U.S. Gov't Grapples With Clash Between Privacy, Security 134
schwit1 writes:
WaPo: "For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee U.S. government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?"
NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:
"The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready."
NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:
"The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready."
What's the acceptable limit? (Score:2, Funny)
So what's the acceptable limit?
Should they be allowed to watch you urinate?
Should they be allowed to watch you defecate?
Is it okay if they do this with a device that has an "Internet of Things" sticker on it?
Re: (Score:2)
Re:What's the acceptable limit? (Score:5, Insightful)
I wouldn't doubt thaht the NSA has broken iPhone's encryption.
This proposal by NSA mirrors the Clipper Chip/Skipjack + Key Escrow system proposed back in the early 90s. People didn't trust the government with their keys THEN... why the hell should they do so NOW, given that government intrusion into our lives has only increased in the interim?
Unlike the 90s, by now they have proved they can't be trusted.
Re: (Score:1)
Should they be allowed to watch you urinate?
Should they be allowed to watch you defecate?
Sure! If can watch them fornicate...
Re: (Score:1)
*sigh* some day I will see the things that are missing, oh wait, I do see things that are missing, until it's too late of course. I should be a procurement officer for the Pentagon.
Re: (Score:2)
They should be required to! That might make them learn.
Think Clockwork Orange like...
Re: (Score:2)
The only thing "clashing" here is the high tech political donations vs the military and surveillance dollars.
Its funny how the only "clashes" follow this same pattern...ok not funny at all.
Re: (Score:1)
The government? Hell no.
But if Twiglebook and their selected partners wish to serve up targeted ads to enhance my waste elimination experience then sign me up!
Re: (Score:1)
This Admiral is a treasonous POS. He took an oath to defend the constitution and here he is undermining it.
Re: (Score:2)
With a gradation in punishment. Probably exponential. The current head of the NSA should be slowly boiled in tar. It's difficult to imagine something appropriate for his boss.
Break the key apart? (Score:1)
, but divide the key into pieces so that no one person or agency alone could decide to use it.
Exactly how do they intend to split a key; by piling layers of encryption atop each other or by splitting the RSA public key modulo's factors into multiple authorities?
Given the option of piling layers of encryption on top of each other, it would seem that private keys would need to be divulged to create this encrypted comm. system
Re: (Score:3)
There's no such thing as a secret law in the USA... it's either in Lexis or it never existed.
Re: (Score:2)
But there are secret interpretations of the law, where the gov't basically does lawyer-shopping, going from one lawyer to the next [whom they hire], to write a legal opinion about something, and they just keep going through lawyers until they get the 'opinion' they want, and then use it as a legal justification for doing something.
You would think they would at least have to run it by a judge, but no. It only gets looked at by a judge:
-if someone finds out about it [hard to do when it is classified as top s
Re: (Score:1)
Re: (Score:3)
We all know how it is _supposed_ to work. We also know how it _actually_ works.
For example: GWB used secret legal memos to get around the due process clause when locking people up in Gitmo. Obama used secret legal memos to get around the due process clause when executing people. And the courts were less than useless in doing anything about it, bowing out over litigant's standing.
So ultimately, the law is basically whatever the President says it is. Yep -- that's authoritarian and fails to fit our mythi
Re: (Score:1)
That's not the kind of thing I'm talking about. More like the "we can kill an American anywhere on Earth except within the US, if we think he is a bad person". Or "the president or someone he delegates to, can decide you are a bad person, and can have you secretly detained and removed from US soil, without any judicial oversight or notification to anyone, and then keep you secretly detained for as long as they want".
But he also pinky-swears not to abuse this power.
Re: (Score:1)
Re: (Score:1)
The battlefield for the war on terror is "everywhere". And it's just a couple of guys in a room, none of whom are particularly impartial.
And this is a nice summary:
http://americablog.com/2014/05/post-constitutional-era-scotus-allows-capture-rendition-u-s-citizens-ndaa.html [americablog.com]
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Succinct. Eloquent. Perfect.
Re: (Score:1)
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
By claiming to be an attorney, (as in you are giving legal advice, thus laying claim to the attorney side of the attorney-client phrase), you _are_ claiming to be a lawyer:
http://www.lawyeredu.org/attorney-vs-lawyer.html
Thus, YOU are the evil one :)
Re: (Score:1)
Re: (Score:1)
Except that is a blank check. They can declare ANYONE to be a member of that set of people, without any oversight by anyone. And they can also have you killed on sight for being a member of that group. And there isn't anything anyone can do about it, either before or after you are killed.
It amounts to "that guy standing over there is bad. kill him now."
Re: (Score:1)
Re: (Score:1)
So, to avoid being killed as part of the war on terror, we have to leave the planet, because the US population has lost control of it's government...
Re: (Score:1)
Re: (Score:1)
It's only acceptable to you because you don't happen to live where they are killing a bunch of their 'targets'. There, if you happen to have gone to the wrong funeral, or the child of the wrong person, or just sitting in the wrong cafe, or walking on your own property with a rifle, oops, you get to be posthumously declared a terrorist. Hope you weren't with your wife and children.
Re: (Score:1)
Re: (Score:2)
At one time, there were no secret courts in the USA. And we see what happened to that.
Just something to think about.
Re:Break the key apart? (Score:5, Insightful)
There's not supposed to be, but there are. Every time a secret court like FISA makes a secret decision, new secret law is created on the fly. Secret precedent.
And by the way, there's also supposed to be no such thing as anonymous local police in the USA, but they take off their ID and pull balaclavas over their faces at the sight of three black people walking down the street with a protest sign.
There are a lot of things in the USA that are not supposed to exist. Secret laws, secret courts, secret trade agreements. Secret police. Secret police blacksites. Secret "crowd control" weapons for the secret police to use domestically. Torture. Rendition. Off-shore prisons. Extrajudicial assassination.
And secret donors, of course. That's what it's all for. There was a secret coup in the US decades ago, and we were collateral damage.
Re: (Score:2)
Secret interrogation centers:
http://www.theguardian.com/us-... [theguardian.com]
Re: (Score:2)
FISA creates a "sealed record"... they'll have to reveal it eventually if they want to use it in other courts.
Re: (Score:2)
Never underestimate the perfidy inherent in a system that's designed around profits. Never underestimate the greed of those who already have wealth beyond the dreams of avarice.
There is a reason someone who has 100 million strives to get a billion. It's a pathology that tells them they should have a billion because they're "worth it". And when you're "worth i
Re: (Score:1)
Unfortunately, the doctrine of parallel construction, which has been upheld in Federal court, means that there is. There have been several high-profile cases in Federal court settled based on secret case law, in which the judge's ruling itself was partially sealed. That's basically the definition of secret law. Case in point:
https://firstlook.org/theintercept/2015/03/26/new-low-obama-doj-federal-courts-abusing-state-secrets-privilege/
Unfortunately, Congress itself often does not have access to informatio
Re: (Score:2)
Parallel construction also gets around 4th amendment restrictions on searches and seizures. The remedy for an unlawful search or seizure is exclusion of evidence but that does not apply when parallel construction is used.
Re: (Score:2)
Regulations don't always appear in Lexis. They aren't laws, but they are laws.
Re: (Score:2)
Regulations aren't law... they're Executive branch policies, under authority granted by a previous law. Mostly they set numbers on things that the law left to a range... and courts don't hold up most others.
Re: (Score:2)
, but divide the key into pieces so that no one person or agency alone could decide to use it.
Exactly how do they intend to split a key; by piling layers of encryption atop each other or by splitting the RSA public key modulo's factors into multiple authorities?
Given the option of piling layers of encryption on top of each other, it would seem that private keys would need to be divulged to create this encrypted comm. system
The modulo is a semiprime number, so it has only 2 factors. I think he wants a Threshold cryptosystem, where m out of n parties need to use their keys for it to work.
Re: (Score:1)
splitting the RSA public key modulo's factors
The user generates 64 bits of the first key, the US Govt. generates the next 64 bits, the Canadian govt. generates the next 64 bits, et cetera. Apply same process for both keys, then use a one-way conversion process to create a new key from the old one such that only govt.s whose random numbers went into the making can reverse the new key in a finite amount of time. Of course, this would get hurt by FREAK-like vulnerabilities.
Re: (Score:2)
Yep, they don't understand "digital tear point"...
It's a way of sending a block to a lower-level person that gives them the headline and some of the story, enough to convince them to hand it to the high-level authorities that get the rest of the story by decrypting a second block that's only for them.
Breaking a key apart just means they have to get together and they they have everybody's secrets... that's not how it's supposed to be done.
Re: (Score:2)
Yes. I give it fifteen minutes, only because somebody will be making coffee before sharing the key in the first morning.
Re: (Score:2)
I believe I've seen Bitcoin Multi-Signature wallets use Shamir's algorithm:
https://en.wikipedia.org/wiki/... [wikipedia.org]
A Bitcoin 'wallet' is the private key which allows you to spend your the Bitcoin you own.
A Multi-Signature wallet is a wallet for which you need 2 out of 3 keys to spend the Bitcoin.
How something like that could be used in a secure system in this case I'm not so sure about.
Re: (Score:2)
You could use Shamir's Algorithm, but the recommended way to create a multi-signature Bitcoin address is to use a transaction script which separately checks each of the desired keys. That way each key holder can sign the transaction independently of the others, and—more importantly—there is no need to get all the key fragments together in one place to reconstruct a master key.
That last point, incidently, happens to be one of the problems with this proposal; once the master key has been reconstru
Re: (Score:2)
They don't. This is just for public consumption. They have no intention of slowing themselves down with any privacy safeguards.
They just think everybody's stupid. And, they would be right, except post-Snowden the number of people paying attention has gone up.
Re: (Score:2)
There's so much pissing in each others pockets and "retiring to private enterprise" but getting millions of dollars in government work that there's no clear line between agencies and between government and private companies (eg. those Booz losers Snowden worked for). If the Chinese, Iranians, Russians etc don't have top level
Parts of a key? (Score:2)
Wait till the key is needed.
Write the key down.
Use it whenever we want from then on, but make sure we tell everyone we're not.
The Math (Score:5, Informative)
An example of how to do cryptographically secure secret sharing:
Shamir's secret sharing [wikipedia.org].
There are other secret sharing schemes there, follow the link to the main article.
Re: (Score:2)
The problem here is that when the SSL snoops get credit card data, they become the cracker that's supposed to be arrested. These warrentless wiretap losers don't last long, yet they always seem to be making more of them.
No legislation is needed (Score:1)
They will just do it anyway. It doesn't matter. Most people prefer to feel secure, they don't care how it's done.
Collecting more noise does not help signal/noise! (Score:1)
I think most people fear a SWAT team coming in and shooting them in their own homes, than jihadist terrorists.
NSA has not measurably made anyone more secure since they started this big brother program. You assume it works, but collecting more noise does not make the signal stronger.
This idea of 'secure' you have, indicates a nice trust of the perfect nature of your leaders (i.e. the NSA), but those of us in foreign countries know where that leads to.
Really, swap NSA for KGB and you've got the situation you'
Why shouldn't we trust them? They sound legit! (Score:2, Insightful)
NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:
Sure. I totally believe that you're going to do that. I mean, it's not like you scum have a history of blatantly lying to the American people and doing the complete opposite of what you say you will, right?
How about no. Just fuck off and stop invading my privacy. You have absolutely no right there, whether you split that responsibility with other criminal--I mean, government-- organizations or not (not that I believe you'd even do that much).
Re: (Score:2)
[Quote]NSA director Adm. Michael S. Rogers wants to require technology companies to create... But progress is nonexistent:[/Quote]
Nobody's helping him, so he's complaining to the media... nothing to see here, move along.
Re: (Score:2)
Actually, at least according to the Supreme Court, they do get to throw out the rules. It's called the Third Party Doctrine.
http://www.abajournal.com/maga... [abajournal.com]
Re: (Score:2)
To put it another way: There is no clash between privacy and security. Privacy is security.
The word "security", or any variant thereof, appears exactly once in the US Constitution: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated [...]"
Not a key, it's a password... (Score:2)
The problem here is that uncrackable-without-the-secret crypto poses a problem for the "give us everything!" police investigators... these are the guys who want warrentless wiretaps and other gifts from the tech industry.
There's no master key that can solve all crypto... what they really want is a password that causes the device to give up its locks.
Perspective (Score:4, Insightful)
One should also remember that government employees with privileged access are people, and people can misuse [cnn.com]the access they have.
We should recognize that the Fourth Amendment of the US Constitution was created to prevent this exact scenario. Law abiding people encrypt sensitive information to protect it from misuse by criminals, but the information can be misused by ANYONE with access.
Dividing a backdoor key between multiple parties simply creates a requirement that all parties agree to access the information before it can be accessed. It doesn't guarantee that the access will be lawful.
Re: (Score:3, Insightful)
You can't install a back door to anything without weakening the security for the less than lawful crowd, when taken into context it would appear that the entire surveillance thing is not only unconstitutional, unconstitutional is also unlawful beyond not being that smart. It also concludes that not only the NSA and the elite are above the law, but every other law enforcement agency is going make a play for it because the NSA got away with it. Now take all that and add the element of organized crime that w
Keeping Secrets (Score:5, Insightful)
So... what makes the NSA think that anyone could actually keep these ultimate "keys to the kingdom" secret? I mean, just about everything else of theirs that was secret has leaked out thanks to a single contractor. Can you imagine how valuable these keys are, and how much money could be made by selling them? Hell, the US couldn't even keep our nuclear weapon plans under wraps.
And what's awesome about this scheme is that once the secret is out, every single smartphone in the US is compromised all at once. Whee!
Re:Keeping Secrets (Score:5, Insightful)
It goes further... their scheme requires that the people holding the parts of the key work together regularly whenever access is needed. This is likely to be thousands of times every year. There's no way to keep a secret that needs to be accessed so often by so many. Enigma was broken due to poor operational security, not poor technology. Venona [wikipedia.org] broke one-time pads due to poor OpSec. An encryption scheme used by all authorities wanting decrypts of cell phones would involve tens of thousands of people and would be impossible to carry out without making egregious operational errors. Add to that the fact that none of those who hold the keys have much to lose when they screw up. War time operatives know their way of life depends on them not screwing up. The local FBI office only cares about decrypting the phone, if they screw up, it doesn't hurt them, but it hurts me.
Re: (Score:3)
So... what makes the NSA think that anyone could actually keep these ultimate "keys to the kingdom" secret?
Hubris, most likely. If Bruce Schneier is correct there appear to be a number of NSA and CIA leakers still active. Not to mention the foreign spies within the NSA and CIA that we don't hear about because they are doing their job correctly.
7 people who hold the keys to the internet (Score:2)
Re: (Score:2)
Dear NSA (Score:5, Insightful)
No matter how many US agencies you distribute the key over, one thing is absolute certain: If you require US companies to make any and all contents on mobile devices available to US government (and, considering who owns it, US corporations), absolutely NO non-US company could sensibly buy anything anymore from a US tech company.
Hell, the chance to not be spied on would be bigger if you bought Chinese crap!
Quite seriously, why should anyone trust a country that has a worse record when it comes to industrial spying than China?
Re: (Score:2)
From your link:
"I don't know if there are backdoors - but it doesn't matter since there are so many vulnerabilities."
It was on the news that the NSA was hacking on Huawei. Maybe China was using the vulnerabilities and spying, but the US definitely was doing that. Now they want to put actual backdoors on American devices.
Since then they said they would start using more open source and open their systems for being audited by third parties. The Chinese government didn't complain about increasing the sec
Re: (Score:2)
http://www.reuters.com/article... [reuters.com]
http://www.bbc.com/news/259075... [bbc.com]
http://www.cnet.com/news/snowd... [cnet.com]
If you can't be assed to google for 5 minutes, I cannot be assed to provide proper links.
This is not a new problem (Score:1)
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
----Benjamin Franklin, Historical Review of Pennsylvania, 1759
How far would this law go? (Score:3)
Re: (Score:3)
As I know there is a thing named Arduino. Also, there is a thing named Arduino GSM shield. Basically it means that it's possible to make a primitive communication device with almost totally user-controlled code. (Almost - because the GSM shield has a firmware in it, but it's interface can be controlled). You can use it to make an encrypted communication between parties but unfortunately it doesn't save you from collecting metadata; it still needs a solution (Such as "Diverter" in good old days of blueboxing
Re: (Score:2)
No Problem... (Score:4, Interesting)
They can have a back door to my phone - as soon as they give me the key to all THEIR systems (up to and including the President and IRS etc) so that when WE have the right to data, they can't say "we lost it". What? Its only fair - they watch me, I watch them
Re: (Score:3)
And you war-obsessed, money-blinded, overly-religious conservatives are saying what, exactly, about the current president? That he's some kind of angel of sunlight? No. You guys are currently calling him the worst president ever, claiming he's gonna make himself dictator (despite the 22nd Amendment to the US Constitution), comparing his administration to ... well let's not Godwin this. Notice I did NOT single out any current or past US political party.
Here's a newsflash: since before this country was f
There's only a clash in the minds of Republicans.. (Score:1)
For normal people, we recognize the right to privacy so there is no clash. The title is misleading. The Republicans don't recognize the average person as human thus they believe we have no rights. They strongly believe in the Constitution, but don't think it applies to the average person.
Naw (Score:5, Insightful)
Two Keys? (Score:4, Interesting)
Dr. Petrov: [Ramius has taken the Political officers Missile key and kept it] Sir! The reason for having two keys is so that no one man may...
Captain Ramius: May what, Doctor?
Dr. Petrov: Arm the missiles Captain.
Captain Ramius: Mmm, thank you for your concern Doctor
Re: (Score:1)
Anchoring (Score:1)
Later you'll be presented with, "Should the government get extra-legal access to some things?" and because of this framing you'll be more likely
Re: (Score:1)
Bullshit! (Score:2)
In what manner was the US government concerned with privacy?
After 9-11, we were supposed to just stop being Americans and give up the whole idea of what our founding fathers wanted.
Be a coward, and given them all the power they want, and see where that will get you.
Divide the key (Score:2)
Dividing the key makes sure a single individual cannot have access. But since all individual workers obey to their employer, it does not prevent any NSA access.
This is just a measure against rogue NSA employee access, not against NSA access.
The FBI isn't the only law enforcement agency (Score:5, Insightful)
There's no good way to compromise a system... (Score:2)
Sorry, but if you create a system with a security compromising flaw in it, even a well hidden, obfuscated, extremely well guarded flaw, someone aside from the "intended" users of said compromise are going to use it to break in.
The government's "need to know" does NOT trump my right to privacy. And if there's a real problem with that, they'd better be overtly bringing soldiers in to try to make me comply.
I call BS (Score:2)
whatever govs can do, crooks will do better (Score:4, Interesting)