
The Growing [Surveillance State]


Posts

  • zagdrob Registered User regular
    shryke wrote: »
    Sticks wrote: »
    shryke wrote: »
    Sticks wrote: »
    zagdrob wrote: »
    Sticks wrote: »
    Thankfully, we don't have to blindly trust people. That's why we have auditing systems. Of course they probably aren't going to catch low level abuse (e.g. you use it to check on your sister's boyfriend), but it should certainly catch a select *. As long as you are judicious with who gets admin rights to the auditing systems, you'll go a long way to curtailing that sort of behavior.

    You would think, wouldn't you? But not really.

    Because - for all intents and purposes - me running that select * is indistinguishable to pretty much anyone but myself from stuff I need to do as part of my normal duties. Hell, I've pulled a few dozen reports today that would - if I were to sell / release the report - be national news. Maybe not on a par with the Target / Home Depot breach, but certainly massive disclosure.

    There's literally nothing in place that would prevent me from doing this if I wanted to. Granted, if I did so most likely someone would come back, audit the logs, and identify that I was the source.

    But that would be in the future - if Snowden or Manning hadn't gone public, I would bet money that nobody would even notice the breach happened. If the data sat on a USB drive in their drawer and was never sold / released, it would still be sitting there.

    There has to be a level of trust somewhere on the chain. Oversight and audits and process only get you so far - people need to be able to do their jobs, and making a system that's too secure for people to do their jobs just means they are going to work around the system and open a whole new set of vulnerabilities. Making it a pain to store data on a secure shared directory means people store the data on their personal laptop. Too restrictive a password policy means people will reuse passwords or write them down.

    Same thing extends to Sysadmin stuff...and we know the system better than the person who creates the security policies and runs the audits.

    I certainly couldn't run a select * against our production environment without someone noticing despite having the capability to do so, and I would argue, though, that someone catching it later in the logs is acceptable here. It's like law enforcement. Most of the time, you can't stop people from committing the crime, but you can catch them after the fact and hopefully that deters future would-be criminals.

    But companies really do need to pay more attention to security (both external and internal). With things like HIPAA, it's too expensive not to take the risks seriously. To me, that means having dedicated resources for security and auditing, and it needs to scale as your company grows. What worked for my company a decade ago when we had fewer than a hundred employees won't work now when we have over 500 and multiple offices.

    Right, but the point is that this ALREADY HAPPENS.

    Snowden didn't get away with anything. We know he did it and how. But that didn't stop him from doing it because that can't be done.

    And so the vulnerability that blog-post above is discussing is essentially unsolvable. Because there will always be someone along the line with the power to do this kind of thing because the system can't function without that.

    All we can do is punish them afterwards. But that doesn't actually prevent the initial breach.

    Did we actually catch him? I mean he confessed by publishing all that material, so it's hard to say if whatever auditing apparatus the NSA has would have caught him eventually or not. Given how poorly they appear to vet their contractors, I'd be willing to bet their internal auditing program isn't up to snuff either.

    We caught him in that once he actually did anything with the material, it was like "Oh, there he is!".

    If he had, as suggested above, just stuck it on a USB drive and buried it in his back yard nothing would have happened because he'd have done nothing really.

    Right.

    I mean, it's possible that the NSA has a process in place that would have caught him given enough time. Maybe a quarterly / annual audit or something like that. We don't really know enough about the NSA's internal security policies to know for sure, but I've been around enough to say with a high level of confidence that unless he did something REALLY stupid (which isn't out of the question) to obtain the data, nobody would have noticed.

    Outside of happenstance - some sort of random audit or stumbling over this when looking into some unrelated thing - the actions it would take for the NSA to have prevented this instead of simply being reactionary are more surveillance and control over people with this access. You could create a list for people with clearance that requires prior approval if they attempt to buy an international plane ticket or cross an international border. You could monitor their phone calls and e-mails to see who they are communicating with. You could install a keylogger and monitor everything they do on any machine, even their own personal ones.

    But realistically, creating a system that could entirely prevent something like this would create a system so inefficient it's almost impossible for people to do their jobs. And even then, someone who really wants to will find a workaround - be it technical or social. All the keyloggers in the world won't help if I snap a picture of my PC screen with the camera phone I convinced the guard I need to hang onto because my wife could go into labor at any time. Etc.

  • AngelHedgie Registered User regular
    So, going back to private sector data, concerns about the data that fitness apps collect have had legislators and regulators looking into making sure the data is protected. The obvious idea? Extend HIPAA to cover wearables.

    Guess who is lobbying against that?

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • zagdrob Registered User regular
    AngelHedgie wrote: »
    So, going back to private sector data, concerns about the data that fitness apps collect have had legislators and regulators looking into making sure the data is protected. The obvious idea? Extend HIPAA to cover wearables.

    Guess who is lobbying against that?

    That's an interesting issue and one I can see going either way.

    Are the number of steps on a Fitbit going to be covered under HIPAA? What about the results from my GPS watch? If my GPS watch is tied in with a heart rate monitor? What if instead of a basic heart rate monitor, it's a wearable ECG to warn me / record if I'm having an afib episode?

    What even constitutes a wearable fitness app? I mean, it seems like a rhetorical question, but really - what boundaries are there? At my last job we had a little pedometer that we could choose to wear on our shoes so we could track and 'compete' for fitness. Is that collected data going to be bound by HIPAA guidelines, or is there going to be a carve-out for those things?

    Health and fitness information overlap quite a bit, but there are a lot of places where they are distinctly different. The tech giants are going to bitch and complain, but ultimately if fitness apps are covered by HIPAA they are the only ones who can afford to be compliant.

  • Sticks I'd rather be in bed. Registered User regular
    They don't want it covered because that limits what they can do with the data and increases their liability in the event of a breach. Not to mention the costs of compliance.

    Not super surprising they don't want it covered, but I'm not overly sympathetic to their concerns.

  • Darkewolfe Registered User regular
    Sticks wrote: »
    They don't want it covered because that limits what they can do with the data and increases their liability in the event of a breach. Not to mention the costs of compliance.

    Not super surprising they don't want it covered, but I'm not overly sympathetic to their concerns.

    I can see a bit of their argument, though I agree with you.

    To them, it's basically, "I had this great idea, which I acted on, which I expect to be able to build a business on. But now regulation might make it unsustainable because suddenly I'm a medical device and not a cool tech gadget?"

    But it's more important to make sure that the personal data is safe, in the end.

    What is this I don't even.
  • Veevee Wisconsin Registered User regular
    Darkewolfe wrote: »
    Sticks wrote: »
    They don't want it covered because that limits what they can do with the data and increases their liability in the event of a breach. Not to mention the costs of compliance.

    Not super surprising they don't want it covered, but I'm not overly sympathetic to their concerns.

    I can see a bit of their argument, though I agree with you.

    To them, it's basically, "I had this great idea, which I acted on, which I expect to be able to build a business on. But now regulation might make it unsustainable because suddenly I'm a medical device and not a cool tech gadget?"

    But it's more important to make sure that the personal data is safe, in the end.

    As long as they develop a way to ensure informed consent, the customer can agree to anything the developer might want to do.

    Now, getting the tech industry to adopt actual informed consent instead of click-through EULAs will be something of a miracle.

  • AngelHedgie Registered User regular
    Darkewolfe wrote: »
    Sticks wrote: »
    They don't want it covered because that limits what they can do with the data and increases their liability in the event of a breach. Not to mention the costs of compliance.

    Not super surprising they don't want it covered, but I'm not overly sympathetic to their concerns.

    I can see a bit of their argument, though I agree with you.

    To them, it's basically, "I had this great idea, which I acted on, which I expect to be able to build a business on. But now regulation might make it unsustainable because suddenly I'm a medical device and not a cool tech gadget?"

    But it's more important to make sure that the personal data is safe, in the end.

    Which is an argument that only deserves mockery and scorn.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • AngelHedgie Registered User regular
    Congratulations, Stanford - I do hope the danegeld was worth pissing your integrity away.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • lazegamer The magnanimous cyberspace Registered User regular
    New round of declassified documents from a FOIA request by the ACLU regarding legal justification for domestic spying. John Yoo is the gift that keeps on giving.

    http://arstechnica.com/tech-policy/2014/09/new-docs-show-how-reagan-era-executive-order-unbounded-nsa/
    "We have known for quite some time that they have been using EO 12333 paragraph 2.3.C to collect approximately 80 percent of all US-to-US phone calls and Internet data, and that Fairview is the main program to do this," he told Ars on Monday.

    I would download a car.
  • AngelHedgie Registered User regular
    lazegamer wrote: »
    New round of declassified documents from a FOIA request by the ACLU regarding legal justification for domestic spying. John Yoo is the gift that keeps on giving.

    http://arstechnica.com/tech-policy/2014/09/new-docs-show-how-reagan-era-executive-order-unbounded-nsa/
    "We have known for quite some time that they have been using EO 12333 paragraph 2.3.C to collect approximately 80 percent of all US-to-US phone calls and Internet data, and that Fairview is the main program to do this," he told Ars on Monday.

    And there's another strike against Stanford's integrity (Yoo is a law professor there.)

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • Fencingsax It is difficult to get a man to understand, when his salary depends upon his not understanding. GNU Terry Pratchett Registered User regular
    lazegamer wrote: »
    New round of declassified documents from a FOIA request by the ACLU regarding legal justification for domestic spying. John Yoo is the gift that keeps on giving.

    http://arstechnica.com/tech-policy/2014/09/new-docs-show-how-reagan-era-executive-order-unbounded-nsa/
    "We have known for quite some time that they have been using EO 12333 paragraph 2.3.C to collect approximately 80 percent of all US-to-US phone calls and Internet data, and that Fairview is the main program to do this," he told Ars on Monday.

    And there's another strike against Stanford's integrity (Yoo is a law professor there.)

    Isn't that technically the same strike as last time?

  • Phyphor Building Planet Busters Tasting Fruit Registered User regular
    Well, it's technically not a strike at all because we all concluded the NSA is a happy fun time agency that wouldn't even be interested in spying on you anyway!

  • Phoenix-D Registered User regular
    edited October 2014
    For reference, the relevant text of the EO:
    2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:
    (c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;

    I don't quite see how intra-US traffic comes into play at all.

    I will grant them some of the jargon around collecting information - if you're tapping a cable that goes from Hawaii to CA in order to intercept communications going from Japan to Mexico (as a random example) you're probably going to get US traffic incidentally. The problem is them storing that traffic.

  • lazegamer The magnanimous cyberspace Registered User regular
    Phoenix-D wrote: »
    For reference, the relevant text of the EO:
    2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:
    (c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;

    I don't quite see how intra-US traffic comes into play at all.

    I will grant them some of the jargon around collecting information - if you're tapping a cable that goes from Hawaii to CA in order to intercept communications going from Japan to Mexico (as a random example) you're probably going to get US traffic incidentally. The problem is them storing that traffic.

    Because they put the taps in backbones all over the US (not just Hawaii or on the coasts). This is how they 'incidentally' receive the majority of domestic traffic.

    I would download a car.
  • nexuscrawler Registered User regular
    Darkewolfe wrote: »
    Sticks wrote: »
    They don't want it covered because that limits what they can do with the data and increases their liability in the event of a breach. Not to mention the costs of compliance.

    Not super surprising they don't want it covered, but I'm not overly sympathetic to their concerns.

    I can see a bit of their argument, though I agree with you.

    To them, it's basically, "I had this great idea, which I acted on, which I expect to be able to build a business on. But now regulation might make it unsustainable because suddenly I'm a medical device and not a cool tech gadget?"

    But it's more important to make sure that the personal data is safe, in the end.

    Personal data and HIPAA-protected data are very, very different things.

    The cost structure of maintaining a data center that's HIPAA compliant is completely different.

  • AngelHedgie Registered User regular
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I'll spare her name because Gawker has already parodied her enough), but she's someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car's whereabouts, so much so that I asked the driver if others could see my Uber location profile. "No," he replied, "that's not possible."

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • electricitylikesme Registered User regular
    AngelHedgie wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I'll spare her name because Gawker has already parodied her enough), but she's someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car's whereabouts, so much so that I asked the driver if others could see my Uber location profile. "No," he replied, "that's not possible."

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

  • AngelHedgie Registered User regular
    electricitylikesme wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I'll spare her name because Gawker has already parodied her enough), but she's someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car's whereabouts, so much so that I asked the driver if others could see my Uber location profile. "No," he replied, "that's not possible."

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • Polaritie Sleepy Registered User regular
    At least companies can't redefine words to mean their opposite in order to ignore rules. They aren't allowed to lie under oath, etc.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • AngelHedgie Registered User regular
    Polaritie wrote: »
    At least companies can't redefine words to mean their opposite in order to ignore rules. They aren't allowed to lie under oath, etc.

    ...you haven't been paying attention the past few years, have you?

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • zagdrob Registered User regular
    Polaritie wrote: »
    At least companies can't redefine words to mean their opposite in order to ignore rules. They aren't allowed to lie under oath, etc.

    You must not have heard of this thing called 'Binding Arbitration'.

  • Polaritie Sleepy Registered User regular
    Can't recall any instances of company execs blatantly lying to Congress and getting away with it, no. Evasion, non-answers, and meaningless statements that sound like they mean something but don't, sure. But nothing like "No we do not spy on Americans".

    No secret dictionaries whose definitions are totally the ones used in rules despite nobody having ever heard of them or being completely at odds with the actual meanings.

    Companies evade, mislead, deceive, and use every loophole they can. They lobby and corrupt. But they still technically follow the rules or they get fined.

    The NSA basically ignores the rules and gets away with it.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • AngelHedgie Registered User regular
    Polaritie wrote: »
    Can't recall any instances of company execs blatantly lying to Congress and getting away with it, no. Evasion, non-answers, and meaningless statements that sound like they mean something but don't, sure. But nothing like "No we do not spy on Americans".

    No secret dictionaries whose definitions are totally the ones used in rules despite nobody having ever heard of them or being completely at odds with the actual meanings.

    Companies evade, mislead, deceive, and use every loophole they can. They lobby and corrupt. But they still technically follow the rules or they get fined.

    The NSA basically ignores the rules and gets away with it.

    So no, you haven't been paying attention. Because businesses do all that, and a lot more brazenly. And they get away with it too. Do you know how newsworthy it is when a judge actually tells a major corporation that hey, you actually have to produce the legal paperwork that says that you own the mortgage (to give one example of many.)

    And when fines are a rounding error on profits, then they become meaningless.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • shryke Member of the Beast Registered User regular
    AngelHedgie wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I'll spare her name because Gawker has already parodied her enough), but she's someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car's whereabouts, so much so that I asked the driver if others could see my Uber location profile. "No," he replied, "that's not possible."

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    http://www.forbes.com/sites/ellenhuet/2014/09/30/uber-driver-hammer-attack-liability/
    Its terms of service, like those of Lyft, Sidecar, and similar sharing-economy startups like Airbnb, make it clear over and over again that they are not liable under any circumstances for bad things that might happen when you use the service.

    “YOU EXPRESSLY WAIVE AND RELEASE THE COMPANY FROM ANY AND ALL ANY LIABILITY, CLAIMS OR DAMAGES ARISING FROM OR IN ANY WAY RELATED TO THE THIRD PARTY TRANSPORTATION PROVIDER,” Uber’s terms of service say.

    Ride at your own risk of hammer attack, in other words.

    Holy shitballs.

    Fucking tech-revolution short-sighted idiocy. Companies trying to avoid all responsibility (all we do is link people up man!) and people not noticing.

  • AngelHedgie Registered User regular
    shryke wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I'll spare her name because Gawker has already parodied her enough), but she's someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car's whereabouts, so much so that I asked the driver if others could see my Uber location profile. "No," he replied, "that's not possible."

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    http://www.forbes.com/sites/ellenhuet/2014/09/30/uber-driver-hammer-attack-liability/
    Its terms of service, like those of Lyft, Sidecar, and similar sharing-economy startups like Airbnb, make it clear over and over again that they are not liable under any circumstances for bad things that might happen when you use the service.

    “YOU EXPRESSLY WAIVE AND RELEASE THE COMPANY FROM ANY AND ALL ANY LIABILITY, CLAIMS OR DAMAGES ARISING FROM OR IN ANY WAY RELATED TO THE THIRD PARTY TRANSPORTATION PROVIDER,” Uber’s terms of service say.

    Ride at your own risk of hammer attack, in other words.

    Holy shitballs.

    Fucking tech-revolution short-sighted idiocy. Companies trying to avoid all responsibility (all we do is link people up man!) and people not noticing.

    Oh, it gets better. Uber charges a $1 "Safe Ride Fee" surcharge.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • Schrodinger Registered User regular
    Polaritie wrote: »
    At least companies can't redefine words to mean their opposite in order to ignore rules. They aren't allowed to lie under oath, etc.

    You should talk to anyone who's ever had a health insurance company deny their claim and try to explain that to them.

  • Schrodinger Registered User regular
    shryke wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I'll spare her name because Gawker has already parodied her enough), but she's someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car's whereabouts, so much so that I asked the driver if others could see my Uber location profile. "No," he replied, "that's not possible."

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    http://www.forbes.com/sites/ellenhuet/2014/09/30/uber-driver-hammer-attack-liability/
    Its terms of service, like those of Lyft, Sidecar, and similar sharing-economy startups like Airbnb, make it clear over and over again that they are not liable under any circumstances for bad things that might happen when you use the service.

    “YOU EXPRESSLY WAIVE AND RELEASE THE COMPANY FROM ANY AND ALL ANY LIABILITY, CLAIMS OR DAMAGES ARISING FROM OR IN ANY WAY RELATED TO THE THIRD PARTY TRANSPORTATION PROVIDER,” Uber’s terms of service say.

    Ride at your own risk of hammer attack, in other words.

    Holy shitballs.

    Fucking tech-revolution short-sighted idiocy. Companies trying to avoid all responsibility (all we do is link people up man!) and people not noticing.

    Oh, it gets better. Uber charges a $1 "Safe Ride Fee" surcharge.

    That reminds me of how Papa John's charges $3.49, none of which goes to the driver.

    Which is crazy, because normally corporations are so honest.

Daedalus Registered User regular
    lazegamer wrote: »
    New round of declassified documents from a FOIA request by the ACLU regarding legal justification for domestic spying. John Yoo is the gift that keeps on giving.

    http://arstechnica.com/tech-policy/2014/09/new-docs-show-how-reagan-era-executive-order-unbounded-nsa/
    "We have known for quite some time that they have been using EO 12333 paragraph 2.3.C to collect approximately 80 percent of all US-to-US phone calls and Internet data, and that Fairview is the main program to do this," he told Ars on Monday.

    And there's another strike against Stanford's integrity (Yoo is a law professor there.)

    How could it be a strike against Stanford's integrity when you've been agreeing with John Yoo for this entire debate?

Schrodinger Registered User regular
    edited October 2014
    Polaritie wrote: »
    Can't recall any instances of company execs blatantly lying to congress and getting away with it, no.

    Probably because they never get called in the first place.
    But nothing like "No we do not spy on Americans".

    Except, you know, that's not what he said, and that's not what was asked.

    He was asked to give a yes or no answer to a question that was asking about all data collection in general, but framed in the context of dossiers.
    No secret dictionaries whose definitions are totally the ones used in rules despite nobody having ever heard of them or being completely at odds with the actual meanings.

    There are two ways to interpret the question that Clapper was asked:

    1) Does the NSA collect in any type of data collection of Americans, even something as harmless as a publicly listed phone directory?

    2) Does the NSA collect information in terms of having 1984 style tribunals read through all your data and compile a dossier as a summary?

    The answer to the first question is "Yes," but the question is completely pointless and meaningless. The answer to the second question is "No."

    So Clapper answered the second question. Which is the question that most people assumed he was answering. And it was obviously the question that was intended, or else the person asking it would have followed up with a "Wait, you don't collect in any data collection at all? Not even something as basic as a simple phone book?" At which point, Clapper would have been forced to clarify what he meant.

    You don't get to reinterpret the question to refer to a specific agency program after the fact. If you ask a question in the context of dossiers, you don't get to accuse Clapper of being a liar because his question would be dishonest in the context of bulk metadata.
    The NSA basically ignores the rules and gets away with it.

    No more so than any other industry.

Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    Our Government oversight is a damn sight better than our corporate oversight.

Veevee, Wisconsin, Registered User regular
    shryke wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I’ll spare her name because Gawker has already parodied her enough), but she’s someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car’s whereabouts, so much so that I asked the driver if others could see my Uber location profile? “No,” he replied, “that’s not possible.”

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    http://www.forbes.com/sites/ellenhuet/2014/09/30/uber-driver-hammer-attack-liability/
    Its terms of service, like those of Lyft, Sidecar, and similar sharing-economy startups like Airbnb, make it clear over and over again that they are not liable under any circumstances for bad things that might happen when you use the service.

    “YOU EXPRESSLY WAIVE AND RELEASE THE COMPANY FROM ANY AND ALL ANY LIABILITY, CLAIMS OR DAMAGES ARISING FROM OR IN ANY WAY RELATED TO THE THIRD PARTY TRANSPORTATION PROVIDER,” Uber’s terms of service say.

    Ride at your own risk of hammer attack, in other words.

    Holy shitballs.

    Fucking tech-revolution short-sighted idiocy. Companies trying to avoid all responsibility (all we do is link people up man!) and people not noticing.

    And Uber is going to settle out of court for a large, undisclosed amount of money so these TOS are never challenged to test their actual legality.

lazegamer, The magnanimous cyberspace, Registered User regular
    edited October 2014
    He was asked to give a yes or no answer to a question that was asking about all data collection in general, but framed in the context of dossiers.

    [...]

    There are two ways to interpret the question that Clapper was asked:

    1) Does the NSA collect in any type of data collection of Americans, even something as harmless as a publicly listed phone directory?

    2) Does the NSA collect information in terms of having 1984 style tribunals read through all your data and compile a dossier as a summary?

    The answer to the first question is "Yes," but the question is completely pointless and meaningless. The answer to the second question is "No."

    So Clapper answered the second question. Which is the question that most people assumed him was answering. And it was obviously the question that was intended, or else the person asking it would have followed up with a "Wait, you don't collect in any data collection at all? Not even something as basic as a simple phone book?" At which point, Clapper would have been forced to clarify what he meant.

    No, the question was absolutely not "Does the NSA collect information in terms of having 1984 style tribunals read through all your data and compile a dossier as a summary?". While Wyden may have said the word 'dossier', actually listening to the question it's clear that he changed the question AWAY from being some outdated notion of dossiers, and rather whether or not the NSA collects non-public information on US citizens.

    Can skip ahead to the 6 minute mark:

    http://www.youtube.com/watch?v=QwiUVUJmGjs&t=6m

    He immediately has to back up his 'no' answer and play games with the word 'wittingly'. Because, in reality, the NSA is collecting reams of real data on US citizens 'incidentally' through their upstream programs.

    edit:

    Clapper's characterization of his answer was:
    “What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails,” he’s quoted as saying. “I stand by that.”

shryke, Member of the Beast, Registered User regular
    lazegamer wrote: »
    He immediately has to back up his 'no' answer and play games with the word 'wittingly'. Because, in reality, the NSA is collecting reams of real data on US citizens 'incidentally' through their upstream programs.

    It is incidentally though. Like, the way upstream works is that you grab a large data line and just copy all the data off it. Because that's the only way to read something like that. Because you can't distinguish the data you want from the data you don't without looking at all of it.

    Clapper's characterization of his answer was:
    “What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails,” he’s quoted as saying. “I stand by that.”

    Yeah, I take it he believed or chose to believe the question was did they do this deliberately.

Julius, Captain of Serenity on my ship, Registered User regular
    shryke wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I’ll spare her name because Gawker has already parodied her enough), but she’s someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car’s whereabouts, so much so that I asked the driver if others could see my Uber location profile? “No,” he replied, “that’s not possible.”

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    http://www.forbes.com/sites/ellenhuet/2014/09/30/uber-driver-hammer-attack-liability/
    Its terms of service, like those of Lyft, Sidecar, and similar sharing-economy startups like Airbnb, make it clear over and over again that they are not liable under any circumstances for bad things that might happen when you use the service.

    “YOU EXPRESSLY WAIVE AND RELEASE THE COMPANY FROM ANY AND ALL ANY LIABILITY, CLAIMS OR DAMAGES ARISING FROM OR IN ANY WAY RELATED TO THE THIRD PARTY TRANSPORTATION PROVIDER,” Uber’s terms of service say.

    Ride at your own risk of hammer attack, in other words.

    Holy shitballs.

    Fucking tech-revolution short-sighted idiocy. Companies trying to avoid all responsibility (all we do is link people up man!) and people not noticing.

    Yeah, the more I hear about Uber the more I feel they represent the worst of that silicon-valley-break-the-rules shit.

Schrodinger Registered User regular
    lazegamer wrote: »
    He was asked to give a yes or no answer to a question that was asking about all data collection in general, but framed in the context of dossiers.

    [...]

    There are two ways to interpret the question that Clapper was asked:

    1) Does the NSA collect in any type of data collection of Americans, even something as harmless as a publicly listed phone directory?

    2) Does the NSA collect information in terms of having 1984 style tribunals read through all your data and compile a dossier as a summary?

    The answer to the first question is "Yes," but the question is completely pointless and meaningless. The answer to the second question is "No."

    So Clapper answered the second question. Which is the question that most people assumed him was answering. And it was obviously the question that was intended, or else the person asking it would have followed up with a "Wait, you don't collect in any data collection at all? Not even something as basic as a simple phone book?" At which point, Clapper would have been forced to clarify what he meant.

    No, the question was absolutely not "Does the NSA collect information in terms of having 1984 style tribunals read through all your data and compile a dossier as a summary?". While Wyden may have said the word 'dossier', actually listening to the question it's clear that he changed the question AWAY from being some outdated notion of dossiers, and rather whether or not the NSA collects non-public information on US citizens.

    1) If that were the case, then why no followup or attempt to clarify what he meant?

    2) If that were the case, then what was the point of the question, if it wasn't to make people think that Clapper was responding to dossiers?

    Here's the problem:

    “The reason I’m asking the question is, having served on the committee now for a dozen years, I don’t really know what a dossier is in this context. So what I wanted to see is if you could give me a yes or no answer to the question, does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”

    If Wyden doesn't know what a dossier is in this context, then the appropriate question would be, "Could you please explain what would and wouldn't qualify as a dossier under NSA guidelines?"

    By making it sound like the meaning of dossier is unclear, Wyden is trying to make it so that people assume that the term is ambiguous. If he doesn't know what a dossier is, despite being on the committee for many years, then why bring it up in the first place?

    Or, here's another example: "Mr. Clapper, let's assume a hypothetical form of data collection X. Simple yes or no: Does the NSA engage in X? And if so, then why does X not fall under dossier collection?"

    Why doesn't Wyden ask about specific data collection, rather than any data collection in general?

    Like if a cop pulls me over and asks if I have any weapons in the car, the implication is tools specifically designed to inflict harm on others, such as a firearm. He's not going to ask a stupid question like "Have you ever had anything in your car that could potentially be used as a weapon?", because that's not a useful question, and it could literally apply to anything.
    Clapper's characterization of his answer was:
    “What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails,” he’s quoted as saying. “I stand by that.”

    Right. Because that's what dossier collection implies, and that's what Snowden led everyone to believe that Clapper was doing ("I was authorized to read the president's e-mail without a warrant!").

    So basically you're blaming Clapper for interpreting the question the same way most of America interpreted the question.

lazegamer, The magnanimous cyberspace, Registered User regular
    shryke wrote: »
    lazegamer wrote: »
    He immediately has to back up his 'no' answer and play games with the word 'wittingly'. Because, in reality, the NSA is collecting reams of real data on US citizens 'incidentally' through their upstream programs.

    It is incidentally though. Like, the way upstream works is that you grab a large data line and just copy all the data off it. Because that's the only way to read something like that. Because you can't distinguish the data you want from the data you don't without looking at all of it.

    I disagree that it's necessary for the government to have unfettered access to the line. By the spirit of the law, the backbone owners should be asked to provide filtered access, with a FISA warrant specifying a narrow set of addresses for a foreign intelligence target.

AngelHedgie Registered User regular
    More details on the Uber party trick fiasco.
    Some people get so bent out of shape over nothing. I see the potential for misuse but it’s not like they were going to release the information.

    That is a quote from one of the attendees, which really illustrates the core problem here. Also creepy is Uber's "Rides of Glory" data analysis, where they look at usage statistics to determine how many riders are using the service to get laid.

chocobolicious Registered User regular
    lazegamer wrote: »
    shryke wrote: »
    lazegamer wrote: »
    He immediately has to back up his 'no' answer and play games with the word 'wittingly'. Because, in reality, the NSA is collecting reams of real data on US citizens 'incidentally' through their upstream programs.

    It is incidentally though. Like, the way upstream works is that you grab a large data line and just copy all the data off it. Because that's the only way to read something like that. Because you can't distinguish the data you want from the data you don't without looking at all of it.

    I disagree that it's necessary for the government to have unfettered access to the line. By the spirit of the law, the backbone owners should be asked to provide filtered access, with a FISA warrant specifying a narrow set of addresses for a foreign intelligence target.

    You know this isn't how you actually do data collection, right?

    I mean this isn't CSI, they don't just plug in an IP and basically hack some dudes Gibson.

    The best way is making a generalized net for certain types of data, encryption types or similar and just pull everything as it passes through. Or TOR would literally foil everything ever.

zagdrob Registered User regular
    Julius wrote: »
    shryke wrote: »
    And in corporate data abuse, Uber uses a customer's real time location data for a party trick:
    Then, a funny thing happened. One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I’ll spare her name because Gawker has already parodied her enough), but she’s someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car’s whereabouts, so much so that I asked the driver if others could see my Uber location profile? “No,” he replied, “that’s not possible.”

    At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

    Wow.

    What idiot looked at that proposal and thought "yep, this will in no way seem creepy as fuck".

    They've gone ahead and pretty much violated the main principle which I believe underpins whether surveillance stretches into overreach: disclosure, and broadcasting.

    At this point, Uber is the poster child for why regulations exist (the rider who got literally hammered by an Uber driver being the latest incident there.) But this illustrates why I am more concerned with private data gathering than I am with the government - it's more pervasive, and it's handled a lot more cavalierly.

    http://www.forbes.com/sites/ellenhuet/2014/09/30/uber-driver-hammer-attack-liability/
    Its terms of service, like those of Lyft, Sidecar, and similar sharing-economy startups like Airbnb, make it clear over and over again that they are not liable under any circumstances for bad things that might happen when you use the service.

    “YOU EXPRESSLY WAIVE AND RELEASE THE COMPANY FROM ANY AND ALL ANY LIABILITY, CLAIMS OR DAMAGES ARISING FROM OR IN ANY WAY RELATED TO THE THIRD PARTY TRANSPORTATION PROVIDER,” Uber’s terms of service say.

    Ride at your own risk of hammer attack, in other words.

    Holy shitballs.

    Fucking tech-revolution short-sighted idiocy. Companies trying to avoid all responsibility (all we do is link people up man!) and people not noticing.

    Yeah, the more I hear about Uber the more I feel they represent the worst of that silicon-valley-break-the-rules shit.

    I dunno, I'd say in that race to the bottom AirBNB narrowly edges out Uber for the turd shaped medal.

    But yeah, I'd definitely say that there is a hell of a lot more oversight on the US Government than there is on private corporations, people who violate the law are far more likely to be punished - and harshly - when they work for the government, and when there are violations they are far less likely to be swept under the rug with out-of-court settlements protected by an NDA.

    Not to mention that, in theory and in practice, there are far more controls and compliance in the government protecting personal information than in private companies. Could you imagine if the IRS started randomly calling people for shits and giggles about their tax returns? Or hell, NSA analysts calling about the affairs or sexting?
