Don’t Shoot Messenger (eff.org)
197 points by DiabloD3 5 months ago | 20 comments

Again, the more fundamental question being fought over here is who has primacy in the United States, the individual Citizen, or the "collective" Citizens.

This is the primary danger that comes from blind adherence to Democratic/Republican principles. Letting the COLLECTIVE will filter down without bureaucratic checks and balances in terms of having laws expire and having to get reaffirmed as the population changes leads to a slow consolidation of power that goes unchecked to the Federal level.

The Federal Government was not intended to be the hammer that gets thrown about all over the country. The fact that we're even entertaining the discussion that the Federal Government should be able to exercise such primacy in access to personal information is a scary thing indeed.

It was never meant to be that pervasive. This country runs from the bottom up. There are ways for Law Enforcement to do their jobs without ubiquitous capacity to wiretap. The potential for abuse is simply too high.

> This country runs from the bottom up.

That's all well and good, except irrespective of the issue, if you as an individual Citizen tell Facebook to do something, it will take one look at you and say 'bugger off'.

I don't see that there is anything intrinsically wrong with the government directing Facebook to operate within laws or take action. The problem here is that the particular policy of the government in this case is stupid, and it's up to the collective Citizens to change that policy.

>if you as an individual Citizen tell Facebook to do something, it will take one look at you and say 'bugger off'.


In my own opinion @salawat's heart is in the right place, but his/her ideas are completely unworkable. Expecting a lone individual in Lincoln, or Birmingham, or Providence, or Dallas to be able to protect his or her rights against Facebook, in the absence of a federal government, is just naive.

The point I'm making is more along the lines that a slow consolidation of ultimate power at the Federal level is to be avoided.

The "Collective" Citizen, represented by the Federal Government, MUST be limited in its ability to intrude in the affairs of the Individual Citizen.

Things like CALEA represent dangerous precedents and potentials for abuse that should require reaffirmation and consistent reevaluation in the light of advancing technology.

We all want a powerful and responsible government, but we have to weigh the dangers and potential for abuse in the long run against the short term gains from granting a new power with little or no constraint.

Perhaps I didn't express it that well.

> This country runs from the bottom up.

While I very much support individual privacy and liberty, I think the statement above is being misapplied: Yes it runs from the bottom up, and therefore it does not run according to ancient rules and their interpretations. It's a democracy, not a religion; today's voters decide what they want, not ancient prophets (the Founders) who handed down scripture (the Constitution, Federalist Papers, etc.). And in fact, that's how the founders of the U.S. designed it.

What bothers me is that if Facebook has to reengineer Messenger to comply with the government then what’s stopping Signal having to reengineer its infrastructure to comply with government demands?

And wouldn’t it be more secure to set up your own infrastructure instead of depending on someone else’s infrastructure where you are unable to determine with certainty that server-side code is unmodified?

The article explains that courts have concluded these Acts in particular don't give the government carte blanche, it doesn't get to destroy your business to achieve its goals under the Acts, and obviously allowing wiretapping in Signal's app that exists specifically so that nobody can wiretap you would destroy Open Whisper Systems' business.

So Facebook's Messenger is made more vulnerable by the fact that "Also the government can't wiretap this" isn't a prominently advertised feature. In fact, prior to this article if you'd asked if they can do so I'd have guessed "Yes" and recommended Signal instead.

Why not set up your own infrastructure? Well that does come with a significant downside. "Don't Stand Out" is one of the principles we've learned is important for real world communications security. Once you set up your own secure systems, while everybody else keeps using Messenger, you are marked out, your communications label themselves as especially interesting. So _once you do that_ you have to be sure that two things are true:

1. Your technical systems are 100% secure. No adversary has a backdoor to your GPU firmware, a laser microphone listening to your keypresses, a black bag team who can break in and silently copy your data when you're out shopping, a zero day exploit for your browser, or whatever. If your adversary is "Bob from next door" this seems plausible. But if it's the government of your country you are probably in deep shit immediately.

2. Your society has both norms and strongly enforced laws that will ensure it's not just easier and cheaper to bypass all this technology and get what they want from you anyway.

But so long as you Don't Stand Out all this fades into the background. If we make _everybody's_ communications secure, yours won't Stand Out and a powerful adversary (such as the US Government) can't target you.

If I understood the article properly, this is about Messenger voice calls, which are not E2E encrypted:

> However, end-to-end encryption is not an option for Messenger voice calls.

Hence, the FB infra is in a position where they can actually retain the key, which Signal is not:

> This differs in a major way from other secure messaging applications like Signal, WhatsApp, and iMessage. All of those apps use protocols that encrypt that initial session key—the key to the voice data—in a way that renders it unreadable by anyone other than the intended participants in the conversation.

However, Signal could of course modify the client applications to siphon off the keys and send them wherever. Especially since it's hard/impossible to verify the source code running in the binary on your phone, this is somewhat scary and forces me to trust Signal.

But if I understand everything correctly, Signal could not be coerced into revealing keys from the backend side. (Please correct me if I'm wrong)

I didn't understand the references to TLS (with GMail, for example) and why the government likes that better. Is there previous legal precedent which makes TLS more vulnerable or does the protocol itself make snooping on it easier?

Even if the session key for voice calls were shared, what use is it if the audio is sent peer to peer and never hits Facebook's servers?

Quoting from the article: “The government would then use that key to decrypt voice data separately captured by the subject’s ISP (likely a mobile provider in this case).”

They also could just capture the data from the subjects' routers, assuming they can be hacked (which for most people is probably the case).

> Force Facebook to retain the session key to the suspect’s conversation and turn it over to the government. The government would then use that key to decrypt voice data separately captured by the subject’s ISP (likely a mobile provider in this case).

They can wiretap the data lines, it's not a problem for the gov. The problem is decrypting that data.

I don't understand why option 1) wouldn’t be the best one. Facebook hands over their session keys, and then they go to the cell provider to retrieve the data and then it’s no problem.

Unless this case is actually about trying to establish precedent and using the fact that it’s a well known, heinous gang to argue for something more than it needs.

It's evolution! Criminals who use vulnerable chats/voicechats do get caught (more often). Sooner or later the government will breed the criminals who use open source end-to-end encrypted software. What will they do then?

I agree with you in theory. It's an arms race which just makes the software/encryption better. However, governments have a Trump card to this whole arms race. A lot of countries just make encryption illegal.

So then they use encrypted messaging with plausible deniability (e.g. steganography).

I don't think criminals care about things being illegal.

It's pretty easy to be caught though. The internet is public.
