I can't understand the repeated use of "direct access". It's the kind of language a lawyer would use to qualify a patent clause.
- We do not provide direct access to our servers.
- We do not provide direct access nor is there a backdoor.
- O, but we do still pipe all of your data to external NSA servers. </sarc>
Every company named (I'm not just picking on Google here) has come out with the same overarching statement. "We do not provide direct access". It just smells of being rehearsed, and carefully coordinated to select such language.
Until this week’s reports, we had never heard of the
broad type of order that Verizon received—an order that
appears to have required them to hand over millions of
users’ call records. We were very surprised to learn
that such broad orders exist. Any suggestion that Google
is disclosing information about our users’ Internet
activity on such a scale is completely false.
I'm not sure how much more strongly you'd like that worded. It seems pretty complete to me.
OK, in an alternate reality, what would a clear, flat-out denial look like? I mean, how could we tell such a thing differently than what was in the OP?
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday...Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records.
I believe Google on this. The language is clear and non-weasel-y. Google does not hand over user data to the government unless specifically requested. There is no open-ended access.
But I also believe the government works with ISP's (all major ISPs) so that they can intercept traffic. Which would be a type of MITM attack allowing them to get data from all major web sites.
I believe everyone's using the term "direct access" in contrast to the access the government is already known to have, which is via warrant or other "indirect" requests.
Unfortunately for Google, the Director of National Intelligence himself has confirmed the program and publicly called its disclosure "reprehensible". However, Google and the rest of these companies are in an awkward position. This program is still technically Top Secret, even though everyone now knows about it. Because of the obligation to secrecy that comes with having received classified information through the proper channels, they are essentially the only people in the world that are required by law not to acknowledge the existence of the program.
That said, the canned "direct access" line - the exact terminology curiously arrived at by no less than 5 separate corporate PR departments within hours of each other - is a poor facade. They should have considered how using identical terminology would make these denials so transparent.
I interpreted the repeated use of "direct access" as a response to the media reports yesterday that used that same phrase. My memory could be mistaken but I seem to recall hearing reporters use that phrase over and over. So it would stand to reason that Google and other companies would use the same phrase in their press releases. That would be a simple explanation of the consistent language. That said, I wish Congress would appoint a special prosecutor so that we can get to the bottom of all this.
> It just smells of being rehearsed, and carefully coordinated to select such language.
Next time, hopefully they'll make it less clear so that you have to translate the company-specific jargon and feel better that it's spontaneous and careless. </sarcasm>
Are you alleging they are trying to avoid making untrue statements in this blog post? Then what about "Press reports that suggest that Google is providing open-ended access to our users' data are false, period."?
The first sentence of the WPo article which started this is "The NSA and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies". I think saying "we do not provide direct access" is a reasonable response.
The term direct access was first used by the Guardian in their original story: "but the Prism program allows the intelligence services direct access to the companies' servers." - most of the early denials (where the companies presumably hadn't read the article) didn't include the phrase but the later ones did.
So it's reasonable to suppose that the article was the source of that phrase.
I re-read the Larry's response carefully, and he did NOT refute the claim, that they are giving data to some 3rd party (who then forwards it to the government). He just says that government do not have direct access to it. But the issue that someone else can have the access is avoided, and it is exactly the same as the Zuck's response.
The key word here is "direct". Based on the other thread speculating about Palantir its pretty likely there is a 3rd party contractor who does have direct access, and provides convenient plausible deniability to both parties
For all those complaining about the language of this and other denials, what could possibly satisfy you? This seems as blanket as possible.
"Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process."
"We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale [as of the Verizon order] is completely false."
Finally, NSLs cannot compel an organization to lie like this, and doing so would be very legally dangerous for Google.
It's amazing how little critical thinking HN does when we see something that confirms our beliefs.
Huh? This is the direct result of the governments toxic conduct. They issue orders that forbid you from talking about having received any such order, they classify everything (to the point where a parallel society to the tune of 1M people exist that have access to (e.g.) cables, as became apparent during the WikiLeaks diplomatic cables row), they institute secret courts, laws with secret interpretations..
They have poisoned public discourse beyond repair, and you make it sound like a conspiracy theory.
Obama confirmed in a press conference that PRISM exists, so concluding the program is imaginary would seem to require a fair lack of critical thinking.
In order to consider the possibility that this is clever language avoiding the truth of the issue, can someone explain how a system might work where google maintains plausible deniability while allowing access to the information it collects?
I have a naive understanding of how the internet works at the physical layer, but it seems like it would be trivial to create a system that allows for this statement to be true and for the data to actually be captured.
For an oversimplified, spherical-cow-in-a-vacuum example: if the user is the source in a passive optical network[1] and both the nsa and google are targets, google has not provided access to their data to the nsa, the user has.
edit: And what would a statement of denial that is inclusive of all possible arrangements sound like? I think that any statement that asserts a one-to-one correspondence between you and google would be unrealistic.
Larry Page wants to live. And he wants Google to keep functioning as a company, and not e.g., to have sudden tax issues crop up with the IRS. He has plenty of incentive to tell an out-and-out lie in this case.
When I worked IT for a medium sized university we were asked by the DOJ to install switches that copied all internet traffic directly to an unspecified government server. We were told all ISPs (anyone providing internet to more than 100 persons) were told to do this as well.
We refused to comply obviously as the request was absurd, but in the small print of the request we were told we were not allowed to speak of the request and were to deny any involvement if asked under some unknown penalty.
I wouldn't be surprised if special terms of Google's interaction with any government agencies has a similar clause.
I don't want any more fluff "no direct access" emails. I just want these questions to be answered with a YES/NO:
1. Is there any way that someone outside of Google, can get a copy of an email I sent from my gmail to my own gmail, without a warrant that specifies my exact gmail address?
2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?
3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?
If the answer to any of this is YES, I am going to have to rethink my entire online life.
You're asking very broad questions with only negative (ie: unprovable) answers. I don't think any company could ever say there is "no" way anybody can every get your search history after you delete it.They don't immediately run out and shred all the hard drives storing your data every time you delete something. Data would always be recoverable with some extreme amount of effort.
2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?
I would think google has historical backups they could refer to to pull out data that you've recently deleted.
3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?
Why not? You should already assume that google and pretty much any site logs your IP whether you are using incognito or not. You should also assume that any time you log in to gmail your IP is noted. It's extremely basic to do a db search for all gmail accounts that have been accessed by a given IP.
Personally, I'm really glad that Google published such a clear, plain-spoken post to tackle this issue head on.
This whole issue makes me want to donate a bunch of money to the EFF. If anyone else feels the same way, you can donate to the EFF here: https://supporters.eff.org/donate and I believe a lot of employers will match contributions.
I'm sorry, but google's response was demagogical at best (what does 'direct access' even means!??!). In many countries the judiciary would already be in the case and the head of those companies (which didn't provide 'direct access' but there is obviously something happening) would have a lot of explanation to do.
General Clapper point-blank lied - or provided a legally-truthful answer so contorted it may as well have been a lie - to Representative Wyden when questioned about NSA phone-data collection just a few months ago. You can't take any statement by any authority figure on these types of programs at face value.
Obviously this opens the door to all kinds of unfalsifiable, paranoid conspiracy madness, but that is a direct consequence of the government's unrelenting commitment to maximum secrecy.
What a lot of people haven't considered is that it's likely that the NSA had a big breakthrough on Integer Factorization and their capable of breaking RSA public key crypto (used everywhere you see HTTPS)
Then they can just save all your encrypted traffic and break it on demand.
We all need to start considering moving to Elliptic Curve Cryptography.
I am going to guess that PRISM is a system which receives and parses the data files from those companies that are produced as a result of warrants/subpoenas/national security letters. So the excerpt from the NSA document that the Washington Post gave—"Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple" — may refer only to some kind of secure file transfer (private circuit with NSA hardware encryption, maybe).
It's just a guess, but it could fit with the relatively low cost figure given ($20 Million).
Aren't these the same words we've been hearing from the others, ones that ignore the concept of a front door, push mechanism to satisfy government demands that cannot be revealed without committing a felony?*
I'd be a bit happier if we were to hear from Soviet refugee Sergey Brin....
* That's one of the terrible things about doing everything in secret; we know that if Google is subject to a broad demand from a National Security Letter they can't tell us that without suffering terrible penalties. The government has set up a situation where we literally are not able to trust the words of Google et. al.---at least prior to a major figure deciding to pay that penalty for the greater good. Which history tells us requires a rare courage.
There's a new kind of Birther or Truther, let's call them PRISMers. No amount of denials or evidence to the contrary, no matter how they are worded or exposed, will satisfy PRISMers that Google is not uploading all user activity to the NSA. It's just impossible to repair the harm that's been done to the brand by the government.
For some people, I doubt trust can ever be regained. Companies affected by this PRISM program should sue the US Government for damages, or at least sue them until it is completely declassified.
Disclaimer: I don't know the truth about anything that's going on.
First, I'm not a US citizen. So, it seems I just have to assume that NSA is certainly tracking me.
Now to the topic of spying on US citizens, considering how no one seems to have ever heard about PRISM, the breaking of this story based on flimsy evidence seems to me like an attempt to side track from the real and confirmed story of NSA accessing Call Data Records from Verizon of millions of citizens (The industry calls it CDRs, why have we started calling it "Metadata" since yesterday).
I wouldn't be surprised (though I have no evidence at all) that the PRISM story was planted to change the public discourse.
> Second, we provide user data to governments only in accordance with the law.
Which is what is in question, no? If being in accordance with the law means keeping secret the requests you do serve, even if broad, means you're still handing out the information. You just don't have to put it in your, "transparency report."
Can't really say any of this is even remotely surprising given what we, in the industry of software development, know about what kind of information can be gathered and how vast volumes of it can be processed and analyzed.
In his remarks today Obama said "Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States."
He's clearly stating that they do read non-American's emails. So how do they do it if they don't have access to Google's servers?
BTW, if you run a company outside of America you'd be crazy to rely on Google since the US could be reading your emails for corporate espionage purposes. I think in the long run these revelations are very threatening to Silicon Valley.
This was a TOP SECRET document that leaked out. Page may be well in position not only to deny any knowledge of PRISM, but even further publicly deny Google worked or works with PRISM/NSA.
The way the government bends the law for some years now just to punish everyone they feel like, either through imprisonment, scrutiny or simply by wasting years of their lives, savings of their lives and leaving them with a huge lawyer's bill, I wouldn't be surprised if Page had no choice than to lie on the record. And guess what; if, arguendo, he did, he will be pardoned later on. What would you choose? Admit to a secret program ran by secret agency and face brutal consequences (fines, imprisonment, charge with espionage or maybe capital punishment? (why not? why wouldn't government go after Page "proving" that by admitting US sees everything everyone types to Google, it tipped over some terrorist somewhere that stopped using Google and because of that government lost a track of him until he blew himself up in the middle of crowded street. You get the drift)), or perhaps come up as a good patriot and tell the truth. We already have one that told the truth. He spent 3 years in solitary confinement and may be facing life sentence or capital punishment.
People need to understand. This is too big of a secret even for someone like Page to come up and admit.
Okay, HN, how can Google provide a compelling denial that they're not participating in PRISM as described in the leak?
If we're to be a country where innocence is presumed and guilt is proven, we must consider what Larry Page would write in the case that Google is not supplying any sort of un-warranted feed to NSA. Would it be any different?
If this entire PRISM thing is fabrication, then it is the best thing to have happened to personal liberties and Internet privacy since encryption. Until the recent shooting in CA, all the major networks were going on and on about PRISM. No amount of money could have bought the kind of attention PRISM is getting.
Why is everyone so suspicious of Google to begin with? Is there a shred of evidence to lend any credibility to the accusations thus far? Given how Google's technology works, I imagine it would be quite an expense to provide the kind of access the govt. would want and Google hasn't been exactly overly enthused with having to comply with BS government requests(e.g. see how they deal with requests to scrub search results).
Regardless of the wording, no statement from Google (or Facebook, Apple, etc) is really going to be believed. A denial from innocence is indistinguishable from a denial which is legally compelled by the language of an order form the government.
But to be honest, I don't bear any ill will toward Google on this. Based on their behavior in the past, I'm willing to believe that if this program existed, they pushed back to the extent they felt they could... but if they eventually complied, it's difficult to blame them, given the threats the government is capable of making.
Unfortunately, the only place to resolve this is at the government level, if it can be resolved at all.
One thing I'd think about: If Google is lying or misrepresenting the truth here, then it would be phenomenally foolish to put out a denial under Larry's name as it just did.
Specifically, the personal integrity of the founders -- especially vis-a-vis these kinds of issues -- is one of the bedrocks of Google's culture. If a statement like this was proven out to be a deliberate misrepresentation (even if not an outright lie) it would cause IMO severe harm to Google morale.
[+] [-] chrisacky|12 years ago|reply
- We do not provide direct access to our servers.
- We do not provide direct access nor is there a backdoor.
- O, but we do still pipe all of your data to external NSA servers. </sarc>
Every company named (I'm not just picking on Google here) has come out with the same overarching statement. "We do not provide direct access". It just smells of being rehearsed, and carefully coordinated to select such language.
[+] [-] Dove|12 years ago|reply
[+] [-] DannyBee|12 years ago|reply
They say "we do not provide direct access", because as explained, any access goes through proper legal channels.
I'm not sure what you'd call it?
Remember language matters, and these are actionable public communications.
[+] [-] danso|12 years ago|reply
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday...Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records.
[+] [-] unreal37|12 years ago|reply
But I also believe the government works with ISP's (all major ISPs) so that they can intercept traffic. Which would be a type of MITM attack allowing them to get data from all major web sites.
[+] [-] tomkarlo|12 years ago|reply
[+] [-] downandout|12 years ago|reply
That said, the canned "direct access" line - the exact terminology curiously arrived at by no less than 5 separate corporate PR departments within hours of each other - is a poor facade. They should have considered how using identical terminology would make these denials so transparent.
[+] [-] packetslave|12 years ago|reply
[+] [-] danielhughes|12 years ago|reply
[+] [-] ceejayoz|12 years ago|reply
[+] [-] saraid216|12 years ago|reply
Next time, hopefully they'll make it less clear so that you have to translate the company-specific jargon and feel better that it's spontaneous and careless. </sarcasm>
[+] [-] jessaustin|12 years ago|reply
https://financialcryptography.com/mt/archives/001431.html
[+] [-] jlmorton|12 years ago|reply
[+] [-] andreyf|12 years ago|reply
The first sentence of the WPo article which started this is "The NSA and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies". I think saying "we do not provide direct access" is a reasonable response.
[+] [-] ig1|12 years ago|reply
So it's reasonable to suppose that the article was the source of that phrase.
[+] [-] dragonwriter|12 years ago|reply
From the rest of your comment, I think that you understand it quite well.
[+] [-] greyman|12 years ago|reply
I re-read the Larry's response carefully, and he did NOT refute the claim, that they are giving data to some 3rd party (who then forwards it to the government). He just says that government do not have direct access to it. But the issue that someone else can have the access is avoided, and it is exactly the same as the Zuck's response.
[+] [-] rwhitman|12 years ago|reply
[+] [-] necubi|12 years ago|reply
"Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process."
"We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale [as of the Verizon order] is completely false."
Finally, NSLs cannot compel an organization to lie like this, and doing so would be very legally dangerous for Google.
It's amazing how little critical thinking HN does when we see something that confirms our beliefs.
[+] [-] revelation|12 years ago|reply
They have poisoned public discourse beyond repair, and you make it sound like a conspiracy theory.
[+] [-] themgt|12 years ago|reply
[+] [-] akjetma|12 years ago|reply
I have a naive understanding of how the internet works at the physical layer, but it seems like it would be trivial to create a system that allows for this statement to be true and for the data to actually be captured.
For an oversimplified, spherical-cow-in-a-vacuum example: if the user is the source in a passive optical network[1] and both the nsa and google are targets, google has not provided access to their data to the nsa, the user has.
[1]http://en.wikipedia.org/wiki/Passive_optical_network
edit: And what would a statement of denial that is inclusive of all possible arrangements sound like? I think that any statement that asserts a one-to-one correspondence between you and google would be unrealistic.
[+] [-] bitwize|12 years ago|reply
[+] [-] d23|12 years ago|reply
[+] [-] tsunamifury|12 years ago|reply
We refused to comply obviously as the request was absurd, but in the small print of the request we were told we were not allowed to speak of the request and were to deny any involvement if asked under some unknown penalty.
I wouldn't be surprised if special terms of Google's interaction with any government agencies has a similar clause.
[+] [-] chime|12 years ago|reply
1. Is there any way that someone outside of Google, can get a copy of an email I sent from my gmail to my own gmail, without a warrant that specifies my exact gmail address?
2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?
3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?
If the answer to any of this is YES, I am going to have to rethink my entire online life.
[+] [-] zmmmmm|12 years ago|reply
[+] [-] badclient|12 years ago|reply
2. If I delete my Google search history, is there any way for anyone to access this history, with or without a warrant?
I would think google has historical backups they could refer to to pull out data that you've recently deleted.
3. If I make a Google search from an incognito window, is there any way for Google to connect it to my Google account via my IP address? I know I've done this in the past to prevent spambots from creating fake accounts. Can Google connect these dots if someone sends them an NSL?
Why not? You should already assume that google and pretty much any site logs your IP whether you are using incognito or not. You should also assume that any time you log in to gmail your IP is noted. It's extremely basic to do a db search for all gmail accounts that have been accessed by a given IP.
[+] [-] yuvadam|12 years ago|reply
[+] [-] muyuu|12 years ago|reply
Anything else involves trust.
[+] [-] Matt_Cutts|12 years ago|reply
This whole issue makes me want to donate a bunch of money to the EFF. If anyone else feels the same way, you can donate to the EFF here: https://supporters.eff.org/donate and I believe a lot of employers will match contributions.
[+] [-] chime|12 years ago|reply
Let me ask you this - do you feel 100% comfortable that nobody outside of Google can read your personal gmail?
[+] [-] eduardordm|12 years ago|reply
[+] [-] cloudwizard|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] rollo_tommasi|12 years ago|reply
Obviously this opens the door to all kinds of unfalsifiable, paranoid conspiracy madness, but that is a direct consequence of the government's unrelenting commitment to maximum secrecy.
[+] [-] danielpal|12 years ago|reply
Then they can just save all your encrypted traffic and break it on demand.
We all need to start considering moving to Elliptic Curve Cryptography.
[+] [-] kahirsch|12 years ago|reply
It's just a guess, but it could fit with the relatively low cost figure given ($20 Million).
[+] [-] hga|12 years ago|reply
I'd be a bit happier if we were to hear from Soviet refugee Sergey Brin....
* That's one of the terrible things about doing everything in secret; we know that if Google is subject to a broad demand from a National Security Letter they can't tell us that without suffering terrible penalties. The government has set up a situation where we literally are not able to trust the words of Google et. al.---at least prior to a major figure deciding to pay that penalty for the greater good. Which history tells us requires a rare courage.
[+] [-] cromwellian|12 years ago|reply
For some people, I doubt trust can ever be regained. Companies affected by this PRISM program should sue the US Government for damages, or at least sue them until it is completely declassified.
[+] [-] aniket_ray|12 years ago|reply
First, I'm not a US citizen. So, it seems I just have to assume that NSA is certainly tracking me.
Now to the topic of spying on US citizens, considering how no one seems to have ever heard about PRISM, the breaking of this story based on flimsy evidence seems to me like an attempt to side track from the real and confirmed story of NSA accessing Call Data Records from Verizon of millions of citizens (The industry calls it CDRs, why have we started calling it "Metadata" since yesterday).
I wouldn't be surprised (though I have no evidence at all) that the PRISM story was planted to change the public discourse.
[+] [-] agentultra|12 years ago|reply
Which is what is in question, no? If being in accordance with the law means keeping secret the requests you do serve, even if broad, means you're still handing out the information. You just don't have to put it in your, "transparency report."
Can't really say any of this is even remotely surprising given what we, in the industry of software development, know about what kind of information can be gathered and how vast volumes of it can be processed and analyzed.
[+] [-] guelo|12 years ago|reply
He's clearly stating that they do read non-American's emails. So how do they do it if they don't have access to Google's servers?
BTW, if you run a company outside of America you'd be crazy to rely on Google since the US could be reading your emails for corporate espionage purposes. I think in the long run these revelations are very threatening to Silicon Valley.
[+] [-] joering2|12 years ago|reply
The way the government bends the law for some years now just to punish everyone they feel like, either through imprisonment, scrutiny or simply by wasting years of their lives, savings of their lives and leaving them with a huge lawyer's bill, I wouldn't be surprised if Page had no choice than to lie on the record. And guess what; if, arguendo, he did, he will be pardoned later on. What would you choose? Admit to a secret program ran by secret agency and face brutal consequences (fines, imprisonment, charge with espionage or maybe capital punishment? (why not? why wouldn't government go after Page "proving" that by admitting US sees everything everyone types to Google, it tipped over some terrorist somewhere that stopped using Google and because of that government lost a track of him until he blew himself up in the middle of crowded street. You get the drift)), or perhaps come up as a good patriot and tell the truth. We already have one that told the truth. He spent 3 years in solitary confinement and may be facing life sentence or capital punishment.
People need to understand. This is too big of a secret even for someone like Page to come up and admit.
[+] [-] ISL|12 years ago|reply
If we're to be a country where innocence is presumed and guilt is proven, we must consider what Larry Page would write in the case that Google is not supplying any sort of un-warranted feed to NSA. Would it be any different?
[+] [-] chime|12 years ago|reply
[+] [-] dannyr|12 years ago|reply
There's nothing Google, Apple, Facebook, etc can say that some people won't poke holes into.
[+] [-] deelowe|12 years ago|reply
[+] [-] ajdecon|12 years ago|reply
But to be honest, I don't bear any ill will toward Google on this. Based on their behavior in the past, I'm willing to believe that if this program existed, they pushed back to the extent they felt they could... but if they eventually complied, it's difficult to blame them, given the threats the government is capable of making.
Unfortunately, the only place to resolve this is at the government level, if it can be resolved at all.
[+] [-] hammerzeit|12 years ago|reply
Specifically, the personal integrity of the founders -- especially vis-a-vis these kinds of issues -- is one of the bedrocks of Google's culture. If a statement like this was proven out to be a deliberate misrepresentation (even if not an outright lie) it would cause IMO severe harm to Google morale.