Hacker News new | comments | show | ask | jobs | submit login
Panel seeks to fine tech companies for noncompliance with wiretap orders (washingtonpost.com)
81 points by gsibble 1423 days ago | hide | past | web | 49 comments | favorite



You'd think we would learn our lessons about sabotaging our infrastructure and software to enable easy LE wiretap access after the Olympics spying scandal in Athens when somebody discovered this back door and used it to spy on the Prime Minister plus a hundred other dignitaries such as the US Ambassador.

Wonder how this panel's decision will affect projects such as Textsecure and Redphone which were sadly sold to Twitter, and therefore under US jurisdiction to force backdoors into. Same goes for Phil Zimmerman's new service.


> Wonder how this panel's decision will affect projects such as Textsecure and Redphone

I say it is only a matter of time. The wheels are already turning in that direction. Just need a few terrorism/child porn high profile cases where someone on behalf of FBI will testify how they had to let the evil perpetrator go because encryption made it impossible to wiretap them -- and bam legislation will be out in no time.

Remember many countries make cryptography illegal and even in US exporting string cryptographic software was the same legally as exporting the designs for bombs and rockets. And ban and/or arm twisting fines are just around the corner I suspect.


People surprised by this probably ought to revisit the trap and trace requirements that the telcos have had in place for decades.

http://en.wikipedia.org/wiki/Communications_Assistance_for_L...


The legal framework was established in the 60's:

http://www.aarclibrary.org/publib/church/reports/book3/html/...


Excellent point. Which is why once we're done with ECPA reform— en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act — CALEA reform is next.

These laws /must/ be updated for modern usage.


People will have a really tough time complying with this. CALEA requires that the subject of the intercept not be made aware of intercepts being made. If a target can check that the IP of his peer and is own is public, by a side channel for example, and a 3rd party IP is still used for 'nat/firewall traversal' that is known not to be needed, then the game is up. As usual, you'll only catch the clueless.


I once set up a bridging firewall (using LEAF Bering) for a friend's business to control traffic invisibly (this wasn't for any nefarious purposes -- he really needed a firewall that didn't take up an IP number on his public network.)

Configuring it was a pain in the ass (you couldn't telnet/ssh into it because it had no IP number) but it worked very well and didn't show up in pings, traceroutes, or much of anything else.

You can do a lot at the frame layer.


I find it funny that because technology began in the simplest, unencrypted, analog formats that now the government expects the ability to wiretap anything with ease.


Not to mention the implicit idea that if something makes law enforcement's job easier, then it should be legally mandated.


That's a little disingenuous here -- "compliance" in this context means "able to comply." Currently, if a company is "unable to comply," that means they can't forward along whatever information is required by the warrant, and usually law enforcement backs off. The change here is that now they're starting to say "too bad, make it happen."

Law enforcement doesn't have a hand in the tech stacks of private companies. This isn't "making their job easier" -- in a lot of cases it's making their job possible.


Their job is to catch criminals, not to snoop, maybe it's worth mentioning. These are necessarily linked only when the talk itself is the crime.


That's a fairly extreme and frankly unrealistic generalization. Warrants (of any form) exist because of the need to gather evidence in cases; the existence of evidence isn't always a crime in and of itself but is used to support a case that a crime has occurred (or is going to occur).


The police do not need the cooperation of tech companies to gather evidence. Yes, CALEA made it easier to gather evidence, but the police did a fine enough job beforehand.

What you are ignoring is that this proposal, like CALEA, is really part of a very long chain of events that have led to ever greater police power. If you look at the history of law enforcement for the past 50 years, you see monotonic increases in the power of the police: the power to arrest people, the power to kill people (including the weapons the police carry), the power to conduct surveillance, the power to seize assets, etc. The reason we have the largest prison population on the planet is that we have ceded such vast power to the power to the police (and to prosecutors).

Unfortunately, there are a lot of ring-wing, law-and-order types in this country who see nothing wrong with this picture:

https://upload.wikimedia.org/wikipedia/commons/7/7c/San_Bern...


I'll reply to you and 'abecedarius in the same spot:

The problem arises when critical evidence exists only in the infrastructure of some private company. If a case hinges on a fact that is proven only by information that is in the hands of, e.g., Verizon, then yes, law enforcement requires the cooperation of that tech company to gather evidence.

>but the police did a fine enough job beforehand

Beforehand? The police did a fine enough job gathering evidence before technology leapfrogged ahead of them? Sure, they did. Then they sought to adapt our laws to the advancements that we've made. You see power creep in law enforcement; I see power creep in everybody.


"If a case hinges on a fact that is proven only by information that is in the hands of, e.g., Verizon, then yes, law enforcement requires the cooperation of that tech company to gather evidence."

...and if the company lacks that evidence because the police took too long to ask for it, then the case falls apart. So what? Our justice system is not meant to minimize the number of false negatives, it is meant to minimize the number of false positives.

"The police did a fine enough job gathering evidence before technology leapfrogged ahead of them?"

Read the context; the police did a fine enough job of gathering wiretap evidence before CALEA. The phone had been around and in common use for decades before CALEA, and even in the years leading up to CALEA the police had gathered enormous amounts of evidence from wiretaps and pen registers. It was just harder, because prior to CALEA the police had to actually step away from their desks and install a machine to perform a wiretap -- how terribly inconvenient!

"You see power creep in law enforcement; I see power creep in everybody."

Only if you ignore the fact that the police are more powerful today than they were when our parents were growing up. You are not witnessing power creep, you are witnessing a possible minute change in the balance of power between people and the government. Instead of calling up a phone company and demanding a wiretap, the police might have to show up in a data center with a rack-mountable interception device, in the worst case.


It was just harder, because prior to CALEA the police had to ... install a machine to perform a wiretap

Good point. Let's say you're a company like Facebook and the feds come to you with a warrant; would you rather service that warrant yourself (CALEA style) or have them install a Carnivore inside your data center? Which one do you think is going to do more damage?


Sure, Facebook would rather service the warrant themselves than have cops in their datacenter. So what? Let them create a system for working with the police if they are concerned about it.

Consider this problem: if you are running a Tor relay, would you want to be forced to keep logs and make your system readily-accessible to law enforcement agencies? If you use Tor, do you want your circuits to have nodes with special backdoors built in? Do you want to see Tor, Freenet, proxy server and remailer operators put in legal danger or pushed out of the United States?


I agree that snooping can support a case; I denied your claim that it's necessary.


Snooping without a warrant is definitely not needed in most criminal cases I've read about. Seems to me law enforcement will just approach these people in person as informants and sell them fake bombs, or get them to talk about importing drugs or something else illegal and it's game over. No wiretap needed


"Law enforcement doesn't have a hand in the tech stacks of private companies."

For good reason, because if a private company was busy bending over backwards for law enforcement through mounds of code that already works for their needs with their investor/own capital taking time away of providing/improving something useful to their target users, they wouldn't be in business for long.


Aha, bingo, that is why big companies love that. It kills the smaller, more agile competitors. Big monopolies will just pass this right through to the customers. As long as customers don't have an option to use a non-American carrier they have not choice.


I know, pulling over for flashing lights and sirens, what BS is that?

Seriously though, it often makes sense to build in affordances for enforcement. We may not agree what laws exist, but if they're going to be enforced, they should be enforced uniformly and efficiently.


You're assuming that the laws should always be enforced. Remember that governments, even governments that are wealthy and technologically advanced do go crazy and engage in genocide against their subjects under color of law. It has happened before, it could happen here.

I'll tell you what; we can discuss broad based mandatory surveillance capabilities AFTER the US Government lives up to it's treaty obligations under the International Convention Against Torture [1], and prosecutes those Government Officials who authorized, engineered and abetted a torture regime during the past 2 decades.

1. http://en.wikisource.org/wiki/Convention_against_Torture


Laws should always be enforced. Prosecutors that are ignoring the law need to be removed.

It has happened here, ask a native american.

Throwing up an arbitrary, "here's something I don't like, we can make no progress till you fix it" is a tactic to avoid the issue.


>Laws should always be enforced.

That's rather naive. We need to fix a lot of laws before we could do that because:

1. It's not unheard of for laws to be contradictory in some circumstances, or just outright contradictory.

2. Do you really want everyone to be automatically ticketed for jaywalking?

Laws were written with policemen's, and the court's discretion in mind, whether you want to believe that or not, and switching to an automatic always on enforcement mode would be oppressing in the extreme.


I've always been uncomfortable with one set of written rules that doesn't really matter, and another secret set of unwritten rules that actually matters.

If some cab driver gets a ticket from a speed camera becasue he's rushing to get a pregnant woman to the hospital, i've got no problem letting that ticket go - that should be an easy and painless process as well.

It often seems that discretion is used to protect the powerful from any consequence. Yeah, i'd rather err on the side of everybody gets a day in court.

edit

Explicitly, i think laws should say what they actually mean. If jaywalking is sometimes ok, write that down somewhere so we don't have to argue about it.


>Explicitly, i think laws should say what they actually mean.

Just to be clear, I agree with you. I was pointing out the way I think things are and probably will continue to be.

>It often seems that discretion is used to protect the powerful from any consequence.

It does seem to have that effect.

>Yeah, i'd rather err on the side of everybody gets a day in court.

That, in itself is another freebie to the wealthy and well-connected. In Texas it is almost always possible to get a traffic citation dismissed by showing up in court with an attorney that specializes in such things. Or, if you're a working stiff, who has no more days off, you can plead no contest and pay the citation with a credit card. Cost is about the same in my experience (minus the day off).


"Laws should always be enforced."

Like the laws that made slavery legal on US soil?

Like the laws that mandate jews business ilegal, made them move to ghettos and finally to concentration camps in Germany?

The laws that expropriated private property on Russia, made agriculture collapse and people nearly starve? Same thing in Cuba not long ago.

Like laws that make intellectual property common ideas like software patents and make small developers servants of the big entities?


No, we should not enforce laws efficiently, because that weakens the protection against tyranny. We want law enforcement agencies to have to jump through hoops so that tyrannical and oppressive laws are hard to enforce. The reason the US government is so inefficiently organized is to thwart the establishment of tyranny. Yes, it means that people who creep us out, who are "obviously" guilty, and whom we personally want to punish will continue to walk free. As H. L. Mencken famously said,

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."


I dunno. i think that's the kind of thinking that pushed the cost to defend against a federal case up to 1.5 million.

I'm not advocating we just throw people who might be guilty in jail. Everybody deserves their day in court. I think you'd be hard pressed to find someone (who's not directly involved in something horrible - father of a murdered child, etc) that disagrees with getting a fair trial.

For example, i'm a big fan of red light cameras. I hate them, but the blind uniform enforcement is great. Doesn't matter if you're a cop, or an important business man, or late for school. You break the law, you pay your ticket and move on.

Laws are for cases where it's hard to get everyone to agree in the heat of the moment, that's why we write them down beforehand. Arguing about Alice killing Bob is different from arguing about Alice buying a car from Bob. It's still a negotiation, but adding some special cases so everyone gets all the facts doesn't seem wrong. Remember, the prosecution still has to turn all that stuff over.


"I think you'd be hard pressed to find someone (who's not directly involved in something horrible - father of a murdered child, etc) that disagrees with getting a fair trial."

I am pretty sure your local district attorney would disagree. The majority of prisoners in America -- the overwhelming majority -- did not have a trial and took a plea deal instead. A standard prosecutor tactic is to make the list of charges as long and extensive as possible, to pressure the defendant into a guilty plea. It has been suggested that if everyone were to refuse a plea deal and demand a jury trial, the justice system would be completely overwhelmed and unable to handle the load.

"For example, i'm a big fan of red light cameras. I hate them, but the blind uniform enforcement is great. Doesn't matter if you're a cop, or an important business man, or late for school. You break the law, you pay your ticket and move on."

I had not thought of that, but it is a perfect example of why we do not want law enforcement to become too efficient:

http://www.marketplace.org/topics/life/shorter-yellow-lights...


Is the district attorney's opinion because of your strategy to make everything expensive?

We build other systems that are very complex, explicit and efficient. Less prosecutor discretion, and more adaptive law seems better than making trial costs spiral out of control.

Yes, and yellow light timing isn't contentious at all, is it? It's almost like perfect enforcement of stupid laws gets those laws modified to not be stupid. But whatever, i'm sure your way is good too.


It's not clear to me that the more difficult-to-enforce laws are also the more tyrannical. Examples - tyrannical but easy to enforce: "private citizens must allow soldiers to stay in their houses and eat their food". Hard to enforce but not tyrannical: "don't have sex with people against their will".


That is a different kind of difficulty. What I am talking about are the deliberate obstacles to law enforcement and other government functions in the United States. There is an easier example than quartering soldiers: search warrants. It is easy for the police to search a home; it is hard for the police to get permission to do so.

The purpose of these obstacles is to make law enforcement difficult in general, so that tyranny is harder to establish. By forcing the police to work hard, we force them to prioritize the laws they will enforce. It would be hard for the government to justify enforcing some oppressive law while letting murderers walk free; it is less difficult to justify ignoring an oppressive law because the police were too busy tracking down murderers.


Jumping through hoops -- a system of checks and balances -- is fine and good.

When those checks and balances check out, so to speak, I want my law enforcement agencies able to do their job efficiently. This is a case of making that process -- the post-warrant process, after checks and balances have played out -- easier.


One would think that the police are already able to do their jobs efficiently, since we have the largest prison population on this planet. What this proposal is about is making it easier for the police to gather evidence, because as we all know, leaving their desks and actually working to catch criminals is just asking too much of them. It is precisely the same argument that was made for CALEA: demanding that the police actually go into the field and attach wiretapping equipment to phone lines is making it too hard to catch criminals, so we "must" make it possible to execute wiretap orders without even leaving their chair.

The checks and balances are weakened every time we make the police "more efficient." Again, the point of making the government, police included, inefficient is to thwart those who would try to establish oppressive systems. Making the police more efficient makes it easier for unjust laws to be passed and enforced.


Meh, i think it's more about having to many stupid laws. Lying to a federal agent is 5 years, even if you don't know they're a federal agent? that's madness.

I think your approach of making everything hard, really just makes government expensive. The flip side, looking for fewer and more specific crimes frees up a bunch of resources to do the job well.


"Meh, i think it's more about having to many stupid laws. Lying to a federal agent is 5 years, even if you don't know they're a federal agent? that's madness."

Sure, but such laws must be enforceable, and they must be enforceable with the resources available to law enforcement agencies. We have a lot of stupid laws, but over the period of time where those lose were passed we also increased the power and authority of the police.

"I think your approach of making everything hard, really just makes government expensive."

Thus making it accountable to the citizens, as those expenses must be paid for with tax money (or debt, which is just a way to postpone tax collection). Eventually people start to complain about the poor funding for education, healthcare, parks, and other things. Eventually, the limited tolerance people have for government spending begins to catch up with law enforcement (though we are nowhere near that point).

Of course, for the past few decades, we have taken the alternative approach: prioritizing law enforcement over civil rights and reducing or eliminating the obstacles to law enforcement.


Pulling over for flashing lights and sirens is one thing.

But building a bridge out of the way of your own infrastructure with your own/investor capital so only flashing lights and sirens can cross it is another (god forbid the other parties involved use the same bridge).

Why don't law enforcement agencies build their own social networks and email clients that people want to use?


They have 2 problems (and they somewhat conflict with each other). They _need_ strong, quality encryption to use it themselves. NSA advises and certifies on picking correct algorithms, with right sized keys on particular hardware, certified using this and that certificate (FIPS 140-2) and so on, when it comes to what government agencies should be using to keep their secrets safe. BUT at the same time they want everyone else to use something that is crack-able, traceable and easily controllable by them.

Their wet dream is key escrow, something like "You can use your strong 2048 bit keys but please be kind enough first to send it to the NSA for escrow storage".


The Coming War on General Purpose Computation http://craphound.com/?p=3817


A good starting place to think about the CALEA system (besides, as other comments mention, looking at CALEA itself) is this paper from Matt Blaze and his students: http://www.crypto.com/blog/calea_weaknesses/

Also interesting is Steve Bellovin et al.'s excellent report on security implications of extending CALEA to VoIP: https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf Steve Bellovin is now the FTC's Chief Technologist and spends his days trying to bring technical sanity to the government in various ways.


So companies will have to build in "wiretap friendly" monitoring capabilities into their products in order to facilitate regulatory compliance? Is the government going to subsidize the cost of developing this stuff? Aside from how insidious the requirement seems from a privacy standpoint, it seems to place undue economic burden on businesses from a compliance standpoint.


1984... "Freedom is Slavery!" "War is Peace!"


I can see why there's a demand for a P2P/distributed routing for voice/video services to get around this as they would require working with multiple ISPs at the least and at most involve some sort of end-to-end encryption.

Wonder if it's possible to implement something like Tor for VoIP.


I think the hard part about doing Tor for VoIP would be latency. It would be pretty difficult to have a voice conversation with the sort of latency you'd get from bouncing a connection through a bunch of volunteer computers.


Good point. It may make more sense to initiate a connection via multiple routes (node discovery) and then direct-connect securely. Of course that won't prevent anyone eavesdropping of knowing where the call is going, just keep them from knowing what they were talking about.


I like how fines will double each day if left unpaid. Within a few months, the fine will be much much higher than all money in existence.


And now I can write a simple greasemonkey script that can encrypt the text send to facebook chat and the other side decrypting it. We just need to be able to exchange keys by other channels - not hard at all.

And on any device with root you can install driver that encrypts the mic signal.

So instead of terrorists we will have technology literate terrorists.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: