
FBI wants real-time Gmail, Dropbox spying power - Lightning
http://www.slate.com/blogs/future_tense/2013/03/26/andrew_weissmann_fbi_wants_real_time_gmail_dropbox_spying_power.html
======
gnosis
If you value your privacy, it would be prudent to assume any unencrypted
communication of yours is compromised.

That includes unencrypted email and any unencrypted data stored on a server
not under your control.

Even your encrypted communication might be compromised at some point in the
future, given the odds that it has probably been logged by someone as it
travelled from hop to hop through the Internet.

Once encrypted data leaves your control, anyone intercepting and logging it
can attempt to crack that data at their leisure, virtually indefinitely.

Laws may stop some law-abiding entities from trying. But I wouldn't count on
it.

~~~
zurn
Dropbox and Gmail are already encrypted - the problem is who else can get at
the keys. And which other credentials of yours can be compromised starting
from there.

~~~
TillE
Encryption that is out of your control is not encryption in any meaningful
sense. You must be the only one who has the key, else the whole process is
compromised.

~~~
darkarmani
Isn't this tarsnap's selling point? I'm not a user of it, but it seems like a
sound service for backup (not cloud sharing of data).

~~~
AJ007
There are quite a few options available from the stand-alone, like SpiderOak,
to things that sit on top of Dropbox, such as Boxcryptor.

What I haven't seen is a comprehensive security review of these alternatives.
There could be bugs, flaws, or they could outright not be doing what they
claim to do.

------
rdl
Not to be overly tinfoil hatted, but:

Historically, intelligence monitoring of communications providers was done
extra-legally (by employees at the communications providers who either worked
directly for or were compensated or politically-motivated agents of
intelligence agencies). When it doesn't need to be used in court, there are a
lot more options. Stuff as simple as an employee providing copies of the day's
tapes.

Later, intelligence agencies got smart (particularly the Israelis) and ran
cut-rate service providers for support services (VoIP termination, billing
reconciliation, etc.), selling to existing consumer-facing providers,
primarily for information.

Just because FBI is talking about this for law enforcement purposes (implying
they don't have it now) doesn't mean they don't necessarily have various types
of existing access for their dual role as a counterintelligence agency, or
that other organizations (US and foreign) don't have access.

~~~
DanBC
ECHELON shows us that the US (and the 4 other countries involved) are happy to
sidestep the law and spy on their citizens.

ECHELON did it by having 5 nations involved. If the US wanted information on a
US citizen they'd pass that name onto the 4 other countries who would do the
spying for them.

ECHELON was also used for industrial espionage, providing lots of information
to US aerospace.

~~~
choko
As far as I know, data obtained using ECHELON or Predator or whatever they are
are calling it this month, would not be admissible in court. The spying
approach might work for the NSA, but the FBI needs data they can use in a
court case.

~~~
dhimes
Data that you can't use in court can still be very valuable. For example, if
they can illegally determine whom to follow or where to look, then they can
focus on collecting enough legally obtained information to paint a picture
that gets them a warrant.

~~~
datr
This would probably be considered fruit of the poisonous tree so would also be
inadmissible. Whether the defence could show that to be the case though is
another matter.

------
justindocanto
Am i the only person who assumes that everything we send/receive over the
internet is already watched/surveyed/sniffed/logged/at least something by at
least one branch of the government?

For the record, I dont mean that in a 'government is bad' tone. That is a
different discussion. I mean that in an objective 'you'd think the people who
run the country and have access to more resources then we ever will would just
find a way to do it in the first place' kind of way.

They can send machines to mars, have laser guided devices fly to the other
side of the world and hit a target, (insert more technically difficult feats
here)... but they cant get access to all our data on the wires and networks
they govern in their own country? i really doubt that.

~~~
UnoriginalGuy
I'm with you.

If you look at history and the kind of surveillance powers governments had
compared to the general population, it isn't unreasonable to assume that they
can "monitor" everything. In fact you can find several YouTube videos of
people who claim they created just such a system after 9/11 for the NSA.

The question is not if the NSA are sweeping every piece of electronic
communications, the question is: "how much are they storing?"

If they're just building communications trees then that is a lot less invasive
than even automated e-mail scanning. However it is very likely they're looking
at content too, because historically (e.g. cold war) they always did
keyword/phase monitoring.

If I had to guess, I would guess they're building large communication trees
and giving everyone in them a "score" (think: credit score). This score raises
based on things like the language used, perceived threat, and similar.

Then when someone's score is high enough or they talk to the "wrong people"
you have human analysts who go over their profile with a fine tooth comb...

None of this is impossible with our current technology. In fact it isn't even
technically that difficult - just expensive.

Now if you want to get really conspiratorial then let's talk about the public
SSL certificate oligopoly. The five or six companies generating the majority
of the world's SSL keys are likely handing them straight over to the NSA and
in exchange the NSA keeps those companies in power/control of that market.

~~~
jsmeaton
> Now if you want to get really conspiratorial then let's talk about the
> public SSL certificate oligopoly. The five or six companies generating the
> majority of the world's SSL keys are likely handing them straight over to
> the NSA and in exchange the NSA keeps those companies in power/control of
> that market.

That's really a very scary thought and I wouldn't be at all surprised if it
were true. At least the first part.

------
dreamdu5t
Summary: The FBI admits they aren't capable of performing MITM SSL attacks,
and that Google is currently providing them with private data. Because of
this, they want some sort of real-time inspection powers that do not depend on
Google's cooperation.

~~~
bigiain
<hat type="tinfoil"> … or they've so thoroughly subverted the SSL certificate
"industry" and the major internet backbones that they figure even people using
SSL cert pinning aren't going to notice they're already MITMing every single
piece of web traffic with self-issued browser-trusted certs. So it's a good PR
time to pretend they need new powers.</hat>

~~~
camus
if they can do that ,the backdoor will be found by others sooner or later.

~~~
bigiain
Where by "sooner or later", you mean "last year":

[http://www.computerworld.com/s/article/print/9235260/Rogue_G...](http://www.computerworld.com/s/article/print/9235260/Rogue_Google_SSL_certificate_not_used_for_dishonest_purposes_Turktrust_says?taxonomyName=Data+Security&taxonomyId=203)

and

[http://www.computerworld.com/s/article/9219606/Hackers_stole...](http://www.computerworld.com/s/article/9219606/Hackers_stole_Google_SSL_certificate_Dutch_firm_admits)

Fortunately that attack is only possible if you're a despotic nation-state who
controls your entire countries internet connection - or perhaps a three letter
agency who'd only have to lean on half a dozen or so major internet backbone
company CEOs - so you can MITM pretty much _all_ the traffic...

------
Down_n_Out
I might be exaggerating a little, but all this does is making the move to
"cloud-systems/apps" slow down. People or companies are already afraid of the
cloud concerning owning their data, spying, etc... Articles like this are bad
advertising (but also good to point out the privacy issues, don't get me wrong
here). Maybe everyone should start running their "OwnCloud" (pun and reference
intended) as well as their own email system? So in other words, let's abandon
the cloud all together?

~~~
nitrogen
_So in other words, let's abandon the cloud all together?_

Yes, let's. For non-critical public services like blogs and videos, cloud
providers like AWS and VPS hosts are great. But for things that matter
significantly, like corporate e-mail, let's abandon the cloud and regain some
of the decentralization that the earlier Internet protocols like SMTP
exemplify.

~~~
Down_n_Out
If only business and non-business would see eye-to-eye ;-)

------
DanielBMarkham
tl;dr Google and other companies already have the capability to spy on your
real-time net activity, but they're (rightly so) currently squeamish about
just throwing open the doors and letting the FBI poke around with whomever it
pleases. (Which is pretty much the way the cellular carriers handle it) FBI
wants more legislation to "fix" this problem. Seems like people in some cases
are communicating with each other and the FBI can't listen in, and this
situation is intolerable to them.

ADD: What we're probably going to need is a new way for users to universally
encrypt data deep in the OSI layer instead of continuing to tack it on top of
the stack with downloaded apps. Need to think through that some more.

~~~
pi18n
I thought the DIY cellphone was neat for just this reason. I'd like my next
phone to be a hideous contraption made by adding a cellular radio to a
Raspberry Pi.

~~~
DanielBMarkham
It's the hobbyests that are going to lead here. We're the guys gluing bubble
gum to bailing wire and figuring out how to make a cowbell out of it.

I took a flyer on how my idea would work as a PC program.
<https://news.ycombinator.com/item?id=5449049>

Not sure I made any progress, but that's the fun part about being a hacker and
doing this from your armchair (and Pi/packet radio board) -- anything you can
imagine you can begin to realize.

I honestly believe all of this surveillance news is going to result in many
more technological solutions, although probably no long-term "wins"

------
law
This article is absolute trash. The 4th amendment doesn't apply to your data
hosted on Google's servers, and ECPA and CALEA are essentially meaningless
here. The truth is that Facebook and Google can give away (or even sell) your
data to the government, and they have your consent to do so.

Reading the terms of service and privacy policy of each site you visit daily
is a good exercise. Nearly all will contain some ambiguous catch-all provision
that they can use your data to "improve [their] services." Then, if they're
sued, the question is whether they have the resources to hire a law firm that
can convince a court that selling data to the FBI/CIA/etc. improves their
services. They do.

~~~
archangel_one
> The truth is that Facebook and Google can give away (or even sell) your data
> to the government, and they have your consent to do so.

Can, but apparently aren't, if the FBI is making a fuss about not liking how
things work at the moment. If Google were giving them everyone's Gmail, one
assumes they'd just stay quiet about it.

------
eksith
That's nice. Meanwhile, real criminals use Hushmail and Tormail. This is a
movement to spy wholesale, nothing more.

If any precedent or piece of legislation disproportionately and negatively
affects a certain demographic of a population (let's say those with the means
to form their own opinions), while they argue "well it's for _everyone's_
safety", the reality is that it's unjust no matter how you try to spin it.

~~~
MichaelGG
Why would you use Hushmail over Tormail + your own PGP? I thought Hushmail's
rep was pretty well shot[1].

1:
[http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_p...](http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy)

~~~
eksith
OH! I didn't know about that. Seemed like everyone who wanted to send PGP
messages was using, but I guess I was wrong.

I don't use Tormail cause it's painfully slow at times (at least for me) and
since I figured they're probably not interested in my plaintext gmail anyway.
Stories like this may change my mind.

It's not that (mostly) anything I send is PGP worthy; it's just the principle
of it.

------
josscrowcroft
This will sadly only serve to make 'criminals' smarter in their attempts at
secrecy, and result in ordinary people becoming criminalised...

------
josephagoss
Can someone tell me if this is true for Dropbox? I pay for Dropbox and also
many family and friends pay for Dropbox. I know several businesses that use
Dropbox as a file server. Also I am in Australia.

If Dropbox starts to let a foreign government (In this case the USA) to watch
our files, I must cancel all accounts and will advise all my friends and
family to shut down all Dropbox accounts immediately.

Can someone comment as to the truth of this article? If true that means we can
never trust a US company again. Please someone tell me this is scaremongering
and FUD and has no substance.

~~~
raesene2
This is, as far as I know, already in the Dropbox T&C's (article here
[http://articles.businessinsider.com/2011-04-18/tech/30033770...](http://articles.businessinsider.com/2011-04-18/tech/30033770_1_user-
files-user-data-law-enforcement)) and their T&C's here
<https://www.dropbox.com/privacy> do mention handing over data in relation to
law enforcement requests in section 3

------
schabernakk
Is there a one-click all in one open source solution I can use to get rid of
Gmail? And by that I mean email, calendar etc.

Something I can perhaps just throw up on an S3 instance and pay a few bucks
for it every month?

Even if we are just talking about e-Mail frontends: Horde is one of the more
popular ones and is just awful UX wise. I don't know of any mature free
solution which at least tries to match GMail in this regard.

------
chmike
What about users outside of USA ? What is their status ? I have the impression
we are not considered to have any rights from the US perspective.

~~~
bluedanieru
Even US citizens traveling outside the country, and especially residing
outside the country, are on thin fucking ice. No, the US government does not
consider itself beholden to any laws when operating on foreign soil. It also
doesn't really define any criteria that when met allow it to operate on
foreign soil in the first place. As such, you are, in essence, right now a
subject of a global American Empire under which you have no rights - not even
a right to life or property.

~~~
wes-exp
Regardless of how US government departments and agencies may currently behave
with respect to foreign soil, the fact is that the Constitution does apply to
foreign soil and doesn't magically disappear.

This was made clear in a 1957 Supreme Court ruling, Reid v. Covert:

"At the beginning, we reject the idea that, when the United States acts
against citizens abroad, it can do so free of the Bill of Rights. The United
States is entirely a creature of the Constitution. Its power and authority
have no other source. It can only act in accordance with all the limitations
imposed by the Constitution. When the Government reaches out to punish a
citizen who is abroad, the shield which the Bill of Rights and other parts of
the Constitution provide to protect his life and liberty should not be
stripped away just because he happens to be in another land."

"This Court and other federal courts have held or asserted that various
constitutional limitations apply to the Government when it acts outside the
continental United States. While it has been suggested that only those
constitutional rights which are 'fundamental' protect Americans abroad, we can
find no warrant, in logic or otherwise, for picking and choosing among the
remarkable collection of 'Thou shalt nots' which were explicitly fastened on
all departments and agencies of the Federal Government by the Constitution and
its Amendments."

[http://www.law.cornell.edu/supct/html/historics/USSC_CR_0354...](http://www.law.cornell.edu/supct/html/historics/USSC_CR_0354_0001_ZO.html)
[http://www.guardian.co.uk/commentisfree/2013/mar/15/charles-...](http://www.guardian.co.uk/commentisfree/2013/mar/15/charles-
krauthammer-constitutional-ignorance-foreign-soil)

~~~
bluedanieru
Tell that to the executive (and Congress, for that matter). they could use a
good chuckle.

------
SeanDav
Interesting that the Government does not include Skype on that list. One can
only assume that is because they already have Skype access.

~~~
pi18n
They do have Skype access. <https://en.wikipedia.org/wiki/Calea>

------
p6v53as
That reminds me once again of Dotcom's proposal to encrypt almost everything
to be safe from the government persuasion.

------
luiperd
Some interesting discussion on Reddit about this, too. Especially the top
comment.

[http://www.reddit.com/r/technology/comments/1b2m4l/fbi_pursu...](http://www.reddit.com/r/technology/comments/1b2m4l/fbi_pursuing_realtime_spying_powers_for_gmail/)

------
mtgx
So we can expect deep packet inspection very soon then.

~~~
dreamdu5t
Of encrypted traffic?

~~~
moheeb
Yes. In case you're unaware this is currently possible.

------
booruguru
If someone wants their e-mail to be truly private and secure what options are
available?

~~~
jazzyb
Use PGP to encrypt your emails[1]. I've never used it with any server I didn't
control (like Gmail), but I'm sure it's possible to set up.

[1] <http://lifehacker.com/180878/how-to-encrypt-your-email>

~~~
chimeracoder
Google will never include PGP support in their official web client, because it
kills their advertising model (which requires them to have access to the plain
text of your emails).

However, as long as Gmail supports IMAP, it's pretty easy to set up PGP
encryption/signing with Thunderbird or Mutt or the like. Thunderbird has a
plugin/extension for integrating support, and Mutt provides it natively.

If you already use Thunderbird or Mutt, it'll take maybe 15 minutes to set up,
and then you don't have to think twice about it.

------
rsync
If you don't run your own mail server you are a clown-person that has no
business speaking of security or privacy or digital rights.

Running your own mail server[1] is the "must be at least this tall to ride"
threshold for even having an opinion.

[1] and possibly providing your own dialtone, which isn't that tough these
days ...

