NSA Boss Asks Congress For Blanket Immunity For Companies That Help NSA Spy

techdirt.com

295 points by bconway 13 years ago · 96 comments

mullingitover 13 years ago

This is a brilliant end-run around the fourth amendment. Sure, the government isn't allowed to do mass warrantless surveillance, but they can order companies to do it illegally and then pardon them.

  • rayiner 13 years ago

    It might be an end-run around the 4th amendment if the government was ordering companies to do mass surveillance (though we can argue about whether the 4th amendment has anything to do with surveillance at all). But the government doesn't need to do that. The companies already do all the surveillance, and people happily hand over to those companies their data. Is it an end-run around the 4th amendment for the government to then compel companies to provide this data? It's not like the subpoena is a new and novel legal instrument. Even in 1790 the government could compel companies to hand over all the information they had about a target of investigation.

    • frostmatthew 13 years ago

      It doesn't matter if people are happily "handing over their data" - the government still needs a warrant to request the information. In United States v. Warshak it was ruled that a person has a reasonable expectation of privacy in his/her emails and that the government violated Warshak's Fourth Amendment rights by compelling his internet service provider to turn over his emails without first obtaining a warrant.

      • rayiner 13 years ago

        Warshak is only binding law in the Sixth Circuit, and I don't think it's good law in the face of the third party doctrine.

      • mpyne 13 years ago

        That's very true, but as long as the company is doing the 'surveillance' and not the government, the warrant can be done on a just-in-time basis. This is essentially all that Prism is, after all.

    • marcell 13 years ago

      > It's not like the subpoena is a new and novel legal instrument.

      Subpoenas are intended to recover specific pieces of evidence to prove guilt in a trial. They are not meant for blanket vacuuming of data, or for discovery.

    • nickodell 13 years ago

      > It's not like the subpoena is a new legal instrument

      True, but there isn't an 18th century analogue to a company that has all of your personal correspondence.

      • mpyne 13 years ago

        There were newspapers, which people would post open letters in. I seem to remember a Reddit post about some gentleman calling another one a "scoundrel" and a "coward" and challenging him to a duel.

        Later (in the 19th century), there was Western Union...

        • danielweber 13 years ago

          I like this point, but I have some questions.

          1. What information would the newspaper keep that isn't published? Would they file all the envelopes of regular correspondence?

          2. How deep and old would Western Union's records be?

          • mpyne 13 years ago

            1. The envelopes, probably not. They would probably at least keep a log of correspondence received and sent, accounts payable and receivable, payment receipts, etc. If they have stories that make factual claims then they'd want to retain the journal/notes that went into each story for some nominal amount of time as well, if only to defend their name later.

            2. Don't know, but the easy answer is "As long as the government required it to be". Even the NSA gets rid of their data after 5 years (or so they say).

      • rayiner 13 years ago

        In the 18th century as now you could have chosen to give all your personal correspondence over to some company.

        • nickodell 13 years ago

          But why would you? There's no purpose to having a company store all of your letters.

          Using GMail gives me a free email account with lots of storage, search, and spam filters.

    • darkarmani 13 years ago

      > Even in 1790 the government could compel companies to hand over all the information they had about a target of investigation.

      I don't think they ever could compel companies by specifying the target as every customer on the off-chance that some were foreigners.

      • mpyne 13 years ago

        They don't need to do that.

        They just need to say "retain all data for XX years". Retention requirements are by no means a novel legislative requirement, you see them everywhere.

        Now that PhoneCo. is holding all the data instead of the NSA, the NSA can then just ask the phone company to provide data on an as-needed basis using standard warrants/subpoenas using some variant of the Prism automated FISA/NSL-compliance system.

  • nullc 13 years ago

    It isn't a new one— it's the longstanding behavior with respect to information held in third party care.

    What's changing is how powerful a surveillance tool it is— especially with service providers intentionally blurring the boundary between local and cloud data for unrelated business reasons.

    In 1787 there would have been practically no reason for you to hand over your most personal papers and effects to a third party. Today it's increasingly hard to avoid and can even happen without any real knowledge or consent.

    The obvious fix isn't statutory: Keep your private data local, don't use software that will cloudify your data without your knowledge, and when you must use third party systems always use encryption. ... but this is complicated by the fact that there are multiple industries whose revenue is threatened by prudent behavior like this.

    Hopefully they'll realize that taking the immunity only solves the lesser of the problems this presents and they'll provide the resources needed to create the legislative change to insure privacy for the data they hold in trust. But maybe it's just cheaper to convince everyone that they don't need any privacy?

  • GregBuchholz 13 years ago

    "This is an interesting approach to the Fourth Amendment: pressure most everyone to agree, in advance, to waive their rights under it."

    https://www.google.com/search?q=This+is+an+interesting+appro....

malandrew 13 years ago

I'm honestly shocked that many of these companies aren't being sued in European courts. There is more than enough evidence now to support this. Hit every company on their bottom line. Europeans need to present the following dichotomous choice to every American tech company:

(1) Operate in Europe and make money here, but no spying on any EU citizen.

(2) Continue spying, but don't operate in Europe.

Alternatively, eliminate the tax evasion benefits of routing everything through Ireland. The tax hit of forcing many US companies to pay the full amount of US corporate taxes should be more than enough to change their tune.

  • MisterWebz 13 years ago

    According to the General Data Protection Regulation (GDPR), which is an expansion of the current Data Protection Directive and is planned to take effect in 2016, companies that are located outside the EU and that process EU citizens' data are supposed to be compliant with the GDPR. The GDPR allows much greater control over one's own data.

    The current Data Protection Directive apparently does not take into account many of the foreign online services, but the new GDPR does.

    On Wikipedia:

    > The proposed new European Union Data Protection Regulation (a draft for which was unveiled in January 2012) extends the scope of the EU data protection law to all foreign companies processing data of European Union residents.[1]

    I'm wondering if and how the EU will enforce this law?

    Source: https://en.wikipedia.org/wiki/Data_Protection_Directive , http://en.wikipedia.org/wiki/General_Data_Protection_Regulat...

  • jholman 13 years ago

    I wish this plan of yours made any sense. Btw, IANAL.

    First of all, I strongly disagree with "enough evidence now".

    Next, to sue successfully, you need to prove that the thing happened (and that it happened in a way or in a place where the relevant law claims jurisdiction). How will your imagined plaintiffs get actual evidence? Subpoena the companies? Seriously, imagine you're a successful, law-abiding, US company. And imagine that a European court orders you to reveal facts XYZ, blah blah blah. Normally, because you're law-abiding, you try legal ways to avoid it, and then you obey the court. But in this case, the NSA has a gun to your head, and it's a legal gun (both in the sense that the gun is not illegal, and in the sense that the gun is made-out-of-laws). What do you do? You can't obey both laws at once. What you do is obey your own country. So the only way they'd get evidence (assuming your unfounded accusations are true) is if there were enough whistleblowers inside each sued company. If those people existed, they'd probably be coming forward already.

    ALSO, not counting the UK, profits in Europe are pretty small, overall. Not small enough to ignore, but way way way too small to threaten US profits. Even all of non-UK Europe put together, actually, but especially if you're talking about individual countries.

    And finally, you seriously have no clue how tax avoidance (not evasion) works. If big companies were forced to move out of Ireland, they'd move to any of the dozens of alternatives. Even the UK and France, for example, when they're not hassling big-corps, literally brag about how good their tax incentives are. There are LOTS of tax havens. Many countries would rather have 10% of a lot than 50% of nothing. You can disapprove or whatever, but that's the world the politicians have created, when they're not pretending to be angry about that very same world.

    The thing is, although I think nearly every sentence of your comment is ill-conceived, I wish your plan made sense. Because I would like to see the truth come out, whatever the truth is. If my company is innocent, I'd like proof. If my company is guilty, I'd like proof, so I can quit, and pressure fellow-engineers to quit, to send a message that would actually affect the bottom line. But your plan will never help me to learn the truth.

    • malandrew 13 years ago

      I reckon you could use link honeypots to prove emails are being read. Send out enough emails from many accounts with links that aren't meant to be followed and see how many are followed and what IP addresses the links are followed from. If you do that across enough accounts, you should be able to figure out whose accounts are being wiretapped.

      I'm sure there are other types of honeypots that could be set up.

      • jholman 13 years ago

        Ah, hmn, that's a more-clever plan than any of mine.

        BUT I'm still a little skeptical, though maybe the details could be worked-out. I mean, if you send the emails to fake users, then the NSA isn't likely to follow the links. And if you send emails to real users, then you have trouble proving it wasn't the real user (owner of the mailbox) who followed the link. I mean, the IP addresses do help... unless the snoopers use TOR, or equivalent. (In fact, what do you figure are the odds that the original TOR developers now report to Alexander, via USCYBERCOM, via the Tenth Fleet, via NETWARCOM? Where would you assign those guys, if they still work for the Navy?)

        In favour of this honeypotting idea, though, if you set up fifty honeypots, and your opponent evades forty-nine of them but falls into the fiftieth, maybe you've still got something.

        • malandrew 13 years ago

          I reckon the admins of mail servers that are likely to be NSA targets (government mail servers or newspaper mailservers for example) could set up some sort of script that sends emails from American services (gmail, yahoo, etc) to many addresses on their own mailservers and then use another script on their mailservers to "clean up" those messages before it gets to the recipients. This would ensure that the messages get intercepted by the NSA, but never get to their intended recipient. If any link is followed, then they can be certain that the message was intercepted.

          Generating messages could be done using Markov chains that learn from the content across many of their own mailboxes. Before that Markov generator is used, it could be scrubbed of any words that are particularly sensitive because they refer to classified or secret material.

          That's just one idea. Now that the cat's out of the bag, I hope security researchers are already working on such honeypots. Personally, I think every major newspaper should be among the first to implement honeypots. Alternatively, people who think they are at risk for surveillance or suspect that they are already being surveilled should be able to submit their email to some watchdog group that can set up the honeypot on their behalf.
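
A sketch of the link-honeypot bookkeeping described in the comment above, as an added example that is not part of the thread or any commenter's code: each decoy message gets its own HMAC-tagged link, and the collector's access log is split into authentic fetches and guessed tokens. The collector host, mailbox names, key and log lines are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

BASE_URL = "https://canary.example.org/c/"  # assumption: hypothetical collector host
NONCE_HEX, TAG_HEX = 16, 24                 # token = 16 hex nonce + 24 hex HMAC tag

# Combined-log-format line whose request path is /c/<40 hex chars>.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) /c/(?P<token>[0-9a-f]{40}) HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def _tag(key: bytes, nonce: str) -> str:
    """Truncated HMAC-SHA256 over the nonce; only the key holder can mint it."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]


def issue_canary(key, mailbox, registry, nonce=None):
    """Create one link for one decoy message and record which mailbox it went to."""
    nonce = nonce or secrets.token_hex(NONCE_HEX // 2)
    registry[nonce] = mailbox
    return BASE_URL + nonce + _tag(key, nonce)


def triage(log_lines, key, registry):
    """Split access-log hits into authentic canary fetches and rejected tokens."""
    hits, rejected = defaultdict(list), 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request for a canary path at all
        token = m["token"]
        nonce, tag = token[:NONCE_HEX], token[NONCE_HEX:]
        if nonce in registry and hmac.compare_digest(tag, _tag(key, nonce)):
            hits[registry[nonce]].append((m["ip"], m["ts"], m["ua"]))
        else:
            rejected += 1  # guessed or mangled token, e.g. a crawler probing /c/
    return dict(hits), rejected


def demo():
    """Run the triage over three constructed log lines."""
    key = b"constructed-demo-key"
    registry = {}
    url_a = issue_canary(key, "desk-a@news.example", registry, nonce="00112233aabbccdd")
    issue_canary(key, "desk-b@news.example", registry, nonce="ffeeddcc99887766")
    path_a = url_a[len("https://canary.example.org"):]
    forged = "/c/" + "00112233aabbccdd" + "0" * TAG_HEX  # right nonce, wrong tag
    log = [
        f'203.0.113.7 - - [21/Jun/2013:10:02:11 +0000] "GET {path_a} HTTP/1.1" 200 43 "-" "curl/7.30"',
        f'198.51.100.9 - - [21/Jun/2013:10:05:40 +0000] "GET {forged} HTTP/1.1" 404 0 "-" "scanner"',
        '198.51.100.9 - - [21/Jun/2013:10:05:41 +0000] "GET /robots.txt HTTP/1.1" 200 12 "-" "scanner"',
    ]
    return triage(log, key, registry)


if __name__ == "__main__":
    print(demo())
```

A verified hit means the message body was opened somewhere along the path; provider-side link scanners and preview fetchers also request URLs, so the source address and user agent still need review before drawing conclusions.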

      • e3pi 13 years ago

        How do you discriminate this from auto-generated email addy spam? Am I missing something?

  • nano111 13 years ago

    Russia promises legal action over NSA surveillance scandal -> http://rt.com/politics/internet-surveillance-western-prevent...

  • criley2 13 years ago

    If the NSA is tapping fiber at providers, a la Room 641A, then the companies' behavior is completely irrelevant to the spying, and the NSA watches all traffic in and out of their networks anyway.

    So your choice, as a European, seems to be utilize networks that don't pass through America at all, or have the NSA spy on you. I apologize for the inconvenience.

    • darkarmani 13 years ago

      > If the NSA is tapping fiber at providers, a la Room 641A, then the companies' behavior is completely irrelevant to the spying, and the NSA watches all traffic in and out of their networks anyway.

      Then why would the companies need blanket immunity?

    • jtome 13 years ago

      Wrong, if they are tapping at the wires they only see that you're using gmail, not the content of your email or who you are speaking to (Unless you turn off ssl for some strange reason).

      • pvnick 13 years ago

        How likely is it that these companies can be compelled to turn over their SSL private keys via FISA court?

      • csirac2 13 years ago

        Isn't the whole point of all this outrage that NSA have equipment or data exchange arrangements with GMail etc. so that SSL is irrelevant?

      • jtome 13 years ago

        "Isn't the whole point of all this outrage that NSA have equipment or data exchange arrangements with GMail etc. so that SSL is irrelevant" Yes which is why the NSA needs the cooperation of the companies, since this info can't be gotten just by listening on the wire.

namank 13 years ago

The implications are more serious than immunity for NSA actions.

This law could circumvent the breaking of ALL and ANY laws by these companies. After such a law is passed, companies may not have to be accountable to anyone. When questioned, they can lie about it and say the NSA said so.

They don't need to release transparency reports cuz the NSA said so. Any tech company can lie to the Privacy Commissioner cuz the NSA said so. They can do anything cuz the NSA said so.

This is the mother of all loopholes. Good luck, world.

  • anigbrowl 13 years ago

    Except that they'd have to do so in court, and the NSA would have the option of filing an amicus curiae brief saying 'oh no we didn't.'

    • namank 13 years ago

      Except that companies would want to negotiate, let's say, a contract to include a gray area clause that serves as an incentive for the companies to keep doing this.

      Once this thing becomes legal, companies have grounds to organize this as a trade with the NSA. The funny (maybe scary is the right word?) part is that they can legally lie about this because it's with the NSA.

      • anigbrowl 13 years ago

        Wildly implausible.

        • namank 13 years ago

          I find it to be the direct consequence of institutionalization.

          • anigbrowl 13 years ago

            We will continue to differ about this. I consider public institutions to be more responsive than you do, so I suppose we are looking at it from quite different perspectives.

            • namank 13 years ago

              It's not about responsiveness as much as it is about self-interest and bureaucratic thinking that is inherent in all institutions.

              • anigbrowl 13 years ago

                That neither contradicts my point nor validates your earlier assertion. This conversation isn't going anywhere so I'm abandoning it now.

                • namank 13 years ago

                  It's not about validating an assertion as much as it is about exploring the truth.

  • e3pi 13 years ago

    "No comment. Ask the NSA", or, "By the 2013 Alexander Act, I reserve the right not to incriminate myself."

pvnick 13 years ago

CISPA anyone? Now we know why that law was pushed so hard, and we now have another strong reason to oppose this tactic.

But Keith usually gets what Keith wants, so I'd bet money on it passing this time around.

  • jdp23 13 years ago

    Yeah, I was talking with some other activists about applying lessons from the SOPA/CISPA victory to the Patriot Act/FISA, and three people at the same time three time "it's all part of the same fight ..."

Yaa101 13 years ago

As if that will help public perception of these companies, I think after these outings of the companies in question, nothing stays the same, ever.

I personally will never ever trust any company with putting stuff into their systems.

For me the cloud as offered by them is dead and buried forever, even though I know that the NSA can capture anything with their split network rooms, the companies just lost my trust by lying as first.

It would have been less worse if they said that they were forced, but no, the arrogant adolescent nerd boys management thought it was ok to lie.

  • zhemao 13 years ago

    First of all, we don't know whether they were lying. Second of all, if they were, they may have been forced by the government to lie. The FISA requests they were getting also came with gag orders.

    • emiliobumachar 13 years ago

      I have not read the law, but I think a gag order can't force you to lie. Lie to a directly asked question, gray area; issue a lying press release or blog post, not mandatory.

      I am not a lawyer.

jasonwatkinspdx 13 years ago

I'm disgusted to see our government still continues to operate however it wishes, confident that if they get caught breaking the law, the law can be promptly and retroactively nullified.

jholman 13 years ago

Argh. Important subject material, crappy article, lots of confusion, argh argh argh.

TL;DR: everything about the WAY this story was reported is an obvious deception.

First, methodology. This is blogspam that adds nothing to the original article at http://dyn.politico.com/printstory.cfm?uuid=EF9BC1BF-34EB-41... (at least they link it). That article, in turn, cites no sources. So I'm basing the following only on those articles.

Also, let me be clear that I'm anti-immunity in general, and I think that the UsGov behaviour in Hepting vs AT&T is reprehensible, and no one should ever vote for any lawmaker who voted in favour of FISA, for that reason alone.

Okay, let's take it apart.

If you read TOA, it specifically says Alexander specifically claims he's not asking for blanket immunity. So the title is linkbait. Fuck you techdirt, for sabotaging the cause of freedom; now if/when Alexander/NSA replies to this article, he can avoid the issue by denying your false allegation. Don't muddy the waters.

Next, the context is not explicitly about spying at all. Not at all. Zero mention of spying. Oh look, the headline is linkbait twice over. Fuck you twice over, techdirt. I can only conclude that Mike Masnick is either illiterate, or a liar.

ALSO, while Alexander is the head of the NSA, and while the NSA and the USCYBERCOM are deeply in bed, there is still some distinction, and this really sounds more like a USCYBERCOM thing than an NSA thing.

Next, listen, the only legitimate reason for cops to exist is to protect the populace. And if there's ONE thing that I trust Alexander about, it's the fact that at least some people want to fuck with US companies and US infrastructure (he's probably lying about the scale, and basically everything else). If SinoGov, or crazy terrorists, or AnonSecOfTheWeek, or whatever, attack US Companies, and private enterprise can't cope, it's reasonable for USGov to fight on behalf of Americans and American companies, and that might include giving them advice on cybersecurity, and that might involve giving them the equivalent of virus definitions, and saying "block all traffic that matches this signature and you'll be in better shape". This is legit. This is a strong argument. He goes on to say that if companies obey the NSA and turn out to harm someone with it, they should be immune. Okay, this part I disagree with. But seriously, of all the horrible asshole claims the NSA has made lately, this one is about as reasonable as it gets.

That said, I'd argue against such immunity. If the companies act in good faith with due diligence, what do they have to lose? And if they don't do due diligence, fuck them... what kind of moron trusts the fucking NSA?

As for counter-hacking, sooner or later the law is going to have to address it. And it's going to be difficult. And they should fucking get started, and proceed slowly and cautiously.

EDIT: slight touch-up on TLDR

  • LoganCale 13 years ago

    > ALSO, while Alexander is the head of the NSA, and while the NSA and the USCYBERCOM are deeply in bed, there is still some distinction, and this really sounds more like a USCYBERCOM thing than an NSA thing.

    Keith Alexander is the Director of the NSA, Chief of the Central Security Service, and Commander of U.S. Cyber Command.

    • jholman 13 years ago

      Yes, that was my point, though I may have been unclear. There's lots of describing him as the head of the NSA (both by techdirt and by politico), but I suspect that that was misleading, because I suspect that he made these statements as head of USCYBERCOM.

      Maybe I misunderstand the division of responsibilities, but AIUI, the NSA limits themselves pretty absolutely to spying, and actually going out and doing things (like telling companies to block certain packets, which allegedly might cause that company to need immunity (ha!)) is not really an NSA thing.

  • anigbrowl 13 years ago

    > Fuck you techdirt

    I've had that reaction so many times now that I eventually stopped clicking on any story from there. All they ever do is pander to their readers' preconceptions. With friends like these, we don't need enemies.

    • danielweber 13 years ago

      > With friends like these, we don't need enemies.

      An online colleague once coined Japhy's Law. It says: "The facts you really want to be true are those you should be most skeptical of." It should be written on every blog.

    • angersock 13 years ago

      Yep. That's my feeling about them in a nutshell--even if they might occasionally find something worth outrage, it's mixed in with so much other noise that I can't take them seriously.

    • driverdan 13 years ago

      If you see blogspam like this flag it. It doesn't deserve the traffic.

  • znowi 13 years ago

    I applaud your zeal in the pursuit of fairness, but it's NSA that is on the spot. There's no fair game when it comes to national security. At least not for the public.

    Alexander would not be heading the agency if he bluntly asked for blanket immunity or talked about spying on citizens. (How much was said about PRISM?) The article deduced what is possible within the proposal. And knowing some history, I say it's likely to happen.

    So yes, it is biased and baity, but hardly prompts a "fuckety fuck" rant :)

    • jholman 13 years ago

      Minor quibble #1: Alexander has roles other than the NSA, and techdirt invented the NSA connection without evidence. See my cousin comment about USCYBERCOM.

      Minor quibble #2: "blanket immunity" and "spying on citizens" are deliberate fabrications of what was proposed. Separate paragraphs "deduc[ing] what is possible" would be well-and-good, but actually saying he said things that he definitely didn't say is not okay.

      KEY POINT: When it comes out that Alexander/NSA/whatever didn't commit/advocate the particular abuses/crimes that some liar (e.g. Masnick) said they were committing, no one will believe you and me when we tell them the truth. And the truth is BAD ENOUGH!

      Dishonest shysters posing as journalists always rate a "fuckety fuck" rant.

ccarter84 13 years ago

I think anyone who actually cares about this stuff has two simultaneous responses here.

1. Do you actually care if you get it?

2. Go f* yourselves

fnordfnordfnord 13 years ago

I knew we'd get some action from congress over this fiasco.

danielsiders 13 years ago

Doesn't this suggest that the NSA may have broader, more illegal actions planned for which their corporate partners want cover?

LoganCale 13 years ago

But he assured us everything was above board and legal.

  • rhizome 13 years ago

    To turn a phrase, if you're operating legally you don't need immunity.

  • pvnick 13 years ago

    Ah, see, he was referring to North Korean law, not American law. So he was technically making the most truthful or "least untruthful" statement he could make.

rcthompson 13 years ago

An interesting tidbit from this article is the quote of the quote of the quote of Gen. Alexander asking for an intentionally "ill-defined" law. I've never heard of such a strategy before. Is this a new thing, or are there documented examples of laws that were made intentionally vague in order to give their beneficiaries more power or latitude than anyone would rationally agree to explicitly? Off the top of my head, Florida's "Stand Your Ground" law might qualify.

  • jtome 13 years ago

    Section 215 of the Patriot Act has a secret interpretation

    • rcthompson 13 years ago

      But my question is: was it originally written with a vague wording with the intent of later interpreting it a certain way, or was the secret interpretation a later optimistic move given the existing wording?

bobwaycott 13 years ago

This is fucking wrong.

  • ihsw 13 years ago

    What are you waiting for? Talk to your friends, talk to your co-workers, talk to your congressional representatives.

    Or are you afraid that they'll rat you out to the police for being a 'dissident?' If you are then they've already won.

    • antimatter 13 years ago

      I've done exactly this and it's shocking how many people simply don't care or don't see how wrong this is.

j_baker 13 years ago

Meh. To me this just seems like codification of what's already happening. If there are criminal charges against an NSA contractor, what's stopping the government from stopping it by claiming "state secrets"?

jroseattle 13 years ago

The only thing the NSA is accomplishing right now is encouraging innovations in privacy to help people avoid detection. And, gosh, I wonder who will be the first to seize onto that? Mmm, criminals perhaps?

  • mpyne 13 years ago

    Innovations like Tor, BitCoin, PGP, and TLS?

    • e3pi 13 years ago

      LPPNIOP MJDAOII CPFEGAA JOOEMEC HECPACE FALPLIC IEMLJMK BBCYNJN DFGCLGK GDMLEKM NMLBJDD AMDNPJE KPMGMME LDHDOAA CBAOKJF OFHIALD ... BPLLPYG KNDHLNA AFGLOIL LDIFGMO MCCCLAD ODMKNEH PMJDPJC JCAAINI JLGNBMP LEINPIP YCEHCBM PBKFOKG EMCOPGO KBPEEAP LOOMLEK DBICPJE

      plaintext: "Don't you wished everybody used Ivory(tm) soap?"

ellisd 13 years ago

A pretty clear historical perspective starts around the TIA discussion: http://www.npr.org/2013/06/19/192770397/the-watchers-have-ha...

sitkack 13 years ago

We need (maybe not) a constitutional amendment that prevents

- retroactive legality
- retroactive il-legality
- immunity

I don't / can't even understand how immunity can be a thing. Sounds like some kids making up bullshit rules on the playground. To even suggest it points directly at guilt.

epoxyhockey 13 years ago

The best thing that can come from this is that each and every company name is published.

  • jtome 13 years ago

    I don't think they will give the companies immunity by name.

    • jlgreco 13 years ago

      They certainly would not, since that would add far too much administrative overhead when they want to add new companies to the list in the future.

altcognito 13 years ago

Again, this is nothing new, this move just extends it to more companies.

http://www.dslreports.com/shownews/91805

mtgx 13 years ago

Join the cause (protests planned for July 4th on the right):

http://www.reddit.com/r/restorethefourth

scelerat 13 years ago

If companies are people according to the law, then wouldn't individuals be afforded the same protection, in some sort of legal reciprocity juju?

bumbledraven 13 years ago

Why is everyone so angry at the companies for complying with these government orders instead of being angry at the government that's ordering them to do these illegal things?

  • skygazer 13 years ago

    Because 1) we want as many barriers to tyranny as possible. We should not be relying upon government self-restraint. And 2) "I was only following orders" is not a defense against wrongdoing.

  • jpdoctor 13 years ago

    > instead of

    A number of us are angry at both.

ChrisAntaki 13 years ago

When are we sending this guy to jail?

  • krapp 13 years ago

    Really? Probably never.

    • ChrisAntaki 13 years ago

      Really. We need to send him to jail, otherwise he'll keep breaking the law.

      Edit: While he's in jail, maybe he could pick up a copy of the Constitution. :)

      • krapp 13 years ago

        Let's wait until any of this has been definitively, objectively declared illegal first.

        [edit] His Wikipedia page says he's expected to retire next year. I have a sneaking suspicion nothing touches him and he's left alone to ride off into the sunset.

        [edit edit] Actually... lying to the House is kind of illegal isn't it....
