Have you heard the news? Europe is up in arms about reports that the U.S. has been spying on EU countries! It's incredible! It's an outrage! It's ... March 17, 2000? Damn, did the Flux Capacitor go out of alignment again? Hmm. Thirteen years ago ... In fact, this super sensitive Top Secret document -- "The Wall Street Journal" for that date, published a little piece by a former CIA director, entitled Why We Spy on Our Allies. Golly, that's confusing, isn't it? I mean, to hear the politicians talking now, all this spying on communications and such is a new phenomenon that comes as a shock to everyone -- especially the politicians (vote for me!) themselves. It may in many ways be outrageous, but it is anything but new and anything but a shock -- to anyone who has been paying attention. When you really think about it, even NSA apparently didn't really consider this stuff to be as important to keep secret as the politicos are making out today. Otherwise, how would it have been possible for a relatively low level contract worker -- on the job for just a few months -- to dump so much data so easily into a thumb drive or two? Either you have to assume that NSA is utterly incompetent -- and that's not a good bet, they've got some very smart folks there -- or else you're faced with the facts of the matter -- it's all a big game of Spy vs. Spy, and pretty much everyone knows it (even though speaking this truth in public is an ultimate spook and political sin). You remember the Spy vs. Spy comic strips? The brilliant Antonio Prohías created them for "Mad" magazine in 1961. In the ensuing decades, the two spies, identical in appearance other than one being dressed in white and one in black, tried to gain the upper hand over the other (sometimes even as ostensible colleagues) with every possible bit of subterfuge and tradecraft at their disposal. They were sometimes cunning, sometimes inept. We never knew what countries they represented, and it didn't matter -- the whole point was that they were fundamentally indistinguishable from each other in terms of modus operandi. While their antics were humorous, some stories from the real world of spying are even more amusing. For example, back in 2002, a German intelligence operation, apparently tapping the phone lines of some 20K Germans, accidentally triggered the sending of telephone company bills for the tapping circuits to the targets of those taps! Oops! Paging Agent Howard, Agent Fine, Agent Howard -- nyuk, nyuk, nyuk! Of course, intelligence ops aren't supposed to be funny, and can carry enormous costs, potentially in terms of dollars, euros, and lives. But the point is -- and yes it's painful but the truth often is painful -- everybody with the resources to spy ... is spying. The U.S., Germany, UK, Australia, Israel, Saudi Arabia, France, and on and on. Likely even -- as speculated in 1968's "The President's Analyst" -- Canada. ("Canadian spies?" Oh my.) They spy internally and they spy externally. They trade data like kids used to trade baseball cards. They spy on their enemies and their allies, for one never knows when your current ally may become an enemy in a given situation, or an old foe a useful source of info someday, in the best tradition of "the enemy of my enemy is my friend." This is a truth that reaches back to the very dawn of civilization, merely updated for each new technology as developed and deployed in the continuing triumph of human ingenuity. The ancients, given a chance to observe today's intelligence and spying brouhaha, would likely assert that the gods are laughing at us, finding hilarious our public attempts at indignation not only over what is being done, but our laughable efforts to pretend that we didn't know about it all along. With Snowden's leaks we have more details now, some that make sense, others that -- given the limited context available -- have been wildly blown out of proportion by media and used to damage the reputations of innocent parties. But while U.S. politicians who approved NSA's ops via PATRIOT, and their counterparts in other countries who have supported their own nations' intelligence endeavors, will hem and haw and pontificate and lecture, mugging for the cameras and the voters -- they all know what's really going on and has always been going on. And so, frankly, do we. --Lauren-- |
Yesterday, in New Info About Google's Blogger "Adult Sites" Deletion Notification, I attempted to provide some clarity to concerns about Google's sudden announcement that adult-content Blogger sites containing ads or other monetization links to commercial porn sites were subject to shutdown starting only a few days later, and I mentioned that apparently all (not just adult-oriented) Blogger sites could be affected. I noted at the time (based on what I've been told by Google) that the short notice will likely (somehow) be taken into consideration, but there is no formal grace period, and no promises about what will actually happen after the deadline hits this Monday. Nor is there any explanation for why this incredibly short notice is in effect, given the logistical issues involved for users forced to alter their sites in such a rush. It's the point about all Blogger sites being affected -- not just the adult sites -- that appears to have triggered more panic among some Blogger users, judging from my inbox this morning. So below are a few suggestions and a request. I don't really think the panic is necessarily justified, but frankly there are more questions than answers about this situation overall. In a nutshell, Blogger users are asking me if their non-adult sites are vulnerable to shutdown under this new rule if any of their ads and/or affiliate links (perhaps served by ad networks that they don't directly control) happen to ever display porn-related monetization materials? And does this apply only to current content, or also to their older pages and accessible archive materials, which in some cases reach back for many years. Users are asking me how they're expected to "cleanse" all of those pages and links in a practical manner, especially over the course of just a few days. And they're very concerned that their blogging work of long duration may be suddenly wiped out by this new Google initiative, with limited avenues for appeal. These are all good questions. I wish I had good answers. But as I mentioned yesterday, Google is being uncharacteristically opaque about what is driving this sudden change and how it will be implemented. When real data is lacking, one is forced to rely more on speculation, and that's the realm we move into right now. My assumption is that since the initial notice about the Blogger content policy change was sent to adult content Blogger sites, not all Blogger sites, we can probably assume that the self-identified adult Blogger sites will be the focus of Google's initial enforcement efforts. So if you run a non-adult Blogger site, I'd recommend that you start cleansing your ads and affiliate links as soon as possible, but don't go crazy trying to get it done at warp speed. If you run an adult content Blogger site, I suspect you're much more likely to be in the bullseye rapidly, so I'd suggest you start cleaning up your ads and links (or get to your webmaster in a hurry if you don't maintain the site yourself) and meet the new guidelines as quickly as practicable. I'm also assuming, based on the rather cloudy info I have from Google about this, that nothing is likely (emphasis on the word "likely" since we don't really know) to happen immediately on Monday or the next few days at least. Again, this must be considered speculation only. Complicating the situation (beyond those questions related to the effective timing of enforcement) are unanswered questions like whether major or minor "offenders" will be the focus of initial enforcement efforts, whether any site-specific warning notices will be sent out by Google prior to actual specific shutdowns, what appeal procedures might be in place, and whether or not Blogger data will still be available for owner download via Google Takeout after a site is terminated under this new policy (Blogger data is normally available through Takeout). I don't really have more to add right now, other than a request. If you receive a notice from Google that your Blogger site is being shutdown under this policy, and/or if it actually is shutdown -- whether it was an adult site or especially if it was not an adult site -- please let me know with as much detail as you're comfortable sharing with me, via lauren@vortex.com. I'd like to track the deployment and evolution of this policy and situation. Hopefully together we can better understand what is actually happening, and why. Thanks very much. --Lauren-- UPDATE (10:51 AM): Addendum re Google Blogger Shutdown Issues / Speculation re COPPA In reference to the Blogger shutdown warnings discussed above, it has been suggested (and it occurred to me as well) that the timing of this sudden policy change by Google somehow relates to the new COPPA (Children's Online Privacy Protection Act) regulations coming into force on 1 July (Monday). Coincidence? Maybe. COPPA's primary focus in on collection of personal information (broadly defined, even including cookies, IP addresses, and processor or device serial numbers) from "child-directed" websites (not primarily sites that are not oriented toward children). And while the new COPPA regs do expand site owner responsibility to include any associated ad network practices, there is no direct connection between all this and adult advertising/adult affiliate links per se -- that I'm aware of anyway. So without an *extremely* broad reading of the regs that seems difficult to justify, there doesn't seem to be an *obvious* nexus between the COPPA changes and Google's actions. But even if there were (or is), the COPPA changes have been coming down the pipeline for quite some time. The sudden announcement of a policy change just four days ahead under such circumstances would seem nonsensical, unless somebody seriously dropped the ball somewhere, or a last minute interpretation caused a panicky decision to change the formal policies at the last minute. Overall, this isn't making a lot of sense. There's likely a missing factor, and whether it's COPPA or something else just isn't clear. Unfortunately, Blogger users affected by this sudden Google policy change are in the same boat pretty much either way. --LW-- |
Greetings. I had not originally planned to author a blog posting about this issue, but since yesterday I've received so many panicked queries that it seems best to address this now, especially because it does appear to reflect more broadly on concerns regarding how effectively Google communicates with its users. Be warned though that the situation still remains significantly cloudier than I'd prefer. Yesterday, as noted in this ZDNET article, owners of Google "Blogger" sites who had self-identified as hosting "adult content," received a somewhat cryptic and in some respects confusing notice from Google, informing them that if their sites contained ads or links associated with commercial adult sites, their Blogger sites were subject to deletion starting June 30th. That's June 30th this year -- just a few days after the notice was sent! The key change from existing Blogger content policy appears to be the striking of language that prohibited "substantial" monetization, and instead making the prohibition total and (for all practical purposes) immediate. Outside of hitting like a bolt out of the blue with an extremely short fuse, the notice itself was not particularly well worded. Was it talking only about adult ads or all ads? Ads running only on "adult" Blogger sites or all Blogger sites? And was Google actually serious about starting to shut down offenders in just a few days, with the notice coming just two days before the weekend? Many site owners couldn't even reach their webmasters in time to push through changes like this on such a truncated schedule -- or even make the required alternations themselves quickly enough, especially with the weekend looming. In response to my queries, a Google spokesperson has provided me with some more information, but not as much as I would have hoped. I'm told that the prohibitions do apply to all Blogger sites, whether labeled as containing adult material or not. To the question of whether there's any "grace period" associated with these actions, I'm informed that while "the team realizes this is fairly short notice and will take that into consideration," no promises can be made about what will actually happen this Monday (when the deadline is triggered). "Fairly short notice." Indeed. Frankly, this all seems a bit mysterious, and implies to me that there may possibly be some unusual factor involved that is so drastically compressing the notification schedule and choking off the availability of a better explanation. Be that as it may -- and even given my assumption that Google has reasons for this course that aren't merely arbitrary -- this strikes me as a pretty shabby situation overall. You (like most of us!) probably never have anything to do with adult content on your Blogger sites. But even if your sites on Blogger are squeaky clean, one would hope and expect that Google would at the very least more clearly explain what has triggered this rush and unusual opacity in responses, and (at least in theory, given that a grace period isn't being officially defined) how such a course could possibly be considered practicable for users, some of whom are of very long standing. I can theorize several generic possibilities about how this situation might have (at least apparently) popped into being, but I won't speculate about them here. And I'll let you know if I learn anything more useful that I can pass along. But for now, I will simply suggest that Google's users caught in this saga really do deserve to have been treated better. Be seeing you. --Lauren-- |
Barring dramatic revelations that would be out of character with the data released by Edward Snowden so far, it now seems possible -- with a minimum of emotion and a maximum of logic -- to foretell the Snowden endgame, and the ultimate results of this entire saga. Especially as Snowden has increasingly flirted with countries whose human rights and free speech records are overall and en masse vastly inferior to that of the U.S., many of his early vocal supporters have suggested that the focus on Snowden himself is inappropriate, and that we should be concentrating much more on the value of the information he has released. I agree, especially since Snowden's fate in fact will likely fall into one of four outcomes. He'll either be returned to the U.S. now -- or not. Or he'll be returned to the U.S. later -- or not. The first two possibilities represent a quite constrained set that we'll likely understand within hours or days. The latter two reach forward potentially for many years, and will vary with changes in the geopolitical situation that are impossible to predict today. All of this will be of most importance to Snowden himself -- the rest of us are bystanders in comparison, even given the fact that Snowden's chosen methodology to release this data -- complete with dramatic personal interviews -- guaranteed that he'd be the center of attention. So Snowden won't be mentioned again in this posting. In terms of information released and both domestic and international effects, the analysis is remarkably straightforward -- again, based on what we know to date. Despite some Congressional dissembling for political purposes now, it seems likely that everything revealed will be found to be legal under U.S. law as authorized by PATRIOT and other legislation, some of which reaches back far earlier than 9/11. The newer programs were all contemplated by and authorized by Congress, in many cases enthusiastically. Other issues, such as communications cable tapping, Internet Deep Packet Inspection (DPI), and other surveillance techniques -- including militarized cyberattack functions -- have long been known as practiced by all the major powers east and west, and probably by quite a few "smaller" powers as well. "Spy vs. Spy." So from the current vantage point at least, it appears that the actual value of the information was minimal to zero in terms of actual intelligence assets or tradecraft knowledge, and that its direct national security implications are in reality very low. However, since this entire exercise has been much akin to pouring gasoline on a smoldering fire, there are and will continue to be major impacts nonetheless. Exaggerations (e.g., related to the so-called PRISM project) -- which have already become oft-repeated memes associated with this saga -- have done significant damage to Web firms who have been falsely accused of massive collusion with NSA. The accusations are ludicrous and illogical, but play into the hands of conspiracy buffs and tinfoil hat aficionados around the world. The U.S. government has so far refused to allow these firms to transparently reveal the actual ranges of national security requests made by the feds. And since it's generally considered impossible to prove a negative, this leaves the firms in much the position of the fellow faced with responding to a rigged question like, "When did you stop beating your wife?" Beyond this, most of the effects are largely political, with complex politically-driven ramifications. Domestically, new opportunities have been created for conventional political attacks, such as by strong supporters of these programs under Bush who now have the opportunity to condemn the same programs under Obama. Ironically, these are many of the same people who condemned us as "un-American" when we warned about the dangers of these programs during PATRIOT's genesis. An opportunity has also been created for today's supporters of these programs to become even more entrenched, and demand even tougher measures and security, using the current situation as the justification -- and by trotting out all sorts of purported examples of where these programs supposedly stopped "terror" attacks as variously and expansively defined. In the international arena, these events have provided a new opportunity for countries with notoriously poor human rights records -- vast censorship regimes and media controls, blasphemy prosecutions, enormous secret trial apparatuses and much more -- to condemn the U.S. and further suppress their own internal dissent. And that, my friends, is the situation in a nutshell. We may see some very minor short-term movement to at least theoretically reign in a bit of the vast surveillance overreaches here (though other countries will likely continue their own massive surveillance efforts as before). But the history of this space over the last half century and more shows such reforms to have little if any staying power, and a single new attack on American soil could be seized on as an excuse for an even deeper and more pervasive surveillance regime. If you've come to the conclusion that my overall sense of these events is that they'll end up doing more damage to freedom than good -- you'd unfortunately be correct. In the long run, I suspect they will result in more deeply buried and impenetrable surveillance empires -- both in the U.S. and around the world -- and a determined sense by their proponents that in the future, the relative transparency we had this time around would be banished forever. In the short run, we may see some small victories -- like Web firms being permitted by the government to more effectively defend themselves against false accusations, and perhaps a bit more transparency related to the court actions that enable and (at least in theory) monitor these programs. But beyond that, while hope springs eternal, logic suggests that prospects for the masters of surveillance around the world have not been significantly dimmed, and in fact may have actually obtained a longer-term boost. Sorry about that, chief. Take care, all. --Lauren-- |
In one of the arguably most classic lines in any film, Strother Martin, in his role as "Captain" in 1967's "Cool Hand Luke," famously noted that: "What we've got here is ... failure to communicate." When it comes to the current mixed-up, confused, conflated, and contradictory mess of NSA-related stories now being deployed as click-bait on media sites around the Net, that observation couldn't be more true. It's difficult to imagine how the Obama administration could have screwed up the messaging any worse than they have on all this, unless they appointed Donald Trump as White House spokesman. More and more, this whole situation seems like the escalating madness of a Fellini movie, with a dash of Kafka and a pinch of George Orwell thrown in for good measure. A tasty treat it isn't. This evening, basing their blaring headlines apparently mainly on an out-of-context quote from a single Congressman, we have stories that range from NSA targeting specific phone calls without conventional court warrants (likely), all the way to the "every call is being recorded and no special authorization of any kind is required to listen in" (extremely unlikely on both counts). And of course, all manner of theories regarding email and other Internet communications surveillance are being haphazardly tossed into the mix as well. As this narrative has morphed to ever more dramatic levels in the absence of clear, concise, comprehensive explanations to the American people of actual capabilities and associated policies, we're faced with a mishmash of hearsay and rumors, bit and pieces of information that can be interpreted in myriad ways without context, and all manner of agendas being played out simultaneously like some sort of circus of the bizarre. Mass hysteria plays into conspiracy theories, and most observers don't have the technical background to even begin reasonable analysis of what's actually happening, even apart from the policy-related aspects. These are the spoils of secrecy, the ration of Tantalus, and unless the Obama administration puts its cards completely on the table now -- not in terms of operational data but regarding programs and policies actually in place -- we will shortly pass the point of no return for any sort of rational discussion about these important national security issues. We may, in fact, have already passed beyond the event horizon into a black hole of distrust from which we cannot readily escape. And such deep distrust is almost certainly far worse than the actual realities of the NSA and other national security programs that are now being revealed in disparate fragments, encouraging the most alarming, most conspiratorial assessments, no matter how exaggerated those assessments may be compared with the underlying realities themselves. Congress and George W. Bush created this PATRIOT Act monster, sleeping like Godzilla on the ocean floor, waiting to be awoken and render random destruction in his wake. Barack Obama and later congressional officials voluntarily chose to keep this nightmarish behemoth alive and well fed -- the responsibility now falls directly on their own heads. A vacuum of truth is easily filled with fear, hysteria, and insanity. Paranoia breeds where facts are sparse. It's time for the administration and congress to come clean with the American people and the rest of the world. The reality of what you're doing is almost certainly far less dramatic and invasive than the conspiracy theories you've allowed to flourish are now insisting. Tell us what you're doing. Tell us why. Make your case. No more pontificating. No more evasions. No more clever word games and dissembling that aren't fooling anyone. Treat us like Americans. That's all we expect. That's all we ask. That's all we demand. --Lauren-- |
In the latest chapter of the federal government's "we don't trust the American people to tie their own shoelaces" saga, we saw two major Internet firms ostensibly release new information yesterday about key national security (e.g. FISA) user data requests that they receive, but in reality the government has forced them to play the old "three card monte" scam on us all. You know the con? It's a classic version of the notorious "shell game" (only performed in this case with three slightly bent playing cards) where we're tricked into losing bets -- through diversion -- into believing a card is in one place, when it's actually somewhere else. This ripoff has its roots in antiquity. Here's how the federal government version works. Prior to yesterday, Google, Microsoft, and Twitter had released transparency reports about takedowns and government requests for user data. Google has been doing this on a rather detailed, routine basis for quite sometime, and has recently begun including some data regarding National Security Letter (NSL) requests received, in terms of broad ranges of numbers and users/accounts affected -- more specific data release was forbidden by the government. In the wake of false accusations and conspiracy theories surrounding the Snowden NSA saga, Google very recently wrote a letter to the Department of Justice asking permission to reveal aggregate range and scope for FISA requests, which are more directly related to NSA activities. Microsoft and Facebook followed up with similar letters within hours. Yesterday, with some fanfare, Facebook announced that it had reached an independent agreement with the government to release some FISA data, but -- and this is crucial -- it would be combined with all other law enforcement requests, everything from a local sheriff trying to find a missing child to -- we assume -- Dr. Evil demanding billions of dollars not to blow up the planet. Facebook released this combined clump of data yesterday -- their first "transparency report" of any kind, by the way. Shortly thereafter, Microsoft made a similar release, but noted that it was disappointed that they could not break out the FISA requests separately. Google -- which as we've seen has led the way in transparency reports -- late yesterday refused to play along. They noted that under the policy that Facebook and Microsoft had accepted, Google would be required to combine all law enforcement related data requests, including conventional, NSL, and FISA. Google asserts -- and I agree -- that this would actually be a step backwards in terms of transparency. Remember, Google was already splitting out NSL requests separately from other law enforcement requests, but accepting the government's terms for release of FISA range data would mean all of this information would now have to be aggregated. There would be no way to discern what parts of the law enforcement total related to NSL (or FISA) at all. Twitter immediately and wisely endorsed Google's rejection of the new reporting policy. It's critical to keep in mind that with all this data, we're only talking about approximate ranges, and no details about specific requests at all. Why is the government trying so hard to muddy and dissemble even this modest data? Our adversaries have long known that national security data requests (both NSL and FISA) occur. How can mere broad ranges for numbers of requests and users/accounts totals be a national security risk to reveal? There appears to be only one logical answer. They aren't a national security risk at all. But the government perpetually views us all as untrustworthy children. Of late, it appears that they consider most of us to be potential suspects as well. And in keeping with that pervasive secrecy mindset, they'll willingly allow conspiracy theories to flourish and to allow the reputation of important U.S. firms to be falsely dragged through the mud -- not actually in the name of national security, but in the name of protecting the power and funding of their individual intelligence empires. This attempt to play a fast and loose shell game with this data doesn't only reveal deep hypocrisy on the part of the government, but by any normal ethical standards should be deeply embarrassing to them as well. But just as that three card monte scammer is immune to embarrassment, it appears that our leaders are so sure of themselves, so positive of their superiority, that they have become similarly inured to criticism. In the long run, that attitude may be more dangerous to what makes America great than all of our actual and would-be adversaries rolled into one. And that's a very sad, but pretty sure bet, indeed. --Lauren-- |
NSA leaker/whistleblower Edward Snowden may yet have some real "bombshells" to divulge, but at least for the moment it seems possible pull back our vantage point a bit, and start thinking about the likely results of what he's done so far. Be warned, you may not enjoy this analysis very much. It's clear what he's done to his own life. From this point forward into the foreseeable future, he'll be on the run, in exile, or in prison. To hear administration, congressional, and other officials foaming at the mouth about the supposedly enormous damage he's done to USA national security, it's obvious they want to lock him up and throw away the key (we can discard the "they're gonna kill him with drones" ravings of Ron Paul, however). The fact is that -- based on what we know so far -- Snowden has done little if any real damage, because his "revelations" have been so relatively inconsequential for anyone who has been paying attention. Comparisons are frequently being made with Bradley Manning, but they are mostly inappropriate. Manning was a "data dumper" -- he basically grabbed all the classified materials he could get his hands on and sent them off to a third party. This included an enormous cache of detailed operational data. I won't argue here the intricacies of his case, other than to note that it's entirely different from Snowden's, except for the foundational fact that they both obviously did violate information secrecy laws associated with their clearances, which can carry very significant penalties even on a standalone basis. In contrast, Snowden (at least so far) hasn't released any specific operational data, only rather broad outlines (largely without context, and in some key respects subject to misinterpretation) about NSA programs that -- and this is the important part -- NSA watchers (and presumably our adversaries) have long surmised existed. And Snowden himself has muddied the picture by adding what are clearly embellishments and exaggerations to some of his stories, for motives known only to himself. Anyone who has followed the history of NSA, particularly since the PATRIOT Act, but even long before, would have assumed that telephone metadata records were easily available to NSA for analysis. Remember, these are the same records that the phone companies have been treating as a profit center -- selling to third parties for commercial purposes -- for many years! To assume the government couldn't get their hands on them -- when fly-by-night solicitation companies could -- would be nonsensical. Confirmation is interesting, but hardly revelatory. Other parts of his information are even less surprising. We already knew that FISA/NSL data requests/demands are routinely made of Web service providers. We could assume NSA maintains massive, advanced databases of metadata and other information. It's long been obvious that the U.S. engaged in offensive as well as defensive "cyberwar" operations, in the finest tradition of "Spy vs. Spy." The ostensibly most alarming parts of Snowden's "revelations" are where he obviously is -- let's be charitable in our choice of terminology -- exaggerating. There is no believable evidence to suggest that he had the wiretapping and email spying capabilities (or authority) that he has claimed. In fact, such capabilities simply do not exist in the form he described. There are technical as well as policy reasons to be quite confident about this. Similarly unsupportable on technical and policy grounds are suggestions that NSA or other outside entities have direct access to rummage around on fishing expeditions in Google, Facebook, or other major Web service company servers. Even if you bizarrely and with notable paranoia buy into discredited "they're all evil" conspiracy theories and want to assume that statements denying the existence of such programs are outright lies, there's simply no practical way the necessary engineering could have been accomplished and kept secret, and mass resignations would have been obvious at these firms had word of such projects leaked internally (as would be inevitable). Sticking with the facts that make sense (and not the paranoid ramblings) it still wouldn't be fair to say that Snowden hasn't moved the ball. He has indeed gotten the issues back into public discourse again, where they have long been largely ignored. Unfortunately, even this may not have the results that might be hoped. The logical, confirmable facts about NSA and other surveillance are bad enough. Articles and postings condemning them (including my own) are appropriate, but mostly could have been written two weeks ago (before most of us had heard of Snowden) or even anytime since the passage of PATRIOT -- or even earlier. And in fact, such essays have indeed been written, all along. Snowden's "revelations" have added little of overall note, relatively. The history of surveillance and intelligence in this country has long been one of constant oscillation. There are abuses revealed and Congress cracks down a bit, but over time this lightens up, and the pendulum swings the other way again. Over and over. In today's situation, there will be hemming and hawing, and perhaps a bit more transparency for a while. Unrelated to Snowden, a court decision suggests that we may be able to learn more about the rationale behind some FISA court decisions. We can hope that DOJ allows Google, Facebook, Microsoft and others to report aggregate data and scope information about FISA requests, as these firms have requested. But it's already obvious that NSA and the administration are going to stand behind their "these programs are critical to stopping terrorists" mantra, and will trot out just enough information (without sufficient details to understand if these events would have been thwarted without expansive access to phone metadata, for example) to keep their co-opted Congress on their side. In the end, especially in the long run, little will change. And given one major (or perhaps even minor) new successful terrorist attack, you can bet that we will move backwards in terms of civil liberties at an enormous rate, even though this will not stop terrorism, and will help the terrorists succeed in destroying our country's greatest ideals from within. In the meantime, conspiratorial wackos and political opportunists are thrilled with Snowden. They are spinning his information -- particularly his unsupportable exaggerations that play into their preexisting mindsets, to their full advantage. One need only look at a single video to get an idea of how this is playing out in the political sphere -- this sickly amusing compilation of FOX News' Sean Hannity vigorously praising the same PATRIOT/NSA surveillance programs under Bush that he is now condemning under Obama. And herein, unfortunately, may be Snowden's ultimate, most apparent long-range effect -- providing fuel for the conspiracy theorists and most hypocritically dangerous of politicians and their minions. We can reasonably assume that this was not Snowden's intention. It may, however, turn out to be his legacy. --Lauren-- |
The embers have been smoldering for years, but the coals are now catching fire -- and this time, all the hand-waving and government pontificating in the world is unlikely to tamp down a potential inferno. Ever since 9/11 and the Bush-era enactment of the PATRIOT Act, now with the complicity of President Obama, the U.S. government appears to have had two classes of adversaries in its sights. The first is the terrorists and other truly evil forces whose goal indeed is to maim and kill innocents. We applaud appropriate measures to root out such evil and bring it to justice. The second target, however, appears to have actually been the American people themselves. It's difficult to imagine an alternative logical explanation -- even given government's historical proclivity to stamp information TOP SECRET first and ask questions -- well, usually never. The proof is in the disgusting, absolutely insane amount of government secrecy that has hidden some projects -- as well as even broad data regarding activities that we already know about -- that involve our personal information. We've been talking about the truths and falsehoods told about some of these projects over the last few days, but the bottom line is that even when there is no possible national security downside to at least permitting the American people to know about the existence of particular programs and/or the broad scope of their activities, the government has arrogantly tried to keep them secret from all but a privileged and largely co-opted few. An obvious example is the use of FISA national security user data requests (a more appropriate word would be "demands") directed to the major Web services. The government has steadfastly sought to avoid public knowledge even in general terms of the true numbers of such requests -- which the receiving firms then vet and either approve or challenge. There is no rational way that transparency in terms at least aggregate numbers of (for example) FISA requests could possibly do any harm to actual national security efforts. Only one explanation seems logical. The government is afraid of us -- you and me. They're terrified (no pun intended) that if we even knew the most approximate ranges of how many requests they're making, we would suspect significant abuse of their investigatory powers. In the absence of even this basic information, conspiracy theories have flourished, which incorrectly assume that the level of data being demanded from Web services is utterly unfettered and even higher than reality -- and the government's intransigence has diverted people's anger inappropriately to those Web services. A tidy state of affairs for the spooks and their political protectors. Google has now taken a major step toward pushing back on this unacceptable situation. In a letter sent today to the U.S. Attorney General and FBI Director, Google's chief legal officer, David Drummond, has formally requested that the government give Google (and by extension, other firms) the right to at least include in Transparency Reports aggregate information regarding the number and scope of national security (including FISA) requests and disclosures that Google is required to process. The letter notes that permission was already granted for some transparency related to National Security Letters (NSLs), with no ill effects. The government's stance regarding FISA activities feeds the false memes that these Web services have something to hide. They don't, but the government -- in their desperation to keep us all in the dark -- has made it impossible for these firms to demonstrate their innocence. This must end. Nobody is suggesting that the details of these data demands be arbitrarily made public, only that the broad scope and scale of FISA activity be at least reasonably transparent. Stop treating Web services -- and the American people -- as your enemies. Stop behaving as if we're no more to be trusted than the terrorists and evil that you (and we) wish to neutralize. You can take a major step yourself toward demonstrating that you trust and respect the American people, by responding positively to Google's letter and request. Prove to us that you're actually on the people's side -- not only your own. --Lauren-- |
As the NSA/Snowden situation gradually comes into sharper focus (though not Snowden himself, who is apparently on the run after exiting his luxury hotel in Hong Kong) we are faced with an interesting dilemma. Some of what he has claimed is clearly true and has been acknowledged. Some of what he claims is obviously false. And various aspects of his claims (or at least how his claims have been interpreted) are logically false. There is a lingering sense that he may have grabbed and released some materials without necessarily ever having been "read into" all of the associated programs or understanding them in context. We know his stated, altruistic motives. There also seems a bit of "martyr complex" in his behavior, but psychology isn't my specialty. Nor am I in the "revenge, retribution, and punishment" department -- our public officials seem to have those aspects well in hand with rather bloodthirsty calls for him to be publicly drawn and quartered even before a full investigation and trial. In the Snowden "true column" so far, we have the telephone metadata collection programs, which authorities have now admitted have been long in place. A Republican congressman who was a key author of the PATRIOT Act has been making a lot of hay over the last couple of days claiming that the program is an overreach of PATRIOT authorization. It likely was not -- and he knows it. Such abominations in PATRIOT have been loudly protested by civil liberties groups at every opportunity. The congressman knew full well what he was authorizing. Known informally as "Mr. Impeachment," he was already calling for Obama's impeachment before any of these current NSA stories, and was a key force in pushing through Clinton's impeachment years ago. Now that he sees a political opportunity to try distance himself from the legislative monster he created, he's trying to change history. It won't work. Odds are that courts will find that the appropriate notifications were provided to the necessary legislators, and that the abuses of privacy represented by the NSA telco metadata program will be found to be legal. In the Snowden "logically false category" to date, we have the claims (or interpretations by media and others) that the major Internet companies have provided direct NSA access to Web company servers, allowing the intelligence community free reign to rummage through user data. The firms have all categorically denied this, and it seems clear that the PRISM program in question is actually a FISA/NSL compliance mechanism, with all data demands individually vetted and then either accepted or challenged by the firms. And then there's the "obviously false" category. Snowden claims that, "Any analyst at any time can target anyone ... I, sitting at my desk, certainly have the authorities to wiretap anyone -- from you or your accountant, to a federal judge, to even the President." Even if a 29-year-old outside firm NSA contractor had the technical means to perform such actions on such a scale -- which seems unlikely in the extreme -- we know with absolute certainty that he would not have had the authority to do so. Period. So on this point he is certainly outright lying, exaggerating, or is seriously misinformed. Take your pick. What this all means for Snowden's overall credibility remains to be seen, but we can still draw some useful conclusions from the situation even now. Some pundits have declared these events the "death knell" of cloud computing. This is not the case, though we can stipulate that government overuse of FISA/NSL authorizations appears to be a genuine problem. Cloud resource systems provide so much value to users, in terms of capabilities and reliability among so many other factors, that it is impossible to contemplate most consumers moving forward with alternative models, especially considering the ever more demanding requirements for features, storage space, and other functionalities that consumers and businesses are demanding. Having said that, I believe consideration should be given to providing cloud-based document and email systems the capability to provide at least limited locally-homed capabilities for special cases. Various systems already come close to this. Gmail and Google Drive now provide excellent "offline" access capabilities, allowing creating, reading, replying, and otherwise manipulating materials without an Internet connection, using later connections to synchronize data automatically. Perhaps an additional capability could be "local sync only" -- meaning that connections would only be used to sync the copies between local devices, but not leave copies on the central servers. To be clear, I don't see such an capability as being practical for more than a limited subset of overall use cases. Perhaps some users would want to tag some specific documents, or correspondence with particular parties, for handling in this manner, with the understanding that they'd be giving up major capabilities for those items by not being able to work with them via the full-featured Web interfaces on central systems. And I believe it would be entirely appropriate for services to set reasonable limits on the use of such "local" capabilities, at least for services being provided without fees. But the cloud is crucial to our computing and communications futures, and ultimately our main goal in this context must be to bring our laws back into a real balance, where government secrecy isn't an ever expanding default condition, and civil liberties once again attain the stature of overriding importance that our Founding Fathers so earnestly intended. As is so often the case, we must deal with these issues in both the technology and policy realms -- one or the other alone won't do, and the tasks involved will be anything but trivial, especially in the current political environment. Still, the first step on this road is a realization of the scope involved, and in that respect Snowden's NSA saga -- even given the apparent melange of his various truths and non-truths -- has served a useful purpose. Now the ball is in our corner, and there's hard work ahead. Interesting times, indeed. --Lauren-- |
In the nearly 10 years since I've been authoring this blog, I can't recall a previous period of so many lengthy posts, one after another on a single topic, as has been the case with the current NSA saga. We've already discussed the details as we know them at the moment, as described in NSA "Whistleblower" Snowden: Hero? Fool? Traitor? Or ... ? and its ancestor postings. So this morning I was trying to think of a unifying theme of sorts that I could use to wrap up the current round -- when an old "Buffalo Springfield" classic played forth from the music stream I had running in the background, and handed me the answer across the decades. In their 1967 song "For What It's Worth" -- often mistakenly thought to be an anti-Vietnam war piece, but actually written as a statement about civil rights in the aftermath of a notorious "riot" and police actions on the Sunset Strip here in L.A. -- Buffalo Springfield sang these words: Paranoia strikes deep. And therein resides the key -- not just to NSA and Snowden's story, but to so much in our contemporary lives and reaching back to the dawn of human history as well. Paranoia and its close sibling "conspiracy theories" in fact are the only real "winners" in the entire chain of events rolling out before us over the last few days, along with the historical genesis of those events. Paranoid terrorists and their attacks. Paranoid reactions to those attacks by Congress and yes, by the majority of Americans as well. Knee-jerk legislation like the PATRIOT Act that gave paranoia the force of law. Paranoid NSA programs. Paranoid claims about those NSA programs. Paranoid accusations against Internet firms. And on ... and on ... and on. Conspiracy theories thrive on paranoia -- the mother's milk of emotion over logic, of fear over reason, blurring the lines between real enemies, genuine abuses, and the unreal, fantasy theories that permeate our brains like so much booze on a drinking binge. And the recent NSA-related events seem virtually purpose-built to feed that paranoia, piling onto the inherent fears that so many persons have about the rapid pace of our technologies, so complex that it might as well just be magic as far as vast numbers of our fellow travelers are concerned. So we have fear of cookies, fear of Web ads, fear of tracking, fear of Wi-Fi, fear of malware, and again on and on -- mixing hard technical realities with the acid blend of paranoia itself, leaving especially the nontechnical observers in a dizzying spin, gasping for air, unable to separate any underlying truths from exaggerated claims and purposeful obfuscations. The nightmare demon, the terrifying "they" seems omnipresent, lurking in the shadows, ready to strike, feeding on a steady diet of misinformation. They are listening. They are lying. They are covering up something. They are out to get us. And no matter how many times it seems demonstrated that particular fears are misplaced, that only means we haven't dug deep enough, haven't considered every fanciful possibility, haven't allowed our phobias sufficient and full bloom. The negative stands proudly unprovable, while the path of paranoia seems clear by comparison. The glass stands half empty rather than half full, as our leaders with only the best of intentions remodel society and laws in the name of what's worst and most feared, rather than in hope for a better and brighter tomorrow. The red pill or the blue pill -- it matters not, for in the empire of paranoia, all paths ultimately lead to the inner circles of our own man-made hells. It's way too early to fully understand the entire scope and purposes of the NSA programs that are now in the headlines. But the odds are we'll learn that NSA, exercising its own paranoia, did pretty much exactly what a paranoid Congress and paranoid administrations wanted NSA to do in the wake of 9/11, as horror at the attacks quickly gave way to jingoism, and our Founding Fathers' dreams of ascendant civil liberties gave way to the kind of political madness that has destroyed an array of civilizations down the span of the centuries. And throughout it all, as the truths and conspiracy theories and exaggerations mix and mingle into a diseased, opaque pool of pestilence -- within yet above the fray, reigning as sovereign -- paranoia itself sits on its blood-soaked throne -- smiling, nodding in satisfaction, and knowing that in the end, it has indeed triumphed yet again. --Lauren-- |
Oops. I'd thought there was a good probability I could get through today without having to post again about the ever more confusing NSA mess. Not a chance, as it turns out. This saga is now taking on the various aspects of a 60s-era spy spoof film, and its bizarre twists and turns are making David Lynch's 1984 production of "Dune" look clear and easily comprehensible by comparison. Here's where we stand. Word is out that the NSA leaker, "whistleblower," or whatever your preferred terminology may be, is Edward Snowden, a 29-year-old former CIA tech assistant who (until very recently) was a contract worker at NSA on behalf of various outside firms, like Dell and Booz Allen. Snowden is now reportedly holed up in a hotel room in Hong Kong, and states that he hopes to achieve asylum in Iceland. He asserts that he has done "nothing wrong." There's already a video of him floating around, declaring how he leaked NSA documents on principle because he was so concerned about where NSA was heading and how it is violating the rights of Americans. It's quite stirring. As you probably already know by now, I am acutely displeased by the situation associated with surveillance in this country, as noted yesterday in Internet Shattered: Spies, Spooks, and Disgust. Snowden is already being hailed as a "hero" in many quarters, and comparisons are being made to U.S. Army leaker (or whistleblower -- again, your choice) Bradley Manning (whose trial, coincidentally, has just gotten underway). The comparison may be apt, but not necessarily in a straightforward manner. Both of these cases seem far from black and white, and Snowden's situation brings with it some real head-scratching questions. I'm immediately struck by Snowden's current choice of Hong Kong as a place of refuge. He says the choice was based on their "spirited commitment to free speech and the right of political dissent." I'm not entirely sure that he's talking about the same Hong Kong I know, which is actually part of China, operates only with China's sufferance, and -- we can logically assume -- is saturated with Chinese Intelligence. But hell, Snowden was doing work for NSA -- maybe he has special knowledge that makes Hong Kong/China a good pick, even if it wouldn't ordinarily be on most free speech advocates' short lists. We're also told that Snowden is "lining the door of his hotel room with pillows to prevent eavesdropping," and "puts a red hood over his head and laptop to avoid cameras capturing his passwords." I'll admit to being puzzled by such actions. Neither of them are likely to negatively impact skilled eavesdroppers in any significant way, given the tradecraft available today. Maybe this is just a cover story (no pun intended) and he's actually using an array of high-tech CIA/NSA gadgetry to protect himself. As James Bond knows, it seems like "Q" is never around when you really need him. But all of this is really only the kind of material that might make for an intriguing movie trailer. The core, most important aspects of this situation, relate to the actual information that Snowden leaked (or "whistleblew"). And here matters get murky in short order. We at least seem to have enough information now to make some broad characterizations. As much as I abhor NSA obtaining telephone call metadata and the scope of government FISA user data demands to Web services, it appears at this time that most or all of this activity has not only unfortunately been legal, but could reasonably be anticipated as logical outcomes of the PATRIOT Act and other related legislative and court actions. There was those of us who tried to point out these risks at every opportunity. We were routinely shouted down, sometimes being told that it was un-American even to bring up the issues. Nothing really to be gained now by reminders that "We told you so." But back to Snowden's data. The (sadly, unsurprising) confirmation of the "Phone companies to NSA" telephone call metadata connection is certainly useful, and indeed a cause for broad condemnation, concern, and even anger about our blossoming surveillance society, as I've noted in my postings over the last few days. And word about NSA's methodologies for organizing and indexing a broad range of globally collected metadata ("Boundless Informant" -- gotta love these names) is certainly intriguing, even though very much along the lines of what we would have expected and frankly, unless one buys into associated conspiracy theories, not particularly dramatic. More confirmation that NSA is collecting a lot of data, but we already basically knew that. It's in the PRISM documents that I feel the situation becomes most problematic, because I believe strongly that these have done real damage to innocent parties and have played directly into insipid, emotional, false conspiracy theories that have become a scourge, especially in our toxic political environment. The PRISM documents have been widely touted as "proving" that NSA has "back doors" into the servers of Google, Facebook, and other firms, through which NSA could query and extract personal user data without interaction or control from these firms themselves. A truly horrendous prospect -- if it were true. The named firms quickly refuted the accusations. They insist that there are no "back doors," that all data requests (e.g., via FISA mechanisms) are individually vetted, then either approved, appealed, or taken to court when the firms felt that the requests were overly broad or otherwise inappropriate. Of course you can never prove a negative. As I noted yesterday, the conspiracy fans have now run wild, convinced that the firms are outright lying, colluding, and worse. I can't say the following strongly enough. To believe these conspiracy theories is to assume that the individuals dealing with these matters at these firms are ethically vacuous, have no backbone, or are genuinely evil. This is all simply false. I personally know a variety of persons at these firms who by any rational analysis would have to know about such "back door" systems if they existed, and who would be unwilling to suffer their presence. The kinds of engineering that would be required to implement such mechanisms would be extremely complex at the global scale of these firms. I simply do not believe that they could be designed, deployed, or maintained without so many persons finding out about them that they'd be essentially open secrets internally. And while the government can use an NSL (National Security Letter) to prevent someone from revealing the existence of something -- for example by forcing them to stand mute to a question -- you can't force someone to outright lie in the manner that would be represented by these firms' explicit denials. What's more, I strongly believe that any attempt to push through such systems would have resulted in levels of resignations immediately obvious to outsiders. The folks I know at these firms are among the most ethically responsible that I've ever encountered. I do not accept that they would quietly play along with the kinds of NSA schemes that some are alleging. Period. And even those allegations are foggy. It can be easily argued that it was actually media misinterpretations and sensationalism that led to the "back door" claims. Those same NSA documents could even more reasonably be interpreted to be discussing exactly what these firms have said was the case -- providing properly and legally vetted responses to individual FISA and similar government user data requests. No "back doors" -- no direct, uncontrolled access to user data on servers. At this stage, it's impossible to easily ameliorate the damage already done by this set of hyperbolic, false allegations that will likely now take on a life of its own. Which brings us now to a fairly obvious query. Why were the PRISM docs dumped on the media in the manner that they were, especially when their seeming vagueness plays so neatly into conspiratorial mindsets? I don't know the answer to that question. Nor will I attempt here to answer the question posed as the topic of this piece. I don't know what Edward Snowden really is. Perhaps he is indeed a hero. Or a combination hero and fool. Or perhaps something else. You'll have to make up your own mind, in the fullness of time. I do know one thing absolutely. I'll take the word of the people I know at these firms, persons I like and believe -- over the word of NSA and all the spooks, ex-spooks, and contract spooks on the planet. We are dealing with a complex situation with fragmentary information being dribbled to us by the media out of context. Eventually we'll presumably have a more complete understanding of the various facets involved. The conspiracy theorists can whine, the haters can hate -- they can all get their jollies as they will. But for me it's all about what's logical, reasonable, and most of all about the individuals I trust and care about. Be seeing you. --Lauren-- |
I've spent literally my entire adult life (and even before) working on Internet technologies and policies, one way or another, reaching back to early ARPANET days at UCLA -- a project rooted in Department of Defense funding, it's worthwhile to remember. Over that time, there have been many related high points and low points, events joyful or upsetting, but never -- not even close -- have I felt so completely, utterly disgusted with a situation associated with the Net as I am today. The apparently true facts we're learning about our own government's spying abuses against its own citizens are bad enough. But we also are faced with stomaching the incredibly hypocritical and disingenuous pronouncements of intelligence agencies, administration officials, and Congressional leaders, as they point fingers back and forth about who knew what when, who approved which program, and why we citizens shouldn't be at all concerned. To make matters worse, mixed in with misinformation and purposeful obfuscations, these actions have played directly into the hands of conspiracy theorists who are now working overtime to damage the very parties most in a position to help hold back unacceptable government prying into our affairs. It is in fact the major Web services providers like Google, Twitter, Facebook, and others, who have become the most effective holding lines against government overreaching. Most smaller firms or individuals don't have the financial or legal resources to fight back against overly broad data demands and other government abuses. Thanks to the damage done by distorted dribbling of information over the last few days about telephone metadata collection, PRISM, and now new stories and government generated gobbledygook explanations just today, people all over the world are confused and upset, wondering how deeply the USA is spying on the Internet and its users, the telephone system, and perhaps their supermarket loyalty cards. Even though the major Web firms categorically denied providing "back door" en masse data access to NSA, and accurately asserted that all data requests are vetted by those firms (and sometimes pushed back against in court), the last few days' worth of false charges have led to a torrent of people flooding comments and postings (not to mention my inbox). Their rants proclaim that the firms are lying, they're in bed with the government, this is proof you can't believe anything these companies say, and gigabytes of other assorted paranoid rot. I won't even address these ravings here. They generally demonstrate a profound lack of knowledge regarding both global-scale software engineering and the legal process. They're illogical, irrational, and are most appropriately filed in Area 51, right next to the outer space aliens' rumpus room. The government has been feeding this conspiratorial mindset against these firms for years. It has tried its best to scare the hell out Internet users, by attempting to falsely convince them that cookies are evil incarnate, open Wi-Fi access ports are somehow to be considered private, and that anonymous ad personalization systems will kill the family dog, if not your children. All the while, we see now that the real abuses have been orchestrated and planned from within the Beltway for many years, by officials totally convinced that they are so much smarter, so much more worldly, so much more entitled than the rest of us, that they've evolved the art of political and bureaucratic hypocrisy and insanely exaggerated secrecy to a level unimagined by the most skillful con men and swindlers in history. In this case, we're not just being swindled out of uncountable hundreds of billions of dollars being sucked into black budget "everything is called terrorism now!" ratholes, but we've been cheated by the politicians, spooks, and spies out of something even more important in the long run -- trust. No matter how ostensibly laudable their motives, these officials and minions with their vast and secretive funding, are steadfast in their belief that the American people cannot be trusted -- after all, we're just the little people compared with the giant brains of Congress and the intelligence agencies. Pat us on the head, tell us some scary stories (leave out the inconvenient details of course), and scoot us all back to our rooms. Now hear this! We're on to you. Not just here in the U.S. but other governments around the world who are playing the same games with their citizens. We don't need any wacky conspiracy theories -- the facts that are demonstrable are sufficient. We know that you desperately fear an Internet that you can't control, where every byte of data and every activity log isn't unencrypted and available at your immediate beck and call. We know you want to control what sites are available and what sites say, dictate the results search engines may show, and generally treat the Net as your own global intelligence fetish supreme. How about this? If you believe you can honestly make the case that you need to know everyone we call on the phone, have access on demand to virtually everything we do on our computers, and otherwise treat us with such suffocatingly, "loving" contempt -- get out here and convince us. No more hiding behind vast secrecy that serves your own desire for agency empire building far more than actual national security needs. No more smoke screens blown at Congress pressuring them to approve your schemes without details or debate on the theory that they're just too secret for Congress to really trouble itself about. And enough of trying to turn us against the very Internet firms that have the ethical and legal stamina not to let us be flattened like worms under your national security steamroller. While we're at it, oh spies, spooks, and affiliated politicos, one other piece of free advice. Go grab or download yourself a copy of the Constitution of the United States. It's widely available, at least for the moment. Pay particular attention to the Bill of Rights. Take it home. Discuss it with your spouse and children -- your children in particular probably already understand it far better than you do. Those documents were written by a bunch of rather ordinary men of extraordinary vision and resolve. They knew that even a well-meaning government can easily descend into abuse and tyranny, and they knew that protecting fundamental rights requires not treating everyone as a potential suspect, or everything they do or say as subject to access and analysis by the King's representatives and sycophants. They knew what freedom meant, while your actions now -- regardless of your motives -- are treating their efforts with vast contempt. We are proud to be Americans, but we are also enormously saddened and disgusted by your behavior. And that's the truth. --Lauren-- |
Related blog posting: Inside PRISM: Why the Government Hates Encryption --Lauren-- |
Addendum (1:12 PM): Google's Larry Page and David Drummond are categorically denying that Google gives the government open-ended, back-door access to user data. This appears to confirm my speculation (for Google at least) that these firms are still tightly controlling data access by reviewing and addressing each data demand on an individual and responsible basis. And keep something in mind -- the government can use legal means to try force you to be silent about a matter, but they can't force you to lie, unless they're resorting to waterboarding and shock collars for Internet executives. Addendum (10:05 PM): Hangout On Air video discussion of this and related topics recorded this evening (55 minutes) is now available for viewing at this link and via the embed below. Yesterday in The Soviet Surveillance States of America we began connecting some of the dots associated with the new disclosures of the U.S. federal government's collection of telephone and Internet data. Since the initial reports, we've now been informed by officials that they only actually look at the telephone connection "metadata" in the course of specific, targeted investigations, and that the Internet data slurping associated with PRISM is directed at foreign nationals in foreign countries (though Americans can be accidentally sucked into the system as well). We're told by administration spokesmen and top members in Congress that this is all for our own good, presumably as are ubiquitous CCTV cameras, license plate readers, DNA swabbing of innocent persons, and all the other varied inputs (some of which we possibly don't know about) feeding to our law enforcement and intelligence agencies. Our fearless leaders seem startled that there's such a negative reaction to these new revelations. "Calm down children, we know what's best for you!" appears to be the common refrain. What they forget -- or more likely are conveniently ignoring -- is that we Americans are a historically rather strange breed when it comes to an innate distrust of government. Frequently these concerns go completely overboard, but when government actually does play into the hands of the conspiracy theorists it does nobody any good at all. (On the other hand, we continue to have evidence that our government is so leaky that keeping a really big secret for long is an intense challenge.) If you really want to incur the ire of most honest Americans, treat them all like they're criminal or terrorist suspects. Now, what's really going on with PRISM? The government admits that the program exists, but says it is being "mischaracterized" in significant ways (always a risk with secret projects sucking up information about your citizens' personal lives). The Internet firms named in the leaked documents are denying that they have provided "back doors" to the government for data access. Who is telling the truth? Likely both. Based on previous information and the new leaks, we can make some pretty logical guesses about the actual shape of all this. Here's my take. First, I believe it's reasonable to assume that significant targeted use of DPI -- Deep Packet Inspection -- is in place, most or all of it outside the control (or even perhaps knowledge) of major Internet sites (but quite possibly associated specifically with major ISPs and backbone providers). Just as I doubt that "all phone calls are being recorded," I doubt that a mass collection of non-targeted Internet data is going on. Not only would this be technically enormously difficult when you consider traffic patterns and volumes, but would not likely be useful from an analysis standpoint compared with more careful targeting of specific communications, even with the improvements in analysis tools we are aware of (and/or can speculate exist in the shadows). We do know for certain that the government has become very insistent on two fronts -- wanting virtually instantaneous access to specific stored and real-time user data on demand, and getting it in the clear (that is, unencrypted). So long as most people don't bother to encrypt their email and other data the latter point is largely moot. The government is mostly concerned that someday down the line ubiquitous encryption will take hold -- that is, strong encryption by default -- that would be time consuming for the spooks to crack on an independent basis. An intriguing outline becomes clear. The government likely doesn't have "back doors" into major Internet sites that would allow government access to those sites' user data on a "willy-nilly" basis. But it does seem reasonable to assume (especially based on the historical record associated with telephony, e.g. CALEA) that the government has pressured major Internet sites to deploy the means for rapid access to specific data requests that would be mediated by gatekeepers at those firms. That is, NSA (or whomever) would have an expedited means to present a firm with (for example) a court order or National Security Letter. If legal counsel at the firm determines that this is a valid and sufficiently narrow demand, the mechanism would be in place to immediately provide access (perhaps one-shot, perhaps ongoing for some period) to that specific data (likely related to specific user accounts). In other words, what we're likely talking about with PRISM isn't a "back door" for rummaging around through data in an uncontrolled manner, but rather a technical and legal protocol for the government to quickly gain access to specific data under order when the firm involved agrees that the order is valid and chooses not to challenge it. Overall, this regime would replace much slower, largely ad hoc systems for responding to data demands, with a pipeline that can provide that data to government directly -- but the firms still control the valve on that pipe and which data is permitted to flow into it, allowing the firms to fight orders that they do not consider reasonable, focused, or otherwise valid. This kind of scenario may help to explain the seeming contradictions of what we're now hearing about PRISM, and seems to sync well with the battles over government access to user data that we already know about, and with government demands that when they do get such access, they have some way to get the data in unencrypted form. But even if my speculation about the relatively constrained nature of PRISM is correct, the potential for government abuse of such deployed systems is still enormous. Such surveillance environments drastically undermine our own ability to criticize similar and worse abuses by other countries. And here at home, the "you have nothing to fear from surveillance if you have nothing to hide" argument does not play well with most honest Americans. Faith in cloud computing and storage models -- which I feel are enormously important to us all in so many ways and bring with them vast benefits to consumers -- are predicated on users trusting that their cloud data will be at least as safe from government abuses as their data would be on their own local hard drives. The rise of ubiquitous encryption will over time likely be unstoppable, and will change the face of these issues in major ways that we cannot predict with confidence. We can, however, predict with considerable assurance that any government and any officials -- regardless of political parties -- who insist on treating the American people as suspects, as ignorant children whose personal data should be available to government prying merely at its beck and call, are ultimately helping to destroy critical underpinnings of what has made this country great. If we continue to permit this, the ultimate fault and blame will not be with our government or our leaders, but rather with ourselves. --Lauren-- |
[Please note: Reference links associated with this item are at the end of the posting.] In Theodore J. Flicker's prescient, darkly comical 1967 film -- "The President's Analyst" -- there's a bit of dialogue I've quoted many times over the decades. A Soviet spy and an American spy, friends of long standing, despite being on opposite sides, are working together informally. When the object of their common search appears to have been kidnapped right under their noses, the American spy suggests that the phone booth they'd been using was tapped. The Russian is incredulous. "Are you trying to tell me that every phone in the country is tapped?" "That's what's in my head," replies the U.S. agent. "But Don! This is America, nor Russia!" exclaims the Russian. The film's parallels go even further. The U.S. is being essentially run by the bureaucrats of the law enforcement and intelligence agencies -- spying and wiretapping everywhere, while the president is implicitly relegated to the role of a largely impotent bystander. Needless to say, the movie did not go over well with the U.S. authorities in 1967. It's likely nobody would dare produce such a film today. For students of U.S. intelligence and law, the new confirmation that the federal government has been collecting phone call detail records en masse on Americans shouldn't come as a big surprise. The major phone companies have long considered such data a mere commodity, and built enormous businesses selling this kind of information to third parties, emboldened by a variety of court decisions. The knee-jerk PATRIOT Act legislation following 9/11 set the stage for even worse abuses in this sphere -- even though one of its authors is today claiming that this isn't what he actually had in mind. Apology not accepted -- the abuse potential of PATRIOT was obvious from day one. Still, the current round of revelations are obviously very upsetting, more so for how they help us connect the dots than for their specifics in this case. While we've only seen one leaked document so far in this round, we can safely assume that similar orders exist for every other major telecom carrier, reaching back to at least 2006 and the Bush administration. Given NSA's known proclivity for the "vacuum cleaner" approach to data collection -- essentially that they don't consider "mere" collection an abuse, or even really collection at all until specific data is analyzed -- such activities likely go back even further in at least some respects. We now also have confirmation that top Congressional leaders have known about this -- some of them likely since the very beginning. Their remarks today are enormously telling and troubling. We're told that this massive operation was justified because it "stopped a terrorist" attack. That could mean pretty much anything, considering the low threshold now employed to define violent acts as terrorism. But how are we to know if any sort of reasonable balance has been achieved between our civil rights vs. "preventing attacks" of any sorts? Would the same effect be achievable in a much less invasive manner? Why bother even figuring that out if you can just order the phone companies to give you everything. Leaders are now also informing us that there were no complaints from citizens about the program (unsurprising, given that it was, you know, classified) and that we shouldn't be concerned because it's been going on for at least seven years -- it's nothing new, we're reassured. (Why are you upset that you just found out I've been sleeping with your wife? We've been screwing each other since 2006!) The generally bipartisan nature of the "nothing to worry about" pronouncements today are quite noteworthy, and while we already knew pretty well how Congress operates, one might wonder why President Obama has been co-opted into such invasions of our civil liberties, apparently by continuing the abuses initiated by his GOP predecessor. I have a theory about that, which explains why political parties just don't matter in these situations. Remember that law enforcement and intelligence agencies are mainly bureaucratic organizations, desperate to protect their own turfs and funding. (In "The President's Analyst" the "FBR" and "CEA" were always at each other's throats -- the "real" initials were dubbed out in post-production after actual threats from the government!) My guess is that as soon as a new president is sworn in -- regardless of political party -- the heads of the various interested agencies march into the Oval Office and present the new head of state with "The Briefing Book of Doom (BBD)." The BBD would be designed to scare the president out his or her wits by drawing the bleakest, most alarming possible picture of world threats, and emphasizing how any attempt to reign in previous abuses by these agencies could (it is claimed) result in catastrophe ("and by the way, we need much more money, too!") Few persons are going to have the spine to stand up to such a collective onslaught from the spooks, designed to appeal to emotion rather than reason and logic. It matters not if your affiliation is Republican, Democrat, or Jedi Master. In this way, the unelected bureaucrats have usurped enormous power, in a manner eerily reminiscent in some ways of the old Soviet Union. Back to connecting those dots. Even as I'm typing these words, more new revelations are circulating today, about a highly classified program named "PRISM" tying the FBI and NSA directly into major Internet services to gather email, audio, video, photographs, documents, and connection logs. This appears to have also begun under Bush, and grown exponentially since then. Some in Congress have reportedly known about this all along also. PRISM is reportedly not a mass data collection system per se, but rather a means for the government to access specified data as quickly as possible. [Addendum: 5:34 PM - Most or all of the firms described in the PRISM story ("Washington Post" links - see below) are denying involvement.] Again, such a program has been long suspected, and helps to explain the government's push for extended CALEA access and their increasingly loud demands for easy means to obtain the "plain text" (unencrypted) contents of encrypted Internet data streams and associated services. [Blog Update (June 7, 2013): Inside PRISM: Why the Government Hates Encryption (What PRISM likely is -- and isn't)] We can also assume that most postal transactions have long been at least tracked. I'm frequently asked if it's likely that the government is collecting the actual contents of phone calls on a large-scale basis, bringing us back around to our Soviet and American movie spy friends. As far back as 2006, I speculated that the technology to do this was within reach, but that for practical reasons a "record every call" approach seemed unlikely. Even now, with the massive improvements in tech since then, I still suspect that actual call recording tends to be quite focused, rather than comprehensive, for technical reasons beyond the scope of this posting. In absolute terms though, it may still be quite large. We also now can begin to understand the depths of the threats and pressures that the government -- via National Security Letters and these various classified programs -- have been asserting against major Internet firms. Reading between the lines of the cases we already knew about, firms like Google and others have been trying to warn us about this -- the best that they could do given the constraints forced upon them by a secretive government. I also personally believe that we now can see more clearly the depth of hypocrisy and diversion involved in the government spending so much effort publicly attacking harmless, anonymous, personalized Internet ad systems, while at the same time engaging in such massive, secret, highly personal, and deeply invasive intrusions of their own citizens' lives. Beyond all this, there's a truly upsetting question. If our own government is willing to go this far at this stage in such a bipartisan manner -- republicans and democrats alike -- what might happen if someday a small nuke or dirty bomb is detonated in a U.S. city? Even if relatively few persons were actually harmed, how long would any of our remaining civil liberties be intact? You know the answer. I called this posting "The Soviet Surveillance States of America" -- but perhaps not for the reasons you might have suspected. While the old Soviet Union (and unfortunately, increasingly the new Russia) certainly have engaged in evil acts, it would not be truthful to suggest that all of their associated motivations were necessarily actually evil themselves. Much more dangerous than true evil itself is leaders who honestly feel that they are doing the right thing for their countries and people, and slide down the slippery slope of increasingly intrusive civil liberties decimations in the process. It is in this way that many of history's worst tyrannies were gestated -- pulled into a putrid pit via a chain of ostensibly noble deeds. The old USSR likely would have made many of the same pro-surveillance arguments that our leaders here are making today, if the technology in focus now had actually existed then. We've all heard it said that "The road to hell is paved with good intentions." It's something to remember, comrades. Something definitely to remember. --Lauren-- - - - References: NSA collecting phone records of millions of Verizon customers daily U.S. intelligence mining data from nine U.S. Internet companies in broad secret program |
Regular readers know that I'm no fan of Facebook -- I don't use it myself and I'm surviving very nicely without it, thank you. But common sense gave way to fuzzy thinking and rumormongering today, when a story spread like wildfire across the Net -- via Slashdot, Reddit, and an array of other sites, claiming that Facebook was now purposely blocking users from downloading their "timeline" (still often called "wall") postings data, as had been previously possible. This rumor may have started with an angry blog posting at a site which I'll not provide with link juice here today. The posting apparently wasn't inaccurate in describing problems that the author was having downloading their Facebook data, but rather in the implication that this was a purposeful policy change by Facebook -- and this latter concept became the tinderbox that set off angry comments and dialogue around the Web. I suspected from the outside that this was likely just a bug. I now have confirmation from two Facebook engineering sources that this is indeed the case, and that a fix is likely to go live within a few days. There were multiple reasons from the outset to suspect that we were dealing with an engineering glitch and not a policy change. Perhaps the most obvious of these is that it simply would not make any kind of sense for Facebook to make such a change! I've been pretty critical of Facebook's handling of various privacy matters over time, particularly in terms of their specific user-facing implementations. But to suddenly block this type of user data download would be ludicrous on its face and incredibly counterproductive to both Facebook and its users. The negative PR and in some countries regulatory blowback would likely be enormous. It would be utterly illogical. Other clues that this was just a bug were also apparent. The relevant Facebook help pages regarding data downloads and exports said nothing to indicate that such a policy change had taken place. There was enormous inconsistency in user reports regarding this situation today. Some users reported that the data in question was missing from their downloads. Some claimed they couldn't download at all. Others were able to export all their data -- including timeline/wall data -- completely intact without difficulties. While it's always possible that variations in user experience are the result of an engineering change being gradually rolled out across the platform, this just didn't seem to make sense in today's instance, especially given the other facts. I understand that it may be human nature much of the time to emotionally believe the worst, but seriously, today's policy change rumors should really have been suspicious to just about everyone, given even a bit of real thought. In an age when all manner of bizarre and inane conspiracy theories thrive, I can't say that I'm surprised when a false rumor like this gets traction bouncing around the Web's echo chamber. But let's face it -- if we're actually going to automatically assume evil decisions every time there's an operational issue in these highly complex systems, it's a pretty sad commentary about our society overall. I'm pretty sure we can do much better than that if we try. --Lauren-- |
Brace yourself. If you're not sitting down, I urge you to do so. There's devastating news afoot. The Internet is apparently running out of pornography. I know this comes as a shock. OK, it's not quite as bad as running low on cute kitty photos and videos, but it's pretty darned close. Now if you're like me, you may not have actually realized that the Net is in such a dire, porn-starved condition. After all, at first glance, it seems like any legal porn you might want to see (and considerable amounts you might prefer not to see) are easily and openly available from a vast number of Web venues. But appearances can be deceiving. And judging from some of the wailing I've been hearing since Google announced that they will not approve porn-oriented apps for the Developer Preview of Google Glass, I can only assume that a devastating porn shortage snuck up on us while we were busily building animated meme GIFs. The inevitable cries of censorship are already being heard. They're nonsense, of course. I'm about as strong a free speech advocate as you're likely to find, but censorship is the domain of governments, not other organizations or individuals. Just as your local supermarket isn't required to carry "Hustler" magazine, there's no legal requirement that any firm approve any particular sort of app. And so long as we're talking about legal content that is readily available from other venues, and we're not discussing ISPs trying to micromanage which sites their customers can access, the consternation seems misplaced. Decisions to keep mainstream app stores reasonably family friendly just don't really upset me. Let's face it, they're not the only games in town -- sideloading and other similar widely known techniques generally allow for users to obtain content and apps from other sources if they choose to do so. There's an important distinction here. Not wanting to be actively engaged in the distribution and marketing of porn-related apps and materials is utterly different than saying that you want to ban such items. Pushing porn at people who don't want to see it is another matter. If you look at the terms of use for most firms' social networking or app environments, you'll typically find provisions that relate in one way or another to this area, yet porn still prospers. I know how to find it. You know how to find it. But I think it's fair to say that most people don't want it slammed at them either. When I occasionally see unsolicited graphic sexual content in my Google+ notification stream, I usually report it much as I would any other kind of spam. I'm not condemning the porn per se, I'm saying that it is being inappropriately thrust upon me -- no pun intended. When it comes to Google Glass in particular, Google's deliberate, arguably conservative, go-slow approach that some observers find frustrating is actually entirely appropriate. Glass represents the first real steps into the mass marketing of general purpose wearable computing devices, and as I've noted in The Coming War Against Personal Photography and Video, Glass is already being targeted from some quarters as a proxy for forces who would like to greatly restrict public photography in general. Adding porn into the mix at this incipient stage would provide yet another target for knee-jerk reactions, and risk diverting attention from an array of extremely positive and innovative applications for this technology. The policy issues surrounding all this are inevitably going to be entangled with politics and politicians, and while I hesitate to say "Luddites" in this context, there is a definite impression that there are folks out there who would very much prefer that this whole area be dealt with through emotional haranguing rather than thoughtful and logical analysis. In any case, fear not -- the Internet is a very big place. Your porn cup still runneth over if you wish, the porn desert is not upon us, your prurient interests need not cower for fear of starvation. Rumors of the Internet Porn Apocalypse are unfounded. And now that we've settled that, we can all get back to the important work of churning out the cat memes. Meow. --Lauren-- |
A few days ago, in Die Passwords! Die!, I suggested that the venerable password -- despite the addition of extremely useful techniques such as multiple-factor authentication and other extensions -- is coming to the end of its usefulness in our 21st century computing and communications environments, and I discussed some possible evolutionary authentication regimes that seem likely to ultimately replace passwords in many venues. Most of the reaction was quite positive, but there definitely are dissenters within my inbox as well, largely paraphrasing Mark Twain from 1897, to the tune that "The report of the death of passwords is an exaggeration." This conveniently permits me to wring some additional mileage out the implicit horror movie motif of "Die Passwords! Die" -- and I'm not letting that opportunity pass by unrealized to its full potential. We need only look to the stereotypical vampire film for inspiration. Our heroes "the vampire killers" arrive in a small village. Usually there's a leader who has some sort of honorific prepending their name, like Professor Abronsius, Captain Kronos, or Dr. Van Helsing. The remainder of the crew are usually essentially the flunkies who sharpen the wooden stakes. Despite the often horrific attacks visited on the townspeople at intervals by the local vampire or vampires, the residents may simply want the vampire hunting visitors to just go away, leave well enough alone. They've learned to live with the vampires -- deploy plenty of garlic and an occasional sacrificed virgin -- and fear any "tampering" will just make matters even worse. To compare the "password protectors" with these terrified villagers is tempting but not entirely fair, since there are indeed arguments to be made in favor of preserving at least the outlines of our existing password system, though I personally don't feel that those arguments on balance win the day. It's suggested that hardware-based systems could isolate password-related data in a way rendering it at least theoretically invulnerable to the sort of password hash file breaches that have now become all too common. But buying and installing new specialized hardware like this seems like a non-starter for most environments, both from cost and an array of logistical standpoints. We're urged to find ways to get users to pick longer passwords and more random passwords. We're told we must convince them not to share passwords in ways that would allow a failure at a weak site to compromise authentication at a stronger unaffiliated site. We're reminded again about multiple-factor authentication, key management tools, one-time password systems, and other purported silver bullets. And indeed, all of these methodologies -- to one extent or another in different sorts of consumer and enterprise environments -- can definitely make a big difference toward improving authentication security -- if designed properly, if implemented appropriately, if deployed correctly, and if used responsibly and diligently by consumers. That's a whole bunch of "ifs" to deal with. But it's still all ultimately a holding action. You may be able to momentarily stall your friendly neighborhood vampire by holding a crucifix in front of their face, but you can't keep up that pose indefinitely, and vampires can be remarkably patient in such situations -- they usually have more time than you do. I understand why many persons have concerns about "federated" authentication systems, biometric or other personal identifiers, and various combinations and permutations of these concepts. And as I've acknowledged, doing these systems right -- in ways that provide appropriate compartmentalization and granularity of access to authentication credentials -- is an extremely complex task from both policy and technical standpoints. Yes, there are lots of "ifs" here as well. But there is a big difference with these non-password techniques, and while I don't want to sound condescending about this, the truth is that if we depend on most non-techie, busy users to voluntarily manage their password environments correctly in the long-term, we are actually doing them a grave disservice. It's easy for techies (perhaps like you, certainly like me) to forget that most users don't have the time nor inclination to be worrying about authentication details -- until something goes wrong, and panic sets in. It's not the techies I'm worried about -- we'll manage one way or another -- but it's the consumers who don't want to have to be security experts just to access their mail or bank accounts. The more complicated the demands we make of them -- choose the right passwords -- use the correct key management tools -- do this -- don't do that -- the less likely that we're going to see good outcomes overall. In the final analysis, this is why I feel that passwords have seen their day, why we must be moving on and finding our way to better solutions, albeit requiring a lot of deep thinking and hard work on our parts. You can try live with vampires, and you may manage it for awhile -- but in the long run it's going to be either them -- or you. I strongly believe that we have the technological capabilities to solve authentication problems in ways that will be better for consumers and everyone else involved, without leaning on password models that are increasingly problematic. We know how to solve such problems, if we set our minds to it -- it's very much part and parcel of what we do best. In other words, it's -- wait for it -- in our blood. --Lauren-- |