by malandrew 4743 days ago
I'm honestly shocked that many of these companies aren't being sued in European courts. There is more than enough evidence now to support this. Hit every company on their bottom line. Europeans need to present the following dichotomous choice to every American tech company:

(1) Operate in Europe and make money here, but no spying on any EU citizen.

(2) Continue spying, but don't operate in Europe.

Alternatively, eliminate the tax evasion benefits of routing everything through Ireland. The tax hit of forcing many US companies to pay the full amount of US corporate taxes should be more than enough to change their tune.

4 comments

According to the General Data Protection Regulation (GDPR), which is an expansion of the current Data Protection Directive and is planned to take effect in 2016, companies that are located outside the EU and that process EU citizens' data are supposed to be compliant with the GDPR. The GDPR allows much greater control over one's own data.

The current Data Protection Directive apparently does not take into account many of the foreign online services, but the new GDPR does.

On Wikipedia:

The proposed new European Union Data Protection Regulation (a draft for which was unveiled in January 2012) extends the scope of the EU data protection law to all foreign companies processing data of European Union residents.[1]

I'm wondering if and how the EU will enforce this law?

Source: https://en.wikipedia.org/wiki/Data_Protection_Directive , http://en.wikipedia.org/wiki/General_Data_Protection_Regulat...

I wish this plan of yours made any sense. Btw, IANAL.

First of all, I strongly disagree with "enough evidence now".

Next, to sue successfully, you need to prove that the thing happened (and that it happened in a way or in a place where the relevant law claims jurisdiction). How will your imagined plaintiffs get actual evidence? Subpoena the companies? Seriously, imagine you're a successful, law-abiding, US company. And imagine that a European court orders you to reveal facts XYZ, blah blah blah. Normally, because you're law-abiding, you try legal ways to avoid it, and then you obey the court. But in this case, the NSA has a gun to your head, and it's a legal gun (both in the sense that the gun is not illegal, and in the sense that the gun is made-out-of-laws). What do you do? You can't obey both laws at once. What you do is obey your own country. So the only way they'd get evidence (assuming your unfounded accusations are true) is if there were enough whistleblowers inside each sued company. If those people existed, they'd probably be coming forward already.

ALSO, not counting the UK, profits in Europe are pretty small, overall. Not small enough to ignore, but way way way too small to threaten US profits. Even all of non-UK Europe put together, actually, but especially if you're talking about individual countries.

And finally, you seriously have no clue how tax avoidance (not evasion) works. If big companies were forced to move out of Ireland, they'd move to any of the dozens of alternatives. Even the UK and France, for example, when they're not hassling big-corps, literally brag about how good their tax incentives are. There are LOTS of tax havens. Many countries would rather have 10% of a lot than 50% of nothing. You can disapprove or whatever, but that's the world the politicians have created, when they're not pretending to be angry about that very same world.

The thing is, although I think nearly every sentence of your comment is ill-conceived, I wish your plan made sense. Because I would like to see the truth come out, whatever the truth is. If my company is innocent, I'd like proof. If my company is guilty, I'd like proof, so I can quit, and pressure fellow-engineers to quit, to send a message that would actually affect the bottom line. But your plan will never help me to learn the truth.

I reckon you could use link honeypots to prove emails are being read. Send out enough emails from many accounts with links that aren't meant to be followed and see how many are followed and what IP addresses the links are followed from. If you do that across enough accounts, you should be able to figure out whose accounts are being wiretapped.

I'm sure there are other types of honeypots that could be set up.

Ah, hmn, that's a more-clever plan than any of mine.

BUT I'm still a little skeptical, though maybe the details could be worked-out. I mean, if you send the emails to fake users, then the NSA isn't likely to follow the links. And if you send emails to real users, then you have trouble proving it wasn't the real user (owner of the mailbox) who followed the link. I mean, the IP addresses do help... unless the snoopers use TOR, or equivalent. (In fact, what do you figure are the odds that the original TOR developers now report to Alexander, via USCYBERCOM, via the Tenth Fleet, via NETWARCOM? Where would you assign those guys, if they still work for the Navy?)

In favour of this honeypotting idea, though, if you set up fifty honeypots, and your opponent evades forty-nine of them but falls into the fiftieth, maybe you've still got something.

I reckon the admins of mail servers that are likely to be NSA targets (government mail servers or newspaper mail servers, for example) could set up some sort of script that sends emails from American services (Gmail, Yahoo, etc.) to many addresses on their own mail servers and then use another script on their mail servers to "clean up" those messages before they get to the recipients. This would ensure that the messages get intercepted by the NSA, but never get to their intended recipient. If any link is followed, then they can be certain that the message was intercepted.

Generating messages could be done using Markov chains that learn from the content across many of their own mailboxes. Before that Markov generator is used, it could be scrubbed of any words that are particularly sensitive because they refer to classified or secret material.

That's just one idea. Now that the cat's out of the bag, I hope security researchers are already working on such honeypots. Personally, I think every major newspaper should be among the first to implement honeypots. Alternatively, people who think they are at risk for surveillance or suspect that they are already being surveilled should be able to submit their email to some watchdog group that can set up the honeypot on their behalf.
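The collector side of the link-honeypot idea discussed in the comments above, as an added example that is not part of the original thread: each decoy message gets a unique, unguessable link, and only fetches of an issued token count as evidence. The secret, the `/t/` path, the mailbox names and the log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: known only to the collector

def make_token(mailbox, msg_id):
    """Token = msg_id plus a truncated HMAC, so links cannot be guessed."""
    mac = hmac.new(SECRET, f"{mailbox}|{msg_id}".encode(), hashlib.sha256)
    return f"{msg_id}.{mac.hexdigest()[:32]}"

def issue_links(mailboxes):
    """One unique link per decoy message; returns {token: mailbox}."""
    return {make_token(mb, f"m{i:03d}"): mb
            for i, mb in enumerate(mailboxes, 1)}

# Common log format, restricted to the hypothetical canary path /t/<token>.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /t/([\w.]+) HTTP/[\d.]+"', re.ASCII)

def attribute_hits(log_lines, issued):
    """Return ({mailbox: [source IPs]}, rejected_count).

    Requests for tokens that were never issued (scanners, guessed URLs)
    are counted as rejected instead of being treated as evidence.
    """
    hits, rejected = {}, 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a canary path at all
        ip, token = m.groups()
        owner = next((mb for t, mb in issued.items()
                      if hmac.compare_digest(t, token)), None)
        if owner is None:
            rejected += 1
            continue
        hits.setdefault(owner, set()).add(ip)
    return {mb: sorted(ips) for mb, ips in hits.items()}, rejected

ISSUED = issue_links(["desk-a@news.example", "desk-b@news.example"])
TOKENS = list(ISSUED)
SAMPLE_LOG = [  # constructed log lines using documentation IP ranges
    f'203.0.113.7 - - [10/Jun/2013:10:00:01 +0000] "GET /t/{TOKENS[0]} HTTP/1.1" 200 0',
    f'203.0.113.7 - - [10/Jun/2013:10:00:09 +0000] "GET /t/{TOKENS[0]} HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/Jun/2013:10:02:00 +0000] "GET /t/m002.' + "0" * 32 + ' HTTP/1.1" 404 0',
    '192.0.2.55 - - [10/Jun/2013:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(attribute_hits(SAMPLE_LOG, ISSUED))
```

A hit only shows that someone holding the message fetched the link; the source IP by itself does not identify who that was.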

How do you discriminate this from auto-generated email addy spam? Am I missing something?
Russia promises legal action over NSA surveillance scandal -> http://rt.com/politics/internet-surveillance-western-prevent...
If the NSA is tapping fiber at providers, a la Room 641A, then the companies' behavior is completely irrelevant to the spying, and the NSA watches all traffic in and out of their networks anyway.

So your choice, as a European, seems to be utilize networks that don't pass through America at all, or have the NSA spy on you. I apologize for the inconvenience.

> If the NSA is tapping fiber at providers, a la Room 641A, then the companies' behavior is completely irrelevant to the spying, and the NSA watches all traffic in and out of their networks anyway.

Then why would the companies need blanket immunity?

Wrong, if they are tapping at the wires they only see that you're using Gmail, not the content of your email or who you are speaking to (unless you turn off SSL for some strange reason).
How likely is it that these companies can be compelled to turn over their SSL private keys via FISA court?
Very likely. Even if it was for a specific case.
Isn't the whole point of all this outrage that NSA have equipment or data exchange arrangements with GMail etc. so that SSL is irrelevant?
"Isn't the whole point of all this outrage that NSA have equipment or data exchange arrangements with GMail etc. so that SSL is irrelevant" Yes, which is why the NSA needs the cooperation of the companies, since this info can't be gotten just by listening on the wire.