How the NSA Threatens National Security (schneier.com)
274 points by fortepianissimo on Jan 13, 2014 | 23 comments


The most important line: "put security ahead of both domestic and international surveillance". That's what it comes down to, we can have communications security or surveillance, not both.


Yes, so far NSA has been successful at promoting mass surveillance as a matter of "security" not just against terrorists (which we now learn is being very wasteful and ineffective), but against "cyber-attacks", too.

Every time they talked about cyber-attacks, they implied Congress needs to give them more powers and more money, which they later used for offensive actions, rather than securing the networks. NSA has zero interest in securing networks at this point. Maybe they cared about that a little before 9/11, but I don't think they care about it at all anymore.

All they want to do now is be able to break into everything or have backdoors into everything, which means they will not only hoard systems' vulnerabilities for themselves, but they also won't even use that knowledge to secure domestic systems, because the truth is they want access to domestic systems, too, and to them that has a higher priority than securing those systems even against China and so on.

The NSA has probably always had this corrupted idea about security, but I think it became much more so when they merged the US Cyber Command with the NSA.

Bottom line is that we need to educate others that surveillance is pretty much the opposite of "cyber-security", and we need to call NSA out on it every time they try to use the lie that they're the same.


> we can have communications security or surveillance, not both

With all the smart people in the industry, I don't see Google, much less Cisco, internalizing this fact. They want the toothpaste to slide back into the tube so they can sell to normal users as well as law enforcement as well as spy agencies. Nobody, especially not overseas customers, will believe that is possible.

Any product that accommodates surveillance is not secure. Too much of the tech industry, and especially the security industry, is too impressed with helping catch "bad guys." They will have to leave that to real-world person-to-person police work if they want to be credible about secure communications and storage.


This is my favorite part of the article:

"We have been repeatedly told that these surveillance programs would have been able to stop 9/11, yet the NSA didn't detect the Boston bombings -- even though one of the two terrorists was on the watch list and the other had a sloppy social media trail."

It's upsetting how freely those in the government are willing to give up liberty for safety, but when we find out it isn't even a fair trade they're still ok with it.


While there's a healthy debate in the US (and to a lesser extent in Europe perhaps) about the extent of spying being done by governments, I see hardly any concern in India among both media organizations (with probably the exception of The Hindu newspaper), businesses and citizens.

Fed by the constant drip-drip of "free" features, people are almost blind to the true "cost" they're paying. I've tried my best to convince people I know to adopt even simple (not foolproof, which probably nothing is) countermeasures like VPNs or HTTPS-Everywhere...but nobody gives a damn.

Reminds me of a Supernatural episode [1] featuring drugged Turducken sandwiches that turn people into passive, media-absorbing, harmless zombies.

[1] - http://io9.com/5861160/turducken-and-the-rise-of-dick-make-o...


This is true, just days ago there was a proposal of a Google tie-up with Election Commission of India [1]. The proposal allowed Google to offer services for the General Elections in India to be held in 2014. Google proposed free online voter registration besides making available vital details of voter EPIC card numbers and polling station locations.

While this did stir up a concern among the political parties and got some column inches and airtime in mainstream media, I think it should have deserved a lot more attention. I was quite surprised that many people I know don't even have a clue that this happened about a week ago. With all the recent spying revelations, this was seen as a huge security risk. Nevertheless, the Election Commission of India later dropped plans to partner with Google after spying fears [2].

[1] http://articles.timesofindia.indiatimes.com/2014-01-07/india...

[2] http://in.reuters.com/article/2014/01/09/india-elections-goo...


"The proposal allowed Google to offer services for the General Elections in India to be held in 2014. Google proposed free online voter registration besides making available vital details of voter EPIC card numbers and polling station locations."

I started and used to run these programs for Google. I'm not sure what you are implying is done with this data, but security and privacy are always the highest priority.

Google does this stuff for completely altruistic reasons. It's not even part of .com anymore, it's part of .org. The goal is to help people know where to vote. Nothing more, nothing less.

If you'd like to tell me what conspiracy you think this is part of, ...


The point I was trying to make was that when it comes to security, privacy etc there isn't as much debate and media interest as I think should be in India.

In this case there were concerns voiced that the Election Commission neither consulted all the stakeholders nor consulted political parties to discuss this. And, of course with the revelations of US agencies indulging in widespread spying and intelligence gathering, sharing vital data pertaining to Indian citizens to a foreign company was perceived as a security risk.

I did not imply that there is a conspiracy. I just think when there are concerns about security and privacy, as in this case, there should be a louder discussion.


"The point I was trying to make was that when it comes to security, privacy etc there isn't as much debate and media interest as I think should be in India."

Fair enough. Note when I started this, Google was essentially one of the only players in this space who didn't want data that had PII in it (in the US, things like voter files get sold quite a lot). Still true, sadly.

For national ID systems, most of it was something like "ID xxx through zzz vote at YYY", where xxx to zzz was some very large range. For those systems that required fine-grained data (like Peru, I believe), our design was to give them secure one-way hashes to use on the data before giving it to us so that we never had any info, just something we could key on (we would then proxy API calls to do the actual national ID lookups or something so again, we never saw the IDs). AFAIK, none of these ever panned out for other reasons.

At least when I was running it (and I doubt things have changed in the past 8 months, it's the same people other than me), there was a zero percent chance we would have ever agreed to receive any "vital data" at all.

I haven't looked heavily into all this, but I have very strong doubts any info about people would have actually been asked for or given. You know how the press tends to understand nuanced technical detail.

In most cases where these stories happen, sad truth is the real reason is losing control of voter suppression.
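
The one-way-hash hand-off described in the comment above, as an added example that is not part of the thread or of Google's code: it assumes the data holder tokenizes IDs with a keyed hash (HMAC-SHA256) under a key the recipient never sees, and compares that with a plain SHA-256 over the same IDs. The IDs, station names, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: these national IDs and polling places are made up.
VOTER_ROLL = {
    "10000017": "Station A",
    "10000452": "Station B",
    "10000999": "Station C",
}
# Assumption: a secret held only by the election authority (constructed value).
AUTHORITY_KEY = b"constructed-demo-key-held-only-by-the-authority"


def keyed_token(national_id: str, key: bytes) -> str:
    """Authority side: HMAC-SHA256 of the ID under the authority's secret key."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


def unkeyed_token(national_id: str) -> str:
    """Plain SHA-256 of the ID, shown only for comparison."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def export_table(roll: dict, tokenize) -> dict:
    """What the authority hands over: token -> polling place, no raw IDs."""
    return {tokenize(nid): place for nid, place in roll.items()}


def recoverable_ids(table: dict, tokenize, id_space) -> list:
    """Privacy audit: raw IDs the recipient could recover by hashing every
    candidate ID with a function it knows and matching the received table."""
    return [nid for nid in id_space if tokenize(nid) in table]


def lookup(table: dict, token: str):
    """Recipient side: key on the opaque token, never on the ID."""
    return table.get(token)


# Small constructed ID range; real national ID spaces are larger but still finite.
ID_SPACE = [f"{n:08d}" for n in range(10_000_000, 10_001_000)]

keyed_table = export_table(VOTER_ROLL, lambda nid: keyed_token(nid, AUTHORITY_KEY))
plain_table = export_table(VOTER_ROLL, unkeyed_token)

if __name__ == "__main__":
    # The authority's proxy tokenizes the voter's ID, then queries the recipient.
    print(lookup(keyed_table, keyed_token("10000452", AUTHORITY_KEY)))
    print(recoverable_ids(keyed_table, unkeyed_token, ID_SPACE))  # no matches
    print(recoverable_ids(plain_table, unkeyed_token, ID_SPACE))  # every ID
```

The audit function is the check to run before handing such a table over: if enumerating the ID space with any function the recipient could know reproduces the tokens, the table is pseudonymous in name only.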


The NSA has forced Google to lie to us about other stuff, and they have also been heavily spied upon and infiltrated without knowing it. You may be sitting in the ball pit, drinking the Kool-Aid from the cafeteria, but all the "omg conspiracy theory" stuff has been proven to be true.


Ignoring all the claims here, can you explain the relevance to the current discussion? As mentioned, we have refused any info that has PII in it, so what exactly is there that would be taken?

(This is even true in countries where it's publicly available info)


> Google does this stuff for completely altruistic reasons.

But of course. Just like they help the NSA rape people's privacy for purely altruistic reasons? Don't Be Evil and all, right?

Does a country really need Google's help with running elections? Does it help, for example, that vote counts are just values in a database somewhere?


If you want to do a crappy NSA troll, and personally attack the work I did, you'll need to do better than this.

As for whether a country really needs the help, I'm just going to say "yes". You clearly have no concept of the logistics and IT competence that are actually involved in things like disseminating accurate voting location information in the average country.


> If you want to do a crappy NSA troll, and personally attack the work I did, you'll need to do better than this.

Well, I haven't actually made any negative comments about your work, so I can't see where that's coming from.


Surely you did. You said it wasn't done for purely altruistic reasons, implying that there was an ulterior motive for doing this. I proposed, created, and set up the voting information work. I was responsible for their mission, for hiring everyone who worked on them (again until last year), etc.

Implying it wasn't done for altruistic reasons, when I've told you it was, is certainly a personal attack in this case. It is calling me a liar.


Look, there's no reason to take this personally. Here's the original claim I took issue with:

> Google does this stuff for completely altruistic reasons.

You are not Google, are you? I'm saying that Google is not an altruistic company, as evidenced by their helping the NSA spy on everyone all over the world. It's highly unlikely that Google would do anything related to elections for "purely altruistic reasons".

You personally may well be working for Google without any evil intentions, but that's not something I've argued against. OK?


Did you not read the part where he said it was his project at Google? You attacked the project. It looks like you got cowed by Daniel's response, and now are just tendentiously refusing to apologize. Maybe just apologize?

People on HN get caught up in this idea that they are having 1-on-1 conversations, but really they're always writing to the whole site. Lots of people are reading this little thread. What convincing argument do you think you're making in that context? You're an anonymous person with one message ("Google is an evil NSA accomplice") trying to tell the actual person who managed the voting information project at Google that Google had malicious intentions for voting information. You look silly.


> Did you not read the part where he said it was his project at Google? You attacked the project.

Did you read what I wrote? Once again, I'm tempted to make the distinction between Daniel and Google clear. I did not attack Daniel, and I did not attack the project. I attacked Google, or more specifically, this claim that Daniel made:

> Google does this stuff for completely altruistic reasons.

Here is my original response to that claim:

> But of course. Just like they help the NSA rape people's privacy for purely altruistic reasons? Don't Be Evil and all, right?

It's simply not accurate to claim I was attacking Daniel or his work at Google.

Even if I had actually attacked the project, that would still be separate from attacking Daniel - he's just doing whatever he's told to do, and most likely without any evil intentions, as I already acknowledged.

> It looks like you got cowed by Daniel's response, and now are just tendentiously refusing to apologize. Maybe just apologize?

There is nothing to apologize for. It's not my problem if Daniel takes arguing against a specific claim he made as an attack against his person, or his work.

> You're an anonymous person with one message ("Google is an evil NSA accomplice") trying to tell the actual person who managed the voting information project at Google that Google had malicious intentions for voting information

Well, Snowden's revelations tell us that Google has been actively helping the NSA spy on people for many years now, long before the Don't Be Evil mantra lost credibility in people's eyes. I simply referred to this fact, to suggest that we already have evidence of distinctly non-altruistic actions on Google's part, and this undermines the credibility of Daniel's claim.


"> Google does this stuff for completely altruistic reasons.

Here is my original response to that claim:

> But of course. Just like they help the NSA rape people's privacy for purely altruistic reasons? Don't Be Evil and all, right?

It's simply not accurate to claim I was attacking Daniel or his work at Google."

This stuff = the project being referred to. I'm not sure how you can see it any other way, and as you can see, this is how other people saw it as well.

"Even if I had actually attacked the project, that would still be separate from attacking Daniel - he's just doing whatever he's told to do, and most likely without any evil intentions, as I already acknowledged."

It's interesting you think that I just do whatever I'm told to do, or that it is in any way like that (IE that there is/was top down direction in this case).

But this is silly at this point, I think I've already adequately explained how this all functions. You are welcome to believe as you like.


  1) the project != why it's done
  2) the project != you personally or your work or why you do it

> It's interesting you think that i just do whatever i'm told to do

That's how jobs work, is it not? You get tasks/responsibilities assigned to you in exchange for a salary. Doing your job doesn't mean you're being evil, even if Google or its management is. I see why/how you got upset, but I didn't attack you or your work, personally. I'm sure you did a fine job of whatever tasks you had. Just to be clear, it's certainly possible to work on something without knowing that it's not done for purely altruistic reasons.

But you're right, this is silly.


No one actually cares about "freedom" in India; maybe one reason is that they are getting too many things for free from the repressive government. The concept of privacy is non-existent.

Consider the case of Aadhar card (similar to SSN but with biometric data collection). World's largest biometric database collection and maintenance was given to two foreign companies with roots in Middle East and United States. No debate about the background checks of this company.


This is actually the structure of society imagined by Huxley in Brave New World - there was a post in HN just a week ago:

http://onthepathofknowledge.wordpress.com/2014/01/03/amusing...


> We need to build a coalition of free-world nations dedicated to a secure global Internet, and we need to continually push back against bad actors -- both state and non-state -- that work against that goal.

Let's do it. Even though I'm starting to believe that a "secure by default Internet" will come from the wilderness of the Internet and not from committees, because too many corporations (Google, Facebook, Microsoft, etc) and governments (US, China, "5 eyes", etc) will push against those committees' standards, I still think it's important to have at least some large countries support those types of projects when they arrive, or at least not be outright hostile against them and try to ban them "because terrorism/child pornography/money laundering".

These technologies will need some time to incubate, and leak into the mainstream, so at the very least we'll need some countries to turn a 'blind eye' to them until they reach critical mass, and not try to shut them down from day one or threaten people with new laws and arrests if they use them.



