Let's all do a blogpost on PRISM and see how many eyeballs we can get.
Google takeout most likely has nothing whatsoever to do with PRISM or any other NSA programme, why go through a clunky one-user-at-a-time batch process when you can be comfortably sitting right where the action is, where updates are incremental and where information is available when it happens instead of when you ask for it.
User data export features as they have been common recently – Facebook und Twitter for example offer similar features as Google Takeout – could without any doubt be used to export data for all kind of other 'users'.
NSA might tap every single bit of communication worldwide but getting structured data for users of specific interest directly from Google etc. is still much easier.
Prism docs leaked put a huge accent on the fact that it is real-time.
On top of that google take-out is just google but a lot of other companies are listed as well. So, all things taken into account the two most likely have nothing to do with each other.
Rachelbythebay does not let any chance go by to diss her former employer and that's fine by me as long as it is based in fact, not in speculation. If she knows for a fact that this is the case that would change things considerably but from where I'm sitting this looks like speculation to me.
Google is not alone with this kind of user data export feature.
And just because systems like PRISM are in use, doesn't render data export for specific users useless:
PRISM might for example identify some users of specific interest. As a result, NSA might access all Google data in relation to this user in structured form. Legal interception ports in hardware and software have been known for years, they are mandatory in many countries. And while live surveillance can be important too, most results are gathered from structured user data and meta data. And in any case, why should the same work be done twice? Why should NSA do work that has already been done by Google etc.?
I am kind of surprised how many people on HN try to downplay the PRISM thing. The recent revelations and controversy directly affect the business prospects of any US firm that stores data.
A couple of months ago I was on an education business fair in Germany and the first thing I heared at the booth of many data-handling businesses was: "We don't store anything in the United States. All our servers are in Europe/Germany."
I now wonder if next year, some will advertise that they don't even have a US subsidiary and are thus not under US jurisdiction.
Google, Apple, Facebook and friends go to great lengths to evade taxes. When it comes to tax matters, those companies have no hesitation to use all the tricks available to a trans-national company. And they pay very smart people to invent schemes that ensure a maximum amount of money is kept out of the US IRS hands.
If Google, Facebook and friends were truly serious about protecting their users' privacy, they would. They would pay very smart people to invent schemes that ensure a maximum amount of user data is kept out of the US NSA hands.
It's one thing to have a bankaccount in the Netherlands, that's easy. A whole data-center? A data-center with all the infrastructure to support it and employees and it still needs to be fast enough that we can't see a slowdown from moving it out of USA? That's a different undertaking.
What if I insinuated that certain multinational companies already choose which data centers get certain products due to tax reasons? As in, "product X can go into building #1 but not building #3, and product Y can go into #3 but not #1".
Maybe you can have one but not the other. These guys contract big consulting firms to be the middlemen between them and the government when it comes to tax laws. But I suspect you have to "give" something in return.
I doubt this is really an issue. Maybe some knee jerk anti-American types might spew nonsense like this but Europeans with a little more sense and insight and who actually care about this stuff are well aware that:
1. By law all European telecom providers, including ISPs, are required to provide a backdoor for everything that goes on on their networks (the infamous Data Retention Directive)
and
2. All European security agencies cooperate quite willingly with their American counterparts. Some more so than others (the ones from the former Eastern Block are particularly notorious in this regard) so if an American three letter agency wants your data, it'll get it.
It's simple: if it's passed through the USA, if you store it on a server in the USA or if it contains tags served from the USA you can bet that it's being tracked by one or more three letter agencies. To assume anything less would be folly given the amount of smoke that has been generated to date. To infer there is a fire somewhere is no feat of deduction.
The fact that there is now proof that at least some of these programs are real is only going to convince the last hold-outs, or at least, so I'd hope.
...in Germany and the first thing I heared at the booth of many data-handling businesses was: "We don't store anything in the United States. All our servers are in Europe/Germany."
There is a very simple reason why that is a marketing point, and any of those vendors would have been happy to expand on it, and probably do on their websites. That reason is that compliance with German law requires certification that all steps you take with data comply with German law, which is much easier to do with a vendor which exists in a jurisdiction that has similar data privacy laws, and is easiest if that vendor is German.
Now before you cheer Germany for this stance, stop and think. Normally HN is very supportive of anything that reduces red tape barriers to small startups trying to innovate. The kind of regulations that we're talking about both protect users, and make life a lot harder for startups.
If you stored data in the USA, you were already subject to all these things - search warrants from the FBI, FISA requests for a user's data, etc. The law has not changed.
If your servers are in Germany, then they are the subject of German law - and all of their similar, respective search and data laws.
If you weren't aware of this before, you either weren't large enough for anyone to ask for your data, you were lucky enough to never have to deal with this request (or your software isn't really used for communication or data storage), or you were simply ignorant of the legal situation
Exporting every account on a daily basis can't possible work for Google or the government. To be scalable and useful, and to meet the "no direct access to our servers" mantra, they would instead need for Google to replicate all database updates straight onto the NSA servers.
That's no small feat, and it certainly requires explicit engineering effort, but it's not a hugely complex undertaking either. Maybe the infrastructure of Takeout can also be used to do that, but the data transmission itself would have to work differently. Again, I believe it has to be basically a data pipe that replicates every user action, probably in real time.
I'm not aware of a good reason to think that Google sends all user data for everyone (or even all non-US-citizens) pre-emptively (or at all) to the NSA. The Takeout system is doubtless used to comply with FISA requests targeted at specific individuals, but it's not at all news that Google receives and accedes to such requests fairly routinely.
The three questions which remain open are 1) just how many individuals are getting FISAed - and has it gone up sharply thanks to the shiny new infrastructure for streamlining the request process? 2) do the FISA requests being acceded to now also include "broad sweep[s] for intelligence" in addition to those "specific orders about individuals" which the Internet companies have acknowledged (and which everyone knew about already) and 3) to what extent are the CEOs still fully aware of the nature and extent of the FISA inquiries now that the nice semi-automated processes are in place?
PRISM means that internet companies like Google will be free from future FISA and NSL headaches, and so they can even truthfully say that they haven't received any requests.
Not unless the NYT report is completely wrong, and the Internet companies are lying very blatantly. By all accounts PRISM is a conduit for FISA requests and responses, each of which is still approved by Internet-company lawyers. If they were servicing extremely-broad FISAs like Verizon's "send us all your phone metadata" then the distinction would be academic, but both Google and the NYT seem clear that Google hasn't accepted anything on close to that scale.
"If they were servicing extremely-broad FISAs like Verizon's "send us all your phone metadata" then the distinction would be academic, but both Google and the NYT seem clear that Google hasn't accepted anything on close to that scale."
Maybe I read it wrong but Verizon was ordered by the court to do just that and to shut up about it. I doubt they were asked to accept, just the court ordered it and it is so because it became a 'legal request.' I have to wonder what Google, Microsoft and Facebook were asked to provide to NSA in large scale. If they can have all calls to see if anyone calls certain "terrorists," why not get a log of all Skype calls, FB likes, messages, Google searches etc to see if anyone is linked to "terrorists" or searching for related materials?
Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
Now that could conceivably be a bald lie - or I suppose they could just conceivably have lost awareness of what their FISA/NSL/warrant-handling lawyers were approving, to a spectacular extent - but otherwise they aren't handling any Verizon-scale FISA warrants. However, you're right: there's a big grey area between Verizon-scale "megawarrants" and the "specific orders about individuals" the tech companies say they process. NYT said "FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms" while the tech companies largely reasserted that they only process "specific orders about individuals". It seems that only one source can be accurate here.
BTW I assume that Verizon wasn't really just forced into handing over all its metadata: there was probably a bit of a gentleman's agreement in the government producing an omnibus FISA order and Verizon agreeing not to contest its legality. Everyone spends less time processing FISA orders, the government gets all the metadata it wants, and Verizon gets a sicknote to cover it legally.
But Google said it denies taking part in PRISM...that denial could be a lie, but nothing so far has substantiated that.
The NYT article that so incensed Michael Arrington, for example, exclusively refers to the FISA procedure, which Google has more or less already admitted that they comply with (lawyered requests for specific individual/groups data).
The only part of the NYT article that sounds like the alarming scenario outlined in the PowerPoint slides is this:
> In one recent instance, the National Security Agency sent an agent to a tech company’s headquarters to monitor a suspect in a cyberattack, a lawyer representing the company said. The agent installed government-developed software on the company’s server and remained at the site for several weeks to download data to an agency laptop
There's no mention that the company here is Google and there's really no reason to believe that it is Google (in this instance)...I mean, because if it was, then the procedure described here has vast implications about Google's software stack that would seem untenable for a company with Google's kind of infrastructure
(It's possible that the procedure described here is inaccurate, as it is third hand, but that only underscores the vagueness of this whole thing)
Did it really? It seems that PRISM is the software support etc. to semi-automate the FISA procedure at the Internet companies. Google claimed never to have heard the term 'PRISM' but that could easily be true-but-insignificant.
(It's possible that the "PRISM" name is also being used by the NSA to cover old-fashioned wiretapping of emails etc., but that wouldn't involve the Internet companies as opposed to ISPs.)
Well, yes, really, insomuch as can be expressed in typical human language:
> > First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.
That's a broad flat out denial. And in my opinion, it includes such options as reserving an omni-admin account for the government, and if such an arrangement exists, then Larry Page should be pilloried for issuing a lie. But until such an arrangement can be shown (and why couldn't it? If there's a NSA official who can leak about it successfully, why is it impossible to imagine that google has at least one such conscientious objector?), it seems a little unfair and counter productive to judge Google with inescapable circular logic.
But that's perfectly compatible with them being in PRISM. It seems PRISM is indeed not a backdoor or a means of direct access for the US Government, but is a conduit for FISA requests to be approved by Google's (and other firms') lawyers. They hadn't heard the term "PRISM" but that's because the US "intelligence community" hadn't used it to them when discussing the system.
They could be regularly piping filtered information to serve the US's Government's interests, as part of project they know by another name but happens to have the code name "PRISM".
There; no "back door", no "direct access", no "PRISM", not "broad", as said elsewhere in the release.
Good points - other things that mean something else in this light is the realname enforcing policy and the unification of Google accounts (that we got Google+ to blame for exclusively so far). Taking it further, I wonder what the information that Google's personalized search is based on, can be used for. It must be a good summary of your habits, interests etc., right?
Sometimes bad guys kill people and use the shovels from Home Depot to bury the bodies.
There was this really great Zombie movie from 1985, Return of the Living Dead, that took place in a funeral home. I'm not going to give any spoilers, but you really need to see it.
Shovels mean something else in light of this discovery. Sorry Home Depot, I think your shovels have been co-opted.
Even in the absence of this specific Takeout tool, Google would need a way to comply with legal requests for a user's data across all of their various systems.
What is more likely than not is that the majority of employees at Google have no idea how the surveillance system that Google would need to have worked and were ignorant that it existed.
I think the Palantir link is the most plausible, it's startling to see how many companies utilize their technologies (mine does, under the premise of being "AML-compliant"). The end goal of these cretins is to chain men with invisible, digital shackles.
When this came out, I remembered about that whole "you can never really delete your Facebook account, or the data from Facebook's server" situation. The whole NSA thing could also be one of the reasons why you can not.
Oh, and you can't delete your Skype account either. Not even in the UI.
I wouldn't be shocked if that happened. There was some other leak a while ago saying that FBI thinks you're "suspicious" if you don't have a Facebook account. That's the world we live in now.
Skype was another one of the services mentioned. Microsoft was also the first company to start giving data this way to NSA, according to the leak, since 2007, and they signed up Skype to it almost immediately after they bought it.
Google takeout most likely has nothing whatsoever to do with PRISM or any other NSA programme, why go through a clunky one-user-at-a-time batch process when you can be comfortably sitting right where the action is, where updates are incremental and where information is available when it happens instead of when you ask for it.
Push over pull any day for the NSA and the likes.