Essentially the government has built a surveillance state by outsourcing it to private enterprise.
I think it would be interesting to know how people really feel about this. I would love to see a survey that actually truly explained the trade-offs and see how people felt about it, e.g. avoiding the “should government be able to subpoena records from private business” but actually ask questions like “is it OK with you that with a subpoena the government can get a list of every website that you have visited?” And then present the trade-offs and abuse cases. I really think that we’ve allowed the surveillance state to form without actually having a meaningful public debate about it.
> Essentially the government has built a surveillance state by outsourcing it to private enterprise.
This has been going on for a long time. A decade ago, Microsoft purchased Skype and converted it from secure peer-to-peer[0][1] to sending all user data unencrypted through their servers while giving the government access to everything. "The 2013 mass surveillance disclosures revealed that Microsoft had granted intelligence agencies unfettered access to supernodes and Skype communication content."[2]
Also, Skype harvested users' computers. I noticed that when Skype was running the hard drive would be constantly accessed, on an otherwise idle computer. Checking with Process Explorer showed that Skype had a lot of disk reads (hundreds of MB). This was the reason why it got uninstalled.
But people are happy with Microsoft products. - "They need telemetry to improve the product". - "But there is no improvement. The product is even worse". - "Maybe it's your experience, I already feel better using the new product". or - "I have nothing to hide. They are my friends". What happens when the regime is changed? (See Afghanistan.)
I believe Skype is dead by now for average users. Some still use it in business environments, but they sure did a good job in getting rid of it. Without much success though, since people just use other products.
There are so few actual terror attacks that the FBI has resorted to goading innocent buffoons into making incriminating statements so they can claim to have foiled something.
There was never a real problem for law enforcement to solve. All we ever needed were reinforced cockpit doors.
That seems to be something literally all governments, from Belarus over Turkey to China, the US and Europe can agree upon. Surveillance of one's citizens is good; consequences of this surveillance vary by country, though.
I remember in the 2016 election Hillary Clinton's VP mentioned in a debate that their administration would make it easier for tech companies to share data with the government for "cybersecurity" and it's obvious that what they wanted to do was legalize transfer of surveillance materials from corporations to government. And it's so frustrating because nobody seemed to notice that line and it feels like the public hears that and thinks "cybersecurity good" and doesn't think about it at all. Like if the Democrats had come out and said "we're going to expand government surveillance by paying Microsoft and others for your data" it would have been extremely unpopular. But by using obtuse language they can actually claim a win while saying basically the same thing.
I don't think there is any big conspiracy there because it is already legal (and always has been) for companies to give surveillance data to the government.
The government can't take it by force without a warrant. But the company is free to give it to them if they ask nicely or otherwise.
The point is that they proposed expanding these relationships and they billed it as “security”. But anyone who really understands security knows that collecting more data and sending it to one big third party is the opposite of security. They wanted to expand surveillance while telling us they were protecting us.
"They wanted to expand surveillance while telling us they were protecting us."
The issue is that they (i.e. government) have always done this. I'm only 35, but I remember this being very clear immediately after 9/11. You just say the boogeyman is terrorism, and that is used to justify end-runs around the constitution via the "PATRIOT" Act, etc. etc. Before terrorism, the excuse was communism. Maybe I'm just cynical now or read too much "1984" as a teenager, but I feel like there will always be a new boogeyman that they use to justify more authority, more powers, and all the while saying it's for our own good and to 'protect' us.
Worse, most people do not even know what they are giving up. But I agree with your sentiment. It is deeply frustrating that the public does not know enough to care and even when they do they believe the government is really there to help us.
Do you think that only one US political party supports this crap?
What about the patriot act?
There are tons of other examples about how this isn't a partisan issue, and getting people to think of it as partisan only helps their goal in getting it through.
No, I do not think one political party supports this. Just because I mention something Democrats did that I don’t like doesn’t mean I’m a Republican. I mentioned it because I grew up a Democrat and when I realized it was all a sham and all the politicians are lying I got mad at all the democrat constituents who don’t notice this stuff. I’m a libertarian leftist now.
This is exactly how you get around those pesky laws that prevent you from doing it yourself as a governing body. You just let/encourage/look-the-other-way as private companies do it for you then you just buy access from them. All perfectly legal since those private companies are busy selling your private data to anyone and everyone else.
The advent of smartphones, social media, search engines, pervasive online shopping are all absolute boons for surveillance entities.
And the best part is that the users/public just gives all of this info up willingly and for free.
I think many users, even if they do know that their information is being sold around, don't care. They don't know how it may affect them negatively.
Especially since it's been happening for a while now and nothing outright bad has happened to most individuals. They just enjoy using Instagram. They see a targeted ad and are like "oo scary... they know me" and then continue on.
> The advent of smartphones, social media, search engines, pervasive online shopping are all absolute boons for surveillance entities
The only way to avoid this would have been to design the Internet as something Tor-like from the beginning, which would have been impractical from an efficiency standpoint.
It's not your money they are after. Some advertisers are interested in your money. Other advertisers are interested in influencing your opinion.
If you are in the US: Should you support Israel?
If you are in the UK: Should you vote to leave the EU?
If you are in Germany: Should you support US troops in Asia?
If you are in Australia: Should you support economic treaties with China?
Advertising techniques can sway you - and large portions of the population - into supporting or not supporting many facets of policy. If the Arab states want to destroy the Jewish state today, they would not send troops. They would fund influence of opinion of the American and European population.
Not sure if it’s any worse than the pre-internet days, with print media making everyone believe that there was only one single truth. Nowadays you hear a lot more diversity of opinion rather than just ISRAEL GOOD (ie, Israel maybe isn’t the good guy here and their troops maybe shouldn’t be shooting kids in the street and sexually harassing Palestinian women).
> Essentially the government has built a surveillance state by outsourcing it to private enterprise.
Well, yes, that's essentially the whole point of silicon valley. The government and military fund the creation of startups that have tactical value. Those businesses become self-funding and improve the US economy, which also has military value since a robust economy is harder to attack. This has been explored in a few places, e.g. [0], [1].
But it's not like any of this was secret. The off-loading of government operations to private industry, combined with the lobbying for reduced regulations on private industry effectively gives the government carte blanche with the added bonus of plausible deniability.
Whether or not these trends are good has been debated for half a century in the US.
At least China is transparent in what they are; the US does the same shit but uses loopholes. Before anybody says it isn't bad yet or comparing it to China is unfair, think about the fact that all this infrastructure is already in place, all it takes is 1 bad person to start fully abusing it. People in China are at least aware they should be careful; the average American has no clue they are effectively being tracked at all times.
The US system isn't better because we don't have government officials who want to spy on us. The US system is set up assuming that's what all governments do eventually.
The US system is superior to China because we have checks and balances that actually: 1) uncover this stuff, 2) share it with the public, 3) have a system to provide feedback, 4) courts to uphold rights.
The US system isn't perfect and it isn't always fast, but the point is there is a system of checks and balances that hopefully bring it back to what the people intend it to be.
>The US system is superior to China because we have checks and balances that actually: 1) uncover this stuff, 2) share it with the public, 3) have a system to provide feedback, 4) courts to uphold rights.
1) Surveillance of citizens in China is public, no need to uncover anything.
2) In China their government already shared it with the citizens since it's official policy.
3) Since when did the feedback start to matter?
4) It's very naive to assume that the laws and the courts will always be free of abuse and will always protect the freedoms of the citizens, protect their interests and protect the innocent. We are far from living in a perfect world: the only way to make sure someone can't abuse his power is to not give him that power. And they have courts in China too, if that matters.
That's my point. The US (and other countries) systems are superior because at least there is some mechanism to put a stop to it. In China there isn't - as you said it's official policy.
"we are far from living in a perfect world" well yes. And we never will live in a perfect world where privacy is never violated. There will always be people willing to break the rules to benefit themselves.
And since when has feedback mattered? It matters all the time? I mean the Democrats won an election and are now proposing a massive spending bill taking the country in a very different direction, just as one example.
> The US system is set up assuming that's what all governments do eventually.
What good is it when the fundamental principles arising from those assumptions are constantly being eroded? It appears some American states restrict even the bearing of arms now. If the founders of the USA were to resurrect today, I wonder what they would think about the nation they created.
> If the founders of the USA were to resurrect today, I wonder what they would think about the nation they created.
I don't understand the fetishisation of the US "founding fathers". What does it matter what a bunch of people who lived 200 years ago thought and wanted and how they would feel about today's version of that? Considering some of the things that were normal in their time, like slavery, the subservient role of women in society, power only in the aristocracy or rich people (even the "bastion of democracy" US wasn't a popular democracy where everyone had a vote until after WWI), segregation, etc., of course they'd disagree. And so would Louis XVI, Franz Josef, Queen Victoria, Hitler, etc. So what?
Who cares what those people would theoretically think and why?
Noam Chomsky talks about this in Manufacturing Consent. Under authoritarian regimes they can tell you about the bad stuff they're doing because you have no choice. In an apparent democracy they have to trick the public into going along with the bad stuff by hiding what is really happening.
Meanwhile in China they're straight up mandating that companies transfer all data to state-owned storage platforms.
>A ministry supervising state companies, the State-owned Assets Supervision and Administration Commission, is mapping plans to set up more government-controlled providers of cloud services for data storage, people familiar with the agency’s workings say. Such services have been dominated by private companies, including Alibaba and Tencent.
>The city of Tianjin has ordered companies it supervises to migrate data from private-sector cloud platforms to state-owned ones within two months of the expiration of existing contracts, and by September 2022 at the latest, according to an official notice dated Aug. 12. More localities are expected to follow suit, the people say.
>Government-controlled entities are acquiring stakes and filling board seats in more companies to make sure they fall in line with the state’s goals. ByteDance Ltd., owner of the video-sharing app TikTok, and Weibo Corp., which runs Twitter-like microblogging platforms, recently have sold stakes to state-backed companies.
"Essentially the government has built a surveillance state by outsourcing it to private enterprise."
There's a rather innocuous sounding name for this - "public private partnership" [1]. If you've ever experienced this scenario first hand, you'd truly be surprised how much government is run in partnership with private enterprise.
>Essentially the government has built a surveillance state by outsourcing it to private enterprise.
How long until the government finishes outsourcing all its attributions to private entities and corporations take ownership of governance? Then instead of voting, the citizens can manifest their interests through buying shares.
Government Alphabet agencies (see what I did there) don't just outsource, they run shell companies and real companies. They also invest in startups. Along with the revolving doors of regulation and regulated industries, nepotism, insider dealing one wonders if the labels such as Government and Corporate are just a distraction? The extent of this is probably unknowable but sometimes I wonder how much we all know for certain, because it is so obvious, is not actually so.
The "outsourcing" metaphor is mostly true but misses something important which is compulsion. Outsourcing implies a voluntary relationship, whereas a court order combined with an implicit threat of trouble if they don't follow, isn't.
It's optimistic to assume people feel anything at all. They'll just assume that the government won't actually target them with these powers. Just like violence seems like a distant reality until it happens to them.
This feels like classic Americanism. We’re so obsessed with freedom from the government and ensuring capitalism marches on that we never bothered to think our government might just buy its way into what it wants.
We kept the concepts separated, and weren’t paying attention.
>We’re so obsessed with freedom from the government and ensuring capitalism marches on
Then why is capitalism being killed and replaced with corporatism? Why is every industry consolidating, having one or a few very big players and no medium and small businesses?
I have hope that we here in the U.S. will be able to get out in front of this one. Despite all the complaining the justice system still mostly works and we have a libertarian streak a mile wide. Perhaps the thing to do is show those in power that they haven't escaped the dragnet...
All politicians, high-ranking officials, and tech leaders are basically owned by foreign intelligence. This data can be analyzed carefully to build profiles and strategies to influence.
The US had a wiretap on Merkel. Do you think Russia, China, Germany, Israel, Iran and North Korea don't have the same on every other major political figure?
Let's face the truth: none of us is safe. Everything we do, even if we are just ordinary 9-5 office workers and not politicians or activists, is ending up recorded somewhere.
The only way out would be a nation-state effort of open source: everything from the VHDL of the chips over firmware to the OS, and enough money to fund audits of all components. At least, users could then somewhat trust at least their clients, and treat the network as a dumb leaky network of pipes.
> Do you think Russia, China, Germany, Israel, Iran and North Korea don't have the same on every other major political figure?
Do you think US intelligence don't also have the same? We've already seen a sitting US president hire intelligence agents to bug his enemies and political rivals, it's not like there's any reason to suspect that was a one time occurrence.
Leaders under more authoritarian governments don't have to answer to rando voters. They only have to answer to their country's elites, who support what they're doing.
This may be a controversial opinion, but I think some level of surveillance can be good for people. If you are convicted for a crime, you should be able to use records to prove your innocence (eg. cell tower logs to show that you were nowhere near the murder and had an alibi). We already have this where traffic cameras can show who was responsible for car crashes.
However, a lot of current surveillance is more about snooping. That's where it crosses the line for me. I guess it comes down to ownership. I should own the text messages and call logs because I have access to them. AT&T can own the cell tower logs because they own the cell towers.
Not really controversial but ignorant of how real life law enforcement works. You will never find yourself using tracking data to prove your innocence, that is TV/Hollywood fluff.
You will find yourself on the short list of suspects because you were in the area of a crime. If you actually read some news you will also find that it is often because one of the law enforcement officers decided their "gut" feeling was you are the most guilty-looking and now they have a solid starting piece of evidence to use against you.
It is certainly controversial, but also not very perspicacious. Towards whom do you need to prove your innocence? Against an encroaching state that convicts without evidence? Well, governments are guilty of that, sure. But then that is a problem in dire need of fixing, not tools that maybe provide you an alibi when stars align correctly. An alibi you shouldn't need in the first place.
When I did it, I could see they recorded IP addresses, time stamps and data transfer volume of every web site that I visited over their network, along with cell tower connections. It was fascinating.
Just out of curiosity, do you use a VPN? I always browse with a VPN on my phone for precisely that reason and am wondering if it actually works to help protect my privacy.
I route all of my mobile data through a Wireguard VPN on my home's network, and everything on my home network is routed through PiHole where I block/disable a lot of tracking and extraneous junk requests.
Generally speaking, this makes me feel better when using mobile data or any foreign network (public, friends, work, etc.) since I know all of my outbound requests are coming from "one location".
I can reroute outbound access to an external VPN if/when needed, but it's really a crapshoot for who you trust to keep track of your outbound requests. I don't trust any VPN out there to be strong enough to say "NO" to an intrusive 3rd-party like the US gov. No more than my own ISP at least.
For someone overly paranoid about tracking, I would probably suggest just using Tor, but for basic consolidation of internet access, routing through a self-hosted VPN at home works great.
Using a VPN would protect the privacy of your IP sessions from Verizon, although your VPN provider would now be able to see all of your session information.
I suspect a VPN user would show up in the Verizon data file with many large TCP sessions to a very small number of IPs.
I suspect that the effort required to successfully produce viable evidence from a VPN provider such as Mullvad is significantly higher than the effort we see here from ATT, T-mobile, Sprint, and Verizon.
I am my own VPN provider. EC2 micro instance on AWS running StrongSwan. Sure, feds could dig that up, but it would be messier. I wonder what in/out logs AWS keeps on its VPCs....
None? I've had this for a long time with no issues. That's weird. I'm on it now listening to spotify, reading WaPo and browsing HN. What sites complain? I'll try it?
You might have gotten lucky with the static IP / subnet assigned to your machine.
I set up a VPN on a Digital Ocean instance and got captchas all the time on various websites, especially ones using CloudFlare etc (I’m aware of Privacy Pass but didn’t bother setting it up as it was a temporary thing)
You can always use Privacy Pass as quite often you're dealing with CloudFlare protected sites.
That said, if you're using your own EC2/lightsail instance you won't see as many CAPTCHAs as, say, using a commodity VPN service.
Given you can't detect a VPN per-se (if configured properly) usually the way it works is that the destination node knows you're coming from a source IP from a known VPN-supplier's well-known IP-block.
If you go for this kind of setup (running your own VPN on AWS) you're simply changing your ISP to Amazon. They still might (and probably will) be monitoring egress traffic at the very least to perform any kind of incident analysis.
t3.micro = $0.0104 x 750 = $7.80/mo without taking your bandwidth into consideration.
Lightsail costs $3.50/mo with 1tb transfer bundled or $5/mo with 2tb.
If your setup is scripted then it probably makes sense to switch over to save a bit of cash. Others following the same path could save some money by using Lightsail as opposed to EC2.
I know I'm not selling my requests? I don't have to trust lightsail. Sure, I have to worry about AWS keeping logs of my requests but that seems less likely? Is that your argument?
Lightsail is basically an EC2 instance packaged with an ipv4 address, storage and bandwidth to compete with low cost VPS providers.
I personally use lightsail for most always on things and then just use ec2 for on demand workloads, because it works out far cheaper (these are just random personal projects so I'm heavily optimising for low cost)
You can't configure the lightsail instances as much as an EC2 instance, but otherwise it's essentially the same product (both operated by AWS).
It might not cost much for yourself, but when we're talking millions of people. Data points being recorded multiple times per day per customer, the size of that data would be huge.
The purpose is for time tracking. I am a developer but I go through periods where I work on _many_ different projects. And also I sometimes get pulled in (without warning) to support the team on client calls.
It is not uncommon for me to have 15-30 different time tracker entries for things I worked on in a single day. This is not an exaggeration. Then other days I will work on a single task for entire day.
So all of this unscheduled stuff gets lost pretty easily. Calls scheduled for an hour run only 30 minutes. Client A needed 10 minutes of support here, 20 minutes there, 5 minutes there. I want to be as fair as possible to our clients.
And related to client support, there is often the question of "who owns this bug" and who pays for the call. So I can use screenshots of the client environment to relate to the team and get more information about whether we should really be billing for the call or if that's something that needs to be improved in our software.
Also I support other developers. Skype calls with developers tend to be short. But boy can they add up. If I'm spending 3 hours a day on support overall, I really need to track that. That time needs to go into the right project at the very least.
So that's where the screenshots come in. This is not something the company asked for or have ever requested access to. They know I do this. So when I say I spent two hours supporting a client, they feel confident sending out that bill.
It actually started as one of those experiments into time lapse video. But I multitask way too much for these to be usable videos. Though I have hand picked select days and turned them into something very cool.
Quite the opposite here. I did this myself without any sort of request. This is one of the highest trust environments I have worked in. If this were forced (or expected) in any way I would be looking for a new place to be.
Is it? How do they bill you without knowing how much data you transferred? How do they debug what went wrong with your connection without logs?
This stuff is barely scratching the surface of the data those companies collect and maintain, likely for long periods of time, just to analyze and improve customer experience.
As if ATT gets on the line with end-users to debug site-specific issues!
Aggregate data usage is one thing, but retaining any kind of detailed logs on where one goes or how much data was used on a specific site is unnecessary for the base provisioning of network connectivity.
>This stuff is barely scratching the surface of the data those companies collect and maintain, likely for long periods of time, just to analyze and improve customer experience.
Heh, just to analyze and improve customer experience? Nothing else a bit more unsavory?
>> This stuff is barely scratching the surface of the data those companies collect and maintain, likely for long periods of time, just to analyze and improve customer experience.
> Heh, just to analyze and improve customer experience? Nothing else a bit more unsavory?
The point is this data would get captured regardless, surveillance or no. Mass surveillance (at least in this matter) often isn't so much about what gets captured, but how long it gets retained and who gets access to it.
I was curious about this. I knew that logged data has to be turned over if there is a warrant. I wasn't sure if logging was mandated.
I found this article [0] describing the situation in various countries, with the following info for the United States:
> Data Retention Period = 1 Year for Internet metadata, email, phone records
> Authorization required to access the data = Various United States agencies leverage the (voluntary) data retention practiced by many U.S. commercial organizations like Amazon through programs such as Prism and Muscular.
> Status Of Data Retention Regime = No mandatory data retention regime
I'm guessing the above means that metadata (user IP and also user web and email destinations) is held for a year, but retaining actual user data (email contents, etc.) is not mandated.
I mean it may not be explicitly required by law but if you can't identify which customers broke other laws then aren't you opening yourself up to liability?
There is currently no federal rule, law or other mandate for US ISPs to develop, construct or keep CGNAT translation records. The laws that apply in this area only apply to records voluntarily created by the network operator.
"The slide also shows that AT&T retains “cloud storage internet/web browsing” data for 1 year. When asked what this detail entails exactly, such as websites visited by customers on the AT&T network, AT&T spokesperson Margaret Boles said in an email that “Like all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law.” The document also mentions that law enforcement can request records related to wearable devices from AT&T."
Do you know what this “cloud storage internet/web browsing” data looks like?
Do you assume that the FBI does not have a similar document for Cloudflare (or any VPN or DoH provider)? I think it's probably healthy to assume that your accessed host history is semi-public regardless of how well you try to protect it. Note that even with esni your ISP or your VPN's ISP will still know the IP addresses you're getting to, and in most ordinary cases can do a reverse lookup.
CF doesn't retain much if any data from 1.1.1.1 so at a minimum you are protected from retrospective surveillance. I agree it's impossible to be perfect but let that not be the enemy of good.
>Is there any way to change dns servers on lte/3G?
Probably doesn't matter because regular DNS is performed in the clear. There's nothing preventing them from logging/intercepting your requests even if you changed them.
>Odd that iPhones let you change it for wifi, but not cellular.
>What about android?
AFAIK on both changing DNS can be done by using an app that acts like a VPN, and intercepts the DNS requests.
The legal aspect might change what AT&T 'has' to log, although they likely voluntarily include other passively-obtained port 53 traffic in their cooperation.
iOS works with OpenDNS; think of it like a cloud Pi-hole—I was using the app which used to have issues with cellular, but has worked as expected more recently. Use the generated profile…
> Ping: The network sends a message to the phones internal GPS receiver to report it's location (must see min. of 4 satellites. GPS coordinates of device and suspected radius from tower e-mailed(or through L-Site website) every 15 minutes for 30 days. Can be done manually every 5 minutes.
I wonder if this is facilitated by one of those infamous "carrier app" backdoors included in stock OS but not e.g. in GrapheneOS:
You don't even need a traditional app backdoor to do this. The carrier can just send the message to the baseband radio itself, which has a direct connection to your GPS receiver, among other things (usually) like the camera and microphone. That means these peripherals are accessible (in theory, Snowden says it has been done in the past) even if the main app OS is shut down.
GPS in 3G or later is integral to Baseband Processor which is a separate ARM CPU that runs its own RTOS. If your adversary gets to push BP patch over SMS you're probably owned no matter what OS you run on Application Processor.
The oddly fascinating piece of trivia from all this is the following: voicemail has more protection (requires an actual warrant) than your internet searches.
Your point? Most customers in the marketplace are averse to change across any service. It’s not uncommon for users to stay with single providers due to momentum.
My point is that saying iPhone users are by default AT&T users rests on the assumption that people have stuck with the same decisions they made about mobile network and phone operating system that they made over a decade ago. That isn't even factoring in the growth of the market overall and the people who have bought their first smartphone within the last decade.
The churn rate for wireless carriers is around 2% per year in the US, give or take. There are about 300M wireless subscribers in the US. Meaning that around 6M wireless subscribers per year switch carriers.
Probably IPv4 is on CGNAT and Sprint doesn't keep the logs of the translation.
On IPv6 there's no NAT, and there might be a deterministic relationship between subscription and IP
That's neither ethical nor transparent. And the guy writing that post is ex-FBI.
An ethical and transparent way to handle such subpoenas would include:
1. If possible, not being a US company so you might be able to avoid the subpoena in the first place.
2. Have a policy of not keeping user data at all, or keeping it with a third party that is not legally bound by US government subpoenas, so that it can't (?) be subpoenaed.
3. Publish any subpoena you get from the government.
4. Moreover, arrange it so that subpoenas are published before being read, so that if you get a National Security Letter, you would not be able to comply with the non-disclosure requirement. Another way to go about this may be to only open subpoenas in a public forum, preferably with journalists present. Try to consult ACLU/EFF lawyers about this particular issue.
5. If the government somehow gets its hands on user data, inform the users immediately.
>4. Moreover, arrange it so that subpoenas are published before being read, so that if you get a National Security Letter, you would not be able to comply with the non-disclosure requirement. Another way to go about this may be to only open subpoenas in a public forum, preferably with journalists present. Try to consult ACLU/EFF lawyers about this particular issue.
I can't imagine this working more than once, the government can just verbally inform you of the non-disclosure requirement when they deliver any future documents in person.
It working once is enough, provided you're the first person it occurred to.
In Jujitsu, that's the way it works. You create a new technique, or rediscover it, you get one free shot at Sensei, and then it doesn't work the same anymore.
Can you elaborate how you think a tool like this is neither ethical nor transparent? And why is it bad the writer is ex-FBI?
You appear to be passionate about the issue at hand, but your knowledge on this process seems to be limited.
1. Not being a US company doesn't matter - international agencies send subpoenas just like the US agencies. US govt can send subpoenas to international companies just the same.
2. Not having PII or user data doesn't prevent subpoenas (i.e. Reddit, 4chan, Whisper, etc.)
3. Subpoenas often come with Non-Disclosure Orders (NDO). Even without NDOs, publication of the actual subpoena is arguably more irresponsible just by the sheer fact you could be publicizing PII, and subjecting this user to unfair, and non-contextualized public opinion. Big tech has adopted transparency reports for this reason. User notice is the goal - not publicly shaming your user just to make a point to the government.
4. Non-compliance and willful disregard for the legal order will not change the overall problem. Ironically, you're right that the best way to prevent data requests from the govt might be non-compliance...then the company would get shut down for said non-compliance...so there would be no company for the government to subpoena.
5. User notice is obviously a legal department best practice, but if there is an NDO it puts legal repercussions on a company for disclosing such info. Keeping this process clunky/messy/disorganized hurts the user, and the company. You say this company is not ethical, yet Kodex automatically informs users about data requests pertinent to them, and if there is an NDO, the user is notified immediately upon expiration rather than relying on a legal department employee to remember to manually do it months or years later. Would it be more ethical to keep the process unchanged and prone to human error?
These guides for Law Enforcement (LE) to get data are actually meant to streamline the process for the company, so companies don’t have to deal with non-valid subpoenas. The subpoena is coming regardless…why waste time/resources dealing with non-valid subpoenas when educating LE will help streamline things. Obfuscation is never going to prevent these legal orders…if the FBI wants to send your company a subpoena they are going to whether you tell them how to do it properly or not. Kodex is a best practice that standardizes how the govt can interact with companies, to keep the govt in check, while keeping companies compliant, transparent, and accountable about the process.
As the writer said: “There is a lot that can be fixed in government. This process is one of them. The goal is not to ‘help the FBI do their job more easily’… making the process easier for the company, forces the government to do their job BETTER, and helps society move forward.”
1. "International agencies send subpoenas" - which agencies? I doubt they send the kind of subpoenas described in the FBI guide. Of course, different world states may have this problem themselves.
2. Not having PII or user data may not prevent a subpoena, but if you're subpoenaed for data you don't have, then you just write back saying you don't have such data.
3. If your process of handling mail is transparent to begin with, the order is (probably, hopefully) moot. I had assumed only NSLs can have such non-disclosure orders, but I guess the USA has a slightly more repressive regime than I had assumed... as for subpoenas containing PII - do you mean about the people the government wants to spy on? It's morally necessary to publish who the government is spying on. I hope (though, again, not a US lawyer) that publicizing this is protected by the first amendment anyways.
"You say this company is not ethical, yet Kodex ... informs users about ... an NDO ... immediately upon expiration"
So, the Kodex+its client would hide a subpoena from the user while it is in effect. This is most likely unethical, and certainly immoral.
4. Mass circumvention (or disregard) of government orders will most certainly change the overall problem. Just like general disregard of copyright infringement of file sharing platforms and applications has had significant effects on music distribution, academic publishing etc.
5. The process doesn't need to be clunky, messy, or disorganized - but certainly, a primary concern must be preventing the government from secretly spying on people.
You know, if you bring up the First Amendment in US, people usually stop listening. I haven't seen it brought up in court, though. But even in court. Unless of course there's something exceptional and sound in a strict sense about your argument (off the top of my head "I was born on the Moon. Because everybody who has ever walked on the Moon, and the only military on the Moon, were American, and the only country with a human presence on the moon, was America, therefore it is part of America, therefore I was born in America, and am therefore an American citizen." Suppose that's the truth, you were born on the Moon, and you say just what I wrote, and you believe it, and you mean it, oh man. American courts will, yeah, they'll really sympathize with you, and then yes, they will accept "freedom of speech" as an argument.
Lol woah - maybe I should check HN more than once a week. Let's dive in!!
1. “I doubt they [international agencies] send the kind of subpoenas…” - It’s a gross display of willful ignorance to assume things just so it agrees with your opinion. This is Facebook’s Transparency report (https://transparency.fb.com/data/government-data-requests/co...) They are just one example, with hundreds of thousands of requests coming from outside of the United States. There are 195 countries in the world…170 of them have sent them to Facebook alone.
2. You are literally proving the point of why those data guides were created…so no one asks a company for data that they don’t have and waste everyone's time/energy. The reality is that every company has some form of data…if a company didn’t have any sort of data how in the world would they be able to display any information, or do literally anything ever? There is always something to ask for.
3. Lol so many absurdities going on with this bullet so buckle in:
3.1 - “If your process of handling mail…” - So do you not use email? Most people graduated from mailing addresses to email addresses because it was a better way of doing things and easier than mail…most companies use emails to deal with subpoenas…a tool like Kodex is easier than email and takes the burdens away from this legal obligation…keeping the process difficult only makes it difficult on the company, not the govt.
3.2 - “USA has a slightly more repressive regime than [you] assumed…” - NDOs are used so the subject of a case isn’t tipped off. For example, would you prefer pedophiles to be told “the FBI just asked for the CSAM on your google drive” and have the pedophile go dark/get away, and continue to abuse innocent children as a result? Is that “repressive” towards the pedophile? Or a necessary legal vehicle to protect the innocent? Would you rather the USA take the unfortunate approach that some countries do, and not do anything about heinous crimes like that?
3.3 - “Who the government is spying on…” - “Spying” and “investigating” are two very different things. Choosing to use the language “spying” for a subpoena is either ignorance, or a determined effort to fit the narrative you want and demonize what is actually going on. Subpoenas are legal documents that go through a court. Spying does not. That NSA/Snowden scandal had nothing to do with subpoenas…that was all Top Secret spy programs that did not involve courts, or legal documents…Subpoenas are all unclassified information used for investigations, not on-going spy programs.
3.4 - “Publicizing…Protected by first amendment…” - You can’t yell fire in a crowded movie theater. Aka Free speech is moot when it is “a clear and present danger that they will bring about the substantive evils that Congress has a right to prevent.” You have a right to express your opinions, desires etc, but not to put others in harm’s way. These investigations are to prevent harms.
3.5 - “Hide a subpoena from the user while it is in effect…” - Kodex makes it easier for the client to follow the law, and allows them to ethically follow up with the user once the law no longer prohibits the company from doing so. Would you rather hope the company just remembers to go back to the mail room and fish through a file cabinet to see which user should be notified each day when that isn’t a priority for the company’s bottom line? Or would you want the company to be automatically reminded when such a date comes? Keeping this process more disorganized than it needs to be just for the sake of silently convincing yourself you live on a higher moral plane is what is more unethical.
4. “Mass circumvention…” - You seem to be willfully ignoring the fact that consequences exist, once again. You know copyright infringement/file sharing pioneers like Napster were ultimately shut down…right? You know, because it was illegal and the consequence was…being shut down? If you try to say that changed the music industry to help the onset of streaming/Spotify you might be right, but then why would you ignore that something like Kodex can be the same type of disruption to subpoena processing that streaming was to music…making it easier and more accessible? Moreover, it wasn’t the general disregard for the rules that created Spotify, it was the realization of the desire for instant access to every song, rather than pay $1.29 for some songs.
5. “The process doesn’t need to be clunky, messy, or disorganized” - Thank you, I agree!
I’d encourage you to learn more about this topic, because you seem to have put little effort into understanding what’s really going on, and instead have chosen to just yell at the sky/internet about what you think is going on - simply for the sake of yelling.
So, I’m currently in North America but with a foreign SIM, so I have that country’s IP, most ads are in a language I can’t understand, and McDonalds app won’t let me login unless I switch to wifi with a local IP.
This is all great, but does this mean that the local provider has no access to my traffic? I guess DNS is all resolved overseas too? How does the tunnelling work?
That tunneling is created generally for billing and metering purposes (for telco's benefit). A lot of cooperation between carriers happens in order to create that tunnel. Don't assume it's an encrypted tunnel.
The tunnels between carriers could be encrypted. They don't _have_ to be. The LTE S1 link (eNodeB <-> packet core) may not be.
Like, if your eNB is a picocell or feeding a DAS, it probably is doing backhaul over IPSec over internet or dedicated circuit, but if it's normal carrier network, likely not.
The network you're on has theoretical full access to everything. If the network is hostile you're screwed, because even with the improved protection in 4G/5G they can still easily force a downgrade attack.
I guess that’s a part of the question: is my phone encrypting (with whatever gsm standard) to the overseas provider and the local provider can’t really see anything, or does it go to the local provider in the clear and they tunnel it over to the overseas provider?
My understanding is that the A5/1 (GSM) encryption is applied to the communication between the device and the local service provider. The local service provider then decrypts and routes the packets.
>FirstNet is designed with a defense-in-depth security strategy that goes well beyond standard commercial network security measures, providing protection without sacrificing usability. And now, we’ve gone farther than anyone in the industry to secure public safety communications. FirstNet will be the first-ever network with comprehensive, tower-to-core encryption based on open industry standards.
Which implies every other network doesn't encrypt that traffic (or does it with some proprietary scheme... which wouldn't give me a lot of confidence)
Telcos rarely do end-to-ends, usually they handle signaling out of band, strip headers, decipher payload and re-cipher with new session information each time your data switches medium. In-band signaling with E2E and recursive encapsulations like TLS over TCP over IP are very much an Internet/IP pattern.
I thought this was interesting and might involve some handset manufacturer involvement?
Under the "Location Based Services" chart, US Cellular is listed "No. However, you can force a call without a ring to the target device to determine tower/sector"
There seem to be several methods employed for use in a location tracking campaign by various entities. Some entities might not be able to get the approval for the real-time data, and others might have much better relationships and tools. I have found this EFF article (linked, try section 3.4 for your question)[0] to be helpful in understanding the possibilities.
It appears to be possible to do quite a bit of location tracking/location verification without any help at all from the telcos. The calls they are referring to seems to mean calling a phone and hanging up quickly. This causes the cell network to issue a high priority RRC paging request (someone is calling you!) which causes your handset to wake up and begin broadcasting to the cell network.
This enables passive eavesdropping and coarse location detection via monitoring the RF landscape for TMSI/IMSI collection and correlation. It is then possible to narrow down a large area to the specific cell, ~2km area, from there you can use another beacon or maybe regular direction finding and trilateration to pinpoint a signal. This sounds like an operation which requires 3-5 operators, but I don't know about the procedures.
Some cell network packets contain GPS location and other subscriber data, which could be intercepted and analyzed by this advanced threat.
With the aid of a Cell Site Simulator/Stingray, it seems to be possible to use this method to sense the handset and then use the CSS to hijack a handset's tower association turning coarse location data into a normal MITM. There are many other location sensing techniques such as a GSM Tripwire device or packet analysis.
Interesting stuff. The cell phones are rather evil.
a bit, but the calls are simply meant to generate a high priority gsm packet (normal cell tower behavior) which will cause the handset to emit data in response to the cell network, allowing location fixing to move forward.
It doesn't have to be a no-ring call, it can be anybody at all with a legit call, text message, etc. It's favorable for the operator to do so in a way that will not alert the user, hence the no-ring call stuff.
In my experience some handsets will report fast hang-ups as a missed call, and others won't.
You can probably enable airplane mode/rfkill to shut down this threat from the less spooky nerds who would use it. No GSM radio = no GSM packets.
The "force a call without a ring" is just basic GSM. I don't know, but I'm guessing 3G, 4G or 5G support requesting the GPS position from the ME/handset.
Yeah, by "basic GSM" I mean a common subset that is available regardless of 2G/3G/4G/5G, as in, you can still ping the mobile equipment to see which BTS it's connecting to. (And even if you don't get the TA with CDMA/OFDMA you still get signal strength and/or can force a downgrade if necessary, to get a rough location.)
I'm not sure if you're shadow banned or what, but every comment of yours I have encountered has been marked dead. I vouched for this and another one I saw elsewhere in the thread.
> The slide also shows that AT&T retains “cloud storage internet/web browsing” data for 1 year.
I never thought before that ISPs would really keep track of every user's browsing history, but apparently as cheap as the disks are today, this has become true. Can't think of any use of this data other than for mass surveillance.
I believe they can also sell the data, though there may be some regulations on anonymized, or sold as a group to develop profiles and understanding for advertising purposes.
Perhaps that's what you mean by "mass surveillance", but I took that to mean specifically government surveillance.
With all this information collected and available, and with pretty basic technology tools (keyword alerts, fast searching, location data to pinpoint pretty accurate positioning) - how come there is still crime and other "bad things" that happen?
I'm not talking about heat-of-the-moment things, but literally anything requiring any sort of planning or organisation (kidnapping, gangsterism, etc) should be solvable with this. So why isn't it?
*Note, I don't want an uber-surveillance state - my point is that we already have one, and any feeble excuses from law enforcement about solving 10s of thousands of crimes with "ooops we can't figure it out" seems utterly hollow and untrue.
My claims are without evidence, but it certainly seems as if this document was created with the intentions/hope that it would be eventually leaked.
The second slide seems rather suspicious in its placement of "CAST members are not qualified to testify after reading this"; almost as if they were not speaking to an audience of CAST members, but rather, the public.
Perhaps a decoy? to draw attention away from STINGRAY and other intricacies?
> The second slide seems rather suspicious in its placement of "CAST members are not qualified to testify after reading this"; almost as if they were not speaking to an audience of CAST members, but rather, the public.
Sounds like they are doing advance witness tampering by trying to get CAST members to evade calls to testify on material facts known to them should they receive such, not lobbying the public via anticipated future leak.
(I’m not even sure how the statement about testimony would be expected to manipulate the public.)
It’s pretty obvious the audience are consumers of the service. (ie other FBI agents)
If you’ve ever had to testify as an expert, it’s an art and a science. You need a lot of training to be able to respond to the traps attorneys will set for you.
My guess is that this looks like training material for low-level desk jockeys to help do all of the legwork gathering evidence that would be presented in court cases.
Stingrays you would think would be more of a targeted operation and likely handled by a different group of people.
USCC offloaded a bunch of spectrum and customers to Sprint awhile back but they're still independent.
Funny enough, US Cellular divested their Chicago holdings back in 2012 to Sprint but never moved their HQ. None of their HQ employees have cell service through them.
I'd consider stingrays one of the least useful tools since they require logistics: you need to have one installed somewhere or have logistics to deploy them quickly to an area.
If you aren't careful, your target could become aware of their presence.
If you are pulling data from the carrier, there's less logistics involved and your target shouldn't notice unless someone screws up.
In the US people are more pro-company and anti-government so retention policies tend to require the companies to retain the data for a period of time so warrants can request it if necessary.
In the EU people are more pro-government and anti-company so the government is more likely to have access.
The US process for access is sometimes tied to FISA.
I'm not an expert on this stuff, but I think I'd generally prefer companies handling retention and government having to request access rather than the other way around. Assuming (probably a big assumption) that the companies do it securely and don't fuck it up.
Indeed, often people have said the FBI runs this and that.
But this is not cost efficient, the agencies can just subpoena the businesses for data, simple as that.
No hacking, no developing etc.
It's pretty efficient, if the government announced they would save some files on all citizens, it would be widely unpopular.
So let the people use the services they consent to use, let the businesses collect as much data as possible, the more, the merrier.
And when the need for these resources arises, subpoena the business, they'll even do the search for them.
Metro is owned by T-Mobile, and operates using T-Mobile’s network. Why would it be any more secure than T-Mobile?
As far as I understand, there are 3 mobile networks in the US (Verizon, ATT, T-Mobile), and the MVNOs are just a mechanism to price discriminate. Different customers are sliced into various priorities and willingness/ability to pay, so the 3 mobile networks can most accurately collect the most money according to each individual’s ability and willingness to pay for a certain level of priority on the network.
I love Metro, have used them for years. $60 for unlimited everything with 20GB tethered 4G hotspot data, and you get free Amazon Prime with your account. This chart has just solidified how great they are to me.
I've never understood why they try to "disguise" these things. They always stick out like a sore thumb. How would anyone know the difference from a normal cell tower?
Having lived a part of my childhood in a poor communist country from Eastern Europe and a part of my younghood in a poor country from Eastern Europe I had some moments when I asked myself if it wouldn't be better for me to move to US. I quit asking myself this some time ago.
>jailed for not complying with the illegal requests of the surveillance state
From the wiki page:
>On March 15, 2005, Nacchio and six other former Qwest executives were sued by the U.S. Securities and Exchange Commission. They were accused of a $3 billion financial fraud between 1999 and 2002 and of benefiting from an inflated stock price.
> In its case, the government stated that Nacchio continued to tell Wall Street that Qwest would be able to achieve aggressive revenue targets long after he knew that they could not be achieved.
Interesting that Nacchio was prosecuted for this but almost no one else is.
The very same article states that he was found to have produced false accounting records and talked up the company's outlook despite knowing it was losing business and selling his own shares. He got caught on the insider trading.
As I understand it, the explanation of the "false accounting records" and "losing business" had to do with expected government contracts vanishing because of refusing to cooperate about the NSA surveillance.
Losing a contract with the NSA because they didn't play with the NSA certainly sounds like a real thing. Telling the markets that they would continue to see national security contracts when he knew they would not is another. Presenting false accounting records is entirely unrelated and just banal fraud. Selling your own shares while doing these things is even worse.
This really closes the loop. If the Feds cancelled contracts because of Nacchio's refusal to do business and then indicted him on fraud because he probably could not tell others that those contracts were cancelled (as with other similar wiretap/NSL requests)...
That's ridiculous. There's no NDA in the world that prevents you from disclosing the true financials of your company. You don't need to specify who you're serving. His charge of insider trading is because he blatantly lied about the company doing well to inflate the price while selling his shares knowing it was not.
No, it absolutely is not. Not even close. Love for clever little hacker things does not carry any weight here. How could you possibly believe that it would have been illegal for this company to correctly state the amount of revenue it received?
You do not need to acknowledge that you received an NSL in order to acknowledge you are no longer providing services to the NSA. You do not need to reference the NSA or NSL at all in order to correctly state revenue, because you are not required to show all of the entities with which you're doing business.
It is fully possible to pretend you simply lost the NSA contract for non-NSL related reasons. His fraud is his own doing.
So if I'm piecing this together correctly, he decided he wasn't going to help out NSA. This led to him losing government contracts, which would lower the value of his company. So instead of taking the stock price hit (which would be the principled thing to do), he created false accounting records to defraud investors. And while he was publicly preaching that the Qwest was just fine, he was unloading his own stock.
And this is the guy I'm supposed to be sympathetic of?
He could easily have just acknowledged what happened and not sold all of his stocks to avoid insider trading while the NSA situation still happened. It's nice that he refused the NSA. Doesn't absolve him of other fraud.
That does not prohibit you from being honest in your public statements about the financial health of the company, nor does it prevent you from following the same insider trading rules as everybody else.
It was well known why Google got rid of their "don't be evil" tagline... except now nowhere on the internet seems to have a record of the exact reason either...
These kinds of stories get 'forgotten' very quickly.
what on earth is this trying to imply? That google bleached the internet? Google got rid of the don't be evil tagline because it didn't fit with their corporate mission anymore, which was objectively more boring and more profit driven.
they're probably implying it was a sort of warrant canary or that they did not comply with overreaching government wiretap requests (the assumption being that now they do).
I find that to be a pretty charming belief. It's probably correlated timeline wise with when such things did change on that, but I highly doubt it was the reason for the mission statement change.
“Donald Trump is really dumb to take on the intelligence agencies. Let me tell you, you take on the intelligence community, they have six ways from Sunday at getting back at you,” Schumer told MSNBC
Imagine the founders' reaction if they heard a prominent senator saying that, not with regret, but exultantly, as though he relished the idea. I can't bring myself to accept that this was what they intended to launch into the world.
I remember often hearing pundits claim that "17 intelligence agencies had confirmed Russian meddling in the 2016 election"
Now, it turned out that "meddling" amounted to buying facebook ads. Not really a huge deal.
But more importantly, since you brought up the founders - what would they say about the fact that we apparently have at least 17 federal agencies dedicated to spying.
> Among other honorifics, George Washington—known as Agent 711 in the Culper Spy Ring—is often heralded as a great “spymaster,” and indeed, he was. Under Washington’s astute watch, several networks of spies operated in both close-knit circles and far-reaching societies.
> Washington recognized the need for an organized approach to espionage.
> The original Committee members—America's first foreign intelligence agency—were Benjamin Franklin, Benjamin Harrison, Thomas Johnson and subsequently included James Lovell, who became the Congress' expert on codes and ciphers and has been called the father of American cryptanalysis.
> On June 5, 1776, the Congress appointed John Adams, Thomas Jefferson, Edward Rutledge, James Wilson, and Robert Livingston "to consider what is proper to be done with persons giving intelligence to the enemy or supplying them with provisions." They were charged with revising the Articles of War in regard to espionage directed against the American forces. The problem was an urgent one: Dr. Benjamin Church, chief physician of the Continental Army, had already been seized and imprisoned as a British agent, but there was no civilian espionage act, and George Washington thought the existing military law did not provide punishment severe enough to afford a deterrent.
Washington sent an army to squash the Whiskey Rebellion, and John Adams signed the Alien and Sedition Acts into law. They were quite happy to go after threats to their power.
It depends a lot on how you define “their”. In both those cases you could also argue that the president was still establishing the supremacy of a democratically elected republican government as the process for achieving change rather than perpetual revolution. It’s different than having elected officials undermined by permanent bureaucracies.
I’m not defending the sedition act, but it’s quite important that it was implemented during a quasi-war and was still barely passed. There’s also a reason that two hundred years later it’s constantly held up as a paragon of bad law and there’s no way it would pass judicial review at any point since then (it didn’t at the time either, because it expired 2 years after it was passed and before judicial review was established).
Dead on, and those are a couple excellent illustrations of why, no matter how good a chief executive had been before taking office, you have to watch them relentlessly.
not to mention that we're speaking of colonists who intentionally set out to genocide the native population on a regular basis. and most were slavers, putting the lie to any talk of freedom. in the end, little mattered to them in that revolution than removing English fetters on themselves. that people identify with a group that almost certainly would have denied them the right to legal personhood and look to them as guarantors of freedom only speaks to their historical illiteracy.
The context is really key when you consider the information that the prominent senator is aware of about the subject that you as a random member of the public may not.
If you look at the fate of people like Aaron Burr, I think it’s quite clear that the founders were not supermen, but humans who dealt with similar problems that we do today. Likewise, the post-revolution treatment of tories wasn’t exactly magnanimous either.