
NSA Codebreaking: I Am The Other - thecoffman
http://www.popehat.com/2013/09/06/nsa-codebreaking-i-am-the-other/
======
mpyne
> The NSA's official response is to suggest that wanting to secure our
> communications from our surveillance is inherently suspicious and suggestive
> of criminal activity.

No, their official response is to suggest that encrypting your communications
makes you indistinguishable (at their end) from those who encrypt for criminal
activity. There _is_ a difference, and there's no getting around the idea that
if the set of Bad Actors are to have the crypto broken then it will
necessarily involve breaking the same crypto in use by the Good Actors.

Even the NSA also says _in the very paragraph quoted_ that encryption is also
used for "nations [...] to protect their secrets" (which is hardly a criminal
or illegitimate goal).

Likewise, if the government hires a lockpicker to plant a bug in an embassy
then by definition they now have the technical ability to pick locks (even if
they don't have the legal permission).

The rest of his points, on the whole, are quite valid but are sometimes
answering a question that isn't actually being asked from the other side.

~~~
javajosh
Something just came into clear focus for me: the NSA really screwed the pooch
here. They had a situation where they had access to anything they wanted, but
because they insisted on not getting warrants for access, they pissed off
Snowden, and now people are going to punish the NSA by becoming more security
savvy and using systems that are impenetrable, even with a warrant.

Smooth move, NSAssholes.

~~~
Finster
And that's the core of the issue for me. I don't have any problem with the NSA
working with and studying encryption and methods to break encryption.

What I have a problem with is invading my privacy and gathering my
communications and information without a warrant. My 4th amendment rights have
been completely violated.

~~~
javajosh
Totally. No-one (including me) would have blinked an eye if it turned out the
NSA was snooping on anything and everything...with a warrant. Heck, I would
have probably been moderately pleased. But snooping on anything, in secret,
without judicial oversight, without public consent...that is all very wrong,
and Schneier is right: it's a total betrayal of the internet.

Whatever short-sighted jerk-offs came up with this grand plan ought to be put
in prison for harming US interests. To say that Snowden is the one who harmed
US interests for revealing these activities is an intolerable act of a
government that values only one thing, loyalty. Principles? Nah. Principles
are soooo pre-Industrial revolution. And let's face it: with all the thousands
of people working on these projects, someone was bound to blow the whistle
sooner or later, because no matter how far down the rabbit hole an agency like
the NSA goes when it comes to defining new norms, there are always some
awesome weirdos who don't buy it, no matter how normal everyone around them
treats it. (Hat tip to you, Snowden, for not drinking the Kool-Aid).

Guess what bozos (yes, NSA, I'm talking to you): national security is affected
by abrogation of trust and betrayal of people like you. Our position as an
exemplar of personal freedom, and self-restrained government, has been badly
damaged by you. Going after Snowden, doubling down on internal
security...these damage you, and us, further. Maybe Congress is confused on
this issue, but I (and most everyone I've talked to) am not: you need to stop
collecting data without warrants immediately. You need to dismantle your
capacity to do so. You need to delete all information that you've gathered
under those conditions.

And this should be the last act of the NSA's senior leadership before
resigning.

~~~
einhverfr
Not quite. We don't allow general warrants so a court order to decrypt all
internet traffic is not Constitutional. If the NSA was snooping on anything
and everything with a warrant, that is no different than what is happening,
and it is not Constitutional (particularity requirement not met).

What is the problem is the NSA doing this sort of blanket surveillance where a
warrant is normally required but where they make an end-run around the
Constitution.

We require warrants because we require magistrates to require particularity in
the warrant.

But it gets worse. What will come out of this is a massive market for more
secure communications, much of it designed to thwart this sort of
surveillance. The NSA by not respecting our rule of law has now encouraged
people to do exactly what they are afraid of and in the end, wiretaps will now
go dark. The NSA broke their end of the legal bargain and now the entire
government will pay a price, and that price will, no doubt, impede legitimate
law enforcement efforts as well as this.

~~~
MacsHeadroom
Snooping on "anything and everything" traversing the Internet without a
warrant is perfectly constitutional according to SCOTUS, POTUS, most of
Congress, and the 3 letter agencies doing the snooping.

Information traversing the Internet has been legally deemed to not be included
in one's "person, house, paper or effects" and as such is not constitutionally
protected by the fourth amendment.

~~~
einhverfr
> Snooping on "anything and everything" traversing the Internet without a
> warrant is perfectly constitutional according to SCOTUS, POTUS, most of
> Congress, and the 3 letter agencies doing the snooping.

Please provide citations regarding SCOTUS. In fact, given that Katz v. United
States was never overruled, that sounds very suspicious. The closest I think
you can get is Amnesty International v. Clapper but that was a standing issue
and never reached the merits.

~~~
mpyne
EFF has a good page about privacy, including the limitations on privacy for
information provided to a third party.

[https://ssd.eff.org/your-computer/govt/privacy](https://ssd.eff.org/your-computer/govt/privacy)

The "communications records that receive special protection" are limited to
ECPA, I believe, which doesn't apply to NSA since foreign surveillance trumps
that law (though, IANAL so feel free to read and analyze for yourself).

~~~
einhverfr
The third party exception though has come under increasing scrutiny by the
courts more recently. The case which really established it in large measure
was California Bankers Association v. Shultz. This is in many ways more
important than the pen register case of Smith v. Maryland
([http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vo...](http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=442&invol=735))
because pen registers were held in part valid without a warrant due to their
lack of intrusiveness, and in part because the information was not only
conveyed to a third party, but also how they were used by a third party. In
essence Smith v. Maryland held pen registers allowed without a warrant via
"legitimate expectation of privacy" analysis of the sort found in Katz v.
United States in part because everyone relied on the phone companies
collecting this information and that people relied on the phone companies
using this information to be able to track back, for example, harassing phone
calls. If individuals can track back incoming harassing phone calls, there is
no legitimate expectation of privacy when the police look at those records.

The much more concerning line of cases are the banking instrument cases, like
US v. Miller ([http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?navby=volpa...](http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?navby=volpage&court=us&vol=425&page=442#442)) and California
Bankers Association v. Shultz
([http://supreme.justia.com/cases/federal/us/416/21/](http://supreme.justia.com/cases/federal/us/416/21/))
which hold no 4th Amendment protection for banking transaction information.

The problem with communications is that while call detail records fall outside
4th Amendment protection in general, wiretaps require a warrant (see Katz v.
United States) and Smith v. Maryland did have dissenters due to the fact that
it is hard to draw a line between these two. More recently a circuit split has
developed over whether cell site location data is at least potentially
protected. The 5th Circuit (which also holds that all airport searches at
security checkpoints are necessarily consented to, so presumably random strip
and body cavity searches would be Constitutional) says they are not, while the
third says they may be. See [http://crimeinthesuites.com/circuit-split-brewing-over-gover...](http://crimeinthesuites.com/circuit-split-brewing-over-government-access-to-cell-phone-location-data/)

My point is that "knowingly exposed to a third party" is not at all as clear
as the page suggests. The reason this line is there is that it is an
indication that certain information is not really expected to be secret, but
if it was read literally, Katz would have come out very differently and
wiretaps would not require a warrant.

Obviously if you write details of your criminal conspiracy on the back of a
postcard, you can't complain when the postmaster reads it, but when you put it
in an envelope then this would be a search. This sort of line is much harder
to draw regarding papers outside that sort of home or mail environment than it
is in them, but that's largely what I would describe the difficulty to be.
This leads to the question of whether email is like a postcard or like a
letter or a phone call and I don't think the answer is clear.

At any rate I would suggest that this is an area of developing law regarding
electronic communications and I have been watching interesting developments
there just in the last few years.

------
ferdo
"Perhaps you think your E-mail is legitimate enough that encryption is
unwarranted. If you really are a law-abiding citizen with nothing to hide,
then why don't you always send your paper mail on postcards? Why not submit to
drug testing on demand? Why require a warrant for police searches of your
house? Are you trying to hide something? You must be a subversive or a drug
dealer if you hide your mail inside envelopes. Or maybe a paranoid nut. Do
law-abiding citizens have any need to encrypt their E-mail?

What if everyone believed that law-abiding citizens should use postcards for
their mail? If some brave soul tried to assert his privacy by using an
envelope for his mail, it would draw suspicion. Perhaps the authorities would
open his mail to see what he's hiding. Fortunately, we don't live in that kind
of world, because everyone protects most of their mail with envelopes. So no
one draws suspicion by asserting their privacy with an envelope. There's
safety in numbers. Analogously, it would be nice if everyone routinely used
encryption for all their E-mail, innocent or not, so that no one drew
suspicion by asserting their E-mail privacy with encryption. Think of it as a
form of solidarity."

Phil Zimmermann, 1994

[http://www.pgpi.org/doc/whypgp/en/](http://www.pgpi.org/doc/whypgp/en/)

~~~
mpyne
You know what's beautiful about the mail example?

Who delivers those letters? In the U.S., and many other countries, it's the
_government_.

You're literally handing your letters to the government and asking them to
deliver them to the intended recipient without peeking. In short, you are
_trusting them_ to do the right thing, because they certainly could look
inside the envelope if they really wanted to.

Legal safeguards are your only defense against the government here, but we the
people generally consider it a solid safeguard.

But if it were to even be _suggested_ to send email using government-provided
networks (even encrypted email) you'd be laughed right out of any hacker con
you attend.

It's a pretty surreal difference IMHO.

~~~
cinquemb
Maybe if it were possible to be notified when the contents of files are
opened/read, and somehow change the appearance (or state of them) to some
extent that people know that something has been tampered with, like with
enveloped mail and custom seals people used to send mail during the colonial
America/pre-revolutionary times because mail was being opened and read…

~~~
mpyne
You could take those countermeasures even now if that's something in your
threat model.

But for the vast, vast majority of people it's apparently _not_ something they
worry about. They indeed simply trust the government to obey the law.

~~~
cinquemb
I know one can take those countermeasures now ;)

Luckily, the vast majority of people aren't really needed to bring about
change because most people do nothing because their blind trust doesn't
require them to… Only just a relatively few methodically dedicated people who
have the ability to see beyond and work through their current circumstances
and help forge the future they want to see, are all that are needed.

------
aray
It would be great to break through the "if you have nothing to hide" line and
push that responsible citizenry need security (and cryptography) as well.

I am also the other.

~~~
malandrew
I think Martin Fowler has written one of the better arguments that appeal to
the "I have nothing to hide" crowd, in "Privacy protects bothersome
people"[0]. It's worth sharing with anyone who thinks that just because they
have nothing to hide, it doesn't mean that they are not beneficiaries of those
that do have something to hide. Privacy is one of the few things that protect
those that protect us from the transgressions of our government.

[0] [http://martinfowler.com/articles/bothersome-privacy.html](http://martinfowler.com/articles/bothersome-privacy.html)

~~~
Symmetry
I actually think the biggest danger is the NSA digging up dirt on politicians
_a la_ J. Edgar Hoover. If details of my sex life were made public I'd be
embarrassed but my employer wouldn't care and my life would go on. For a
politician, though, scandal means losing your job.

~~~
sseveran
Unless of course you can be made to look like a bad person and the
twitterverse blows up.

------
devx
> _"I wonder: what if a substantial number of Americans started using strong
> crypto on a routine basis?"_

That may happen anyway, in time, if this situation is not fixed, but it could
happen _so much faster_ if companies like Google, Microsoft and Facebook (ok,
I know I'm really pushing with this one) who have services used by over a
_billion people_ would offer a very secure end-to-end communications platform,
_by default_, and in a very transparent way (being able to check for sneaky
backdoors pre-encryption, or anything like that).

They don't even have to do it _for everything_, especially the parts which
are meant to be more public anyway, but there's absolutely no reason why IM's
couldn't be _completely private_ - from everyone and anyone, including the
companies themselves.

So what are you waiting for Google, Microsoft and Facebook (and others, too)?

~~~
smsm42
You understand that any platform offered by any company with substantial
presence in the US would have full access to any data provided to NSA and law
enforcement agencies, in most cases under gag order preventing them from
disclosing that fact? It can not be any other way - US government has full
jurisdiction in the US, and if US law says US citizens can not have privacy
from the government and have their data not be accessible by the government -
and that is what current interpretation of the law seems to be - then any
provider on the US soil, including Google, Microsoft and Facebook - has no
other option but to comply with the law?

~~~
derefr
It'd be interesting if US, Russian, and Chinese entrepreneurs got together and
agreed to build start-ups for _one-another's_ citizens, where the US brand
was run from Russia, the Russian one from China, etc. Now _that'd_ get some
people on terrorist watch-lists.

~~~
smsm42
I think the temptation would be too great for the respective governments to
resist, and given that surveillance against foreigners would not even cause a
significant public backlash, those would be compromised even quicker. Right
now the whole story blew up because NSA is spying on Americans. If Snowden
revealed that NSA is mass-collecting information on Chinese or Russians, the
only response would be "keep up the good work, guys!".

~~~
derefr
Well, sure, it decreases the amount of "security by angry-mob-if-you-screw-up"
you get, but it increases the amount of "security by inability to legally
compel keys from the companies involved." I'm not sure whether that's
positive- or negative-sum, actually.

------
brown9-2
_"I wonder: what if a substantial number of Americans started using strong
crypto on a routine basis?"_

They already do! Everyone who makes Amazon purchases, or sends Facebook
messages, or does online banking is all using some form of strong crypto.

Does our government treat all e-commerce shoppers as "bad guys"? No.

~~~
gknoy
Perhaps I am cynical, but my bet is on "Yes, let's collect that too Just In
Case".

------
iandanforth
"Thousands of Americans have fought and suffered and died to preserve freedom
over our history — does it make sense to sacrifice freedom now because the
state tells us people will die if we don't?"

This.

~~~
205guy
I agree with the sentiment of the passage you quote (and the original article
in general), but I actually think historical circumstances are a bit different
than "Americans have fought and suffered and died to preserve freedom over our
history."

Yes, Americans have fought and suffered and died to preserve some nebulous
definition of freedom, but not the Americans you think--nor the freedoms you
think. I'm not sure how the original author meant the statement, but usually,
statements like that refer to American soldiers who fought in wars that are
assumed to have preserved US freedom. But not since 1812 have the US armed
forces needed to defend the territory where the freedoms enshrined in its
constitution are in effect. For the US civil war, there was no black nor white
(to make a bad pun) on the Union side, so I'll call that a wash on preserving
freedoms. Yes, during the world wars, the US projected its power and helped to
reinstate freedoms in Europe (almost exclusively), but we're not talking about
the defense of Europe here.

One could argue that by using and projecting military power and becoming the
sole remaining world superpower, the US has preserved US freedoms by pushing
our "borders" further away and engaging the "enemies" of said freedoms before
they reach us/US (which is why 9/11 was such a shock, similar to the Vandals
sacking Rome). I think that's a stretch, given that much of our recent
military action seems directly aimed at preserving access to petroleum energy,
not actually preserving freedoms.

Taking the Howard Zinn approach to US history, there have always been US
citizens who are denied their freedoms within the US. From native Americans in
the 19th century, to labor movements in the early 20th century, targets of
McCarthy, civil rights activists, to occupiers of the 21st century. Many of
these did suffer and die because they dared to oppose the political and
economic status quo, and relied on their freedoms of speech and assembly to do
so.

And to be frank, they preserved nothing. The freedoms were always trampled
whenever it suited the powers-that-be. In other words, exactly what's
happening now.

I think now _feels_ different because the internet gave us a taste of true
freedoms. Freedom to publish your speech to the world at almost zero cost.
Freedom to find and network with like-minded people. Freedom to have political
influence just by writing a blog. Freedom to enact change lawfully and
peacefully by rallying against WallSt corruption, revealing the extent of the
Military-Industrial Complex, questioning the wars, questioning the powers-
that-be.

It turns out, we never really had those freedoms on the internet. Edit to add
one of my favorite pithy sayings: same as it ever was.

------
frank_boyd
> Would it be better to say back to the government "no thank you" and accept a
> higher risk of terrorist attack if it means not living in a society of
> entitled spies?

Of course it would be better, b/c:

Right after the argument for the right to privacy comes the fact that _there
literally IS no terrorism_ (in western countries, anyway - I'm not talking about
places like Iraq after the invasion etc.). We've been brainwashed by our media
to _think_ there is. Just take a look at some numbers:
[http://www.washingtonsblog.com/2011/06/fear-of-terror-makes-...](http://www.washingtonsblog.com/2011/06/fear-of-terror-makes-people-stupid.html)

Conclusion (as an example): If we know that "You are 8 times more likely to be
killed by a police officer than by a terrorist", then we'd first need to fight
the police officers before pouring billions into a surveillance state.

------
jusben1369
So I was really excited then disappointed as I clicked through. I thought it
was going to be a developer who helps the NSA crack encryption. No offense to
anyone here but the last thing I need is another article around the NSA and
snooping from someone.

Who here wouldn't love to hear from a developer who's helping with this and
has strong beliefs in their reasons for doing it?

------
anigbrowl
_I mean I am the "other" contemptuously categorized by my government, a vast
category of people with an interest in using encrypted communications to
thwart my government's attempt to spy on me._

The government almost certainly doesn't want to spy on you, it just wants to
be able to find spies and other bad actors among you.

I have to admit to taking a jaundiced view of these complaints, since for
almost 20 years the US has maintained an immigration regime in which illegal
aliens have virtually no legal path to residency (despite many of them having
no criminal record - unauthorized presence in the US is a violation of
administrative rather than criminal law, and it only becomes a criminal matter in
the case of deportation and repeated unlawful re-entry); illegal immigrants
can be detained incommunicado for up to _6 months_ without any right to a
hearing, have no right to provided counsel, and enjoy very few constitutional
protections (in general, those extended to 'persons' rather than 'citizens' or
'the people'). _Leaving_ the US imposes a whole raft of additional sanctions
on such a person (eg a 3 or a 10 year banishment during which the person may
not even apply to re-enter the country) which don't apply to people who stay,
and thus create a strong economic incentive to remain, resulting in an
entirely legal underclass of about 11 million people who have even fewer
rights than ex-felons. 'But they broke our laws' is the response of most
people, as if the laws were not the responsibility of the legislators and
people who elected them, but had come down from heaven.

I'm not excusing the NSA's overbroad vacuum-cleaner approach to gathering
metadata, busting encryption and so on, other than to note it's not very
different from the kind of data collection private actors fiercely defend the
right to engage in, saying that the onus is on the data owner to use good
security. But it's very hard for me to give a sympathetic ear to complaints of
tyranny from people who seem happy to tolerate a system that severely curtails
the freedom of several millions of their neighbors.

~~~
lukejduncan
> The government almost certainly doesn't want to spy on you, it just wants to
> be able to find spies and other bad actors among you.

Maybe that is true today. My fear is that tomorrow they will want to spy on
me. Why? Because the definition of "bad actor" has serious scope creep. I
think this is the author's point.

~~~
anigbrowl
It's a point I don't agree with. The scope grows and shrinks. Up to 10 years
ago, there were parts of this country where two men having gay sex (or indeed,
any two people having the 'wrong' kind of sex) were committing a criminal
offense. This only became legal because a man who was arrested in Texas in
1998 for doing so in his own home appealed the case up to the Supreme Court
([http://en.wikipedia.org/wiki/Lawrence_v._Texas#Arrest_of_Law...](http://en.wikipedia.org/wiki/Lawrence_v._Texas#Arrest_of_Lawrence_and_Garner)).

As of 2013, the Federal government is required to recognize gay marriage and
no adults engaged in consensual sexual relations can be hit with criminal
charges in the US. That's a significant _shrinkage_ in the scope of state
power.

It's a two way street. Just as the notion that government is always benign or
correct (a subset of the just world fallacy) is flawed, so is the libertarian
trope that government is always oppressive and encroaching (a subset of the
mean world fallacy). In the context of this conversation, I agree that the
NSA's reach is overbroad, which is worrying because of the potential for
government blackmail or overprosecution; but on the other hand I note that
things you could have been blackmailed with or prosecuted for up to quite
recently - and which had been considered serious crimes going back to ancient
times - are no longer criminal, which is an enormous step forward for
individual freedom.

~~~
cliffu
They sure scope creeped with the CFAA, though. Downloading too many PDFs is a
felony. Changing your user agent is a felony.

And then against the First; sharing links to websites that stream videos is a
crime once we get you extradited here. Writing a tasteless joke online is a
felony that warrants half a million for bail. Sharing a link to documents we
don't want you to see is a felony.

Maybe they're not always oppressive. But it's reasonable for us to assume the
possibility of scope creep. And it's reasonable to not want them to have all
our communications stored against the event.

------
Revisor
I am the spied upon Other, because I'm not an American. I don't have a voice
in your debate, no representative, no senator, no amendment. My only hope is
that privacy becomes a generally accepted human right.

~~~
lkbm
I think your only hope is that we develop a robustly secure Internet.

------
pyaniv
Well...NSA is built by a democracy. The people wanted war..their
representatives gave it. The people wanted spying...their representatives gave
it to them. Only a minority doesn't want these. In a democracy, minority
loses. Unfortunately, it turns out the majority are stupid..anywhere in the
world. So, just have to live with it, hoping they get intelligent someday.

------
rasur
We are all The Other now.

~~~
Finster
By claiming you are The Other, that clearly places you in the category of
domestic terrorism. You are no longer The Other.

