In an interesting development, seven big internet companies (AOL, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo) have jointly set up a website listing five principles by which government surveillance can be reformed to protect the general privacy of people while satisfying the government’s genuine need for security information. The five principles are:
- Limiting Governments’ Authority to Collect Users’ Information
- Oversight and Accountability
- Transparency About Government Demands
- Respecting the Free Flow of Information
- Avoiding Conflicts Among Governments
Noteworthy is Apple’s absence from this list.
The big issue is whether these companies are going to use their considerable clout to really push for these changes or whether it is a public relations exercise because of the beating they have taken. That question will be answered by how they react when the government flatly turns down their request. If the question was just about terrorist threats, then it may be possible for the government to agree. But the government wants all the information as part of its attempt to monitor all the activity of all the people. The terrorist threat is just one element of it but provides a valuable cover story. And this pervasive monitoring of everyone now extends to monitoring online games, and state and local police agencies are also spying on people.
What would be a genuine test of these companies’ bona fides is if they upped the encryption standards to make it much harder for the NSA to get at them and refused to provide back door access.
But still, this action should be gratifying to Edward Snowden as a sign that the risks he took are paying off. The fact that he was just voted The Guardian newspaper’s Person of the Year is another validation of his efforts.
doublereed says
Microsoft also implicitly said that the US Government is an Advanced Persistent Threat. For those that don’t know, APT1 refers to a massive organization in China that spies on everything.
I’ve heard “While APT1 might refer to a Chinese organization, APT0 is the US Government.”
Marcus Ranum says
The mice voted to bell the cat.
Google and Microsoft et al. rather cheerfully sell their data to marketers, governments, and whoever else asks for it nicely (“nicely” means with some money clenched in your teeth).
If people want to stop rewarding such behavior, they can realize that “free” isn’t free. For $100/year I host a server where I can give out as many mailboxes as I want. But everyone wants the google. And then they are all upset and shocked -- shocked I tell you -- when they find out that google’s corporate interest doesn’t align with their own.
Marcus Ranum says
There are various reports putting the size of the US government’s penetration of personal computers at “well beyond” 50,000 -- so, yeah, if there’s complaints about what the Chinese are doing, it’s mostly just that they’re trying to warn the Chinese gov’t not to poach on our colonial turf.
colnago80 says
Is Apple an internet company?
doublereed says
It’s more about the kinds of attacks APTs can do. The idea is that APTs play the long game. If you’re being targeted by an APT, you’re facing some unique threats that even most big businesses don’t have to deal with. You’re talking dedicated custom malware and Stuxnet-style infiltration. You’re talking supply chain threats.
This ain’t your Anonymous Denial-of-Service bullshit. These are threats that have lots of resources, personnel, and time.
The term APT really only applies to organizations in Russia and China from what I’ve heard. Saying that the US Government is an APT is actually pretty big talk from a US company.
wtfwhateverd00d says
I bet an enormous number of people’s primary internet connection is via their iPhone.
wtfwhateverd00d says
I am somewhat shocked every day when I read some very long blog comment or forum comment and realize someone tapped it into a phone.
wtfwhateverd00d says
Professor Singham, these companies did it for a variety of reasons, but much as I appreciate their effort, I am still not convinced it’s not just the right protect-the-business move for them.
I will be much happier when I see organized demonstrations against the NSA and Gov’t Spying, and see candidates running to put an end to it.
I am curious, are there any organized democratic or liberal organizations creating, running any sort of march, or demonstration?
And if not why not? (You don’t have to answer that, we both know why liberal organizations aren’t doing this.)
lorn says
If the private companies didn’t collect the information there would be little for the government to steal. I suspect that the corporations aren’t really concerned with any government agency ending up with their client’s information. What really upsets them is that the government didn’t pay them for it. Most people don’t know that most of what the government steals is available, for sale.
Lassi Hippeläinen says
The weakest link is “2. Oversight and Accountability”. The structure of the Internet makes it possible to copy data in flight without anybody noticing it. One of the reasons why snooping grew so massive is because they could. Note that the whole circus became public only after an insider exposed it.
A famous mountaineer once explained that he climbed a mountain “because it is there”. The spooks are no different. They will treat new regulations as new challenges to work around.
khms says
The radio told me today that the main reason these companies are doing this is probably that 80% of their customers are outside of the US, mostly in places like Europe and Asia … places where there is a lot of upset about the NSA. They are afraid that if they don’t do something, their customers might run away.
Given I’m hearing politicians and top managers talk about keeping IP connections between EU endpoints from ever leaving the EU[*], I think they definitely have a point.
[*] I wonder if they mean “the EU without the UK”, here.
colnago80 says
I’m not sure that using a device (iPhone, iPad, notebook computer, desktop computer etc.) makes the company that manufactured the device an Internet company.
jamessweet says
I see no reason to doubt that this is in good faith and that the companies in question really do mean it. I think they are legitimately pretty upset at the NSA, not so much because they care about their customers’ privacy (as others have pointed out, Google’s entire business model is sort of based on providing information about you — which I don’t really have a problem with, but that’s tangential to this discussion), but rather because they want to be in control, and the US government’s mixture of sneaky underhandedness and unfair strongarm tactics have taken away that control. Namely:
1) These companies would really like to have the option to talk about what the gov’t is and is not asking them to do. Surely they don’t want to be compelled to talk about it, but being forbidden from talking about it severely impedes their ability to spin — or even to tell the truth, for that matter. They can’t control the messaging if the government won’t even let them share mundane information like how many secret subpoenas they have answered.
2) In addition to not being able to control the messaging, the enforced secrecy means that the gov’t could compel the companies in question to do something they really actually don’t want to do, and there’d be no recourse. It’s much more difficult to lobby for laws that favor your profit margin if you aren’t allowed to speak about it. These guys know they are being shoved around, and just because so far the shoving hasn’t made them do anything they really care about, that doesn’t mean it’s not a bad precedent.
3) I really think that a lot of the people working for these companies, even in the top echelons, felt a genuine sense of betrayal at the revelations that the US gov’t had been tapping their unencrypted backend communications. I think the fact that they HAD been cooperating made it that much more bitter. Again, there’s this question of control: If the gov’t is going to compel you to do stuff, then forbid you from talking about it, THEN secretly go even further than what they told you they were going to do… well who the fuck knows what else they are going to do?
I think that these companies are beginning to feel legitimately threatened by the monster that the surveillance state has become. Again, it’s not that they really care about their users’ privacy, but the monster is now showing signs of being entirely out of control. And that’s bad for business.
Marcus Ranum says
APTs are a marketing term established to describe what the Chinese (and other governments) do to us, not what we do to everyone else.
There are no “APTs” in the literal sense -- all successful attacks are exploited and persistent.
(I’ve been working in the INFOSEC trenches for 27 years, now. These fads come and go. They are just fads.)
Marcus Ranum says
The EFF accomplishes a fair amount, but doesn’t waste its time on marches or demonstrations.
Your question amounts to: “is anyone doing anything useless about this?”
Marcus Ranum says
The ACLU is involved, as well. I’ve upped my annual donation, in fact.
Lassi Hippeläinen says
Apple has its music/app/whatever store that has lots of customer information.
I’m not an Apple user, so I don’t know how their services work, but I’m pretty sure that they know quite well where their customers are located, and how they can be grouped by their interests. In addition to all the usual credit info etc.
invivoMark says
Facebook is just upset that it has competition.
spanner says
There is Public Citizen at citizen.org. I think they’ve organized marches, if that’s what you really want, but they also lobby Congress and fight legal battles for progressive causes, including internet privacy issues.
wtfwhateverd00d says
Your question amounts to: “is anyone doing anything useless about this?”
That’s pretty funny.