Thursday, July 09, 2015

Goodbye Caspar

I think I first met Caspar Bowden back in 2007.

I first encountered him at privacy conferences, where he would, without fail, be the first person to the microphone anytime a tech company employee or government official spoke, and he would hammer them with the most uncomfortable, probing questions about privacy and surveillance.

The thing is, there are very few new faces on the privacy circuit. Many of these people had encountered Caspar before and had been on the receiving end of his unpleasant questions. If they gave a bullshit answer, the next time he asked the question, he would come prepared with material to respond. If they evaded, the next time he asked the question, he would mention how many times they had evaded it. He was relentless. It worked. He would ask the same questions over and over, until he finally browbeat them into giving an honest answer, on the record, in front of a room full of privacy experts, officials, and academics.

As a young, green activist, I was in awe.

Moreover, Caspar had somehow convinced Microsoft to hire him, pay him a good wage, and allow him to travel around the world with a corporate Amex card, while he took the mic and railed against the very privacy-invading corporations who were paying his mortgage. Microsoft was for some reason keeping one of the biggest privacy curmudgeons in Europe on its payroll.

Microsoft has been, and continues to be, a total trainwreck on privacy. I always assumed that Microsoft kept Caspar around, in spite of his rough edges, because he provided the company with blunt, useful, internal feedback on their own products and services before they launched. If they listened to Caspar, it meant they would avoid a public flogging from public interest advocates. 

Eventually, Microsoft fired him. I don't know if it was because the company tired of his public shenanigans, because he was, unlike many of his corporate shill peers at Microsoft, not willing to toe the obviously deceptive company line about its commitment to privacy, or, as Caspar later hinted, because he was increasingly voicing his concerns internally about FISA Amendments Act Section 702 and the ease with which the US government could spy on the cloud computing services, such as those provided by Microsoft, which were used by non-Americans.

But once Microsoft fired him, he dedicated himself to warning everyone he could about the way in which the NSA, through the FISA Amendments Act, could spy on the world. Caspar saw PRISM coming, and he tried to warn the world. But few would listen.

I remember in the week or two before the CCC Camp, in the summer of 2011, trying to convince Caspar to change the slides he planned to use for his talk (video) on FISA surveillance. They looked like a bottle of Dr. Bronner's soap, words packed into every available inch of white space. They were impossible for the average attendee to understand, and would make him look crazy, as he stood on stage talking about a global NSA Internet dragnet. Caspar disagreed, and said that it was important to include as much useful information, the more the better, so that people watching at home could look it all up themselves.

Caspar knew he was right about what we now know as PRISM, he knew that the US government and US corporate interests were engaged in an active disinformation campaign to muddy the water on the issue of US government surveillance of cloud computing, and sadly, he could come off as a bit of a crank.

But he was right. He was so damn right.

Caspar taught me a lot, both by showing me what to do, and what not to do. I really looked up to him, and now he's gone.

I'll miss you, Caspar.

Thursday, August 15, 2013

Gone Fishin'

This blog is not currently active. If you want to see what I'm up to, find me on Twitter at @csoghoian or at the ACLU Free Future blog.

Saturday, June 08, 2013

Analyzing Yahoo's PRISM non-denial

Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems.

Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data.

We want to set the record straight about stories that Yahoo! has joined a program called PRISM through which we purportedly volunteer information about our users to the U.S. government and give federal agencies access to our user databases. These claims are false. [emphasis added]

No one has claimed that the PRISM program is voluntary. As the Director of National Intelligence has confirmed, the PRISM program involves court orders granted using Section 702 of the Foreign Intelligence Surveillance Act.

By falsely describing PRISM as a voluntary scheme, Yahoo's general counsel is then able to deny involvement outright. Very sneaky.

Yahoo! has not joined any program in which we volunteer to share user data with the U.S. government. We do not voluntarily disclose user information.

Again, PRISM has nothing to do with voluntary disclosures. These are compelled disclosures, pursuant to an order from the FISA court.

The only disclosures that occur are in response to specific demands.

The government can make a specific demand for information about all communications coming to or from a particular country. This is an empty statement.

And, when the government does request user data from Yahoo!, we protect our users.

Claiming to "protect our users" means nothing.

We demand that such requests be made through lawful means and for lawful purposes. We fight any requests that we deem unclear, improper, overbroad, or unlawful.

When the law allows blanket surveillance, "lawful means and lawful purposes" doesn't mean anything.

We carefully scrutinize each request, respond only when required to do so, and provide the least amount of data possible consistent with the law.

When a FISA court order demands blanket surveillance, responding only when required to do so is an empty promise, as is providing the least amount of data possible.

The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false.

Elsewhere in the post, Yahoo uses the terms "user data" and "user information". Why the sudden switch to the term "users' records"? This seems to deny participation in a Section 215 metadata disclosure program (see: the Verizon Business order revealed earlier this week), which has nothing to do with PRISM.

In any case, the PRISM scandal is not about unfettered access to users' data. It is about giving the government data in which one party of the communication is not in the US. Yahoo is not accused of giving the government unfettered access to communications where all parties are in the US.

Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive.

Note the use of the word "directive" in this statement, which does not mean voluntary. Now see below.

Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested.

Here, Yahoo switches to using the term "requests", which are voluntary, not demands. The government is not obligated to describe "a specific lawful purpose" when it has obtained a court order compelling the disclosure of data. It is only when the government is making a voluntary request of Yahoo that the company has the ability to set terms for the disclosure.

Then, and only then, do our employees evaluate the request and legal requirements in order to respond—or deny—the request.

Yahoo has flexibility when the government makes a request for data. The company has far less flexibility when it receives a court order demanding the disclosure of data.

We deeply value our users and their trust, and we work hard everyday to earn that trust and, more importantly, to preserve it.

If that were true, Yahoo would protect the privacy and security of its customers by enabling HTTPS by default for Yahoo Mail. Yahoo was the last big email provider to even offer HTTPS as an opt-in option, and has still not enabled it by default.