Hacker News new | past | comments | ask | show | jobs | submit login
Senate bill rewrite lets feds read your e-mail without warrants (cnet.com)
184 points by nhebb on Nov 20, 2012 | hide | past | favorite | 137 comments

This is a thread full of passionately argued polemics about the US national security state and not one link to the legislation proposed in any incarnation. After the debacle that was the trade press reporting on CISPA, it is probably a bad bet that Declan McCullagh got this exactly right.

Obviously, a provision that allows law enforcement warrantless access to random people's email would be a terrible thing. It seems a little unlikely that in the wake of the Patraeus scandal, that's what Leahy would really be proposing. Maybe it is. Can we FIND OUT?

Late edit: here it is: http://news.ycombinator.com/item?id=4811489

No point. It's shitty living somewhere with a government that would propose this sort of thing. It's also like rearranging the deck chairs on the Titanic, as the NSA et al have already tapped everyone's fibers years ago.

Furthermore - it's not a secret that they did so. Books have been written on the matter. The public got suitably outraged, and then nothing happened. The taps are all still there, and the equipment's all been upgraded as the capacities have increased.

It truly doesn't matter what these laws say. Your communications in the US are all already monitored as a fact of life.

I respectfully but vigorously disagree with you that there's no point discovering what proposed laws say. It's our responsibility as citizens to figure this stuff out. There aren't that many "cyber" laws proposed every year.

This is a country in which people of African descent couldn't even reliably vote 55 years ago. I refuse to succumb to the notion that all is lost simply because we've had 8-10 years of overreach.

> It's our responsibility as citizens to figure this stuff out.

Well, that, or flee.

> I refuse to succumb to the notion that all is lost simply because we've had 8-10 years of overreach.

If that's the case, I ask non-sarcastically: How many decades of tapped phones, illegal body searches, and indefinite detention and/or torture of political prisoners are you willing to wait for reform before you declare the US an unacceptable place for good and reasonable people to continue living in and paying taxes to?

I'm genuinely curious. Is there an upper bound?

For me, personally, it was ~8 years.

"The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are." --H. L. Mencken

> How many decades of tapped phones, illegal body searches, and indefinite detention and/or torture of political prisoners are you willing to wait for reform before you declare the US an unacceptable place for good and reasonable people to continue living in and paying taxes to?

So, if things get tough you typically quit? Only 8 years? There are isolated cases of each of those occurrences, and while just one is unacceptable, this country is far from uncorrectable.

There are quite a few citizens of the USA that waited a lot longer than 8 years for rights we all are born with and take for granted today. I find it perfectly reasonable to both have the determination to stay active/volunteer as well as the patience for the process to work.

> Your communications in the US are all already monitored as a fact of life.

I would ask you to provide evidence that my private communications are being monitored. Explain to me how the US government has cracked/backdoored every crypto library available.

Really? I'm sorry, but this just struck a nerve.

You feel safe hiding behind the theoretical/practical integrity of a cryptographic library? I'm almost tempted to link the requisite XKCD cartoon.

I think ensuring private communication for all people, regardless of technical means of ensuring secret communication serves us all, including those, like you, who feel safe with their already existing measures.

If a precedent is set that allows a government the power and right to spy indiscriminately everyone's privacy is dimished including those who are avid PGP users.

Besides, once that step is taken the next logical conclusion is to simply demand you provide pass phrases and private keys for any encrypted communication as is the case in other countries [1].

Besides, information leaks by other means, which might be used to circumvent encryption. Man-in-the-middle attacks or simply targeting a weak end point in a communication stream. Colleagues might not be as adamant about security and their end of the communication might come under scrutiny. Besides, unless all electronic devices are electromagnetically shielded TEMPEST and other similar attacks are still possible. Once the door is open to monitoring or surveillance all bets are off as to how they accomplish this, and it might be through means that render current cryptographic libraries useless.

Even assuming a perfect means of ensuring a message is sent unseen, the patterns of communications themselves can yield a significant amount of information. Even if governments can't tell what the contents of a message the fact a communication existed (a carefully protected communication at that) might be used against people, never mind if they're to trace the communication or establish contact frequency.

It also reminds me of the mechanisms used look for errant behavior patterns. Targeting people that use only cash, don't have credit cards or those who simply fall outside of the established behavior patterns. Monitoring of everyone else's communications establishes sufficient data to single further target people and erode their privacy.

Target was able to determine when clients were pregnant by simply analyzing shopping patterns [2].

It also reminds me of how Germany dealt with the Baader Meinhof group, by screening for "seemingly mundane items as utility bills" to establish probable cause for detention or investigation. Once we're all under surveillance the government won't even need to read everything we write to further erode our privacy.

By fighting for better privacy protection for all I think we make our own private communications safer.

1. http://en.wikipedia.org/wiki/Key_disclosure_law

2. http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...

edit: grammar and expanding out a few ideas.

What you're complaining about is not a solvable problem, and has nothing to do with privacy.

Today, in this world we live in at this very moment, I can communicate in such a way so as to prevent the US government from reading/hearing what I say.

So, unless you have specific evidence that this isn't the case, people should listen to what you're saying with the same attention they give every other conspiracy theorist.

Maybe I didn't explain myself properly, but what I was stabbing at had everything to do with privacy. As does the whole point the OP mentioned of having communications monitored.

Whether or not the US government can at this point in time read/hear what you say is somewhat irrelevant if they're monitoring it and recording it and there exists a non-0 chance of they being able to then crack it.

I was also not attempting to draw up some huge conspiracy theory that the US government is out to get you or any particular person. I'm merely trying to point out that the more information and communications the US Government (or any other entity) records, then the greater their capacity to infringe on our privacy. And that in some use cases the actual contents are irrelevant in so far that the monitoring itself can inconvenience us and harm us due to information that is inadvertently leaked or signalled through our communication patterns.

But to be honest, I'm glad there exists a way for someone to have every single method of communication go through secure means that are impervious to any manner of eavesdropping.

> Whether or not the US government can at this point in time read/hear what you say is somewhat irrelevant if they're monitoring it and recording it and there exists a non-0 chance of they being able to then crack it.

No, that's completely wrong. Just because something exists doesn't mean it's accessible. That's what warrants are for, and if it's unlawful for the government to ever see that information, then the warrant will never be granted.

We were talking about whether or not people are able to communicate privately, and you claimed it was impossible. This is factually inaccurate, as I've been trying to point out.

Do you have any evidence to suggest that the government is capable of breaking currently considered secure encryption? If not, shut the fuck up.

>> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

I don't understand how anyone can think that the founding fathers would not have considered email and cell phone conversations to fall under this provision.

I'm so sad about our country's abandoning the principles of freedom.

The main issue here is that it's legislation covering cases not covered by the 4th amendment, i.e. where there is no Constitutional violation in the search, but which the legislature could add additional statutory requirements to. And the main reason that's the case is that you only have 4th-amendment rights in your person and property, but you have no property rights in your Facebook account, which is wholly owned by Facebook, and which you use for free only as a guest. So the only party that could object to a search of Facebook is Facebook itself (they could fight subpoenas, attempting to quash them as unreasonable impositions... not unreasonable impositions on you, but on Facebook).

I don't think that's a good state of affairs, but I can see how it logically makes sense. On HN we're often reminded that people have no right as users to any particular service from Google or Facebook, and the reason is that they don't own anything about the service or the data on it. Facebook could sell your data to advertisers, they could mail all your posts to the FBI without a warrant, whatever they want. So similarly there is no 4th-amendment right that you have relating to a search of Facebook, because it's not a search of your person or property, but of theirs. In the Founding generation this wouldn't have been an issue because it was not common to for a person to store significant amounts of their personal papers in a form where they had no ownership over them (even when you stored with a 3rd party, like in a bank safety deposit box, there was typically a contract specifying that you had certain ownership rights).

I do think there should be a fix to it, which will require implying some kind of rights that Facebook users have against government searches of Facebook targeted at that user (despite the user having no ownership in Facebook). But one wouldn't want that to go too far, because I can also see the property-rights argument: if I really do want to voluntarily mail the data on my server to the FBI, and I didn't sign a contract with the users saying I wouldn't, why should the users be able to stop me from doing so? You'd have to abrogate property rights with some kind of right-to-information-privacy that supersedes the fact that it's my server and I own its contents. Overall it seems like a situation that the Constitution's framers didn't imagine.

I see what you're saying, but there are at least two separate issues here.

>> you have no property rights in your Facebook account, which is wholly owned by Facebook

By this logic, do I also have no right to expect privacy when I mail a paper letter through the post office? After all, its sorting facilities are wholly owned by the government.

I honestly don't know what the framers would have said about that. If I shouldn't expect privacy there, the argument is done.

If I should expect privacy from the post office, there's a second issue:

>> and which you use for free only as a guest

By this logic, I should expect privacy from my cell carrier, because I pay to use their service, therefore my account and the data passing through it might be argued to be "mine".

>> in a bank safety deposit box, there was typically a contract specifying that you had certain ownership rights... [snip] ... some kind of right-to-information-privacy that supersedes the fact that it's my server and I own its contents.

Both of these parts of your comment suggest that I should be legally able to operate a service and specify in the user agreement that I won't give their data up for search without a warrant; that they have some ownership rights over their data.

Sadly, I think the government would assert otherwise. The only loophole I've heard used so far is to operate a service which, through encryption, actually can't access users' data. And for all I know, that will be declared obstruction of justice.

On the letter analogy, things owned by the government are treated differently from things owned by a 3rd party in the private sector. The government generally is more restricted in its actions. And in the case of the USPS, there are further statutory restrictions beyond those required by the Constitution that are written into law, specifically about protecting the privacy of mail in transit. The same is true with phone calls: wiretapping statutes place certain requirements on when a wiretap can be authorized, beyond the minimums the Constitution would require. One of those (which the AT&T wiretapping scandal hit) is to actually make it criminal for a phone company to volunteer information to the federal government without a warrant, which basically closes down the 3rd-party-consent end-run around search warrants, since it explicitly makes it criminal for them to consent. I do think it's a good idea to consider extending some of these to email, given its pervasive role that's largely replacing what physical mail and phones used to carry. But that requires admitting that email to some extent needs to be treated less like a purely private-sector business, and more like a utility.

Your last point is an interesting one, though. If a provider specifically includes in their service policies a promise not to give up the user's data, then it seems like the provider would have a good claim when they attempt to quash subpoenas, even if the user themselves doesn't have any particular rights in the matter.

> "The main issue here is that it's legislation covering cases not covered by the 4th amendment"

The cases are only uncovered by the fourth if we accept a narrow reading which somehow determines that "your papers" only applies to physical pieces of paper and that "be secure" only applies if the citizen would be deprived of access in the course of the search.

Those distinctions make no sense and, if applied, make the fourth amendment wholly technologically obsoleted in the very near future.

Is it a remotely logical position to argue that the founders were really concerned about government searches, seizures and surveillance, but only inasmuch as people were inconvenienced by those searches, seizures and surveillance?

That provided the English could have searched, seized and surveilled quickly, efficiently and entirely-on-the-sly the Revolutionaries wouldn't have been so hot about the issue?

Is anyone surprised by this, in the wake of PATRIOT and NDAA?

The time to leave the US is now. You no longer have the basic rule of law. Collect your family and possessions and emigrate.

It's not easy[1], but it's the only way, now. We're never getting those rights back.

[1] I did it. It's tough, no foolin'.

If you don't mind me asking, what country did you move too that has better personal rights? I know that Canada and most of the EU have a worse track record than the US when it comes to this.

IMHO moving out of the US just avoids the problem, instead of solving it. We need to put more support behind advocacy groups like the EFF who's mission statement is to fight against the infringement of personal rights.

You know that Canada (and the EU) has a worse track record... Can you provide a link to support this rather bold assertion? I am fairly familiar with Canadian law and strongly disagree with your statement.

Check out Canada's hilariously-named "human rights commissions."

I'm not saying that the US is strictly better than Canada in the rights department. However, it's definitely not strictly worse.

I have had to deal with Human Rights Commissions in two provinces over the course of 10 years and have never seen anything like what is referenced: HRCs do not have the capacity to access email and documents without the owner of such being informed. Your argument is just an attempt at changing the topic at hand. The orginal comment ended with "when it comes to this" thus referencing warrantless access to email and such.

According to his Twitter profile, he's in Germany: https://twitter.com/sneakatdatavibe

Ah, the land where the police use trojans to surveil you.

At least Canada is not involved in wars of aggression and is a relatively peaceful nation (in comparison to the US). The point is not where we are now that is of concern, it's when the shit hits the fan, which will inevitably happen. When this happens, first thing out of the window is personal rights.

Canada is an an interesting choice, until you read some history and realize that every fascist state eventually turns its wars of aggression toward its closest neighbors. The odds that America will turn fascist on its own people, act on continuous wars of aggression globally, but never attack Canada - is roughly zero. It's a matter of time, unless the fascist state creep is rolled back and quickly.

This is a message board comment that says that the US is well on its way towards invading Canada.

It's a message board comment that says if you believe the US is on its way to being a fascist state, read a history book sometime on exactly how fascist countries operate.

History teaches us that the US will soon invade Canada, is what you're saying.

I wouldn't expect it in the next decade. However, if you cycle forward the progression of laws and behavior represented by the last 10 to 15 years, then it seems likely that at a minimum the US will begin to intrude on Canadian sovereignty either through direct or indirect coercion.

Fascist countries don't tend to be very tolerant of their friendly neighbors.

Hello to you from the other side of the ocean! How's the weather at where you've left from? I have to admit, it is somewhat disturbing to meet you in the middle of the Atlantic, rowing just as enthusiastically as we do, just in the opposite direction.

>You no longer have the basic rule of law.

In many EU countries (my own included) people would start either crying bitterly or laughing hysterically have you told this to anybody older than 12. Loosing control over your mail shouldn't be the turning point in making a decision whether to emigrate or not.

Using that argument, a reasonable approach would simply be to make sure all steps for the worse are incremental, so nobody ever has a "turning point" they can point to.

Arguably this is already happening.

The turning point is often just the final straw, not "everything was 100% fine up until they started reading my email".

In no way I am encouraging to calm down, wait or try to ignore the bill. Poor choice of words on my side. I was trying to say that your right to own your email is definitely something you can try to defend. See those guys around asking for whom they may contact regarding this issue? I'm totally with them. They are doing something about another something they don't like. "All that is necessary for the triumph of evil is that good men do nothing." (Edmund Burke)

Fleeing is also an option, but I am 100% sure Sneak had more reasons to move abroad than just PATRIOT and NDAA.

First, it is not easy (if not impossible), for most people to just move. Let's say some people did move to some other country (X). What is the guarantee that X will not through the same route? What do we do in that case?

Where did you move to? Honestly, I really am curious.

I'm not the OP, but: Anywhere with mountain plains (2000ft+) for decent growing and grazing for cattle or sheep. Temperate zones are best to minimize disease vectors. This can work anywhere (even in the US) because rule of law is more or less like cell phone coverage. > http://img203.imageshack.us/img203/9017/worldfactor10.jpg

Yes because Germany is so much more "free" than america, I mean its a regular paradise over there comparatively.

[1] A decision of a court that assumes that a publication is violating another person's personal rights (a newspaper for example can be forced not to publish private pictures).

[2] All forms of movie ratings (also for computer games but not for books) motivated by youth protection.

[3] Media that is assumed to be very harmful to youth is indexed by the Bundesprüfstelle für jugendgefährdende Medien (Federal Department for Media Harmful to Young Persons). These publications are restricted in marketing but not de jure censored in general. Indexing can grant publicity but is often tried to prevent. The reduced violence in some German versions of movies and games that carry a USK rating have in fact not been censored, but the companies releasing them have decided themselves to remove certain content in order to make the media available to a wider audience.

[4] Publications violating laws (that restrict freedom of speech in general) can be censored; their authors can be penalised. Such restrictions are Volksverhetzung, slander and libel (which are in Germany Beleidigung, Verleumdung and Üble Nachrede). Especially Üble Nachrede (defamatory statement) scarcely causes censorship. Üble Nachrede (Defamatory statement) means violating personal rights by spreading gossip/news which are neither evidentially true or false.

Membership in a Nazi party, incitement of hatred against a segment of the population (Volksverhetzung) and Holocaust denial, are illegal in Germany. Publishing, television, public correspondence (including lectures), and music are censored accordingly, with legal consequences that may include jail time.

Source: http://en.wikipedia.org/wiki/Censorship_in_Germany

Wow, so much freedom the government must step in to stop people from thinking certain ideas, and voicing certain opinions, now that's freedom!

Let's talk about banned video games:

Soldier of Fortune: Payback - Banned due to high levels of gore (decapitations, dismemberments, and excessive blood-letting) KZ Manager (1990-10-29/1990-11-19) - Banned because of Nazi references. Condemned: Criminal Origins (Decision AG Munic February 2008) - Banned because of high impact violence and cruelty. Condemned 2: Bloodshot - Banned because of high impact violence and cruelty. Manhunt (all versions, 2004-07-19) - Banned because of high impact scary violence and cruelty. Manhunt 2 - Banned for "gross, unrelenting, and gratuitous violence." Dead Rising - Banned because of high impact violence and cruelty. Dead Rising 2 - Banned because of high impact violence and cruelty. Silent Hill: Homecoming (Uncut) - Banned because of high impact violence and cruelty. Wolfenstein (Uncut) - Banned because of Nazi references. Scarface: The World is Yours (Uncut) - Banned because of high impact violence and cruelty. Left 4 Dead 2 (Uncut) - Banned because of high impact violence and cruelty. The Darkness (Uncut European Xbox 360 version) - Banned because of Nazi signs in bonus comic.

Source: http://en.wikipedia.org/wiki/List_of_banned_video_games#Germ...

Yes indeed, what a way to celebrate your new found freedom by cowardly running away to a country that itself was home to some of the worst atrocities known to man kind; further compounding your stupidity because that country itself has many banned topics, ideas, and restrictions on how you can express yourself.

You are a coward, and I say good riddance to you, because surely whenever things get tough in a country, the answer is to turn tail and run away to somewhere "better".

> because surely whenever things get tough in a country, the answer is to turn tail and run away to somewhere "better"

The USA PATRIOT Act turned 10 years old in October 2011. If it was going to get better, it would have happened in the first decade.

There are way more things you can't say in the USA than there are things you can't say in Germany. On paper, it certainly appears as if the US has more liberty, sure.

I realized that it was time to go when I walked up the path to the Jefferson Memorial and saw a sign indicating that carrying firearms is prohibited on the grounds.

The liberties that are guaranteed to you in the constitution are no longer real. The fact that Germany enumerates the specific things you can't say and do actually makes it much better here.

EDIT: Found the sign from the TJ memorial. I took a picture of it when I was in DC to visit the NSA's Crypto Museum. http://i.imgur.com/KROsp.jpg

Respectfully: the German government has created official blacklists of religions, promulgating to employers questionnaires intended to help them screen out members of those religions. Yes, the religion involved is Scientology. Yes, I think Scientology is a terrible religion. But a society that can create an official ban on a specific religion has a hard time claiming to be more free than the US.

Scientology is demonstrably not a religion but a harmful scam.

I've lived in both, I can say with authority: One is a lot more free in practice, here. The police concern themselves with criminals, not with bullying. Surveillance is a lot less common. The government isn't wholesale tapping the fibers (or, if they are, they were slick enough to censor the news stories and books about them doing it, too). There aren't laws suspending certain groups' right to trial.

So prior restraint of speech and expression is OK in Germany as long as a credible case can be made that that speech in some way supports an organization conducting a harmful scam.

I agree with you completely about Scientology. And I'd rather have Scientology Centers on as many corners as Christian churches than have a government that colludes with private employers to screen new hires based on their religion.

If you agree with me completely, we wouldn't be having this discussion, as Scientology is _not a religion_.

I do not agree that you and I should have the authority to declare things "not a religion", and note that Germany persecutes Scientologists, not Scientology. That is deeply fucked up.

It's one thing to say that the government should have nothing whatsoever to do with religion, including tax exemption. It's another to say that not only should the government be in the business of picking "legit" religions and designating others as scams or cults, but that it should then be using its power to coordinate a shunning of adherents to those religions.

It's not like the problem is that Germany doesn't respect Scientology. I could give a shit; I don't respect it either. It's that Germany thinks it's the role of the state to tell people what they can and can't believe.

We are in agreement there. It was my impression that Germany just doesn't recognize scientology as a religiom, period.

Scientology is demonstrably not a religion but a harmful scam.

Which makes it way different, from say, the Catholic Church.

There are way more things you can't say in the USA than there are things you can't say in Germany.

Ridiculous. Name one.

Get back to me after you present a forged travel document in Germany, or show up at the airport with a device that will look to everyone else like a bomb. This ought to be good.

And I'd rather be corralled into a "free speech zone" for expressing a countervailing political opinion than arrested and indicted for it, as you would be in Germany.

The guy who _made the website_ that outputs PDFs of boarding passes was the one who got raided. It wasn't "present[ing] forged travel document[s]".

The people at the RNC _were_ arrested.

The guy who _made the website_ that outputs PDFs of boarding passes was the one who got raided. It wasn't "present[ing] forged travel document[s]".

My point stands. If anything, you just reinforced it by pointing that out.

The people at the RNC _were_ arrested.

And then what happened to them?

The reality is, one nanny state is as good/bad as another. You can point to no objective evidence that Germany is a more enlightened, tolerant, or liberal nation than the US. It's great that you're happy there, but you shouldn't have to indulge in rhetorical gymnastics to affirm your decision to stay... and you can't possibly expect such cherry-picking to convince anyone else.

haha, you create a new account to hide behind to call someone else a coward :)

>You are a coward, and I say good riddance to you

...says the smurf account. If you actually disagree with someone say it with your main or don't say it at all.

How on earth is creating a single-purpose account shadier than writing on HN under a pseudonym, which is common practice here? Your name isn't on your profile either. Some of us are comfortable putting our names behind our words. Others can't do that, and our norm is that that's fine.

The comment you're responding to isn't a drive-by. It makes a substantive argument. If it's wrong, address the wrongness.

What makes you think it's fundamentally different anywhere else?

I don't think things are looking so ugly everywhere else, no.. At least not in Brazil.

Brazil??? Oh yeah, they're real bastions of freedom, fighting an even more nobler War on Drugs than the US...

OK enough is enough! In the light of this bill, post-thanksgiving time I will spend on cleaning up all my email boxes and would like your suggestions for a new email account that fulfills the following requirements:

- is located off shore, preferably some small country with less draconian laws that exists now and could be implemented in near future (15 years?), BUT stable enough so that my service can be reliable,

- content of my emails is automatically encrypted,

- and at this point, I am fine with paying for my email. The amount of work it lets me do, I am fine with paying up to $49/month, I think.


The best solution right now is probably to use a desktop app that encrypts e-mails locally with OpenPGP before sending them.

Can't someone make a Chrome extension that does the same for Gmail, though? There seem to be a few solutions for Firefox.

Hint: You are not the first person to notice that crypto can be done client-side in Javascript. There are very good and not-obvious reasons why this is not done.

Could you please elaborate, so that more people do not fall into this intellectual trap?


Basically, the server you're talking to, as well as any resources on that page, can undermine your javascript primitives and render your crypto useless (or just backdoor it).

If you trust the server to not backdoor your crypto... you can just trust the server to _do_ the crypto in the first place.

There is an effort underway to build better crypto APIs into browsers, but I'll bet you a bitcoin that it's super easy to fuck up the implementation of and most end up being insecure, and/or nobody ends up using it after all.

I read that article as explaining why a web application can't do crypto with javascript. As someone that knows almost nothing about browser extensions, can you elaborate on why one isn't a good idea for chrome?

The sections "How are browsers hostile to cryptography?", "What systems programming functionality does Javascript lack?", "What else is the Javascript runtime lacking for crypto implementors" cover issues you would encounter with browser extension cryto.

I didn't realize extensions were largely javascript. Thanks for the pointers.

Ah yeah. I believe the usual terminology is such that "extensions" are javascript and "addons" are something native. You could probably do cryto well with an addon.. to the extent that it is possible to do an addon at all properly (honestly I have no idea there).

I think you could at least have it implemented in NaCl in Chrome, if the Javascript versions fail.

Presuming you're securing against gmail monitoring, Google in this case would be the eavesdropper/attacker.

Google controls the key/cert that allows for Chrome extension updating...

Hope you enjoy talking to yourself, because encrypted email only works if the receiving side participates. And realistically, almost nobody does.

I'd like to take this opportunity to remind everyone that GPG encryption for email (and other data) is freely available. It would be considerably more generally usable if someone with design skills contributed to the projects. The Mac GPG integration is nice, but in my explorations outside of that, it's been... difficult to use. Particularly galling is the key distribution problem. :-)

Encryption has a couple of drawbacks. If you happen to be unable to decrypt something the authorities want to see, you go to jail for a long time in some countries.

And then of course I can't make everyone I communicate with use encryption. So all I can do is encrypt incoming mail, which is rather pointless because there's another unencrypted copy out there and the mail headers will give away where to look.

It seems the OTR protocol works around that, as I think the messages are not stored indefinitely like with PGP:


Wanna bet there is an exclusion for legislators in the bill?

Just like they get their own pass for the TSA at airports.

" ... two legs better."

Yay to the EU Safe Harbour. Oh no wait a minute.

This is why we host all our stuff ourselves in a UK DC. Snooping legislation is crazy in the land of the free

In UK you can go to jail for not remembering your password. There's nothing to "yay".

> A 19-year old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer.


"Forgetting" the password to files comprising the entirety of evidence pertaining to the investigation of a crime is hardly the same as being jailed for forgetting an arbitrary password.

It looks the same to me. If the "files comprising the entirety of evidence" are what's encrypted, then there is no case unless and until they decrypt them. What's to stop them from jailing anyone they want who can't/won't decrypt everything on their computer at demand? This is exactly how police states operate.

A police state doesn't require evil intent. On the contrary, each one starts out with the BEST of intentions.

Hasn't UK just passed an outrageous snooping bill recently?

Yes but we're still protected by DPA and European data protection law.

What does that mean exactly? Why would they pass it if that were true?

It means that if it happens or is required then due process is followed and information is available to us.

However those who do nefarious things certainly don't do email.

The writing on the wall was visible to the Australian government as well, which chanced free trade agreements to keep things local.

How is Australia these days?

The land of the free? Whoever told you that is your enemy.

It's time for more encryption, at least for anything we store in "the cloud".

I wish there was a router that could automagically handle encryption. This way even grandma could plug in her "freedom box" behind her router and have secure communications. Maybe a simple web based admin page to manage configuration.

Would love to see this, i.e. some open source box, that just handles OpenVPN and TrueCrypt for the local network. As an idea it sounds not that overtly complex to realize - just hoping somebody will take something like this one day on Kickstarter.

That sounds very hard. How does it know to encrypt my Google docs, but not my public tweets?

Specifically encryption using your own key that you never transmit to a third party/your cloud provider.

I'm hoping web crypto will solve this, but only if the e-mail and storage service providers offer the option in an intuitive way, and I don't think the big ones like Google and Microsoft will want to do that unless we all demand it. It's also not going to be a finished draft until 2014, so we have to wait a little more.


Web crypto will never solve this, especially not when provided by a big company like Google/MSFT. They'll always have provisions to make the unencrypted version available to authorities. You can only trust client side encryption.

Yes, that's what I meant. Implement web crypto and allow the user to use his own encryption key. So nobody but you and the recipient can access it (unless they can crack it, of course).

If you do that "the cloud" can do nothing with that data. You wouldn't be able to search your gmail account without storing it all offline unencrypted. The only cloud service that just about works with encryption is backup.

Not necessarily... My pitiably incomplete understanding of something called "fully homomorphic encryption" is that it offers the possibility of letting someone else do operations (math, search, etc) on your encrypted data, giving you useful results, without them ever actually seeing the plaintext data.

My understanding is that this is still in the experimental stage.

My understanding of encryption is probably no more complete than yours, but any operation that can give me useful search results necessarily reveals a lot about the content. That's the point of search after all.

Because nothing says freedom like regulators from the OSHA and SEC warrantlessly reading your drunk messages.

"At the moment, Internet users enjoy more privacy rights if they store data on their hard drives or under their mattresses, a legal hiccup that the companies fear could slow the shift to cloud-based services unless the law is changed to be more privacy-protective."

It's not really a legal hiccup. Let's rewrite it without the editorializing:

"At the moment, Internet users enjoy more privacy rights if they keep their data private than if they share their data with non-governmental third parties..."

If you tell me you're planning to kill someone, the FBI doesn't need a search warrant to get me to testify about what you said. A subpoena will do. Why should it be different if you tell Google you're planning on killing someone, by storing "Killing Someone Plans.doc" on their servers in plain text?

> Why should it be different if you tell Google you're planning on killing someone, by storing "Killing Someone Plans.doc" on their servers in plain text?

Because there's an expectation of privacy when you store information with password protection.


What if I print out the document in plain English and store it in a safe-deposit box? I'd say that's a more apt comparison.

Metaphors are not helpful for understanding this sort of issue. It's a bit like and a bit not like all kinds of things, and isn't exactly enough like anything else.

I agree you don't need metaphors, but not because it's not like anything, rather because it's too simple to need a metaphor: If you give something, anything, to a third party to handle or keep, the government can't demand to go and look at it without a warrant.

The government can't demand to go look in your safety deposit box, it can't get your library check out records, it can't see how many airline miles you have, it can't read the mail in your PO box etc etc without a warrant. Of course, in some of those cases, the third party will cooperate without a warrant, but they're not required to.

This is troubling. Anyone have advice for who to contact about this? (Should I look up my senator, congresspeople, both?)

Contact your senators. Here's a handy search site: http://whoismyrepresentative.com/


I think this is a great idea - making people aware of this assault on rights is the best possible course of action, at this point

Sorry, on a plane and somehow deleted former post with iPad. Anyway, I'm still serious about getting former profs/legal scholars involved in a podcast setting, hn members with insight to how it will have a deleterious effect on tech progress (the cloud) and launching a fierce social media campaign from it.

A lot of people wonder why Americans aren't more outraged about the increasing number of fascist laws being passed in the US.

The obvious answer is that too many Americans no longer believe in the basic rights to property and privacy. The civil liberty wing of the Democrat party has also been completely destroyed. It's not just the policy makers - it's the American people that are at fault. It's their sense of life, ideas and culture that is bankrupt.

Which Senator's staffs rewrote the bill?

From the article, I read it's Leahy's:

"CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans' e-mail, is scheduled for next week."

not to suggest anything to anyone but just think how crazy it would be to get to know his personal or official email address and sign him up here and there for some questionable websites, like piratebay emailing list, hackers emailing list, perhaps some lists for kkk etc. Sorry to drop it here BUT just the dark side of me is waking up in the light of this news...

Won't work, is morally wrong, will get you in trouble, and will change the story to something that helps the bill get passed.

I wonder if any HN'ers are in Vermont?

Hi, I'm in Vermont!

I've always voted against Leahy, but I have almost no hope in voting him out. I think the last incumbent US Senator from Vermont to lose re-election was Luke Poland in 1867.

Which Senator's lobbyists rewrote that bill? ftfy

Yep, someone lobbied and it might not be an actual lobbyist, but a government agency. Regardless, some Senator or Senators is responsible for the rewrite.

We need to know which ones did it. How it was done or who they took direction from is irrelevant. One or more Senators signed off on this.

We need the photos they had of him during their "lobby."


Bye cloud, we hardly knew ye.

Hello encryption, we've needed ye all along.

It's extraordinarily trivial for the Feds to then outlaw the use of encryption (in any given convenient manner) if it were to ever become a problem. Or, eg simply require that all encrypted data be unencrypted upon request by any law enforcement (or else 20 years in prison).

Encryption solves absolutely nothing unless you're physically outside of the US.

The only way to deal with what's happening is to peacefully dismantle the monster in DC through voting (good luck of course). You can't have a government the size of the US, without it becoming totalitarian and destroying civil liberties - there's nothing else for something that big to do.

Client-side encryption solves everything until they make it illegal, which is a very big and very clear step that they have not made. And if you're not encrypting it yourself, you shouldn't consider it encrypted, period.

Some of us have observed that the cloud was a stupid idea from the beginning. All the cloud should be is an encrypted data service for locally run and stored programs, without anyone but you having access to the data in unencrypted form.

You are probably one of the last bastions of common sense. Everyone is eager to sell out their data.

And why would lawmakers be intimidated by encryption? They could just force you to decrypt whenever one of those agencies asks for it and punish you with lengthy jail terms if you refuse.

If everyone used encryption, and they started doing this, we could at least get rid of the facade of "we are not attempting to pool power in a way that will lead to a police state." It would be a bald-faced power-play.

Exactly. It means the pretense evaporates, and that the sheep wake up.

I mean, if some government agent rifles through their stuff in the cloud, the sheep don't care. But if they knock on the sheep's door and do it, then the sheep is going to get angry, if he's innocent.

At least if they had to force you to decrypt, you would know that they had access to your data and they couldn't read it secretly. Also, forcing you to decrypt something would presumably require an order from a judge, which would presumably require the police to show probable cause.

I don't see why all those presumptions shouldn't be true for accessing unencrypted email. But maybe you're right that more traditional ways of storing files would lead to more traditional interpretations of the law.

I am just wondering, why the topic here is "senate bill rewrite", and not "Democratic Majority in the Senate wants to led feds read your e-mail without warrants".

Maybe it is just me, but the recent (absolutely justified) bashing of the GOP retraction the copyright policy paper makes me wonder, why negative GOP stories have always attached to the party name, while DEM stories are usually attributed to a single politician or the institution per se.




Let's not act like this is something new. Your rights to privacy have been gone for some time.

The point of privacy in public policy, or any other right for that matter, isn't that we get things right 100% of the time. We didn't suddenly give up on the idea of mass detention of people by race after we set up Japanese Internment Camps. We are going to get things wrong, regularly. Think of the Constitution and our civil liberty norms as an error correction code. At any one point in time, we'll have flipped numerous bits the wrong way; the point is that over time, the US is overall run in the fashion it was originally intended to run in.

I would really like to believe this. But the US is killing its own citizens without due process, according to secret lists. The emails, IMs, and whatever else that we send are being stored at the NSA facility in Utah. These are just bits that need to be flipped back the other way? What greater contradiction to the original ideas of the US could you imagine, and what progress do you see to correct them?

I think that was absolutely true for a very, very long time, ending sometime (±10 years) around the time that I was born (1983).

Call it an unrecoverable two-bit error, in your metaphor.

POST TO FACEBOOK AS: The Senate is voting on a law next week that will let employees from 22 different federal agencies eat your Twinkies whenever they feel like it!!!

You rascally government! Can we just cut the foreplay? Let's fire up the incinerators and form some orderly lines.


Problem solved.

Unfortunately not, encryption is simply a workaround.

The bill covers every user of email, but it's not hard to make the argument that neither GPG or PGP are correctly usable by every user of email.

Despite there being a technical workaround, it's simply a kludge; strong civil liberties need to be in place, with encryption simply augmenting them.

Dat personal responsibility. Isn't it great when purely technical solutions exist (for quite some time) to these problems?

Couldn't this mean a big hit to ALL american IT companies? I for one(brasilian) would move out of G-mail right off the bat, this bill probably means USA gets to snoop and mine data on anyone even if not an american citizen, possibly even if such thing is illegal in this person country...

I'd definitely consider abandoning plenty of USA-based services/business, use an alternative from some other place that has some regard for humanity, spread the word to people I know, maybe even making a living off of it

- "come to my service everyone, we're not .com!"

The short answer: absolutely

The relatively strong property rights and privacy laws that the US has enjoyed are being obliterated at warp speed (or more specifically, they're using the leap to digital as a means to bypass all the existing physical protections on the books, pretending none of it applies).

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact