
Senate bill rewrite lets feds read your e-mail without warrants - nhebb
http://news.cnet.com/8301-13578_3-57552225-38/senate-bill-rewrite-lets-feds-read-your-e-mail-without-warrants/?part=rss&subj=news&tag=title
======
tptacek
This is a thread full of passionately argued polemics about the US national
security state and _not one link to the legislation proposed in any
incarnation_. After the debacle that was the trade press reporting on CISPA,
it is probably a bad bet that Declan McCullagh got this exactly right.

Obviously, a provision that allows law enforcement warrantless access to
random people's email would be a terrible thing. It seems a little unlikely
that in the wake of the Petraeus scandal, that's what Leahy would really be
proposing. Maybe it is. Can we FIND OUT?

_Late edit: here it is: <http://news.ycombinator.com/item?id=4811489>_

~~~
sneak
No point. It's shitty living somewhere with a government that would propose
this sort of thing. It's also like rearranging the deck chairs on the Titanic,
as the NSA et al have already tapped everyone's fibers years ago.

Furthermore - it's not a secret that they did so. Books have been written on
the matter. The public got suitably outraged, and then nothing happened. The
taps are all still there, and the equipment's all been upgraded as the
capacities have increased.

It truly doesn't matter what these laws say. Your communications in the US are
all already monitored as a fact of life.

~~~
tptacek
I respectfully but vigorously disagree with you that there's no point
discovering what proposed laws say. It's our responsibility as citizens to
figure this stuff out. There aren't _that many_ "cyber" laws proposed every
year.

This is a country in which people of African descent couldn't even reliably
vote 55 years ago. I refuse to succumb to the notion that all is lost simply
because we've had 8-10 years of overreach.

~~~
sneak
> It's our responsibility as citizens to figure this stuff out.

Well, that, or flee.

> I refuse to succumb to the notion that all is lost simply because we've had
> 8-10 years of overreach.

If that's the case, I ask non-sarcastically: How many decades of tapped
phones, illegal body searches, and indefinite detention and/or torture of
political prisoners are you willing to wait for reform before you declare the
US an unacceptable place for good and reasonable people to continue living in
and paying taxes to?

I'm genuinely curious. Is there an upper bound?

For me, personally, it was ~8 years.

 _"The most dangerous man to any government is the man who is able to think
things out for himself, without regard to the prevailing superstitions and
taboos. Almost inevitably he comes to the conclusion that the government he
lives under is dishonest, insane and intolerable, and so, if he is romantic,
he tries to change it. And even if he is not romantic personally he is very
apt to spread discontent among those who are."_ --H. L. Mencken

~~~
smokinjoe
> How many decades of tapped phones, illegal body searches, and indefinite
> detention and/or torture of political prisoners are you willing to wait for
> reform before you declare the US an unacceptable place for good and
> reasonable people to continue living in and paying taxes to?

So, if things get tough you typically quit? Only 8 years? There are isolated
cases of each of those occurrences, and while just one is unacceptable, this
country is far from uncorrectable.

There are quite a few citizens of the USA that waited a lot longer than 8
years for rights we all are born with and take for granted today. I find it
perfectly reasonable to both have the determination to stay active/volunteer
as well as the patience for the process to work.

------
nathan_long
>> The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.

I don't understand how anyone can think that the founding fathers would not
have considered email and cell phone conversations to fall under this
provision.

I'm so sad about our country's abandoning the principles of freedom.

~~~
_delirium
The main issue here is that it's legislation covering cases _not_ covered by
the 4th amendment, i.e. where there is no Constitutional violation in the
search, but which the legislature could add additional statutory requirements
to. And the main reason that's the case is that you only have 4th-amendment
rights in _your_ person and property, but you have no property rights in your
Facebook account, which is wholly owned by Facebook, and which you use for
free only as a guest. So the only party that could object to a search of
Facebook is Facebook itself (they could fight subpoenas, attempting to quash
them as unreasonable impositions... not unreasonable impositions on you, but
_on Facebook_).

I don't think that's a good state of affairs, but I can see how it logically
makes sense. On HN we're often reminded that people have no _right_ as users
to any particular service from Google or Facebook, and the reason is that they
don't own anything about the service or the data on it. Facebook could sell
your data to advertisers, they could mail all your posts to the FBI without a
warrant, whatever they want. So similarly there is no 4th-amendment right that
_you_ have relating to a search of Facebook, because it's not a search of your
person or property, but of theirs. In the Founding generation this wouldn't
have been an issue because it was not common for a person to store
significant amounts of their personal papers in a form where they had no
ownership over them (even when you stored with a 3rd party, like in a bank
safety deposit box, there was typically a contract specifying that you had
certain ownership rights).

I do think there should be a fix to it, which will require implying some kind
of rights that Facebook users have against government searches of Facebook
targeted at that user (despite the user having no ownership in Facebook). But
one wouldn't want that to go too far, because I can also see the property-
rights argument: if I really do want to voluntarily mail the data on my server
to the FBI, and I didn't sign a contract with the users saying I wouldn't, why
should the users be able to stop me from doing so? You'd have to abrogate
property rights with some kind of right-to-information-privacy that supersedes
the fact that it's my server and I own its contents. Overall it seems like a
situation that the Constitution's framers didn't imagine.

~~~
nathan_long
I see what you're saying, but there are at least two separate issues here.

>> you have no property rights in your Facebook account, which is wholly owned
by Facebook

By this logic, do I also have no right to expect privacy when I mail a paper
letter through the post office? After all, its sorting facilities are wholly
owned by the government.

I honestly don't know what the framers would have said about that. If I
shouldn't expect privacy there, the argument is done.

If I should expect privacy from the post office, there's a second issue:

>> and which you use for free only as a guest

By this logic, I should expect privacy from my cell carrier, because I pay to
use their service, therefore my account and the data passing through it might
be argued to be "mine".

>> in a bank safety deposit box, there was typically a contract specifying
that you had certain ownership rights... [snip] ... some kind of right-to-
information-privacy that supersedes the fact that it's my server and I own its
contents.

Both of these parts of your comment suggest that I should be legally able to
operate a service and specify in the user agreement that I won't give their
data up for search without a warrant; that they have some ownership rights
over their data.

Sadly, I think the government would assert otherwise. The only loophole I've
heard used so far is to operate a service which, through encryption, actually
_can't_ access users' data. And for all I know, that will be declared
obstruction of justice.

~~~
_delirium
On the letter analogy, things owned by the government are treated differently
from things owned by a 3rd party in the private sector. The government
generally is more restricted in its actions. And in the case of the USPS,
there are further statutory restrictions beyond those required by the
Constitution that are written into law, specifically about protecting the
privacy of mail in transit. The same is true with phone calls: wiretapping
statutes place certain requirements on when a wiretap can be authorized,
beyond the minimums the Constitution would require. One of those (which the
AT&T wiretapping scandal hit) is to actually make it criminal for a phone
company to volunteer information to the federal government without a warrant,
which basically closes down the 3rd-party-consent end-run around search
warrants, since it explicitly makes it criminal for them to consent. I do
think it's a good idea to consider extending some of these to email, given its
pervasive role that's largely replacing what physical mail and phones used to
carry. But that requires admitting that email to some extent needs to be
treated less like a purely private-sector business, and more like a utility.

Your last point is an interesting one, though. If a provider specifically
includes in their service policies a promise not to give up the user's data,
then it seems like the _provider_ would have a good claim when they attempt to
quash subpoenas, even if the user themselves doesn't have any particular
rights in the matter.

------
sneak
Is anyone surprised by this, in the wake of PATRIOT and NDAA?

The time to leave the US is now. You no longer have the basic rule of law.
Collect your family and possessions and emigrate.

It's not easy[1], but it's the only way, now. We're never getting those rights
back.

[1] I did it. It's tough, no foolin'.

~~~
johngunderman
If you don't mind me asking, what country did you move to that has better
personal rights? I know that Canada and most of the EU have a worse track
record than the US when it comes to this.

IMHO moving out of the US just avoids the problem, instead of solving it. We
need to put more support behind advocacy groups like the EFF whose mission
statement is to fight against the infringement of personal rights.

~~~
aroberge
You _know_ that Canada (and the EU) has a worse track record... Can you
provide a link to support this rather bold assertion? I am fairly familiar
with Canadian law and strongly disagree with your statement.

~~~
danielweber
Check out Canada's hilariously-named "human rights commissions."

I'm not saying that the US is strictly better than Canada in the rights
department. However, it's definitely not strictly worse.

~~~
aroberge
I have had to deal with Human Rights Commissions in two provinces over the
course of 10 years and have never seen anything like what is referenced: HRCs
do not have the capacity to access email and documents without the owner of
such being informed. Your argument is just an attempt at changing the topic at
hand. The original comment ended with "when it comes to this" thus referencing
warrantless access to email and such.

------
joering2
OK enough is enough! In the light of this bill, post-thanksgiving time I will
spend on cleaning up all my email boxes and would like your suggestions for a
new email account that fulfills the following requirements:

- is located off shore, preferably some small country with less draconian
laws that exists now and could be implemented in near future (15 years?), BUT
stable enough so that my service can be reliable,

- content of my emails is automatically encrypted,

- and at this point, I am fine with paying for my email. The amount of work
it lets me do, I am fine with paying up to $49/month, I think.

Thanks!

~~~
mtgx
The best solution right now is probably to use a desktop app that encrypts
e-mails locally with OpenPGP before sending them.

Can't someone make a Chrome extension that does the same for Gmail, though?
There seem to be a few solutions for Firefox.

~~~
sneak
Hint: You are not the first person to notice that crypto can be done client-
side in Javascript. There are very good and not-obvious reasons why this is
not done.

~~~
aharrison
Could you please elaborate, so that more people do not fall into this
intellectual trap?

~~~
sneak
<http://www.matasano.com/articles/javascript-cryptography/>

Basically, the server you're talking to, as well as any resources on that
page, can undermine your javascript primitives and render your crypto useless
(or just backdoor it).

If you trust the server to not backdoor your crypto... you can just trust the
server to _do_ the crypto in the first place.

There is an effort underway to build better crypto APIs into browsers, but
I'll bet you a bitcoin that it's super easy to fuck up the implementation of
and most end up being insecure, and/or nobody ends up using it after all.

~~~
doug11235
I read that article as explaining why a web application can't do crypto with
javascript. As someone that knows almost nothing about browser extensions, can
you elaborate on why one isn't a good idea for chrome?

~~~
jlgreco
The sections _"How are browsers hostile to cryptography?"_, _"What systems
programming functionality does Javascript lack?"_, _"What else is the
Javascript runtime lacking for crypto implementors"_ cover issues you would
encounter with browser extension crypto.

~~~
doug11235
I didn't realize extensions were largely javascript. Thanks for the pointers.

~~~
jlgreco
Ah yeah. I believe the usual terminology is such that "extensions" are
javascript and "addons" are something native. You could probably do crypto well
with an addon.. to the extent that it is possible to do an addon at all
properly (honestly I have no idea there).

------
pnathan
I'd like to take this opportunity to remind everyone that GPG encryption for
email (and other data) is freely available. It would be considerably more
generally usable if someone with design skills contributed to the projects.
The Mac GPG integration is nice, but in my explorations outside of that, it's
been... difficult to use. Particularly galling is the key distribution
problem. :-)

~~~
fauigerzigerk
Encryption has a couple of drawbacks. If you happen to be unable to decrypt
something the authorities want to see, you go to jail for a long time in some
countries.

And then of course I can't make everyone I communicate with use encryption. So
all I can do is encrypt incoming mail, which is rather pointless because
there's another unencrypted copy out there and the mail headers will give away
where to look.

~~~
mtgx
It seems the OTR protocol works around that, as I think the messages are not
stored indefinitely like with PGP:

<http://www.cypherpunks.ca/otr/otr-wpes.pdf>

------
ck2
Wanna bet there is an exclusion for legislators in the bill?

Just like they get their own pass for the TSA at airports.

~~~
jamesbritt
" ... two legs better."

------
meaty
Yay to the EU Safe Harbour. Oh no wait a minute.

This is why we host all our stuff ourselves in a UK DC. Snooping legislation
is crazy in the _land of the free_

~~~
spindritf
In UK you can go to jail for not remembering your password. There's nothing to
"yay".

> A 19-year old from Lancashire has been sentenced to 16 weeks in a young
> offenders institution for refusing to give police the password to an
> encrypted file on his computer.

<http://www.theregister.co.uk/2010/10/06/jail_password_ripa/>

~~~
pixelbath
"Forgetting" the password to files comprising the entirety of evidence
pertaining to the investigation of a crime is hardly the same as being jailed
for forgetting an arbitrary password.

~~~
CapitalistCartr
It looks the same to me. If the "files comprising the entirety of evidence"
are what's encrypted, then there is no case unless and until they decrypt
them. What's to stop them from jailing anyone they want who can't/won't
decrypt everything on their computer at demand? This is exactly how police
states operate.

A police state doesn't require evil intent. On the contrary, each one starts
out with the BEST of intentions.

------
owendbybest
It's time for more encryption, at least for anything we store in "the cloud".

~~~
smokeyj
I wish there was a router that could automagically handle encryption. This way
even grandma could plug in her "freedom box" behind her router and have secure
communications. Maybe a simple web based admin page to manage configuration.

~~~
1337biz
Would love to see this, i.e. some open source box, that just handles OpenVPN
and TrueCrypt for the local network. As an idea it sounds not that overtly
complex to realize - just hoping somebody will take something like this one
day on Kickstarter.

------
mercurialshark
Because nothing says freedom like regulators from the OSHA and SEC
warrantlessly reading your drunk messages.

------
rayiner
"At the moment, Internet users enjoy more privacy rights if they store data on
their hard drives or under their mattresses, a legal hiccup that the companies
fear could slow the shift to cloud-based services unless the law is changed to
be more privacy-protective."

It's not really a legal hiccup. Let's rewrite it without the editorializing:

"At the moment, Internet users enjoy more privacy rights if they keep their
data private than if they share their data with non-governmental third
parties..."

If you tell me you're planning to kill someone, the FBI doesn't need a search
warrant to get me to testify about what you said. A subpoena will do. Why
should it be different if you tell Google you're planning on killing someone,
by storing "Killing Someone Plans.doc" on their servers in plain text?

~~~
tadfisher
What if I print out the document in plain English and store it in a safe-
deposit box? I'd say that's a more apt comparison.

~~~
jerf
Metaphors are not helpful for understanding this sort of issue. It's a bit
like and a bit not like all kinds of things, and isn't exactly enough like
anything else.

~~~
mseebach
I agree you don't need metaphors, but not because it's not like anything,
rather because it's too simple to need a metaphor: If you give something,
_anything_, to a third party to handle or keep, the government can't demand
to go and look at it without a warrant.

The government can't demand to go look in your safety deposit box, it can't
get your library check out records, it can't see how many airline miles you
have, it can't read the mail in your PO box etc etc without a warrant. Of
course, in some of those cases, the third party will cooperate without a
warrant, but they're not required to.

------
mekane8
This is troubling. Anyone have advice for who to contact about this? (Should I
look up my senator, congresspeople, both?)

~~~
zrail
Contact your senators. Here's a handy search site:
<http://whoismyrepresentative.com/>

------
adventured
A lot of people wonder why Americans aren't more outraged about the increasing
number of fascist laws being passed in the US.

The obvious answer is that too many Americans no longer believe in the basic
rights to property and privacy. The civil liberty wing of the Democrat party
has also been completely destroyed. It's not just the policy makers - it's the
American people that are at fault. It's their sense of life, ideas and culture
that is bankrupt.

------
protomyth
Which Senator's staffs rewrote the bill?

~~~
r00fus
From the article, I read it's Leahy's:

"CNET has learned that Patrick Leahy, the influential Democratic chairman of
the Senate Judiciary committee, has dramatically reshaped _his legislation_ in
response to law enforcement concerns. A vote on his bill, which now authorizes
warrantless access to Americans' e-mail, is scheduled for next week."

~~~
joering2
not to suggest anything to anyone but just think how crazy it would be to get
to know his personal or official email address and sign him up here and there
for some questionable websites, like piratebay emailing list, hackers emailing
list, perhaps some lists for kkk etc. Sorry to drop it here BUT just the dark
side of me is waking up in the light of this news...

~~~
protomyth
Won't work, is morally wrong, will get you in trouble, and will change the
story to something that helps the bill get passed.

------
dendory
Bye cloud, we hardly knew ye.

~~~
wissler
Some of us have observed that the cloud was a stupid idea from the beginning.
All the cloud should be is an encrypted data service for locally run and
stored programs, without anyone but you having access to the data in
unencrypted form.

~~~
fauigerzigerk
And why would lawmakers be intimidated by encryption? They could just force
you to decrypt whenever one of those agencies asks for it and punish you with
lengthy jail terms if you refuse.

~~~
pyre
If everyone used encryption, and they started doing this, we could at least
get rid of the facade of "we are not attempting to pool power in a way that
will lead to a police state." It would be a bald-faced power-play.

~~~
wissler
Exactly. It means the pretense evaporates, and that the sheep wake up.

I mean, if some government agent rifles through their stuff in the cloud, the
sheep don't care. But if they knock on the sheep's door and do it, then the
sheep is going to get angry, if he's innocent.

------
stfu
I am just wondering, why the topic here is "senate bill rewrite", and not
"Democratic Majority in the Senate wants to let feds read your e-mail without
warrants".

Maybe it is just me, but the recent (absolutely justified) bashing of the GOP
retraction of the copyright policy paper makes me wonder, why negative GOP
stories have always attached to the party name, while DEM stories are usually
attributed to a single politician or the institution per se.

------
sneak
<http://en.wikipedia.org/wiki/ECHELON>

<http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy>

<http://en.wikipedia.org/wiki/Room_641A>

Let's not act like this is something new. Your rights to privacy have been
gone for some time.

~~~
tptacek
The point of privacy in public policy, or any other right for that matter,
isn't that we get things right 100% of the time. We didn't suddenly give up on
the idea of mass detention of people by race after we set up Japanese
Internment Camps. We are going to get things wrong, regularly. Think of the
Constitution and our civil liberty norms as an error correction code. At any
one point in time, we'll have flipped numerous bits the wrong way; the point
is that over time, the US is overall run in the fashion it was originally
intended to run in.

~~~
b6
I would really like to believe this. But the US is killing its own citizens
without due process, according to secret lists. The emails, IMs, and whatever
else that we send are being stored at the NSA facility in Utah. These are just
bits that need to be flipped back the other way? What greater contradiction to
the original ideas of the US could you imagine, and what progress do you see
to correct them?

------
shill
POST TO FACEBOOK AS: The Senate is voting on a law next week that will let
employees from 22 different federal agencies eat your Twinkies whenever they
feel like it!!!

------
smokeyj
You rascally government! Can we just cut the foreplay? Let's fire up the
incinerators and form some orderly lines.

------
drcube
<http://www.gnupg.org/>

Problem solved.

~~~
scott_karana
Unfortunately not, encryption is simply a workaround.

The bill covers _every_ user of email, but it's not hard to make the argument
that neither GPG nor PGP are correctly usable by every user of email.

Despite there being a technical workaround, it's simply a kludge; strong civil
liberties need to be in place, with encryption simply augmenting them.

------
Buzaga
Couldn't this mean a big hit to ALL American IT companies? I for
one (Brazilian) would move out of G-mail right off the bat, this bill probably
means USA gets to snoop and mine data on anyone even if not an American
citizen, possibly even if such thing is illegal in this person's country...

I'd definitely consider abandoning plenty of USA-based services/business, use
an alternative from some other place that has some regard for humanity, spread
the word to people I know, maybe even making a living off of it

- "come to my service everyone, we're not .com!"

~~~
adventured
The short answer: absolutely

The relatively strong property rights and privacy laws that the US has enjoyed
are being obliterated at warp speed (or more specifically, they're using the
leap to digital as a means to bypass all the existing physical protections on
the books, pretending none of it applies).

