Technical Risks of the US Protect America Act

A group of respected security researchers has released a paper on the security holes that would be opened up if a broad warrantless wiretapping law is passed. The subject could hardly be more timely, as Congress is debating the subject now. Steve Bellovin, Matt Blaze, Whit Diffie, Susan Landau, Peter Neumann, and Jennifer Rexford have released a preprint of Risking Communications Security: Potential Hazards of the Protect America Act (PDF), which will appear in the January/February 2008 issue of IEEE Security and Privacy. It will hit the stands in a few weeks. From Matt Blaze's blog posting: "As someone who began his professional carrier in the Bell System (and who stayed around through several of its successors), the push for telco immunity represents an especially bitter disillusionment for me. Say what you will about the old Phone Company, but respect for customer privacy was once a deeply rooted point of pride in the corporate ethos. There was no faster way to be fired (or worse) than to snoop into call records or facilitate illegal wiretaps, well intentioned or not. And it was genuinely part of the culture; we believed in it, even those of us ordinarily disposed toward a skeptical view of the official company line. Now it all seems like just another bit of cynical, focus-group-tested PR."

Call your senators

[Steeltalon (734391)]

The only thing that we can do is look at material like this and make sure that we communicate these points to those who represent us. It's only natural to be cynical about the likelihood of making a difference with your call, but unless you take that action we'll never know if we could stop this thing.

Re:Call your senators

[bleh-of-the-huns (17740)]

I wish that was true.. and honestly I thought it was somewhat true.. till after having a conversation with a friend of mine and her roomate. They both work for Senators, in one case that individual is actually the person who filters all the calls that go into a senators office, and decides what gets through.. and what does not... (Apparently most of the calls they get involve black helicopters.. go figure). I mentioned the latest FISA related stuff, and her response was that the Senator has "people" that research that stuff all day and inform the senator.. to which my response was that, that was not the point I was trying to make, and that the point I was making is that the people they represent are against said bills, not whether they are cooks or not. She shrugged her shoulders... at me... Which leads me to believe, that the people the senators hire (which obviously fall in line with the senators agenda), have no interest in hearing from constituents, but rather already have the answer, and are only really researching the questions.

I honestly hope this scenario is incorrect, but that is the impression I got from that little conversation.

Re:Call your senators

[flaming error (1041742)]

The day my "representatives" listen to me is the day they learn I donated more than the telco industry.

spot on

[kneemoe (1042818)]

unfortunately you got the right impression. living/working in Albany, NY I get to see a lot of this with friends that work in (state) senators' offices, nothing ever gets to them without being filtered and they already know where they stand on bigger issues and outright ignore their constituents unless the media gets involved (like spitzer and his give illegals drivers licenses thing)
heck I've written our 'good' senator Schumer a number of times on big issues and all you ever get back is a form letter written by an office intern, no big deal there but you have to know he never reads any of those emails, they get read by the same intern and if you're lucky he summarizes a few of them to his boss later.

Re:Call your senators

[russ1337 (938915)]

Which leads me to believe, that the people the senators hire (which obviously fall in line with the senators agenda), have no interest in hearing from constituents, but rather already have the answer, and are only really researching the questions

If that approach is systemic then things are really bad but the question is 'how can someone change that?'

Re:Call your senators

[BoomerSooner (308737)]

Don't forget 9/11 changed everything.

Re:

[WK2 (1072560)]

Don't forget 9/11 changed everything.

Not really. We have always been at war with Eastasia. It used to be called something else, though.

Re:Call your senators

[Relic of the Future (118669)]

And that's the thing, isn't it?

Everyone complains about "the congress", and yet, everyone keeps re-electing the same scumbags back into it!

"Oh, no!" they say, "_my_ congressperson is doing a fine job! It's everyone _else's_ that's a problem!" Which really means "My guy brings the pork home, and that's good; but yours brings YOUR pork home, and that's bad!" And with the way the rules in congress works, a junior member has a lot less pull to bring that pork home; so 90% of the time, the incumbant wins.

Or they say "I would, except, $MY_PARTY keeps putting up the same choice for re-election, and I'm certainly not going to vote for $OTHER_PARTY," which is an appeal to how poorly the First Past the Post method of adjudicating elections works. With any more-robust voting method, parties could run multiple candidates without risks of spliting the vote and losing, or, *gasp*, third-party candidates could have a real chance, without acting as spoilers (damn you Ralph Nader!)

But again, that's just pointing out the problems. How do you fix the bylaws in congress, when those who benefit from them are the only ones with the power to change them? How do you change voting practices when all the lawmakers in power owe their position to the current method?

All I can think of, is start at the bottom. You can't change the nation before you change your state, and you can't change your state before you change your town. So, in order to fix the US Congress by, oh, 2020, run for town council today.

Re:Call your senators

[dkleinsc (563838)]

One solution to that is to get your politicians face to face, rather than going through the flappers. This is sometimes tricky, but essentially involves waiting for an opportunity (like when he's back in his district), and walk right up to him and start talking. Sometimes he'll walk away (which is a pretty clear message in and of itself), but most will listen to you for about 1-5 minutes first.

I've done this with my entire legislative delegation (congressman and 2 senators) at some point or another, and my results are at least as decent as calling or emailing: My congressman actually did what I asked him to do, which was to impeach Dick Cheney first.

Re:Call your senators

[riseoftheindividual (1214958)]

If you do call your senators for this or any reason, remember to be polite, courteous, yet let your convictions come through and without directly threatening to vote them out of office, be very firm(while being polite and courteous) that their position on this matter will weigh heavily on the choice you make in the next election. Also, NEVER EVER EVER STATE THAT YOU DID NOT VOTE FOR THEM. If you didn't, then don't lie unless you want to be lowered to their level, just don't bring up who you did vote for. Saying you didn't vote for them makes them even less likely to give a damn what you have to say.

Re:

[TheVelvetFlamebait (986083)]

If you didn't, then don't lie unless you want to be lowered to their level, just don't bring up who you did vote for.

Um, I hate to break it to you, but politicians don't usually lie outright, they usually fail to bring up certain relevant facts that could destabilise their position. If you deliberately fail to mention that you didn't vote for them, you basically are at their level.

Re:

[riseoftheindividual (1214958)]

Um, I hate to break it to you, but politicians don't usually lie outright,

Really, so I can't take a typical politician in general and compare his campaign promises to his actions in office and find blatant inconsistencies that most reasonable people would believe indicate lies? Last time I looked it into, I was able to do just that. Maybe there's a new breed of politician out there I'm not aware of that has suddenly infiltrated the mainstream. I understand there are exceptions to this, but the last time

Re:

[schnikies79 (788746)]

Yes.

Re:Call your senators

[Bill, Shooter of Bul (629286)]

My senator is too busy running for president, the other one is too busy running the senate. Even when the candidate was a freshman, he was too busy to take calls from a previous boss. Didn't even say " we're looking at the situation", just "The senator declines to speak with you on this matter". And that was on an issue of international security. Sorry for being cynical, maybe other states have less involved senators that have time to pretend to care about important issues.

Police State Coming

[queenb**ch (446380)]

You can mod me as a troll or flame bait or what ever you like. The fact of the matter is that we're on the slippery slope toward becoming a police state. Stay with me...

First the Patriot Act - no more do you have show probable cause and get a search warrant. The enforcement branch is now unfettered by little things like the Bill of Rights.

Second the Emergency Powers Act - this allows martial law to be declared and turns the President into a military dictator if there's "catastrophic emergency" but utterly and complete fails to define what qualifies as a "catastrophic emergency"

Third is this - Now they have the unlimited ability to spy on the average citizen.

Am I seriously the only one who sees a pattern in all of this? Shall I start citing historical examples? Wake up people!!!

2 cents,

QueenB

Re:

[LilGuy (150110)]

You forgot the signing statements. The president signing a bill from Congress into law, but declaring he won't follow portions or the entire thing.

Edmund Burke Updated

[Stanistani (808333)]

"All that is necessary for evil to triumph is for good men to do nothing."

As a bonus, pass a law giving evil men immunity.

Re:Edmund Burke Updated

[snl2587 (1177409)]

Come now: this is the U.S. government we're talking about. What could be evil about that?

I don't think it'll help

[liquidpele (663430)]

This book isn't so much about actual risks as it is about "This is why it's stupid", and I really don't think our government thinks it's stupid. They think it'll work (and it will to some extent) and that they'll be able to control the abuse.

Re:

[riceboy50 (631755)]

They think it'll work (and it will to some extent) and that they'll be able to control the abuse

Some of the more cynical among us might be inclined to wonder if the abuse is the real purpose.

Thank you Matt Blaze

[Presto Vivace (882157)]

One more document showing privacy = security.

The U.S. government is very corrupt.

[Futurepower(R) (558542)]

"Now it [privacy] all seems like just another bit of cynical, focus-group-tested PR."

The U.S. government has become extremely corrupt. One method is the one mentioned, testing for weaknesses in public understanding, or willingness to act, and exploiting those weaknesses.

Here are others:

Making sure that honest, public-minded leaders from both parties are defeated.

Giving bills in Congress misleading names, like "Protect America".

Giving bills misleading features and widely publicizing the misleading features. For example, the "economic stimulus" bill only causes the government, which is deeply in debt [futurepower.org], to print more money. That will make the value of the dollar go down even further. The "economic stimulus" bill also contains provisions to funnel money to banks. The banks apparently deliberately created the mortgage finance crisis doing so was profitable, and because banks were sure that the U.S. government would pass a bill to lessen the losses.

Re:

[CannonballHead (842625)]

I'm not sure the apparently extremely democratic-party-biased link is very helpful in this case. Yes, America is in debt, but it seems that you are attempting to push that the Democrat party is much less corrupt than the Republican party?

Re:The U.S. government is very corrupt.

[dr2chase (653338)]

Actually, yes. Delay, Abramoff, and that crowd were pretty much in the business of trading earmarks (lots of earmarks) for votes on bills. The Democrats aren't saints (I post from MA), but when the Republicans got control, they went very bad very fast. There's also the small issue of pretty much the entire Republican Party, with the exception of Ron Paul and John McCain, being pretty much ok with actions that, in previous wars, were called torture. Translated from the original German, "Enhanced Interrogation Techniques".

More recent information about U.S. government debt

[Futurepower(R) (558542)]

More recent information about U.S. government debt:

U.S. Government Debt Graph (2007 Budget data) [zfacts.com] (Good for a quick view.)

U.S. Government Debt Clock [brillig.com]

U.S. Government Debt [zfacts.com]

Re:

[Bill, Shooter of Bul (629286)]

The U.S. government has become extremely corrupt

Welcome to the 1800's.

MMMMMM

[isotope23 (210590)]

Smells like Freedom!!

Oh say does that Star Spangled Banner yet wave,
o'er the Land of the Free,
Or the home of the SLAVE......

Re:MMMMMM

[Captain Sarcastic (109765)]

...And I'm proud to be an American,
Where at least I know I'm free
As long as I follow the party line
And carry my ID...

(With apologies to Mr. Greenwood)

Re:

[xerxesVII (707232)]

I think Mr. Greenwood is the one who should apologize to all of us.

I want this passed. Then...

[scooter.higher (874622)]

...once this has passed, I hope that someone (with a quickness) is able to exploit the system, record the personal calls of the legislators who passed the bill, and subsequently post them on the internet.

Everything from making dentist appointments to arranging for private meetings.

Live streaming if possible.

Re:

[wizardforce (1005805)]

they don't record their own calls, only the "peasants" beneath them...

I doni't think people should be laughing

[zappepcs (820751)]

If there is a way for the NSA or DHS to listen to your calls, then there is a way for a determined hacker to listen to them. period. no kidding. I mean it.

By creating a monitoring system, the US corru^H^H^H^H^Hgovernment legistlators will create the means necessary for other governments, nefarious organizations, and plain old criminals to listen to your phone calls, monitor your emails, track your Internet usage.

If there is a way, there will be a will... trust me on that.

On the bright side, forget archiving

In typical slashdot fashion...

[Actually, I do RTFA (1058596)]

In typical slashdot fashion, I have not taken the time to read the whole bill. I have not even read a summary of it. However, having read the title, I can say that I, living in America, support this whole concept of "protecting America." Go on Congress, allocate the funds for some more tanks or something, I'm behind you!

In typical congressional fashion...

[LockeOnLogic (723968)]

No congressperson has read the bill either!

Re:

[Actually, I do RTFA (1058596)]

No congressperson has read the bill either!

I is a congressperson? Yippe! I get hot wife like Kucinich [did] with job?

Re:In typical congressional fashion...

[ZombieRoboNinja (905329)]

Well, you've apparently got lies built right into your name - not a bad start!

Actually, its...

[Xelios (822510)]

the Pillage our Rights, Oppose The Exasperating Constitution and Tolerance, And Manufacture Evil Relentlessly to Inundate the Citizens of America Act

Spin on name of Protect America Act

[by Anonymous Coward]

If lawmakers were held to truth in naming, and agreed with Bruce Schneier's "Security and Privacy Arent Opposites" [wired.com] the act might be titled "Control America Act". But that would be a lot harder to gather support.

"The debate isn't security versus privacy. It's liberty versus control."

I don't like the acronym

[sk8king (573108)]

RIAA, MPAA, and now USPAA....tell me you don't notice a problem here.

Hoover, anyone?

[SuperBanana (662181)]

There was no faster way to be fired (or worse) than to snoop into call records or facilitate illegal wiretaps, well intentioned or not.

Bull*shit*, chief. Hoover wiretapped and bugged whatever and whomever the hell he wanted, and nobody dared complain- he was 'fighting' communism. Hoover did it entirely on the premise that, as director of the FBI, it was his purview. That's it. No fancy legal mumbo-jumbo. "I'm the boss."

I hate the current wiretapping as much as the next guy, but let's not get caught up in "when I was your age, candybars cost 5 cents and the phone company didn't tap your phones illegally."

Our phones have been tapped almost since their inception; all the changes is who's calling the shots, what "evil" group is being targeted, and whose definition of "legal" is being used.

believe it or not young-unz, but...

[jdogalt (961241)]

The fourth ammendment to the constitution and the Geneva Conventions used to be a strong part of the ethos of american culture.

But those were the good ol' pre-9/11 days.

Wake up and smell and the realized nightmares of the founding fathers, and don't waste your time thinking that whatever is left of their foundation of democratic principles can help us.

We are sliding full speed down the slippery slope already. The only hope is that america will survive the impact at the bottom, and that the result will be painful enough, that the constitution gets ammended, and a new dawn of liberty arises.

I was the longest holdout in believing that intelligent debate could actually help. It is clear to me that the only thing to do is to sit back, suffer the consequences along with everyone, and hope that people are capable of learning from their mistakes.

O what a brave new world. Human cloning, animal-human hybrid research, warrantless wiretaps. Someone could really write a good book about all of this... But these days you probably wouldn't want to purchase it or check it out of a library, lest your name be put referenced in database queries for threat index assessments.

-dmc

Amend the constitution?

[wurp (51446)]

What good will amending the constitution do? The constitution already:

• strictly limits the powers of the federal government. They basically only have legal power over:
  
  • the currency
    
  • inter-state disagreements
    
  • inter-national disagreements & treaties
  
  
• specifically guarantees your right not to have to 'show your papers'
  
• gives only congress the power to declare war (Congress may not delegate that power to the President)
  

The real problem is that people don't give a crap about the constitution.

Re:

[wurp (51446)]

First, simply that one should have the right to carry on with your business without being stopped by the police. If you are doing nothing wrong, the police can stop you and if you happen not to have the correct papers on you, now you have committed a crime. It turns from a free society where one assumes their rights are secure, to one in which you must get permission from the state simply to exist.

Second, it allows a police officer to harass you. If you do something (or are something) that they simply do

Telcos More Important than Security

[Doc Ruby (173196)]

Bush and his Republicans say that the FISA renewal is the most important weapon we have to protect ourselves against attack. But Bush says he'll veto it if it lets people sue telcos for helping Bush wiretap us, and his Republicans also have tried to stop the bill from being amended, or even debating amendments. And now these Republicans are even trying to stop FISA from being extended while the Congress debates what the renewed version contains.

So Bush and his Republicans say that telco amnesty, retroactive immunity, is worth going without FISA at all. Even though they say it's our most important defense. So telco immunity, even though telcos would be immune under current law if they can show evidence that Bush assured them they were immune, is more important than our security.

If you're a Republican, it is.

Doesn't sound very convicing...

[MadMidnightBomber (894759)]

Why should I listen to such a bunch of no-names? I'm waiting to see what John Dvorak says.

Domestic traffic that leaves the country

[Sloppy (14984)]

On around page 28 of the PDF, it talks about domestic traffic (where both participants are inside the US) that may cross the border, due to network routing that goes through Canada, Skype relay nodes, etc. If you intercept all traffic that crosses the border, you may end up intercepting US-citizen-to-US-citizen communications.

But wouldn't Big Brother counter that the mere fact that the traffic crosses the border, makes it fall under their 'legitimate' border-protecting authority anyway, regardless of the apparent endpoints? So what if it's "virtually" domestic traffic -- physically it's not, and that alone possibly makes it fall under their authority. And we have a (regrettable) historic precedent that even US citizens lose some rights when they interact with the border (e.g. You can be searched for drugs w/out a warrant, whenever you enter the country).

Also, keep in mind that of you're communicating through a proxy, then that's an opportunity to set up a covert channel to a third party. For example: I talk to grandma through a foreign proxy. My conversion seems to be "Hello grandma, I got the cookies you sent me last week." A steganographic bit is seen by the proxy, and I just transmitted "0" (meaning: "sorry, I will not have collected the resources in time for next week's attack") to my mission control in Afghanistan. (Not that the NSA, even if it had legal authority to tap my call to grandma, would be able to detect whether I'm doing that or not...)

I'm strongly opposed to warrantless domestic eavesdropping, but I think the argument that sometimes domestic traffic leaves the country, is not a valid argument against spying on border-crossing traffic. A lot of other good points in the PDF, though.

Framing

[srobert (4099)]

Well, I'm not sure which proposal has been dubbed the "Protect America" act, but I'll bet that it has, in all likelihood, nothing to do with protecting America. Who names these things? Karl Rove? Why are Republicans so much better at the art of framing the debate than the Dems are? It's the "Clear Skies Initiative", the "Death Tax", the "Patriot Act" LOL. Dems need to start renaming these bills to reflect what effects they really have.

Not primarily a question about privacy

[jandersen (462034)]

Although privacy is important, this is not a question about privacy, but about accountability. The sad truth is that even if they have to ask a judge about it, they will still get all the warrants they want - remember, this is about National Security (TM). But when you get a warant from a judge, a record is made of the event, by an authority that is independent (at least in principle), unless I am much mistaken, which means that in principle it will be possible to review the events later and possibly prosecute things like abuse of power etc.

If there are no independent records, what is there to stop agents from spying on their neighbors? Only the personal integrity of the individual agent, and while most may be decent people, some aren't. And much worse than that, it will be a lot easier for powerful interest groups to infiltrate and abuse the system - do we want, say, Scientology to have agents in a position where they can tap our private communications? They aren't exactly know for their respect for their fellow humans, and there are many other groups exactly like them.

Oh I'm so bored of this.

[EddyPearson (901263)]

You Americans.

A few intelligent people will tell you in no uncertain terms that you MUST NOT LET THIS ACT PASS. They will explain that it'll smash your privicy into tiny peices, they'll say its up to YOU to speak to your representitive to get it thrown out. And you know what? You'll all do fuck all.

Then four months down the line thousands and thousands of you will be back here, whinging about "yet another affront to our privicy" through a act they "sneaked through".

You vote a Paranoid Texan Oil Baron into office, TWICE, so what the hell do you expect? The man's a joke the world over, so if I was you I'd try and stop him passing any laws (that will be very hard to revoke when you finally get a President with two braincells to rub together).

Yet all you seem to do is COMPLAIN. Fucking do something about it.

Oh yeah, and to the torrent of "Bush cheated his way in! Recounts were fixed" comments coming up, I say "What? Twice motherfucker? And if the country is REALLY that against him, why did it all come down to Florida."

Your president is terrible, the American public are worse.

Re:

[bn0p (656911)]

It is a stretch to say that the scenarios of abuse of power are "fantastic". The administration repeatedly stated publicly that no one's rights were in danger, that the surveillance they were undertaking required a warrant. This was the whole point of the FISA law, to allow the government to perform surveillance on those who might want to harm us while preventing any potential abuses of the ability to monitor communications.

Then the administration was caught doing an end-run around the FISA law by doin