by Mike Masnick
Tue, Nov 19th 2013 3:44am
by Mike Masnick
Fri, Nov 15th 2013 3:34am
from the uh,-guys... dept
Unfortunately, it's not clear that other companies are following suit. When asked about this right after the infiltration was revealed, Yahoo gave a non-committal answer:
"We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."
Yeah, but that doesn't say they encrypt the links between data centers, or even that they're planning to do so. Since then, Yahoo has basically said nothing as far as I can tell. Over in Europe, however, Microsoft has now admitted that it still is not encrypting those links, and is only now investigating the idea.
Dorothee Belz, EMEA VP for Legal and Corporate Affairs made the remark when answering a question from Claude Moraes, MEP during a meeting at the European Parliament on Monday.
"Generally, what I can say today is server-to-server transportation is generally not encrypted," she said. "This is why we are currently reviewing our security system."
Sure, it's not something that can be done overnight, but large internet companies who use multiple data centers now need to assume that all of their data is compromised if they're not encrypting the links. Whether or not it's done yet, these companies have a responsibility to get that process started as soon as possible. Hell, they all probably should have started doing this as soon as the news broke that Google was rushing to do this, since it was pretty clear they'd figured out what was going on.
It's especially ironic that Microsoft is now admitting that it's not encrypting the data links, because the company has been on a rampage trying to present itself as protecting users' privacy and to paint Google as a privacy nightmare. But, given these admissions, Microsoft has now basically said that it's made all of your data available to the US government and it's still thinking about what to do about it, while Google has been rushing to protect its users' privacy.
by Mike Masnick
Thu, Nov 14th 2013 12:57pm
from the really-now? dept
These companies have represented that user data is only disclosed to law enforcement subject to a lawful process. But there is every reason now to believe that millions of consumer records were unlawfully obtained by the National Security Agency. Of course, once the records are in possession of these firms there is nothing that users can do to limit the subsequent improper release or avoid the misuse. And there is clearly no benefit to users in the improper and unlawful disclosure of their personal information.
[....] Finally, the Commission should pursue this investigation because it routinely holds itself out as the defender of consumer privacy in the United States. It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the Commission could ignore the consequences for consumer privacy.
Talk about taking a blame-the-victim approach. EPIC, CDD, Consumer Watchdog, Privacy Rights Clearinghouse, Consumer Federation of America, Public Citizen (?!?) and the Privacy Times, who all signed onto this letter, look ridiculous. They're saying that the FTC needs to investigate Google and Yahoo for violations of their privacy policies, because the NSA hacked into their data centers. Go after the NSA and the rest of the US government for doing that. But blaming the companies who didn't even know about this isn't just ridiculous, it's counterproductive.
Given that the FTC and the NSA are both a part of the administration, it's not impossible to imagine a scenario where the only ones actually punished for hacking into these data centers are Google and Yahoo, while the NSA gets away with the whole thing. Is that really what these organizations want? EPIC, CDD and Consumer Watchdog in particular like to set themselves up as "defending consumers." But they're doing the opposite here. They're inevitably making life worse for consumers. Hopefully, as it has in the past, the FTC sees through these ridiculous arguments.
by Mike Masnick
Wed, Nov 13th 2013 7:31am
from the isn't-that-convenient dept
At least they didn't redact the page number
The government has submitted a response and supporting declaration for ex parte, in camera review. It has given the providers only a heavily redacted version of its submissions, and it has rejected all requests for greater access.
Unless the government reconsiders its refusal to accommodate the providers' legitimate need to understand the basis for the government's response, the providers respectfully request that this Court strike the redacted portions of the government's brief and supporting declaration. The redacted version of the government's submissions does not comply with Foreign Intelligence Surveillance Court Rule 7(j) because it does not "clearly articulate the government's legal arguments," as the rule requires. If the government's interpretation of the rule were correct, the rule would violate both the First Amendment and the Due Process Clause. To avoid that result, the Court should construe the rule to require fuller disclosure to the providers.
Allowing the government to file an ex parte brief in this case will cripple the providers' ability to reply to the government's arguments and is likely to result in a disposition of the providers' First Amendment claims based on information that the providers will never see. The providers do not dispute that in some cases it may be appropriate for this Court to consider ex parte filings. In this case, however, such a course is neither justified nor constitutional. The providers already know the core information that the government seeks to protect in this litigation--the number of FISC orders or FAA directives to which they have been subject, if any. At issue here is only the secondary question whether the providers may be told the reason why the government seeks to keep that information a secret. The government has not argued that sharing those reasons with the providers or their counsel would endanger national security. Accordingly, unless the government allows the providers' counsel to access its response, the Court should strike the redacted portions of the response.
The whole thing is really quite incredible. Our government is so focused on the secrecy of its secret laws and secret demands that it won't even tell the companies fighting the secrecy the secret reasons it's telling the court it has to keep stuff secret? How is that possibly consistent with basic due process under the law?
by Mike Masnick
Thu, Oct 31st 2013 4:13pm
from the more-of-that-please dept
Obviously, the news of the NSA infiltrating private network links between data centers should make these companies even angrier. It appears that Google is getting there, though Yahoo still doesn't seem to realize what just happened.
However, in an interesting move that at least hints at potential further realization from the tech industry that they need to support user privacy rights, the big guys -- Google, Facebook, Apple, Microsoft, Yahoo and AOL -- have all sent a letter to Congress in support of the USA Freedom Act. In it, they once again talk up the importance of greater transparency. But, also, for the first time that I can remember, they appear to be arguing for even more:
Transparency is a critical first step to an informed public debate, but it is clear that more needs to be done. Our companies believe that government surveillance practices should also be reformed to include substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms for those programs.
And, even with the letter being sent today, it was almost certainly written and approved before yesterday's revelations -- meaning that this was before they realized the NSA was trying (and succeeding) to backdoor into their networks without their knowledge. Hopefully they'll start pushing for even more significant reforms as well. Some have argued that the tech industry has been complicit in the NSA surveillance efforts, while others have suggested they were compelled, or even tricked/hacked into it. The evidence suggests a combination of all of those factors (in varying degrees across the different companies). But if they want to actually regain the trust of their users, they should stand up for the rights of their users and support the efforts to create real change and to stop illegal surveillance, rather than just increasing transparency.
by Mike Masnick
Thu, Oct 31st 2013 10:19am
from the no-comment dept
In a statement, Level 3 said: “We comply with the laws in each country where we operate. In general, governments that seek assistance in law enforcement or security investigations prohibit disclosure of the assistance provided.”
That's not a definite confirmation, but you can see how it would raise eyebrows. As the NYT report notes, in an earlier story, concerning claims that Level 3 had helped the intelligence community spy on Germans, the company had denied the report. The fact that it's not denying it here, but rather pointing out that if it had helped there would be a gag order, certainly suggests the potential way in for the NSA. If so, Google might want to look rather closely at its agreement with Level 3.
by Mike Masnick
Wed, Oct 30th 2013 3:02pm
from the here-we-go dept
NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post's assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true.
The assertion that we collect vast quantities of US persons' data from this type of collection is also not true. NSA applies attorney general-approved processes to protect the privacy of US persons – minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination.
NSA is a foreign intelligence agency. And we're focused on discovering and developing intelligence about valid foreign intelligence targets only.
Note what is missing from all of this. They do not deny hacking into the data center connection lines outside of the US. They do not deny getting access to all that data, especially on non-US persons. As for the claim that they're protecting the privacy of US persons, previous statements from Robert Litt, the general counsel for the Office of the Director of National Intelligence, have already made it clear that if they collect info on Americans, they're going to use this loophole to search them:
"If we're validly targeting foreigners and we happen to collect communications of Americans, we don't have to close our eyes to that," Litt said. "I'm not aware of other situations where once we have lawfully collected information, we have to go back and get a warrant to look at the information we've already collected."
So, for all the claims that this kind of information will be "minimized," it certainly looks like they've already admitted they don't do that.
Meanwhile, that Guardian article that has the NSA's response also has responses from the 3 other players in this drama. There's the UK's GCHQ, who apparently has partnered with the NSA in breaking into Google and Yahoo. It didn't want to say a damn thing:
"We are aware of the story but we don't have any comment."
Google, however, was reasonably furious about this story.
In a statement, Google's chief legal officer, David Drummond, said the company was "outraged" by the latest revelations.
"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide," he said.
"We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Yahoo's response, unfortunately, was a lot more restrained and not particularly on point.
"We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."
Yeah, but the story is how the NSA got around your security. Yahoo should be a lot angrier about this. One hopes that once the technical people talk to management, the company will realize just how bad this situation is.
Hopefully, this means that Google and Yahoo will stop just focusing on getting more "transparency" out of the government concerning NSA surveillance, and will start taking a much more active role. This includes: (1) pushing back hard against government surveillance, including going to court to stop it and (2) building much more secure systems that cannot be easily compromised by the NSA.
by Mike Masnick
Wed, Oct 30th 2013 1:22pm
from the servers-or-datacenter dept
Alexander, asked about the Post report, denied it. “Not to my knowledge, that’s never happened,” the NSA director said, before reiterating an earlier denial Prism gave the NSA direct access to the servers of its internet service provider partners.
“Everything we do with those companies that work with us, they are compelled to work with us,” Alexander said. “These are specific requirements that come from a court order. This is not the NSA breaking into any databases. It would be illegal for us to do that. So I don’t know what the report is, but I can tell you factually: we do not have access to Google servers, Yahoo servers, dot-dot-dot. We go through a court order.”
But, of course, in typical Alexander fashion, he's choosing his words carefully -- and thankfully people can more easily see through it at this point, since they're getting so used to it. The report didn't say they were accessing those companies' servers or databases, but rather hacking into the network connection between their data centers. That's like a report breaking about the NSA hijacking armored cars with cash, and Alexander claiming "we didn't break into the bank." Nice try.
by Mike Masnick
Wed, Oct 30th 2013 10:05am
from the muscular dept
The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.
By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.
There's even this wacky hand-drawn diagram:
Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:
According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.
It also appears that the way that the NSA is claiming this is "legal" is by only breaking into the Yahoo and Google datacenters that are outside the US, where there's significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 -- which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program -- which explains the "not under this program" language they often use around questions on 215 and 702 data collections.
The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA's Keith Alexander) about "cybersecurity" attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself.
by Mike Masnick
Tue, Oct 8th 2013 3:09pm