Where did the principle of secrecy in correspondence go? (theguardian.com)
105 points by jackgavigan on Oct 16, 2015 | 26 comments


This was a great article OP. But I think the author misses two critical points.

Privacy and secrecy, in my mind, are questions of agency. In this context we're talking about information. You can, broadly speaking, only do three things with information: create it, retain it, and share it. If you're to have agency -- that is, the ability to independently control your own existence -- in a digital sense, that implies that you must be able to control those three things. And if you think about it in terms of actual physical speech, it seems so intuitive: it would be an extraordinary day indeed if there were widespread physical manipulation of the very words coming out of our mouths, if somehow some third party could magically eavesdrop at will over anything we speak. But we've acclimated ourselves to thinking of digital spaces as somehow separate, as if the perceived triviality of, say, instagramming food pics might also imply that there is any less of a violation of our personal agency. That, for me, is why "private-by-default" is and always has been so vital: without it, you're incapable of exercising any meaningful control over the digital world around you. I'm always sad to see this framing left out, because I think it's a very important perspective to have.

The second, and likely more appropriate point (given that this is HN), is that this isn't just economics and geopolitics. It is a technical failure that allowed third parties to have any control over it in the first place. HTTP doesn't even protect security, much less privacy. HTTPS is a step forward, but if you think it's sufficient in protecting privacy, I would offer Facebook as a counterexample. Protection of data in transit is an insufficient condition for privacy, and therefore an insufficient condition for agency. It's perfectly possible to create a protocol to address this, to afford not just security but agency, and I am absolutely positive that there are people out there working on this (I know, because I'm one of them: https://github.com/Muterra/doc-muse). But the hard part is overcoming the inertia we already have, and on that front, we are indeed back to economics and politics.


Your narrative fails to explain what happened to Skype. Skype was a fully encrypted means of communication, and the only way to listen in on the parties talking to each other was to hack one of their computers. Then the NSA (and possibly other agencies) forced Skype to install a backdoor; this is one of many examples. There is no technological solution to the government compelling cooperation from any developers who venture to protect privacy. What would you do if someone held a gun to your head and ordered you to either give them a backdoor, go to jail, or be shot?

The US government (for example) has used many rationales to justify this behavior, including the third party doctrine, despite the obvious lack of any enumerated power to spy on citizens and residents at will. Most other governments never pretended to provide privacy protections for their populations; these people were largely kept safe because of the sheer volume of communications traffic and the high cost of surveillance (before powerful computers and huge national governments).

It seems that the problem is entirely political, as the government(s) will go to any lengths necessary to preserve their ability to look in on citizens. Powers that were once viewed as abhorrent and inherently totalitarian have become accepted through the collective passivity of an ever-more risk-averse populace.


I don't buy framing that as a purely political issue; it's exceptionally rare that anything fits so neatly into a box like that. Furthermore, boiling down the deprecation of the original Skype protocol at the hands of post-acquisition Microsoft is pretty far removed from what I'm saying; there's just too much to account for.

Your characterization of a coercive state just isn't how the US political world works. Black suits don't show up at a developer's door with a gun and tell them "you must introduce technical vulnerabilities in your protocol and/or implementation or we're going to kill you". That's Hollywood. In reality, the government puts indirect economic pressure on Microsoft, and this has a measurable impact on the command chain there, and eventually a "favorable" outcome (from the government's perspective) is reached. This may even be internally justified for "performance reasons" (and it was).

The plain fact of the matter is that at the end of the day, a technical vulnerability was implemented somewhere in the Skype protocol + implementation + system chain. That is still a technical deficiency, even if, as I said in my original reply, it is influenced by economic and political factors.


Lavabit was ordered to provide the SSL key in machine-readable format by noon, August 5, or face a fine of $5000 per day.

A phone call from the IRS is definitely backed up by people with guns even if nobody is directly in your face about it. Suggesting people in black suits need to show up when

> I wish that I could legally share with you the events that led to my decision. I cannot.

http://www.dailydot.com/news/email-anonymous-hushmail-lavabi...

PS: https://en.wikipedia.org/wiki/Lavabit The service suspended its operations on August 8, 2013 after US government ordered it to turn over its Secure Sockets Layer (SSL) private keys. Levison also stated he has even been banned from sharing some information with his lawyer. Levison and his lawyer made two requests to Judge Claude M. Hilton to unseal the records, both of which were denied.


> Suggesting people in Black suits need to show up when

But that's exactly what I'm trying to say. I was responding to:

> What would you do if someone held a gun to your head and ordered you to either give them a backdoor, go to jail, or be shot?

Which is not reality. That's not the kind of coercion you experience. The government applied (in this case direct) economic pressure, and Lavabit made a business decision that a fine of $5000 per day (and potential future legal problems) was an unacceptable operating expense. Goodbye, Lavabit.

And once again, a protocol (like SMTP) that doesn't inherently protect agency is, in my opinion, a technical problem. That email requires SSL for confidentiality is a security vulnerability. You don't fix that by taking on the political system (I mean you could, but good luck). You fix it by engineering a protocol that isn't vulnerable in the first place.

My point is that we need to stop waiting for the politics to change, and solve the problem ourselves. That's going to mean questioning some very entrenched protocols, like SMTP. So be it.


When you say he faced "potential legal problems", what you really mean is that they were threatening to send him to jail, or if he failed to cooperate with the brave boys in blue, they would shoot him. Fines are enforced in essentially the same way: either pay, go to the small box, or die. It is unpleasant to describe things this way, but using euphemisms to assuage our consciences does not change the reality of the system we operate in.


Is there a federal debtors' prison I'm unaware of? A fine from the government (when e.g. the sentence for a crime is a fine)—which you don't pay—turns into credit-score damage, liens and garnished wages; it does not turn into reduced freedom of movement/association.


You can't be imprisoned for being unable to pay a fine, but you can be imprisoned for being unwilling to pay a fine. This goes back to Bearden v. Georgia in which the SCOTUS ruled

>If the probationer has willfully refused to pay the fine or restitution when he has the resources to pay or has failed to make sufficient bona fide efforts to seek employment or borrow money to pay, the State is justified in using imprisonment as a sanction to enforce collection. [0]

So yes, had Levison refused to pay the fines imposed he could have been facing a prison sentence. You can easily find a plethora of news stories about people being imprisoned for failure to pay fines.

[0] http://caselaw.findlaw.com/us-supreme-court/461/660.html


> Skype was a fully encrypted means of communication... Then the NSA...

Another Skype skullduggery that's much less known than the protocol weakening is that they preserve voice mails and video messages forever. There is literally no way to delete them. I can't figure out if this misbehavior is being imposed on Microsoft/Skype or it's something they decided to do on their own.

Setting Preferences -> Privacy -> Delete history (OS X) or Options -> Privacy Settings -> Clear history (Windows) appears to delete the voice/video messages but it merely hides them from your view.

If you re-install Skype, all the "deleted" messages come back. You can also run Skype on a different computer to see that all the voice/video messages still exist. As far as I can determine, deleted chats (text conversations) do not re-appear, though we shouldn't assume those aren't being surreptitiously archived as well.

Googling about this yields surprisingly little discussion. It appears that a few people have been aware of it since 2013. I can't find any response, workaround, explanation, or admission from Microsoft/Skype.


Skype's a strange example to hold up. Proprietary protocol, with a heavily obfuscated client to prevent reverse engineering. And with an obviously centralized system (hint: if it's got password reset, it's not secure).


It wasn't always centralized, as I recall. At least, I remember a lot of discussion when the architecture was quietly changed.


It had to have been, in order to implement authentication and password reset. If not, Skype has been sitting on a massive breakthrough :). Decentralized user/password auth for 100M users would require a few GB of storage. Then you'd need a way to verify that info. Not impossible, but see how heavy e.g. the Bitcoin block chain is. The real obvious tell is that Skype had password reset via email, so obviously they've always had a "backdoor".

On top of that, the client was heavily obfuscated, so it's unlikely anyone besides the developers actually knew what it did in every situation. (Skype client did stuff like generate executable (.com) files on the fly to check things - they really didn't want the protocol reverse engineered.)

Skype allowed LE in well before Microsoft. And how would that even be noticed? Your system would relay through "random" peers and you had no way to verify the selection, and since the protocol is unknown, you have no way to verify the packets transmitted. The client could easily divert your call via a special interception node and you'd have no idea.

Skype could have easily implemented proper E2E crypto with a simple audio verification step (à la PGPfone and now ZRTP). They chose (and continue to choose) not to. They could then publish the spec so users could verify; they choose not to.

What you're probably thinking of is MS's decision to nix the P2P part of the Skype client which imposed undue resource usage on clients. Now MS runs the "peers" needed to maintain the network. This is the least concerning part of Skype, but looks the most sinister to a casual glance.
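As an added illustration of the "E2E crypto plus audio verification" design the comment above refers to, here is a minimal short authentication string (SAS) check of the kind PGPfone and ZRTP use. This is example code written for this page, not Skype's, PGPfone's or ZRTP's actual implementation. The Diffie-Hellman group (a 127-bit Mersenne prime with generator 5), the fixed private keys, and the four-character base32 SAS are assumptions chosen for illustration; a real deployment would use an RFC 3526 MODP group or X25519, and ZRTP's actual key derivation differs in detail.

```python
"""Short authentication string (SAS) check in the style of PGPfone/ZRTP.

Both endpoints run an unauthenticated Diffie-Hellman exchange, derive a short
string from the result, and the two humans read the strings aloud to each
other over the (now encrypted) voice channel. An interception node that relays
two separate DH exchanges cannot make both strings come out the same.

Added example for illustration; not Skype, PGPfone or ZRTP code.
"""
import base64
import hashlib
import secrets

# Toy DH group (assumption for illustration only): a 127-bit Mersenne prime is
# far too small for real use. Deployments use RFC 3526 groups or X25519.
P = (1 << 127) - 1
G = 5
SAS_CHARS = 4  # 4 base32 characters = 20 bits, the ZRTP default SAS size


def dh_public(priv: int) -> int:
    """Public value g^priv mod p."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Shared secret peer_pub^priv mod p."""
    return pow(peer_pub, priv, P)


def sas(shared: int, pub_initiator: int, pub_responder: int) -> str:
    """Derive the SAS from the DH result and both public values.

    Binding the exchanged public values into the hash (a transcript binding,
    as ZRTP does) means a substituted public key alone already changes the SAS.
    """
    transcript = b"|".join(
        x.to_bytes(16, "big") for x in (shared, pub_initiator, pub_responder)
    )
    digest = hashlib.sha256(transcript).digest()
    return base64.b32encode(digest)[:SAS_CHARS].decode()


def honest_call(alice_priv: int, bob_priv: int) -> tuple[str, str]:
    """Direct exchange: returns (SAS shown to Alice, SAS shown to Bob)."""
    a_pub, b_pub = dh_public(alice_priv), dh_public(bob_priv)
    sas_alice = sas(dh_shared(alice_priv, b_pub), a_pub, b_pub)
    sas_bob = sas(dh_shared(bob_priv, a_pub), a_pub, b_pub)
    return sas_alice, sas_bob


def mitm_call(alice_priv: int, bob_priv: int,
              mallory_priv_a: int, mallory_priv_b: int) -> tuple[str, str]:
    """Mallory (the 'special interception node') relays the call.

    She runs one DH exchange with Alice and another with Bob, substituting her
    own public values. She can decrypt and re-encrypt the media, but each side
    now derives its SAS from a different secret and a different transcript.
    """
    a_pub, b_pub = dh_public(alice_priv), dh_public(bob_priv)
    m_pub_a, m_pub_b = dh_public(mallory_priv_a), dh_public(mallory_priv_b)
    # Alice believes m_pub_a is Bob's key; Bob believes m_pub_b is Alice's key.
    sas_alice = sas(dh_shared(alice_priv, m_pub_a), a_pub, m_pub_a)
    sas_bob = sas(dh_shared(bob_priv, m_pub_b), m_pub_b, b_pub)
    return sas_alice, sas_bob


def sas_matches(spoken_by_peer: str, shown_locally: str) -> bool:
    """The human-side check: does what the peer read out match my screen?"""
    return secrets.compare_digest(spoken_by_peer, shown_locally)


if __name__ == "__main__":
    a_priv, b_priv = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print("honest:", honest_call(a_priv, b_priv))
    print("mitm:  ", mitm_call(a_priv, b_priv,
                               secrets.randbelow(P - 2) + 1,
                               secrets.randbelow(P - 2) + 1))
```

One caveat a practitioner would want: with a 20-bit SAS and the naive exchange above, Mallory could grind roughly 2^20 key pairs on the Bob side until his SAS happens to equal the one Alice already sees. ZRTP closes that hole by having the initiator commit to a hash of its DH value before the values are revealed, so the attacker gets only one attempt per call; a published spec is what lets users verify that such a commitment is actually there.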


> There is no technological solution to the government compelling cooperation from any developers who venture to protect privacy.

What about formally proven security? Can we expect in the near future to have communication software for which adequate security is guaranteed by a formal proof?


The essential problem is that governments treat elimination of private and secure methods as a game of whack-a-mole. As soon as a new service/software/protocol pops up, the government either bans/eliminates it or forces a backdoor. In this environment, we should expect that any service/software/protocol which survives for a prolonged period is insecure, regardless of proofs, because it probably would not have been allowed to remain secure by the 'authorities'.

This is, again, a political problem, because the populace supports Stasi-like surveillance.[1] The people are getting exactly what they want, and what they want is a horrific system. As H.L. Mencken said: "Democracy is the theory that the common people know what they want, and deserve to get it good and hard".

I understand that this seems a bit conspiratorial or paranoid, and I wish it were. If you want an example of how our expectations of surveillance have changed, please watch the 90s conspiracy-thriller "Enemy of the State".

[1] https://en.wikipedia.org/wiki/Stasi


This whole scheme is totally unproblematic as long as everyone acknowledges that we live in fascist states, which should not be called democratic anymore. Calling modern fascism "democratic" is a stretch, but thanks to modern fascist marketing (i.e. calling critics "conspiracy theorists"), controlling the press and big media it works.

Other countries solved that problem e.g. by calling themselves "People's republic", which leaves the path of ancient Greek democracy (which has almost nothing to do with our democracy btw) and follows more Napoleon's republic principles, who invaded all of Europe to liberate the suppressed peoples from the aristocratic rulers.


I just read the whitepaper, and Muse sounds incredibly interesting [1]. Thanks for working on this, I definitely want to spend more time looking at it!

[1] - https://github.com/Muterra/doc-muse/blob/master/whitepaper.m...


Thomas M. Cooley's 1879 analysis of privacy of telegraphic correspondence (the "hampered by fears" link in the Guardian article) is fascinating: https://archive.org/details/jstor-3303981/


This is so beautiful... what I was trying to say here: https://news.ycombinator.com/item?id=10384748

  In brief, then, the doctrine that telegraph authorities may be
  required to produce private messages, on the application of third
  persons, is objected to, on the following grounds:--

  1. That it defeats the policy of the law, which invites free communication,
  and to the extent that it may discourage correspondence,
  it operates as a restraint upon industry and enterprise, and, what is
  of equal importance, upon intimate social and family correspondence.

  2. It violates the confidence which the law undertakes to render
  secure, and makes the promise of the law a deception.

  3. It seeks to reach a species of evidence which, from the very
  course of the business, parties are interested to render blind and
  misleading, and which, therefore, must often present us with error in
  the guise of truth, under circumstances which preclude a discovery
  of the deception.

  4. It renders one of the most important conveniences of modern life
  susceptible at any moment of being used as an instrument of infinite
  mischiefs in the community. It is not necessary to enumerate these
  mischiefs. Any one can picture to his own mind what would be the
  condition of things in any neighborhood, if its whole correspondence
  were exposed to the public gaze. A single instance, in which the veil
  of confidential secrecy is thrust aside, will introduce some of these
  evils, but it will suggest the possibility that any moment all the others
  may follow.

  Inviolability of Telegraphic Correspondence.
  Supreme Court of the United States.
  Thomas Snell et al. v. The Atlantic Fire and Marine Insurance Company. 
  February 1, 1879


A minor nit: Thomas Snell et al. v. The Atlantic Fire and Marine Insurance Company is the opinion which follows Thomas M. Cooley's opinion you are quoting here.


Oh that's funny, I copied the header text off the scanned page but it's for the next article in the book. Thanks for pointing that out.


That would make a great submission in its own right, if you want to post it. Maybe wait a day or two since HN tends not to go for pile-on stories.


You could easily miss the tiny text on the left where it says:

  Sponsored by:

  Silent Circle

This doesn't necessarily detract from the article, of course, but it's interesting metadata.


Where did it go? From what I've read, it never existed, except as comforting bullshit. Read Bamford's books about the NSA. Read about the British Black Chamber.[0,1]

[0] http://www.tandfonline.com/doi/pdf/10.1080/02684528708431876

[1] http://www.theatlantic.com/international/archive/2013/06/gen...


The Black Chamber typically refers to an American organization[0] although, to be fair, it was not the only use.

> The term "Black Chamber" predates Yardley's use of it in the title of his book. Codes and code breakers have been used throughout history, notably by Sir Francis Walsingham in Elizabethan England. A so-called cabinet noir was established by King Henry IV of France in 1590 as part of the Poste aux Lettres.

[0]: https://en.wikipedia.org/wiki/Black_chamber


Privacy as a legal construct is relatively recent.


It's as old as the fourth amendment.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.


It wasn't called privacy then or analyzed as a right to privacy until 1890, although courts have agreed since then that "privacy" is part of what the fourth amendment protects.

https://en.wikipedia.org/wiki/The_Right_to_Privacy_%28articl...

Sometimes courts have thought of the privacy protections in the fourth amendment as very narrow and specific. For example, they've carved out almost everything we do that's intermediated from fourth amendment privacy protections!

https://en.wikipedia.org/wiki/Third-party_doctrine
