!!

I love it when the police state apparatchiks come out to play.

David Leppik • September 18, 2014 10:17 AM

I'd like to know how Yahoo would have reported the fines to shareholders in SEC filings.

My guess is, post-Snowden, companies might be a little bolder about taking a financial hit to protect their reputation with their customers.

Kent • September 18, 2014 10:25 AM

What amazes me is that every single company continued to play by the "secret rules" long after it was abundantly clear that the entire game was rigged. Why did everybody think that some secret court using secret interpretations of the law was going to give reasonable rulings? When the government comes and demands total surveillance of its own people, you do not go to their own special star chamber, you go to the biggest newspapers you can find. Yahoo and others should have gotten front-page stories on The New York Times, The Washington Post, prime-time stories on CNN and MSNBC, everywhere. "New Stasi of America seeks total domestic surveillance" is a pretty amazing headline.

(I know, I know, the media would have refused to print the story. If The New York Times had any moral fiber left they would have printed the Bush domestic surveillance story before the 2004 election instead of a year afterwards.)

Anon • September 18, 2014 10:40 AM

Actually, it's not $250,000/day fine. It's a $250,000/day fine that the court has the option of doubling every week with no cap. To quote an article I read:

"Refusing the 2008 request would have drained Yahoo’s total revenue that year of $7.2 billion in three months. Two more months later, the fines could have paid off the entire U.S. national debt, at the time of $9.5 trillion."

"Eventually by the end of one year, the stack of $100 bills could travel to the sun and back 28,769 times, making for a total of $7.9 sextillion."

So, no, paying the fine was never an option for Yahoo.

Buck • September 18, 2014 11:50 AM

@Bob S.

And how hard would it be to include a 'security update' that passes iOS users' passcodes off to a third party..?

(Hint: I was able to figure that one out when I was 12! ;-)

Coyne Tibbets • September 18, 2014 1:47 PM

The truth will out. Despite the "assurances" of some of the shills right here in the blog, it turns out that the NSA has an effective gun to crush any company that refuses to comply with an NSA request.

For example, this from Skeptical now echoes hollowly:

But beyond that, the government cannot legally compel, say, a fabrication plant to alter designs and insert a backdoor. I don't see Intel, for example, agreeing to assume catastrophic legal liability, and a fatal business risk, by inserting backdoors into its chips.

So now we see the truth: If the NSA can impose a fine that, in Amazon's case, would exceed $109 quadrillion in 180 days, what company could possibly resist? What company would possibly dare to challenge in court?

(Note: That figure derives from a detail that was omitted from the Gizmodo article. $250,000 per day was the initial fine; NSA had proposed that this initial daily fine amount would double every week of non-compliance. Reference More Yahoo vs. The NSA: Government Tried To Deny Standing, Filed Supporting Documents Yahoo Never Got To See.)

So the only remaining question: Just what atrocities has NSA compelled of companies?

Rolf Weber • September 18, 2014 2:18 PM

@DUH
It was not me who first referred to the timeline. It was the press who said: "Look, after Yahoo! lost its case, it had to join PRISM, and all the others had to follow". And here I say: No, this doesn’t add up.
I say that PRISM is an NSA-internal program, from which the companies neither knew name nor existence.
My explanation is compatible with the PRISM-slides, the declassified court documents and the statements of the companies.

@Kent
You speak as if the FISC ordered against the obvious law. You should realize that in the meantime the PCLOB reviewed the 702 surveillance programs. The PCLOB absolutely backs the FISC opinion, it too finds that PRISM is reasonable and constitutional.

Jacob • September 18, 2014 2:24 PM

@Coyne Tibbets

Skeptical was right. There is a great difference between compelling a company to provide private user info (*) and to force a company to actively insert a backdoor into its products.

True, the NSA still has a very big stick in the shape of refusing to grant gov contracts to a refusenik company, but they cannot force the company, by way of FISC, to insert a backdoor.
See for example the photos of the Cisco interdiction - the NSA had to do it itself while the packages were en route to targets.

(*) - in a highly dubious move, the gov considers such users records as "business records" - or, by some other twisted arguments and opinions - that such material is not encumbered by constitutional constraints and thus must be turned over.

Skeptical • September 18, 2014 2:35 PM


@Coyne: And my statement is correct. The law does not enable the government to compel a company running a fabrication plant to insert backdoors into its products.

Suppose there were a law that stated: upon request by the Department of Health (I'm making one up), a food establishment as defined in 82 USC 1001 (also made up) shall produce all records relating to the preparation (including the cooking and handling) of food for sale or distribution.

And let's say that the Department of Health issued such a request to a McDonald's franchise. The franchise owner thought the request outrageous, the law unconstitutional, and refused. So the Department of Health went to court, filing a motion for the court to compel the franchise owner to comply (a procedure which was provided by a different section of the made up law). The franchise owner filed a motion in opposition. And the court, after hearing both sides, issued an order to the franchise owner requiring that the records be produced.

Were the franchise owner to deliberately disobey the court order, the court could find him in contempt, and levy fines (among other things).

Does the above prove that the government can compel Intel to insert backdoors into its chips? Of course not. Neither does the Yahoo! case.

The fine that would have been imposed on Yahoo! would have been for civil contempt, as Yahoo! would have been deliberately disobeying a court order. This no more proves that government can compel chip manufacturers to insert backdoors than it proves that government can compel a cable news channel to report stories accurately.

If you can point to the law that would enable the government to compel a chip manufacturer to do so, I'll change my mind.

DonH • September 18, 2014 2:56 PM

@Skeptical - Didn't CALEA require that manufacturers of telecoms equipment modify their designs to include a surveillance interface for government use? I don't see any basis for saying that the CALEA requirement is legal but that a similar requirement for CPU manufacturers to include surveillance capabilities would be illegal.

Coyne Tibbets • September 18, 2014 3:03 PM

"Legal" is a weasel word in this case. "Do what we want or be destroyed," is compulsion, pure and simple.

Ned_flanders • September 18, 2014 3:27 PM

Apple's claim that their new iOS somehow protects your personal information is not necessarily true.

Too many half-false claims from Apple, and intimate knowledge of product development cycles, and the way corporate treats infosec lead me to believe this does not do what they suggested it does to the press.

uh, Mike • September 18, 2014 3:34 PM

@Jacob, "The Government" is, indeed, an adversary. Note the United States Constitution, a document specifically outlining the ways in which the adversary may conduct its business.

When The Government says "Trust me," that's propaganda. When The Government says "We don't trust you," that's tyranny.

ted • September 18, 2014 4:15 PM

I would like to see these PRISM members (Yahoo, Google, Facebook, Apple, etc.) get together and turn off all accounts of FBI, NSA, FISA, DOJ, etc. employees and their families.

I'm sure government employees getting screamed at by family members will be very unpleasant.

John F • September 18, 2014 4:56 PM

@Skeptical:


"@Coyne: And my statement is correct. The law does not enable the government to compel a company running a fabrication plant to insert backdoors into its products."

This is only true for the laws and the interpretation of those laws that the public is allowed to know about.

The US has been shown to have what amount to secret laws at this point. When you start from that premise, the possibility of the existence of a law allowing such compulsion can't be eliminated by anyone with credibility.

Absence of proof is not proof of absence.

jdgalt • September 18, 2014 6:47 PM

@DonH, @John F: The only law that matters here is the Fourth Amendment. CALEA and FISA are unconstitutional on their faces.

Therefore it is pointless to argue with them in their rigged courts.

The government's failure to follow the law merely shows that (1) they are not to be trusted, and (2) if we want privacy we will have to take it for ourselves -- by beating them technically -- and expect to become targets for doing it.

Bob S. • September 18, 2014 8:21 PM

@Buck, Re: Apple Security, iOS 8.

Well,

How about this?:

"Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8,..."

http://mashable.com/2014/09/18/apple-new-privacy-policy/

I think that infers security updates from Apple are also unable to access the passcode.

Jacob • September 18, 2014 9:21 PM

@uh, Mike

I looked up what the term "tyranny" means, and came up with some interesting quotes from the great work of Alexis de Tocqueville, the French political thinker/philosopher from the early 19th century, who extensively studied the American political system at the time.

I think that the term "soft despotism" is a better term to describe the current governmental system in the USA.

From Wikipedia:
Soft despotism is different from despotism (also called 'hard despotism') in the sense that it is not obvious to the people.

Soft despotism gives people the illusion that they are in control, when in fact they have very little influence over their government. Soft despotism breeds fear, uncertainty, and doubt in the general populace. Alexis de Tocqueville observed that this trend was avoided in America only by the "habits of the heart" of its 19th-century populace.

In his book "Democracy in America", de Tocqueville explained "soft despotism":

"After having thus successively taken each member of the community in its powerful grasp and fashioned him at will, the supreme power then extends its arm over the whole community. It covers the surface of society with a network of small complicated rules, minute and uniform, through which the most original minds and the most energetic characters cannot penetrate, to rise above the crowd. The will of man is not shattered, but softened, bent, and guided; men are seldom forced by it to act, but they are constantly restrained from acting. Such a power does not destroy, but it prevents existence; it does not tyrannize, but it compresses, enervates, extinguishes, and stupefies a people, till each nation is reduced to nothing better than a flock of timid and industrious animals, of which the government is the shepherd."

Maybe the trend was avoided in America only by the "habits of the heart" of its 19th-century populace, but in the 21st century we sure see how the "habits of the heart" have succumbed to new sets of rules and regulations, some of which belong to a "secret body of law", as Sen. Wyden said in an interview:

"the American people would be extraordinarily surprised if they could see the difference between what they believe a law says and how it has actually been interpreted in secret," but that he "is not permitted" to disclose the difference publicly.

herman • September 19, 2014 3:09 AM

Surprised? How can you still be surprised after the persecution of Joseph Nacchio of Qwest all these years ago?

Clive Robinson • September 19, 2014 3:43 AM

@ Coyne Tibbets,

With regards Skeptical's,

And my statement is correct. The law does not enable the government to compel a company running a fabrication plant to insert backdoors into its products.

Is a little at odds with what is known to have happened in the US, and he knows it.

Some time ago an owner/developer of a software house was visited by an excessive SWAT which threatened not just his safety but that of his immediate family. He was then dragged away and given a choice: get what we would now call the Aaron option or put a back door in his software and operate it at his own risk for part of the US Government. The developer at first agreed and the paperwork went before a judge, then he changed his mind and went public with the paperwork, so the event cannot be denied...

The reason I can say Skeptical is aware of this is I've drawn it to his attention in the past, and said he was going to look into it and get back to me on it with his views...

Andrew_K • September 19, 2014 4:57 AM

NSA is not Stasi.

People will not storm NSA HQ. Because they have no incentive to do so. Invasion of everyone's privacy is bad, but no practical problem in everyday life.

Stasi did influence the everyday life. Every grown up in GDR knew how seemingly small crimes (lending a wrong book at the local library) influenced promotion, getting a job (losing a job), studying, getting a car, being abducted and tortured, getting a new flat. The Stasi's influence was ubiquitous. The NSA's influence, however, is not, not like this. There are only very few occasions when NSA hits you. Most times, you will have a hard time telling about it.

In a metaphor, intelligence is often referred to as "big brother". In these terms, the U.S. for a long time have had the ideal big brother. Caring, defending when mean kids approach to mock. The kind of bigger brother we all love (until we find out he reads his little sister's diary).
Germans on the other hand twice had the bad luck of having a really mean big brother. The kind that harasses the toddler, takes its sweets and throws stones at him when nobody is looking.

Ok, now Clive's post above this is just bad timing.

Skeptical • September 19, 2014 6:58 AM


@DonH: Didn't CALEA require that manufacturers of telecoms equipment modify their designs to include a surveillance interface for government use? I don't see any basis for saying that the CALEA requirement is legal but that a similar requirement for CPU manufacturers to include surveillance capabilities would be illegal.

Sure, let me quote the FCC on CALEA:

CALEA requires a "telecommunications carrier," as defined by the Act, to ensure that equipment, facilities, or services that allow a customer or subscriber to "originate, terminate, or direct communications," enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization.

So CALEA is a specific Congressional authorization requiring that a particular type of company facilitate access to a particular service.

The law under which the government requested certain information from Yahoo! would be an example of a different, specific Congressional authorization.

But there is no such authorization that would allow the government to legally compel all microchip manufacturers to include backdoors. Congress certainly could pass a law requiring a manufacturer of any computer equipment, e.g. microchip manufacturers, to include some specified capability that would enable electronic surveillance. But Congress has not passed such a law. So currently the government does not have the ability to do that.

@Clive: you bring up a case where the sole proprietor and developer of software used by offshore gambling companies was arrested as part of an investigation into those gambling companies. The proprietor and developer was offered a plea bargain in exchange for his cooperation with the investigation, which included making changes to his software that would allow the investigators to conduct surveillance on their targets.

Obviously, such a case is quite different than one in which the government simply serves an order on a company demanding that a backdoor be installed. For example, as part of a plea agreement a defendant's cooperation might include placing a bugged object into the residence or workplace of a target. This does not mean that the government has the ability to compel everyone, at the whim of the government, to bug the homes of their neighbours.

Joseph_K • September 19, 2014 11:35 AM

Andrew_K

Every grown up in the USA knows how trivial crimes get you decades of imprisonment through the obscenity of plea bargaining, which no German judge would tolerate, and the treachery of parallel construction, which makes NSA everyone's secret accuser. Every US grown up knows how the government has privatized intrusive surveillance to evade legal constraints - NSA doesn't have to fire you, they just let their contractor rummage through your life and make your boss do the firing. It's the same. The credit rating agencies now control everything the Stasi did, and bankers are forced to be policemen. Your subsistence is contingent on compliance.

A smart guy like George Soros could make monkeys of the Nazis but he knows better than to take on this new totalitarian state. It's far more restrictive and sadistic. It tortures constantly, routinely, publicly. Watch the Committee Against Torture review the US in November, you'll see. This regime recruits and molds psychopaths. Listen to them, even here. They talk like brutalized kids with a magnifying glass roasting ants.

You're part of their axis. They're going to send you to war. You're making a fatal mistake if you think you were uniquely repressed. The USA is Germany in 1939, just moved across the sea.

Jacob • September 19, 2014 8:28 PM

@ Skeptical

"@Clive: you bring up a case where the sole proprietor and developer of software used by offshore gambling companies was arrested as part of an investigation into those gambling companies"

This is what I consider not just a preposterous "long arm" policy of the NYC DA, but actually a "reaching for the stars" abuse of power.

The guy, Bob Stuart, who resided in Arizona, sold *legal* software for bets bookkeeping that he had developed to only overseas customers - also a totally *legal* act.
The NYC DA claimed that the software supported overseas gambling businesses (*legal* in their respective jurisdiction) to which some unspecified NY persons were allegedly exposed (*illegal* internet gambling act in NY) - and this was enough to raid his Arizona home with a major show of force and give him the Aaron's treatment.

Since any legal software can also be used for illegal activities (I bet money launderers also use Excel), one can easily see the tyrannical nature of US prosecution. This, combined with the potential inter-agency data flow from the NSA, paints a very bleak picture on the face of the "greatest democracy on earth".

And the distance from trying to force someone to install a backdoor into his own software, while operating a *legal* business, to forcing a HW vendor to install a backdoor into its chips, is immeasurably small.

Spellucci • September 20, 2014 7:15 AM

In the Government's Ex Parte Merits Brief (https://cdt.org/files/2014/09/2-yahoo702-governments-ex-parte-merits-brief.pdf) it states on page 1,

As the attacks of September 11, 2001, have underscored, timely and accurate
foreign intelligence information on the intentions and capabilities of our
adversaries is a crucial tool in the fight against international terrorism.

We had information on our September 11 adversaries, and it didn't help. The entire foundation on which more surveillance is followed by even more surveillance is flawed. The overarching fear of foreigners is unfounded, and the law itself is flawed.

braun • September 21, 2014 12:15 AM

Why are you amazed?

Bulk data collection with by-catches is one aspect but it's not the important one. If you try to collect $_everything or at least as much as you can you have a time machine. And the quality of that peek into the past is ever increasing.

Just give it a few years and take an average individual in a heavily 'digitized' country.

In 10 minutes or less I have an excessive profile of you.

What are you reading on the web
Who are your peers and what's your relation to them
I know LITERALLY where you ARE and WHERE YOU HAVE BEEN in the last years in segments of 5 to 30 minutes.

I know where you've been on August 11th 2012 at 4 in the afternoon and I also know what you did...do you?

I know exactly which meetings with Alcoholics Anonymous you had and which you skipped over the past 5 years and I know exactly who Lola is who's living in the apartment you rented 3 years ago. I also know that you apparently meet with her each Thursday when your wife is bowling.

And I know that you keep in touch with your old buddy from college who's now back in Iran.

And you're amazed about the government's coercion?

They would shoot Marissa quite literally in the face if it would solve the problem with access to that data.

The only way to get out of Orwell's world is to prevent access at the root.

But virtually ALL OF THEM are making money off of this data. In a free service money needs to come from somewhere. The user is not the customer. He's the product and the governments are just a more or less imposed customer of raw data.

And don't get me started on mobile phones and baseband processors and what that means for Apple's 'privacy pledge'. It's pretty much worthless.

Clive Robinson • September 22, 2014 5:23 AM

@ Jacob,

You and I appear to have similar thoughts on the magnitude of the issue of the abuse by a government employee. It has unfortunately become clear that no action will be taken against that employee --except for probable promotion-- and the Aaron case confirms this as well as indicating this policy comes all the way from the Oval Office. Thus a degree of suspicion must go towards considering this behaviour as being a fundamental policy position of the DoJ and above across a far wider reach than most have thought about.

Further you now have the same knowledge as I do on the fact that another person is fully cognizant of the facts of the case. Thus I suspect you are probably having thoughts on why the person is avoiding the subject...

It will be interesting to see what happens when the subject is raised again by either you or I, and as to if the "person of interest" actually does respond in the way they do other subjects, or just obfuscates.

Skeptical • September 22, 2014 6:26 AM

@Jacob, Clive: The guy, Bob Stuart, who resided in Arizona, sold *legal* software for bets bookkeeping that he had developed to only overseas customers - also a totally *legal* act.

That's how I've read it reported as well. But matters may be somewhat more complicated. Here's a quote from the Manhattan DA's press release on the subject:

According to documents filed in court and statements made on the record in court, EXTENSION created and supported online gaming software called Action Sportsbook International (“ASI”), which allowed bookmakers to select the sporting events they would offer in their illegal bookmaking operations and manage their operations from offshore locations, such as Costa Rica, the Caribbean, and Canada. In order to use ASI, bookmakers paid a quarterly licensing fee to EXTENSION for an access key. For continued access, the bookmakers would make payments on the quarterly invoices they received from EXTENSION.

EXTENSION customers paid the licensing fee in three ways: (i) by U.S. and International wire transfers directly into EXTENSION’s bank accounts; (ii) by cash deposits made into EXTENSION’s domestic bank accounts; and (iii) by money orders deposited directly into EXTENSION’s bank accounts. The overwhelming majority of the approximately $1.1 million cash and $1.2 million in money orders deposited into EXTENSION’s bank accounts are alleged to be direct proceeds of illegal, U.S.-based bookmaking operations, including operations that conducted their activities in California, Connecticut, Florida, Illinois, Kansas, Massachusetts, Nevada, New Jersey, New York State, Oklahoma, Pennsylvania, Tennessee, and Texas. The investigation into this case continues.

So what the DA appears to be after is Stuart's knowledge of the company's illegal operations. If they can show that he knew how the company was deriving "the overwhelming majority" of the cash deposited in his accounts, then they can argue that he acted in violation of New York law.

As to whether that's a good argument legally, I have no idea. It sounds like a stretch, but it doesn't sound completely crazy either.

Since any legal software can also be used for illegal activities (I bet money launderers also use Excel), one can easily see the tyrannical nature of US prosecution. This, combined with the potential inter-agency data flow from the NSA, paints a very bleak picture on the face of the "greatest democracy on earth".

It's a bit ambitious to use small pieces of information on an obscure gambling case in New York to derive a picture of the size you're attempting.

Here's an analysis by a law firm on the case.

And the distance from trying to force someone to install a backdoor into his own software, while operating a *legal* business, to forcing a HW vendor to install a backdoor into its chips, is immeasurably small.

The distance between the case you reference and an attempt to prosecute, say, Intel for something similar, is actually quite enormous.

Clive Robinson • September 22, 2014 5:31 PM

@ Skeptical, Jacob,

The NY DA is "trying it on" for all they are worth, the reason I suspect is the usual US TLA and subsidiary agencies trick of "Find them guilty of something or anything even of 'jaywalking their drive' and try to make it related to the initial case to prevent them suing for or limiting damages against the State / US Gov."

From the site you give, we see, that the NY DA is going to have to argue,

Because cash and money orders are unusual methods of payment for software licenses, Mr. Stuart, it can be argued, should have been aware that the payments could have been made up of proceeds from illegal gambling.

Thus the NY DA is reliant on saying "guilt if he knew, or pretended not to know" and is then claiming that accepting what the DA considers to be unusual methods of payment is proof positive that he must have known that not only was the money from an illegal activity, but specifically he must have known it was from bets placed illegally in the NY area. That is a difficult ask at best.

But what the web site you quote does not quote is US company law which for the much famed "shareholder value" is required to accept profitable business unless it can be positively shown it involves illegal activity.

Further nor does the site show that for small businesses accepting cash or their equivalent of money orders is far far safer than what the NY DA considers in their opinion more normal --and far riskier-- methods of payment. Actually if you think about the way most small software house software (indie games, phone apps and quite a bit of MS OS&Office software as well) is paid for it's not by what the NY DA considers normal...

As I said it's the NY DA "trying it on" to protect their future political or otherwise career, and or limit any payout on damages, you see it over and over again in the US jurisdictions, where in some cases those who can be shown as innocent of what they have been jailed for are refused freedom or the method of obtaining it unless they plead guilty to something...

Thus the US Justice system positively encourages DAs and the like to go out well beyond the acceptable edge. Such as SWATing a family home with overwhelmingly armed and numbered paramilitary forces and then threatening unsupportable legal action to try to get another to carry out a known --by the DA-- illegal act, thus turning an otherwise innocent individual into a criminal, not just in a foreign jurisdiction but actually in the US as well....

The fact a judge was prepared to oversee such a "plea deal" says much about how far the US judiciary has sunk into what is turning a blind eye to lawless activities by TLAs etc, that the likes of the FISC and other secret courts are known to nod through...

So no I don't think it to be an over reach of probability that US TLAs would try to coerce other businesses into illegal activities such as backdoors if they think they can be pressured by their lack of size and thus inability to fight the TLA and its Kangaroo Court activities.

The fact that Apple has not updated their warrant canary might suggest that a US TLA has decided they "are not too big" or want to send out a message to others...

Skeptical • September 22, 2014 10:20 PM

@clive: Thus the NY DA is reliant on saying "guilt if he knew, or pretended not to know" and is then claiming that accepting what the DA considers to be unusual methods of payment is proof positive that he must have known that not only was the money from an illegal activity, but specifically he must have known it was from bets placed illegally in the NY area. That is a difficult ask at best.

I have no idea. There's a lot about what the DA is thinking, and obviously a lot about what Stuart is thinking, that simply won't make it to the papers.

Odds are that the DA considers, given the totality of the circumstances, that Stuart knew where the money was coming from. Perhaps he was also reliant on a few customers who were all, or mostly, criminal enterprises; perhaps his business contacts with them went beyond that of selling them something.

I do find it somewhat of a stretch to say that all of this thereby makes Stuart into an accessory, but it's not crazy. It would depend on how much he knew, and how disposed the jury was to believe the case.

But neither you nor I know enough to judge.

So no I don't think it to be an over reach of probability that US TLAs would try to coerce other businesses into illegal activities such as backdoors if they think they can be pressured by their lack of size and thus inability to fight the TLA and its Kangaroo Court activities.

Clive, this isn't a typical American business, and the effort to surveil other people would be subject to the same standards of judicial oversight. Let's get real for a moment, shall we?

As to US courts being Kangaroo Courts, :) I'll just savor that one for a while for the humor of it. The US tradition is one of distrusting government, and it is a tradition that runs deeper in the US than any other developed nation. Courts in the US are adversarial, open, and the defendant can get a very fair trial.

Figureitout • September 22, 2014 10:45 PM

skeptical
Let's get real for a moment, shall we?
--Please don't patronize someone who is way more knowledgeable than you will ever hope to be. The court system as well as the rest of the country is deeply sick, and headed towards a future of tyranny and mediocrity due to the legal threat of SWAT teams that the justice system has gotten way too comfortable using for extremely petty reasons. People are scared to experiment, unlike "traditional pioneering Americanism", due to legal reasons. So advances die w/ the people capable of discovering them.

Pull your head out of your insincere ass and smell the roses. The main thing holding this country up by its frail skeleton is the cheap labor from Mexico and some from elsewhere. Otherwise, sewers backup, water/power systems shutdown, roads crumble.

Clive Robinson • September 23, 2014 7:42 AM

@ Skeptical,

With regards,

Clive, this isn't a typical American business, and the effort to surveil other people would be subject to the same standards of judicial oversight. Let's get real for a moment, shall we?

You are making three statements there,

1, That the business is not typical of an "American business".
2, That the surveillance would be subject to judicial oversight.
3, Let's get real.

So in reverse order and "getting real" as you so put it, let's look back at what has been said and what you are claiming for the case and elements involved.

Your second point is,

the effort to surveil other people would be subject to the same standards of judicial oversight.

There is absolutely no evidence given by any of the involved parties that this would be the case. Worse the judge overseeing the plea bargain, did not stop what was blatantly an illegal act the NY DA was coercing the business owner into. That is the business owner was being coerced into,

A, Installing software against not just NY statute, US Federal statute, but also against the statutes of many other nations. That is the software was illegal and the NY DA would be blatantly aware of that.

B, Running the illegal software to collect the data illegally and then to hand over the illegally collected data to the NY DA, illegally without any oversight to that point.

Now the NY DA knowingly having coerced the illegal installation and operation of the illegal software back door and the illegal collection of data without any oversight is then going to subject it to judicial oversight? That is the NY DA knowing that the data is illegal and illegally gathered and thus to be "fruit of the poisoned vine" and completely inadmissible and thus not usable in court or for any legally correct judicial process, is going to present it as such to a court where a defence counsel will have a field day with it?

You really believe that the NY DA is going to do that?...

Because most here would consider it highly unlikely, because it would fail the simple sanity test of "why force the illegal collection of illegal data for a legal process, knowing that it would be at best rejected by a court, through having a case dismissed, and probably also having the NY DA subject to censure that could be both career and liberty restricting for a sizeable period of time for the NY DA and others involved."

Thus you would further have to assume that either the illegally collected illegal data is not going to be used in an oversighted legal manner, or the NY DA and their department like wasting tax dollars for which they are accountable. Thus some would say "Parallel Construction" is the most likely cause of the NY DA coercing the illegal installation, operation and collection of the data.

With regards your first assertion of,

Clive, this isn't a typical American business,

First of all for that to be true, American businesses would have to be very homogeneous --which they are not-- for such a comparison to be made. Even in the software sector that comparison cannot be made for similar reasons. Importantly there are very very few American software businesses that only sell their product abroad or licence abroad, so comparison even with them is going to be difficult at best.

But what we can say is there are a large number of small software houses that use payment methods that are considered unusual by other more "staid or traditional" American businesses (that because of this staid attitude are losing business opportunities because of their lack of diversified payment methods).

I know that the US has a peculiar view on "cash transactions" in that I've actually heard American tourists say in other countries just how "un-American it was to not accept credit cards", effectively implying that such cash only businesses were as repellent to Americans as Communism. There are many countries in the so called Western World where more people have Mobile Phones than have Credit Cards (very much the opposite of the US). And in general most European countries regard credit card payments especially US ones as a very poor security risk and actually refuse to accept any that are not of a specific home nation bank.

So whilst America where by far the majority of its citizens don't have passports let alone travel more than a few hundred miles outside of US borders has its views on "cash", most other countries regard them as downright odd if not mad. An American business only trading abroad would to survive have to accept the norms of the countries it does business in not the norms of untraveled American citizens' limited and prejudiced viewpoint.

And I would be prepared to make the usual bet, that it's this difference in societal norms the NY DA is going to exploit should the case ever finally come before a jury of untraveled and prejudiced US citizens, that don't have the slightest clue as to how the rest of the world functions or why.

For instance, outside of the likes of gold and other physical valuables, do you know how the likes of Iraqis and many other nations' citizens who cannot just "go to the bank" trade on a day to day basis? Most are surprised to find that amongst other odd methods mobile phone unit / topup cards are used as a currency --instead of the unavailable or untrusted local money-- as are the likes of packets of tobacco / cigarettes and other small light luxury items.

Clive Robinson • September 23, 2014 7:54 AM

@ Figureitout,

I don't know if you have seen another "over extended long arm of justice" case Jacob has mentioned on another thread,

https://www.schneier.com/blog/archives/2014/09/friday_squid_bl_442.html#c6679180

But it looks like the facts are stacking up on the viewpoint of "judicial abuse of power" via poorly written or over encompassing legislation that gets used as a "political tool".

If I remember correctly, you've traveled a bit in Europe, how do you think those Europeans you have met would regard the security of a cash payment over some insecure US credit card or other insecure US credit instrument?

Figureitout • September 23, 2014 10:46 PM

Clive Robinson
--Yeah read it, another person gets a nice experience w/ justice system. A classmate was wanting to make a bitcoin miner on campus and first thing I mentioned was a previous case involving an MIT researcher using their network to mine coins and he got kicked out. Never really got into it, don't trust it enough.

On the credit card stuff, probably not a good person to ask as I was a young teen and some of my friends (quite a few) were pretty spoiled from daddy's diamond trading or stock trading. Credit card security wasn't a big deal to us then. Got there while Belgium was still transitioning to the euro. I mean most Europeans would scoff at just about anything American, so they'd probably scoff at a US card too.

And now I have some more crap to do just to order parts and I'm not sure longterm how I'm going to keep a card w/ money in it as pretty much my whole family's cards have been compromised before...


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.