PRISM: "Collection directly from the servers" (twitter.com/ggreenwald)
74 points by anon1385 on June 8, 2013 | 18 comments


Link to the actual Guardian article referenced by the tweet:

http://www.guardian.co.uk/world/2013/jun/08/nsa-surveillance...


The gulf between these slides and the issued denials and other theories represented by the likes of the NYT (an automated system to speed up compliance) is widening.

Could it be that the slides were made by a non-technical person who was over-selling this? "direct access" could mean "straight from the source".


Couldn't "the companies" be unaware of direct access to user data, but individual employees could be NSA moles providing data access? What kind of privacy protection do companies like Google and Facebook have in place to keep user data secure from company employees?


I think that's a really important question in this current debate...several years ago, Google fired a senior site reliability engineer who had allegedly stalked teens and read their inboxes...apparently, his role was one that required deep access into these databases:

http://techcrunch.com/2010/09/14/google-engineer-spying-fire...

That was three years ago though...a lot may have changed about Google's infrastructure...I'm thinking, for example, whatever work has been done to unify login systems between Google Apps, Gmail, YouTube, and of course, Google Plus. Presumably, as complexity has arisen, so has the need for better access-control infrastructure, which would (hopefully) prevent someone even at Eric Schmidt's level from losing his wits and trampling around in the system without many, many flags going off first.

So with that said, that's why I'm skeptical (in the layman sense of, this is all more complicated than I can dream of) that this surveillance alleged in the PRISM reports could occur with just a few dedicated employees in the know (or a few moles).

It's not just the data transfer that has to go unnoticed, but the successful navigating of the access control infrastructure. And even if Google were to be completely in cahoots with the NSA and built a backdoor, wouldn't there have to be a testing suite that would make sure whatever normal changes to Google's code base also didn't inadvertently restrict (or reveal) the back door logic? And then wouldn't there also have to be at least one layer of oversight to make sure that that testing suite itself was maintained but otherwise unnoticed?

But I'm speaking as a layperson here who thinks that the kind of infrastructure Google has would require a framework that would make backdoor access awkward to implement. Just so many things could break across all of Google's servers, otherwise...like this fun incident that most people probably still remember, if you happened to be awake early one morning 3 years ago:

http://googleblog.blogspot.com/2009/01/this-site-may-harm-yo...

> If you did a Google search between 6:30 a.m. PST and 7:25 a.m. PST this morning, you likely saw that the message "This site may harm your computer" accompanied each and every search result. This was clearly an error, and we are very sorry for the inconvenience caused to our users.
>
> We periodically update that list and released one such update to the site this morning. Unfortunately (and here's the human error), the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file.


The 'back door' system support isn't as complicated as you make it out to be. Centralized administrative access to user data must exist for support, maintenance, and legal purposes, and it will be implemented throughout the organization without anyone batting an eye.

In addition, internal analytics systems will have reason to tap into data streams/events, as will content-based advertising systems.

All of these things are often designed to provide general interfaces; locking them down is done through generic privilege levels and access controls. The people managing those access controls are few, and may not even know the true purpose for the controls they've authorized. Indeed, someone could requisition the insertion of a content analysis system that was fed user data, appeared to be a legitimate deployment, and yet was actually a core service used to push data to the government.


Yes, that is what I think. The slide is making a distinction between passive listening posts and direct collection from companies. "Collection directly from the servers" could simply be a nontechnical phrase that contrasts with wiretaps of telecommunications data.


Agreed. The reticence of the leaking reporters to release the entire powerpoint in an effort to control the debate is scary. The world is now primed to accept more documents titrated from the Guardian.

If the most powerful country in the world is getting trolled with one pdf and five powerpoint slides, this is a masterwork. It would appear that the phone tapping is real, or functionally real, based on the reaction of the Senate and the telecoms. The internet companies' replies, especially Google's, are quite different. Simply causing FUD is sufficient to disrupt a lot of US companies' dominance in the internet market.

A lot of countries stand to benefit from a crippled United States position in internet architecture. One of them is holding an internet security summit with the President today. All of them have powerpoint, and many of them have active intelligence programs of their own.

Skepticism is warranted... The long term effects of this hubbub should act to strengthen privacy and security worldwide.


The implication that the powerpoint slides were concocted by China in order to discredit and weaken US internet based companies is absolutely ridiculous.

It puts any conspiracies I've heard involving the US government to shame. You may not like the Chinese government, but you need to look at the facts here: the slides were released by the Western media, the US has not denied their legitimacy or the existence of PRISM, and there is zero evidence for Chinese involvement.


Have they really not released the entire powerpoint? If not, have they given a reason?


The Washington Post reporter claimed that they carefully selected what to release in order to protect people/programs that they thought were worth protecting.

Start ~2:00. http://www.washingtonpost.com/video/thefold/nsa-leak-source-...


They are currently in discussions as to what they can release:

https://twitter.com/jamesrbuk/status/343432706484490240


True, if not for this http://www.guardian.co.uk/world/interactive/2013/jun/06/veri...

The order, signed by Judge Roger Vinson, compels Verizon to produce to the NSA electronic copies of "all call detail records or 'telephony metadata' created by Verizon for communications between the United States and abroad" or "wholly within the United States, including local telephone calls".

The order directs Verizon to "continue production on an ongoing daily basis thereafter for the duration of this order". It specifies that the records to be produced include "session identifying information", such as "originating and terminating number", the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI) number, and "comprehensive communication routing information".

This court order and the extremely wide net make me believe the worst for the rest.


Google went on record as saying that they'd never even heard of any FISA order remotely as broad as that before the Verizon story broke, let alone acceded to one, and other tech companies said something similar. That doesn't answer every question about just how much ground the orders moving through the tech companies' streamlined new FISA-order pipeline cover. But it does mean that either the tech CEOs are orchestrating a brazen and elaborate lie, or they're not sharing information on anything close to the Verizon scale.


Or their marching orders are to provide live data collection on specific government-identified suspects, rather than live data collection on all users.

In which case, they could claim to be lawfully complying with information requests that are "not as broad", even if the system as designed makes it as easy for the NSA as hitting a "monitor this person" button.

It also wouldn't take vast systemic corporate knowledge. All centralized systems have centralized administrative control that allows for in-depth view and analysis of user accounts and data, and most large-scale systems have relatively powerful and easy-to-use tooling (especially to support customer service, sales, etc).

Complete access to those systems is generally restricted due to the likelihood of abuse, but there remain valid internal management reasons for such access.

Adding to those systems to allow the NSA unfettered (or barely fettered) access could be done without having to alert the entire organization that their internal management systems, which they built knowingly, and have no reason to distrust, have been subverted to allow for on-demand government spying.


If a non-technical person can reasonably understand the service to have "direct access", perhaps the technical distinction between "direct" and "indirect" access that everyone is using to CYA is meaningless semantic babble.


How do we realistically expect companies and government to react to these revelations if they turned out to be true? Is it realistic to assume that they go "Oh, you caught us, here is what we are doing"?

PRISM is not a system handling common law enforcement issues. Those documents reveal a very large scale secret government intelligence collecting tool. If companies are involved, they are forbidden to reveal it and there will be spin, of course.


Then how do you explain the difference between Verizon's statement (http://publicpolicy.verizon.com/blog/entry/from-the-desk-of-...) in which they basically acknowledge the reports and point to their gag-order and tech company execs going on record to strongly deny the reports?


Verizon is not mentioned in that PRISM document. Phone record tapping is a different issue within the domestic spying program and Obama has already admitted it.



