Here's an attempt at a quick translation for those interested. Note that 'De Telegraaf' is a tabloid-y newspaper, and the Algemene Inlichten- en Veiligheidsdient (AIVD) is the Dutch secret service.
---
Dutch secret services also receive information from the United States' internet wiretapping program, PRISM. When the Algemene Inlichten- en Veiligheidsdient marks an American e-mail address as being suspect, within five minutes everything is known, said an AIVD agent this morning in De Telegraaf. According to the paper the agent was working for the department tasked with monitoring Muslim extremists.
According to the agent many companies are actively collaborating in giving access to their data. 'All large commercial internet services are being forced to provide an application with which [secret] services can browse [their data]'. Together these applications make up the American secret service NSA's program for collecting private internet data.
'EVERYTHING IS BEING SHARED BY SKYPE, GOOGLE, AND FACEBOOK'
According to the agent Skype refused for years to provide access [to their data], but since it has become property of Microsoft everything is said to be shared, as is the case with Google and Facebook. Last Saturday the leading men of both companies said not to be aware of the internet wiretapping program.
Dutch companies are said to cooperate willingly as well. 'When a request comes in one is just given direct access to the data, everything on a silver platter.' When a company does not cooperate, an agent is 'activated' that has access to the information at the company. 'Within companies and organizations, everywhere there are agents that can be activated, who are waiting for an information request.'
> Note that 'De Telegraaf' is a tabloid-y newspaper
Note that although, yes, De Telegraaf is more sensationalist (and less 'left wing') than other Dutch newspapers such as The Volkskrant and NRC, you should not compare them to the NY Post, The Sun or the Daily Mail.
Isn't the NY Post regularly 'speaking out' on behalf of homeopathy? I think they even had a post about how you should be an anti-vaccer if you're a parent or some bullshit like that…
> but since it has become property of Microsoft everything is said to be shared,
I wonder what this tells us (or should tell us) about using a Microsoft OS for accessing or storing private/personal/confidential information. TrueCrypt is useless if Microsoft can send you personalized, silent Windows updates at any time and if they unscrupulously opened up Skype as claimed, why would they respect their Windows customers more?
> According to the agent Skype refused for years to provide access [to their data], but since it has become property of Microsoft everything is said to be shared.
I bet people won't think I'm so crazy now for posting before that the only reason Microsoft paid the incredible amount of $8.5 billion for Skype (and 2x as much as Google was willing to pay) for no good reason, is because they already knew they were going to make at least half of that money back from NSA:
So they were already preparing to make it a spy technology before they even bought it. Microsoft bought Skype in May 2011. Look at the PRISM slide. They adopted PRISM for Skype in June 2011, a whole month after they bought it (in a hurry much?):
Why would anything think you were crazy? That was widely discussed around the acquisition.
Then Microsoft completely altered Skype's design (from supernode/P2P to client-server) making it cost a LOT more to maintain while offering no obvious advantages, which more or less confirmed it.
As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes which can be located on dedicated servers within secure datacentres. This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes). We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community.
I find it hard to believe that a huge amount of money can be quietly booked by a publicly traded company without it raising all kinds of hard-to-answer questions from employees in many departments, as well as the outside auditors. Even more so that it was actually the monetization strategy approved by the board for the acquisition.
Here's a more conventional theory why they bought Skype. Around 2010, Microsoft is already moving toward a huge investment in mobile, where they've been completely blindsided by the staggering growth of iOS and Android. Their investment in Bing has not really paid off, and fighting Google on search has arguably been a distraction while this new-fangled iPad is about to destroy their entire PC market.
One major gap for their mobile strategy is a messaging platform. Windows Live Messenger capped out and is on the decline. They can build a new platform from scratch, but Windows Phone needs a tool that drives preference over iOS or Android. I'm not sure what their plan A was before Skype became available to buy, but it made sense as a plan B when it was for sale. With over half a billion users, it starts to look like a $10 CPA for customers.
Mobile also helps explain the shift toward client-server (as questioned by UnoriginalGuy below). If you had used Skype for mobile before, you'd know that it was basically a battery testing app. I haven't touched Skype much in the past year, but I think it's clearly improved.
"I find it hard to believe that a huge amount of money can be quietly booked by a publicly traded company without it raising all kinds of hard-to-answer questions from employees in many departments, as well as the outside auditors."
I don't know anything about what happened, but Microsoft must be one of the easiest companies to send a gift in a hidden way. Lets say the NSA bought Windows Vista upgrade licenses for a couple of million servers, then upgraded them to Windows 7 and form there to Windows 8, instead of doing what sane people do (upgrade from XP to a mix of Windows 7 and Linux). If you also upgrade SQL Server, Active Directory, etc, frequently and buy copious amounts of Remote Desktop licenses, I bet you could get the bill into the billions. And you don't even have to install that software, or even download it from Microsoft's servers.
Yes, it would raise suspicion that the NSA buys Windows licenses, even more so that they buy them at retail price, but I doubt that the auditors at the NSA are 100% independent from the NSA, so they would just (be ordered to) ignore it, and the NSA could route the buys through quite a few shadow companies, making it hard to spot anything suspicious for those working at Microsoft.
Aren't NSA's full accounts pretty deeply secret http://www.wired.com/wired/archive/3.11/patton_pr.html ? so I think the only real issue would be tidying up the MS end. Another obvious way to funnel money into MS is through sweet deals on buying or licensing patents.
I know the advert is based around Internet Explorer rather than Microsoft as a wider organization, but that level of misleading advertising has to be in breach of trading standards (in the UK our trading standards laws are pretty strict).
While that argument might stand up in court, Trading Standards and ASA (Advertising Standards Authority) do take misleading consumers as seriously as outright lies.
The real question is whether they consider the PRISM leaks as evidence to challenge the tag line. Given the secrecy of the operation and Microsoft's denials, it the standards authorities might consider that evidence too much as hearsay to take definitive action.
Given Snowden's claims, they may well not know. He claims the NSA is so advanced that they routinely break the best encryption available and can literally access anything on the internet.
Assuming that is true, the NSA can access your PC at home and get anything they like form it. Have you noticed that happening? Has any one reported it happening? We get incredible third part analysis of the likes for stuxnet, but for this, nothing what so ever.
So, we could say Snowden is wrong or lying. Or, we could say the NSA is so good no one has seen it happen and hasn't analyses the attacks.
On top of that, how many employees for Google, MS, FB, etc are also working for the US government secretly? Would Page and co know that?
So, why would Page and co have any idea their systems are compromised. Apart from responding to legal requests, they may have no idea.
On the other other hand, if this were true, I'd expect Page and co to be bright red furious, and I dont see that either.
I dont know. I do think it is possible that they didn't know everything. Although, given their reactions, if I had to bet actual money, I'd have to say they did. Their reactions kinda suggest they knew full well.
If they didn't know about the NSA accessing their servers, they damn well better treat it like any other serious breach of their security instead of denying it is going on!!
Different sources from all over the world come out with credible information that the NSA and various other security agencies are routinely accessing your data. If a company truly did not know this was going on, they should now be in alarm code red, figure out which of your systems are compromised, try to find out which employees did it and fire those involved.
FB, Google, etc, if people got into your systems without your knowledge, then you got hacked. Not being aware of this doesn't make it better. Flat-out denying it within hours, before you even seriously looked into the matter, makes you complicit or at least suspect.
Did Google deny anything was going on when Chinese Intelligence infiltrated their servers? No, they rang the alarms, investigated and tried to fix it.
BTW before anyone points it out, I am aware it's pretty naive to expect the above behaviour. It's an intentional hypothetical example to illustrate they are complicit even if their CEOs are unaware of what is going on, by not treating it as the serious breach in security that it is.
Here's an interesting thought (to me). Supposedly there is a law that forbids NSA from using PRISM to directly spy on Americans. Let's imagine, for a brief, laughable moment, that this law is followed. It would be technically compliant with the law if the NSA could send a request to Dutch authorities, and ask that they send any information they have or can obtain on a US person. The Dutch have access to this system, and would know what the NSA is getting at, so the Dutch would query the system and send the info back. This could all be done via API in a matter of milliseconds.
The NSA could then tell their overseers that they have never used PRISM to spy on Americans, which would be technically true, while they would enjoy unfettered access to intelligence on US persons with absolutely no oversight or authorization from anyone. This seems to be one of only a few logical explanations for giving other countries access to the system.
That doesn't seem like a huge stretch of imagination at all. There have been rumors years ago that they're doing this with the UK, too, and probably other countries, too.
I wonder if that's why Germany is the most spied upon in EU. Does Germany have the same deal with US? You spy on us, we spy on you?
It can either be that, or US spies on Germany because they want all sort of information from their politicians, businesses, and so on. I doubt most terrorists reside in Germany. So those can be the only 2 explanations.
I don't see how your question follows from my post.
If you intend to imply that I agree with the NSA that Germany is a US possession, then you're wrong. In the 80's I protested American occupation personally.
However, it's useful to understand the mindset of the people in power in Washington. They really do regard everything as American soil.
Finally, from a logical perspective, the Germans didn't allow US military bases; it was part of the post-war occupation accord. The French and the UK got their sectors, too, as did the Soviet Union.
If you're talking about Nellis that's a US airbase with a few UK planes/pilots stationed there mostly for training purposes, which is clearly not the same thing.
Edit: I can't say what I am talking about, but I will say that we (the U.S.) ended up having to lease usage of the U.K. facility even though it was physically located here in the U.S. and protected by U.S. forces.
In fact if Americans weren't in general wary of the government I'd be wondering who kidnapped all of America and replaced them sleeper cell aliens. There's no finer American pasttime than distrusting the government, it's right up there with chopping cherry trees and baseball.
I think so long as the Germans allow the substantial US military occupation to continue, it's VERY likely much of the bureaucracy views Germany as a quasi-possession (ditto Japan and South Korea).
The way the US regularly gets various major countries to dance upon command, probably just helps reinforce that view (eg the US directly threatening Britain in regards to leaving the EU).
You're implying here that the NSA or the US government is somehow bound by laws. I haven't seen any repercussions for the US's inhuman prison camp in Guantanamo Bay, the civilians murdered by the thousands (in total) in Iraq and Afghanistan, or the secret CIA prison facilities where fuck knows what happens.
Actually downandout wasn't implying that the NSA was bound by laws which prevented them from spying on US citizens, in fact downandout went to great lengths to specify that the scenario was hypothetical and unlikely.
Pre-2001 from what I've read that is how Echelon worked. The UK would spy on Americans, Americans would spy on the UK, and they would both exchange intelligence to bypass each one's respective laws.
But following 9/11 there would be no way the UK could keep up with the US's new intelligence quantity/demands, so the US started spying on themselves and new laws had to quickly get penned to make that retrospectively legal.
Thanks for pointing this out. I've brought this up many times, but people seem to gloss over it. These more recent programs simply remove red tape. This has been going on at least since the Regan administration(perhaps before with Carter). While it may be "illegal" to spy on your citizens, there's nothing against spying on your ally's populace and then having them reciprocate the favor. Share intelligence reports and you are now successful in spying on the entire world.
Most companies don't collect nationality information, so there is no question in my mind that the program (if it collects more than metadata) has spied on Americans, in violation of the law.
If I sign up to Yahoo France, while in France, and give my French address, I assume the NSA (or Dutch AVID, in this case) would assume I'm French and could spy on me. But this may be incorrect, I could be an American... Yahoo never asked me nor verified my identity, let alone my nationality...
Even if they did, some people are dual nationals, and some people are nationals of the US and the US doesn't know about it (Children of Americans born and raised abroad, who have a foreign nationality as well, have no US birth certificate, never lived in the US, have no SSN, and have not yet asked for a passport). These unregistered people are Americans, too, the law says they cannot be spied on without a warrant...
The NSA would have to be able to prove that accounts do not belong to Americans (impossible, for many reasons).
This is an interesting point but I doubt any court would prevent the NSA from spying on foreign communications based on this argument.
Immigration and nationality are exclusively "guilty until proven innocent." The burden on proof is on YOU to prove that you are a US citizen, whether you're stopped by some police department or the border patrol. This is why you're supposed to always have your Green Card on your person.
In most states it is not required to have ID on you. Most US citizens do not carry proof of citizenship (passport or birth certificate), and a Drivers License is not proof of citizenship.
US citizens travel abroad, and it would be illegal for the government to intercept communications between a US citizen and someone else, regardless of location of either party, regardless of the location of the communications intercept.
Furthermore, based on your logic, the government could intercept all emails where someone's passport was not scanned and attached...
I believe that this was supposed to be how things operate (or at least used to operate during the cold war) between the UK and US. The US outsources domestic spying on the UK, the UK spies on the US in return.
I don't think the access is intentional just the sheer number of companies involved make it easy to have double agents placed who report to more than one intelligence agency.
Just another example of how the program is a complete failure and unnecessary.
All that personal and confidential information available to virtually any half decent intelligence agency.
Nothing new really, acting via proxies to stay within lawful bounds has been used for years, inteligence agencies do not hesitate to pay for or exchange services with sometimes very shady people to reach their goals.
The most common example would be the outsourcing of "interrogation" to 3rd parties.
Some reporting suggested that the NSA and FBI are working together in a way. Perhaps the NSA uses PRISM to spy on foreigners (freely) while the FBI uses PRISM to spy on Americans (with more restraint, hopefully)?
Possibly, although FBI tends to be shackled by a much more restrictive set of laws and guidelines. They tend to get warrants and follow the book because they know that in many cases their work will be eventually made public and scrutinized by skilled defense attorneys as part of a trial. They don't want their cases tossed out because they were based on illegal searches ("fruit of the poisonous tree").
By contrast, if NSA were doing what I have theorized above, they would have unfettered access to all PRISM data with no oversight, and it would be entirely legal.
Has 'fruit of the poisonous tree' ever shut down a line of evidence in a terrorism investigation? Will it? I don't really expect our security apparatus would tolerate a restriction like that. 9/11 changed everything...
If they can't get their way in the courts, who takes the fall for "letting a terrorist go free"?
Any government will do large-scale surveillance if they can. It's been said a thousand times before: do not use centralized social networks, cloud services, proprietary software if you value your privacy and freedom. This may be inconvenient, but we can't have freedom without paying its price. I had hard time explaining my friends and relatives why I am not on Facebook (or vk.com, which is more popular here in Russia) or why I would not use Skype, but at least I know that am not cooperating with those who are taking our freedom away.
I know I sound like the NSA shill here but I agree with this 100%. Stuff I've allowed to be on G+ or FB is done with the full knowledge that even the "Restricted" settings will not 100% reliably stop it from leaking to the Internet. Even without the NSA there are problems with corporate insiders, hackers, implementation bugs, countless other things.
Data I have that needs to be private is not stored anywhere on any cloud, except perhaps in an encrypted format sufficient for Data-at-rest.
In fact I was looking for a cloud service provider to use for some work-related stuff (PII) when I came to the conclusion that I couldn't actually trust any of the available cloud services, since it would always be possible for a cloud provider to gain physical access to the machine even if I use full-disk encryption.
What I'm hoping is that someday providers like Heroku will kind of meet-in-the-middle and setup a provision for setting up an enterprise cloud service (inside the protected WAN) that can be provisioned and managed similar to the public cloud SaaS services. Something where the enterprise would have the hardware and network interfaces but Heroku would provide the OS and management software.
>If a company does not cooperate, an agent 'activated' who has access to the information of the company. "Within businesses and institutions everywhere activate waiting for a request for information. Agents are"
In other words: the problem may be as much the fact that personal data exists in the hands of third parties at all as it is that there's any formal framework that enables law enforcement/national security agencies to legally access it.
I find the claims that moles within Google are responsible for this, to be, not impossible, but very improbable. The way Google's internal employee network is setup, the way the code reviews work, the way automated security audits work, the way the data is stored, there are lots of checks and balances that would make it hard to pull off without being noticed.
It's not like an employee can just hack in a device onto the network and start committing code with backdoors, putting trojans on servers, or slurping up network packets.
It's not really a matter of them fooling their co-workers. The access just isn't there, not to mention intensive logging and cross-checking. Google isn't your run of the mill web application where the Sysadmin/DBA is god.
Who says that some of top Stanford CS grads are not working as undercover agents.
The way secret services are shown in movies is a little bit different than the real world. All of them recruit top students from different universities. There is no "university for spies", where they teach agents all the skills they need to get the job somewhere. It's the other way around: they recruit people who already have those skills and teach them how to be agents. That's much easier because teaching someone how to become agent is their expertise.
So internal security has been ramped up after the China attacks. How? In part:
On 4 February 2010, the Washington Post reported, “Google
approached the NSA shortly after the attacks, sources
said, but the deal is taking weeks to hammer out,
reflecting the sensitivity of the partnership. Any
agreement would mark the first time that Google has
entered a formal information-sharing relationship with the
NSA.” EPIC rapidly submitted a Freedom of Information
request to the NSA requesting any documents pertaining to
this NSA/Google relationship. The NSA’s response was
Glomar – a refusal to confirm or deny that any records
exist.
So while rogue employees might become less likely, rogue (NSA) agents hardly become less likely.
I totally get it though: Security and operations at the largest search engine in the world is a matter of national security. I think this new Google-NSA relationship is inevitable, though it could be a bit more transparent.
It is unlikely Google was asking the NSA to help secure their data-centers, it is more likely that Google was sharing information on the attacks and asking if the NSA had any corroborating evidence about it's source in the People's Liberation Army.
When tech companies face a coordinated foreign attack like this, they are looking to share attack data with one another, as well as the government, in order to form a complete picture of the attacker.
Let's put it this way. I could let you sit at my desk, give you my password, even let you edit code and try to submit it, and you would not be able to do anything harmful except perhaps get some of my personal data off my own hard disk. I'd even let you install a keylogger and it wouldn't help. You might be able to see internal design docs of unreleased Google products, but you would not be able to invade user privacy. That ship has sailed.
I agree with most you say. For me the question was more "could the NSA gain access at Google?" instead of "would the NSA gain access at Google?". If the Chinese could gain access to version control from the outside, then the NSA being on the "inside" shouldn't face a lot more problems. Else they could always try it from the outside.
A lot of confusion seems to stem from "direct access" and "collected directly from the server" anyway. I personally don't believe the NSA would ever install a backdoor at Google. There are probably other ways that don't involve direct access that are more in compliance with the law (which should be the main focus).
I was trying to get this across to a few people in various forums.
The mere fact that data is gathered in places allows and ultimately engenders its exploitation. You can't fix the laws. You have to fix the humans somehow. Or write systems that, by construction (as in, a lot of research into dependent type systems where a "bad" program cannot be compiled) do not allow data to be abused.
It seems clear that the post 9/11 "you're either with us or you're against us" policy was directed primarily toward establishing a global, connected police state (at least as it pertains to surveillance / privacy). The US needed everybody on board, 9/11 was abused to serve that purpose.
At the time I just viewed it as generalized anti-terrorism, anti-Al Qaeda type coalition. In hindsight it seems comically obvious what they were really targeting.
And Pakistan still quakes under the thread of being bombed back to the stone age. I wonder how many other countries were threatened by the "leaders of the free world".
"They hate our freedoms"? What, as much as the US hates and compromises every one else's?
Now can any one help me with a definition of a Rogue State?
I wouldn't take detailed technical claims from a Dutch tabloid very seriously. Even Glenn Greenwald, who likes to be meticulous with his facts and who has spent months working on this story, seems to have gotten some details wrong.
(Yes, I said Greenwald is meticulous with his facts, notwithstanding his extremist and not always well-supported OPINIONS. That's one of the juxtapositions that makes him so interesting.)
The NRC is actually one of the top-rated newspapers in the netherlands, quite similar to the Guardian and far from a "tabloid". If this were published in the "Telegraaf", you'd have a valid point.
Edit: Seems the story was first published in the Telegraaf, which makes the parent a very, very valid criticism!
Maybe not 'news', but interesting since some of the founders of Kazaa also started Skype. I can understand their morale at first: "Skype wouldn't share any information at first with the agencies, but since it's owned by Microsoft they have full access"
> Also, if anyone is wondering, this article is actually from one of the most respectable Dutch newspapers.
Not quite. The NRC is one of the most respectable newspapers, yes. It is however citing another newspaper, the Telegraaf, which is not quite as respectable. That said, they probably wouldn't publish this unless they were somewhat confident about the story.
Thanks. A was looking for a quote while you probably referred to the following paragraph:
'Skype wilde volgens de agent jarenlang geen inzage geven, maar sinds het eigendom is van Microsoft zou alles worden gedeeld zoals ook bij Google en Facebook het geval is. De topmannen van die laatste twee bedrijven stelden zaterdag nog niet op de hoogte te zijn van het internet-afluisterprogramma.'
I don't really care what Larry Page says. The government says they have to hand over the data and make a way for the government to store it in real time. Of course Google is cooperating with them. Just like everyone else.
They aren't bound to tell you they are not doing that. Again, i'm not sure where people get this idea.
They may be compelled to be silent about it, but not compelled to lie.
Much has been made of the carefully-worded "direct access to servers."
I really do doubt that Google gives the NSA a shell login. It's also completely truthful that Larry Page never heard of Prism (it was a TS/SCI program, of course he wouldn't know what it's called.)
But giving the NSA a special "Spy-only portal" which allows the NSA to type in "Show me everything in Mr. X's Google+ profile" is not direct access, and could be given within 5 minutes of getting the legal request.
The Telegraaf may suck but that does not say anything about this particular news item and it would be good to look at the content and to address that instead of just looking at the reputation of the paper.
It wouldn't be the first time that the 'trashy' newspaper broke a story.
Serious question: How do we know PRISM is real? The only source I could find is The Guardian and the PPT of the so called PRISM project.
Some facts:
* The Guardian is the only source.
* We don't know how they verified the authenticity of the PPT.
* We don't know anything about Edward Snowden.
* All companies 'involved' never heard of PRISM and also don't know how the NSA does gather user information without a warrant.
Your bullet #1 is not accurate. WaPo was the first source Snowden contacted. WaPo lost its exclusive when they didn't agree to Snowden's timetable. Both WaPo and Guardian released around the same time.
But you do raise an interesting point. Does anyone know exactly what PRISM is, from a technical point of view? It seems that everything we know about it comes from the leaked powerpoint slides.
An interesting development, the Dutch minister of security refuses to expand on the details of the AIVD and NSA relationship, stating that it has to be discussed on an European level first.
When it says "within five minutes all known" does it mean that the ISP translates the IP address with the name of the person who signed the contract with the Provider?
I don't know about the US, but there's a project here in the Netherlands where ISPs can voluntary submit that information to a central databank where law enforcement can access it. There's some due process that has to be done before law enforcement may access it, but it's been shown that the process is faulty or not adhered too.
our minister (Ivo Opstelten) has just said that he hasn't had any complaints concerning prism.
probably because it was a secret... duh... the way our (as in netherlands and EU) politicians are responding to these issues are so laughable it makes me depressed.
---
Dutch secret services also receive information from the United States' internet wiretapping program, PRISM. When the Algemene Inlichten- en Veiligheidsdient marks an American e-mail address as being suspect, within five minutes everything is known, said an AIVD agent this morning in De Telegraaf. According to the paper the agent was working for the department tasked with monitoring Muslim extremists.
According to the agent many companies are actively collaborating in giving access to their data. 'All large commercial internet services are being forced to provide an application with which [secret] services can browse [their data]'. Together these applications make up the American secret service NSA's program for collecting private internet data.
'EVERYTHING IS BEING SHARED BY SKYPE, GOOGLE, AND FACEBOOK'
According to the agent Skype refused for years to provide access [to their data], but since it has become property of Microsoft everything is said to be shared, as is the case with Google and Facebook. Last Saturday the leading men of both companies said not to be aware of the internet wiretapping program.
Dutch companies are said to cooperate willingly as well. 'When a request comes in one is just given direct access to the data, everything on a silver platter.' When a company does not cooperate, an agent is 'activated' that has access to the information at the company. 'Within companies and organizations, everywhere there are agents that can be activated, who are waiting for an information request.'