by gojomo 4482 days ago
First, even if the companies did know, there was probably a tacit agreement with the NSA that the NSA would always allow them plausible deniability. "Not only are you doing your country a great (and legally-required) service, but everyone involved will go to their graves with the details. Have you heard about how [competitors/famous-companies X, Y, Z] have fully cooperated for decades? You haven't? Exactly."

The NSA seems to have been forced by events to break that likely mutual-understanding.

Second, what does it mean for a "company" to know something? What if one compartmentalized group of employees know – perhaps ex-military/intelligence people themselves – and believe they are both compelled to comply and to keep the full details from upper management (for everyone's protection)?

Does that count as the "company" knowing? I could see the CEOs saying, as they have, "no", and the NSA saying, as they are here, "yes".

2 comments

Internal corporate collaborators unknown to the executives speaks to a failure of corporate security/infosec. I'd imagine current CEOs are increasing their organizations' security measures to protect not only against corporate espionage but also state players. If you are CEO and you are forced to comply that is bad, but not nearly so bad as complying without knowing it is happening. Not knowing doesn't allow you to leverage legal, oversee the extent of compliance or plan for the contingency of the compliance becoming public.
How many CEOs view their interests as separate and opposed to their home-country security services? That's who protects them from terrorism, sabotage, blackmail, and kidnapping! A corporate infosec policy that keeps out everyone except a few quasi-official security-state moles may be exactly what they want. Earn brownie points, avoid paper trails, "everyone" wins.

Probably, helping the security-state even makes keeping other security threats out, easier: if you play ball, they want their secret, exclusive access to be unique. They fortify the holes behind them, and can use their many, many vantage points to warn you about other emerging threats. Otherwise, you're on your own.

Do you want to be friends with the best-funded, legally-advantaged infosphere apex predator, or enemies?

So your first post seems to say "the CEOs could plausibly not have known" and this post seems to say "of course the CEOs went along with it!" Which is an entirely different claim. Could you clarify?
It's not binary. I'm considering a range of situations which explain both the denials and the NSA lawyer's report.

The CEOs might know, and think it safe to lie. (That's the "First" part of the topmost post.) They might not know because the NSA only approached targeted lower employees, and the combination of the law and the company's own structure prevents the full decision/compliance from ever being told to the CEO. (That's the "Second" part of the topmost post.)

And the reason that they don't "know" could be that the NSA is really good at a targeted approach, or that the CEO has helped by making sure enough people to make the NSA happy are empowered and compartmentalized to do so, without it getting back to him. In such a case, he honestly doesn't "know" exactly whether or how much the NSA is poking around, but that's ignorance-by-design.

If the government were angry at a CEO engineering such ignorance to avoid criminal liability, they'd prosecute under the theory of willful blindness:

http://en.wikipedia.org/wiki/Willful_blindness

But since the CEO is in this case doing the government a favor, the government will "look the other way" about the CEO "looking the other way"...

>How many CEOs view their interests as separate and opposed to their home-country security services?

Probably most in the tech industry now...

Correct. Companies are not monolithic. How many people do you need to know about it, in order to hide something from the monitoring systems and management alike? 10? 2?
The lawyer quoted in the article appears to contradict this: “Collection under this program was a compulsory legal process, that any recipient company would receive.” That's not a black bag job.
Joe who used to work at Ft. Meade – totally stand-up patriot! – is a senior employee in the company's operations department. He is served the compulsory process, and it is implied that under the process, he should not tell anyone else at the company, including superiors and company counsel. In fact, the senior executives may have even tacitly employed Joe for this role for this very purpose: he's been pre-vetted by the security state.

That's not quite a 'black bag' job. Nor is it completely legitimate. It's something in-between, which most of the time lets everyone work under convenient fictions, getting on with the rest of their jobs.

Really? Can the janitor respond to a warrant being served?
The example is "senior employee in the operations department". Probably, the same person who'd be asked to implement the tap if it went through CEO-counsel-VP-etc. The NSA might just be doing everyone a favor by fast-forwarding past those steps, since they can't say no and only face more risk for knowing more anyway.

But to consider another variant, I could absolutely see a janitor becoming convinced by men with badges that he must cooperate with their investigation, perhaps by planting a bug or offering out-of-hours access. A janitor could also be convinced by official-looking (and perhaps even truly official!) judicial paperwork that says he's not allowed to tell others.

In the case of my hypothetical 'Joe with Ft. Meade experience', the cooperation is cheerful because he believes in the mission and legitimacy of the request. But under the strange logic of compelled secret compliance, lower-level employees might be coerced into cooperation. (That'd be more likely to be seen as a true corporate infosec failure, rather than a "wink, wink, 'failure'", from the perspective of top executives.)