
Don’t Shoot Messenger - DiabloD3
https://www.eff.org/deeplinks/2018/08/dont-shoot-messenger
======
salawat
Again, the more fundamental question being fought over here is who has primacy
in the United States, the individual Citizen, or the "collective" Citizens.

This is the primary danger that comes from blind adherence to
Democratic/Republican principles. Letting the COLLECTIVE will filter down
without bureaucratic checks and balances in terms of having laws expire and
having to get reaffirmed as the population changes leads to a slow
consolidation of power that goes unchecked to the Federal level.

The Federal Government was not intended to be the hammer that gets thrown
about all over the country. The fact that we're even entertaining the
discussion that the Federal Government should be able to exercise such primacy
in access to personal information is a scary thing indeed.

It was never meant to be that pervasive. This country runs from the bottom up.
There are ways for Law Enforcement to do their jobs without ubiquitous
capacity to wiretap. The potential for abuse is simply too high.

~~~
Angostura
> This country runs from the bottom up.

That's all well and good, except irrespective of the issue, if you as an
individual Citizen tell Facebook to do something, it will take one look at you
and say 'bugger off'.

I don't see that there is anything intrinsically wrong with the government
directing Facebook to operate within laws or take action. The problem here is
that the particular policy of the government in this case is stupid, and it's
up to the collective Citizens to change that policy.

~~~
bilbo0s
> if you as an individual Citizen tell Facebook to do something, it will take
> one look at you and say 'bugger off'.

This.

In my own opinion @salawat's heart is in the right place, but his/her ideas
are completely unworkable. Expecting a lone individual in Lincoln, or
Birmingham, or Providence, or Dallas to be able to protect his or her rights
against Facebook, in the absence of a federal government, is just naive.

~~~
salawat
The point I'm making is more along the lines that a slow consolidation of
ultimate power at the Federal level is to be avoided.

The "Collective" Citizen, represented by the Federal Government, MUST be
limited in its ability to intrude in the affairs of the Individual Citizen.

Things like CALEA represent dangerous precedents and potentials for abuse that
should require reaffirmation and consistent reevaluation in the light of
advancing technology.

We all want a powerful and responsible government, but we have to weigh the
dangers and potential for abuse in the long run against the short term gains
from granting a new power with little or no constraint.

Perhaps I didn't express it that well.

------
seanlinmt
What bothers me is that if Facebook has to reengineer Messenger to comply with
the government then what’s stopping Signal having to reengineer its
infrastructure to comply with government demands?

And wouldn’t it be more secure to set up your own infrastructure instead of
depending on someone else’s infrastructure where you are unable to determine
with certainty that server-side code is unmodified?

~~~
tialaramex
The article explains that courts have concluded these Acts in particular don't
give the government carte blanche, it doesn't get to destroy your business to
achieve its goals under the Acts, and obviously allowing wiretapping in
Signal's app that exists specifically so that nobody can wiretap you
would destroy Open Whisper Systems' business.

So Facebook's Messenger is made more vulnerable by the fact that "Also the
government can't wiretap this" isn't a prominently advertised feature. In
fact, prior to this article if you'd asked if they can do so I'd have guessed
"Yes" and recommended Signal instead.

Why not set up your own infrastructure? Well that does come with a significant
downside. "Don't Stand Out" is one of the principles we've learned is
important for real world communications security. Once you set up your own
secure systems, while everybody else keeps using Messenger, you are marked
out, your communications label themselves as especially interesting. So _once
you do that_ you have to be sure that two things are true:

1. Your technical systems are 100% secure. No adversary has a backdoor to
your GPU firmware, a laser microphone listening to your keypresses, a black
bag team who can break in and silently copy your data when you're out
shopping, a zero day exploit for your browser, or whatever. If your adversary
is "Bob from next door" this seems plausible. But if it's the government of
your country you are probably in deep shit immediately.

2. Your society has both norms and strongly enforced laws that will ensure
it's not just easier and cheaper to bypass all this technology and get what
they want from you anyway.

But so long as you Don't Stand Out all this fades into the background. If we
make _everybody's_ communications secure, yours won't Stand Out and a powerful
adversary (such as the US Government) can't target you.

------
gshrikant
I didn't understand the references to TLS (with GMail, for example) and why
the government likes that better. Is there previous legal precedent which makes
TLS more vulnerable or does the protocol itself make snooping on it easier?

------
menzoic
Even if the session key for voice calls were shared, what use is it if the
audio is sent peer to peer and never hits Facebook's servers?

~~~
perch56
Quoting from the article: “The government would then use that key to decrypt
voice data separately captured by the subject’s ISP (likely a mobile provider
in this case).”

~~~
forapurpose
They also could just capture the data from the subjects' routers, assuming
they can be hacked (which for most people is probably the case).

------
asimpletune
I don't understand why option 1) wouldn’t be the best one. Facebook hands over
their session keys, and then they go to the cell provider to retrieve the data
and then it’s no problem.

Unless this case is actually about trying to establish precedent and using the
fact that it’s a well known, heinous gang to argue for something more than it
needs.

------
bufferoverflow
It's evolution! Criminals who use vulnerable chats/voicechats do get caught
(more often). Sooner or later the government will breed the criminals who use
open source end-to-end encrypted software. What will they do then?

~~~
nickthemagicman
I agree with you in theory. It's an arms race which just makes the
software/encryption better. However, governments have a trump card to this
whole arms race. A lot of countries just make encryption illegal.

~~~
bufferoverflow
I don't think criminals care about things being illegal.

~~~
nickthemagicman
It's pretty easy to be caught though. The internet is public.

