The reason for the gag orders: to keep the Federal Attorneys from getting a pile of bad publicity. This flies straight in the face of any kind of transparent government. If the Attorney's office gets a ton of criticism, then they're probably doing something extremely unpopular. It's good to do unpopular things in defense of minority opinions, given the USA's free speech tradition, but if the criticism is large in volume, and it stings, which apparently the Twitter investigation criticism did, then the public outcry is correct. The Feds shouldn't be doing this stuff. I conclude that the gag orders are crap, and should be lifted. The Feds are doing stuff that might be legal, but is in a larger sense immoral.
Seems like the gag orders are "don't tell these suspects that we're monitoring them". Seems quite legitimate and essential in ordinary cases. But we need a robust court system that will restrict gag orders to legit things, rather than suppressing dissent.
According to the text of the article, that's not true. The gag orders were to prevent the attorney from getting bad publicity. I suppose that they wrote "keep suspects in the dark" or the equivalent legalese in the motion, but the real reason appears to be otherwise.
After careful re-reading, I think you are correct. I didn't read closely enough. The key paragraph is attributed to Google's lawyer.
However, the whole "Twitter didn't get a gag order" aspect does support the thesis that the Google gag order is to minimize criticism of the US lawyers.
Since the very same person (Jacob Appelbaum) appears to be the subject of both Twitter and Google search warrants, the "we don't want to alert TERRORISTS!" excuse for the gag order doesn't hold. Also, if it's a search warrant, and not a CALEA-type on-going surveillance warrant, why would a gag order be imposed? If Google has the data, they have to turn it over or face penalties, and I'm sure they have a policy to fork over any legally-demanded data. They may have a duty to their own consciences to contest the search warrants, but I'm sure that they hand over data.
I can think of one other motive for such a gag order, and that's to minimize the time that Appelbaum has to prepare a defense. That hardly seems fair, given that the USA is supposed to have a level playing field with ALL CITIZENS subject to the rule of law. I'd rather not think that the US Attorney, with all the legal and monetary resources of the federal government at hand, would stoop to cheap shots like that.
I think Gidari's conclusion, although an opinion, fits the facts as we know them. The Google gag order was sought to contain or minimize criticism. Assuming that seems to give the US Attorneys the benefit of the doubt, because otherwise I'd think they were trying to cheat, which they, as officers of the court have a moral duty to avoid.
> Seems quite legitimate and essential in ordinary cases
Is it though? I am of the mind that I am okay with making law enforcement's job harder if it means more transparency and the assumption of privacy for citizens. I'd rather a couple of criminals go free than that we secretly invade the privacy of one innocent person. People have a right to know when their personal data is being examined by law enforcement IMHO. Again this isn't saying they can't get access to the person's email but that the person IS notified when it happens.
> But we need a robust court system that will restrict gag orders to legit things, rather than suppressing dissent.
Would people involved with Wikileaks actually change their behavior if they were given proof that the US government was spying on them? I assume they are already operating under the assumption that that is the case. From what I have seen, the US government spying on that community is already taken as established fact within that community.
And that's basically the main point against gag orders. Or do you expect the rest of the population to also become paranoid toward their government not knowing if they are being spied on?
> But the case represents “an amazing Catch-22,” he said.
> Google doesn’t “have the strongest right to challenge the
> scope or the reasonableness of the warrant. The only people
> who really have that are the targets of the warrant, and
> they don’t know about it. So essentially the government has
> carte blanche to get whatever they want.”
Shouldn't in cases like this the gag order go to the target of the warrant? I imagine it could go something like this. Google hands over the information and informs only the target. The target can't publicize or inform anyone else, but now has the knowledge and right to defend himself.
Not informing the target would restrict his ability to defend himself.
On a similar note, why even involve Google at all? Why not require the target to hand over the information?
Maybe the fact that the targets are in different countries is a problem for this approach.
Yup. Going to the third party provider as if it owns your data is a complete bypass of the 4th amendment. To make an analogy it would be like the federal government having to serve a warrant/court order/gag order only to your local mayor to search your house without your permission.
Imagine how messed up that would be. Yet, it's exactly what happens in the digital world, and somehow we've learned to take it for granted. If it's your data, the warrant should be served to you. As for terms of service and such of online services that say once you upload your data to their cloud, then it becomes "theirs", that's complete bull, and such a thing should be made illegal.
It just occurred to me, they figured out how to serve a complaint against your property (civil forfeiture) so I'm actually half surprised they don't serve warrants against the house not the house's occupants. Or even better, just serve the data itself; US Government versus 134,612 bytes of Data!
IMO governments need to learn how to adapt to this new "information age". That's not to say they need to try to find new ways to suppress information. They need to allow public discourse to help them define their limitations.
Could a company nullify gag orders if it was their policy to post ALL their correspondence on their website? For example, AcmeCo gets a request from the US Government to share information about one of AcmeCo's customers (e.g. WikiLeaks). AcmeCo scans and posts this letter (as it does for everything it receives including its electricity bill) on its website. Could they then circumvent the gag order this way? What would happen to AcmeCo?
Similarly, is anyone who reads the letter bound by the gag order or only the intended recipient? If the latter, you could always arrange to have someone read your mail first before you do (so you have no knowledge of its contents and its secret status), and that someone else would be able to talk about that NSL since they were not the subject of it.
"Could a company nullify gag orders if it was their policy to post ALL their correspondence on their website?"
Not a US-based company, because we have these nefarious things called National Security Letters. The penalty for knowingly breaking the gag order with the intent to interfere with an investigation is up to five years in prison.
Just to be clear, this case (or this particular gag order for this case, at least) had nothing to do with National Security Letters. It was a gag order from a regular federal judge.
The answer to the above is still no, however. I don't see how "I post everything I receive" could possibly get you out of "don't post this warrant".
Not to be, ah, subversive, but do you necessarily need business owners willing to go to jail, or business owners willing to employ willing martyrs?
Imagine you hire a number of people who happen to be willing to go to jail for their principles, who are strongly opposed to things like government secrecy, and put them in the line to handle an NSL. If they happen to violate a gag order and go to jail, well, you may have to fire them, but their contract is rather iron-clad and their severance quite impressive, more than adequate to take care of their family during a five year jail sentence...
There really is no prevailing over the legal tarpit - even if your action technically passes, they get you on intent or association. The only time logic really comes into play is writing post-hoc justification of the status quo. The more corrupt "laws" created, the easier such justification becomes.
(PS. given that authoritarianism is creeping in on many fronts, everybody who cares about these issues should be looking for ways to be subversive. embracing one front in an attempt to outrun the others is a losing strategy)
(a) in the form of a valid court order hand-delivered to and served on your CEO at his home at 6am by two very grim federal agents who don't really like getting up this early, or
(b) if you're represented by counsel, it comes in the form of notification to your attorney by the court clerk that a court order has been issued (or perhaps notification from an AUSA if the clerk's office is slacking).
The government can easily subvert the automated system (i.e. if you make legal@somedomain.com -> public record, they email your personal yahoo/gmail account which is not automatically posted).
OpSec notwithstanding. If the government doesn't know your other email addresses, this obviously doesn't apply.
If everything that comes to every one of your inboxes is immediately laid bare for the world to see, they cannot circumvent the process and also cannot prove that you knowingly and intentionally violated the gag order. I don't know anyone who does this, however.
> Do you know any business owners willing to go to prison for five years for one of their users?
The Lavabit guy came pretty close, IIRC, and he's a small fry.
Do you really think the government would jail the wealthy executives of Google or Microsoft? They won't even prosecute Wall Street executives, and bankers are far less popular with the public than tech CEOs.
If you're a Google employee and you see a gag order and disagree with it, you almost certainly have the skills to leak it undetectably such that you can't be prosecuted because there is no evidence.
I wonder, is that the right thing to do? How would you do it technically if you thought it was? Who would you leak it to?
Even granting your premise that a Google employee could leak the gag order undetectably (and I'm not confident about that, since the universe of people to investigate would be relatively small), there would still be serious repercussions to deal with.
At bottom, there's someone at Google in charge of overseeing the gag order. If the gag order leaks and they can't figure out who's responsible, I'm pretty sure they end up going to jail - if only because a court would have a hard time telling the difference between genuinely not being able to find the leaker and stonewalling / implementing a cover-up.
I'm less cynical. I don't think they can prosecute someone without evidence beyond reasonable doubt. Every single Google employee who has to act on the order and be gagged by it has to see the order and verify its authenticity or else their actions would be illegal. "It must be one of these 50 Google employees" might well be completely true, but not enough to prosecute any one of them.
I'd mod you up for making an interesting point, but it'd interfere with the meta-ness of your question being greyed out (a bit). I therefore leave you down-modded so you can better make your point.
On this particular story there seems to be quite a lot of (random?) down-modding. It'd be nice to hear if the admins could comment. From just looking at the greyed out comments, it at least seems different from the usual hn-patterns?
Google is good, not evil, they have fought for our rights, bravely and invented new genius technologies and social processes to protect our civil rights and society. Google is good, Google does what is in best interest for its users. Google stands up against an intrusive government. Being a user of Google services is supporting freedom and democracy. Google fights against censorship and for open society.
Nope, nothing there supports Google. He's claiming to have played them to use their resources in support of his interests. He's not endorsing them at all. (Maybe he would or has elsewhere but not there).
> In the fall of 2011, Google was able to tell Appelbaum that the government had sought data such as the IP addresses of the people he e-mailed with,
Google needs to store your plaintext email so it can make money by showing you ads, but its data retention policies are both unnecessary and outrageous.
Google was a premium partner in the PRISM NSA program. According to the first leaks, Google along with Facebook, Skype and Apple were the first to sign up to the NSA spying programs as partners.
All along they're trying to paint themselves as victims of the spying, which is ridiculous really...but I guess they can still fool a large population.
I acknowledge there's a moral and ethical distinction there, but I dispute that there's any pragmatic difference: If you use Google services, your data is compromised, period.
It doesn't really matter whether the NSA or GCHQ are tapping Google's datacenters, paying off low-level employees, operating under a legal court order, or benefiting from the enthusiastic help of Google executives. The end result is the same: You cannot trust cloud services.
The question has never been "Can you trust cloud services?"
It's "Can you trust them more than the alternatives?"
Yes, you can almost certainly keep your private data more secure in a system you build and monitor yourself(1). Until an NSA or GCHQ-level entity takes interest in you, and uses a 0-day exploit on your system or just physically walks in with a warrant and steals your physical media. How is that functionally different from "If the NSA / GCHQ takes interest in you, they can have the cloud service provider hand your data over?" And that's before you add the overhead of maintaining, securing, and physically protecting your own systems.
(1) Note that even this step is a huge hurdle for most people; "You cannot trust cloud services" basically tells those people "Don't use the Internet."
There is a massive, massive difference between automatically slurping all data coming in and out of a cloud provider, and going after somebody with a targeted exploit or physically seizing machines.
The difference is the same one that enables a police officer to walk the street, but requires a warrant before entering a home.
Even the NSA does not like to invade people's homes. It's a health risk for agents, it's costly, it competes with other agencies, and it's bad for PR. The legal steps required are also much smaller when asking a cloud service to hand over information.
The answer CAN be "all of the above." Just because the NSA went beyond any agreement they may have with Google, and Google is genuinely pissed off about that, doesn't mean Google (or any other major technology company in the US) hasn't cooperated with the government regarding surveillance.
It is certain that telecom carriers participated willingly in the massive collection of telephone network CDRs from way back when these were on mag tape.
So far, every time someone has asked "What if the government is using X for surveillance?" the answer has eventually been yes. 100% of the time. Nothing is out of bounds. And that includes making partners victims if it is part of the mission to collect everything. Belgium, for example, is both a partner, somewhere in the hierarchy of partners outside of the Five Eyes, and a victim of GCHQ hacking. Being a partner doesn't spare you and being a victim isn't indicative you're not a partner.
I don't dispute that there was some collusion or collaboration, but at the same time, I don't condemn people on an incomplete picture. Period.
For all we know, PRISM was more-or-less a euphemism for "we had a shallow collaboration that we used to pivot into a larger compromise of their networks".
Conversely, I'm going to have to agree with 'tptacek and his (probably not popular) opinion on Google and their influence on privacy and security at large.
So I stand by my decision to not condemn them until we learn more about the nature of their collaboration with the NSA's plot to deteriorate human rights the world over. Not because I love Google and think they can do no evil, but because I believe in charitable debate and skeptical inquiry.
> I believe in charitable debate and skeptical inquiry.
I believe in the odds. And the odds are that any technology that has a high potential to significantly add to surveillance capabilities has been exploited for that purpose either by hacking it or convincing (strong-arming if needed) the technology provider to cooperate.
I don't deny that Google does a lot of great things in general, and in security research specifically. That would be denying the plain facts. But I also do not think that has any impact at all on the relationships the government builds with (or forces upon) large corporations regarding national security.
When the chips are down, the NSA and other TLAs are going to get what they want. Now that tptacek is part of a larger transnational security company, he may find that out firsthand.
What exactly was it that you thought Matasano did, that the NSA might have ever leaned on them for anything? People on HN have historically had really weird ideas of how my work intersects with privacy. Matasano is a software engineering service.
You didn't answer my question. What exactly do you think it is NSA wants firms like Matasano to do? Stop being evasive. Say something specific, so we can actually address the innuendo.
It seems much more likely that NSA would lean on your consulting practice: you build telephony and communications software. Obviously, I don't think NSA leans on companies like yours either.
I never mentioned Matasano. I specifically referred to the "larger transnational security company" that acquired Matasano. If that's not correct regarding Matasano, I'm sorry. But I'm not being evasive in any way.
I'll let you know when I scale up to where I get a glimpse into the abyss.
I worked for the "multinational" for two years after the acquisition and I'm curious about NSA's evil influence too. Tell us more, Zigurd? Seriously: just a theory about what could have been happening would be great.
RSA isn't in remotely the same space as Matasano, nor would it be "one of the largest" if it were in that space.
As I rock back and forth in my chair, silently repeat the serenity prayer, and try to remain charitable; what sort of work do you think Matasano (or NCC, Accuvant, or VerizonBusiness, my former employer) does?
Where did you read that? They're still alive and kicking.
'tptacek left it to start a new company. As far as I can tell, Matasano is quite successful and many of its employees are highly regarded hackers and engineers.
Well, he is correct that Matasano was acquired by NCC Group. But as a rank-and-file Matasanoan since before the acquisition, I can't say I've noticed a huge impact on the day-to-day.
Right, "does" - I forgot they just nested their namespace after going to NCC, sorry.
If you had to make a guess, you'd probably guess correctly, but we'll just end this thread here (don't guess). FWIW I'm not supporting Zigurd's statements, which sound crazy.
No Google, "fighting" a restriction on speech isn't doing exactly what you're told and asking a corrupt court for permission to do otherwise. It involves loudly publicizing the corruption and giving the thugs an uphill battle. Until you do this (or radically change your products to be oblivious to users' information in the first place), you're a de facto arm of the surveillance state.