Schneier on Security
A blog covering security and security technology.
« NSA Publications |
| Master's Theses in Homeland Security »
September 30, 2010
Wiretapping the Internet
On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren't as easy to monitor as traditional telephones.
The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and to provide law enforcement with back doors that enable them to bypass any security measures.
The proposal may seem extreme, but -- unfortunately -- it's not unique. Just a few months ago, the governments of the United Arab Emirates, Saudi Arabia and India threatened to ban BlackBerry devices unless the company made eavesdropping easier. China has already built a massive internet surveillance system to better control its citizens.
Formerly reserved for totalitarian countries, this wholesale surveillance of citizens has moved into the democratic world as well. Governments like Sweden, Canada and the United Kingdom are debating or passing laws giving their police new powers of internet surveillance, in many cases requiring communications system providers to redesign products and services they sell. More are passing data retention laws, forcing companies to retain customer data in case they might need to be investigated later.
Obama isn't the first U.S. president to seek expanded digital eavesdropping. The 1994 CALEA law required phone companies to build ways to better facilitate FBI eavesdropping into their digital phone switches. Since 2001, the National Security Agency has built substantial eavesdropping systems within the United States.
These laws are dangerous, both for citizens of countries like China and citizens of Western democracies. Forcing companies to redesign their communications products and services to facilitate government eavesdropping reduces privacy and liberty; that's obvious. But the laws also make us less safe. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.
Any surveillance system invites both criminal appropriation and government abuse. Function creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different.
Official misuses are bad enough, but the unofficial uses are far more worrisome. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and the people you don't. Any surveillance and control system must itself be secured, and we're not very good at that. Why does anyone think that only authorized law enforcement will mine collected internet data or eavesdrop on Skype and IM conversations?
These risks are not theoretical. After 9/11, the National Security Agency built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the United States. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn't always match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and famous people like former President Bill Clinton.
The most serious known misuse of a telecommunications surveillance infrastructure took place in Greece. Between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government -- the prime minister and the ministers of defense, foreign affairs and justice -- and other prominent people. Ericsson built this wiretapping capability into Vodafone's products, but enabled it only for governments that requested it. Greece wasn't one of those governments, but some still unknown party -- a rival political group? organized crime? -- figured out how to surreptitiously turn the feature on.
Surveillance infrastructure is easy to export. Once surveillance capabilities are built into Skype or Gmail or your BlackBerry, it's easy for more totalitarian countries to demand the same access; after all, the technical work has already been done.
Western companies such as Siemens, Nokia and Secure Computing built Iran's surveillance infrastructure, and U.S. companies like L-1 Identity Solutions helped build China's electronic police state. The next generation of worldwide citizen control will be paid for by countries like the United States.
We should be embarrassed to export eavesdropping capabilities. Secure, surveillance-free systems protect the lives of people in totalitarian countries around the world. They allow people to exchange ideas even when the government wants to limit free exchange. They power citizen journalism, political movements and social change. For example, Twitter's anonymity saved the lives of Iranian dissidents -- anonymity that many governments want to eliminate.
Yes, communications technologies are used by both the good guys and the bad guys. But the good guys far outnumber the bad guys, and it's far more valuable to make sure they're secure than it is to cripple them on the off chance it might help catch a bad guy. It's like the FBI demanding that no automobiles drive above 50 mph, so they can more easily pursue getaway cars. It might or might not work -- but, regardless, the cost to society of the resulting slowdown would be enormous.
It's bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.
This essay previously appeared on CNN.com, and was a rewrite of a 2009 op ed on MPR News Q -- which itself was based in part on a 2007 Washington Post op ed by Susan Landau.
Three more articles.
Posted on September 30, 2010 at 6:02 AM
• 95 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Same argument. Different millenium.
I don't know what threat analysis they showed him during his onboard briefings but it sure seems to have scared the President into a 180 from his campaign rhetoric.
Basically they're asking you to remove the curtains from your home windows, so they can look inside. Add a locking mechanism to your kitchen door which can be opened by a universal key, just in case.
Sound-proofing is forbidden, coz directional mics wouldn't work.
These are merely real-world analogs but it's a frightening thought.
What scares me even more is that they've been getting away with it.
Anyone who wants privacy must be guilty of something, right? When are the police agencies going to allow us open access to all of their communications, so we can be sure they are doing their jobs without abusing them?
I just dont get it. 100 years ago no government knew where any of its citizens where at any moment of the day, period. Now they know so much more about all of us, and suddenly because of new technology they need to know even more because they just cant manage?
I don't get it. That won't help against criminals *at all*, because they will just use some open source VoIP-Solution that doesn't have any backdoors.
Bruce thanks for this article. Lucky for you, you don't know how right you are about the unintended consequences of the eavesdropping game. Its not just the issue of a police state, that is bad enough, when its farmed out to contractors like ATT Security and others you have problems. Its citizens watching citizens. So the person on your phone tap/house tap/realtime audio on your vehicle (like the one the cops use on dope dealers and terror suspects)
is not a cop, not an NSA employee. Imagine you are listed as a terrorist. Your phone is tapped. You call the cops because you see a drug deal next door.
Imagine that your dope dealing neighbors are your observers and have relatives on the phone tap/house tap.
So you have people observing who know you reported them to the police. The police are so new at this sort of thing they don't know to turn off the phone/house tap for calls. There's no off switch. Imagine a FEMA cellphone network;GETS/WPS system where people can hand around phone codes that aren't monitored. So you have people who are participating in illegal drug activity and are using the cellphone network to run dope and to watch out for the cops.
These networks of citizens can't be policed. Its actually potentially far worse than a police state because these folks have quasi police powers, no accountability, no transparency. As you all have mentioned the obvious, no one watches the watchers.
It is a mistake to assume at any point that observations are policed. They are laying cops off, not hiring.
Eavesdropping has devastating implications for all of us. You can not imagine what it is like to hear over and over (from people who shouldn't even know you) personal information about you, your family, your private life. It is awful. Your life and your reputation is pretty much destroyed and people are careless with the eavesdropping information. There is no expectation of professionalism or even protecting a person from observer misconduct with the eavesdropping game.
From the wired article:
"In the New York Times story that unveiled the drive [for encryption backdoors], the FBI cited a case where a mobster was using encrypted communication, and the FBI had to sneak into his office to plant a bug."
So they can't even argue they _need_ any backdoors, since they have sufficient other means to accomplish their goal. Basically they're just lazy and want to make their life easier at the cost of the rest of us.
And, so, logically, everyone will begin encrypting their messages on an individual basis, using pgp, rather than trusting the encryption to service providers.
But that's the issue, isn't it. Not everyone will encrypt their messages, or feel the need to. And those people that don't are likely to be the majority. It would be fairly easy to sow mistrust of people that do, using the age-old canard that "people with nothing to hide have no need to keep secrets."
It's won't be until you start getting some fairly blatant misuse of the system that "Joe six-pack" (remember him) will get on board with the idea that general encryption is a good idea.
The same backdoors can be used against our government by the very enemies the government wants to spy on. The hack for this will command a high initial price: a week later it will be available for $5 on eBay, and criminals of every stripe will buy, or steal, their own copy.
This campaign will drive more use of existing forms of steganography, and drive the development of new ones. You'll be fine having the government (or enemies or criminals) eavesdropping on your overt channels as long as your covert channels remain unseen. Inevitably, the very information the spooks want the most will appear to vanish, and all this scheming will have been for nothing, causing much more trouble than it was worth.
"Those who give up essential liberty for temporary security, deserve neither liberty, nor security" (Benjamin Franklin) Time and time again, we see how right Franklin was. The sad part in this case is that it's not even "temporary" we are talking about - word "illusory" is more applicable.
I wonder if this comes from pure ignorance in the topic of security in the top echelons of NSA and the like? Surely, there have to be experts with enough understanding of security and long-term effects of decisions made to see the problem with their solution.
Or, perhaps, the reason is economic - it's more beneficial (less costly in the short run) to the agencies to demand backdoors via law, since they don't have to invest into research and changing their methods of dealing with new technologies used by the enemy.
Can the reason be political? This type of law signifies the current administration's "work" on security/war-on-terror, and it's supposed to make us feel better?
On a personal note, I recently became a US citizen, and it makes me sick to see one of the fundamental liberties walked all over by our own government. I came from a country with 70 years experience in totalitarianism and 10 year experience in democracy farce, and I did not come here to see US turn into a police state. I've never been a fan of the current administration, but security was one of the areas where i had some hopes.
Why did Obama make a 180 degree turn? Is he suddenly as afraid as George W Bush was for the arabs? The fanatic Muslims? The conspiring communists?
The fear of the omnipresent terrorists might be ever so real, but so is the fear expressed in the ACTA agreement and in the EU gallo report.
The fact that these reports also point at Internet as the new big evil makes me think that maybe terrorists isn't what puts pressure on the president to reconsider his core values.
It is pointed out in the earlier comments that the government already have the violence monopoly and thus can do most anything already to stop crime from happening if they really wanted to.
Maybe the president instead is driven by trade agreements, economics and the fact that Internet market mobility is very difficult to restrain rather than the fear of another World Trade Center blowing up?
Allowing government to demand service providers to help fight crime presents a viable political way for then ask them to filter the content for unlicensed material because you can't argue against crime fighting.
The lowest form of this lobbying was observed in Denmark where it was suggested that no politician could ever object against fighting child pornography. They were absolutely right.
The crime fighting strategy doesn't even have to work. If the general consumer believe that the government is in control then they will act accordingly. If the US market can be controlled, then trade agreements can be met with EU (they will have to control their market too).
This is why I think nobody will care what Mr Schneider is saying about the _real_ security aspects in this matter.
I think there should be more zeroknowledge startups like clipperz.com. We should all have irrevocable rights to do whatever we want with our own private data. There are some great encryption tools out there unfortunately getting users to use them is quite hard. Like I wish I could talk to my family, friends, coworkers, gf etc.. And have us all share our pgp key's but the steps to do that are too complicated and a hassle for them all. Common people dont really see the implications of the .gov's ability to look through our emails and communications freely and at will, or automated. There needs to be more tools.. And more services that make encrypted emails seamless. Hushmail, and those types of services suck. There needs to be an alternative, there are addons to firefox/chrome for encryption for gmail but they arent really seamless. How will we get the world educated about these issues? We need to be harder on google, yahoo, microsoft and other companies, not just our government. They need to learn that there is profit in privacy and security than datamining personal information
One problem with this would be the disruptive effects on e-commerce.
Right now, when I order stuff over the web, I wind up in an https site where I type my Paypal password or credit card number or other stuff I don't want the world to know. This is accomplished by having everything between my computer and the site encrypted with a key that nobody between the two systems knows.
Therefore, it's impossible to tap the connection productively, since all you can get at an intermediate node is ciphertext. The vagaries of the internet are going to make side-channel attacks, such as exact packet timing, almost useless.
Therefore, an effective wiretap law would require https to function entirely differently, or be completely replaced. The consequences of that are left as an exercise to the reader.
This post is right on - just thought I'd mention that the highway speed analogy is a bit off. Decreasing the national highway speed to 50 would save billions of gallons of gas. It's something we should do, and we'll probably be forced to do in the coming years of oil shortage.
You can bet your bottom dollar that elements within the NSA use illegal surveillance for financial and political gain (eavesdropping and sending intelligence to business and organizations they support).
People have it wrong: freedom and security are not at odds.
People who are free are secure. Freedom *is* security.
yep, it will force the truely guilty to limit the info they send or place on hard drives, perhaps they will just put it on thumbdrives and hand carry them to those who may need digital content. isn't something like this how osama does it nowadays. but the gov dosen't really want to work the hard cases, they want to pick the low hanging fruit. to get a glimpse of how the government works, read charles bowdens book "Down by the River" or just scan it starting around page 150 and the next ten pages to get the gist. turns out that the CIA had agents inside the DEA to help drug traffickers that pleased Casey during the reagan regime. Absolutely amazing when its all complied like this book, but I do remember reading much of this when it was just a news blip, not a compiled coherent story.
Is it a coincidence that this is announced so soon after the wikileaks incident with the Afghanistan documents?
As I've said here before, these are not the actions of a government protecting its citizens from a threat, but the government protecting itself from its own citizens.
Sure, we will probably have a slight amount of "home grown" terrorism that is the "real thing" but this won't help much with that.
What it's good for is preventing a general revolt. If you catch people thinking like that while the group sizes are still small, you get to call them terrorists, and mop them up, protecting the power of those who have it now.
I think you can add the normal tendency of any bureaucracy to play the game of getting more project, power, and money for itself.
Remember, this country was started by what would have been called terrorists, and they managed to get going and succeed partially due to the fact they could communicate without the current lords knowing about it and "nipping it in the bud".
I'm an old cold warrior, and it sickens me to see what this country has become since. We are already in some ways worse than the adversaries we were fighting then, just with a little more time for the average guy to sit on the couch, eat cheetos, and watch TV -- a little better off financially, the real opiate of the masses. Now that the ponzi scheme is collapsing (yes, I trade the markets even now, and study where the fiat money goes) that provided that, there is real cause for the government to fear we're gonna really throw the bums out.
This is frightening for them, and fearful people are the most dangerous, right up there with those who think they have nothing to lose.
@BF Skinner: I don't know what threat analysis they showed him during his onboard briefings but it sure seems to have scared the President into a 180 from his campaign rhetoric.
@Kristofer Pettersson: Why did Obama make a 180 degree turn? Is he suddenly as afraid as George W Bush was for the arabs? The fanatic Muslims? The conspiring communists?
It's no secret that I loath Barack Obama as president (that's not personal, I like him personally). But I will say that a Candidate Obama has much different information, and much different goals and responsibilities, than a President Obama.
Whether or not the explanation flies, I really don't have enough information to know. But it is fair to say that running for president and actually being president are two very different things. I imagine more than once, he's thought "I didn't know ___ back when I said ___."
I will add one thing to the above -- think of what happens when unelected people get the dirt on those who are, and use it to manipulate them.
Should be pretty easy, as they're pretty much all dirty. Funny thing, since some of this extra wiretapping has happened (longer than they admit to), the people doing the tapping have all their requests just fly through congress...
No matter who gets into office, we see the same results -- once they get there. How much of that is that the reality is simply different from what the pols know on the campaign trail -- and they find out once elected, and how much might be a phone call that kinda says "if you give us what we want, we won't bother mentioning that little peccadillo (via some anonymous leak) we know about you" is anyone's guess.
And yes, the implications of misuse of supposedly private info for private gains in the financial game are pretty serious. We have laws about insider trading for good reasons. This would allow them to be broken, but never enforced, as the people breaking them just use the "national security" mantra to shut that down. As they have already in related cases, when they denied they were doing this at all, but got caught.
I had a question for crypto experts and fellow admins:
Does this new requirement coupled with deep packet inspection enable systematic prosecution of people using real cryptography? It would force pretty much everything to use a stenographic layer, crippling bandwidth.
"Why did Obama make a 180 degree turn?"
He never made a 180-degree turn. He, and his party, only gave the appearance of being against wiretapping because they weren't in power.
They're politicians, after all ... you can be certain that once they *became* the ones in power, they absolutely want more wiretapping abilities.
All that changed is we now see they never gave a damn about privacy in the first place, and anyone who believed they did ... well ...
Obama should be careful what he asks for. J. Egregious Hoover stayed in power so long by having embarrassing information on Presidents.
What campaign rhetoric? Obama as a senator voted for retroactive immunity for the telcos during the Bush era taps. Doesn't seem as though he's changed sides on this issue at all.
@ted: That's interesting. Also, the twitter page is either frozen or forged (twitter/wikileaks). The timestamps are anomalous. The haven't changed in over 12 hours.
P.S. - Is it me, or is there a lot of spam about political preferences here?
Remember, these are the same guys who will someday want you to use the internet for electronic voting. Once they know how you vote then they know who to jail after the election.
This is change we can believe in.
India is a democracy too. You have them lumped in with UAE and Saudi Arabia as a totalitarian country.
Don't forget that people have gotten DEAD over this stuff. From the Wiki page:
"On March 9, the Network Planning Manager for Vodafone - Greece, Kostas Tsalikidis, was found dead in an apparent suicide. According to several experts questioned by the Greek press, Tsalikidis was a key witness in the investigation of responsibility of the wiretaps. Family and friends believe there are strong indications he was the person who first discovered that highly sophisticated software had been secretly inserted into the Vodafone network. Tsalikidis had been planning for a while to quit his Vodafone job but told his fiancée not long before he died that it had become "a matter of life or death" that he leave, says the family's lawyer, Themis Sofos. There is speculation that either he committed suicide because of his involvement in the tapping of the phones, or he was murdered because he had discovered, or was about to discover, who the perpetrators were. After a four-month investigation of his death, Supreme Court prosecutor Dimitris Linos said that the death of Tsalikidis was directly linked to the scandal. "If there had not been the phone tapping, there would not have been a suicide," he said."
In August of 2006 an ISP/CLEC I was working for already had complete control over the Internet and telecommunications infrastructure for approximately 800 buildings in NYC alone. They operated across 8 points of presence in northeastern cities and were in the process of adding more. All the telco was VOIP, of course, and eavesdropping on communications either live or after the fact was pathetically easy for someone with my accesses. For after-the-fact access, one didn't even need to go through the application. It was as simple as copying a file on the server.
I was a system administrator - not a cop, not a fed, and yet I had complete access to the VOIP communications for 800 buildings in NYC. Not tenants. Not individual businesses or residences. BUILDINGS. And that was four years ago.
"It's like the FBI demanding that no automobiles drive above 50 mph, so they can more easily pursue getaway cars."
Actually it is more like the FBI demanding from automobile makers that they install throttle regulators so that cars can't drive above 50 mph for all cars sold in the US, except for law enforcement vehicles.
Criminals would still find a way around it, but the law abiding citizen would be greatly inconvenienced.
Campaign rhetoric? Heck, as recently as a week ago Obama stated in a speech to the UN:
"We will promote new tools of communication so people are empowered to connect with one another and, in repressive societies, to do so with security."
I guess the message is that security is unnecessary in non-repressive societies...
"And, so, logically, everyone will begin encrypting their messages on an individual basis, using pgp, rather than trusting the encryption to service providers.
See "Reflections on Trusting Trust".
The PGP you believe you're running may not be the PGP you're really running. Trustworthiness becomes a belief we can no longer believe in.
Or law enforcement will require that automobile manufacturers install remote engine kill switches, so they can catch fleeing suspects.
Oh wait, they already have that... it's called On-Star... have you seen the commercial?
I think everyone is missing an even bigger point in the "nothing to hide argument." This point was covered in the excellent lecture "Don't Talk to the Police" by Professor James Duane. (first reason, in fact). What is it? There are so many laws on the book, many ridiculous, that it is nearly impossible to truly be law abiding. Studies have shown that the average American accidentally commits 3 felonies a day and you can be prosecuted for breaking any law for any reason. With around 97% of the world's lawsuits, it's also likely that charges may eventually be sought by someone that doesn't like you. Anyone who doubts that courts will ruin innocent people over technicalities should look at Chuck Shepherds News of the Weird in the "Finer points of the law" section.
In the videos by Duane and Flex Your Rights ("10 Rules"), they make the case for the Fifth Amendment and how it protects Americans from wrongful prosecution and imprisonment. This is the right to remain silent. It could also be phrased "the right to conceal information from authorities." Supreme Court and other justices have repeatedly ruled that it was protected and extremely important for public welfare. In a surveillance state, this right is effectively destroyed. If a cop doesn't like you, he has between 10,000 and 40,000 ways to arrest you in the US, maybe more. Thanks to court precedent, you will be convicted. So, if we can't hide anything from them, we are at their mercy. Many innocent, decent people sitting in prison cells would probably agree with me.
Don't Talk to the Police
10 Rules (four parts, 40 min in all)
Bet ya they pick an Israeli company to monitor all the changes. They did that with CALEA and lo and behold the company got caught selling wiretap info to drug gangs in LA. The FBI threw a fit and demanded the company have its access revoked.
But with four US Congressmen wanting to free Kenneth Pollard, after he gave Israel tons of US intelligence data which Israel turned around and sold to Russia in exchange for Jewish immigrants, one can guess that the new regulations will be overseen by the Mossad.
Oh, and that new NSA data center in Utah? What do you think THAT'S for?
Oh, and guess what? Utah TV news reporting that "Israeli art students" ('member them? Look them up if you don't) are going door to door in Utah asking questions about it.
As Stephen Walt and I like to say, Obama is "Bush Lite" when it comes to civil rights and foreign policy, whatever his domestic agenda.
@Axel: "I don't get it. That won't help against criminals *at all*, because they will just use some open source VoIP-Solution that doesn't have any backdoors."
Actually, one problem is that I don't think the president wants his cell-phone under surveillance -- or any of his close buddies -- but this capability, when Organized Crime gets access, makes blackmail and political manipulation a trivial step.
Perhaps the specter of "illegal access" to these capabilities can be used to frighten those who think that only "authorized" people (and the organizations they represent) will have access.
It could be that, when a high-end politician somewhere in the world has their words from a phone call broadcast for all to hear that this capability will finally be seen for vulnerability it provides, and, using Bruce's comment about a "national ID" card as being valuable, having clandestine access to a clandestine surveillance system will be of such incredible value that few will resist.
And... the hell of it is that I'm not even really addressing Skype or Gtalk or... and, really, those w/ clandestine access won't be eager to expose the access since there is a LOT of money to be made by listening in to corporate board member's phones.
For me, it's a huge problem that this just won't work against organized criminals. You can't successfully scrub the global Internet of all programs without backdoors. The Mafia, drug cartels, terrorists, or whoever else will just switch programs.
That makes a slippery slope that much more plausible. A few years from now, law enforcement sees that this hasn't worked against the worst badguys, so they propose mandatory security flaws in OSes and/or hardware, unlocked by master keys -- your crypto software won't get around *that* (they say).
Computers are secure communication devices; you can't absolutely control secure communication without controlling computers. If we don't face it now and reject this proposal that won't really work and will have all sorts of bad consequences, we'll have to face it down the line.
Worse than that greek wiretapping case, was a wiretapping case is Spain.
'There have been several scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defense Minister Julian Garcia Vargas and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including King Juan Carlos'.
They don't want a backdoor, they want a frontdoor invitation.
Saying nothing, ever, to the police is likely illegal in many cases, as it can be considered obstructing an investigation. If they can prove that you aren't directly involved in a crime, pleading the 5th won't do you any good.
@pdf23ds: That's a lie. Police aren't allowed to talk about open investigations, and you never know if they're investigating you or that something you will say could implicate you so the 5th amendment does always pertain.
Well, it's not a lie, but it was my understanding. If you have a link, that would be good. (I can't watch videos on this connection, so if it's covered elsewhere, that'd be nice.)
"I don't speak to law enforcement without my lawyer present" works.
Being not guilty of a crime has never hindered prosecution.
All of that juicy corporate data, behind an "easy enough for a cop to use" interface. Please rush this bill through, I now know how to fund my retirement.
I actually think a better analogy for the situation is you giving the government a key to your house in case one day they want to go or have a warrant to come in. It's a slippery slope from there :"Well, we had the key so the owner was basically approving our entry". Never mind that the key surrender was forced by law.
@Steeeve and pdf23ds
The 5th can't protect you if the answers wont' be used against you. For example, many journalists have been jailed for refusing to give information about informants. All that's needed is some paper that says you can't be prosecuted. Since it can't be used against you once that is done, the 5th doesn't attach and you can be jailed for not talking.
Obstructing an investigation is a catch all the police use to scare people and when there's really nothing else. Always ask for a lawyer. Charges could be dropped as it might be hard for anyone to prove that the 5th didn't attach and police can't by themselves protect you from prosecution and invalidate the application of the 5th amendment.
The police can arrest and hold you arbitrarily for a certain amount of time without any reason, but you can never be compelled to talk by the police.
The courts are entirely another matter. They can hold you indefinitely and may compel you to give any information they feel is justified.
Man, everything is "ask for a lawyer". Talking to the police is expensive.
Yes. The problem is that in the heat of the moment and with the police telling you things, you can't know whether it's better to consent or not. It's all about short vs long gain term. If you ask for a lawyer and remain silent, then long gain term(no conviction and maybe no arrest) is almost guaranteed if they don't have anything.
On the other hand, short term gain (they let you go immediately) is hard to see and might not happen.
The claim that the proposed law would only maintaining present wiretap capabilities against changing technology is dishonest. In fact, the government can already wiretap freely with existing law, the difference is only in the messages they pick up. No part of the government has ever had any assurance that they would be able to read any message they intercepted. Demanding plaintext is a radical new expansion.
RF, above identified the worst problem with this. The current proposal would affect only those who rely on a service provider's encryption. Any entity that is aware of the situation and needs security will simply encrypt before putting the data into the service provider's system.
So, logically, to make it work, the government will have to expand the scope to force a backdoor requirement on every endpoint device and program. That becomes an Orwellian police-state nightmare: it would mean prohibiting general-purpose computers, regulating programming, restricting compilers, censoring math education, imprisoning citizens who refuse to give up keys, and other egregious abuses.
Once the government has this, criminals will shortly have it as well. And then some good people will get it, and that's when things will hit the fan.
Imagine several million phone calls copied and safely forwarded to Wikileaks, whose friends across the globe post them on YouTube for the world to hear. (Transcripts available online.)
"Western companies such as Siemens, Nokia and Secure Computing built Iran's surveillance infrastructure, and U.S. companies like L-1 Identity Solutions helped build China's electronic police state."
Need sources for this.
...and the water in the pot gets a little warmer without the sheople noticing...
"India is a democracy too. You have them lumped in with UAE and Saudi Arabia as a totalitarian country."
You're right; that was a mistake.
You're right except this is expensive and hard to do. Companies rely on the service providers because it facilitates security at a reasonable cost. It would be a developmental hurdle to get everyone to use encryption on platforms that might not necessarily be open.
@James: Right, but the folks hiding from the police are exactly the ones who'd find it worth the hassle to set up strong crypto. Normal folks will use Skype, drug lords'll use something like PGPFone. Worst of both worlds.
A question about the wiretapping ability built into Vodafone products, that is referred to in the article. Is this still present, but dormant in most countries? This is a major incentive to change mobile providers!
Despite your little mistake you acknowledge above, congratz for a very good article, thanks!
This was both a fantastic read and a disturbing one!
I wonder if the average, good-willed crypto user (or company) will be viewed as a potential criminals even if they do comply with eavesdropping?
Hardly seems fair, but it does seems more likely.
I wish stupid (powerful) people would stop sacrificing our freedoms in favour of supposedly increased security.
Everybody seems to be vigorously objecting to this move -- are there any thoughts on how to block Obama's plan, or at least hinder its progress? I'm pretty sure that posting to this blog won't have any lasting effect on U.S. federal policy....
@Ted: "Is it a coincidence that this is announced so soon after the wikileaks incident with the Afghanistan documents?"
Isn't it ironic that mandated backdoors will be a major source of material seen on Wikileaks for years to come...
I'd imagine there will always be software out there, open source or otherwise that will be as fully secure as possible with no back doors.
Many different types of people, including people with bad intentions, in an unofficial capacity, will be able to use that software, while corporations, governments, perhaps even large portions of the military, national guard, etc... will be forced to use the backdoored stuff.
The "official" entities get the backdoored stuff, the "un-official" entities use the non-backdoored stuff.
It's not a good plan.
Interesting. The thing is though that wiretapping capabilities are built into most traditional telephony systems. It's not the case that Ericsson developed this capability especially for Vodafone. This capability (of being able to tap phones) is an almost universal requirement of anyone who runs a publicly available communications system.
The Greek scandal was as bad as it was, not because the wiretapping system was installed, but because the wiretap management system (confusingly called IMS) was not installed. Without IMS and only RES installed, wiretaps can be carried out by arcane transactions directly on the relevant switches. Similarly arcane transactions would be needed to review the taps. Had IMS been installed, the presence of illegal intercepts would have been obvious.
It's inevitable that security agencies who are used to a certain level of capability with respect to telephony and other communications will want the same capability with Internet based communications. There is a danger in digging in our heels and refusing to participate in any way in helping the law enforcement agencies, that they will impose draconian solutions upon ISPs or will bring the very heavy hand of regulation to what we can do on the Internet.
My feeling is that we should recognise the legitimate concerns of law enforcement agencies and participate in the design of systems that are tamper resistant and readily auditable. It should be built into the design that a situation such as that which occurred in Greece cannot happen. It should be impossible for half a system - the unauditable, easily compromised part - to be installed.
Thanks for the article Bruce! Keep fighting the good fight!.
But are we fighting battles in a war that's already lost?
How can you convince a generation of netizens to value and guard their privacy when they live their whole lives on social networking sites?
I still find it disturbing that during all the debate and hand-wringing over wiretapping the FBI were cheating on the investigations examination:
It wasn't even cheating itself that was so bad compared with all the awful twists of logic and excuses put forward during the investigation.
This is a part of the philosophy by which two constituencies
are each awarded with their own prize plum,
even though it's one sole plum
that each will prepaer to use differently.
One will plant it, to let it grow,
the other will eat it,
and later pass the seed.
As long as a mistake is made that operates
to the benefit of the administrator or executive,
it's both more likely to be made,
and as long as possible left uncorrected.
The externalized cost converts to a personal benefit,
and is left externalized.
It is a contest between system-defined and real identities,
and persons hearts choose according to their perceptions,
pursuasions, and lived philosophies of life's premises.
The bigger issue is installing security backdoors in professional software when all the criminals will just end up using an open source fork of SSH to communicate. It's pointless, unnecessary, and controlling, even if they can get warrants.
Additionally, Bush's Administration didn't have a great track record abusing the warrant system with National Security stuff. I'm not sure I trust Obama's administration any more (or anyone in a position of power).
The bigger issue is installing security backdoors in professional software
There's already security backdoors in professional software, and that's because of the number of users that keep forgetting their own passwords.
Obama had me the day he appointed half of the entertainment industry's copyright attorneys to high-level policy positions, proving where his interests sit.
Obama has zero chance of winning the next election. Cost of living skyrockets, debt skyrockets, you pay for banks' malicious greed, health insurance premiums continue to rise, health insurance benefits continue to fall, wars continue (and expand, as in Afghanistan), domestic surveillance expands, and yet the pivotal issue for people is a story about a guy, a girl, an irresistible apple and a snake.
I hate conservative ideology as much as anybody (and I benefit from them financially since I'm one of the "poor rich"), but regardless of whether Obama is to blame for what's transpired, it will get pinned on him.
Left or right, you get fucked.
As for the article: as usual, Schneier is spot on. OpenPGP will probably be made illegal because it provides "material support" to terrorists. The guy should be in charge of everything. But then he wouldn't make as much money and probably wouldn't be able to appear on cable news to bemoan the counterintuitive nature of public policy.
well, i for one am flabbergasted. the NSA used a taxpayer-funded surveillance system to spy on their ex-wives and girlfriends? unthinkable!
it's almost like bush & cheney starting a war with iraq after 9/11, which was--officially--perpetrated by a bunch of muslim dudes carrying saudi passports. i mean, some people might question the legitimacy of such a war, given the fact that iraq was openly hostile to religious fanatics. but i trust my gub'mint, so i'm sure there were good reasons, besides personal profiteering.
anyway, i'm sure those accusations about the NSA are all lies, because those people all took oaths on the Bible to serve their country, so i know they would never use surveillance tools in a manner that would violate the constitutional rights of americans.
you know who the real criminals are? whoever is spreading these lies about the good people in washington who are protecting our freedom. it is shameful to even suggest that anyone in a position of power would ever abuse it, because great power demands great responsibility, especially in our noble nation.
perhaps once the x-ray vans hit the road, we can find out once and for all who these infidels are.
@ Sam Stephens,
With regards your question,
"Is this still present, but dormant in most countries? This is a major incentive to change mobile providers?"
About Vodafone and the Greek wire tap scandle.
Changing mobile phone provider would not help.
The ability to do the tap is built in as a requirment in to both the mobile handset and in the exchange switches.
Even if it was not made as easy as it was by the specifications mandating the requirment, the "technology is a sword that cuts both ways" applies.
The user requirment for such features as multiparty cal and the ability to put and handle calls on hold, would give any malware all the hooks required to do it.
So even if the appropriate and extrodinarily expensive managment component of the Ericson switch had been present the malware could have just been designed to work at a layer below the intercept system.
As others have noted we will probably never know the full how and the way of the Greek Vodafone compramise because the employee who supposadlly installed the malware also supposedly killed himself. As has been noted on many occasions "Dead men don't talk"...
FYI Ceausescu's secret police was IBM's first Eastern European customer in the late 60s. They "desperately" needed the infrastructure for keeping books on all former and present political detainees.
@HJohn "I really don't have enough information to know. "
But it is fair to say that running for president and actually being president are two very different things.
I imagine more than once, he's thought "I didn't know ___ back when I said ___."
Fair to say. But I don't buy it.
Presidents don't make their decisions because of the information they have, but in spite of them.
During the Vietnam war Johnson was shown comprehensive evidence that it was unwinable. Unless every North Vietnamese was killed (man, woman, child, chicken and goat) it could only be continued.
This was the fundamental truth of the McNamara report.
We've been told this over and over. "We have the intel. We are on the inside. If you knew what we knew." And they discount the views, arguments and opinions of people outside the veil. The American people could see we weren't winning squat in Vietnam, the troops could see it, the South Vietnamese certainly could and the DoD documented it in great detail. Everyone but the man at the top.
For major policy decisions like starting a war? Hidden secrets means bollocks.
The US? We saw our enemy in Afghanistan and yet the Bush administration started warring with Iraq.
Why? Because they were behind 9/11? WMD? Or Rice's famous "Bin laden support? No WMD? So what it was only one of the reasons we went to war." Really. That's not what you were telling the American people.
We went to war not becuase of the intel but despite it. Cheney made up his mind on the day of 9/11 that Iraq was responsible and made sure the President shared that belief. The intel and analysis came later.
Insiders get compromised by the special access they recieve. Behind Oz's curtain they see 'great and terrible truths'. They mistake data for information and information for reason.
Who's gonna watch Big brother? Big Daddy or Big Mother
Its just the MAN sticking it to the masses.
Funny someone mentioned that would put PayPal at risk. paypalobjects.com is signed by CA under control of UAE: http://www.schneier.com/blog/archives/2010/09/...
Nothing new here. Your PayPal account can be hacked by a totalitarian government already.
In the past, the US government is even responsible for putting a backdoor into "management" software, then distributing it to the governments of other countries so it could spy in them.
That's not considering that the US government "stole" this software from the DOJ, and redistributed it after making the "modification".
Feel free to search for "Inslaw" and "PROMIS".
Amazing how prescient "Enemy of the State" was back in 1998.
Well, in the United States, the constitution protects your rights to remain silent and against unlawful searches. The Supreme Court and Federal Courts have repeatedly rules on this, although one decision said you have to say you wish to remain silent. The search rules don't apply at the airport or customs and Patriot Act might override both rules in some cases with federal agents. However, they do apply to law enforcement in most situations.
Reasons to remain silent? From the professor's presentation.
1. There are 30,000+ laws in the United States and you can never know if you're giving a cop evidence. For example, one law says you can't possess fish or game that's illegal in any state or *foreign* country. People have been jailed for the latter.
2. As James pointed out, you might be so nervous that you accidentally slip and say something incriminating. Here's a little caveat about our law: anything you say that shows guilt can be considered an admission of guilt (confession), but anything you say to cops that supports innocence is considered hearsay. What you say to cops can only be used against you in court. Re-read that again, because it's implications are astounding.
3. The cop might not remember what you said correctly. This happens due to how the human mind works. In many situations, a minor detail might be misremembered. Then, it's your word against the cops. It's well-known amongst defense attorneys that juries suspect by default that the defendant is guilty. Having to argue with a cop usually increases guilt in the jury's mind, esp. if the alleged offense is socially horrendous.
That's just a few from the "Don't Talk To The Police" video. Many wrongful convictions have occurred because of these three points. Innocent people are in jail or prison right now for no good reason just because they didn't remain silent. Hence, remain silent, ask if "your detaining me or am I free to go?", and if they push you for answers reassert your right to remain silent. Cops might make your life difficult, but many will just give you a ticket and leave to reduce their risk.
If you get pulled over, a cop can order you out of the vehicle. Hide anything you wish to remain private before you stop. Keep the glove compartment and trunk locked and when the officer approaches, only roll down the window a little. This sends a clear message. If you are ordered out, turn off the car and lock the doors behind you. If they ask to look around or whats in the vehicle, say "i know your just doing your job, but I don't consent to searches." If they are doing a "required check of your house" (read B.S.), then open the door with chain on or step out and lock it behind you, then tell them you don't consent to searches without warrant.
Important point: verbally resist, but don't physically resist. They can legally pat you down for guns or knives, so you want to tell them ahead of time very calmly. If they search your property, deny you an attorney, etc., this is police misconduct and maybe more. You can use this as a procedural defense later to throw out evidence or collect monetary damages from their department. Always handle police misconduct in court later: simply touching a cop is a felony charge in many states.
Also, don't let their claims that they are there to help or will unleash the K9 on you fool you: cops are legally allowed to lie to you to get a confession or cooperation. So, if everything they hear and find will only be used against you, why help them find evidence? See why I don't talk to cops?
The above are excerpts from the two videos. I'd suggest you go to flexyourrights website and get their 10 rules video. Not knowing and using their rights has landed many innocent people in jail. Never know who will be next. Best to take precautions.
"A CACHE of secret files stolen from ASIO and police and anti-corruption agencies has been discovered during a drug raid in Melbourne, raising fears of a major breach of national security and crime intelligence.
Police are investigating whether the former head of intelligence and phone tapping at Victoria's Office of Police Integrity stole the documents."
I'd like to hear the source regarding L-1 Identity Solutions. I don't think they have ever supported the China government. Some might call that statement slanderous without quoting your source.
@ Eric on China and L-1
Yes, I'm actually interested in seeing that source. A few minutes Googling turned up nothing. That doesn't seem like much time, but I"m surprised I find nothing but a Rolling Stone article that may have been pulled from their site. Does anyone have evidence of this claim or is it an oft-repeated rumor?
There is a bigger picture here.
The FBI has asked for the power to obtain without warrants, American’s “electronic communication transactional records” including email addresses they used to send communications—bypassing the Fourth Amendment; the FBI request for no warrant Internet surveillance can’t be viewed separately because if pending bills in Congress pass, the FBI will have the power to use warrant-less Internet surveillance to arrest and indefinitely detain Americans on only (suspicion) not probable cause or evidence, based on someone’s Internet Activity. Americans to avoid arrest on suspicion and or federal criminal charges, would have to report to police every (email) received that might allude to anything illegal; that is because the FBI would not need a warrant to introduce emails into court as evidence against a receiver. Similarly East German Citizens out of fear they would be arrested for supporting criminal, subversive or terrorist activities, found it necessary to report to the Stasi Police, suspicious emails, phone and face-to-face communications turning ordinary Citizens into informants. Undercover East German police would often in social settings, tell East Germans Citizens something that appeared illegal; if the Citizen didn’t report it, he or she was arrested. East Germans were afraid to voice an opinion or talk to strangers. This is where the U.S. is going; police too easily can take any hastily or poorly written email or fax out of context to claim a crime or violation was committed to cause the arrest of an American or forfeiture of their property. U.S. private contractors and their operatives now work so closely with FBI/Police exchanging information to arrest Americans and or share in the forfeiture of their personal and business assets, or to assess huge fines, private contractors appear to merge with police. Dangerously, private contractors/corporations can influence U.S. Government, which businesses and persons are to be prosecuted.
If recently introduced bills Pass, such as S.3081 The “Enemy Belligerent Interrogation, Detention, and Prosecution Act of 2010” introduced March 4, 2010 by John McCain; then any private/information the FBI or police derive from warrant-less searches of emails, Internet Activity—including social websites and non-internet sources e.g., (informants) may be used to arrest anyone on only-suspicion not probable cause. McCain’s bill among others introduced, would eliminate several Constitutional protections allowing Government to arbitrarily pick up Americans on suspicion; your political opinions, statements made on websites on the phone and emails could be used by authorities to deem you a “hostile” “Enemy Belligerent” to cause your arrest and indefinite detention. McCain’s bill has the potential of spawning domestic terrorism in the United States. Consider how Americans might respond should Government use this bill to take away their loved ones, family members and friends on only suspicion. Considering U.S. Government’s past domestic counter intelligence program COINTELPRO 1960 though the 1980’s, Americans should expect warrant-less-Internet spying will result in government harassment, prosecution, blackmail; and civil asset forfeiture of American’s property—which requires only a preponderance of civil evidence, little more than hearsay—because someone questioned or lawfully opposed police or government policy.
Government can now use National Security Letters (NLS) to target someone’s clients, scaring off their customers and business associations, to make it difficult or impossible to make a living; the Nazis used similar tactics using the Gestapo. Lawful American activists and individuals under McCain’s bill S.3081 would be extremely vulnerable to indefinite detention and prosecution, without right to legal counsel if (charged with mere suspicion) of “intentionally or materially providing support to hostilities or an Act of Terrorism”, for example American activists can’t control what other activists might do illegally—they network by email or phone domestically and overseas. U.S. Government under McCain’s bill would only need allege an individual kept in military detention, is an Unprivileged Enemy Belligerent, suspected of; having engaged in supporting hostilities against the United States; its coalition partners; or Civilians to indefinitely detained Americans without legal counsel. It is problematic under S.3081, detained individuals in the U.S. not involved in terrorism or hostile activities, not given Miranda Warnings or allowed legal counsel will be prosecuted for ordinary crimes because of their alleged admissions while in military custody.
McCain’ S.3081 is so broadly written lawful anti-war protesters and Tea Party Groups might be arrested and detained in military custody just for attending demonstrations; Government can charge demonstrators "materially supported hostilities.” McCain’s bill mentions “non-violent acts" supporting hostilities in America against Civilians; against U.S. government or emanating from America against a Coalition Partner. Non-violent terrorist acts, can under the Patriot Act be any physical act, to prosecute Persons for allegedly supporting “coercion or intimidation” to influence a government or to affect a civilian population. Any Person that writes on the Internet, expresses an opinion against or an entity of U.S. could be alleged by U.S. Government under S.3081 to be a hostile Enemy Belligerent to order their indefinite detention.
To compare government’s COINTELPRO with today’s government convert operations against American Activists access the following websites.
A lot of our privacy is protected simply by the cost and difficulty of invading it and of the commercial advantage of being able to say that you provide guaranteed privacy. However, if companies are forced by law to bear this cost and prohibited by law from enjoying the benefits of privacy, rest assured they will reap the benefits of non-privacy.
What about communicating company secrets? Are companies exempt? Would storing noise on U.S. servers become illegal? Even for foreigners?
It amazes me that so many people still think a candidate "changes his mind 180" after being elected and seeing certain pieces of intelligence. News flash: they already side with government intrusion and LIE on the campaign trail because they don't get votes by saying things like "and I pledge to create new ways to spy on all American citizens." There are technical matters that are top secret - threat assessments contain specifics, but all the intelligence is general knowledge. It's not like Switzerland is really an evil empire of nuclear-powered robots, and now the President knows that 60% of the American people are collaborators and must be monitored. Iran is bad, they want to nuke Israel, and they're close to having the technology to do it. Meanwhile, the US government is wringing your civil liberties out of you and wants to know who they can prosecute for kiddy porn because one image on your hard drive happened to be of a 17-year-11-month-old. Then, your every political opinion becomes irrelevant because nobody wants to be identified with a pervert. Character assassination is the new way the elite keep people in check. Look at Spitzer who was about to knock the Wall Street trash can over and send the rats running when suddenly, he's Client 9, and now, like Winston Smith, he's got his own CNN show and loves Big Brother. What a freaking joke. Pontificate on your histories all you want. We've reached the end of America's.
This will likely lead to some people in US government using all the gain information (such as, lets say, emails sent by some investment bankers) to their own advantage.
Yea this is not "unique" but USA should not feel justified to do it because United Arab Emirates, Saudi Arabia and India do it. I am sure North Korea does it as well.
When privacy is outlawed, only outlaws will have privacy.
Yes, hang on to that old computer, with the unadulterated CPU, the unadulterated OS, the unadulterated encryption software.
The sneakernet also works well ;-)
The only way to make wiretaps on the Internet viable would be to mandate that every client and server connected to the network be tightly regulated by the government and unmodifiable by end users, akin to the Bell System prior to the Carterfone decision, but the decentralized nature of the Internet makes that impossible. However, it seems that traditional signal networks such as cell phones, are easy to monitor or control. More info about jamming cell signal:
Looks like they won't even need wiretapping if CISPA passes. They will be able to get any information they need as there will be no more 4th amendment protection on the internet. Let's hope it get vetoes and nothing else comes of it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.