[photochemsyn]

Snowden made a mistake in not dumping the whole archive to Wikileaks as was done with the US State Department cables and the CIA's Vault 7 files.

I think there's probably a lot more in those files that's of great embarrassment not just to the NSA and the US government in general (such as proof that it was conducting an illegal warrantless mass surveillance program in violation of US law) - but also to their collaborators in the private tech sector who seem to have been quite active participants in the program.

For example, one of the most revealing revelations was that NSA spied on the Brazilian oil company Petrobras - which is very hard to justify on national security grounds, and instead points to industrial espionage of the kind the NSA claims it doesn't engage in (as compared to China, etc.).

https://www.reuters.com/article/us-usa-security-snowden-petr...

[schoen]

> which is very hard to justify on national security grounds

I think the people doing this have a completely different notion of national security than the general public, one that includes a supposed right to know about surprises in general and big events in general, not just about bad guys plotting to attack you. For example, they might believe that details of economic activity, prices, religious movements, relationships among foreign politicians, epidemics, boycott and antiboycott campaigns, etc., are matters of national security in the sense that they could eventually develop into things that would affect a society negatively, or that could tend to increase or decrease the power of a state.

In maintaining the idea of privacy, we have to also maintain that others have to accept surprises and uncertainty. I don't know my neighbors' religious views, I don't know what oatmilk will cost next week at the supermarket, I didn't know when my former coworkers started trying to organize a union, I don't know if anyone has a crush on me. But all that information exists somewhere in computer systems. I accept that I have no right to it, but it seems incredibly hard to get governments to think the same way.

When Glenn Greenwald first talked about how spying on Petrobras wasn't a matter of U.S. national security, I thought that was obviously right. Petrobras isn't going to attack the U.S., it doesn't have any means of attacking the U.S., and it doesn't have any obligation to sell or not sell oil to the U.S. or any other country at any particular price. But now I think that it's not just like "the NSA must plan to help the Texas oil industry" or "the NSA must plan to help the Saudi oil industry" or something; it's more like "they don't accept that they should have to contend with surprises and uncertainty".

To be clear, I think that spying on Petrobras is wrong and I wish that Petrobras had a remedy for it. And I think disclosing that it happens is right, but it doesn't seem to have led to the kind of discussion or debate that Greenwald seemed to hope for.

Edit: The comment at https://news.ycombinator.com/item?id=38181265 had a more concise take on this point.

> If no amount of risk is acceptable, then any amount of surveillance is justified. To have a free society some level of risk must be accepted.

(But in this context we're not just talking about risks of violent attacks, but really risks of anything disruptive.)

Edit 2: The U.S. in particular is powerful enough to enforce economic sanctions which are themselves justified on national security grounds, so then there's also the sanctions enforcement part like figuring out whether Petrobras is working with the Iranian oil industry or whatever. Most countries probably wouldn't even expect to be able to do anything about that, although they might want to exert diplomatic pressure like "please stop trading with our enemy, from whom we concretely fear a physical attack".

[riversflow]

Huh. I completely agree with this justification for spying, to the point I would be upset if they weren’t spying in this way. To me spy craft is where personal ethics become less important than realpolitik. The most powerful country in the world should have an inside track on whats going on in important markets, by hook or by crook. That’s the governments job.

On what grounds does Petrobras have any right to privacy from the USG?

[schoen]

Huh, I have a radically different intuition from you. :-) I think "personal ethics" applies to everything and everyone in the world. The people who do things are moral agents.

> On what grounds does Petrobras have any right to privacy from the USG?

Among other things, their confidentiality is protected by Brazilian law. If hackers break that law, Petrobras should be entitled to a remedy against them, just like Americans should be entitled to a remedy against Russian hackers, whether they intend to steal money or private information.

As far as I know, all governments harbor criminals in this sense, but I think they should be incentivized to do so much less, including by pointing out that the espionage is a crime and not glamorizing it (or being upset with governments for not doing it!).

[riversflow]

This just seems incredibly idealistic to me.

Brazilian law isn't US law, if Brazil wants to it can try and arrest spies I guess. That's all there is to it.

> I think "personal ethics" applies to everything and everyone in the world.

I think that spies have the moral agency to gather and report information in order to better promote the welfare of their countrymen.

> I think they should be incentivized to do so much less

How? That's an impossible task in my book, and the main reason I think that spies are ethically just is because it's the nature of the beast. If you figure out a good way to do this, might I suggest focusing your efforts on de-militarization instead of de-espionage? The people with bombs and tanks are the one's who do the most damage.

[feoren]

Please see my sibling comment to yours for three reasons why this is a terrible justification for spying.

> The most powerful country in the world should have an inside track on whats going on in important markets, by hook or by crook

We can get a pretty good idea of what's going on in important markets with publicly available information. Why is this the job of a spy agency and not its economics departments? I would like the U.S. to have a strong understanding of upcoming weather patterns, but that doesn't mean we ask the CIA to spy on everyone who's using aerosol sprays.

[riversflow]

> We can get a pretty good idea of what's going on in important markets with publicly available information.

How can you possibly know that, are you claiming to be privy to the forecasts generated by the information gathered by US spies? Further, as stated later, spying is the status quo, if spying stopped wholesale wouldn't keeping information private be significantly more valuable?

> Reason 1 . . . literally any spying could be justified this way.

I don't give a solitary care about the spying a foreign government does. Why should I? They don't have jurisdiction over me. I care about what it does with that intel, but that is completely separate, which gets us to your Reason 2.

> Essentially anything that's outside of the status quo is suddenly classified as a risk. Basically our spy agencies' jobs become protecting the entrenched interests of those already in power

No, that isn't the job of spies, they gather intelligence. You are confusing other government actions with spying.

> Reason 3

Again, do you have some sort of inside track on the DoD(or some other 3 letters)? You have concocted a hypothetical about a Joe Shmoe, being caught in a dragnet filter. Is that actually a real problem? Or just a hypothetical about where this slippery slope goes.

Overall I think the burden of proof is on the group who wants to go against the status quo; nations constantly spy on one another. Justify why we shouldn't spy, rather than pointing out it's pitfalls.

[schoen]

> I don't give a solitary care about the spying a foreign government does. Why should I? They don't have jurisdiction over me. I care about what it does with that intel, but that is completely separate, which gets us to your Reason 2.

In the "realpolitik" environment you mentioned, when you lose control of your private information, you lose control of what's done with that information. That's is a good reason to care about protecting information and not regard this as "completely separate".

An example that people mention a lot in the domestic context is that laws and governments can change, so that information that was innocuous before could be sensitive in the future.

Someone doesn't need to have jurisdiction over you in order to harm you with your secrets. They could taunt you about them, they could blackmail you with them, they could use them to compete with or undermine your business, they could pass them to your government as a tip, they could reveal them to your political opponents...

You might say that this is all Reason 2 and not Reason 1 material, but if a government has unauthorized access to secret information of its choice, it's going to be hard to control or predict how it may use that information against your interests later. But, you might say, I also can't actually control whether they get unauthorized access to my secrets, so I just have no power over them at all, so why even talk about it?

Well, I'd say that lots of people who read HN have practical opportunities in their careers to engage in espionage or not, to make it harder or easier, to expose it or not, and so on. Governments are going to ask some people reading this thread to do them favors. They can't necessarily guarantee the safety of their own information, but they can significantly affect the safety of other people's information. It matters whether they think that's desirable or not!

[riversflow]

> Governments are going to ask some people reading this thread to do them favors.

I mean, my expectation is that those are the kind of offers you can’t refuse.

Why do you not find information asymmetry completely harmful?

[feoren]

> Overall I think the burden of proof is on the group who wants to go against the status quo

That attitude definitely benefits those who like the status quo. I think the "burden of proof", if such a thing exists, is on the position with the least prior evidence. That something is the status quo is pretty weak evidence in its favor; I can point to many instances in human history where the status quo was pretty awful.

> if spying stopped wholesale

Strawman. I never said spying should be "stopped wholesale". Never anything even remotely close to that, in fact. I'm not responsible for defending a position you completely fabricated.

> I don't give a solitary care about the spying a foreign government does ... I care about what it does with that intel, but that is completely separate

I don't believe the gathering of intelligence is "completely separate" from acting on that intel. I don't believe the accumulation of guns and ammunition is "completely separate" from the act of using those guns. I don't believe the enrichment of weapons-grade uranium is "completely separate" from building an atomic bomb. I don't believe building an atomic bomb is "completely separate" from using it.

> No, that isn't the job of spies, they gather intelligence. You are confusing other government actions with spying.

"Spies don't kill people, bullets kill people. Actually, bullets don't kill people, a rapid transfer of momentum from the bullet to the human body kills people. Actually, momentum doesn't kill people, a rapid loss of blood from the resulting tissue damage kills people. You are confusing human physiology with spying." Right: nobody is ever responsible for anything.

> You have concocted a hypothetical about a Joe Shmoe, being caught in a dragnet filter. Is that actually a real problem? Or just a hypothetical about where this slippery slope goes.

https://en.wikipedia.org/wiki/Extraordinary_rendition#Histor...

You don't need a security clearance to know of many instances of this happening.

[riversflow]

Bullets don’t kill people, the guy pulling the trigger on the gun does. Spies don’t pull the trigger.

I believe literally all those things you don’t believe about having something being completely separate from using it. A car can kill people just as easily as a gun. So what? It’s who used the object who is responsible for what it does and owning something doesn’t necessarily imply using it or even imply it at all.

How do you justify that point of view? I really don’t get that perspective.

I can’t say for certain, but I doubt extraordinary rendition is only using "terrorist-detector model” and not relying on analysts/tips. Also worth noting is that it seems like it hasn’t happened in ~20 years, and was a product of 9/11 fervor.

Let me put it another way. Why should the powerful countries take weaker ones at their word and not employ fact checkers? Nations are only really beholden to their constituents and greater powers. Why would any country tell a major power who wasn’t spying the truth?

[schoen]

> Strawman. I never said spying should be "stopped wholesale". Never anything even remotely close to that, in fact. I'm not responsible for defending a position you completely fabricated.

I think this is more in response to me than to you; one might correctly infer from my posts here that I think that a significant majority of espionage activity is morally wrong and should be stopped.

That's just a perennial difficulty in having a multi-way conversation.

[kwhitefoot]

Presumably the same grounds that the US DoE has a right privacy, a right not to be spied on by Brazil.

[riversflow]

I don't contend that the DoE or any other agency has a right to privacy from Brazil. Spy craft is just a part of international politics, turnabout is fair play.

[schoen]

Do you think it's bad if the U.S. prosecutes Brazilian spies who spy on U.S. organizations? Shouldn't we care whether the things that the justice system is punishing people for are things that are actually good or bad? (I mean, I guess your intuition probably says "no, not really"!)

I think if it's wrong we shouldn't do it (because we shouldn't do things that are wrong), and if it's not wrong we shouldn't punish other people for doing it (because we shouldn't punish people for doing things that are not wrong). Yes, this is exactly attempting to apply personal morality to the "international system". Which is made up of people who make conscious decisions about how to behave toward other people.

[riversflow]

> this is exactly attempting to apply personal morality to the "international system"

I can do that. Nobody should lie, it's wrong. So, as long as every nation stops lying, they can stop spying too. Easy Peasy.

> Shouldn't we care whether the things that the justice system is punishing people for are things that are actually good or bad?

Absolutely. Which is why usually friendly-nation spies don't seem to get in trouble. Take a look at this list, https://en.wikipedia.org/wiki/List_of_imprisoned_spies

I think lying/misrepresenting is bad and very harmful, however I also think it is human nature, and spying helps to alleviate that information asymmetry.

[hatboat]

"Sorry, I didn't pick the game - it is what it is" said LeBron to Neymar as they lined up for some one-on-one.

[saalweachter]

Do organizations and governments have rights?

[schoen]

They have legal rights under the jurisdictions where they're established, and presumably the people working for them also retain their individual human rights.

[feoren]

(Arguing with the point you present, not against you, since it seems like you mostly disagree with it too.)

Reason 1 to reject spying for this reason: literally any spying could be justified this way. Every butterfly's wing flap could theoretically contribute to a "national security risk". In line with that great quote that "If no amount of risk is acceptable, then any amount of surveillance is justified." There's no way to use this logic to ever argue that you shouldn't spy on someone.

Reason 2 to reject this: when we start broadening the scope of "national security risk" to include things like "economic disruption", then essentially anything that's outside of the status quo is suddenly classified as a risk. Basically our spy agencies' jobs become protecting the entrenched interests of those already in power. A technological breakthrough in battery tech has a big potential for "economic disruption"; is that a national security risk? What if it's invented in Iran? Would the U.S. sabotage the (hypothetical) "Iranian national energy laboratory" if it were on the cusp of a revolutionary technology that could weaken the U.S.'s economic position?

Reason 3 to reject this: we get it wrong. If the CIA's "terrorist detector" says Joe Schmoe has a 99% chance of becoming an active terrorist, based on his religion, political views, age, recent Google searches, facial hair, income, and gait, what is the actual probability of him becoming an active terrorist? The standard "Bayesian false-positive" puzzle applies here: the base-rate of humans committing actual terrorist acts is extremely low. Even if the CIA's terrorist-detector model is 10x better than OpenAI's wet dreams, there's no way it's more than 99% accurate. With a base rate of something like 10^-6, we're looking at a roughly 0.01% chance that Joe is actually a terrorist, given a very accurate model giving a 99% positive result. Do we think the person making the decision about whether to make Joe disappear is aware of these subtle nuances in Bayesian statistics? Even if he did, he also knows that if Joe did go on to bomb an office building, there might be a headline soon that "the CIA's own model said Joe Schmoe had a 99% chance of being a terrorist and DID NOTHING!!" So of course Joe disappears forever, based on a futurecrime, because he Googled the wrong thing at the wrong time in his life with the wrong skin color and facial hair.

Put all these reasons together and you can get some really questionable behavior from these agencies, and that's even assuming it's all done with the legitimate good intention of protecting the U.S.

[schoen]

> There's no way to use this logic to ever argue that you shouldn't spy on someone.

This reminds me of a talk by Halvor Flake in which he says that people in intelligence agencies are incentivized to try to know everything, in order to minimize the chance of being surprised by anything.

> A technological breakthrough in battery tech has a big potential for "economic disruption"; is that a national security risk?

I think it's kind of an abuse of language to call it that, but I wouldn't be surprised if many people intuitively thought that yes, this should count as a national security risk.

> The standard "Bayesian false-positive" puzzle applies here: the base-rate of humans committing actual terrorist acts is extremely low. [...] Do we think the person making the decision about whether to make Joe disappear is aware of these subtle nuances in Bayesian statistics?

I think that people at, say, the CIA are somewhat aware of them because they have a notion of confidence levels of assessments, and they're also used to the idea that they have a lot of noise to deal with. Like when they were trying to find Osama bin Laden's house, they presumably had many many many many ideas of places that could potentially be his house for some reason, but then they actively tried to disprove those hypotheses (like scientists!).

They will also literally say that they assess certain things with low confidence. I don't know if some of the analysts writing that maybe actually have an explicit Bayesian probability and are mapping that into particular ranges...?

On the other hand, I think that military personnel in, say, the initial U.S. occupation of Afghanistan did not have this perspective and were happy to detain people for minimal and highly speculative reasons. (Also, I guess the base rate of people in Afghanistan during the war who were violently opposed to the U.S. was much higher than the usual base rate worldwide.) They got a number of tragic false positives which led to enormous injustices.

I think part of what you're getting at here is that governments' power when acting to actually influence the world is, well, a matter of life and death. So things like the base rate fallacy are just as big a deal there as they are in cancer treatment, or, if you believe there's a relevant moral asymmetry between killing and letting die, an even bigger deal. Also, lots of kinds of agents of lots of governments are rarely ever very accountable for their decisions or decisionmaking processes.

I think this is kind of an argument against surveillance and espionage (you can think of the scene in Good Will Hunting where the main character says he doesn't want to work for a spy agency because he can vividly imagine a false positive scenario in which a foreigner gets killed because of his work), but I think overall it's much more an argument for more transparency and accountability in uses of force. Like, you don't want to give lots of information to the CIA if they're violent maniacs because they might use that information recklessly. But while giving them that information might also be highly questionable on moral and legal and political grounds, it seems like the biggest problem in the scenario is if the CIA is composed of violent maniacs, or if it's incentivized to cultivate rather than restrain people's tendencies to violent maniacal behavior.

As an analogy about the base rate argument, people have argued that it could be beneficial for people's health to perform fewer tests, in cases where false positives often lead to wasteful or dangerous medical interventions. But if there's nothing bad about the tests themselves, theoretically it would make more sense to give doctors more information rather than less, while trying to improve their decisionmaking.

[feoren]

Great points in general, but two things:

> you don't want to give lots of information to the CIA if they're violent maniacs because they might use that information recklessly ... the biggest problem in the scenario is if the CIA is composed of violent maniacs, or if it's incentivized to cultivate rather than restrain people's tendencies to violent maniacal behavior.

The problem is that the system can act like a violent maniac without any individual human being one. Each person running a model, typing into Excel, making just a small decision, can add up to enormous injustices. Similar to how an experiment that just tries to collect all the data can be much more vulnerable to p-hacking and researcher bias, even with well-intentioned researchers who would never dream of intentionally faking or fabricating data.

> As an analogy about the base rate argument, people have argued that it could be beneficial for people's health to perform fewer tests

And I think a similar argument could be made to show that, in the face of flawed models (possibly much more flawed than diagnostic tests), it may be beneficial for the country if spy agencies actually had less information. I think this is why I included "gait" as one of my features that identified my theoretical terrorist. Maybe it's a useful feature, maybe not. Maybe he injured his foot yesterday, causing him to walk like someone who's planning a bombing. To make it really obvious, how would you feel if you found out the CIA was using Zodiac signs as one of the features of its terrorist-detector model? I'm sure it's not literally doing that, but I'm less sure it's not using features that are just as spurious.

[schoen]

I think this is all fair, but it's really so hard to know.

Even this idealized scenario about the terrorism-detector and taking action based on it... well, it's one that came up a lot around the post-9/11 environment (with selectees and the no-fly list [the rare case where people could actually experience the government making an adverse determination against them on classified grounds and get even the one bit of information] and the Guantanamo detainees and the drone kill lists).

However, the task of deciding if person X is a good guy or a bad guy, or trying to make a list of the bad guys within some population, is a very small part of what the intelligence community does. And that's partly because of the super-expansive notion of national security that we've been talking about, where so many parts of the government feel that it's their business to know everything that's going on in the world, largely without even thinking about the "who is a terrorist" question at all. As we discussed elsewhere in the thread, the government does not think that Petrobras is a terrorist. But somehow it thinks that it should know what Petrobras is going to do in the future, including "by hook or by crook".

I guess there are really at least two threads in the conversation, one of them being the inherent morality of surveillance and espionage activities, and another being "given how (one might think, but probably doesn't actually know) a government makes choices about the use of force, is it a good idea for that government to have access to more and more information?".

I think one of riversflow's points in reply to you was basically that, if a government doesn't make choices about the use of force in a good way, that's already a problem, which is not clearly improved by reducing the government's access to information, although you're also right that it could be. (And I've seen Bayesian arguments about that before, including a Bayesian justification for some legal standards involving in the rights of criminal defendants.) But overall, if we know so little about how those decisions are made at all, it will be hard to be very confident about whether more or less information would be likely to make them better or worse!

[fyokdrigd]

> To be clear, I think that spying on Petrobras is wrong and I wish that Petrobras had a remedy for it.

sorry to break it to you, but the answer was too succumb to a full blow 60s style coup which remove the president who autored the Reuters article above.

she was ousted by the senate, the right wing vice who was there for "governability" signed rights to new oil reserves to texaco on his first week in power and then brazil got an election that was free for all (main candidate jailed on bogus claims, candidate working with steve banon leading, etc)

[schoen]

> sorry to break it to you, but the answer was too succumb to a full blow 60s style coup which remove the president who autored the Reuters article above.

I know lots of people in Brazil who wrote publicly all the time about how they didn't agree with Dilma's impeachment (and thought it was legally improper) and didn't agree with her successors. They all managed to avoid torture or disappearance or the knock on the door in the middle of the night.

If the impeachment and its aftermath were a coup, they were definitely not a "60s style coup".

[mbakke]

They were also tapping the private network links of the Norwegian oil company Equinor (formerly Statoil) according to the original leaks.

It's kind of odd that neither of these oil giants have put pressure on the U.S. government as a result. They are about the only "victims" big enough to pursue the case legally.

I suspect a Supreme Court case is just about the only thing that can bring some of the remaining documents to light. Anyone with access today is almost certainly under some gag order.

[OfSanguineFire]

That the NSA engages in industrial espionage on behalf of US industry has been known since the European Parliament’s ECHELON report in 2000. There it was a matter of spying on Airbus, the major competitor of Boeing. But considering that that report made few waves outside of the nerd community (cypherpunks, readers of John Young’s Cryptome site and Slashdot, etc.), and was soon forgotten, I don’t think dumping the whole Snowden archive would trigger the large-scale controversy that you might hope for.

[2OEH8eoCRo0]

Why is it a mistake to protect sources and military capabilities?