>If a company does not cooperate, an agent 'activated' who has access to the information of the company. "Within businesses and institutions everywhere activate waiting for a request for information. Agents are"
In other words: the problem may be as much the fact that personal data exists in the hands of third parties at all as it is that there's any formal framework that enables law enforcement/national security agencies to legally access it.
I find the claims that moles within Google are responsible for this, to be, not impossible, but very improbable. The way Google's internal employee network is setup, the way the code reviews work, the way automated security audits work, the way the data is stored, there are lots of checks and balances that would make it hard to pull off without being noticed.
It's not like an employee can just hack in a device onto the network and start committing code with backdoors, putting trojans on servers, or slurping up network packets.
It's not really a matter of them fooling their co-workers. The access just isn't there, not to mention intensive logging and cross-checking. Google isn't your run of the mill web application where the Sysadmin/DBA is god.
Who says that some of top Stanford CS grads are not working as undercover agents.
The way secret services are shown in movies is a little bit different than the real world. All of them recruit top students from different universities. There is no "university for spies", where they teach agents all the skills they need to get the job somewhere. It's the other way around: they recruit people who already have those skills and teach them how to be agents. That's much easier because teaching someone how to become agent is their expertise.
So internal security has been ramped up after the China attacks. How? In part:
On 4 February 2010, the Washington Post reported, “Google
approached the NSA shortly after the attacks, sources
said, but the deal is taking weeks to hammer out,
reflecting the sensitivity of the partnership. Any
agreement would mark the first time that Google has
entered a formal information-sharing relationship with the
NSA.” EPIC rapidly submitted a Freedom of Information
request to the NSA requesting any documents pertaining to
this NSA/Google relationship. The NSA’s response was
Glomar – a refusal to confirm or deny that any records
exist.
So while rogue employees might become less likely, rogue (NSA) agents hardly become less likely.
I totally get it though: Security and operations at the largest search engine in the world is a matter of national security. I think this new Google-NSA relationship is inevitable, though it could be a bit more transparent.
It is unlikely Google was asking the NSA to help secure their data-centers, it is more likely that Google was sharing information on the attacks and asking if the NSA had any corroborating evidence about it's source in the People's Liberation Army.
When tech companies face a coordinated foreign attack like this, they are looking to share attack data with one another, as well as the government, in order to form a complete picture of the attacker.
Let's put it this way. I could let you sit at my desk, give you my password, even let you edit code and try to submit it, and you would not be able to do anything harmful except perhaps get some of my personal data off my own hard disk. I'd even let you install a keylogger and it wouldn't help. You might be able to see internal design docs of unreleased Google products, but you would not be able to invade user privacy. That ship has sailed.
I agree with most you say. For me the question was more "could the NSA gain access at Google?" instead of "would the NSA gain access at Google?". If the Chinese could gain access to version control from the outside, then the NSA being on the "inside" shouldn't face a lot more problems. Else they could always try it from the outside.
A lot of confusion seems to stem from "direct access" and "collected directly from the server" anyway. I personally don't believe the NSA would ever install a backdoor at Google. There are probably other ways that don't involve direct access that are more in compliance with the law (which should be the main focus).
I was trying to get this across to a few people in various forums.
The mere fact that data is gathered in places allows and ultimately engenders its exploitation. You can't fix the laws. You have to fix the humans somehow. Or write systems that, by construction (as in, a lot of research into dependent type systems where a "bad" program cannot be compiled) do not allow data to be abused.
In other words: the problem may be as much the fact that personal data exists in the hands of third parties at all as it is that there's any formal framework that enables law enforcement/national security agencies to legally access it.