Hacker News
Yahoo Files Suit Demanding Greater Accountability from the U.S. Government (yahoopolicy.tumblr.com)
161 points by elliottcarlson on Sept 9, 2013 | 39 comments



Look I'm not a "big conspiracy guy", but how does knowing the number of user data requests create any additional transparency?

For all we know, there's only been one request, but maybe that request is something like: "Give us a plaintext copy of each email sent and received for all of your users for the last 10 years"

The only thing that will create transparency is to eliminate secret orders altogether. That's what these guys should be arguing and I find it strange that they are not. Instead they are all fixated on just being able to show how many requests they've complied with and not what those requests were actually for.


There's nothing "conspiracy" about the NSA being able to access anyone's data on Yahoo's servers without needing a warrant. It's actually expected at this point.

What they're trying to achieve by making a public stink about this is good PR. The real fight -if there is actually a real fight between the tech giants and the government- will happen behind closed doors.


I think it's safe to assume they've requested pretty much everything for each request. And while just sharing the number of requests seems benign, you can see a disproportionate number of requests coming from certain countries in the report FB published (https://www.facebook.com/about/government_requests). Although, I do wish these reports had a 'request per 100,000 users' column.


And another request: "On an ongoing basis, give us a plaintext copy of each email sent and received for all of your users, within 10 seconds of it being sent or received".


How can every citizen of the country not have standing to sue the government about this spying, national-security-letter gags, and so on?

At the very least, shareholders of companies like Yahoo! are seeing lower shareholder value. That's a loss. They're harmed. There's a lot greater harm than that, but at least it's a starting point.

EDIT: come to think of it, I don't know why I wrote citizen of the country. Citizens aren't the only ones hurt. I'm no lawyer. Can non-citizens sue too?


The theory is that when a policy choice affects everyone in an indistinct way, the proper forum for the dispute is the political process, not the courts.

Re: non-citizens, no, for even better reasons. If one country's policy actions are hurting the citizens of another country, the proper forum isn't a lawsuit, but rather the battlefield.


> If one country's policy actions are hurting the citizens of another country, the proper forum isn't a lawsuit, but rather the battlefield.

Hold your horses there, fella. It's 2013, we invented this thing called WTO, and this other thing called UN... I think we could give them a whirl before we start going von Clausewitz on everyone's ass.


The U.N. is a way to keep a thumb on the little countries, not a way to enforce anything against the major powers (i.e. permanent members of the security council).

As for the WTO, international surveillance is not a trade issue, it's a security issue. It's totally outside the domain of the WTO. One country's maneuverings for its security interests impinging the citizens of another country is the classic use-case for war.


I'm not talking about enforcing, I'm talking about having a forum for heated but peaceful discussion and dealmaking. I'm pretty sure US and USSR in the '60s and '70s disagreed on more immediate stuff than a generic right to privacy, and they managed to resolve many such disagreements through the UN at various points in time. For all the corruption that goes on in ITU and similar institutions, these are venues where issues at the intersection of technology and politics can be debated and progressed. Stuff like the monitoring of Petrobras for economic gain could also be configured as disruption of fair commerce under WTO rules. WTO processes, albeit very slow and clumsy, can have real repercussions on everyday economic activity. I don't see anyone going to war with the US because of some overzealous spying. There will be stern words, and somebody might see it as a good occasion to do away with the American dominance of stuff like ICANN and IETF, but I don't think anybody wants to deploy tanks to defend their routers -- not yet, at least.


You have to show proof that you've been harmed in some way. Unfortunately, and via circular logic inanity, because the "harm" that has befallen you is unknown to you, you don't have the ability to prove harm. Someone with more legalese skills could put it better than I but that's essentially the gist of it.


It doesn't need to be through the logical inanity, surveillance by itself is benign. If you choose to self-censor your online activities because you worry about surveillance then that would be your prerogative (the government didn't force you to change your expression of opinion to something less politically sensitive).

The inanity you're referring to is this: surveillance of the communications of any individual American would reveal that all Americans are under regular surveillance. It's not really as inane as you think, however that doesn't make it any less ridiculous.


But if that is the case then record companies shouldn't be able to sue people who download their content, no?


Considering that a US federal court can summon non-citizens under the Alien Tort Claims Act, non-citizens should be allowed to sue the USA government as well. Till early this year, it used to even be possible for foreigners to bring suits in U.S. courts against other foreigners, for human rights violations in foreign countries: http://www.slate.com/articles/news_and_politics/view_from_ch...

This was in the news last week itself: http://news.oneindia.in/international/us-federal-court-summo...


The logic goes like this: You can't sue, because the actions aren't being taken against you. They're being taken against companies. Therefore the companies must sue.


Some actions are being taken against companies and some are being taken against citizens. There isn't just one class of victims in this fiasco.


So, the government is burning your house down, and rather than fight the fire directly, you sue them to allow you to reveal the exact amount of gasoline being used?

Why? Because it's an easier PR ploy. What these companies really should fight is the government's so far successful attempts to compel them to violate users' privacy.


Why not assess just how big the fire is? That determines if you need a fire extinguisher, a fire truck, or a new house altogether.


They already know the numbers.


1) They know their numbers. Not the numbers for other companies.

2) We don't know any of the numbers.

If my apartment was on fire, I'd like to know how many other apartments were burning, and so would my landlord. Yahoo is one apartment on the web, and we are the landlords of our government. Yahoo knows how much of their apartment is on fire, but they know nothing about Google across the hall from them.


1) Wrong. They do know the numbers for other companies, as ranges, which are plenty sufficient for comparison: http://www.google.com/transparencyreport/userdatarequests/US...

2) Wrong again. We know ranges (see link above) and we don't need to know the exact numbers. All we need to know is that the house is on fire, and we already know that.

> they know nothing about Google

Sigh. See above.

The exact number issue is a red herring. Again, this is simply a PR ploy.


"Yahoo filed suit in the Foreign Intelligence Surveillance Court (FISC) this morning demanding the right to publicly disclose the number of user data requests that we receive from the U.S. Government under national security statutes."

This is either a first step or a smokescreen, depending on how one looks at it. It's good to know "the number" in order to determine the scope of the problem. It would be better if service providers could actually stop governments from using overly-broad requests to go after user data of indeterminate intelligence-fighting value.


I agree, but how exactly does a company go about that? Fight the order? For all I know they already do that.



Civil disobedience in the case of Yahoo means their company shuts down à la Lavabit. I'm sure they would rather keep running under poor conditions than shut down.


The government is not going to shut down all of Yahoo just because they publish the value of a 16 bit integer.


You misunderstand. The government didn't shut down Lavabit. They (allegedly) ordered them to insert a backdoor. Not doing so could have caused the principals to face personal criminal charges. I love my customers, but I'm probably not going to go to federal prison for them.


Yes I know what happened at Lavabit. And seeing the Google/Yahoo execs going to prison to protect their users was exactly what I had in mind. I'm not saying I expect them to do it, but it would be admirable. We could get into hypotheticals about in which scenarios would this even help... and I admit that in many scenarios it would be futile, but for some scenarios, it would be an option, even though it would come at great cost.


I hope besides all these lawsuits asking for "disclosure", all these companies are also working (lobbying) hard to push the "Repeal of the Surveillance State Act" in Congress:

http://holt.house.gov/index.php?option=com_content&task=view...

It's a much better and much more effective "fix" against all of this, for us individuals, and for the corporations, too, if they want foreign (and local) customers to trust them again.

The real prize is ending the mass surveillance, not just being able to "disclose" it.


Will it come back to bite Yahoo if they are the only ones doing this? I can't see them going alone.


Haven't Microsoft and Google already filed a suit along the same lines?


Just some more PR.

They would like you to forget that the real question is their collaboration with the NSA.


This looks like a mostly PR move by Yahoo, but still, I'm happy for whatever momentum can be gained, even if mostly illusory.

The amount of economic damage that has been done to the national infrastructure will be measured in the tens of billions of dollars, at least, and the damage will go on for decades. Twenty years from now, people will be making decisions about technology and these issues will still come up, even if the public manages to wrest control over the ruling class and bring sanity back.


Who cares. Start with your products.

If you are first to market with strong encryption, web-of-trust, zero-knowledge, open-client email, you take all your competitors' customers who care about privacy.

Then you can tell me how many intrusions that thwarted.


Then the NSA tells you to put backdoors in all that nice crypto you put together, and keep mum about it. If you refuse, it shuts you down, either in court or by force. You think Yahoo execs want to get categorized as "enemy combatants" and go to Gitmo?


If you implement encryption client-side, have a web-of-trust to catch compromised keys, and have an open source client, how is that going to happen?

That's what "zero knowledge" means: You don't have to trust your own infrastructure. Your mail server could be in Fort Meade. The user's data is still protected.

Perhaps they could be ordered to shut down. But that wouldn't result in your data being compromised.


The problem is that this kind of technology is incompatible with creating a lucrative business. Investment seeks out prospects of creating new middlemen for high-margin success. But if users don't have to trust the server, that means they can easily switch to a different one. So you're left in a highly competitive market of selling commodity storage and bandwidth instead of the scalable home run that VCs seek.

I do think this is where our technologies have needed to head for at least the past ten years. But real progress occurs slowly, and most of the tech community's attention is captured by the VC-fueled marketing circus.


You don't think loss of confidence will have an impact?


Well sure, and hopefully progress will even speed up as people are forced to think about the fundamental insecurities of web toys and realize their hipster "disruptive" day job is actually just the status quo. But that doesn't mean things are suddenly going to change overnight, and the noise over these revelations will have long died down by the time privacy systems become popular.

The direct point I am making is that privacy preserving tools necessarily run on a user's computer completely under their control and need to be open source to be trustable. Which means they're incompatible with business unless you want to fall back on support and custom development. So they won't be promoted or purposely developed by established companies such as Yahoo, or VC-funded startups looking for a big exit.


Carbonite IPO'ed as a pure subscription based and (if you generate your own keys) zero-knowledge service.



