Thursday, August 15, 2013

Gone Fishin'

This blog is not currently active. If you want to see what I'm up to, find me on Twitter at @csoghoian or at the ACLU Free Future blog.

Saturday, June 08, 2013

Analyzing Yahoo's PRISM non-denial

Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems.

Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data.

"We want to set the record straight about stories that Yahoo! has joined a program called PRISM through which we purportedly volunteer information about our users to the U.S. government and give federal agencies access to our user databases. These claims are false." [emphasis added]

No one has claimed that the PRISM program is voluntary. As the Director of National Intelligence has confirmed, the PRISM program involves court orders granted using Section 702 of the Foreign Intelligence Surveillance Act.

By falsely describing PRISM as a voluntary scheme, Yahoo's general counsel is then able to deny involvement outright. Very sneaky.

"Yahoo! has not joined any program in which we volunteer to share user data with the U.S. government. We do not voluntarily disclose user information."

Again, PRISM has nothing to do with voluntary disclosures. These are compelled disclosures, pursuant to an order from the FISA court.

"The only disclosures that occur are in response to specific demands."

The government can make a specific demand for information about all communications coming to or from a particular country. This is an empty statement.

"And, when the government does request user data from Yahoo!, we protect our users."

Claiming to "protect our users" means nothing.

"We demand that such requests be made through lawful means and for lawful purposes. We fight any requests that we deem unclear, improper, overbroad, or unlawful."

When the law allows blanket surveillance, "lawful means and lawful purposes" doesn't mean anything.

"We carefully scrutinize each request, respond only when required to do so, and provide the least amount of data possible consistent with the law."

When a FISA court order demands blanket surveillance, responding only when required to do so is an empty promise, as is providing the least amount of data possible.

"The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false."

Elsewhere in the post, Yahoo uses the terms "user data" and "user information". Why the sudden switch to the term "users' records"? This seems to deny participation in a Section 215 metadata disclosure program (see: the Verizon Business order revealed earlier this week), which has nothing to do with PRISM.

In any case, the PRISM scandal is not about unfettered access to users' data. It is about giving the government data in which one party of the communication is not in the US. Yahoo is not accused of giving the government unfettered access to communications where all parties are in the US.

"Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive."

Note the use of the word directive in this statement, which does not mean voluntary. Now see below.

"Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested."

Here, Yahoo switches to using the term "requests" which are voluntary, not demands. The government is not obligated to describe "a specific legal purpose" when it has obtained a court order compelling the disclosure of data. It is only when the government is making a voluntary request of Yahoo that the company has the ability to set terms for the disclosure.

"Then, and only then, do our employees evaluate the request and legal requirements in order to respond—or deny—the request."

Yahoo has flexibility when the government makes a request for data. The company has far less flexibility when it receives a court order demanding the disclosure of data.

"We deeply value our users and their trust, and we work hard everyday to earn that trust and, more importantly, to preserve it."

If that were true, Yahoo would protect the privacy and security of its customers by enabling HTTPS by default for Yahoo Mail. Yahoo was the last big email provider to even offer HTTPS as an opt-in option, and has still not enabled it by default.

Saturday, November 24, 2012

A few words on patronage

Over the past couple years, I've taken several big companies to task for their woeful privacy and security practices. Just as it is important to call out these flaws, I believe it is also important to give companies credit when they go the extra mile to protect their customers.

When Google began protecting Gmail with HTTPS by default, I praised the company. When it started voluntarily publishing statistics for government requests, I again praised the company. When AT&T protected its customers' voicemail accounts from caller ID spoofing by forcing users to enter PINs, I praised the company. When Twitter asked the government to unseal the 2703(d) order that it had obtained as part of its investigation into Wikileaks, I praised the company. When Facebook started to offer HTTPS, and then this month enabled it by default, I praised the company. When Mozilla switched to encrypted search by default for Firefox, I praised the organization.

You get the idea.

Of course, just because I praise a particular action by a company, it doesn't mean that I am suddenly giving the company or its products my seal of approval. As an example, I'm of course glad that Facebook is enabling transport encryption to protect its customers' communications from network based interception. That doesn't mean I suddenly love Facebook, or bless the company's other business practices. Turning on HTTPS by default is a great move, but it isn't enough to get me to open a Facebook account, or trust the company with my data.

It is unfortunate then that I must defend myself against Nadim Kobeissi's latest attempt at reputation assassination.

Earlier this month, I praised Silent Circle for the company's fantastic law enforcement compliance policy. [Silent Circle sent me an early draft of their policy, sought feedback, and even accepted some of my suggestions]. Compared to the industry norm, in which companies merely disclose that they will hand over their customers' data to the government when forced to do so, Silent Circle's policy is an absolutely stellar example of the ways in which companies can approach this issue in a clear, transparent and honest manner.

I have spent several years researching the ways in which law enforcement agencies force service providers to spy on their customers. Most companies are not willing to discuss their law enforcement policies, let alone publish them online. It is for that reason that I praised Silent Circle - because they have set a great example that I hope other companies will follow.

However, as with the numerous other examples I highlighted above, just because I praise a particular action by a company, it doesn't mean that I now stand behind the company or its products.

Although I have praised Silent Circle's legal policies, I've made no public statements regarding the technical merits of their products. When I've been questioned by journalists about the extent to which consumers should trust the company's technology, I've been consistently conservative. As I recently told Ryan Gallagher at Slate:

Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.

Nadim has suggested that I am endangering my independence and that I have some kind of conflict of interest regarding Silent Circle, possibly because the company loaned me an iPod Touch so that I could get a chance to try out the iOS version of their software while they work out the kinks in the Android version. (How does Nadim even know the company loaned me an iPod? Because I disclosed it in a discussion with him on a public mailing list.)

Let me be perfectly clear. I am not a consultant to Silent Circle or any other company. I am not on an advisory board for Silent Circle or any other company. The only employer I have is the American Civil Liberties Union. Yes, I regularly talk with people who work at the company, and offer suggestions for ways that they can better protect the privacy of their customers. However, I regularly give solicited (and even more frequently, unsolicited) feedback to many companies, big and small. Most ignore me, but some occasionally change their practices. I am a privacy activist, and that is what I do.