I can't believe anyone is surprised by this. Windows 10 came out of the gate completely weaponized in a way no Operating System ever was before (I was a Windows user, can't speak to the level of data-mining on the mobile OSes). So much work was put into all aspects of data-collection that it screamed class-action even to a layperson like myself.
Microsoft never states if their (unnamed, unnumbered) trusted 3rd-parties can also share data.
Microsoft does not release the names or the number of third-parties involved. They can be foreign, governmental, outsourced developers.
There is no language covering the release of this data to "non-trusted" parties.
Microsoft does not distinguish between personal and business data. This, additionally, puts businesses that are required, by law, to protect client/patient information (Law, Medicine, Finance) at further risk.
Microsoft does not distinguish between the (illegal) search/seizure and distribution of personal/business data. It does little to distinguish between adults and children. Captured data (including video) of those under 18 in legally questionable situations, redistributed to (an unnamed and presumably large number of "trusted") third parties, may and should place Microsoft as distributors violating various child abuse laws.
Military and Politician data captured can (and should) be viewed as acts of espionage/treason by the US Government.
Their data-collecting scheme had immediate and obvious legal ramifications. I couldn't figure out why OUR government wasn't more responsive to this threat. It's becoming increasingly clear that there has been lots of back-door collusion between the tech giants and our own government.
It did the same for me. I had been on Linux for about 6 months (because of some issues with Win7) waiting for the Win10 release. A new laptop was in my future.
A week after the Win10 release (still seeing red because of the privacy issues), I picked up an older laptop (wanted something super Linux-friendly) with legacy BIOS and haven't been this happy with an OS in over a decade.
My biggest worry now is that Open Source Software with strong privacy rights policy might be pressured by government/politicians, commercial entities and general public apathy to engage in the same kind of illegal data-mining for so-called "national security" reasons.
I haven't seen any issues raised on the operating system itself, people seem generally happy, but you may have reasonable concerns about iCloud type services where data is hosted somewhere besides your own computer.
Apple and Tim Cook in particular have generally been on the side of user privacy, of sticking with encryption even when it's causing friction with law enforcement, but they have also unlocked phones and computers when compelled by a court order.
It stands to reason that they be forced to disclose personal information, that they may have to hand over cloud-hosted files, email, or messages, or unlock devices.
As far as I know Apple has never tapped into someone's system to retrieve information from the operating system. The equipment in question has always been in the immediate possession of law enforcement individuals.
This is a thorny issue, everyone's idea of "acceptable behaviour" varies considerably.
Plus, if in the future Apple is compelled by law to allow remote access to systems under certain circumstances, things will change considerably.
However, from my understanding, newer versions of iOS no longer give Apple the ability to bypass their own security even if they wanted to. However, Android phones are a totally different story... Google just resets the pass code upon court order.
This is incredibly bad. The amount of personal information large companies like these have on everyone is scary enough on its own, but now they're getting blanket governmental immunity to share it with not only other private companies, but also several government agencies? I think of myself as relatively pessimistic, but I did not expect something this insane for some reason. If this is as straightforward as that site portrays it, or worse, then I'm kind of speechless.
Edit: It looks like the NSA/Law Enforcement wouldn't even need due process since the companies are just giving away the private data. https://www.faxbigbrother.com/#whatiscisa
Is government compelling these companies to hand over data? Or is it voluntary?
If government forced me to hand over data on users, I wouldn't want to be held liable for that. So, I'm not sure why people are complaining to companies about it? Do they expect companies to break laws?
People forget that government is always the highest power of the land. You are forced to do what government decides it wants to do.
Participation in this program is voluntary. Section 8 of the bill prohibits this act from being construed to permit the federal government to require an entity to provide information to the federal government. Here's the money quote:
(i) No Liability For Non-Participation.—Nothing in this Act shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this Act.
Reading through the bill, it seems like this is a well-intentioned attempt to promote data sharing between corporations and security agencies in the event of a widespread cyberattack. There are definite use cases for a law like this. For example, if both Lockheed Martin and Boeing are hit by a cyberattack, under this bill they are allowed to coordinate and mitigate the attack using data from both parties. But the enormous flaw in this bill is that there are only vague restrictions on the type of data allowed to be shared. These restrictions are so vague that an unscrupulous company could send all their customers' private data to the government under the context of this law.
The US needs reform on its cybersecurity defense and this bill is a step towards change. But with the potential for abuse this bill is a huge step backwards. Hopefully there are other ways to improve US cybersecurity defense without compromising civil liberties.
You can find a copy of the bill, including a short summary of each section, at the link below:
Getting immunity will eventually make them as bad as the carriers once they form "relationships" with the government, or when they want to win some big fat government contracts.
Microsoft already "needs" to win multiple contracts with the government, and Apple is supposed to "win" Apple Pay integration with federal services.
If all the data requests would be legal then they shouldn't need immunity, should they? This is 90% of the way the encryption backdoor the government has been requesting. That's why it's "backing down" on that.
Much like what Microsoft has already been doing years before this [1], the NSA will get Apple, Microsoft, Adobe, Oracle and others' zero-days ~3-12 months before they are patched, as part of the "cyber-threat sharing" program. That's as good as having dozens of backdoors in tech companies' software that billions of people are using.
Michael Hayden, who formerly directed the National Security Agency and the CIA, described the attention paid to important company partners: “If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful.”
This is how they are thanking them, by giving them immunity.
Salesforce.com reserves the right to use or disclose information provided if required by law or if they reasonably believe that use or disclosure is necessary to protect their rights.
Apple may also disclose information about you if they determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
IBM may also use or share your information to protect its rights or property.
Based on what I'm reading, they don't require sharing of the information, they just give companies sweeping immunity to do plenty of illegal things while doing so. The government sort of incentivizes this behavior. The problem is, companies are now lobbying to get this pushed through, so yeah, that's the fault of both the corporate and government players involved.
Some companies already have legal contracts with you to protect your private data. Are you implying they can break those contracts?
I need actual scenarios written out, preferably based on an actual example EULA being violated. Not "maybe something scary might possibly happen in the future."
The whole point of providing immunity is that previous contracts such as privacy policies become null and void in this context... I'm pretty sure you didn't read the link...
I literally cannot find the exact contract violating statement in the law that you are referring to.
I see an exemption for anti-trust, and I see an immunity to other laws requiring disclosure (say, FOIA), but I do not see any immunity to violate previously established EULAs.
Section 6(b): No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures under section 4(c) if ... (you follow the sharing rules and don't do anything provably sinister)
>If government forced me to hand over data on users, I wouldn't want to be held liable for that.
Government couldn't have gotten it if you didn't collect it. Why shouldn't you be held responsible for storing data in an insecure fashion (which, given the long arm of the government, translates to storing the data at all)? This is especially true of data the average user isn't considering as being captured/stored, such as Microsoft's grabbing everything you do and storing it.
It is? Please explain why other people should be prepared to go to gaol or businesses should pay heavy fines to protect my personal information from legal(1) government requests? Particularly when I apparently don't care enough about the privacy of said information to the point that I allow it to be stored in the US, where apparently these sorts of shenanigans go on?
Edit: (because I'm being downvoted to death, which I don't think the comment deserves)
These companies agree that our data should be private and protected. They are not prepared to take heavy penalties to protect those rights. Anger should not be directed at these companies, but rather at the completely fucked up US government approach to privacy. At the end of the day, whether these companies fight and get fined out of existence, or comply, the government will still end up getting your data. That's the problem, and it's the US government that has betrayed people, not the companies listed by this stupid site.
1. I'm personally dubious as to the legality of these orders, but for now the US judiciary don't seem to be opposing the executive on this one, at least for the time being, so hey, I guess it's legal...
A few years ago there was an IAMA on Reddit with an MS employee and he blatantly said that MS was funding anti-privacy propaganda so that their user base will be more complacent with their increasing privacy violations. I think this was when the cloud was still a new buzz word and Microsoft was coming out with Office 365 and in this case he justified it by saying that all these new bright technologies of the future depended on the users willingly giving away their privacy and so MS and Google were funding these marketing campaigns to prepare users for it.
So even if you look at it from a purely tech perspective, it is not in these tech giant's interest to safe guard your privacy nor do they want you to think that your privacy should be safe guarded.
And of course everybody is always drooling to data mine these user bases and who knows, sell the data to insurance companies maybe. I'm sure they will find some loophole to allow this.
Then there's the "PRIVACY IS DEAD" billboards which are plastered onto city busses in NYC. No business or advertisement mentioned, just "PRIVACY IS DEAD". Almost like it was trying to wriggle into the subliminal.
I think it's been fairly obvious for the past few years that privacy is being suppressed by malicious groups who have plans for user data. There's been really no resistance, except from niche groups who are encrypting everything-- but if it's only niche, it doesn't matter.
Google image search of "PRIVACY IS DEAD" + bus didn't turn up anything. Then I dropped the quotes and replaced dead with NSA, and got a bunch of bus pics with THANK YOU EDWARD SNOWDEN, so I don't think Google is part of this conspiracy.
I like the petition, I dislike the lack of sources. Please put sources for your claims, if they "began publicly lobbying Congress to pass the Cybersecurity Information Sharing Act (CISA)" then you sure have a source. Put it there! I guess this is the letter in question:
How do you boycott all those bastards at the same time? The last halfway viable option seems to be to build up alternative services outside U.S. jurisdiction. The shifting of revenue streams will be the only language those CISA fans understand.
One branch of the government authorizes another to force corporations to hand over all the private communications and information of a large number of citizens, and all foreigners; the majority of the public of that country agrees. Are the companies which are continually compelled to cooperate at fault for seeking to minimize the financial repercussions of this situation? How have these companies betrayed anyone?
The politicians, voters, bureaucrats, and judges involved in these actions have committed a horrible abuse of their fellow citizens, and (depending on your views on moral obligations to foreigners) an even larger number of other people. The companies they are forcing to cooperate have not betrayed the people any more than a taxpayer does when they (are coerced to) pay taxes that fund these programs.
Their stance is basically "Hey government, how about we fuck our users over? We hand you their private data and you make sure they cannot sue us for that."
They betrayed anyone trusting them with their private data and anyone who believed their pro-privacy declarations.
In many ways, corporations have more power than local governments as well as more citizen interaction.
People use Google countless times per day for a plethora of purposes, many of which are smoothly functioning and immensely powerful tools which are given freely.
How many times do you interact with your city, state, or federal government per day? What about per decade?
Of course they do, this is a meaningless libertarian platitude. There are kinds of force beyond a gun to your head, and most of them are far more effective and commonly used.
For the millionth time, an EULA is not a contract. A business can try to force a contract of adhesion on you (that is, a contract you do not have the opportunity to negotiate), but until the elements of a contract are satisfied, it's just one party blowing hot air at the other.
Even if there was a contract involved, clauses of the contract can be judged to be unconscionable if they are obviously trying to take advantage of the other party in an unusual or misleading way, or if they try to extend the scope of the contract.
> Companies have to operate within the parameters of the law.
Tell that to Uber. Or AirBnB. Both of which violate the law, are working to overturn the laws, or entice their users to ignore legally binding obligations. These are flagrant disregards for the legal ramifications.
And they aren't the only two. There are many companies out there who break the law. See Volkswagen and the emissions debacle they find themselves in.
History is rife with companies breaking the law. Just look at Apple. Microsoft. Google. All these companies have broken the law. And in each case, they've fought against what they think is wrong.
Do companies have to operate within the parameters of the law?
What do they mean by "....with the government and with each other" (emphasis on the 'with each other' part)?
The one I can understand is companies being compelled to share with the government. However, is this act also allowing these companies to share with each other?
If you work at one of these companies, and chances are some of fellow HN users are, please think how you would like the future to be - not only in terms of your product but also in terms of policy, freedom and privacy.
I'm actually one of the few people who seems to be scared of Google, and probably rightly so. So far it's just been paranoia that "they have all this data" on me and so many others,
yet continually they seem to be actually fighting for privacy.
I admire that, but they're still an insanely large target, and, even if they don't share that information now- you can bet they're tracking/logging it... it's their business model.
All that data may be profitable in the future in some weird way we cannot even imagine at the moment. They have the resources to store and use it. Maybe even abuse it if they can find out some happy legal way to do so.
The grey zone between privacy and public keeps morphing. Problem is what kind of data/information should be public and what should not be public. And in what form? In what timeframe? Some information could be very beneficial for one (company, person, government, institution, etc.), but have horrible consequences for others.
But they seem to be orders of magnitude better at keeping it safe than, let's say, your government or health insurance companies that have orders of magnitude more data than Google.
I trust my data more with a business than with a government. Businesses have a lot to lose by leaking or selling your data; governments couldn't care less.
I can almost guarantee that the people that maintain TOR won't be happy to see something like this, since their lives are spent maintaining a tool that can give people anonymity.
Except that there's only so much bandwidth to go around. It's not that simple. More users (who don't run nodes themselves) means the same bandwidth among more users = slower for everyone = less usable for people who actually need it.
I had wondered, if companies are ordered by the Government to hand over the data and have little to no recourse to prevent it, are they then liable?
No doubt a number of people tried to challenge the companies' liability in these matters after the Snowden leaks, and I'm wondering if anything interesting eventuated from it.
The Wikipedia summary is a bit limited, but basically the security services OK'd (and indeed ordered, I think) the company to ship weapon parts to Iraq past an embargo.
However, nobody told the customs authorities, who spotted it and started to prosecute the directors of the company. Their only defence was their (classified) instructions from the MOD which it would have been illegal for them to mention in court. They might have gone to jail had the whole thing not collapsed publicly.
In the US, it's quite conceivable that someone could be ordered to do something by an NSL that is illegal.
Internationally, maybe other countries will see this as a threat against their citizens who share information with these companies (because it is), and therefore accuse the local subsidiaries of those companies of treason, and/or ban their products and websites.
But maybe I'm just optimistic and all will play ball; nevertheless, the world's hate against the US will keep rising and being rightfully justified until one day the heat may be too much.
However EU nationals have rights under EU law, and data protection "safe harbour" rules require that information of EU nationals that's exported from the EU should be protected.
I believe the Microsoft case in Ireland is about this question.
Edit: see also curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf
"The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy, protected by the Charter."
=> therefore the "safe harbour" allowing the export of private data from the EU to US servers can and should be suspended.
I don't think so, and if anything, it's worse if you're non-US. The main purpose of those bills is to allow things already used on non-US citizens (when the traffic goes through the US).
I found this thread on the front page (#1 spot). I read all the comments and when I checked the front page again, it was nowhere to be seen. At the moment of this comment it has 270 points in 1 hour...
This law is necessary to protect companies when they submit data when they report breaches to the government. Without it, companies aren't going to stick their necks out by letting people know they were hacked. That's what this law is about.
It's nothing surprising. I hope we are all aware the controlling few are slowly but surely putting their agenda of total control into action. I've seen an attitude of some Rockefeller fellow in the movie Zeitgeist, who stated when asked what is their (rich people that control the world) goal, why do they grab more even though their families have more money than we could guess:
"Well, our final goal is to implant a chip in every human being. That chip will be radio controlled. And when we don't like that person anymore, we push the button and the person dies."
Now, this may sound cruel, but I agree with this guy. The smart, rich and capable people should have this kind of "swift justice control" of other people because most of the people that I know waste their lives. When you give an average person freedom and power, most of them will not know what to do with it, and they would end up in corruption of the soul. They would turn bad, looking for hedonistics. Maybe my country is just above average filled with "I don't know how to productively use my God given blessings and learned skills" kind of people.
Cheers
I.H.
"Now, this may sound cruel, but I agree with this guy. The smart, rich and capable people should have this kind of "swift justice control" of other people because most of the people that I know waste their lives."
I know that personal attacks are not allowed in comments, but what on earth were you thinking when you wrote this comment?
Edit: Ok, we'll restore it, but with a less inflammatory title that is taken from the article's top paragraph. If someone suggests a better title we can change it again.
I don't think this is the right choice when the titles are so different.
I did not read "Why we are leaving Heroku" because someone's gripes with a host I don't use are low-priority. It's effectively invisible to me. I am however interested in the broader story that impacts dozens of companies, changes to US law and the nature of privacy itself, so I read this one and it was clearly gathering more interest.
How about retitling the other story and merging the discussions?
Whether it's a duplicate is not a question of the titles but of the story's content. Two stories from the same site advocating for exactly the same cause are pretty clearly dupes by the usual HN standard. But since people seem to feel strongly about this one, we'll override that and restore it.
This reduces exposure for the story though. This was the no. 1 link on HN when you marked it as a duplicate completely removing this link from the front page.
The other story looks Heroku specific (I interpreted the other story title as something about bitter employees for one specific company leaving that company, not about a severe threat to privacy); this was the one that got attention. I think it would be a good idea to restore it, because it will probably lose a lot of exposure otherwise.
This bill is a testament to that.