US tech giants knew of NSA data collection, agency's top lawyer insists

theguardian.com

186 points by tippytop 12 years ago · 43 comments

magicalist 12 years ago

As davesean points out below, this isn't talking about fiber tapping and whatnot, this is talking about FISA orders

> Neither De nor any other US official discussed data taken from the internet under different legal authorities. Different documents Snowden disclosed, published by the Washington Post, indicated that NSA takes data as it transits between Yahoo and Google data centers, an activity reportedly conducted not under Section 702 but under a seminal executive order known as 12333.

So the companies knew that they were receiving secret court orders to disclose data. Well, duh.

Edit: he even says so explicitly:

> “All 702 collection is pursuant to court directives, so they have to know,” De reiterated to the Guardian.

Thanks for saving that for the last line. All the rest is just trying to connect dots they have no new evidence for.

gojomo 12 years ago

First, even if the companies did know, there was probably a tacit agreement with the NSA that the NSA would always allow them plausible deniability. "Not only are you doing your country a great (and legally-required) service, but everyone involved will go to their graves with the details. Have you heard about how [competitors/famous-companies X, Y, Z] have fully cooperated for decades? You haven't? Exactly."

The NSA seems to have been forced by events to break that likely mutual-understanding.

Second, what does it mean for a "company" to know something? What if one compartmentalized group of employees know – perhaps ex-military/intelligence people themselves – and believe they are both compelled to comply and to keep the full details from upper management (for everyone's protection)?

Does that count as the "company" knowing? I could see the CEOs saying, as they have, "no", and the NSA saying, as they are here, "yes".

  • voidlogic 12 years ago

    Internal corporate collaborators unknown to the executives speaks to a failure of corporate security/infosec. I'd imagine current CEOs are increasing their organizations' security measures to protect not only against corporate espionage but also state players. If you are CEO and you are forced to comply that is bad, but not nearly so bad as complying without knowing it is happening. Not knowing doesn't allow you to leverage legal, oversee the extent of compliance or plan for the contingency of the compliance becoming public.

    • gojomo 12 years ago

      How many CEOs view their interests as separate and opposed to their home-country security services? That's who protects them from terrorism, sabotage, blackmail, and kidnapping! A corporate infosec policy that keeps out everyone except a few quasi-official security-state moles may be exactly what they want. Earn brownie points, avoid paper trails, "everyone" wins.

      Probably, helping the security-state even makes keeping other security threats out, easier: if you play ball, they want their secret, exclusive access to be unique. They fortify the holes behind them, and can use their many, many vantage points to warn you about other emerging threats. Otherwise, you're on your own.

      Do you want to be friends with the best-funded, legally-advantaged infosphere apex predator, or enemies?

      • jacalata 12 years ago

        So your first post seems to say "the CEOs could plausibly not have known" and this post seems to say "of course the CEOs went along with it!" Which is an entirely different claim. Could you clarify?

        • gojomo 12 years ago

          It's not binary. I'm considering a range of situations which explain both the denials and the NSA lawyer's report.

          The CEOs might know, and think it safe to lie. (That's the "First" part of the topmost post.) They might not know because the NSA only approached targeted lower employees, and the combination of the law and the company's own structure prevents the full decision/compliance from ever being told to the CEO. (That's the "Second" part of the topmost post.)

          And the reason that they don't "know" could be that the NSA is really good at a targeted approach, or that the CEO has helped by making sure enough people to make the NSA happy are empowered and compartmentalized to do so, without it getting back to him. In such a case, he honestly doesn't "know" exactly whether or how much the NSA is poking around, but that's ignorance-by-design.

          If the government were angry at a CEO engineering such ignorance to avoid criminal liability, they'd prosecute under the theory of willful blindness:

          http://en.wikipedia.org/wiki/Willful_blindness

          But since the CEO is in this case doing the government a favor, the government will "look the other way" about the CEO "looking the other way"...

      • voidlogic 12 years ago

        > How many CEOs view their interests as separate and opposed to their home-country security services?

        Probably most in the tech industry now...

  • polarix 12 years ago

    Correct. Companies are not monolithic. How many people do you need to know about it, in order to hide something from the monitoring systems and management alike? 10? 2?

    • Zigurd 12 years ago

      The lawyer quoted in the article appears to contradict this: “Collection under this program was a compulsory legal process, that any recipient company would receive.” That's not a black bag job.

      • gojomo 12 years ago

        Joe who used to work at Ft. Meade – totally stand-up patriot! – is a senior employee in the company's operations department. He is served the compulsory process, and it is implied that under the process, he should not tell anyone else at the company, including superiors and company counsel. In fact, the senior executives may have even tacitly employed Joe for this role for this very purpose: he's been pre-vetted by the security state.

        That's not quite a 'black bag' job. Nor is it completely legitimate. It's something in-between, which most of the time lets everyone work under convenient fictions, getting on with the rest of their jobs.

        • Zigurd 12 years ago

          Really? Can the janitor respond to a warrant being served?

          • gojomo 12 years ago

            The example is "senior employee in the operations department". Probably, the same person who'd be asked to implement the tap if it went through CEO-counsel-VP-etc. The NSA might just be doing everyone a favor by fast-forwarding past those steps, since they can't say no and only face more risk for knowing more anyway.

            But to consider another variant, I could absolutely see a janitor becoming convinced by men with badges that he must cooperate with their investigation, perhaps by planting a bug or offering out-of-hours access. A janitor could also be convinced by official-looking (and perhaps even truly official!) judicial paperwork that says he's not allowed to tell others.

            In the case of my hypothetical 'Joe with Ft. Meade experience', the cooperation is cheerful because he believes in the mission and legitimacy of the request. But under the strange logic of compelled secret compliance, lower-level employees might be coerced into cooperation. (That'd be more likely to be seen as a true corporate infosec failure, rather than a "wink, wink, 'failure'", from the perspective of top executives.)

jrochkind1 12 years ago

This caps off some pretty amazing reasoning.

Earlier, the government insisted that simply collecting information in their databases was not a 4th amendment violation, because the actual 'search' only occurred when they _search_ the database, not when they collect and put in their database.

(I think maybe they even defined 'collect' so it somehow only applied when they did a search, not when they actually collected?)

Now they:

> ...strongly rejected suggestions by the panel that a court authorise searches for Americans’ information inside the 702 databases. “If you have to go back to court every time you look at the information in your custody, you can imagine that would be quite burdensome,” deputy assistant attorney general Brad Wiegmann told the board.

> De argued that once the Fisa court permits the collection annually, analysts ought to be free to comb through it, and stated that there were sufficient privacy safeguards for Americans after collection and querying had occurred. “That information is at the government’s disposal to review in the first instance,” De said.

Combine them both, and, well, you see where you get.

andyjohnson0 12 years ago

If the companies knew about the data collection but were prevented from speaking about it due to being served with national security letters, does this admission change what they can talk about? And/or does it indirectly confirm the existence of NSLs?

  • lern_too_spel 12 years ago

    No. They were only prevented from speaking about how many they received, and still are except in broad buckets. The existence of NSLs and the fact that they were about collecting certain users' data have both been directly confirmed by all parties since NSLs existed.

linuxhansl 12 years ago

> “If you have to go back to court every time you look at the information in your custody, you can imagine that would be quite burdensome,” deputy assistant attorney general Brad Wiegmann told the board.

Come again...? So we're breaking the separation of the three powers because otherwise the authorities have to be inconvenienced with the "quite burdensome" task of "going back to court"? He can't be serious.

znowi 12 years ago

I suppose if at some point Larry Page himself confirms that they did know all about NSA surveillance and actively participated, people will still find ways to acquit the beloved company :) I'm not sure if it's the force of the "no evil" brand or maybe inherent dislike of the government, but user loyalty in PRISM companies is quite remarkable.

  • lern_too_spel 12 years ago

    That's because PRISM deals with court orders for specific users' data. Every company in the world complies with those court orders. Why should we demonize these companies for doing something everybody else does and that everybody has always known they do?

  • psbp 12 years ago

    Why single out Page and Google?

    • jeremyjh 12 years ago

      They singled themselves out with "don't be evil". Which was an implicit critique of other tech giants.

patrickg_zill 12 years ago

Sheryl Sandberg has received a lot of press coverage, most of it pretty positive, for her book "Lean In".

As COO of Facebook, she must have known a great deal about what was going on... it would be very interesting for me, given her talk of leadership, if she were asked some questions about this....

dan_bk 12 years ago

Simply disgusting.

pktgen 12 years ago

Throwing the tech companies under the bus...

  • Fasebook 12 years ago

    Well, they're all playing in traffic together.

    It's like their mothers never told them to look both ways before crossing the street, or to not play in traffic, for that matter. Or maybe their mothers hated them and told them to go play in traffic and that's why they hate the world. There are so many ways this allegory works. Ultimately, they're all going to get paved over by a road crew, if not hit by a very large bus. (cough, ahem, HD video, excuse me my digestion hasn't been right lately).

davesean 12 years ago

No one denied complying with 702 orders. The main contention about PRISM isn't that the entities receiving data requests knew that they were receiving these requests, the main contention was/is about the "direct access" allegations which is what these companies actually denied, that and knowing the government codename for the program.

Bad reporting.

  • poulson 12 years ago

    The second paragraph of the article claims that companies knew about "upstream" collection as well. This is, from my understanding, the main point, as the Google engineer Brandon Downey issued the very harsh statement, and I quote, "fuck these guys", when the infamous smiley-face slide leaked.

    EDIT: Apparently the "upstream" collection does not refer to the third capture method in question, which exploited the fact that Google did not (at the time) encrypt its internal communications.

    • dlinder 12 years ago

      iirc "upstream" refers to collection out on the Internet - the "fuck those guys" program is MUSCULAR, which is the tapping of private interdatacenter links.

      http://en.wikipedia.org/wiki/Upstream_collection vs http://en.wikipedia.org/wiki/MUSCULAR

    • leoc 12 years ago

      I am assuming that this

      > After the hearing, De said that the same knowledge, and associated legal processes, also apply when the NSA harvests communications data not from companies directly but in transit across the internet, under Section 702 authority.

      doesn't imply that Facebook is informed when an "upstream collection" request is made to a telco in relation to a Facebook user, but rather that the telco is. It's pretty unclear though.

    • davesean 12 years ago

      The "fuck you"s were directed at interceptions under executive order 12333 which as the second to last paragraph makes clear was not a subject of discussion.

      PRISM and UPSTREAM featured in the same slide which would explain them being discussed together, but UPSTREAM isn't subject to tech firms' whims so the discussion might have been concerning telecom firms as well.

      The reporting isn't clear, best read the transcript when available.

andyl 12 years ago

Of course they did (do). Just like telcos.

What is amazing is the carelessness that the government shows w.r.t. protecting the interests of American tech firms. NSA could hardly have done more to destroy worldwide trust and credibility in our tech industry.

  • eliteraspberrie 12 years ago

    I suppose the grass is greener on the other side. As a Canadian I trust the US tech industry. Everything that has been exposed in the US has been happening here too, and then some. The options are: spend lots of money to be spied on here; spend much less money to be spied on in the US.

  • Zigurd 12 years ago

    This is what should be the central point of the discussion here. NSA treats its informants about as badly as some hick county sheriff does to drug snitches. Except the stakes are $100s of billions in revenue from sovereign governments and economic competitors who would prefer not to just bend over for getting back-doored.

    The other side of the coin is that the companies collaborating in these programs seem to put themselves at the mercy of the government rather than making products that can be verifiably trusted.

Fasebook 12 years ago

Ooops this universally installed and standardized language is universally installed and standardized, how did that happen?

Zigurd 12 years ago

Tl;dr: They ALL knew. They were ordered to comply. The denials are lies.

  • joshstrange 12 years ago

    No, it appears this is only talking about the FISA court orders

    >> “All 702 collection is pursuant to court directives, so they have to know,” De reiterated to the Guardian.

    So, yes, companies knew they were being served with FISA warrants (that they complied with) but AFAICT they were unaware that the NSA was tapping their data lines like the example where they tapped data lines between Google's (and others) data centers. [1]

    [1] http://www.washingtonpost.com/world/national-security/nsa-in...

    • newman314 12 years ago

      It would be nice if these were illustrated. It's hard to keep track of who said what in context to particular directives/warrants etc.

    • Zigurd 12 years ago

      > Section 702 is not the only legal authority the US government possesses to harvest data transiting the internet.

      • mpyne 12 years ago

        The existence of other legal authorities does not imply that tech firms are voluntarily working with NSA to help NSA harvest their data transiting the Internet.

        It doesn't even make sense anyways; what does Facebook have to do with surreptitiously tapping into a router in Belgrade or Quito?

        • Zigurd 12 years ago

          Whether cooperation is voluntary, or not, is not the issue. Nor is tapping the carriers, with or without their cooperation. The article says that cooperation can be compelled.

          The issue is that some of the participants in PRISM denied providing "direct access" to their data. Some people here are saying those denials are meaningful when we do not have a complete picture of how cooperation is compelled.
