Those who have paid attention to the massive spying effort of the feds have learned how to parse corporate denials. Comments like “We have never knowingly participated in program ‘AbuseOurCustomersTrust’” could mean one of three things:
- The company didn’t know they were participating because they got bugged or hacked, so they really didn’t know until they read it in the newspaper like you did, or
- The company knows the actual program was TellTheFedsEverythingYourCustomersEverSaid, therefore they really and truly didn’t participate in a completely different program called AbuseOurCustomersTrust, or
- The company has no idea what name was used for the program for which they were a fully aware participant.
All of which means the company was telling the technical truth while fully cooperating with the specified program and saying they didn’t.
Shall we apply this parsing ability to a denial from UPS about shipping packages to the NSA for hacking?
Over the last year we have learned that the NSA has a special program called Tailored Access Operations. This is a team that intercepts technology shipments going to various places around the world. The team opens the packages, installs various hardware trackers and software backdoors in the equipment, reseals the package so it looks from-the-factory-fresh, and puts it back in the logistics stream.
For a few dozen articles on TAO from Schneier on Security, follow this link: https://duckduckgo.com/?kh=1&q=tailored+access&sites=www.schneier.com%2Fblog
Successful operation of that program means someone in the logistics pipeline is cooperating with the NSA. That would be either UPS, FedEx, USPS, or DHL. A photo from the NSA archives released by Glenn Greenwald shows the TAO team resealing a Cisco box. The Blot magazine carries the story from there: Exclusive: Courier Services Deny Participation in NSA Interception Program.
The article explains UPS is the shipper for Cisco.
Parsing the UPS denial
The author, Matthew Keys, got UPS to deny they are participating. At least that’s what a cursory read of their comments would suggest. Parsing the comment reveals a different story.
To expand understanding of the lost trust in the technology world (which is hurting sales of US-made products) and to extend Mr. Keys' point, I will quote three paragraphs of the story.
… it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law.
“UPS’ long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests,” UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. “UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments.”
In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.
Let me parse those comments for you:
- Not voluntarily – There could be a court order or National Security Letter ordering UPS to ship Cisco’s products to the TAO office, thus it wouldn’t be voluntary.
- Inspect – Inspect means observe to learn the contents. The products were bugged. There weren’t any inspections. Hacking is not inspecting.
- Allow – That implies consent. A court order or NSL means the diversions were not voluntary or ‘allowed’.
- Unless…required…by law – There’s the rub. An NSL or court order means it is required by law to ship everything the TAO program wants to handle. Every package ever handled by UPS for any customer in UPS’ entire history could have been delivered directly to the TAO office and the spokeswoman’s comments would be absolutely true.
- Long-standing policies – It’s great to have a policy. Was it followed, either generally or in this case? Or was the policy ignored?
- Court-ordered process – Could have been shipped pursuant to an NSL. That means UPS never, ever shipped anything to the NSA or any other agency in response to a court order.
- Requests – NSLs aren’t a request. Jail is the option for noncompliance. That’s not a request.
- Not aware of court orders – Of course. It would have been ordered by an NSL. Thus, no court order.
- No knowledge…from FBI, CIA – Of course. It is the NSA that would have been sending the orders. No orders were ever received from the SEC, Federal Reserve, Bureau of Printing and Engraving, or the Forest Service either.
There are probably other qualifiers I don’t even recognize. Any one of those nine loopholes would invalidate the entire denial.
So there is the depressing lesson I have learned from the spying fiasco: A spokesman can tell the truth in giving a denial but the denial could be willfully, knowingly, completely deceptive.