Schneier on Security
A blog covering security and security technology.
« "The Cult of Schneier" |
| Friday Squid Blogging: Squid Coloration »
September 4, 2009
Subpoenas as a Security Threat
Blog post from Ed Felten:
Usually when the threat model mentions subpoenas, the bigger threats in reality come from malicious intruders or insiders. The biggest risk in storing my documents on CloudCorp's servers is probably that somebody working at CloudCorp, or a contractor hired by them, will mess up or misbehave.
So why talk about subpoenas rather than intruders or insiders? Perhaps this kind of talk is more diplomatic than the alternative. If I'm talking about the risks of Gmail, I might prefer not to point out that my friends at Google could hire someone who is less than diligent, or less than honest. If I talk about subpoenas as the threat, nobody in the room is offended, and the security measures I recommend might still be useful against intruders and insiders. It's more polite to talk about data losses that are compelled by a mysterious, powerful Other -- in this case an Anonymous Lawyer.
Politeness aside, overemphasizing subpoena threats can be harmful in at least two ways. First, we can easily forget that enforcement of subpoenas is often, though not always, in society's interest. Our legal system works better when fact-finders have access to a broader range of truthful evidence. That's why we have subpoenas in the first place. Not all subpoenas are good -- and in some places with corrupt or evil legal systems, subpoenas deserve no legitimacy at all -- but we mustn't lose sight of society's desire to balance the very real cost imposed on the subpoena's target and affected third parties, against the usefulness of the resulting evidence in administering justice.
The second harm is to security. To the extent that we focus on the subpoena threat, rather than the larger threats of intruders and insiders, we risk finding "solutions" that fail to solve our biggest problems. We might get lucky and end up with a solution that happens to address the bigger threats too. We might even design a solution for the bigger threats, and simply use subpoenas as a rhetorical device in explaining our solution -- though it seems risky to mislead our audience about our motivations. If our solution flows from our threat model, as it should, then we need to be very careful to get our threat model right.
Posted on September 4, 2009 at 6:18 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
But can you secure against a broken legal system at all?
"Not all subpoenas are good -- and in some places with corrupt or evil legal systems, subpoenas deserve no legitimacy at all -- but we mustn't lose sight of society's desire to balance the very real cost imposed on the subpoena's target and affected third parties, against the usefulness of the resulting evidence in administering justice."
I am not convinced.
The USA seems to be one of those bad places. Witness SCO versus IBM with discovery costs incurred that must run in the millions. With not a shred of evidence to start with.
SCO vs IBM and Psystar vs Apple are only two out of many cases were discovery materials were channelled to third parties.
Great post, but a third harm is to expectations. When we say a system has a problem with subpoenas, most reasonable people will say "Subpoenas won't go away, so that system is no good." The result is that an obscure threat has much more influence than a correct threat model would predict. Even Bruce reminding folks that insiders are a bigger threat doesn't sway them. They think their employee-picking judgment is excellent, while "Evil Lawyer" is almost an oxymoron.
"Evil Lawyer" an oxymoron?
I'd say exactly the opposite - the word "evil" is redundant.
@Nostromo -- that's a trifle over the top. Lawyers are essentially hired guns. You should direct your ire at those who hired them.
Lawyers are good at spreading terror to those their adversaries represent... especially if they represent a plaintiff. Seldom are defending lawyers as frightening.
@Nostromo: All the experiences I've had with lawyers on my side has been positive. I believe most lawyers are generally good people. However, the amount of trouble one bad one can inflict on you is frightening. My second cousin Jane can probably tell you about being sued for everything she had and more, and winning. She'd done nothing wrong in the first place, and really, really doesn't want to go through that experience again.
@RSaunders: Just thinking of all the Golden Age British mystery novels, with a prominent character being confident that he's a good judge of men.
I think a significant problem is, that if your data is held by a third party and they are subpoenaed to produce data, they may roll over when you would have preferred to try tio quash the subpoena.
NSLs have a very similar problem.
One of the major reasons I hesitate to use an Electronic Medical Record, especially as promoted by the government, is the potential for "rolling over" as described by Any Name above. I might resist any demand for information if I think it inappropriate, while the service provider would find it easier to comply with what appears to be a legal demand, without allowing me opportunity to block it. I would only use remote storage if the data were encrypted and could not be decrypted by the physical possessor of the storage device.
"Lawyers are essentially hired guns. You should direct your ire at those who hired them."
Hmmm ... so 'hit man' is a perfectly respectable profession; only their employers are bad?
Seriously, I realise that my original comment was a bit over the top. Not all lawyers are evil. But far too many of them have the 'hired gun' mentality. They will do whatever brings them the most money, regardless of whether they destroy lives in the process; and that is evil.
Somewhat off topic, but one comment I've always made regarding the security of Google-scale https implementations... How secure do you really think the private key Google uses for SSL connections is? It must be on thousands if not millions of computers around the globe, in more jurisdictions than you can count. If even one copy was ever compromised anywhere in the world (and it almost assuredly has been) then every SSL connection to google can be MITM'd.
I will trust their HTTPS significantly more when accessing https://gmail.com bounces me (randomly) to something like https://serv12.rack4.cluster3,site31.datacenter.google.com/gmail, and the certificate is valid only for that server.
"Lawyers are essentially hired guns. You should direct your ire at those who hired them."
And those who hire them are usually acting as "hired guns" themselves -- they're managers or bureaucrats acting as agents of their organization.
So no one is responsible -- everyone is an agent whose ethics are determined by acting in the "best interests" of an abstract idea, with no human at the bottom of it all.
So I have to direct my ire at everyone, since we all create "the system"?? That's not terribly productive.
I think the real threat of third party subpoenas(subpoenae?) is that your information is released WITHOUT YOU KNOWING about it, and without any recourse. We're pretty used to this situation with regard to phone companies, but their information is pretty limited. The problem shows up when the third party has access to the information but doesn't OWN the information.
If subpoenas are a threat, they ought to be included in the threat model.
This is a little dated, (talks about card-indexes) but is the best essay I have seen on the subject.
What to do before and after a subpoena for data arrives
a chapter by Knerr CR in
Seiber JE (ed.) The Ethics of Social Research Surveys and Experiments Springer Verlag 1982 pp 191-208
The whole book is thought-provoking.
Apologies for the formatting. My inverted commas and so on come out funny.
For the record Bruce, I've always been irritated that I very never see anyone criticize Certificate Authorities for their vulnerability to the exact same thing. More specifically--they're "vulnerable" to a court order and subsequent gag order--to hand over their signing key. And for a company like Verisign, that operates under US/California jurisdiction--I see no choice but to presume they are compromised.
To be clear--when I state that I consider this a threat--I do not consider the fact that the government may pursue justice for social interest a problem. I consider the fact that SOMEONE may use judicial process to put my data into another's hands--and the justice system will cease to protect it according to the standards with which I have defended it. If someone in the government has Verisign's key--that's one more person that has to keep a secret.
My information may be locked away from competitors by cipher in a vault--but if it just takes a lawyer and a judge's signature to get it in the public records--I have a problem. Even if it's sealed by the court--there's very little assurance that it will be defended by the court by the same standards I have protected it.
There may be very few cases where this is a threat--but in the ones where you deal with an adversary that might gain access to a courthouse (and is it really that unlikely an adversary with all the electronic data systems these days)--it is a genuine attack on any process I may implement--and a fairly appealing one, as it virtually guarantees I will decode the data.
"I would only use remote storage if the data were encrypted and could not be decrypted by the physical possessor of the storage device."
Just one thing I would add to that,
The Internet enables trade and information to cross international borders with little or no problem.
Subpoenas on the other hand usually do not cross borders (although in Europe we have recently mucked that up, and in the UK RIPA has some wonderful hidden meanings).
Thus if you split your data or your data and you across one or more international borders, it effectivly nullifies the subpoena on a third party threat.
However a judge can order you to give over the data or be found in contempt. But with a little thought you can get around that issue as well.
"I very never see anyone criticize Certificate Authorities for their vulnerability to the exact same thing."
It is a fundemental "Elephant in the room" problem of all heirachical systems (on which most societies base themselves). So much so that we almost implicitly assume it is a given or "axiom of life", in that we have truisms such as,
'Absolute power corrupts absolutely'
'Who watches the watchers'
'The King game'
'Take it on trust'
And many others either directly or indirectly highlighting the issue from different aspects.
But we rarely come up with workable alternatives to hierachical systems that become accepted (I'm not sure I can actualy think of one).
The simple fact is that in human terms "trust can be broken" at any time, in many ways, for many reasons and there is little or nothing that can be done about it.
The current solution is to design heirachical systems such that you limit any undesirable issues should such an event occure. However you apear to always end up with a choice between "blind faith" or "workability".
The PGP "Key signing parties" always used to amuse me where pepole would put trust in a passport or other officialy issued document. Basicaly it moves the problem it does not solve it.
Even a previous head of one of the UK's "MI's" Steller Rimmington passed comment on the futility of National ID scheams for exactly this reason.
Quite simply "You cannot prove that you are who you say you are" and no piece of paper can solve that issue.
And as Bruce noted about cryptographers just the other day (on a previous blog page about OTP & SIGBA),
"Actually, we would like it very much... ... Then we can work on the actually hard problems, key distribution among them."
Which this problem is a major part of.
Oh and also look up the work of Adam Young and Moti Yung with regards PK in their book "Malicious Cryptography".
However I suspect if the problem is ever solved, it will be immediatly banned with draconian penalties. Deception is just to powerfull a tool for those in power to willingly give up...
"I've always been irritated that I very never see anyone criticize Certificate Authorities for their vulnerability to the exact same thing."
While the topic is indeed seldomly brushed, there are indeed solitary papers out there that address exactly this topic. You might want to take a look at the car-2-car-communications community.
The main problem of PKI-structures is, that the very concept is based on trust in authorities. If you start every work with a statement that assumes the trustworthyness of something then the question never arises. Interestingly this assumption is widely accepted by a community otherwise trained to question authority.
Not following the logic. Why would I care if a CA's signing key was compromised by the govt? The govt will then falsely sign new user certificates with that key while claiming they are (as an example) VeriSign?
I am reminded of a slashdot article from a while back in which it was asked whether the use of cloud computing or similar off-site data storage had legal implications for law firms. One of the commentators was quite convinced that by handing the information to a third party in the way, the attorney gives up attorney client privilege.
IANAL nor do I play one on TV. But it seems to me that the legal implications of handing your data to a third party may not yet be well defined, and if they are they may not be trivial. In any case a desire to be made aware of, and to have a chance to respond to, certain subpoenas is not something that we should be overly suspicious of.
Bruce, didn't you recently have a discussion on now to protect information (on, say, a laptop) from legal scrutiny when entering a?
"One of the commentators was quite convinced that by handing the information to a third party in the way, the attorney gives up attorney client privilege."
Probably no more than they are putting documents into storage with another company.
It revolves around them being duely diligent and that LEOs are required upon finding such and becoming aware it is privalaged information to quarantien it from investigators.
Usually paper client files are fairly obviously marked as such when put into storage and an LEO would have little excuse in touching them further. I wish I could say the same for electronic storage, from some things I've seen some LEA are trying to argue that on a hard drive etc is on public display...
If they succeed then any legal person who did not use suitable encryption etc would be open to the equivalent charge of being guilty of leaving the paper files on a park bench etc. Which is why I'm hoping those sitting in judgment wake up to this and the LEAs fail in their attempts.
yes,i like them very much !
yes, we love them very much!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.