Their main mission nowadays is to stop terrorism, etc... I I think that when they look at this rationally they believe are better served by being able to access these conversations.
The article theorizes that people with data to hide will use encryption, or otherwise would be so stupid, that one can find them easily in any case. In the real world a lot of these cases are broken on a "lucky" break or two. Someone improperly or not using their encryption software once, for example.
I think it seems foolish to accuse them of being dumb, evil, or incompetent. Given the stakes they deal with, and the amount of data they have to sift through, I think its very reasonable that they try to reduce the amount of work they need to do to find credible leads. And I'm sure they try to institute methods to minimize abuse, but I'm sure they are also aware that some abuse will happen.
While some of this feels like it may cross the line, I think it's a line that a rationale organization, with their mission, should push against.
I say actively oppose innovation, because I've seen people told to get in line and shut up when speaking out about how to make processes better. This attitude mostly comes from a culture of "special agents" who are their own cool kid club. Imagine a bunch of movie-stereotypical dumb jocks. Now imagine them in front of a computer. FBI.
The most egregious of technological sins I witnessed was when we told the FBI that if they appended a row id to the scattered data they were sending us, that it would literally save on the order of 10 million dollars a year in people not having to manually input things, but being able to parse the data out. Their engineers came back and told us that it was not technologically possible. I said that not knowing their systems, what languages they were using to program the database, or even the database structure itself, give me one hour in the code and I will make it happen. Let's just say that didn't go over well.
Imagine a world where every phone call, email, chat, forum post, etc is fully anonymous or indecipherable to law enforcement. And imagine your loved one has been abducted and law enforcement has no tools for finding those responsible.
There are many kinds of dystopias. Big Brother is one. Rule by competing gangs is another. We're shooting for some compromise where both individuals and society's rights are balanced.
So somehow, these abductors managed to leave no physical evidence at all and no witnesses? What does communication privacy have to do with that?
There was once a time in this country when communications could be anonymous -- when law enforcement agencies did not have easy wiretapping access. We still managed to prosecute criminals then. Yes, sometimes criminals got away with their crimes, but that is what striking a balance is all about. The FBI is not trying to strike a balance with this proposal, they are trying to shift the balance in their favor.
Federal authorities always had wiretapping powers pursuant to a warrant. If you mean before that, it was also a time when limited communications forced more visible means of coordination. Consider the difference between planning a crime in a shady corner of a restaurant, with potential witnesses, versus doing the same in an electronic chat room with no ability to capture the communications, even pursuant to a warrant.
I am not sure I see the difference. On the one hand, you have two people who likely have a legitimate reason to meet at a restaurant speaking quietly to each other. On the other, you have two people with a legitimate reason to have an Internet connection using it to communicate. There is a matter of distance I suppose, but so what? Postal mail has always allowed people to communicate at a distance, and it has always allowed anonymous senders.
Why not require all restaurants to record their customers' conversations, just in case the FBI needs to investigate it later on (with a requirement for a warrant, of course)? The same reasoning applies to this FBI push for expanded wiretapping power.
The focus of privacy activists is in my opinion misplaced. People want an internet that's never monitored, never recorded, never wire-tappable. That's never going to happen, nor is it apparent that it's desirable. What we want is something that preserves the scope of investigative powers that have historically existed with the telephone system. That means robust protections against warrantless wiretaps, but also an effective way of getting access to information pursuant to court-authorized warrants.
Even with a restaurant, you're relying on someone present giving evidence to law enforcement. That works just the same with encryption -- if you have an encrypted chat room with five people and one of the participants sends the logs to the FBI (or is an undercover agent), the FBI will have the logs. If no one does, the FBI will not, which is the same as it is when co-conspirators meet in a restaurant.
>That means robust protections against warrantless wiretaps, but also an effective way of getting access to information pursuant to court-authorized warrants.
The FBI has plenty of tools available. Even if data is encrypted, law enforcement agents with a warrant would still be able to obtain information from ISPs as to who is communicating and when. In the most serious cases trotted out to justify new powers, the FBI can install a listening device or put a trojan on the suspect's communications device.
The way to strike the right balance here is to make wiretapping extremely technologically difficult but not impossible. That makes it very hard for criminals or anyone without government-level resources, and makes it very difficult for governments to engage in unjustifiable dragnet surveillance of innocent people, while still allowing governments to capture the communications of suspects in the rare and most serious cases where the existing evidence justifies that extraordinary level of invasion into the private communications of citizens.
The post office does allow anonymous senders, but not receivers. Mail can be intercepted, although evidence of tampering maybe harder to conceal.
Which doesn't mean it's not a dystopia.
> We live largely under rule by competing gangs
No, not for any useful definition of the word 'gang'.
Every time a wiretap is executed, there should be some sort of public notice. It should be automatic and only suppressed if the investigation is ongoing and only with a judges approval.
Would that make everyone happy? Obviously there are tons of edge-cases, but those would have to be ironed out as they are revealed, just like anything else.
We have major issues to overcome with keeping those in power honest and free of corruption, but like you said, it's hard.
I don't doubt that FBI believe that total surveillance and complete control over every move that their citizen do is useful to data mine. However, the article question such logic because of the social impact that total surveillance has on society, criminals and innocents.
And this article is not alone on that aspect. The Swedish secret police had similar objections when the military suggested introducing such surveillance in Sweden. Their primary objection was that ubiquitous surveillance pushed criminals and innocents alike to darknets and encryption, which would then make their job harder (through, after they got a slice of the surveillance pie, they have now become very silent on the subject). I guess the police would have similar objection, however they are also getting a slice soon.
In the mean time, we can actually see in real-time the effects on society, like hot-lines being called less, people avoiding calling priest/lawyer and so on. Germany has some direct statistics since they introduced the surveillance several years before Sweden. I guess we will have to wait for hot-lines being added to tor hidden services before people feel comfortable again with talking with a stranger about suspected child abuses or domestic abuse. Criminals will as suggested move to more encrypted routes. Botnet distributors can get an increased slice in facilitating secure communication, and the military, secret police, and to a degree, the regular police can catch those too slow to follow the technology change.
Is this a dumb, evil, or just incompetent change to society?
That doesn't mean bad things won't happen, just that you have people "trying to do their jobs" who aren't thinking about fundamental liberties. Get a few million of these ants together and they end up in all aspects of your life, much like real ants. In most cases, the best you can hope for is benign mediocrity.
When counted as individuals, it's the infinitesimal minority that reach to greatness or descend to horror.
The article also does not mention something obvious, the FBI does not have earth-wide jurisdiction, moving to a "chat" or operating system hosted and built in another country is already available in many forms.
So they will encroach upon your freedom and throw your culture into the garbage to catch a bunch of dummies.
Sure, FBI are not evil or anything but even one abuse is too much. Government agencies are build to act according to the status quo.
What if the government is not perfect and there are people trying to change something but the government in power is opposing it. Ending the slavery, ending the Vietnam war, gay rights or any movement with an opposition in Washington could have been destroyed with the power that FBI is seeking. The recent decriminalization of drugs in some states could have been prevented if FBI had this power of intercepting all communications. People must have means to challenge the government with non-violent actions. Just because FBI may catch some terrorists is not good enough reason to give them all the means to preserve the status quo. I am not even talking about individual abuses that may occur, compared to society engineering, they are not that important anyway.
The resources spent on combating terrorism are vastly disproportionate to the threat presented. The FBI may see this as the best way to combat terrorism, but it's an unworthy goal, and it's bad for them to potentially cause so much damage in pursuit of it.
Maybe another alternative should be presented: "solving the wrong problem."
I mean, sure, an organization with Mission X can go about that mission in variety of ways. It's like the sci-fi movies about a God-like-AI "solving" society's problems. Stop crime in New York City? Easy, just encase every resident in three inches of plastic? Makes sense "from their point of view".
And the fact is that the deaths and mayhem from terrorism haven't exceed deaths and mayhem from many other sources. Thus preempting everything to fight terrorism is not actually logical for us as a society and has not, so far, been particularly positive in its effects.
Anyone could have predicted that something like the Google hack was going to happen. I also seem to remember that there was a similar incident involving the cellphone network in Greece.
"Trevor Timm: Well, yeah. They’ve been complaining about this “Going Dark” problem for years now and we’ve never really seen any actual evidence that this actually exists. The FBI or the DOJ has to report the number of times they run into encryption when they ask for surveillance. Every year they have to report back how many times they ultimately couldn’t get the information they sought; the number is always 0—for the last 11 years."
He shared this on twitter a while ago: https://twitter.com/trevortimm/status/331985318620327936
We already have the largest prison population in the world. There is no pressing need to expand it.
I was trying to do this by piping the output of my webcam to openssl and then to netcat, which sends the packets to a publicly addressable server (Amazon instance) that relays the encrypted packets to another computer behind a firewall, that decrypts the video stream and plays it in MPlayer. It works, but the latency is about 10 seconds. To reduce the latency, I could delta-encode the video stream, leverage the GPU somehow, but I'm not sure how to get the latency down to the 200ms required for seamless conversation. Also, it should be noted that there is little code behind this, mainly just unix utilities and pipes.
PS: Also I could remove the Amazon piece and forge a direct P2P connection using NAT hole punching if the routers on both ends permit, but this is not always reliable and isn't a huge source of latency.
Jitsi claims to. ( http://www.jitsi.org )
To avoid intermediaries you'd have to run your own Flash server (e.g. Red5) though.
Your comment pisses on every person who ever went to school to study criminal law, many of whom did so for noble or at least neutral reasons.
Unless you are doing this:
It is not as though this is some kind of new, unprecedented behavior either:
So let's say a young man is thinking about joining the FBI; he wants to do good for the world, maybe help catch a serial killer or take down a child abuse group. How does he know he will not be asked to conduct surveillance on an anti-war group? How does he know he will not be asked to dig up some dirt on a civil rights leader?
This "honorable profession" you are defending has always had a dark side.
The "Stanford Prison Experiment" is a good example of this phenomenon: http://www.thoughtcrime.org/blog/career-advice/
I would absolutely hate the USA to go the way of Russia, USSR, China or many others. Unfortunately we are headed in that direction.
Yeah right, and bittorrent is mainly used for distributing Debian ISOs.
I'm against government surveillance, but your statement is way too broad.
Only one reason? Really? You don't think anybody goes into law enforcement to protect others, curb violence, and generally do good for the world?
I doubt you'd want your profession to be slandered so casually.
Would you like the authority and power to prevent women from being raped? Would you like the power to vote to implement laws equalizing 'rights', such as same-sex marriages?
I see 'power' as 'the ability to realize my will' and I think you're extending it to 'power over other people,' which does imply that, at some point, it will conflict with someone's legitimate (not saying who is to decide what is legitimate) pursuit of well-being.
I think perhaps we also disagree on the definition of 'evil', but I'm not interested in debating this online. This discussion requires beers and scarred wooden furniture. :-)
Anecdotal, but the FBI's first web site was hosted by a NASA machine. I think the FBI was traditionally an IBM shop, and mainframes and the web didn't work well together at first.
In more verifiable evidence of incompetence, there's the Virtual Case File epic fail (http://www.washingtonpost.com/wp-dyn/content/article/2006/08... just one of many articles about it) followed by a minor debacle in Sentinel (http://www.pcmag.com/article2/0,2817,2407922,00.asp)
This push to "stop terror" via reading the general public's email/chats/etc. seems more like Big Bro and less like a viable method to stop the next 9-11. Sure, the bros from Boston weren't exactly sophisticated, but I find it hard to believe nobody in Al Qaeda knows how to use PGP.
Still, I'm voting for incompetent. If they want to know what kind of porno we all like, fine.
I think you mean that it is hard to factor the product of two primes, factoring primes is pretty easy regardless their size.
Depends on what you mean by this... There are no practical systems which will do so. But the reason why quantum computing became interesting was because of Shor's work showing that they can factor large primes quickly (in theory).
... that we know of. The intelligence community has secretly outpaced the rest of the world in computing, cryptography and cryptanalysis before.
There are very hard fundamental physics problems with quantum computing. IANAexpert, but as I understand it, the difficulty lies in closing off the system (cold atoms, what have you) you're using to do the computation from the outside world, while you're doing the computation. Any contact (up to a very, very low limit), and you smear ("decohere") the computation so that the output will be in essence noise---not what we want at all. One can approach this as (in some sense) an engineering/experiment problem and try to limit contact with the outside world, or as a theory problem and try to come up with a system that inherently resists problematic contact with the outside world (topological quantum computation, https://en.wikipedia.org/wiki/Topological_quantum_computer), comes to my mind).
So we're dealing with a physics problem: either the gloriously messy, difficult work of experiment, trying to track down and eliminate sources of decoherence, or the theoretical work of finding an appropriate system (and then figuring out how to implement it).
Both of these are far from the core competencies of the NSA, as I understand them (not that I have any real information---just an impression based on way to much time spent reading Hacker News :-) ). As you say, NSA is (perceived as) very, very good and far ahead of the community at computing, cryptography, and cryptanalysis. The problem is, this is not a computing problem, it's a physics problem.
One possibilty, though, is that the NSA has figured out some way to use something like the D-Wave quantum computer (which I am ridiculously far from understanding, but you might recall Scott Aaronson's blog post on the subject not too long ago) to factor large primes---that is to say, to transform prime factorization into the D-Wave problem. At a gut level, I find this much more plausible than that the NSA has independently built a quantum computer: that sort of problem-transformation is much more the kind of math that I feel the NSA would be good at, or be able to become good at very quickly.
Much more cheaper and practical approach is for them than to try to outpace and outspend everyone else combined is to stockpile on zero day exploits which can be used when needed.
OK, you're in charge of the FBI now. There are tens of thousands of public events today in tens of thousand of venues.
Protect them all. Go.
"Find the person who committed crime X" is more like your surgery example: a task law enforcement can often accomplish. "Protect everyone all the time" is as impossible for law enforcement as "grant immortality" is for doctors.
Letting anything through should simply result in the leaders going to the electric chair.
My, you have high standards. I hope you've never released a bug. Every line of code is available for your inspection and behaves deterministically. Unlike, say, people, who are nearly uncountable, much less predictable, much less controllable.
To avoid letting anything through would require being omniscient and omnipotent.
Please at least try to give others the benefit of the doubt that you'd like them to give you.
I mean, it's pretty easy to monitor Quaker anti-war activists: they do everything publically and invite participation politely. No agency needs wiretap access to monitor them. So, who are they going to monitor with this?
If your political or religious views are or become unpopular, how much power to monitor, control and punish you do you want government organizations to have? How much oversight do you want for them?
I think the author under-estimates the difficultly of catching criminals.
The bigger problem is not 'catching' them, but prosecuting them effectively. This requires prioritization of limited resources based on severity of offense, availability of sufficient evidence, and difficulty of prosecution. The last is ugly because it's almost directly economic, in that the ability to afford legal counsel creates some level of inequality.
The fact that they do not give a shit about you and your data (and why should they?).
If you want your data to be encrypted, you have to do it at your end. PGP has shown exactly how much people really care about keeping their communication private if it requires even a minuscule amount of effort.
In theory, nothing. In practice, creating tension with the FBI and DoJ who may then decide to investigate or prosecute them for entirely unrelated things that would otherwise not have been investigated or prosecuted, etc.
They have a choice between doing the Right Thing and doing the Easy Thing. We'll know what they choose soon enough.
I once had a job that involved investigations of criminal activity (not law enforcement or government related, just a company protecting its own users and employees).
In this case, I had identified, with certainty, one individual that was engaging in significant fraud. He appeared to have several accounts, and it was appearing highly likely that he had a few accomplices.
During the investigation, I was fully willing to violate everyone's privacy to find everyone in the fraud network. This included data that was already submitted voluntarily, private communications, as well as embedding tracking objects and invisible flash objects to retrieve IP addresses of users surfing behind proxies (this used to be an effective way to unmask users). I didn't have a second thought about it. Why would I? I didn't care what the legitimate users were doing, wasn't going to stalk them, wasn't going to pay any attention to their personal affairs. But, to weed out this problem effectively, I needed to sweep everything. I'm trustworthy, just doing my job, and I certainly trust myself enough to disregard or ignore information that wasn't pertinent.
After being entrenched in the investigation, I had a fairly exhaustive list of the bad actors. Initially this was just basic hard data, (such as correlating IP addresses), but then there was kind of a "sixth sense" that I also started relying on, where I couldn't articulate the signal, but some behavioral cues just felt like they were related. You know, "gut instinct". So I ended up digging into those accounts, and confirmation bias took over. I did find many more bad actors, but I was thoroughly convinced that a few cases were also related, which ended up being suspended, and it turned out that they were actually unrelated and legitimate. That's when I started to reflect a bit.
I didn't go through with the most blatant of the proposed violations, although at the time I was willing to initially. I now realized how egregious that was, and noticed how easily I fell into that mindset. If asked, I think the words "If you've got nothing to hide, you've got nothing to fear" could have naturally rolled off my tongue (though, this certainly would have alerted me to the errors of my thought process).
So I concluded a few things:
- Most of the time, these blatant, sweeping violations, are most likely not malicious and probably do have good intentions. I very much understand what frame of mind most of those people are in. It's not an opaque three letter agency, it's made up of regular individuals with tunnel vision on their legitimate objectives (stopping crime).
- When you look at criminals day in and day out, and are on a mission, everybody starts to look like a criminal.
- The "working backwards" approach - finding signatures of bad activity, and applying it to other data, then "confirming" the new matches, is a well-understood statistical fallacy, aptly named, the prosecutor's fallacy. If you spot it in court, your defense attorney can try and point it out to the jury - and good luck explaining it to your "peers" who probably play the same lotto numbers because theirs is "due eventually". But let's face it - your life is already ruined by then. You're on all the watch lists, your vehicles are bugged, you've got huge legal bills and no job, and maybe if you're extremely unlucky, you're even in Guantanamo. Everything prior had little or no judicial oversight, no way to defend yourself, and is from a system that is invariably full of investigators who are not self-aware enough to always catch themselves doing this, especially when the cost of missing an actual threat is extremely high.
And for bonus points:
The interface that a coworker created to do some of the data mining (let's call it the "lawful intercept interface") had an SQL injection bug in the logic that parsed login history. It wouldn't have been difficult to discover and exploit without even knowing this interface existed, due to the error a user would see on login if they had certain bad characters in the affected field. I found it roughly a year later and reported it to the CTO in a message from his own account, after using the bug to take his auth cookie out of the DB (we were friends, so I knew he would be a good sport).
tl;dr It's mostly good intentioned individuals with tunnel vision, who are very misguided, and who don't understand the side effects and costs of what they propose.
If you aren't aware that there were many documented false positives who were sent to Guantanamo or other CIA detention facilities, you aren't paying attention, because there were some very high profile cases. Here is one example:
Khalid El-Masri is a German citizen who was mistakenly abducted by the Macedonian Police, and handed-over to the U.S. CIA, whose officers interrogated, sodomized and tortured him. While in CIA hands, he was flown to Afghanistan, where he was held in a black site, interrogated, beaten, strip-searched and subjected to inhuman and degrading treatment, tantamount to torture. After El-Masri held hunger strikes, and was detained for four months in the "Salt Pit", the CIA finally admitted his arrest and torture were a mistake and released him.
In April 2004, CIA Director George Tenet was told by his staff that El-Masri was being wrongfully detained. National Security Adviser Condoleezza Rice learned of the German citizen's detention in early May and ordered his release. Shortly before el-Masri was released, in May 2004 the US ambassador to Germany informed the government for the first time of his detention.
* According to a December 4, 2005, article in the Washington Post, CIA agents discussed whether they should remove El-Masri from Macedonia in an extraordinary rendition. The decision to do so was made by the head of the al Qaeda division of the CIA's Counter-Terrorism Center, on the basis of "a hunch" that El-Masri was involved in terrorism; his name was similar to Khalid al-Masri, strongly suspected as a terrorist.*
I can't think of a worse way to completely ruin an innocent man's life. He was basically a "Soccer Dad".
IMHO, the idea that law enforcement should have either all or no access to online data is a false dichotomy.
Wiretapping capability is less relevant than ever IMHO, in a time with more privately-owned cameras and personal communication devices than ever; it is more likely than ever that criminals will leave physical evidence of physical crimes, and so there is less reason than ever to invade people's privacy or criminalize thoughts and suspicion/conspiracy/planning of physical crimes when the damage comes from the follow-through, not the imagination. Violent crime has been declining In Canada and the US for decades. This idea of urgency simply doesn't fit those facts.
The Internet is basically a bunch of random thoughts. In a sense, people are having public conversations, but in another people are simply thinking out loud; the more we hold to criminalizing thoughts, the more we create problems by that process and criminalize freedom of thought.
I'm for warrants, and against vigilante justice, but I also really think we need to dissect this idea that only law enforcement should have, or even already has, the tools to address all dangerous situations. IMHO, the less individuals rely on institutions the better, since it is well known that power corrupts. So far Canada and the US have had pretty good luck and the public has had some success holding institutions accountable for abuses of power, but I don't get the impression that influence is as strong as it needs to be, going forward (and I don't know how to fix it while continuing to empower institutions that quite predictably stray from their mandates rather than close shop). IMHO, Institutions pose an unnecessary risk as they continue to grow and claw for more power - in this case, pushing for more surveillance capabilities. I would rather be responsible for myself, without the help of institutions, wherever possible.
As we create new potentials, and empower people to help themselves, I think the role of institutions should decrease. Take the recent article on the French police offloading missing person searches on Facebook for example. ( http://www.itworld.com/networking/357720/french-police-end-m... ) As much as I don't like Facebook, I think that's the right tool for that job, and I would like to see more work to empower individuals in that sense. It's a wonderful thing to be not needed because you actually solved a problem. I, for one, would love to not need to rely on (and pay for) the police or government because I was safe and had a voice of my own.
With the devices so closely integrated into the cloud we are already close to the "day every iDevice was wiped irreversibly and huge part of the world stopped". Let's not make it closer.