[nl]

All of the major tech companies have been on board for a long time (and that was years ago).

I have read the Snowden leaks.

This is one of those times when details matter, and in those details you are wrong.

I wrote this previously[1] about Apple, but it applies here too:

The problem is that PRISM has conflated two separate things, and it is unclear how much of that conflation occurred at the NSA and how much outside.

Apple was (and is) compliant in the "release customer details with a court order" thing, which it seems is part of the PRISM data.

However, there was a second part, where the NSA got bulk access to communications without a court order. It is unclear which companies were complicit in this part. We know Google wasn't (because the NSA slide decks show how they had to intercept Google's inter and intra-data center links which were unencrypted at the time - and Google undertook a crash program to fix that).

Apple's statements are pretty clear: they say they only release information with a court order. That means they weren't complicit in bulk collection - but they may have been hacked at the time like Google was.

[1] https://news.ycombinator.com/item?id=13517740

[Pyxl101]

Yes, this is a crucial distinction and matches my understanding from what I've read of these public documents: PRISM is a program in which the NSA intercepted Internet and other communications, and then reconstructed the meaning of those communications at a higher level -- that is, interpreting HTTP requests to Google as searches, email views, and whatever else.

I did not see any evidence in the leaked documentation nor the reporting on those primary sources that the companies involved were complicit. If this evidence exists I would be very interested to know, but from Google's actions subsequent to the leaks it did not seem they agreed with the program or were complying with it, and instead took actions to oppose the program by encrypting their communications links internally, and indirectly by advocating encryption in public Internet protocols such as HTTP and SMTP.

[nym]

I was under the impression that Google gave bulk access to the NSA, and the NSA wiretapped them regardless. I don't have a source to substantiate that claim though.

[candiodari]

It doesn't even matter at all.

The US demands - through law - that any company, US and doing business in the US, give access to all it's user data upon simple subpaena by a secret court without notification to anyone, in a situation that can last for years. They're not even allowed to let you delete your data. There is no justification needed and most users are never informed this has happened, not even in the future. If you're a US citizen the time limit is measured in years (and can be extended by said secret court), if you're not a US citizen (or merely suspected not to be one), there is no time limit.

Doing "just" this to their users is what is understood in this discussion under the misnomer "not cooperating" with US spying. One can only assume that the OP has a funny sense of humor.

Given that this is noncooperation, why are we discussing who is cooperating and who is not ? This is WAY over the line, and of course means that no foreign company of any size should trust ANY US company with any amount of data.

And, frankly, it means that given the slightest disagreement in court, you should assume that all your data is public. Famously this facebook/instagram/whatsapp private messages in divorce cases, but not just that. Outlook messages of non-US citizens being picked apart by competitors because of a small non-payment vs non-delivery civil case in a non-US court has happened.

Note that the US government is famous for exploiting private sector relationships for spying and the reverse (exploiting government spying to give advantages to favored US companies).

So you should assume the worst and immediately implement basic security mechanisms (that are standard procedure at most companies now):

1) anything sent to you for any reason gets automatically deleted, especially email, unless specifically and individually prevented

2) any backup system is encrypted and the keys are subject to (1).

3) NOTHING can be put on any cloud system, for any reason without (1) implemented, and you should refuse to cooperate with external parties that insist on such a system.]

4) more strict measures are needed for director level and upward (note: legal definition of director, not just because it's used in company directories). Protocols negotiated beforehand dictate what can only be discussed over secure channels. First item on that list: anything related to any one specific employee.

[nl]

Access to a single user's data is different in degree and effect to bulk collection.

I can't defend the secret courts or how long the secrecy lasts though.

[nl]

I've never seen any evidence that in any leaked papers and Google has very strongly denied it.