
Secret Text in Senate Bill Would Give FBI Warrantless Access to Email Records - JumpCrisscross
https://theintercept.com/2016/05/26/secret-text-in-senate-bill-would-give-fbi-warrantless-access-to-email-records/
======
themartorana
"Blah blah national security just this one time in this focused fashion. Plus
we've been doing it for 5 years already..."

Fast forward 10 years...

"Blah blah national security just this one time in this focused fashion. Plus
we've been doing it for 5 years already."

Fast forward 20 years...

"...intelligence bill will give the FBI the right to enter your house and
confiscate your possessions, without a warrant, in total secret..."

~~~
mtgx
Don't forget the "we need a balance" statements, even though it's the U.S.
government that has long moved away from that balance, and now just wants to
be able to do whatever it wants, whenever it wants it, to whoever it wants,
with no oversight.

~~~
forgottenpass
Every "balance" argument is a strait up con.
[http://www.everydaynodaysoff.com/wp-
content/uploads/2013/11/...](http://www.everydaynodaysoff.com/wp-
content/uploads/2013/11/Illustrated-Guide-To-Gun-Control.png)

~~~
rayiner
I hate when balancing tests are invoked when the law is clear on its face.

But the 4th amendment is different than the 1st and the 2nd. It has balancing
built into it, by only prohibiting "unreasonable" searches and seizures. It's
as if the 1st amendment said "Congress shall make no law ... abridging the
freedom of reasonable speech" or if the 2nd amendment said "the right of the
people to keep and bear arms reasonably, shall not be infringed."

------
ghouse
And this is why we need SCM-level tracking for our laws.

~~~
koolba
> And this is why we need SCM-level tracking for our laws.

That'd be great. Each commit would be pushed by the attesting legislator and
they could even put the corporate lobbyist that actually wrote the change in
the author field!

~~~
a3n
And suddenly everyone would understand how to use git blame.

~~~
TeMPOraL
And at some point people would start referring to proposed laws by their
commit hashes.

"The Senate hearing over controversial bill 4ad57b ..."

~~~
koolba
> "The Senate hearing over controversial bill 4ad57b ..."

Ha! That'd be a nice side effect this approach.

Taking the concept one step further, there should be a CI environment to test
out new laws.

------
upofadown
>... such as email subject lines and other metadata ...

How could subject lines possibly be considered metadata? It is quite clearly
content.

~~~
slantedview
Because calling them metadata provides the government with an argument that
minimizes their importance, thereby allowing them to be exploited for
nefarious purposes in the same way that calling torture "enhanced
interrogation techniques" allows it to be exploited for nefarious purposes.
And so we get stuck arguing over the definitions of words instead of the
actual actions being performed under those definitions.

~~~
Kristine1975
"We Kill People Based on Metadata" \-- former NSA and CIA director Michael
Hayden

Bruce Schneier's take on the distinction between "data" and "metadata":
[https://www.wired.com/2015/03/data-and-goliath-nsa-
metadata-...](https://www.wired.com/2015/03/data-and-goliath-nsa-metadata-
spying-your-secrets/)

------
ohitsdom
How is this constitutional? I thought the courts have already clearly ruled
that emails are private and therefor require a warrant.

~~~
voxic11
They have not. Only emails you hold yourself are protected under the
Constitution. Emails held by third parties like Gmail are subject to the third
party doctrine and therefore have no constitutional protections. They still
have some statuary protections which this bill is actually expanding (mostly
besides this part).

~~~
anf
Is there a market for email server software with UX akin to Sandstorm, then
(i.e. easy to install / self-maintaining), or would this apply to EC2 servers
just as it does to email?

If so, a simple physical mail server with a battery / cellular network
connection for power or network outages seems like a good technical solution.

The more reasonable solution is a legal one, of course: treat treat third
party email the same way one treats a third party mailbox (PO box). Safety
deposit boxes are a good comparison, as well: [http://arstechnica.com/tech-
policy/2014/12/microsoft-tells-u...](http://arstechnica.com/tech-
policy/2014/12/microsoft-tells-us-the-worlds-servers-are-not-yours-for-the-
taking/)

~~~
reitanqild
I would guess/hope something like this is on the sandstorm roadmap but I don't
know.

~~~
anf
[https://docs.sandstorm.io/en/latest/administering/email/](https://docs.sandstorm.io/en/latest/administering/email/)

Running a Sandstorm instance in your home with backup network / power is a
separate story, however.

~~~
reitanqild
As long as it is for personal use I at least don't feel the need for redundant
power or network.

I also ran a sandstorm instance locally for a few months and it was boring in
a good way.

------
microDude
God, is Ron Wyden (D.Ore) the only one reading and disclosing these things?

~~~
readme
Probably. Most senators do not read the bills. They get a sparknotes like
summary by a private company and they read that.

------
meeper16
I think more visualization and ML tools like this are going to made available
to cull through data like too [http://52.11.211.67/recommend/chart-
discovery/data/clusters/...](http://52.11.211.67/recommend/chart-
discovery/data/clusters/9b5d75c00cb74fd80fc392d44ba49c1b27d41eaa-20160527-09_04_34_AM.html)

------
Aelinsaar
Encrypt Everything.

~~~
Kristine1975
"Hi, I'm F. Beeye. Please give us all your passwords, or you will be
imprisoned until you do."

~~~
swombat
... or we'll hit you with this rubber hose until you tell us.
[https://xkcd.com/538/](https://xkcd.com/538/)

~~~
Aelinsaar
The only effective countermeasure is for everyone to encrypt everything.
Unless you wan to get half of the population to torture the other half in
shifts...

------
vox_mollis
There is no fighting the future, by political processes. There is only
subversion.

Run your own mailserver, in your home or a semi-trusted local colo. Full disk
encryption, fully encrypted offsite backups. Cabinet door reed switch triggers
immediate power-down in the absence of a cryptographically signed override.

~~~
mindslight
Running your own SMTP server at home is a pain in the ass, so it will never be
widely adopted. I could easily move my mail server from Linode to my home
connection, yet I won't. It's simply nicer to not have to worry about bouncing
or delayed emails during power outage or network maintenance. And even if I
did, the messages still come in plain text - we're only a few steps away from
"email search" meaning "search of NSA's email records".

What we've really got is a protocols/software/UI problem. The end-to-end
nature of the Internet came out of _engineering_ sense, which was necessary to
bootstrap it but not necessary for its continued functioning (hence it's slide
back toward centralization eg DPI gear). What we need are better protocols
that explicitly _protect_ the end-to-end principle.

One should be able to have an untrusted cloud "mail server" that knows only
what it needs to, passing messages to a slightly more trusted home server
(your half-hardened hardware is really only protected by it's _unique_ nature,
so not scalable). A message only needs to be fully unlocked when it is being
read. And the system needs to work this way out of the box with a minimum of
configuring, because sysadmin work is an annoyance when you're just trying to
get something done.

~~~
anf
> Running your own SMTP server at home is a pain in the ass, so it will never
> be widely adopted.

It is, but it doesn't have to be. Someone could make a <$100 device which has
a power backup for running through power outages and a backup network
connection via the cellular network, which should provide high enough uptime
for all practical purposes. Messages between mail servers are encrypted most
of the time, more and more so every year [1]. This is a technical solution for
a legal problem, though.

I'm not sure if I understand the system you are proposing, but email protocols
seem secure enough now as they are now, it's just the third party principle
that doesn't align with the obvious expectations of privacy in mail [2]. To
me, it's pretty clear that my email account is like a PO box. Just because my
email is held by a third party doesn't make it any less private than being
delivered to my home, just as mail arriving at a "third-party" PO box isn't
all that different from my mailbox.

1\.
[https://www.google.com/transparencyreport/saferemail/](https://www.google.com/transparencyreport/saferemail/)
2\. [http://techcrunch.com/2014/04/30/google-will-also-stop-
scann...](http://techcrunch.com/2014/04/30/google-will-also-stop-scanning-
google-apps-inboxes-for-ads/)

~~~
mindslight
It is not "a legal problem". It is a problem with legal, technical, governance
(and probably more types of) approaches. If you're working on a legal solution
I'll support you, just like if someone else succeeds in neutering the traitors
in DC/VA, I'll cheer them on. But I am not a lawyer nor a soldier, so I'll
remain focused on finding technical solutions.

Protocols "seem" secure enough, because you don't seem to be focused on the
technicals (which is fine, as per what I just said. Just don't nay-say). For
example, even if messages are encrypted between servers, the graph of who is
talking to who is still revealed to a passive adversary, and this problem only
gets worse with individually-run servers.

~~~
anf
Hiding "who is talking to whom" against a global passive adversary is an
active area of research and I don't know of any solution that is backwards
compatible with email. Is this so of the one you are suggesting?

