UPS Denies Helping the NSA 'Interdict' Packages

An anonymous reader writes "When Glenn Greenwald's book came out recently, one of the most startling revelations was that the NSA has been intercepting shipments of networking gear to add spyware. Cisco was one of the vendors whose gear was altered, and now their shipping provider has spoken up about it: 'UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law. "UPS' long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests," UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments." In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.' That sounds like carefully parsed language to me. 'Did not voluntarily,' 'unless it is required to do so by law.' Perhaps they're bound by a National Security Letter?"

Guilty

[Noah+Haders]

Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

Re:Guilty

[jythie]

Because 'we will never allow XYZ', while it makes for a good speech, would not be truthful or accurate, in fact it would be downright deceitful. I would consider such a statement to be a far greater indicator of guilt then even staying quiet since it is legally not an option.

There is a huge difference between 'yeah, we will voluntarily do XYZ when asked' and 'we will comply with the law when required'.

Re:Guilty

Yup. "required by law" is called an NSL.

And you aren't allowed to talk about it either.

Re:Guilty

[geekmux]

Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

Uh, no. I'd rather know about it so then we can at least attempt to do something about it. Not knowing would do nothing to resolve the issue.

And it's quite the serious issue. Where we used to have only the government legally allowed to sit behind the bullshit excuse of "cannot confirm or deny", they have now expanded that standard legal waiver (via NSLs) to every American corporation they touch.

And the secret monitoring will be legally allowed to continue without your knowledge. Sorry, but until they dismantle secret courts, Snowdens revelations haven't done a damn thing to change policy or weaken the NSAs capability at all.

Re:Guilty

[NotDrWho]

Here is the quote from the article:

“UPS’ long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests,” UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. “UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments.”

When you parse the language and translate it from PR-speak/legalese, you realize that this is basically a meaningless statement. The first sentence is boilerplate BS, and has nothing to do with the allegation at hand at all. "We have a long-standing policy not to do X" *IS NOT* the same as saying "We didn't do X" (though that's what they want you to believe they're saying, of course). The second part of the statement only tells us that the NSA didn't get a court order to do this, *NOT* that UPS didn't let them do it anyway without a court order.

And what the whole statement is absolutely NOT is an actual denial. In short, if UPS *REALLY* didn't let the NSA intercept their packages, they could have released a very simple statement saying "UPS did not and does not let the NSA intercept our packages." What they released was some vague boilerplate BS that basically says fuck all.

Re:Guilty

[Charliemopps]

Not voluntarily unless required by law? Why do companies release statements like this? It just makes them seem more guilty. Better not to say anything.

Maybe that's the entire point. They're not allowed to complain out loud because of an NSL but they can make it clear what's going on and that it's hurting them with a statement like this.

It's long past time for us to decide our government should not be keeping secrets. They clearly cause far more harm than they help. At worst, some criminals get away. How does that saying go? It's better to free 100 guilty men than imprison 1 innocent?

Re:Guilty

[TWX]

Some people like a man in uniform...

Re:Guilty

[Frobnicator]

Reading the rest of the article (yeah, who does that) has more of the little gems.

The quotes fro the headlines were from a PR drone. They write PR, but they don't know the actual secrets. They are not the ones who are called in to a private executive meeting with the legal team.

When they question Mark Chandler, the executive general counsel who does hear the legal secrets:

“We ought to be able to count on the government tonot interfere with the lawful delivery of our products in the form in which we have manufactured them,” Chandler wrote. “To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry.”

We ought to trust... people need to trust... because that is good for business.

Chandler didn’t say if the company knew of the NSA interdiction program, nor did the executive acknowledge if Cisco participated in the interception of packages delivered to certain customers.

No need for UPS to help

[headhot]

If the device is made (or packaged in the US) and is being shipped overseas, the NSA can grab it at customs, there is nothing the shipper can do about it.

Re:No need for UPS to help

[Cassini2]

Many (all?) custom's warehouses are operated by third-party companies. This will be a little bit more complicated than inspecting luggage. However, the companies (subsidiaries) that operate those warehouses get their entire revenue from allowing people to transport goods across borders. I suspect the NSA can get away with almost anything in that environment.

Re:No need for UPS to help

When you say Custom's warehouse, I think you actually mean the two types of regulated facilities which are bonded and foreign-trade zone warehouses.

Bonded warehouses are only allowed to store imported goods. The importer files customs entry forms for the goods prior to storing them within the warehouse and must paid the owed duties prior to removing the goods from the warehouse. This is the most common type. Basically it is where you put things while you pay your entry fees.

Foriegn-trade zone (FTZ) warehouses allow both domestic and foreign cargo to be stored. Small manufacturing can be performed within the FTZ too. You would use this if you plan to re-export the goods or the product you manufacture have a mixture of domestic and foreign parts and it would be cheaper to import the finished product than each individual part. The goods are not considered imported until they leave the warehouse for a domestic address. A lot of global manufacturers have FTZ facilities and despite what the parent comment implied, this facility is operated by the manufacturer or a contracted agent for the manufacturer. It is not a place where customs or the NSA can freely enter and have access to any of the goods.

Yes I used to make a living in this field.

Can NSA serve National Security Letters?

[Gibgezr]

Excuse my ignorance, I am not from the U.S., but I thought only the F.B.I. could serve National Security Letters. Can the NSA also serve them?

Re:Can NSA serve National Security Letters?

[Cassini2]

The NSA rarely admits to doing anything. The other agencies are directed to cover up their involvement and how they got their information. For example: Exclusive: U.S. directs agents to cover up program used to investigate Americans.

Re:Can NSA serve National Security Letters?

[NotDrWho]

I thought only the F.B.I. could serve National Security Letters. Can the NSA also serve them?

Even if they couldn't (and they won't say whether this is the case or nor), they could easily get the FBI to do it for them.

We the public are never going to know either say (without another heroic whistleblower), since even the process is a secret. Maybe we can find out the truth in about 75 years when they declassify it.

Re:wow

[larry+bagina]

Too many secrets.

I watched sneakers a couple days ago (it's on netflix) and nearly shit my pants at the end when Robert Redford reveals the magic decryptor box isn't for spying on the russians, it's "for spying on us". (Of course, they meant the NSA was spying on the FBI/CIA but still... future predicted).

Weaponized products don't sell

When you weaponize U.S. technology products to the extent that the NSA has, don't be surprised when no one wants to buy those products in the future.

What foreign CEO or government official wants U.S. technology in control of their banking industry? Their communications infrastructure? Their manufacuring base? Their electrical power and distribution network?

Can you imagine the U.S. response if the critical infrastructure items such as those listed above were found out to be backdoor and controllable at will by the Russians? Chinese? Indians?

The U.S. has a serious reputation problem right now. We need to stop this nonsense immediately if we expect our tech industry to survive.

It takes a second to destroy a reputation - it takes years, sometimes decades to build it back.

Re:Weaponized products don't sell

[jythie]

And of course they are blaming the economic damage on getting caught as opposed to, well, what they were doing.

Possibly...

[the_skywise]

"Perhaps they're bound by a National Security Letter?"

Maybe. It could also be exactly what they say - When presented by an actual warrant to intercept items (EG for goods purchased with stolen credit cards or contraband) they follow it. That WOULD include national security incidents too but, as they say "UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments" and I'd think a gag order would prevent them from affirming or denying the issue.

Re:Weasel words

[NoNonAlphaCharsHere]

"UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments."

Because we know the NSA never does anything without a valid court order.

yeah, whatever

[phillk6751]

Just like Google, Microsoft, Apple, etc, etc. Nobody wants to fess up, but some appear to be "trying" to step up to the NSA now.

I wonder if they (private companies) secretly allowed it(NSA infiltration) to happen under fear of the NSA using whatever power they have to get the companies shut down if they didn't follow suit. Now that the public has been informed, the companies are using all the plausible deniability they can to prevent lawsuits. In the case of the UPS, I don't think there's any plausible deniability to use...It's not a software system that the NSA could exploit per-se.

Or is it the case these companies really are just as corrupt as the NSA?

I really don't see any other alternative, unless you want to argue that Snowdens docs were fake (Highly unlikely).

Re:Trust!

[Opportunist]

You know that the US resembles more and more the USSR of old? The way to get to the result is a different one, the end result is the same: You have a population that is mostly apathetic towards its government. And whoever isn't apathetic outright hates it. You have a secret service that seems to be more concerned with domestic spying than foreign intelligence, simply because the state and the powers that are fear their "internal" enemies more than they fears anyone coming from abroad. You have a small "elite" that mostly stays within its own circle who share the power in the country while everyone else is mostly powerless. And you have a mainstream press that toes the party line.

It's actually pretty amazing. You needn't have a totalitarian dictatorship to create a situation where you can bullshit and oppress most of the population. But what you DO need is an absence of a better system. That's what fell the communist systems and what keeps the current one we have alive: We lack the "west" they had.

Re:Trust!

[Opportunist]

As I said, we lack the "west". Sadly, there is nowhere to run.

Why do you think you can still travel? Having a right is pointless if there's no way to make use of it.

Re:Physical interdiction of trucks?

[Lemmeoutada+Collecti]

UPS drivers have assigned routes that they drive, so barring vacation and sick time any given address is serviced by the same driver every day. Knowing which truck is similarly easy, since all that would be needed is to track the first few stops to get the truck number - and if required, the driver of the day's name. Knowing the day is a function of UPS' own tracking systems, it will tell you when a package is out for delivery.

So here is a theoretical setup:

1) Identify the route of the target - the company who ordered the part
2) Order a delivery scheduled for the same day to a company earlier in the route
3) Watch the second company, identify the truck number and driver
4) Run a background on the driver to find out family, friends, brand of toilet paper
5) Meet driver en route and perform the stop as above

National Security Letter

[plazman30]

Of course they're gagged by a National Security Letter. This whole process is disgusting.

Next time try this:

[mvw]

"Stories on rearranged routing yielded great overstatement today. For UPS customers keep invaluable. No government necessitated said law!"

Re:Trust!

I would argue this is because the average American has been sold a lie - that a society's economic system is equivalent to its system of government. So long as America remains a free market, there is no way that we could ever slip into bureaucratic decline.

The problem is, that the "free market" essentially amounts to a privatization of bureaucracy, not its elimination. We've granted trust to a small class of individuals on the promise they will free us, and unsuprisingly, they are betraying that trust. This is where we now resemble the USSR - the blind allegiance of the multitude to the promises of the few elite in the political class.

Geezus, UPS is flat out lying

In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.

This just beggars belief. It's well known that all US couriers have security divisions that work with federal and state government agencies. They routinely help with investigations of suspicious packages containing drugs, counterfeit products, explosive materials, firearms, etc.

Here's what one UPS executive, customs and brokerage manager Norman T. Schenk, had to say in a Congressional hearing in 2000 on how to stop illegal drugs from being delivered by mail:

Our partnership with the Customs Service has dramatically
curtailed the flow of contraband. Today, Mr. Chairman, we urge
you to ensure that the Customs Service has the 21st century
tools it needs to maintain the extraordinary growth of commerce
in this new millennium. Last year, the United States received
21 million commercial shipments. By 2004, that number is
projected to climb to 50 million. Customs simply cannot inspect
each shipment by hand.
        Mr. Chairman, full funding of the new automation system
known as ACE, the Automated Commercial Environment, is
essential for Customs to keep pace with the growth of commerce.
        No technology can enable the Customs Service to inspect 50
million shipments, but ACE can help Customs leverage the power
of information to target its inspections efficiently and
precisely.
        Our own experience at UPS shows the difference such a
system will make. Our advanced electronic manifesting procedure
provides Customs with extensive information from the
destination of a parcel to a description of its contents on
every package we transport to the United States before it
arrives at a UPS facility. ...
In addition to our work with Customs, UPS conducts an
aggressive and thorough drug interdiction program of our own.
We train delivery drivers to spot packages that may contain
illegal drugs. We screen for suspicious parcels. We routinely
work with the other law enforcement agencies like the FBI, DEA,
and State and local authorities, including providing them
information about any offender we identify.

So they not work with 3 letter federal agencies routinely, but they do it without the prompting of a subpoena, or NLS.

Who says they were third parties?

[Guppy06]

This all presupposes that Cisco wasn't sending these routers to Fort Meade to begin with, with the NSA re-shipping the routers to their final destination after modification.

Vetting National Security Letters

[phorm]

OK, so the NSL is basically a secret letter, that nobody wants to talk about. How do they (recipients) even know if/when they're legit. It's not like there's a 1-800-DIAL-NSA number to check it out.

What's to stop "shady group X" from getting some serious looking guys with suits, sunglasses, and some fake ID's+forms to drop by the local datacentre and say "OK, we're NSA and we need records/access from this group of servers here. Oh, and you can't talk about this to anyone. Delay us and very bad things will happen to your and/or your business"

Re:Also Snowden's Fault

[rogoshen1]

No. A person exposing a crime is not responsible for the consequences.

A guy starts driving home from a bar while being completely hammered. Someone sees him swerving on the road and calls the cops. The drunk driver can't go back and sue to the person who reported him for damages stemming from the DUI fine and loss of driving privileges.

Eventually what the NSA would have been found out, and the piper would have to paid. Snowden did us ALL a huge favor by getting this out in the open and hopefully stopped.

Stop covering for these asshats. The damage to the tech industry is on the NSA, and maybe on us for allowing such secretive government agencies to exist in the first place. The founding fathers would have been absolutely aghast at the IDEA of a NSL.