Uncrunched

Last week’s announcement of iOS 7 really shook things up in silicon valley. And it may not be what you think.

Yes, people are excited to get to work on it. But app developers aren’t just putting a fresh face on their existing products. They’re rethinking their apps from the ground up, say a bunch of startups I’ve spoken with. They’re looking at this as a whole new platform, as they should, and they know that first movers have all the advantages.

Most people I’m talking to agree with Marco Arment, who says “iOS 7 is different. It isn’t just a new skin: it introduces entirely new navigational and structural standards far beyond the extent of any previous UI changes.”

So how are startups responding to the news? They’re “tearing up their Q3 product roadmap” and “starting from scratch,” say a few of the startups I spoke to. “There are subtle but profound changes” says one.

Daniel Raffel, Snapguide CEO (a CrunchFund company), says Android likely took a big hit with the announcement of iOS 7. Leading up to WWDC there had never been a better time for developers to invest big in Android. Now that investment is on hold, he says, as teams repriortize resources to develop for the iOS 7 launch.

Another CEO I spoke to off the record today said that he’s leaving his Android client engineers on task (they’ve released both iOS and Android apps), but all UI/UX designers and engineers are focusing 100% on iOS 7.

And another startup founder: “Android is no longer on our 2013 product roadmap.”

And finally, the worst news of all from yet another mobile startup – they’re canceling all summer vacations.

It’s becoming pretty clear, particularly from today’s Snowden Q&A and the partial transcript from President Obama’s Charlie Rose interview, that we’re zeroing in on how the government accesses private individual data.

If you’re not a “U.S. person,” there are few restrictions on what the U.S. government can do to monitor you. If you are a U.S. person then there are at least some restrictions, and the involvement of at least the secret FISA court, before that data can be accessed.

What’s also clear are that these are just policy decisions, as Snowden puts it, and that things may have been different in the past and can be different in the future.

My guess is that most journalists will continue to dig into the FISA court stuff. This quote alone is a gold mine for arguing that there is no true judicial oversight on any of this stuff:

Charlie Rose: But has FISA court turned down any request?

Barack Obama: The — because — the — first of all, Charlie, the number of requests are surprisingly small… number one. Number two, folks don’t go with a query unless they’ve got a pretty good suspicion.

In other words, “trust us.”

But here’s what journalists should be asking at this point: What data does the government store? How long have they been storing it? Do they ever delete it?

All of the government arguments around 4th Amendment protections center on policy decisions regarding what the NSA and FBI can look at. But as they make these arguments they imply that the data is already sitting on government servers. Snowden, of course, doesn’t imply this, he says it flat out.

This is what scares me the most. Not that today’s government is using this data improperly today (although the IRS scandal certainly shows that the government is quite willing to use data improperly). Rather, I’m much more concerned with what the government will do with this data down the road.

Knowing that the government will start surveillance on you if you do something wrong is one thing.

But knowing that you are constantly being watched, with everything you do being stored in a database somewhere, is something else. It doesn’t matter if anyone is looking at it today. Knowing that anything you do now, innocently, may be evidence of a crime in 5, 10 or 30 years, is the opposite of freedom. No matter how you look at it.

I don’t understand how the government can argue that storing, possibly forever, every phone call and every email and our location and everything else can somehow be consistent with the rights acknowledged under the 4th amendment. Until journalists start asking these questions, however, they won’t even be forced to make those arguments.

The PRISM story firmly changed course yesterday when The Guardian published a video interview with NSA whistleblower Edward Snowden. If you haven’t watched the interview, you should. It’s historic and fascinating.

The media has all but forgotten about just how the NSA gathers all this information from the companies listed in the presentation. After the story first broke, the denials happened. Then the NY Times connected some dots, and there were then further denials (“the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box”). Then Snowden happened.

At this point there are a lot more things we don’t know than we do. But there are still a lot of dots to connect. So I’m watching the Snowden developments out of one eye while I continue to find peace in my soul for the PRISM stories that can’t find a way to merge into one believable narrative.

I’m working from the assumption that every statement by the companies involved is true, or at least arguably true. Besides the fact that I don’t think these people are liars, with all the leaking going on, they just don’t know what other information is going to explode onto the scene, and they have to hedge.

But still, unless you think the original PRISM document is a fake, or so completely muddled in how it explains things that it might as well be, there are some big questions unanswered.

All of the denials and statements admit that the companies turn data over to the government “only in accordance with the law” along with various versions of how the companies review orders before complying.

I’ve spent a good number of hours researching these government orders, and talking to experts, over the last few days. I’m embarrassed to say that this was just not an area that I was particularly interested in, despite all the writing on the wall. To the best of my ability I’ve remedied that and am starting to push forward into some seriously grey area stuff. I am thankful to Wired’s Threat Level blog which has long focused on these issues. David Kravets work has been particularly edifying.

Here’s where we stand. I believe that #3 in my original post is still the most likely truth: “The presentation is real, and the companies are carefully drafting responses so that they aren’t technically lying.”

The government has a variety of tools under FISA and the Patriot Act to get the data they want (which is all of the data). We know a little about how National Security letters work from Google’s willingness to share data around those and the recent judicial challenges.

The Verizon vacuuming of all data over to the NSA, while horrifying, doesn’t apply to internet companies. Those companies must still comply with National Security Letters and FISA order, however.

The NY Times article changes the original allegations from The Guardian and Washington Post. There is no direct access allegation any more. The focus is now on special hardware lockboxes at company datacenters where requested data is moved for pickup by the NSA.

At first glance that sounds like a good idea. The government gets a court order, serves the order onto the company. The company reviews it and then sends the requested data into the lockbox. The NSA gets that data and the transaction is completed.

The only problem with this theory (from the NY Times story) is that Drummond afterwards said it’s not accurate – “not directly, or via a back door, or a so-called drop box.”

So let’s put Google aside for a moment and look at all the internet companies not on the Hot 9 list. Twitter, Amazon, Salesforce, for example. When they get a secret FISA order in they still must comply, without question. But they aren’t on the “direct access” slide. Clearly they are doing things, or not doing things, that make the process of getting their user data more complicated or just slower.

These Super 9 companies, in contrast, are doing something that makes them a headliner in the presentation deck. Twitter didn’t make the cut. Google did.

So again, taking Drummonds statements as true, what is Google doing that’s different than Twitter, and why is that thing making the NSA really happy?

I don’t know, but I have a guess.

My guess is that Google and the others have agreed to receive FISA requests in an automated way, process them in an automated way, and fire off the data in an automated way. That whole process could take a very small amount of time. Milliseconds for small sets of data, easy. Anything beyond that is from any human intervention at Google to read the order and decide whether to accept it. From what I’ve seen, it’s extremely rare for companies to push back on orders, since the secret FISA court always, without exception, tells them to settle down and get that data over to the NSA, pronto.

So Google complies, and the whole thing has been handled “in accordance with the law.” Given how important the Super 9 are to PRISM, it seems clear that responses from queries must come back pretty quickly, almost as fast as a normal search engine, for example.

That tells me there’s a lot of automation going on in a server or two (just don’t call them back doors or drop boxes).

Now here’s something new (to me at least) that also fills in some boxes. The NSA can begin surveillance on a subject for a full week before going to the secret FISA court for an order. In the last year every one of those orders have been granted, so it’s just a formality.

If I had been paying attention in May, David Kravets was already answering the questions I had last weekend. From his article Secretive Spy Court Approved Nearly 2,000 Surveillance Requests in 2012, he says:

The legislation does not require the government to identify the target or facility to be monitored. It can begin surveillance a week before making the request to the secret court, and the surveillance can continue during the appeals process if, in a rare case, the spy court rejects the surveillance application.

See section (g) here for the law behind his statement that the NSA can surveil someone for a week before going to the secret rubber stamp court.

So back to that “in accordance with the law” stuff that the Awesome 9 keep relying on. It appears to be quite legal to begin surveillance a week before getting a secret court order. That gives them time to determine if they’re barking up the wrong tree.

So, sitting around the NSA office one day an analyst has an idea. Like, “Hey, let’s find Republicans in Wyoming who have Facebook or Twitter friends with someone outside of the U.S. And then cross reference that with concealed carry permits. I think these guys might be gun running. Can I get a high five!?

Our guy fills out a form in PRISM, I imagine, with his query. The damn Twitter doesn’t do Prism and needs a more formal order, probably requiring someone to wake up the secret judge and tell him to get that stamp ready. And then they send off the order in a variety of ways and demand a response in 24 hours or something.

Meanwhile things are rocking on Prism. The Verizon data is all locked in and can map out his location over time as a map overlay, easily. Our analyst filled out the form, checked the “FISA approved” box (knowing this is legal because they have a week to go to court), waits a few seconds….and then boom there it is. Lots of data on gun owners in Wyoming with overseas friends. It went through the express line at Google, who noted the FISA approved stamp, and rushed that data right back down the pipe to the NSA.

Hey, bring up those Verizon records and see where this guy’s been. Damn, he goes to the range nearly every day. I wonder if he’s complying with every single Federal and state gun law. Let’s send an agent down to chat with him. And if he gives you any shit just show him this picture of his mistress Verizon sent over. That’ll shut him up.

WAIT! Here’s a frickin video! oh man, I’m sending this to myself. No, hold on guys, I’m doing this. Ok, now, show him this video of himself in a compromised position with his girlfriend and ask if we should sent it to his wife at their home address, it’s right here.

So after a day of looking at pictures of naked girlfriends and wives and ranking the top ten porn searches our perp Googled in the last year, our NSA guys still can’t find a NSA-type crime or figure out how they might stop a major terrorist event. Time to delete this data (which probably means shoving into an archive for later analysis and cross checking). And no bother going to the court on this since the surveillance ended before the week was up.

A few days after that a big package comes in from Twitter with 40,000 printed pages of information. They’ve complied with FISA, with a big middle finger. That stuff gets tossed into the scanning room and forgotten.

My scenario is ridiculous above, but it squares with the slides, it squares with the Snowden interview, and it squares with the many denials we’ve heard.

WE KNOW THIS: These nine companies have done something (we don’t know what) to make the NSA’s lives easier. So easy that agents are told to just focus on these companies (not Twitter or Salesforce or Amazon) for FISA orders.

WE KNOW THIS: The NSA can begin surveillance on someone(s) for a full week before they have to get the rubber stamp from the secret court (which has never said no).

WE KNOW THIS: The NSA routinely talks about mitigation efforts to purge U.S. people data; however, they always talk about these measures being taken after they have control of the data. What they should be doing is proving the data is clean before they grab it. But it’s way more efficient (and also evil) to dragnet everything and then try to cut the good data away from the bad. This is self evident from them taking all call data from all Verizon customers, even calls beginning and terminating in the U.S. They get the data, then make promises to the court that they’ll treat that data appropriately. Huge, Huge, HUGE incentives for misuse here based on efficiency arguments.

I GUESS THIS: The NSA “request” is fired off to Google and others as soon as these guys see a thread to pull, and they mark the request as FISA ordered (they have a week to actually get the order, which will be backdated). Google greenlights it as a legal order and fires over the data. If the data is useful the NSA wakes the secret judge up again to stamp it good. Otherwise they toss the data out and nobody ever talks about it again.

This is the world described to me by people I’ve spoken with who seem to have the best grasp of how FISA orders work, and how they might work in connection with PRISM. It makes sense when you realize that the NSA can order surveillance without court approval for a full week. Since surveillance needs data I assume that Google and the others send that data pronto to comply with the law. I doubt they ever see or hear about the actual FISA order a week later.

There’s a lot of educated speculation here, but if this is mostly right then we’ve got a system that works much like the PRISM slides say – it feels like direct access to a server. There are some things going on in between, like checking a box that the order is FISA compliant, but it seems to me that any request for data under FISA is looked at as a FISA order, as it looks like the companies have no ability to delay or object to the seven day period where surveillance can occur without the actual secret court order.

Thus, under this conspiracy theory, PRISM works just as planned, and just as efficiently, as it was described in the presentation.

Now, the only way for this to stop is for someone in one of these companies to pull an Edward Snowden, download some FISA orders and hop on a plane to Hong Kong. And then call me and I’ll fly over and do a really kick ass interview with you where you can tell the world the rest of the PRISM story. I’ll even start your legal defense fund for you and solicit donations, because you’re going to need it.

You’ll definitely want to plan ahead to avoid the fate of other patriots who tried to do what’s right with government demands. There are usually short trials followed by long prison sentences. See Joseph P. Nacchio as a sad example of a man doing what he thought was right and then being torn apart by the government for saying no to them.

This time it’ll be differen’t, though. Ecador, Iceland, China, they all got your back.

Snowden says, I and I agree, that we have a short window of time to dismantle the government’s surveillance machine. If we wait too long it’ll be too late, and nothing the people of the world can do will be able to stop it.

But let’s say it’s already too late, and some of us make the decision to just live with it (I say this only partly tongue-in-cheek).

We don’t fret over the government knowing everything about us by collecting our online activities from willing corporate partners. We just live and enjoy our life, and try to avoid doing anything that might catch the attention of our government.

Like Robert Scoble, we simply revel in being surveilled. Hey, at least we know someone’s paying attention.

We just fade into the masses, so to speak. Don’t even think about things that might get you in trouble.

It’s not totally impossible. I visited the Soviet Union in 1980 with my parents, and there was some joy in that country. People find a way to survive.

But my biggest problem with all this is we don’t get a rule book, and the rules will constantly change. The Russians had it easy, all they had to do was support a single political party, without fail and for their entire lives.

We don’t have it nearly so easy.

We know that under this administration we shouldn’t associate with the Tea Party, oppose abortion, join the NRA, or make donations to the President’s political opponents.

That’s pretty clear. I can live with that.

But what if a republican gets into office next? The rules will change. People getting abortions may be targeted next. Or who support “common sense” restrictions to the Second Amendment. Or who donate to that president’s political opponents.

Sure, we can probably see some of that coming and change our positions on key issues deemed important by the new government. We’re not stupid, after all! We can see the writing on the wall and change our core beliefs right as the new administration takes power.

But we won’t be able to go back and change our history. They’ll see that a decade ago we donated to Planned Parenthood and voted for President Obama. Suddenly, going out and buying a gun or two won’t be enough. The new government will know we’re not true believers in the cause. We’re secret left wing or right wing extremists, and guilty of a new crime – engaging in personal behavior designed to fool the surveillance state.

Yes, I can easily see a future law that prohibits us from engaging in behavior that is designed to trip up the surveillance machine.

Knowing this, we know that we need to start being careful today in order to ensure our ability to live tomorrow.

That means the only rule to living in our particular kind of surveillance state (where the machine is permanent, but the targets swing wildly over time with the whims of democracy) is this – be completely apathetic. Support nothing and condemn nothing.

Do nothing to draw attention to yourself. Think carefully about every email, phone call, Facebook like and Twitter favorite and make damn sure that doesn’t conflict with our government’s goals either today or tomorrow.

And in the meantime, support the only political party that really matters, the NSA. Follow them on Twitter and Facebook now. It might get you a little lenience later on when they’re tracking you for buying that Prius.

The NSA is good. The NSA protects us. The NSA knows what’s best. They’re here, and they’re here to help.

Will not one tech CEO stand up and tell the truth?

The NSA story of the secret assassination of the Fourth Amendment continues to unfold. Today we heard from Google CEO Larry Page and Facebook CEO Mark Zuckerberg.

Page was confused (the title of his post is “What the…?). Zuckerberg claimed the press reports were outrageous. Both made strong denials of specific allegations (“direct access,” “back doors”). Both were technically telling the truth. Both were also overtly misleading people.

So…much…false…indignation.

Those denials now look ridiculous, sitting below a new top headline story with yet more information. I’m guessing Page and Zuckerberg would like to rewrite those statements after reading Claire Cain Miller at the New York Times blowing the lid off with allegations that not only are these companies knowingly working with the NSA, they’re even finding ways to make data transfers more efficient.

In at least two cases, at Google and Facebook, one of the plans discussed was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said.

and

But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.

In case you missed it, Miller spells it out for you: “While handing over data in response to a legitimate FISA request is a legal requirement, making it easier for the government to get the information is not.”

Or to put it another way, who the hell needs “direct access” or “back doors” when companies are building “secure portals” for them instead?

We could quibble all day about whether these men lied (no), or simply misled (yes). But what I really want to know is this:

What has these people, among the wealthiest on the planet, so scared that they find themselves engaging in these verbal gymnastics to avoid telling a simple truth?

We understand the law – these companies can’t acknowledge FISA orders, let alone discuss them – the Verizon document said as much:

It is further ordered that no person shall disclose to any other person that the FBI or NSA has sought or obtained tangible things under this Order.

But why is that stopping them? Do they really see themselves being dragged away, Bradley Manning style – to sit for years in a prison before even being given the dignity of a trial?

Because that’s not going to happen.

If just one of them stood up and told us what’s really going on, as the EFF has urged, we could start to have a real discussion in this country about freedom v. security.

Stand up, I say, and tell us about these FISA orders. Publish them all. Tell us everything. Let us understand the true scope of the evil we are facing.

Because their lawyers might be telling them what they are required to do. But their soul should be telling them what they must do.

At the end of the day, when it comes to government snooping on the phone records and Internet activity of millions of Americans, it doesn’t matter in the least if it’s legal or if procedures were followed. What matters is that the privacy of millions of people has been violated without probable cause or suspicion of wrongdoing, simply so the government could scoop up data on the off chance of finding something interesting.

Will you do it, Marissa? Or you, Ballmer? Or you, Armstrong? Will anyone stand up and say the truth? Will anyone stand up to the secret organization with the secret courts and, simply, do what’s right? Despite the consequences? Despite what your lawyers tell you?

Perhaps you could all get on a conference call tonight and double dare each other to do it all together, at the same time.

“The NSA makes us do things that crush our Constitution, and then they make us never talk about it.”

I hope one of them does. History will not be kind to the people who say nothing. And it will be even less kind to those that mislead us.

The Guardian breaks a big story yesterday – a court document authorizing the FBI and NSA to secretly collect customer phone records. All of them, for all Verizon customers.

Then today the Washington Post breaks an even bigger story – a leaked presentation stating that the NSA is “tapping directly into the central servers of nine leading U.S. Internet companies” to collect information on users. The project is code-named PRISM.

These are the huge repositories of user information from Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple. Dropbox, we’re told, is “coming soon.” Twitter is noticeably absent.

Then the counter stories – most of the companies mentioned in the NSA presentation have denied that the NSA has access to their servers. And people are pointing out that the Verizon order doesn’t include actual phone conversations, just the metadata around those conversations.

On the WP story, that means one of these things must be true:

1. The NSA presentation is fake and the Washington Post got duped, or

2. Microsoft, Yahoo, Google, Facebook, Apple, etc. are lying, or

3. The presentation is real, and the companies are carefully drafting responses so that they aren’t technically lying.

I believe the third option above is truth.

The denials are all worded too similarly and too specifically:

Comparing denials from tech companies, a clear pattern emerges: Apple denied ever hearing of the program and notes they “do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order;” Facebook claimed they “do not provide any government organisation with direct access to Facebook servers;” Google said it “does not have a ‘back door’ for the government to access private user data”; And Yahoo said they “do not provide the government with direct access to our servers, systems, or network.” Most also note that they only release user information as the law compels them to.

How else could these companies be supplying the data? Easy, by simply sending a copy of all data to the NSA. Verizon’s court order, for example, required that they send call data daily.

The companies sending the data have both immunity from prosecution and are also prohibited from disclosing that the NSA has requested or received the data.

The truth of what’s going on becomes obvious.

The U.S. government is compelling companies to turn over all personal information of users to the NSA. They have immunity for this, and they are absolutely prohibited from admitting it.

The result is a massive NSA database that includes information about everything we do online, and everything we do offline that has any online ghost (checkins, photos, etc.).

If twenty years from now the government wants to listen to my phone calls from today, they’ll be able to, because they’re all being stored. Or see who I voted for, or who I associate with. A simple AI can parse all this and profile me. And a hostile government, intent on attacking political enemies, can target me (or anyone).

If you missed this story from May read it now. Former FBI counterterrorism agent Tim Clemente says that the U.S. government already has the ability to listen to past phone calls:

CLEMENTE: “No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It’s not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.

BURNETT: “So they can actually get that? People are saying, look, that is incredible.

CLEMENTE: “No, welcome to America. All of that stuff is being captured as we speak whether we know it or like it or not.”

That’s why Mathew Ingram is totally correct when he says that we desperately need “a stateless repository for leaks” (such as WikiLeaks) to have any chance of fighting back.

But what I would like to see right now is for people at these internet companies to stand up and say the truth, all of it, about their dealings with the NSA.

It doesn’t matter if it’s the CEOs or lower level employees. It can be anonymous or on the record. Unless that Washington Post presentation is a fraud, then a lot of people in Silicon Valley know what’s going on, or parts of what’s going on. They have a duty to stand up to the government, and their employers, and tell the world the truth.

Because right now it certainly looks to me like we’re living in a totalitarian state. And the amount of control that state has over all of us, through intimidation and fear, will only grow over time.

Now is the time to stand up and talk, and be a hero.

Or not, and be complicit.

For my part, I don’t give a damn that Senator Feinstein and others in our government say that this is “called protecting America.”

It doesn’t, it’s Orwellian and it kills liberty and freedom on a scale never seen before. It’s not a way to stop terrorism. It IS terrorism.

The courts are allowing this. The government loves this. The only ones left to oppose it are us.