"The government's ability to perform surveillance even when armed with a court order depends in large part on the decisions engineers made when designing a product."
So it's up to engineers building new products to incorporate security from the ground up. No more lip-service to 'Your privacy is important to us' but actual technical changes.
The one thing I have not heard amid the denials from Internet portals, search engines, and social networks is any move at all to provide truly secure communications and storage. The only consumer-oriented service I know of that advertises the ability to encrypt your data with your own key is Carbonite, and they did so long before Snowden. They all could do it. They all could provide routine strong encryption, and they could make it simple. They all could have been securing your email from hackers and foreign spies, long before the NSA became an issue. By taking that step they could regain trust. And yet...
I consider helping the government that way worse than letting them get the data forcefully with their own equipment, because then the companies won't even protest against it anymore, since they will be "partners in crime" so to speak.
I feel the same way about ISPs handing over data for money and turning it into another profit center.
Perhaps, but the problem is that the FedGov's equipment may vacuum up far more than it's supposed to, or disrupt the network, or do a MITM attack not authorized by the court order, etc.
From my article: "A federal magistrate judge sided with the government, despite the fact that 'Carnivore would enable remote access to the ISP's network and would be under the exclusive control of government agents.'"
If you're running a company and care about your users' privacy, would you want an NSA black box with "remote access" -- remember, you can't log into it and don't know what it does -- inside your firewalls? It might be better to say: Okay, here's a process through which we'll give you a .tar.gz file of the account via Secure FTP. Just keep those NSA black boxes the hell away from us. Hello, PRISM.
That's a rationale for sure, but the risks you cite are likely to be present nonetheless if the firewall, networking, and SAN gear you are running has backdoors.
If you have evidence that the "firewall, networking, and SAN gear" used by Facebook, Apple, Microsoft, Google, Yahoo, etc. have supersecret government backdoors, we'd be delighted if you could share it with us.
I'm not sure if this is what was originally referenced, and honestly I'd be very surprised if HP storage saw much use in these companies, but the tech support backdoors that have recently been revealed in two HP storage products have caused me personal concern.
All I know about firsthand is the LI interfaces in some kinds of infrastructure routers. The way the LI interface is controlled would enable its use without knowledge of the owner of the node. I don't have any reason to think the ones I know of are the only infrastructure nodes with LI interfaces.
In case anyone else is wondering WTF an "LI interface" is -- it is a "Lawful Interception Interface." A way for a 3rd party, nominally a law enforcement agency, to make direct copies of certain specific data that passes through a router. In the US it is the kind of thing that the CALEA bill mandated.
Top comment on the page: Honestly I don't care if the government wants to vacuum up all this info, and they are using it for legitimate investigations and trustworthy people have access to it. My only concern is with the people who have access to this information and intend to do harm with it. Case in point - Snowden.
Is there some decent management tool that would allow tracking/commenting on popular news-websites? This is something where I would approve of a voting ring system.
So.... the answer to the question in the title is "by law".
The article seems to answer a different question: "Why do Internet firms invest resources in implementing software which aids the NSA's surveillance?" Because otherwise, the NSA will build it themselves, and force the companies to install it inside their datacenters.
I think a lot of outrage on this site and others is misplaced. Why are there more posts about boycotting than about effecting change in the federal government?
The efficacy of boycotting is pretty dubious given that PRISM is probably just one program of many being employed by the NSA and other governmental agencies.
Both can be effective. Boycotting simply brings about change by proxy, since it can prompt companies to use their legal counsel to lobby for changes. If there is one thing citizens have learned, it's that lobbyists are more effective than citizens because many of those in Congress are lazy enough to accept bills written by others and pass them off as their own.
Personally, I think every bill that goes to Congress should be written by the congressmen and women and their staff and not by any outside agencies and consultants. Showing that a law was not written by those that were elected should invalidate the law.
Except that advocacy groups the HN crowd generally likes also draft legislation for the congresscritters to introduce. Here's the Electronic Frontier Foundation's draft bill -- "Initial Improvements to Aaron's Law for Computer Crime Reform" -- from earlier this year:
https://www.eff.org/deeplinks/2013/01/effs-initial-improveme...
BTW I'm hosting an event in SF with EFF on this topic later this month. On July 22. Details TK.
Point is the writing-the-bills issue (and even the reading-the-bills issue) is a symptom of the problem, not the actual problem itself.
I think that is an acceptable price to pay for the benefit of requiring our representative to at least understand the issue enough to restate it in their own words.
That's the rule I have for my kids, if they claim they understand what I'm telling them, I require them to state it back to me in their own words. Seems like a reasonable expectation of the people hired to represent us.
These companies go to great lengths to avoid US tax jurisdiction, employing an army of accountants and lawyers to avoid giving money to the IRS. Perhaps they could work with the same dedication to avoid giving their users' data to the NSA.
That is true, but numbers matter. There's a big difference between the NSA serving 10 FAA702/FISA orders a year on Microsoft for Skype intercepts vs. 10 million. It's targeted vs. wholesale surveillance. We know from companies' disclosures the upper bound is on the order of thousands, and is likely to be far less.
Put another way, there are some actual terrorists/spies/etc. out there, even if the number of terrorists is far lower than the government would like you to believe. If the NSA serves Microsoft with, say, 10 or 100 lawful orders a year to eavesdrop on those communications, is that something worthy of working with "dedication" to prevent? Probably not.
What the companies should be doing is encrypting what they can to frustrate wholesale surveillance. Which Microsoft isn't doing. Which I wrote about here:
http://news.cnet.com/8301-13578_3-57590389-38/
No, the Internet companies have said that's not what's happening. Facebook has said, for instance, it has received a total of requests covering 18,000 accounts over a 6-month period, which includes NSA requests and local cops trying to find a missing person:
http://news.cnet.com/8301-13578_3-57589461-38/facebook-micro...
While I agree with you that numbers matter, having the infrastructure in place and a secret court system which simply passes almost every request allows this to be used as much as the NSA decides is reasonable, and for that use to increase exponentially over time. That in itself is dangerous, because we have no idea what future administrations would use the data for.
A manual process would ensure that the number of requests is kept reasonable.
Tax structures are intentionally written to leave openings (like the Double Irish), courtesy of lobbyists. And it doesn't take much effort to do it. For every politician that wants to bust Google for dodging taxes, there's one that wants to give them huge tax breaks for putting a data center in their state, and so on.
When it comes to jurisdiction, the US Government has essentially no power, via the tax code or otherwise, to force Google to pay taxes on foreign profits unless the money is repatriated.
The same is not true about national security. Political alignment is almost entirely on the side of giving the government more power for 'security' purposes.
When it comes to national security laws, and having your corporation located in the US, you can forget about fighting back and winning. The laws are in place, and they cannot be rolled back without a fundamental culture / attitude shift among Americans. It's arguable, in my opinion, that it's dangerous to fight the government on these issues (e.g. Joe Nacchio / Qwest). That's not to say someone shouldn't do it, but when your personal well-being may be at risk, very few executives are likely to put their comfortable living on the line.
Lobbying about taxes? Half the government is likely to be on your side when you do. Nobody really cares if you do that by comparison to national security issues.
The article mentions that Microsoft’s systems support silently forwarding email to a “shadow account”. Here’s Google’s announcement of the same functionality, theoretically only available to Google Apps administrators: