
The process as I understand it:

* NSA (or some other USG agency) issues a directive to the provider under authorization from FISA. No court order is required for NSA to issue directives under FISA.

* If the provider is Google, Yahoo, or Facebook†, that directive is reviewed manually by the provider.

* In at least the case of Yahoo, where this step is supported by court documents, but probably all the other cases too based on provider public statements, the provider has the option of refusing to comply with the directive, at which point they send lawyers to FISC.

* For all intents and purposes USG never loses at FISC.

* Some process happens at the provider in which data pertaining to the directive is collected, marshalled into some kind of bundle, and placed on a secure drop box server ("similar to an FTP server"); it is NSA's access to these servers that "PRISM" refers to.

If you're telling me that this is the understanding most HN people have about what "direct access" means, I'd direct your attention to this very thread to rebut that argument. I'm accused upthread of "mincing words" but would respond by arguing that any attempt to characterize the process in this post as "direct access" is a much finer mince; a brunoise of words, if you will.

Because those providers have publicly stated that.



Still arguing with the NSA over their own capabilities?

I'm actually curious how you rationalize this worldview given the bizarre news over the last few days that the Fed is insisting on burying NSA FISA requests among requests from every other law enforcement agency when reporting statistics?

Leaving aside the point that aggregated and anonymized information seems to pose absolutely zero security risk and should not be classified in the first place, there seems a fairly obvious reason for the move that contradicts at least one if not more of your assumptions above.


See what I mean? This is the kind of comment that makes me think most HN people commenting on NSA think NSA has direct, unilateral access to Google Mail's servers --- as The Guardian (incorrectly) reported.


I don't see how you can possibly jump to that conclusion. But if you don't want to analyze the question from the position of the NSA (as you should be doing), then you are welcome to personalize it. So reiterating the question, which of your assumptions listed above do you think I suspect are wrong based on the kerfuffle over statistics reporting?

Put another way, why on earth does NSA seem to care so much about aggregating its FISA requests with other law enforcement agencies when reporting statistics to the public?


I'm having a hard time parsing your question but can I ask a different one: do you disagree with any of the bulleted points in my comment above? I don't want to waste a lot of time petulantly agreeing with each other.


Yes. My suspicion is that your first two assumptions are incorrect, and that (1) FISA requests are not personalized under PRISM, and that consequently (2) there is no manual review or check against the abuse of power by providers on an ongoing basis.

This is the only reasonable explanation I can think of for why the NSA would be trying to hide its request volume in the larger volume of overall requests from law enforcement: an attempt to massage the average user-accounts-compromised-per-request downwards when reported to the public. If there are any other explanations you can think of for why it matters how the aggregate statistics are reported, I would be curious to hear of them.

And obviously, abuse of the FISA process renders splitting hairs about what constitutes direct/indirect access meaningless. FISA abuse plus an automated dropbox provides exactly the sort of data access that Snowden and the NSA repeatedly insist they have, while reconciling Google's claims with those of the NSA.


I don't understand the (1) and (2) thing. What does it matter whether the requests are "personalized"? In fact, I think they probably rarely are; you can look at Facebook's numbers to see the aggregates suggesting that most requests are for sizable numbers of accounts, not just one.

My point isn't that NSA's FISA directives are surgical; like you, I doubt that they are. My point is that upon receiving them, a lawyer at Google approves or rejects them, not a SQL query.

If you read all my comments on this whole annoying story I think you'll find that I'm rarely (maybe never?) sticking up for NSA, but I am happy to stick up for Google anywhere that I can. Google is actually (in this instance) fighting for your privacy, and then getting shellacked on message boards like this; what's worse, they're prevented by the USG from explaining what's happening. They're being equated with companies like AT&T, companies that appear to be sharing bedding with NSA. That belief is wrong, it's unfair, and it's counterproductive.


> If you read all my comments on this whole annoying story

Your comments have repeatedly attacked the credibility of whistleblowers, derided their claims as factually and technically impossible, and asserted that NSA statements about NSA capabilities are wrong.

> My point is that upon receiving them, a lawyer at Google approves or rejects them, not a SQL query.

I don't think Google has much say in this, but what do I know? Only that your assertion otherwise is in open conflict with claims by Snowden and the NSA officials who have briefed Congress, both of whom tell us that authority over which targets to tap is in practice delegated to security analysts.


> Your comments have repeatedly attacked the credibility of whistleblowers, derided their claims as factually and technically impossible, and asserted that NSA statements about NSA capabilities are wrong.

I'm glad I'm not the only one who's noticed tptacek's tendency to defend "The Establishment" at every turn, whatever naughtiness comes up. There he goes again. I wouldn't be surprised if he had some ties to the government.


Not sure what you mean here by the establishment. I see him defending Google, and rightfully so. I think Google is one of the few companies who have been fighting for the privacy rights of users. It would be a shame if other companies saw the effort Google puts into this, only to be tarred and feathered for something they might not be guilty of. Those other companies might decide it's not worth sticking their neck out for users.


> I think google is one of the few companies who have been fighting for the privacy rights of users

.. While happily shitting on their privacy behind their backs by giving a copy of all their communications to the NSA? -That kind of "fighting"?


For fuck's sake. So you don't just disagree with (1) and (2), but with the whole thing. Why not just say that?

Yes, to whatever extent that slide deck said NSA has direct access to the servers that run Google Mail, I am arguing with the slide deck.


Two days ago you were arguing with a slide deck. At this point, you're also arguing with a NSA brief of Congress and numerous public statements by members of Congress.

Swearing at me isn't the solution in any case. If you want to stop taking flak on HN, you should stop attacking the credibility of whistleblowers on the rhetorical basis that you know more about what the NSA is doing than the NSA does.


No. You're making an unfounded assumption, which is that the interpretation Glenn Greenwald and Barton Gellman took of that slide deck --- an interpretation Snowden appears to share --- is also what NSA believes to be the case about their access to Google's servers.

It does not follow logically that because one interpretation of an NSA slide deck is that they have direct access to the servers operating Google Mail that that's the only reasonable interpretation of the slide deck. In fact, in the week since we found out about the deck, it's looking less and less and less likely that the original interpretation is reasonable at all.

I don't mind flak (as I'm sure you can tell), but I do mind being drawn into unproductive discussions; when I asked if you disagreed with the post I made above, and you disagreed with only a small part of it in one comment but then the whole premise of it in a later comment, I got frustrated, because why take the time to reply to your comments if you're just going to move the goalposts around?


Honestly, I don't really care about the "direct/indirect" distinction that bothers you: the only real opinion I have on that point is that if Snowden and some anonymous powerpoint junkie can reasonably characterize their access as "direct", then arguing over whether it is in fact "indirect" from some arcane technical perspective is a waste of time.

> when I asked if you disagreed with the post I made above, and you disagreed with only a small part of it

But I don't disagree with your third through fifth statements. I suspect you're wrong to assume that (1) the FISA process is providing reasonable judicial oversight over requests and that (2) providers manually review the appropriateness of individual data requests. As far as the rest goes, this statement of yours is the core point:

> It does not follow logically that because one interpretation of an NSA slide deck is [X] ... that that's the only reasonable interpretation of the slide deck.

Assuming you believe this, I do not understand why you are so hell-bent on attacking Snowden's credibility and dismissing the concerns many other people have raised about excessive surveillance. There are clearly reasonable interpretations of the released materials which make his statements (and those of the NSA and other whistleblowers) perfectly compatible with Google's own statements.


Congratulations everyone, tptacek just successfully diverted a big part of this whole thread into an argument about something that was supposed to be irrelevant to this thread.


Funny that you should mention moving goalposts. That seems to be the M.O. of the NSA apologists. First, the argument is "It's not content. It's just metadata, which is no different from addresses on postal mail envelopes". That's already a terrible rationalization.

But, then, revelations come out that it is more than metadata being captured. It's actual call content and no warrant is required for a run of the mill "analyst" to listen to those calls.

So, now the goalpost is being moved to whether the NSA has "direct" or "indirect" access to gmail servers--a specious and inconsequential debate over some subjective semantics.

What will it take for the apologists to actually grow concerned about what's really happening here?


Probably never. A lot of us "apologists" think that this is actually a good thing, but many are unwilling to admit it, even to themselves.

For me, it's simply a matter of valuing truth over privacy.


It actually would be better for the apologists to come out and say that you want the government to have carte blanche access to all of our information. At least it's honest and doesn't waste people's time in these trivial non-debates about peripheral non-issues.

OTOH, of course, that posture is all the more stupefying. Which "truth", exactly, is so important that we should all be willing to give up our privacy?

And, how is it that you find it so easy to trust our government with such power? After all, if it is untoward human beings who make truth-finding so difficult that these drastic, privacy-defiling measures are necessary, then why do you have so much trust for other fallible human beings to wield this power?


It doesn't matter which truth exactly. The more information they have access to, the better the decisions they will be able to make (in theory, at least).

I don't trust them to wield that power because I don't need to trust them. I hope that by wielding that power, they destroy it by making it clear to the world that privacy no longer exists.


Sounds like you're not familiar with the rules of Calvinball, friend.


That comment made this whole thread worthwhile.


You misread the article - the briefing seems to only specifically mention wiretapping phone calls. The author goes on to say:

> Because the same legal standards that apply to phone calls also apply to e-mail messages, text messages, and instant messages, Nadler's disclosure indicates the NSA analysts could also access the contents of Internet communications without going before a court and seeking approval.

Meaning the US Gov't believes it has as much legal right to access e-mail as it does phone calls. Claims that they've done so in the same way (that is, in massive numbers with very little oversight or attention) are speculation. As more evidence begins to surface, it seems like telephone companies like AT&T and Verizon have been far more complicit in the NSA's indiscriminate surveillance programs than companies eg. Google that control e-mail - when's the last time you saw AT&T publish a transparency report detailing government requests for user data?


The NSA brief to congress wasn't referring to PRISM at all. Telecommunications interception != PRISM.

The slide deck was always very ambiguous. But it was very interesting that it said that analysts should use both methods (PRISM and interception)


> If you're telling me that this is the understanding most HN people have about what "direct access" means, I'd direct your attention to this very thread to rebut that argument.

I'm not at all saying that. I'm saying that most HN folks do not share your definition of what "direct access" means. I specifically said that it seems like most people are quite aware of the ambiguity of the meaning of "direct access" in a couple slides and that we can only guess at what it precisely means.

Your comment clearly indicates otherwise:

    Either way: the original notion that NSA had direct access to the servers that 
    actually operate Google Mail has been found to be unsupported by the evidence 
    published thus far.
    
    I call this out continuously and obnoxiously on HN because it is very much not 
    the mainstream view on HN

Which seems like you're implying that most here believe literally in some direct tap on a provider's servers. But that isn't my experience.


Bullcrap. When people saw "direct access", they concluded direct access - as was reasonable, at the time, from what the leak seemed to show; I did the same. Many of the people on this site have since realized that that is not true (although there were sure a lot of crazy theories about the specific wording of the initial denials), but most of those people are no longer saying "direct access", and there are people still saying "direct access".


> there are people still saying "direct access".

Undeniably. What tptacek thinks though is that those people are "most" people on HN.

burntsushi thinks this is plainly false, and I agree with him. I think tptacek is seeing whatever it takes to stroke his ego.


Personally I'm not sure we're reading the same HN. Maybe today the facts regarding Prism are finally catching up but it certainly wasn't the case yesterday or the week+ before.


Yes, that is exactly what I think most people on HN that comment on this issue believe.


Hear, hear if you thought about it long enough to know they didn't give the NSA a database console with read-only rights!


It's possible, I suppose, that most HN people think that Google has, somehow, given the NSA a way to access their Bigtable database directly and query it--thereby entrusting the information on the structure of their database, and subsequently their billions of dollars, to NSA analysts making a few tens of thousands of dollars a year--ignoring entirely the ridiculous notion that such access is even physically possible or enabled.

That doesn't change the fact that they're wrong.

Google couldn't possibly give the NSA "direct access" in the way you're defining it without creating a subsystem to service it--like, say, a secure staging server that requires being populated by processes which run and pull the data from disparate parts of their system, whose access would most easily be accessed via FTP. Anyone technologically literate who considers what "direct access" could mean deeper than a surface level should arrive at the obvious conclusion that "direct access" does not mean the Google equivalent of a MySQL console.


I think that's an excellent summary, but also: that SFTP-like access almost certainly keeps happening, for that targeted account, after the initial request. Perhaps it happens hourly, or even faster when relevant account events (login, message-received, message-sent, voip-call) occur.

For most of the world -- those who have never SSH'd into a machine, nor had machine 'root' access -- that rapid-batch-dump access still would be fairly described as "direct access". Word meanings vary based on context and the expertise of the discussion participant; the slide deck and the journalistic reports were all written at the level of fuzzy understanding, not technical precision. Practitioner nitpicks about the implementation details don't refute them.


The Guardian went out of its way to characterize the access not only as "direct" but "unilateral".


The Guardian reported what the NSA documents claim PRISM does.

You keep implying that The Guardian is making unsubstantiated claims, but their article is full of "NSA claims" and quotation marks, and it would take someone intentionally trying to read something else into it to ascribe these claims to The Guardian.

Are you claiming The Guardian is lying or mistaken about what the NSA documents say?

Because if you are not, then your beef should not be with The Guardian articles, but with the NSA documents.

It's possible the NSA documents are technically incorrect, but if that is what you believe, then complain about the NSA rather than attack the reporting, as in that case attacking the reporting just seems like a weak attempt at making your arguments seem more credible by attaching the claims about "direct" access to the reporters rather than the NSA.


So what? The subject of this thread is that the NSA admitted that analysts can listen to the content of all of our phone calls without a warrant. We are having this discussion because the Snowden link put the NSA front and center.

Yet, you are arguing some mundane semantics?

Instead of smearing the people responsible for these revelations, why not try to focus on the big picture? That is, all of this is leading to long overdue appropriate dialogue, that is engaging our representatives in the oversight that is required to uphold our Constitution. Big picture!


No, I am arguing that AT&T rolled over (and, as it turns out from today's Gellman piece in WaPo, took money from the USG to do it), while Google fought back. But commenters on boards like this are happy to shit all over Google because (a) any allegation that Google rolled over to the USG confirms their biases, (b) they're inclined to put people into binary "agrees with me entirely" or "disagrees with me entirely" buckets that presume anyone who argues with them must be apologizing for NSA, and (c) because it's fun to talk about big companies like Google being evil and less fun to talk about them working hard not to be.

You think these are mundane semantics. I think they're more meaningful than that. People on HN can't get me to shut up over the right fix for a CSRF bug or how taxicabs can be licensed; why would anyone think I'd back down on an issue like this?


It's more that a lot of people are more inclined to trust a leaked NSA document that claims NSA does the type of things that people already believed NSA does, including when it implicates Google, than a Google PR denial of a very specific interpretation of the same.

In the absence of more evidence about what exactly PRISM does, what we have is guesswork, but guesswork where believing some interpretation of the NSA documents becomes easier the more revelations of extensive NSA surveillance via other channels that are coming out.


If they didn't want to be "evil" they shouldn't have been collecting these gigantic amounts of data without properly protecting them from parties such as the NSA.

For all the promotion they put into two-factor authentication for account-safety, "suspicious login attempt" notifications, etc, if they had done the same for GPG in GMail/Chrome, that would have been a huge step towards giving the mainstream a taste of actually being in control of their own privacy, I'm not saying we wouldn't have this problem right now, but we'd be in a way better position of dealing with it, for sure.

edit: to be clear, that is one of the many reasons why I think this arguing about whether this access is "direct" or whether it's "sorta kinda direct" distracts from the real issue: access.


Maybe I'm the stupid one here, but how does Google offer to provide people 4GB of email and storage... without actually storing that?

And like you yourself mention, to add security to prevent automated hacking scripts from 0wning accounts to add to a botnet (attempts that happen orders of magnitude more often than an NSL or FISA warrant) they have to add IP tracking for individual accounts.

You talk about GPG but there's little safe way to do that from client-side JS, would defeat most of the point of offering free email for Google in the first place, and is already supported just by offloading that onto a real email client.


I don't want you to shut up or back down. I am just baffled by your priorities and incoherent sense of scale.

Here we have revelations by the NSA, that analysts can listen to anyone's phone calls. In America. This subverts just about the entire spirit of the Constitution and some of the letter.

But, you would rather spend your time isolating some relatively minute detail that Snowden or others may or may not have gotten wrong.

And the thing is, neither you nor anyone here even knows enough to draw conclusions as to these minute details. A few weeks ago, we didn't know that the NSA was collecting metadata on so many calls. A few days ago, we didn't know that analysts were eavesdropping without warrants. Yet people like yourself would argue vehemently on behalf of the government. The more that comes out proving you wrong, the more you dig in and move the goalposts. It makes one wonder what the government would have to do to actually concern you.

And the thing is, while you argue things you couldn't possibly know, there are now enough solid facts coming out (including admissions by the NSA) that should be of grave concern to you. Yet, here you are again focused on trivial, unprovable details.

I won't argue the subjective notion of whether the details are mundane. That's opinion. But, I don't understand how anyone can have such a skewed sense of scale when comparing the relative importance of what you choose to argue versus that of the astonishing revelations being brought to light about our government.


I'd need to see the context to know if the Guardian was wrong where they used that exact word, or were simply describing something that exists with some companies or at another level of tapping.


A graf from Greenwald's original story:

> When the FAA was first enacted, defenders of the statute argued that a significant check on abuse would be the NSA's inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies' servers.

Every part of this graf appears to be false!


The 1st sentence seems fine: the companies have no practical way to withhold consent.

The phrasing "directly and unilaterally seize" seems exaggerated given the preponderance of current revelations and denials, but if Prism includes other not-yet-revealed acquisition methods, might still be substantially true. After all, the denials you're relying on are from company leaders who also said they've never heard of Prism.

I can believe Greenwald got overexcited in that phrasing, and trusted the slide deck (including as-yet-unreleased slides) too much. Just like perhaps Obama was a bit clumsy and overeager to reassure with his phrasing, "Nobody is listening to your telephone calls."


The companies can withhold consent simply by not consenting. Both NSA and the company then have to appear before a federal court and argue the case; a court then orders one side or the other (obviously: virtually always the company) to back down.

It bothers people that the USG virtually always wins these cases. But I think it shouldn't bother people as much as it does, for a couple of reasons:

* It's also the case that state governments win most attempts to get Title III wiretaps; in those cases, it's because getting a Title III wiretap is an expensive process that involves a shitload of paperwork, and prosecutors don't waste the time going for them unless they're sure they're going to win. It appears easier to get a FISA directive upheld, but it's not free.

* It's what you'd expect to see happen if the USG was only using FISA to conduct foreign surveillance, which, while I wouldn't take NSA's word for it, is not at all hard to believe; what is the motivation for them to set up a paper trail with the FISC of doing something else?


> but if Prism includes other not-yet-revealed acquisition methods, might still be substantially true

Yes, but that's close to being a tautology: what outlandish claim might not turn out to be true if in future startling new revelations supported it? In fact, direct access in the NSA-has-root sense is less likely in light of the PRISM slides: why file 702 orders and dicker with webco lawyers if you're able and willing to get whatever you want through some kind of back channel? Why create a Top Secret overview and training resource for Internet surveillance and apparently not mention this backdoor?


There's lots of evidence there's way deeper unrevealed stuff: hints from earlier NSA-careerist whistleblowers and Snowden. ~40 more slides in the PRISM deck that Greenwald has seen. Possibly thousands more documents Snowden has provided to Greenwald and perhaps other journalists. Representative Sanchez (D-CA) describing what's public so far as "the tip of the iceberg". Representative Nadler (D-NY) essentially acknowledging warrantless domestic wiretaps, at analyst discretion, in apparent contradiction to sworn testimony of General Alexander a few days ago, and President Obama's comments a week ago.

So while of course, we can't assume every covert acquisition method darkly imaginable is happening, it would also be foolish to assume that exactly what has been clearly documented so far is the full story.

Why the trouble of extra legal orders and a paper trail if the NSA already had deeper covert access? Well, the government isn't efficient and different levels can't always work together. For example, why did the DoJ use more normal procedures to get AP phone records, when the NSA already had all that data? Also, when you have a treasure trove of info obtained in illegal ways, or in ways you don't want to admit, and you want to act in ways revealing that you have that info, you can try to get it again in a second, redundant way: one that you can explain, and maybe legally rationalize.

And when nobody inside or outside your organization has the whole picture, the fact that there's some legal process for getting some info from, for example, Google, might serve as plausible cover deflecting questions about how exactly so much more info winds up in the system.

In fact, that's one possible mechanism for the PRISM slides' author thinking that the access to Google et al is so much more powerful and 'direct' than the companies' own measured response process can explain. They're each blind men feeling different parts of the elephant.


Greenwald's statement here about the Prism program is explaining what the NSA document claims. This is clear from context. If it is false, it is false in the same way as a book review that recaps events in a novel is false.

And unless I've missed some major revelation, it "appears to be false" on the basis of press releases from companies with an interest in not being caught with their pants down.

Forgive me for not being so willing to jump to conclusions about which claims to believe.


It's false in that it's technically inaccurate, even given nothing but the slides.

E.g. "direct and unilateral access". Unilateral means exactly that only one party needs to decide, the reality is that it is bilateral access (both parties must agree).

So that's at least one thing Greenwald managed to screw up in his "book review" of a single slide. The question is whether blame lies with Greenwald alone, or if Snowden misled him into that by stupidity or malice.


> the reality is that it is bilateral access (both parties must agree).

How do you know this on the basis of the slides alone?


> No court order is required for NSA to issue directives under FISA.

As far as I can see (IANAL) most forms of FISA order do require a court order. FAA 702 orders are issued by the government rather than the FISC court, but still have to be reviewed and approved by the FISC. It's just that the nature of the court's review affords no protection to non-resident aliens (except by chance).

> For all intents and purposes USG never loses at FISC.

Well, it has lost at least one significant case at FISC, it's just not letting us see the ruling.


As I understand it: FAA 702 certifications require FISC approval, but 702 directives don't; there's a 1:many relationship between certifications and directives, and directives are what companies see.


Yes, that seems to be the case.



