
Tech Companies Fight Back After Years of Being Deluged with Secret FBI Requests - uptown
https://theintercept.com/2016/06/21/tech-companies-fight-back-after-years-of-being-deluged-with-secret-fbi-requests/
======
bgentry
_The FBI’s decision to ask companies for everything and let them figure out
what they’re required to turn over has had the effect of potentially putting
smaller companies with fewer resources at a disadvantage, say national
security attorneys. Without expensive legal representation and a familiarity
with the law, companies might turn over more content than is necessary._

You'd think the FBI wouldn't be able to just demand all kinds of stuff they
have no legal right to.

It's sad that the current state of our legal and political systems allows this
sort of tactic to be effective and go unpunished.

~~~
nostrademons
Liberal democracies usually operate under the principle that you can ask
anything you want of someone, and it's up to them to say "no" if they find it
disagreeable. The law is then there to step in when there is a dispute and say
which party is right. Even the Bill of Rights depends upon people specifically
asserting their rights; if a person voluntarily chooses to incriminate
themselves, they've still incriminated themselves, the 5th amendment just
states that if the government asks them to bear witness against themself and
they refuse to speak, they have done nothing wrong.

While this can lead to unfortunate power imbalances and information
asymmetries, it's hard to see how the legal system could operate otherwise. If
people were forbidden from asking - who would do the forbidding? What if this
is used to prevent contracts that would legitimately be in the best interest
of both parties? What if it were used to prevent emerging power centers from
challenging the power of the organization that can determine what's legal to
ask? How would you even know that such a question has occurred, if one party
says "Don't talk about this"?

Probably the best we can hope for is for Congress to pass a law specifically
enumerating what electronic records the FBI may request. That seems to be what
this article is calling for - consciousness-raising, and public debate.
There's plenty of precedent for this, eg. the Miranda rights came from a court
case where it was determined that police could not simply _assume_ that a
suspect was aware of their constitutional rights, and had to explicitly have
them enumerated. But the fact that this needs to be handled on a case-by-case
basis is a feature of the legal system, not a bug.

~~~
EGreg
It is one thing to ask, quite another to demand and claim that the law is able
to compel the other party to comply. Especially materially misrepresenting the
law during a demand by a powerful party that should have known better. Do you
think we can't distinguish this from a regular request?

~~~
brokenmachine
They should be required when asking for something to state whether it is a
lawful order or a request.

But the real problem is that the government would lie anyway and can't be
trusted. It's sad that our "protectors" have become so corrupt and
dishonorable.

Oh, also there should be real consequences when agencies are caught lying or
being dishonorable. I can dream, right?

~~~
ipsin
The problem with the "lawful order or request" split is that, even if they
make it very clear, there's the implicit threat of escalation if you don't
agree.

Today you refuse a request. Maybe tomorrow they convince a judge to let them
very publicly come to your offices to take the data.

I suspect that fear drives many people and companies to cooperate, even if
they understand that there's a choice.

~~~
EGreg
They can convince a judge to do that anyway, _if it was a lawful request_.

~~~
brokenmachine
Exactly.

I believe the next step after a request would not be a search warrant, it
would be a warrant for the data lawfully requested. A company would not be
able to refuse such a lawful request. IANAL though, so what do I know.

------
kyledrake
One not-perfect trick: Stop retaining sensitive information. There is
_nothing_ in law that forces you to retain things like IP addresses.

[https://www.eff.org/issues/mandatory-data-retention/us](https://www.eff.org/issues/mandatory-data-retention/us)

Then they can harass you for data all the time with illegal shit "court"
orders and you can give them garbage and they can do nothing about it.

This is the best method I've seen for dealing with this problem on a budget.
Unfortunately the tradeoff is losing a lot of not-especially-effective tools
for dealing with spammers and the like.

~~~
abraae
As far as IP address goes, you could store a cryptographic hash of the IP,
rather than the IP itself. That would prevent you from, say, identifying
entire subnets used by spammers, but would be better than nothing.

You'd just need to do the hashing with some kind of tamperproof keystore that
exploded when the FBI fiddled with it.

~~~
woodman
This wouldn't work without some really bizarre implementation that would make
it less of a hash and more of a cipher. The range of potential values is too
small and highly structured, generating a rainbow table would be braindead
simple.

> ...tamperproof keystore that exploded...

So not one way hashes then?

~~~
kyledrake
Generating a salt and tossing it into scrypt would break any rainbow table
attempts, but it's still only 4,294,967,296 or so addresses for v4. It's
pretty hard for a small government to do it, but I wouldn't put it past the
NSA.

This is how we've implemented IP address retention at Neocities, BTW:
[https://github.com/neocities/neocities/commit/4983a9b24eac00...](https://github.com/neocities/neocities/commit/4983a9b24eac00b8d8bfd300a18cdcee0152a271)

Step two is to throw them away after x amount of time. It's not perfect, but
there you go. The best way is still to throw them away from the beginning, but
we do need them for spammers and the like.

~~~
woodman
Subtract 588 million reserved IPs, as well as 2 from each subnet (0 and 255).
There are also a lot of blocks that are publicly routable but see no use on
the internet. If I were to build a rainbow table, I'd start with blocks
assigned to ISPs, then throw in the results of publicly available distributed
internet surveys, only then would I start the algorithmic address generation.
Same story for IPv6. I really don't think it is a state actor level problem,
but if it is it won't be for long.

~~~
kyledrake
Right, no I agree, except that the rainbow table won't work if you used a
salt. You'll need to brute force it for that particular salt value.

Still quite doable, if you have the right resources at hand. As you pointed
out, it's less than the entire IPv4 space too.
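
The following is an added example, not part of any comment in this thread and not Neocities' code. It sketches the scheme discussed above (salted scrypt digest of the address, then purge after a retention window) and measures why a salt stops precomputed tables but not a per-salt exhaustive search. The scrypt parameters, the single site-wide salt, the function names and the documentation-range sample addresses are all assumptions.

```python
import hashlib
import ipaddress
import os
import time

# Assumed scrypt cost parameters; not taken from the thread or from Neocities.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
IPV4_SPACE = 2**32  # the 4,294,967,296 figure quoted in the thread


def hash_ip(ip: str, salt: bytes) -> str:
    """Salted scrypt digest of an address in canonical packed form."""
    packed = ipaddress.ip_address(ip).packed  # raises ValueError on malformed input
    return hashlib.scrypt(packed, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32).hex()


def purge_expired(records: list, now: float, max_age_s: float) -> list:
    """'Step two' from the thread: drop hashed records past the retention window."""
    return [r for r in records if now - r["seen"] <= max_age_s]


def search_range(target: str, salt: bytes, network: str):
    """Self-audit: with the salt known, can a digest be matched within a range?"""
    for addr in ipaddress.ip_network(network):
        if hash_ip(str(addr), salt) == target:
            return str(addr)
    return None


def full_space_days(per_hash_s: float, workers: int = 1) -> float:
    """Upper bound on wall-clock days to hash every IPv4 address for one salt."""
    return IPV4_SPACE * per_hash_s / workers / 86400


if __name__ == "__main__":
    salt = os.urandom(16)                      # one site-wide salt (assumption)
    digest = hash_ip("203.0.113.9", salt)      # constructed sample address
    start = time.perf_counter()
    found = search_range(digest, salt, "203.0.113.0/28")
    per_hash = (time.perf_counter() - start) / 10   # 10 candidates were hashed
    print("matched:", found)
    print("one core, full IPv4: %.0f days" % full_space_days(per_hash))
    print("1000 workers:        %.1f days" % full_space_days(per_hash, 1000))
```

The estimate scales linearly with the number of workers, so the retention purge, not the hash, is what bounds exposure of old records.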

------
rsync
The rsync.net warrant canary is 10 years old this year.

[https://www.rsync.net/resources/notices/canary.txt](https://www.rsync.net/resources/notices/canary.txt)

~~~
rms_returns
Just curious, why is a latest newspaper headline part of a warrant canary?

~~~
null0pointer
The idea with a canary is that some government request can stop you from
disclosing that request ("hey everyone we got subpoena'd") but they can't stop
you from NOT updating a page. Putting a newspaper headline on the page
basically provides a timestamp so anyone checking can go "hey, their canary
hasn't been updated in 6 months... maybe something happened". At least that's
my understanding of it.

~~~
ViViDboarder
Would a date not suffice?

~~~
null0pointer
You can't put the headline in there before it's been published, whereas you
can put any date you like.

------
jfoutz
I wonder if companies could just invoice the FBI for document processing or
administrative fees. Just follow the FOIA fee structure. Or, charge a whole
lot.

You can't make the NSL public, but it's not like you're complying with a
warrant or something that would be immune from fees.

Of course the government will refuse to pay, so you sue. Presumably you could
subpoena the emails around the NSL without disclosing the NSL. "We need to get
this information from $tech_company", $tech_company provided the information.
pay me.

------
arca_vorago
The FBI et al issue NSL's without a court order and on their own prerogative
correct?

In that case the FBI can _get a warrant_ like the constitution they swore to
uphold demands of them.

I'm tired of people bending over backwards for unconstitutional poppycock like
warrant-less surveillance. It's a fundamental part of _the supreme law of the
land, the constitution!_

------
rhizome
A more-detailed exposition on the topic:
[https://www.emptywheel.net/2016/06/21/key-details-about-the-...](https://www.emptywheel.net/2016/06/21/key-details-about-the-mitch-mcconnell-bid-to-expand-fbi-surveillance/)

------
vonklaus
> The FBI’s decision to ask companies for everything and let them figure out
> what they’re required to turn over has had the effect of potentially putting
> smaller companies with fewer resources at a disadvantage, say national
> security attorneys. Without expensive legal representation and a familiarity
> with the law, companies might turn over more content than is necessary.

Tech companies should just turn over more than they're required. If they demand
info on 5 users, send 10K gzipped blend of fake & real users and random images
from imgur.

~~~
bllguo
It's fun to speculate on things like this but when in the shoes of a small
company faced with that request, without the clout of places like Apple and
Google, I would _not_ want to piss off the FBI.

~~~
nxzero
Who's the FBI?

------
nxzero
It would be curious to know if given the choice of supporting mass
surveillance or not being able to use services and products from brands like
Apple, Google, Microsoft, Wikipedia, etc. - what consumers would choose.

If they'd opt to use those brands, seems like the answer to change may be very
simple.

~~~
brokenmachine
I feel like the public has already implicitly chosen convenience over privacy
and freedom.

IMO it is up to us techies to come up with a private and open system that
offers the same conveniences without the privacy problems.

The perfect system to me would support:

- distributed (p2p) to avoid isolated silos and censorship

- Tor-style privacy

- encryption

- multi-user database support to allow dynamic sites (ie users have access to
store their own posts/data on a site), not just static pages

- distributed torrent-style downloading and streaming of large files

- some kind of bitcoin payment system for people mirroring sites?

Zeronet combined with Tor is very interesting to me, although currently it
doesn't support large file chunking or payment-for-storage.

IPFS is good but doesn't have the privacy or multi-user database support.

~~~
Qantourisc
Freenet comes close, no database or torrent iirc though. Or dynamic sites (to
my knowledge).

~~~
brokenmachine
It also seemed very complicated to put your own sites up on Freenet. Seems
like it's pretty easy for an individual to put something up on IPFS or
Zeronet.

------
walid
_“Had the FBI put a reasonable position on the table … five years ago they
probably would’ve got that through,” Gidari argues. “They’re their own worst
enemy on this stuff.”_

------
beedogs
At this point, I honestly fail to see why the FBI is allowed to continue
existing. They seem antithetical to a democratic society.

------
ianpurton
Just playing devil's advocate but...

Aren't the FBI the good guys going about catching criminals and terrorists? So
aren't we morally obliged to help rather than stamp our feet and say no and
then publish a blog post about how we are fighting back against the tyranny of
law enforcement. FFS.

~~~
simonh
Do you think that government agencies are beyond reproach and should not be
held accountable for their actions?

Unfortunately the FBI has a long history of activities clearly contrary to the
public good.

