I was thinking about Rackspace and PRISM today (I spend > $10K/month at Rackspace) ... and that thread about how all this could harm the startup ecosystem.
If the Govt/NSA wanted access to certain metadata and a company refused (like some claim Twitter did), what's to stop them from going to Amazon or Rackspace and throwing their weight around to get access that way? Or, if that didn't work, they could just keep going up the OSI layers (or tier 1 providers) until they get the access they want OR can force it be threatening to disrupt service.
My point is, even awesome companies like Rackspace are dependent on less-than-awesome companies for some types of infrastructure.
Any company that doesn't comply and hand the data by API will have it's links scraped. Sure it's more costly. That's why they go through the arm twisting.
Probably one of the better responses that we've seen.
Regardless of my earlier posts, I'm actually inclined to believe these service providers.
I'm curious, has anyone seen/heard anything from CA's? I imagine it would be much easier to just create a split network route at the ISP layer and decrypt all traffic.
Wouldn't be that crazy if you had all of the root keys.
Ugh, this keeps coming up. No amount of cooperation from Certificate Authorities will enable passive attacks on SSL.
All the CA does is cryptographically certify "this is the public key that the Company (eg. Google) gave me"; they never see the corresponding private key.
Cooperation from the CA might give the NSA their own certificates for Google, which would allow for an active man-in-the-middle attack. Certificate pinning would defeat that, and doing that on the fly in the Internet at large would be a serious undertaking.
But if they want to decrypt traffic passively and they don't know about serious SSL vulnerabilities, they would have to have Google's private key. And with Perfect Forward Secrecy, even that is not sufficient. (PFS requires an active attack because the session key can only be determined if you're actually one of the two doing the handshake, or you know how to factor very large numbers.)
1) Generating certificates on the fly for arbitrary domains has been the usual operating mode for transparent proxies for at least 8 years.
2) There have been many public SSL vulnerabilities in the last year. To think that there might be some non-public ones is not a stretch.
3) If anyone can factor very large numbers, it is the NSA. The move to ECC for Suite B has been interpreted to imply this may be becoming more feasible.
> No amount of cooperation from Certificate Authorities will enable passive attacks on SSL
Actually, it's quite common for CAs to do the site admins a favor and generate the keypair for them. The admin then downloads the private key and installs it on his server.
On TLS connections where the client and server do not negotiate the use of Ephemeral Diffie-Hellman (EC)DHE (sometimes called EDH), then the CA could have retained the private key data which could be used to decrypt the packet capture after-the-fact.
Google should be applauded for configuring their servers to prefer (EC)DHE on their TLS services. It also means they can fight a law enforcement subpoena for their private key.
The attack is to generate a certificate, sig. it themselves as valid, and then man in the middle the target. it's not about decrypting somebody else's session, it's about creating their own, seemingly valid one.
What I think you're driving at is what this device (and others like it already do) http://www.nextgigsystems.com/netronome/ssl_inspector_SI-800.... However, you must be sitting in between the client and server and inject into the exchange (be a proxy). You can't just listen to both sides and reconstruct it later. Well, that is if you believe the NSA has not straight-up cracked SSL -- which I don't believe it has above 128-bit keys. Their cpu cycles are better used elsewhere, plus they have so much unencrypted data to analyze. But the race continues...
I would imagine the tech used in the device you linked to has been in use for quite some time. Nothing stated in the Rackspace or other ISPs posts says anything about the routers in place at these facilities. They're all quite careful to say how secure the customer's "stored data" is safe on the "servers" - nothing is said about data flows through routers.
I note there's been no statements - suspiciously scripted or not - from the likes of Juniper, EMC, HP, Dell, Cisco...
The social media company presumably-NSA-supplied denial script says "no direct access to servers".[1] I wonder just how few bits of networking gear (or switch OSs) you'd need to root - gear that sits between the SSL termination and the servers - to not even need to ask for "direct access"?
[1] In fairness - perhaps that turn-of-phrase only appeared in every CEO denial because it was a direct quite from the WaPo article.
Dmitry's followup at the bottom of the page is both insightful and indicative of our nitpicking attitude to this. Is metadata covered under this? How about their routing and network equipment's logs? In the same time, when do we stop asking clarifying questions and arguing about the semantics of the message, a process that might turn into legalese and then lawyers talking to each-other?
Note well that Rackspace offers primarily dedicated server services, which would make it rather difficult for them to participate in PRISM as shown. You'd tend to notice if someone rebooted your box and installed a service. :D
Nothing stopping NSA from splitting their transit fibers on the (3), Telia, and Qwest sides though.
What's going to be really interesting is how PRISM integrates with AWS, once some brave Amazon soul decides to self-immolate for our own intellectual curiosity.
See, that's part of the problem in terms of economic calculation when dealing with a surveillance society -> since it's largely impossible to quantify the amount of lost business due to various surveillance / justice actions, as the methods and individual events in which such actions took place may never see the light of day, a society could be going bankrupt due to an overly large security division, and never know it.
Let's consider a real-life plausible scenario: a DEA agent gets a tip from a questionable source about a large shipment of Molly coming in tonight on the docks (cliche, but let's roll with it). The information isn't good enough to get a warrant, but the DEA hasn't had a bust in a while, and the agents are being pressured to find something to justify their jobs. This DEA agent figures that it wouldn't hurt to have a look around (nothing illegal there, right?), and spotting nothing immediately out on the docks, begins to think that it's a bust. The agent notices that an upper window is open on one of the warehouses, and that there are voices being heard within; it would take a little effort, shimmying up the side, but the agent could peak through the window (questionable)...and maybe even climb inside if the agent sees something. The agent climbs up, and hears rising voices from within. Not seeing anyone, the agent climbs in.
The agent, walking on top of some crates, sees the owners of the voices, and after listening for several moments, realizes that it's just a typical worker's spat. The agent goes to leave, not seeing anything of interest...but as the agent moves, one of the crates topples, pushing the one in front of it, and so on in a domino fashion. The agent manages to leave undiscovered, but not before $30 million in Lowe's Italian Chandeliers are dropped three stories onto a hard concrete floor.
The workers will be blamed for not stacking the crates correctly, and the owner of the warehouse cited. The insurance company will, of course, cover the costs of the damaged merchandise. However, the cost to society, for this overstep, was more than a minor civil rights violation...it was more than those workers make in a decade, possibly their lives.
And that's kind of at the heart of these infringements...when the intelligence agencies screw up, when the police screw up, it's not like they're shouldered with that debt; it's charged to society as the cost of doing business...no different from what the bankers did recently when they 'privatized the gains, and socialized the losses.'
Not to engage in the spergy one-upmanship that usually happens now, but one of the best hackers I know got me building kernels without loadable module support of any kind in the 90s after demoing a similar attack. I build my colo machine kernels without most hardware drivers outside of disk and ethernet. (n.b. that you must also patch to deny writes to /dev/mem and /dev/kmem (even for uid0), as you can use these to insert code into a running kernel even without module support.)
From the point of view of any non-resident alien who has US cloud data, this is a very ponderable answer. We know what the Fourth Amendment says. The problem is that apparently (IANAL!) the US courts are upholding the idea that the Fourth Amendment does not apply to the US-based cloud data of non-US-resident non-US-citizens. I've heard a couple of people suggesting that this interpretation is based on the idea of border search, but that's neither here nor there: the upshot is that, unlike for example the US property of non-US-resident non-US-citizens, which is protected by the Takings Clause, the US cloud data of non-resident aliens seems to have no Constitutional protection. This seems to be the Constitutional foundation of FISA http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg178... 702 http://www.govtrack.us/congress/bills/110/hr6304/text , the law which allows the NSA to get Foreign Intelligence Surveillance Orders against non-resident aliens. Absolutely the only thing the government has to prove to the FISC court to get one of these orders is that the targets are (more likely than not!) non-resident aliens. No probable cause, no standard of suspicion for anything: the government doesn't even have to state its motivation. And the "Notwithstanding any other provision of law" language in 702 seems to sweep away any other statute law you (or Rackspace etc.) might want to use against the order. (Again IANAL.)
So how are we to interpret
"Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request ( e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over Rackspace and the data sought."
? Coming right after the recitation of the Fourth Amendment, this gives the impression that Rackspace will only hand out your data in response to a warrant (or warrant-like-thing) that demonstrates probable cause. But in fact, when the customer is a non-resident alien, the order is a FISA 702 order, and the court is the FISC, probable cause never comes into it: the US can (completely properly and lawfully!) get such an order for no stated reason at all. Imagine the following conversation in 1860:
Q: I hear that you have slaves on your Virginia cotton plantation. Is this really true?
A: The Fifth Amendment to the US Constitution states that 'No person shall [...] be deprived of life, liberty, or property, without due process of law'. No-one is forcibly detained on this plantation except fully in accordance with the law and the Fifth Amendment.
This answer seeks to suggest that the only prisoners on the plantation are convicted criminals, which is false - the plantation is worked by slaves. But in fact the answer is precisely true though devious: slaves have no rights under the law, while the Fifth Amendment does not apply to slaves. I really hope this isn't the correct way to interpret Rackspace's statement as well.
"The problem is that apparently (IANAL!) the US courts are upholding the idea that the Fourth Amendment does not apply to the US-based cloud data of non-US-resident non-US-citizens."
And further - it's not just "US-based cloud", it's almost certainly "cloud resources physically based _anywhere_ if it's owned/operated by a US based company". I'm pretty sure Rackspace[1] would consider any data that I (a non-US resident/citizen) store on a Rackspace instance intentionally provisioned in their Sydney Australia datacenter to be subject to US law instead of local Australian law[2] - and would most likely hand over any and all of my data with no need for a warrant.
[1] for completeness/fairness, I'm pretty sure Amazon would treat and Sydney AZ instances I spin up exactly the same way.
[2] actually, I suspect I'd get the worst-case scenario of the least protection available under either US or Australian law - if push ever came to shove...
"[1] for completeness/fairness, I'm pretty sure Amazon would treat and Sydney AZ instances I spin up exactly the same way. [2] actually, I suspect I'd get the worst-case scenario of the least protection available under either US or Australian law - if push ever came to shove..."
Totally. These points completely nail it for me (A non-US consumer of US based services).
Anyone who was concerned about "the subpoena risk" [1] before, but was satisfied if their data resides in (eg) Australian data centres will now be forced to think again.
I see this as a huge opportunity for non-US domestic PAAS / IAAS providers who keep everything in a single juristiction.
Ninefold (http://www.ninefold.com) push this pretty hard (see the Data Jurisdiction link in their footer), but unfortunately I fear their (and my) local Australian legal system doesn't provide me with any protection against even medium-level US law enforcement "friendly requests".
When you see just how far the New Zealand law enforcement rolled over and violated national law at the request of US copyright enforcement in their shoddily executed raid on Kim Dot Com, I have very little doubt that in spite of Ninefold's marketing using legal jurisdiction nightmares if you use their major competitors AWS or Rackspace - if the NSA showed up even without local law enforcement on their side, me and my data would likley get "thrown under the bus" (especially in the light of stories like this: https://mailman.stanford.edu/pipermail/liberationtech/2013-J... )
Perhaps one solution is to store your data in a jurisdiction that is not the US or Australia.
If some nation can step up and provide some guarantee that your data is not subject to law enforcement without rigorousness due process, they might be able to attract substantial investment.
Perhaps - I don't have any real knowledge here, but I suspect most countries probably have something similar to the stated (but clearly abused) special protection for citizens privacy rights over non-citizens (kinda inevitably in one sense - if you have no ability to vote in elections in the country making the laws, you have very little reason to be protected as much by those laws as those who can vote poor lawmakers out).
So for my personal situation - there are two juridictions I have citizenship in (Australia and The UK), neither of which I have much confidence in the amount of resistance they'd provide at a policy or law enforcement level to requests for my personal data from US agencies - and both places where I suspect that companies capable of storing data for me reliably and availably enough probably all have enough of a US presence that they'd be easily "leaned on" by agencies as powerful as the NSA (and probably even the MPAA) in such a way that it'd be "the right thing for them to do" to give up my data rather than incur the costs to the company of fighting.
My current "solution" is increase my (and as many people as I work and communicate with as possible) use of encryption (and hope that as well as "not doing anything wrong, so I've got nothing to fear", that things like AES & PBKDF2 with strong passphrases and tools like EncFS, TrueCrypt, 1Password, OpenSSL are still viable options even against the NSA).
Maybe it's time to compile a list of alternative non-US cloud services? I would be particularly interested in a non-US hosting company comparable to Linode.
I suggest http://www.copernico.net/ ,who are in Spain. I've no affiliation, other than being a customer; in my experience, the service is excellent, the boss, Miguel Angel, is very easy to reach, and I've come to know him as an independent spirit, who does not like governmental intervention at all.
But the US of A has absolutely no obligation for the welbeing or privacy of any non-US citizen. if their data happens to be within US jurisdiction, the US gov't can do anything they like, provided that what they do is "lawful".
I m not saying PRISM is lawful (that remains to be seen?), but i think many non-US citizens are feeling too entitled to the protection of US law.
I don't think it's a sense of entitlement at all but rather decades of trust (and reliance) that was built after World War II when the only thing standing in the way of Soviet domination was the USA. It was always a little naive to think that the USA had everybody's best interest at heart but now it is now clear and unambiguously painted in big bold letters that the USA* are in it for themselves and only for themselves. All the talk of shared values and common purpose, spreading democracy and freedom, etc. etc. all rings rather hollow.
It's seems stupid that given recent events that the uproar over whether the US government is reading your Facebook posts has rammed the point home to many people but I guess this is just the final prod that woke a lot of people up.
*Purely from the perspective of the government. I've nothing but admiration (mostly) for large parts of the culture, attitude and hard work of the good citizens of the 50 states.
You're correct about the US of today, but you're making the common mistake of thinking the US of today has much in common with the US of 1950 (etc). We're a radically different nation today, even than what we were 15 or 30 years ago. This kind of rapid change isn't uncommon in our history, the US of 1840 was vastly different from the US of 1890.
There have been at least four or five major epochs for the US, which saw fairly substantial changes (good or bad) to the rule of law and social cohesion. We started as a constitutional republic and nearly laissez-faire capitalism; then we had a massive federal explosion post civil war, that saw the power of the states greatly diminished; we shifted to a mixed economy, welfare state with a heavy bent toward democracy; now we're speeding toward police state socialism with oligarchs, the facade of property rights, and blended government-corporations, aka fascism (or as some call it in our incarnation, corporatism).
Not quite. If you are in the US as a tourist, it doesn't matter what you have signed. They can't go and strip search you just because they felt like it.
What you have to realize is that 4th Amendment law is largely tied to searches for prosecution reasons and so usually the issue is "well, the 4th Amendment is violated and so to punish the government and give them the right incentives, we won't let them use the following set of evidence in their prosecution." It's really hard to make such rules effective regarding surveillance of foreigners conducted overseas.
Non-citizens in the US for whatever reason do have relevant liberties. This does not extend to say buying tv advertisements for candidates in elections, but it does extend to unreasonable searches and seizures. Non-citizens with no real ties to the US, and not in the US are different.
> Non-citizens with no real ties to the US, and not in the US are different.
But their US property is still protected. If I'm a Russian orthodontist in Minsk and I buy 500 shares of Google, the Fifth Amendment protects me having them expropriated by the US government even if I never go near the States. (IANAL, but I did check this one.) However if I open a Google Mail account then apparently (under current interpretations) I have no similar protections.
I can't say if this apparent discrepancy is actually legally justified, or not. Without even getting into the question of whether it's morally justified, it is going to come as a significant surprise to a lot of people, who have got used to the idea that they're largely protected by the US rule of law when they do business with the US. And one way or the other, it's reasonable to point out that Rackspace's Fourth Amendment-based reassurances seem to be (no doubt accidentally) crucially misleading to many or most of its customers.
The 5th and the 14th amendment cover all people, not just citizens.
Here is an informative read on how and why and the history of the question of non-citizen rights.
http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?ar...
Found this after a discussion of the rights of Boston Marathon suspects as non-citizens. Pretty much they have every right of a non-citizen, except the right to vote.
Does the US constitution really only apply to US citizens in a global marketplace? Perhaps we'll look back on Bush and Obama as presidents who struggled with a dated viewpoint of the world, who tried to change the constitution into 'no rights for anyone' instead of 'freedom for all'?
Their main defense is that they operate within the boundaries of the law, which the Obama administration also claims. If they ever face a court order telling them to hand over everything, as long as it follows law at face value then their statement is true.
That is most definitely incorrect. The third party doctrine is shaky judicial construction at best (see, for instance, US v Warshak for the latest example and a case many can now use to justify holding off court orders until the Supreme Court or Congress weighs in on the ECPA), it is not held universally (wiretaps being the longest existent example), and Smith v Maryland would only get you things like call metadata at best anyways. Certainly not server contents. And certainly not with an indefinite gag-order on the service provider.
But as I noted separately, widespread collection of call detail records is not really at issue in Smith v. Maryland. Rather it sits at the intersection of Jones v. United States, United States v. Knotts, and California Bankers Association v. Shultz.
If you read these (I noted them in order from most recent to oldest) and read/carefully count votes on concurring and dissenting opinions (after having read Smith v. Maryland), I think you could be pardoned for thinking the Supreme Court had said a bunch of things about this, much in conflict with a bunch of other things.
Someone trots this horse out of the barn every time privacy issues come up.
I don't give a fuck what SCOTUS said in 1979. They could have gotten it wrong. Their interpretation could disagree with a plain reading of the Constitution, or they could have based their decision on inaccurate or incomplete data. Even if neither of those things are true, times have changed; issues at hand are wildly different than would ever have been conceivable in 1979.
Going "SHUT UP, SCOTUS DECIDED THIS ALREADY" does nothing for the discussion, and it comes out every single time there's an ECPA or 4th Amendment thread.
I responded to one point in the Rackspace response I thought was a bit off-base, specifically that their general counsel thinks the fourth amendment applies to them ... "Based on our interpretation of the Fourth Amendment ". It does not.
You may not give a * about what the SCOTUS decided in 1979 but the SCOTUS does, it is called legal precedent.
Times may have changed, but Smith v Maryland is still controlling law.
But it is still controlling law in the area of pen registers applied to single individuals, right? Knotts raises some uncertainty as to whether dragnet surveillance should be under the same rules, and at least 5 justices in Jones v. United States clearly articulated that it was different for long-term, widespread surveillance of this sort.
So I am questioning as to whether Smith controls the Verizon order as it is. I am not sure a simple "yes" is possible.
Ok to be fair: that's how judicial rulings work, based on precedence. There may be (and I believe to be) far MORE precedence saying the opposite, but don't dismiss precedence's power.
1. They can be narrowed. "Gathering data from all customers regarding where and where they called from and who they called is fundamentally different under the 4th Amendment than what was decided under Smith."
2. They can be expanded, "Cell site location information is no different than what a pen register collects under the Constitution."
3. They can be overruled by the Supreme Court ("We hold we were wrong when we decided Smith v. Maryland.") This is the last choice for obvious practical reasons, and it involves more scrutiny.
I don't think this will cause the third party doctrine to be reconsidered as it was decided in the past (in the context of narrow investigations). I think it is far more likely that courts (from circuit courts to the Supreme Court) will merely hold that it is Constitutionally different to do this to everyone without individualized suspicion than to do it to a specific individual already under investigation, just as it would be Constitutionally different to issue a search warrant for all apartments in a high-rise apartment building than it is to issue a search warrant on an individual's home. I don't think California Bankers Association will be overruled either and if they feel compelled to differentiate, they may say that rules do not require routine disclosure of all financial records, only the few big ones.
Thanks for your comments. I appreciate the tone and research you have added. I actually am a lawyer, though a bit rusty on con law, having spent the past 10 years working in tech after a stint as a federal criminal defense attorney where the fourth amendment was one of my main weapons.
With that out of the way, the best discussion of this topic and all the nuances that I've found is a "debate" between two law professors on the initial issue I raised: the third party doctrine.
Like you, they argue what they think the law should be. In contrast, I'm stating simply what it is.
I stand by my original assertion that Rackspace is not bound by the fourth amendment. This may be a technical point but an important one. Shaky though Smith v. Maryland may be, it remains the law of the land. Users have no "reasonable expectation of privacy" in data they store on Rackspace servers.
I guess my viewpoint is that I am not sure that it is clear what the law is. Smith seems pretty clear as does California Bankers Association, and when you take these two cases together, then dragnet surveillance would not be under different rules and Smith would govern this.
However I am not certain that this is the only way to look at the existing precedents. If you look at Rhenquist's majority opinion in Knotts, for example, he is quite clear that whether widescale tracking is under the same rules is not a question the court was deciding. Knotts is important for the Verizon order because I think one can argue that beeper cases are closer to cell site location information (also disclosed under the Verizon order) than they are to pen registers.
Since Knotts leaves explicitly open the question of whether widespread location tracking is under different rules, I think it is premature to just say that Smith and California Bankers Association control on their face. Additionally it is anything but clear what the Supreme Court said about this in Jones v. United States because it isn't clear how to count the votes. I would argue that Sotomayor and Alito do not control, but the fact that you have 5 justices clearly edgy about such things in their separate opinions (Alito concurring in judgement joined by Breyer, Ginsberg, and Kagan, Sotomayor concurring with Scalia but endorsing Alito's views).
If I had to say what the law is in this case I would say this:
The law is currently unclear. There is, however, a bunch of Supreme Court opinion which seems to give permission to circuit courts to figure this issue out.
Edit: I would also like to point out that the third circuit has held that historical cell site location information is at least potentially protected under the 4th Amendment, and that magistrates have the power to deny ordering disclosure of such on the basis of such 4th Amendment concerns. I don't think the Third Circuit could do this if it was clearly established that these third party business records were outside the purview of the 4th Amendment.
I don't think that is quite right. Smith v. Maryland did not actually merely say it does not apply there. Smith v. Maryland said that installing a pen register to to record call detail information regarding an individual under surveillance did not need a warrant because:
1. The information was willingly shared with a third party.
2. The individual relied on the sharing for many other services including being able to trace harassing phone calls, and the like, and
3. The information was not deeply revealing.
The much more important case regarding 3rd Party Doctrine is California Bankers Association v. Shultz (1974), which established that there is no reasonable expectation to privacy in routine surveillance of bank records of transactions above a certain amount (set at $10k under the statute then as now). The thing is that the dissent was worried specifically about dragnet surveillance and the majority more or less swept that one under the rug.
However, this is not the 1970's any more and there are reasons to think the dragnet surveillance concerns that were ignored in 1974 carry more weight today. In 1983, the Supreme Court, in United States v. Knotts included clear dicta differentiating the case of following a car with a beeper installed in something that was sold with suspicion that it would be used illegally, from the dragnet surveillance case. Rhenquist, writing for the majority, said:
But the fact is that the "reality hardly suggests
abuse," Zurcher v. Stanford [460 U.S. 276, 284] Daily,
436 U.S. 547, 566 (1978); if such dragnet-type law
enforcement practices as respondent envisions should
eventually occur, there will be time enough then to
determine whether different constitutional principles
may be applicable.
The court further narrowed beeper tracking in Karo v. United States to hold it was a search when law enforcement officers determined that a barrel of ether (suspected of being used in making of narcotics) was traced to someone's home. Given that even without GPS, our cell phones are effectively beepers have lead some courts to start pushing back on subpoenas for historical cell site location data.
More recently, you have the 5 concurring justices in Antoine Jones v. United States, opining that long-term surveillance by virtue of time and amount of data collected may well violate the 4th Amendment even if individual pieces may not. I say "opining" rather than "ruling" because Sotomayor refused to rule on that ground, but instead chose Scalia's more narrow rule, while at the same time endorsing Alito's much broader rule. While not the "Opinion of the Court" it is still "an opinion of the majority of the court" and I think this has a certain amount of force on courts below.
We must be confronted that we are at a point where Rhenquist's insistence that dragnet surveillance must be considered separately now mandates that we confront that. A clear majority on the Supreme Court seems to believe that this can violate the Constitution with the other four justices merely having declined to comment on it.
I hope this clarifies both what the court said and what confusions there currently are as this area develops. No I am not a lawyer but I read Supreme Court cases for fun.
That was a weird situation. Italian government asks US government for "help" with servers (well, logs) in a UK datacenter run by US-based Rackspace.
They'd still do it today, IMO:
> we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request ( e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders)
Are the intel services (DIA, CIA, NSA, NRO, etc...) considered actual LEAs? Part of the issue here afaik is the collection of data for intel, not actual LEA. Or else the FBI would be getting all this juicy NSA data to o after actual criminals.
So I've opened support cases with both Amazon and Linode, the former will probably get back to me in several days, but as usual Linode has already replied.
---
vertis
29 minutes ago I am an Australian (i.e. Non-US-Resident Non-US-Citizen). While I have nothing of particular interest on my servers, the revelations of the last week have concerned me for multiple reasons.
The Guardian story about the PRISM program suggests there is extensive surveillance and interception of foreign citizens' data without a court order. Do I need to move my servers to a provider that is based in a country that respects my rights to not be surveilled?
lmatos
18 minutes ago Hello,
As an American citizen, I completely understand. With that said, we have to comply with all US law as we are a US based company.
If there is anything else that we can do to help, please do not hesitate to ask.
The thing most bothering me right now is the lack of meaningful response from the companies that really matter: Google, Microsoft, Apple, and others. The responses we do have seem to be downright lies.
These sorts of things are gag-ordered. It may be that the top brass doesn't even know, for plausible deniability's sake, or that they've been told and now immediately face federal felony charges if they tell anyone (spouses and PR flacks included).
There was a fight (which was won) to get the gag-order provisions of PATRIOT NSLs lifted, at least for speaking to one's own lawyer, which is a protected right (spouses and coworkers are still out, tho). Who knows if those rights extend to FISA orders, though we've seen how they interpret other constitutionally protected rights.
It's not their fault that they don't want jail time. Blame your government. Support courageous people like Snowden. Tell your friends.
If the Govt/NSA wanted access to certain metadata and a company refused (like some claim Twitter did), what's to stop them from going to Amazon or Rackspace and throwing their weight around to get access that way? Or, if that didn't work, they could just keep going up the OSI layers (or tier 1 providers) until they get the access they want OR can force it be threatening to disrupt service.
My point is, even awesome companies like Rackspace are dependent on less-than-awesome companies for some types of infrastructure.