
Tech Companies and Government May Soon Go to War Over Surveillance - kristiandupont
http://www.wired.com/opinion/2013/08/stop-clumping-tech-companies-in-with-government-in-the-surveillance-scandals-they-may-be-at-war/#!
======
sseveran
I figure that the NSA will simply subpoena the private SSL certs with a gag
order. That gives the companies involved plausible deniability since XKeyScore
(and XKeyScore whatever is next) can just record all the raw internet traffic.
I don't see how large technology companies will be able to fight back. SSLv3
includes Perfect Forward Secrecy via ECC but it is not widely used.

~~~
devx
Browser vendors (which seem to coincide with many of these tech companies
involved) can also use certificate pinning:

[http://tack.io/](http://tack.io/)

Or we can all start to use something like this (both projects are from Moxie
Marlinspike):

[http://convergence.io/](http://convergence.io/)

~~~
michaelt
There's not much you can do to detect MITM by someone who has subpoenaed the
private SSL certificates, is there?

I mean, there's no way to tell apart the certificate from the intermediary
from the cert from the endpoint as they're the same.

~~~
a-priori
No, if the private keys are compromised (such as via a subpoena) then a man-
in-the-middle attack is trivial.

Worse, if a trusted certificate authority's private key is compromised, then
the TLS public-key infrastructure as a whole is broken. An attacker who can
also intercept traffic (e.g. by routing traffic through a data centre they
control) can execute a MITM attack by issuing their own TLS certificate for
any domain.

The only way to detect such an attack would be to notice that one time you
connect to a site you see the legitimate key, and another time you see the
attacker's key. That's what certificate pinning detects.

At this point it's probably safe to assume that the NSA has compromised at
least one certificate authority's private keys via a subpoena and gag order
and can therefore do MITM attacks on TLS traffic.

~~~
sseveran
With SSLv3 you can prevent MITM attacks as well as replay attacks where the
cert is compromised in the future. The SSL cert is used to verify the identity
of the server. Once the handshake is completed a symmetric key is chosen for
the session using Diffie-Hellman key exchange
([http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exch...](http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange))
to compromise the session the NSA would have to subpoena the data from the
servers memory (a real possibility) but would be unable to attack any sessions
that had been previously recorded. This is called Perfect Forward Secrecy
([http://en.wikipedia.org/wiki/Perfect_forward_secrecy](http://en.wikipedia.org/wiki/Perfect_forward_secrecy)).
It is supported by OpenSSL using elliptic curve Diffie-Hellman. If this was
adopted universally it would make conventional attacks on SSL impossible
without compromising the servers memory. However there is still a risk that
any government may compel a company to preserve the session keys under a gag
order.

If a CA is compromised then we have much larger problems since it is
impossible to verify the identity of the participants in the session. Since an
attack was used to create valid certificates as part of the attack on Iran's
nuclear program it is likely that other attacks exist and are in the hands of
the same actors. We can't move to ECC based SSL fast enough.

------
DannyBee
Historically, the government has won every political fight about this (I guess
nobody remembers CALEA, or it's predecessors), and been roundly supported by
both law enforcement and the populace at large.

Outside of the tech community, i have yet to hear large amounts of actual
outrage.

I thus predict the same outcome as say, patents:

Techies will complain on techie-friendly websites about how it sucks, rather
than doing something productive like repeatedly contacting their
congressfolks, requesting and having real live meetings with them.

People will propose technical solutions, apparently oblivious to the fact that
the government will simply require you not to use them (as they have in the
past).

Nothing will change.

Techies will then blame the tech companies for losing this war, or blame it on
not spending enough money on lobbyists, or some bogeyman that does not require
realizing the harsh truth: As a whole, techies refuse to actually get involved
when it's something that actually requires doing something other than coding
or writing comments on a website.

Instead, they rely on EFF and other orgs, which are simply not enough.

~~~
snitko
Contacting congressfolks is useless. I don't know where you guys get this idea
that it actually works, but if you simply look at incentives (not expectations
of how it's supposed to be) government officials have absolutely no incentives
to change their policies even if a large enough group of people demands it.
Whenever something is inconvenient to a government, this group of people can
simply be ignored, because nothing else would follow. No uprisings, no media
coverage, and, most importantly, no reduction in financing (taxation) -
nothing. The people in government know this very well, but, of course, they
are interested in perpetuating this myth, because it adds legitimacy to them.

~~~
pampa
> no reduction in financing (taxation)

If you look at the GDP to national debt map on wikipedia you will notice, that
most (if not all) first world countries, the beacons of human rights and
democracy, owe more that they can produce in the foreseeable future. It is not
the tax money they are spending.

~~~
dragonwriter
> If you look at the GDP to national debt map on wikipedia you will notice,
> that most (if not all) first world countries, the beacons of human rights
> and democracy, owe more that they can produce in the foreseeable future.

The highest debt:GDP ratio on the list under either measure is Japan's under
the CIA measure, at a little over 200% of GDP. That's not more than it can
produce in the forseeable future (its a little more than it produces in two
years.)

It may be more than they can are likely to pay off in the forseeable future,
but then, that's a completely different story.

> It is not the tax money they are spending.

That's not a question that is addressed by debt:GDP ratio, its a question that
is addressed by deficit:budget ratio, which is a very different beast.

~~~
pampa
Well, there is a chart for that on wikipedia too, and it doesn't look good
either. And I'm not talking about Japan.

There was a country just a little over 20 years ago that was in debt up to its
neck and was trying to do global surveillance and project global power. Half
of the world was screwed when it fell, and not everybody in the eastern block
did recover yet. God help us all if this happens to the usa.

~~~
dragonwriter
> Well, there is a chart for that on wikipedia too, and it doesn't look good
> either.

After you misrepresented the last one without actually linking to it, I'm not
really inclined to expend the effort to verify your characterization of this
one.

> There was a country just a little over 20 years ago that was in debt up to
> its neck and was trying to do global surveillance and project global power.

AFAICT, the Soviet Union, just before it fell, had an estimated $65-$100
billion in foreign debt with a GDP on the order of $2.5 trillion -- it wasn't
really "in debt up to its neck".

------
einhverfr
I think we are going to see a massive showdown over crypto backdoors, the
likes of which we have not seen yet. I am further not sanguine about the tech
companies coming out on top this time.

The problem, as the article points out, is that people are demanding greater
security, and government abuse is driving this. That security comes at a cost
for things like wiretaps. The choices are bleak and the showdowns are
commencing. Dangerous times.....

~~~
jerf
"I am further not sanguine about the tech companies coming out on top this
time."

Remember, though, this isn't just "government vs. the little guy". There are
large interests that don't particularly care for the US government
intercepting their every move. Some of these may sue, some may contribute to
furthering encryption technology, who knows what else.

My personal feeling is that the NSA's surveillance is going to slowly but
surely get much harder over the next few years. Centralization was convenient,
but if there's enough push to decentralize, it can be done, and will be done.
And further, the exact stuff that the NSA is most interested in is going to be
the first to go.

We're overdue for another wave of decentralization anyhow.

~~~
wmeredith
>>> And further, the exact stuff that the NSA is most interested in is going
to be the first to go.

It's already gone. That's what's so insidious about this whole
NSA/CIA/FBI/DHS/DEA debacle: it's all a wasteful charade. They haven't caught
__anyone__. They haven't stopped __anything__ of import. It's a bunch of
bureaucrats playing cold war with real lives and money. They shouldn't have
access to anything because they don't DO anything worthwhile with it.

The world is getting safer. Information/education (power) via technology is
being shifted to the individual in a big way and they HATE it because it makes
them irrelevant. The current state of the government three letter agencies is
an ongoing FUD apparatus that exists for almost no other purpose than self
sustenance.

The NSA has systematically and illegally shared information with the DEA and
other domestic law enforcement[1]. It has done so while encouraging them to
cover it up using “parallel construction” to establish probable cause for an
arrest. The FBI entraps people into terror plots and then "busted" them[2].
The ATF sells guns to the Mexican drug cartels[3].

Look at the sources below. It's Forbes, The New York Times and The Washington
Post. This isn't edge case conspiracy theory. This is systematic
institutionalized corruption covered daily in the main stream press .

The military industrial complex and it's self-sustaining security theater is
eating billions (trillions?) in real tax payer money and costing us god knows
what via chilling effects and opportunity costs of human lives ruined or
snuffed out. It makes me sick to think about the scale of the losses.

The only good news is we (as in we, the people) are winning, as of now. We can
all still talk about this stuff without secret police showing up at our door.
And, more importantly we ARE talking about it. Everyone is pissed, congress'
approval rating is 11%. Pretty soon everybody will know everything. Obama,
Holder, Clapper and co have a lot more to hide than we do. That's why the
government and their financiers are so freaked out and paranoid.

[1] [http://www.washingtonpost.com/blogs/the-
switch/wp/2013/08/05...](http://www.washingtonpost.com/blogs/the-
switch/wp/2013/08/05/the-nsa-is-giving-your-phone-records-to-the-dea-and-the-
dea-is-covering-it-up/)

[2]
[http://www.nytimes.com/2012/04/29/opinion/sunday/terrorist-p...](http://www.nytimes.com/2012/04/29/opinion/sunday/terrorist-
plots-helped-along-by-the-fbi.html?pagewanted=all&_r=0)

[3][http://www.forbes.com/sites/realspin/2011/09/28/fast-and-
fur...](http://www.forbes.com/sites/realspin/2011/09/28/fast-and-furious-just-
might-be-president-obamas-watergate/)

~~~
codyb
I really feel as if when Obama was elected someone walked into the Oval Office
and said "Hey. Nice speeches. Now here's how the world works so try to keep
the ball rolling as long as you can." and he probably just said "Fuck."

Once someone puts the whole picture together and the middle class continues to
decline, and the rich get richer, and the poor get poorer, and the safety net
gets dismantled more and more (although Obama Care is at least a step forward
I'd say), and the prisons keep expanding, and the endless drug war keeps going
on, and the debts keep rising, and the population keeps expanding, and the
costs of goods keep going up and up, and the whole myriad of other things that
are going on in secret and out in the open, well... I'd imagine it's not going
to be pretty at best. Hopefully things can change slowly and we can avoid all
the whole house of cards collapsing, but who really knows?

~~~
richardjordan
Not to mention resource depletion and the peaking of flow rates in oil
extraction.

------
seiji
I've always toyed with the idea of tech companies gearing up militarily. Let's
see Google Hellfire Missile Drones defend their datacenters against Facebook
Autonomous Cockroach Bots with kilograms of incendiaries embedded in them.

Just watch out for Apple's that's-no-office-building spaceship. (It's easier
to disguise a launching platform as an office building rather than build an
(undetected) assembly platform in LEO.)

~~~
walshemj
They would lose this isn't CP2020 :-)

That's a nice little phone company you have their Mr Brinn it would be
terrible if something happened to your telecoms licence.

------
forgotAgain
Makes a nice headline for a Friday afternoon. Unfortunately it will never
happen. Tech company leaders don't have the stones while the government has
guns and prisons.

------
16s
Ban crypto and then only criminals and governments would have it. Same as
guns.

~~~
Jayschwa
Pedophiles and terrorists use high-strength crypto to transmit dangerous and
illegal information. There's no reason normal citizens need high-strength
crypto. Besides, if it came down to it, do you really think your crypto would
stand a chance against the government's three letter agencies? You can still
protect yourself from passive script kiddies with ROT13.

~~~
sukuriant
For those that didn't catch it, Jay is using a mock version of the anti-gun
argument in his response here. I'm pretty sure his views aren't that at all
(but a part of me is terrified to think that someone will use his response as
a defense for crypto to not be in normal users' hands, taking what he said
completely out of context)

~~~
EthanHeilman
Wait until they start using words like "assault crypto" or military grade-
crypto. Why does any citizen need the crypto that is used in warfare? They
aren't in combat, why do they need more than 54-bit keys? Who are they so
worried about anyway?

~~~
hga
"There is no need in American civilian life for these weapons of war."
([https://en.wikipedia.org/wiki/Enigma_machine](https://en.wikipedia.org/wiki/Enigma_machine))

The next time they come for the gun owners (well, that would be yesterday:
[http://www.pagunblog.com/2013/08/29/obama-issues-
executive-o...](http://www.pagunblog.com/2013/08/29/obama-issues-executive-
orders-to-screw-us/)) you might want to consider that this set of rights is
indivisible.

------
RyanMcGreal
"You want us to execute that warrant for you? Ok, sure, but the user will get
a nice big popup warning telling them that their messages are likely being
intercepted!"

I'm pretty sure that would be illegal in the case of an NSL.

~~~
tomjen3
Has the supreme court ever ruled on NSL secrecy vs the fourth amendment?

~~~
magicalist
I don't think there's really any overlap there. The overlap with the 4th would
be less about secrecy and more if someone demanded full content from an
account, since NSLs are not warrants (legality of procuring "metadata" without
a warrant is the much larger issue there, but so far courts have been ok with
it).

The secrecy part _can_ be a violation of the 6th amendment (right to confront
your accuser), but theoretically evidence procured under the NSL will be
produced by trial time (except when shown to conflict with national security,
which judges can sometimes accept too readily).

The real problem with secrecy is the first amendment, since you are forcing
people to not divulge that they received an order to hand over information.
Typically prior restraint like that is heavily circumscribed to protect an
ongoing investigation but no further, which means that _indefinite_ gag orders
should have correspondingly extraordinary justification. Considering the
hundreds of thousands of NSLs that have been issued, this seems unlikely to be
the norm.

The first amendment approach has been successfully[1] argued by the EFF at the
district court level. This has opened the way for more lawsuits, including an
appeal of that case, which will hopefully make their way higher in the court
system.

(read the linked EFF article if you're interested in more. It lays the case
and the judge's ruling out in great detail)

[1] [https://www.eff.org/deeplinks/2013/03/depth-judge-
illstons-r...](https://www.eff.org/deeplinks/2013/03/depth-judge-illstons-
remarkable-order-striking-down-nsl-statute)

------
devx
If only, but I just don't see companies like Google, Microsoft or Facebook
implementing end-to-end encryption like OTR, ZRTP and PGP for their services,
and even if they do, I'm not even sure I'd trust them not to implement a
backdoor to get that data before it's encrypted somehow, at the behest of the
government.

Unfortunately, the alternatives will have to come from elsewhere - from
_disruptive_ (in privacy) start-ups that will launch only services with
security in mind from day one, as they try to steal customers away from those
companies.

------
hardwaresofton
Isn't the more important battle here between the government and the agencies
that server as the 'backbone' of the internet (ISPs,etc?)

~~~
ihsw
Indeed, the author seems to be clearly ignorant of that, be it willingly or
otherwise:

> My guess is the de facto interception technique of the future will involve
> targeting users’ endpoints (phone, computer, tablet, whatever) instead of
> trying to intercept communications in transit.

The data is still stored in the hands of tech companies, and as such outside
the realm of control of the owners of the data. The article writer would do
well to realize that it's not about national security, terrorists, or China --
but instead it's about control.

~~~
hardwaresofton
Yeah, I highly doubt they will target users' endpoints (mostly because the
ease and largely unreported nature of fiddling/requesting data from ISPs)

No matter where the data ends up being stored, if it has to GO somewhere, and
you are the man in the middle everywhere, things start getting a lot easier to
track.

------
joshdance
Have there been any examples of tech companies that have simply refused to
provide access to governments?

~~~
hga
Yes, it's a stark object lesson:
[https://en.wikipedia.org/wiki/Joseph_Nacchio#Qwest](https://en.wikipedia.org/wiki/Joseph_Nacchio#Qwest)

ADDED: which helps explain the current behavior of other companies we'd like
to think better of. I'm sure the people running them would to, but they and
their families (who the Feds have targeted in other political prosecutions)
would prefer they stay out of Federal prison.

------
junto
I predict that more companies outside the US will start producing products and
services that the US can't touch legally. As a result US tech firms would lose
out.

It is their interest to band together now as one powerful lobby group and
force a change to the legislation.

~~~
DannyBee
"I predict that more companies outside the US will start producing products
and services that the US can't touch legally. As a result US tech firms would
lose out. "

I guess I view this as highly naive. What makes you think the US won't get
agreement from these places to share? They already have in a large number of
cases.

~~~
bjelkeman-again
I would only say somewhat naive. There is a lot of effort in the EU that
points in this direction. Not everyone is a British poudle over here. We
started our work in the direction a couple of years ago, where I work. It will
take a while, but it will happen.

------
maybeso
That's a possibility. Google has made WebRTC encrypted by default. However, it
uses RSA which still isn't the best of choices (15 years in the future, when
the NSA builds a usable quantum computer).

~~~
marcosdumay
We have nothing that would survive a quantum computer. RSA is even better than
ECC, because it uses longer keys _.

But we are very far from a usable quantum computer. I doubt we'll get it in 15
years, and I doubt we'll get it before everything changes because of AI,
nanotech, some other disruptive tech, or some kind of doom.

_ Yes, there is nothing stopping you from using ECC with a 2k bits key. Except
that you aren't.

------
f902370
Friends sue each other. That's a show for their enemy. I'm supprised some of
us are still thinking tech companies and their government are against each
other in this case.

------
morgante
Sadly a majority of the American public is completely okay with being spied
on. [1] Given that is the customer base for these tech companies, I don't see
them fighting very valiantly, if at all. Especially when the government can
put on pressure via political prosecutions. [2]

1: [http://www.people-press.org/2013/06/10/majority-views-nsa-
ph...](http://www.people-press.org/2013/06/10/majority-views-nsa-phone-
tracking-as-acceptable-anti-terror-tactic/) 2:
[http://en.wikipedia.org/wiki/Joseph_Nacchio](http://en.wikipedia.org/wiki/Joseph_Nacchio)

------
tinco
Don't be too quick in supporting the Tech Companies in this war. The only
thing that will happen if they win, is that the government will have to _pay_
to get your data.

In this war, the government should win, because the government is by extension
the people. It is up to the people of the world to make sure that their
governments implement the right laws to restrict surveillance.

~~~
pessimizer
What if your government is currently using chemical weapons on you, or
imprisoning you for being gay?

~~~
tinco
Wat are tech companies going to do about that?

~~~
alextingle
Not cooperate with warrantless data requests that might reveal that someone is
gay?

~~~
tinco
I don't know. That sounds right in theory.. but in practice, would a country
that prosecutes people on ethnical/cultural grounds even consider allowing
companies to ignore their data requests?

History tells us no. History also tells us that tech companies often don't
give a shit. Perhaps a highly visible company like Google or Twitter might,
but a little visible company like IBM or Cisco? I wouldn't bet on it.

------
api
We can hope.

------
Helianthus
>Given X-Keyscore was a program primarily designed to intercept unencrypted
internet traffic, you could be forgiven for interpreting Facebook’s post as a
middle finger pointed in NSA’s direction. (Sources inside Facebook say it is a
coincidence, and indeed the company had been in the process of enabling this
across-the-board for years. But still. The timing.)

What journalistic integrity.

