So, the big story yesterday was clearly the report that Yahoo had secretly agreed to scan all email accounts for a certain character string as sent to them by the NSA (or possibly the FBI). There has been lots of parsing of the Reuters report (and every little word can make a difference), but there are still lots of really big questions about what is actually going on. One big one, of course, is whether or not other tech companies received and/or complied with similar demands. So it seems worth noting that they've basically all issued pretty direct and strenuous denials of doing anything like what Yahoo has been accused of doing.
Twitter initially gave a "federal law prohibits us from answering your question" answer -- and a reference to Twitter's well-documented lawsuit against the US government over its desire to reveal more details about government requests for info. However, it later clarified that it too was not doing what Yahoo was doing and had never received such a request. Microsoft's response was interesting in that it says it's not doing what Yahoo is, but refused to say if it had ever received a demand to do so. Google said it had never received such a request and would refuse to comply if it had. Facebook has also denied receiving such a request, and, like Google, says it would fight against complying. This still leaves lots of unanswered questions about why Yahoo gave in. Again, historically, Yahoo had been known to fight against these kinds of requests, which makes you wonder what exactly was going on here.
Former GCHQ infosecurity guy Matt Tait has one of the more interesting threads about this news, arguing (in some ways) that it's both less and more than everyone is making it out to be. His basic argument is that this is an expansion of the PRISM program to include "about" targets. This has been discussed in the past, but under PRISM, the NSA could give tech companies "selectors" in the form of specific addresses and the companies were compelled to hand over emails "to" or "from" them -- but according to the PCLOB's report on the Section 702 program it did not include anyone emailing "about" the selector. Upstream collections (i.e., tapping the backbones from folks like AT&T) did include "about" selectors (and this information also flowed into other areas, enabling so-called backdoor searches). And, as I speculated yesterday, Tait says that this latest news appears to be Yahoo now agreeing to use "about" selectors on its emails, which means that it's still part of PRISM, with a massive expansion.
Tait then notes that if James Clapper wants to clear this up, he should state publicly whether or not "about" collection is a part of PRISM. And if that's the case, he should also explain when and why PRISM was expanded to include this. But, of course, Clapper and the Intelligence Community tend not to want to explain very much of anything, leaving lots of people in the dark.
And, frankly, that's stupid. The Intelligence Community thinks that this keeps "bad guys" on edge, not knowing what's safe and what's not. But that's dumb. They mostly know to use more encrypted/secret means of communication when they need to. Instead, what you end up with is keeping the public on edge and not trusting services. I can almost guarantee that one of the early comments on this post will be some of you insisting that all the companies denying doing this are flat out lying. I don't agree with that, because the companies don't have a history of outright lying on things like this, but the way the NSA and other parts of the US government have repeatedly tried to pressure them and gag them, it's much tougher to take anything at face value any more. And that's not good for anyone.