Close the N.S.A.’s Back Doors (nytimes.com)
115 points by j_baker on Sept 22, 2013 | 27 comments



> Representative Rush Holt, Democrat of New Jersey, has introduced a bill that would, among other provisions, bar the government from requiring software makers to insert built-in ways to bypass encryption.

What a useless bill. The government doesn't officially require it now - it's just that they'll extrajudicially extort your cooperation if you don't give it freely of your own free will. Ask Joseph Nacchio, former CEO of the former Qwest - Qwest refused to allow telecommunications surveillance on the wholesale level permitted by AT&T and Verizon, so the government convicted him on charges of insider trading because he'd traded his own shares with knowledge of the secret contracts they themselves had granted him. (And took away as soon as he took a principled stand against overreach, too.) They didn't officially require cooperation then - but they made damn sure they got it.


It's not a useless bill at all. I don't know about that specific provision, but this is actually the most aggressive anti-NSA bill yet. Its main purpose is actually to repeal both the Patriot Act and the FISA Amendments Act in full, and it would also require standard warrants for any surveillance request. But it also includes other provisions about backdoors and whatnot. You can read it here:

http://holt.house.gov/index.php?option=com_content&task=view...


Oh! I hereby stand corrected. I should have said (and checked) that the provision as described is useless. I know there's reason for cynicism when it comes to Congress, but maybe I'm overdoing it. Thanks for the link!


> In the meantime, several Internet companies, including Google and Facebook, are building encryption systems that will be much more difficult for the N.S.A. to penetrate, forced to assure their customers that they are not a secret partner with the dark side of their own government.

Except, after all we've learned, nobody in their right mind will be able to trust those companies again.


Except, we never learned that they added backdoors, sidedoors, or firehose access for the NSA. The most probable and likely thing that happened is that the NSA simply tapped their inter-datacenter fiber just like the NSA tapped Soviet undersea fiber, and that the NSA scooped up any non-encrypted SMTP traffic. The NSA may even be able to tap internal networks without entering the building through TEMPEST-like techniques.

There has never once been presented a single shred of evidence that they knowingly cooperated with the NSA in any manner other than the normal court approved processes via warrant or NSL that they've already alluded to and are petitioning the government to give more transparent details of.

On top of that, Google has been adding security for years on the front end that the NSA won't like, for example, using SSL for everything, doing SSL on mail traffic whenever possible, using forward-secrecy with Chrome, adding Channel-ID support to Chrome. All indications are that they are trying their best to secure things as much as possible, but with a state actor with virtually limitless resources and a half century of experience of penetrating tough adversaries, it's not enough.

Rather than breaking out the pitchforks for these companies, people should be breaking out the pitchforks for the NSA. Technical solutions are not going to solve the problem when the government is against you.


> There has never once been presented a single shred of evidence that they knowingly cooperated with the NSA in any manner other than the normal court approved processes via warrant or NSL that they've already alluded to and are petitioning the government to give more transparent details of.

As we saw with the first Snowden leak, the Verizon Business court order, those "warrant[s] or NSL[s]" can be incredibly far reaching.


SSL doesn't help if the endpoints are compromised, is the point of Snowden's latest revelations. As is much crypto compromised if your adversary can predict your PRNG.


This is quite the conundrum -- isn't it? -- as it's not just "those companies" named in the Snowden documents. There was nothing particularly unique about them that permitted them to be corrupted and compromised other than their nodal market position. If the spirit of your argument causes a perceptible shift in market share to new players, then these too should be instantly distrusted. Even if fully open cryptographic implementations become the norm (which doesn't matter if they give up their keys), remote closed-source services will need clear text to provide service algorithmically. What then?


Knowing that backdoors exist to these products, are Chinese, Russian, and other Western intelligence organizations trying to brute-force calculate the location of these known backdoors?


If NSA opsec was such that an outlier like Snowden, ideologically motivated and willing to up sticks and lose a career and a nice untroubled life, could access and deliver detailed information on backdoors (we haven't seen any specifics, but indications seem to be that they are likely in the docs Snowden lifted) and cover his tracks, then it seems at least worth considering that "normal" spies, where the motivation is money, sometimes blackmail, who will stay in place or exit gracefully, have already delivered similar information to parties with the means to procure such, including the ones you list; so they might not need to brute-force anything.


The infamous Google/Gmail hack December before last was specifically targeted at an internal Google system designed to allow access by law enforcement.

At the time it was made to sound like it was used by conventional warrants, but it is pretty clear now it was probably mostly used for FISA requests.

The (allegedly Chinese-linked) attack successfully penetrated that, and used it to access email accounts used by Chinese dissidents.


Backdoors will always be there for everybody, eventually.


I don't think you can rule out the fact that they are not aware of such backdoors. If the NSA can pay people to write such backdoors from time to time, other countries would have similar resources devoted to deciphering the complexity of OpenSSL (just an example) to find exploits. I am also sure this backdoor business is not new to the intelligence community anyway!


Since humans banded together to form governments thousands of years ago, every government in existence has been able to investigate effectively on behalf of its citizens, mainly for crime prevention and national security. Unbreakable encryption changes all of that. In that respect, this bill could be considered a dangerous experiment. Not only are no prospective trials planned, but no thought at all has been given to the unknown risks involved in changing the ancient tools of government so radically.


Actually the truth is almost exactly the opposite.

Every government in history has not had the ability to monitor and record the majority of conversations people have; the cost would have been too great. The USA with the NSA is the first to approach that ability.


When has it ever been a legal requirement that backdoors be implemented in cryptographic systems?


There are legal requirements that exist that are laws like "If you break into a building, you go to jail". But there are also effective "legal requirements" like "if you don't install this back door, we're going to find a reason to make your life suck in every imaginable way". Or more subtly "we'll fail to forgive this crime that we know about".

For instance: http://www.theguardian.com/technology/2013/sep/11/yahoo-ceo-...

> Mayer said executives faced jail if they revealed government secrets [...] Mayer was asked why tech companies had not simply decided to tell the public more about what the US surveillance industry was up to. "Releasing classified information is treason and you are incarcerated," she said.

To quote that reddit thread about that article:

> She'd go to jail, but it wouldn't be for breaking the gag order. It'd be because she was suddenly prosecuted for one of the other 1,000 illegal things that any CEO does in a given quarter. Just ask the CEO of Qwest, who blabbed about the NSA surveilling his customers and then was thrown in prison on insider trading charges

So, what happened to the former CEO of Qwest: https://en.wikipedia.org/wiki/Qwest#Refusal_of_NSA_surveilla...

> Qwest was allegedly the lone holdout, despite threats from the NSA that their refusal to cooperate may jeopardize future government contracts [...] Former Qwest CEO Joseph Nacchio, convicted of insider trading in April 2007, alleged in appeal documents that the NSA requested that Qwest participate in its wiretapping program more than six months before September 11, 2001. Nacchio recalls the meeting as occurring on February 27, 2001. Nacchio further claims that the NSA cancelled a lucrative contract with Qwest as a result of Qwest's refusal to participate in the wiretapping program. Nacchio surrendered April 14, 2009 to a federal prison camp in Schuylkill, Pennsylvania to begin serving a six-year sentence for the insider trading conviction. The United States Supreme Court denied bail pending appeal the same day


> She'd go to jail, but it wouldn't be for breaking the gag order. It'd be because she was suddenly prosecuted for one of the other 1,000 illegal things that any CEO does in a given quarter. Just ask the CEO of Qwest

Joe Nacchio was a simple crook. Full stop. Please stop with this meme. His unethical and eventually illegal activity had a long track record. His entire business career and the entire strategy of his Qwest acquisition was, in hindsight, a giant fraud waiting to happen.

It is shitty public policy to have laws that are designed to be (unavoidably) broken. This puts everyone in the position of being a criminal, at the whim of 'selective enforcement'. This is a fair and valid point. The Qwest saga is a completely gratuitous data-point, in this regard.

Nacchio was convicted of insider trading in the shares of his own company. This means he withheld material information about the business from public SEC filings. That information was that the essentially flawed strategy he had been pursuing was ultimately failing.


    "Comprehensive Counter-Terrorism Act of 1991"
    "Sponsor: Sen Biden, Joseph R., Jr. [DE] (introduced  1/24/1991)"
    "Cosponsor: [...] Sen Reid, Harry [NV] - 1/30/1991"
"It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."

edit: link is not working, but search for the title, it will open up from something like this: http://thomas.loc.gov/cgi-bin/bdquery/z?d102:S266:


This bill died in committee quite a while ago, and the relevant section is available here:

http://thomas.loc.gov/cgi-bin/query/F?c102:1:./temp/~c102EXL...:

What is specifically objectionable to you? The quote you provided seems to be the only substantive reference to electronic communication and extremely toothless/redundant. (wouldn't telcos be assumed to be compelled to release "lawful" requests by default?)


It's not about questioning the law, it's about uncovering the internal works of the law. My previous readings pointed to this bill as one of the earliest regulations that was used by everything in plain text. A nice way to describe backdoors without saying them explicitly, especially if the product claims to be secure from snooping. But what message does it send that the law orders you to screw your customers?

This specific bill might have died (I'm sure the Patriot Act superseded it), but every NSA-related revelation (and the FBI ones ~3 years ago) points in a direction that something similar is still in effect.


oops, something deleted the part: [that was used by] US government to access [everything in plain text.]


I'm not sure how it overlaps with other laws, but at least there's this about CALEA:

> not only does the law speak about encryption, but it specifically protects the right of companies to build strong encryption for which only the customer has the decryption key into their products.

http://paranoia.dubfire.net/2010/09/calea-and-encryption.htm...

If that's true, then companies could actually use CALEA on their side to implement true end to end encryption, that they can't decrypt themselves, for their customers.


One imagines that this is the reason Lavabit shut its doors.


Unfortunately, the Holt bill engages in, as others put it, a silly bit of optimism.

I looked up to see what has happened thus far regarding Reagan's Executive Order 12333 [0], where anyone representing the USG is completely forbidden from engaging in assassination attempts. Does anyone honestly believe this prevents anything? I find it hard to believe it is adhered to. Was it amended post-9/11? It is hard to tell, as the follow-up executive orders on this topic never address assassination.

[0] http://en.wikipedia.org/wiki/Executive_Order_12333


Of course the American government engages in covert assassinations. That we tried to kill Castro several times, at least, is common knowledge. Every modern government probably has an office they call on to get their "laundry" cleaned, legally or no.

I don't think that has any relevance on whether or not this particular bill will pass, though.


Sigh. The point is legislating against covert acts is inherently ineffective. This was long after Castro, and I am asking some 15+ years later if people still even weigh this when considering things like UAV strikes. Technically, assassinations are not legal for USG employees. It is very clear.



