Basically All Big Tech Companies Deny Scanning Communications For NSA Like Yahoo Is Doing
from the getting-more-interesting dept
So, the big story yesterday was clearly the report that Yahoo had secretly agreed to scan all email accounts for a certain character string as sent to them by the NSA (or possibly the FBI). There has been lots of parsing of the Reuters report (and every little word can make a difference), but there are still lots of really big questions about what is actually going on. One big one, of course, is whether or not other tech companies received and/or complied with similar demands. So it seems worth noting that they've basically all issued pretty direct and strenuous denials of doing anything like what Yahoo has been accused of doing.
Twitter initially gave a "federal law prohibits us from answering your question" answer -- and a reference to Twitter's well-documented lawsuit against the US government over its desire to reveal more details about government requests for info. However, it later clarified that it too was not doing what Yahoo was doing and had never received such a request. Microsoft's response was interesting in that it says it's not doing what Yahoo is, but refused to say if it had ever received a demand to do so. Google said it had never received such a request and would refuse to comply if it had. Facebook has also denied receiving such a request, and, like Google, says it would fight against complying.
This still leaves lots of unanswered questions about why Yahoo gave in. Again, historically, Yahoo had been known to fight against these kinds of requests, which makes you wonder what exactly was going on here.
Former GCHQ infosecurity guy Matt Tait has one of the more interesting threads about this news, arguing (in some ways) that it's both less and more than everyone is making it out to be. His basic argument is that this is an expansion of the PRISM program to include "about" targets. This has been discussed in the past, but under PRISM, the NSA could give tech companies "selectors" in the form of specific addresses and the companies were compelled to hand over emails "to" or "from" them -- but according to the PCLOB's report on the Section 702 program, it did not include anyone emailing "about" the selector. Upstream collections (i.e., tapping the backbones from folks like AT&T) did include "about" selectors (and this information also flowed into other areas, enabling so-called backdoor searches). And, as I speculated yesterday, Tait says that this latest news appears to be Yahoo now agreeing to use "about" selectors on its emails, which means that it's still part of PRISM, with a massive expansion.
Tait then notes that if James Clapper wants to clear this up, he should state publicly whether or not "about" collection is a part of PRISM. And if that's the case, he should also explain when and why PRISM was expanded to include this. But, of course, Clapper and the Intelligence Community tend not to want to explain very much of anything, leaving lots of people in the dark.
And, frankly, that's stupid. The Intelligence Community thinks that this keeps "bad guys" on edge, not knowing what's safe and what's not. But that's dumb. They mostly know to use more encrypted/secret means of communication when they need to. Instead, what you end up with is keeping the public on edge and not trusting services. I can almost guarantee that one of the early comments on this post will be some of you insisting that all the companies denying doing this are flat out lying. I don't agree with that, because the companies don't have a history of outright lying on things like this, but the way the NSA and other parts of the US government have repeatedly tried to pressure them and gag them, it's much tougher to take anything at face value any more. And that's not good for anyone.
Filed Under: about collection, about selectors, mass surveillance, nsa, prism, section 702, upstream
Companies: facebook, google, microsoft, twitter, yahoo
Reader Comments
My guess is $$$$.
They were unwilling to pay for even basic security upgrades & had another department create the software and deploy it without letting the security team know.
But hey, the upside is pretty much everyone (except Congressmen) will migrate off of yahoo to something more secure... like Aol.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
when wording matters
Absolutely, they're doing it differently.
[ link to this | view in chronology ]
Prove it
How exactly would you know if a company is lying about this or not? Have you seen their code?
Look, if Obama asks Zuckerberg to scan Facebook communications, he is going to do it with glee.
[ link to this | view in chronology ]
Re: Prove it
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
[ link to this | view in chronology ]
Re: Re: Prove it
So that's Microsoft and Yahoo! so far, it really only leaves Google with the much bigger cache of communications - obviously the U.S. government wasn't going to leave that honeypot just sitting there. What secret orders has Google had to follow so far?
[ link to this | view in chronology ]
Re: Re: Re: Prove it
Google *already* scans all gmail, so all Google has to provide is a search interface.
So Google can deny with a straight face, while Eric Schmidt becomes the next Secretary of Defense (i.e., de facto head of the NSA).
[ link to this | view in chronology ]
Re: Re: Re: Prove it
[ link to this | view in chronology ]
Re: Re: Re: Re: Prove it
Surely one of the doctors in the Tuskegee experiment would have blown the whistle over the 40 years it took place right?
MKUltra - Again not a peep
https://www.youtube.com/watch?v=KRTOB8JPwa8
Surely there was an honest journalist that got approached to participate in Operation Mockingbird that would have said something.
Sorry but I cannot buy into that line of thought. There are too many historical examples of atrocities that have taken place where nobody said a thing.
[ link to this | view in chronology ]
Back in the early 2000s, there was a staggering report released which showed the NSA and FBI had access to the internet in ways people couldn't imagine. This was the "first" the public heard about the snooping.
And just like this article does with the statement above, people instantly ignored it because they didn't believe it.
Fast forward nearly two fucking decades when a person walks out with powerpoint presentations that the world finally believed.
Here's the thing: Has anyone ever questioned how the original report in 2000 came to be?
At the time, the world's operating system was Windows.
Perhaps ask Microsoft how the information from the NSA was leaked.
As I said many times, what's the point in trying to address these issues when the very first thing people do is say "No way. A company wouldn't do that."
It was even said when Snowden leaked the documents.
Denial is not a river in Egypt.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Violynne comment re Report on NSA/FBI in 2000s
[ link to this | view in chronology ]
James Clapper statement??
[ link to this | view in chronology ]
Re: James Clapper statement??
That seems to happen a lot under the current administration. I have a feeling it will continue to happen if Hillary gets into office.
[ link to this | view in chronology ]
Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: James Clapper statement??
Hillary is just a big fat criminal liar. Trump is clearly no politician and says whatever is on the top of his head. There hasn't been a good Republican option in YEARS. It's been RINO's and the country has been going more and more left.
[ link to this | view in chronology ]
Re: Re: Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: James Clapper statement??
Oh, dear.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: James Clapper statement??
There is no Left. There is Right or less right.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: James Clapper statement??
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: James Clapper statement??
If by "taking over healthcare" you mean "passed a requirement that every person in the country become a consumer of private health insurance or pay a fine, as originally proposed by the Heritage Foundation and previously supported by Republican Party leaders including Newt Gingrich, Bob Dole, and Mitt Romney," then yes, the Democrats definitely did that.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: James Clapper statement??
https://medium.com/@wendycockcroft/authoritarianism-is-everybodys-problem-3d9c12d29694#.lq9v31sq0
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: James Clapper statement??
I think my analysis of the ACA is on point: it was a Republican idea until the Democrats started supporting it, at which point Republicans immediately declared it to be socialism and refused to support it. It's not about the content of the law (which, for the record, I believe is deeply flawed but superior to the system we had before), it's about a two-party system defining itself in terms of "we stand for what they don't stand for."
It was a compromise bill. It should have meant compromise. But the only side that was compromising was the Democratic side. That's not how compromise works.
But we're pretty far off-topic at this point. Unfortunately, both major parties largely favor the type of surveillance the article is talking about.
[ link to this | view in chronology ]
Uh huh .. sure.
[ link to this | view in chronology ]
I said it yesterday and people much smarter than me have been pointing this out since Snowden. The best comment yesterday was something like: assume everything is compromised and act accordingly. And I'm already doing it by encrypting whatever I find sensitive but can't remain in an offline storage for some reason.
Ironically this may push towards these services using open source, end-to-end encryption to have a good marketing point. So we may actually emerge in a better state after all this surveillance is scaled back (hoping it will).
[ link to this | view in chronology ]
Re:
TD is getting more frequent with its posting filters pre-blocking things. Not sure about objectivity around here anymore these days!
[ link to this | view in chronology ]
Take Yahoo... Oh, wait!
[ link to this | view in chronology ]
With RAID drives located in multiple jurisdictions, subpoenaing one country would only recover info of a single RAID drive, useless gibberish.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
"With RAID drives located in multiple jurisdictions, subpoenaing one country would only recover info of a single RAID drive, useless gibberish."
Good, but not good enough, due to "3rd party doctrine".
You now have to "stripe" across multiple vendors -- e.g. Box, Dropbox, etc.
Also, erasure coding might be more appropriate.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
They are just not doing it for the government....
They wouldn't have had to as they already have one. What do you think scans all of your GMail as part of their advertising operations?
Now I'm not saying that Google has been re-purposing their existing software to serve the NSA or other LEO's, but it wouldn't be the first time government actors piggybacked on existing advertising infrastructure. Some of the documents released by Snowden outlined the NSA doing just that.
Perhaps Yahoo just found a way to get the government to pay for building the software to let them do with their email what Google's been doing with GMail all along.
[ link to this | view in chronology ]
Re: They are just not doing it for the government....
[ link to this | view in chronology ]
Typo?
[ link to this | view in chronology ]
Re: We aren't doing what they're doing.
Which means it is almost certainly true. Their surveillance infrastructure is probably quite a bit more sophisticated than Yahoo's was.
[ link to this | view in chronology ]
Mike Masnick
In my opinion, given the things I have already seen... there is just no way to square away the following comment with sanity!
I can almost guarantee that one of the early comments on this post will be some of you insisting that all the companies denying doing this are flat out lying. I don't agree with that, because the companies don't have a history of outright lying on things like this, but the way the NSA and other parts of the US government have repeatedly tried to pressure them and gag them, it's much tougher to take anything at face value any more. And that's not good for anyone.
Not ONLY do these companies have a history of just outright lying, they have a history of outright lying ON THESE THINGS!
[ link to this | view in chronology ]
They just said they're not doing it like Yahoo is doing it.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Speaking untruthfully without lying
[ link to this | view in chronology ]
It's why I implemented my own email servers.
If this revelation bothers you give it a try. Don't get bogged down in the imaginary barriers professed by others.
Most guides cover spam, security, malware scanning, etc., so you aren't left hanging out there wondering.
The guide: https://www.exratione.com/2016/05/a-mailserver-on-ubuntu-16-04-postfix-dovecot-mysql/
[ link to this | view in chronology ]
Re: It's why I implemented my own email servers.
[ link to this | view in chronology ]
Re: Re: It's why I implemented my own email servers.
[ link to this | view in chronology ]
Re: Re: Re: It's why I implemented my own email servers.
It's true that "if he configured it with proper encryption the ISP isn't a concern" -- but in this instance "proper encryption" means a client-side solution like PGP. In which case it's irrelevant whether he's using his own server, his ISP's, Yahoo's, or anybody else's.
[ link to this | view in chronology ]
Re: Re: Re: Re: It's why I implemented my own email servers.
That said, I don't think the comment I was replying to was taking this nuance into account.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: It's why I implemented my own email servers.
https://www.techdirt.com/articles/20160826/11202735356/if-youre-learning-about-it-slate-running-your-own-email-server-is-horrendously-bad-idea.shtml
[ link to this | view in chronology ]
Yeah, of course... and they're lying through their teeth.
Of course they do, Mike, and they're absolutely lying through their teeth when they do so. They've lied about it in the past, and they're lying about it now (especially Google)... So the question is not "why did yahoo give in", it's "why did they all give in and lie through their teeth later (including Google)". And secondly, "why do fan-boys of said companies go out of their way to believe the false denials (including those of Google)?"
[ link to this | view in chronology ]
Re: Yeah, of course... and they're lying through their teeth.
And as Christopher Soghoian of the ACLU said in response to that, either the companies are lying through their teeth OR the government has cracked into their server farms. That is if you believe the PRISM leak, like the author of this article does.
[ link to this | view in chronology ]
Re: Re: Yeah, of course... and they're lying through their teeth.
No. This is wrong. They denied what the initial Guardian & WaPo reports said -- that PRISM gave the NSA unfettered access to their backend systems. That turned out to be WRONG. The tech companies were correct and the original reporting was incorrect.
[ link to this | view in chronology ]
Re: Re: Re: Yeah, of course... and they're lying through their teeth.
As evidenced by what, exactly? Their say so isn't exactly evidence to the contrary.
[ link to this | view in chronology ]
Re: Re: Re: Re: Yeah, of course... and they're lying through their teeth.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Yeah, of course... and they're lying through their teeth.
All I really know about the Snowden leaks is that they are far too possible.
That said today we sometimes have to trust a company's assertions, but it's my goal in life to get away from that. Plus I've found prettier software this way, and the only inconvenience I'm facing is telling people I'm not on Facebook.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Yeah, of course... and they're lying through their teeth.
But as Ken Thompson demonstrated, such verification is never truly possible; unless you not only audit the source of every program you use but actually write the bootstrap compiler yourself, at some level in the stack you have to trust somebody else when they assure you that there's no malware being injected into the program at compile time.
(For this we have the wisdom of crowds; if GCC, LLVM, et al were injecting malware at compile time, somebody would have noticed by now.)
Paranoia is a good default mode to be in. You should naturally assume that every website you go to is logging everything you do, and every E-Mail you send is accessible to malicious actors including governments. It's good to push back on this stuff, and to take precautions where appropriate (VPN's if you want to conceal the source of traffic, PGP if you want to send E-Mail that can't be observed by a third party, etc.). But somewhere in the chain you have to trust somebody other than yourself.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Yeah, of course... and they're lying through their teeth.
[ link to this | view in chronology ]
Did that hurt when you pulled that one out of your ass? THEY HAVE A LONG LEGENDARY HISTORY OF LYING ABOUT THINGS LIKE THIS!
[ link to this | view in chronology ]
blow back
Yahoo's poor finances might have motivated them to acquiesce. Facebook and Google don't have such burdens.
[ link to this | view in chronology ]
No Such Animal
.
Please!... no emails!
[ link to this | view in chronology ]