Hacker News new | past | comments | ask | show | jobs | submit login
Is the FBI dumb, evil, or just incompetent? (techcrunch.com)
88 points by kevin_morrill on May 25, 2013 | hide | past | web | favorite | 103 comments

I think people have the FBIs motivations misunderstood. And I don't mean in some evil conspiracy theory sort of way, but in one that is pretty consistent with their mission.

Their main mission nowadays is to stop terrorism, etc... I I think that when they look at this rationally they believe are better served by being able to access these conversations.

The article theorizes that people with data to hide will use encryption, or otherwise would be so stupid, that one can find them easily in any case. In the real world a lot of these cases are broken on a "lucky" break or two. Someone improperly or not using their encryption software once, for example.

I think it seems foolish to accuse them of being dumb, evil, or incompetent. Given the stakes they deal with, and the amount of data they have to sift through, I think its very reasonable that they try to reduce the amount of work they need to do to find credible leads. And I'm sure they try to institute methods to minimize abuse, but I'm sure they are also aware that some abuse will happen.

While some of this feels like it may cross the line, I think it's a line that a rationale organization, with their mission, should push against.

Working with the FBI folks at the TSC (Terrorist Screening Center), being dumb and incompetent doesn't even begin to describe what I saw. The FBI is the most backwards agency technologically -- the leadership is mostly composed of people who actively oppose innovation. At any other government agency, you can host user created applications that consolidate workflows and make peoples' lives much easier. Some even have teams that are dedicated to creating these one-off solutions that don't fit into a general commercial/OSS workflow program. The FBI, however, doesn't allow programming of any sort outside of the scope of their contracts, which mean that a regular analyst is storing data in an excel spreadsheet and trying to pass it around as a database.

I say actively oppose innovation, because I've seen people told to get in line and shut up when speaking out about how to make processes better. This attitude mostly comes from a culture of "special agents" who are their own cool kid club. Imagine a bunch of movie-stereotypical dumb jocks. Now imagine them in front of a computer. FBI.

The most egregious of technological sins I witnessed was when we told the FBI that if they appended a row id to the scattered data they were sending us, that it would literally save on the order of 10 million dollars a year in people not having to manually input things, but being able to parse the data out. Their engineers came back and told us that it was not technologically possible. I said that not knowing their systems, what languages they were using to program the database, or even the database structure itself, give me one hour in the code and I will make it happen. Let's just say that didn't go over well.

Yes. Most of us here are privacy advocates, and I think society needs our voice. However, we're only one side of the coin.

Imagine a world where every phone call, email, chat, forum post, etc is fully anonymous or indecipherable to law enforcement. And imagine your loved one has been abducted and law enforcement has no tools for finding those responsible.

There are many kinds of dystopias. Big Brother is one. Rule by competing gangs is another. We're shooting for some compromise where both individuals and society's rights are balanced.

It's hard.

"Imagine a world where every phone call, email, chat, forum post, etc is fully anonymous or indecipherable to law enforcement. And imagine your loved one has been abducted and law enforcement has no tools for finding those responsible."

So somehow, these abductors managed to leave no physical evidence at all and no witnesses? What does communication privacy have to do with that?

There was once a time in this country when communications could be anonymous -- when law enforcement agencies did not have easy wiretapping access. We still managed to prosecute criminals then. Yes, sometimes criminals got away with their crimes, but that is what striking a balance is all about. The FBI is not trying to strike a balance with this proposal, they are trying to shift the balance in their favor.

> There was once a time in this country when communications could be anonymous -- when law enforcement agencies did not have easy wiretapping access.

Federal authorities always had wiretapping powers pursuant to a warrant. If you mean before that, it was also a time when limited communications forced more visible means of coordination. Consider the difference between planning a crime in a shady corner of a restaurant, with potential witnesses, versus doing the same in an electronic chat room with no ability to capture the communications, even pursuant to a warrant.

"Consider the difference between planning a crime in a shady corner of a restaurant, with potential witnesses, versus doing the same in an electronic chat room with no ability to capture the communications"

I am not sure I see the difference. On the one hand, you have two people who likely have a legitimate reason to meet at a restaurant speaking quietly to each other. On the other, you have two people with a legitimate reason to have an Internet connection using it to communicate. There is a matter of distance I suppose, but so what? Postal mail has always allowed people to communicate at a distance, and it has always allowed anonymous senders.

Why not require all restaurants to record their customers' conversations, just in case the FBI needs to investigate it later on (with a requirement for a warrant, of course)? The same reasoning applies to this FBI push for expanded wiretapping power.

The difference is that if you plot a crime in a restaurant, there are potentially dozens of sources of evidence linking you to the meeting: patrons and servers might see you, security cameras might record you, people might see you drive there, a credit card bill might link you to a meeting there, etc. If the same crime is planned in a chat room, the only thing police may have to go on is logs hosted by the intermediate service provider. Technology makes the real-time communication more anonymous and less traceable than was practical in the past. Even postal mail, besides not being real-time, isn't as anonymous as electronic communications without the possibility of obtaining logs via a warrant.

The focus of privacy activists is in my opinion misplaced. People want an internet that's never monitored, never recorded, never wire-tappable. That's never going to happen, nor is it apparent that it's desirable. What we want is something that preserves the scope of investigative powers that have historically existed with the telephone system. That means robust protections against warrantless wiretaps, but also an effective way of getting access to information pursuant to court-authorized warrants.

Where does "restaurant" come from? Can conspiracies not be planned in a private residence etc.?

Even with a restaurant, you're relying on someone present giving evidence to law enforcement. That works just the same with encryption -- if you have an encrypted chat room with five people and one of the participants sends the logs to the FBI (or is an undercover agent), the FBI will have the logs. If no one does, the FBI will not, which is the same as it is when co-conspirators meet in a restaurant.

>That means robust protections against warrantless wiretaps, but also an effective way of getting access to information pursuant to court-authorized warrants.

The FBI has plenty of tools available. Even if data is encrypted, law enforcement agents with a warrant would still be able to obtain information from ISPs as to who is communicating and when. In the most serious cases trotted out to justify new powers, the FBI can install a listening device or put a trojan on the suspect's communications device.

The way to strike the right balance here is to make wiretapping extremely technologically difficult but not impossible. That makes it very hard for criminals or anyone without government-level resources, and makes it very difficult for governments to engage in unjustifiable dragnet surveillance of innocent people, while still allowing governments to capture the communications of suspects in the rare and most serious cases where the existing evidence justifies that extraordinary level of invasion into the private communications of citizens.

The FBI can already do this in restaurants. They can ask the owner to tap a table (or set of tables). How many owners do you think would deny this request? This is essentially what the FBI is requesting.

The post office does allow anonymous senders, but not receivers. Mail can be intercepted, although evidence of tampering maybe harder to conceal.

<quote>So somehow, these abductors managed to leave no physical evidence at all and no witnesses?</quote> You are saying that it's impossible to hide your tracks when abducting someone? So, all the successful abductions that occurred were all due to lazy police work?

Rule by competing gangs is not a dystopia, it's the natural state that we were born into as animals and that we'be been living under for most of our history. We live largely under rule by competing gangs to the present day and are used to that. We prefer that to Big Brother. That's why the Berlin wall was built to keep people _inside_ the GDR and not the other way around.

> Rule by competing gangs is not a dystopia, it's the natural state that we were born into as animals and that we'be been living under for most of our history.

Which doesn't mean it's not a dystopia.

> We live largely under rule by competing gangs

No, not for any useful definition of the word 'gang'.

I don't think many rational people would be against this type of surveillance. It's all about transparency and ensuring that those who use this great power are doing so for the right reasons.

Every time a wiretap is executed, there should be some sort of public notice. It should be automatic and only suppressed if the investigation is ongoing and only with a judges approval.

Would that make everyone happy? Obviously there are tons of edge-cases, but those would have to be ironed out as they are revealed, just like anything else.

We have major issues to overcome with keeping those in power honest and free of corruption, but like you said, it's hard.

Abduction should be solved by physical surveillance.

> I think that when they look at this rationally they believe are better served by being able to access these conversations.

I don't doubt that FBI believe that total surveillance and complete control over every move that their citizen do is useful to data mine. However, the article question such logic because of the social impact that total surveillance has on society, criminals and innocents.

And this article is not alone on that aspect. The Swedish secret police had similar objections when the military suggested introducing such surveillance in Sweden. Their primary objection was that ubiquitous surveillance pushed criminals and innocents alike to darknets and encryption, which would then make their job harder (through, after they got a slice of the surveillance pie, they have now become very silent on the subject). I guess the police would have similar objection, however they are also getting a slice soon.

In the mean time, we can actually see in real-time the effects on society, like hot-lines being called less, people avoiding calling priest/lawyer and so on. Germany has some direct statistics since they introduced the surveillance several years before Sweden. I guess we will have to wait for hot-lines being added to tor hidden services before people feel comfortable again with talking with a stranger about suspected child abuses or domestic abuse. Criminals will as suggested move to more encrypted routes. Botnet distributors can get an increased slice in facilitating secure communication, and the military, secret police, and to a degree, the regular police can catch those too slow to follow the technology change.

Is this a dumb, evil, or just incompetent change to society?

The thing I try to keep in mind is that 'the government' is the emergent behavior of millions of self-interested people of varying abilities, from people who just want a job for life to people who want to rule the world. There's a framework in place, and they all live within it. Some work to change the framework, but as with ant colonies, it's not as if all of the ants are designing and architecting the colony. Uncle Milton is a blind watchmaker.

That doesn't mean bad things won't happen, just that you have people "trying to do their jobs" who aren't thinking about fundamental liberties. Get a few million of these ants together and they end up in all aspects of your life, much like real ants. In most cases, the best you can hope for is benign mediocrity.

When counted as individuals, it's the infinitesimal minority that reach to greatness or descend to horror.

Being reasonable to try and reduce harm/work in this regard is not congruent with reality. What makes the FBI so different than the NSA? The latter already throwing billions down the hole in useless tech and encroaching on your freedom at the same time.

The article also does not mention something obvious, the FBI does not have earth-wide jurisdiction, moving to a "chat" or operating system hosted and built in another country is already available in many forms.

So they will encroach upon your freedom and throw your culture into the garbage to catch a bunch of dummies.

There was an article about the IRS targeting legal organizations that are not exactly beloved ones by the government.

Sure, FBI are not evil or anything but even one abuse is too much. Government agencies are build to act according to the status quo.

What if the government is not perfect and there are people trying to change something but the government in power is opposing it. Ending the slavery, ending the Vietnam war, gay rights or any movement with an opposition in Washington could have been destroyed with the power that FBI is seeking. The recent decriminalization of drugs in some states could have been prevented if FBI had this power of intercepting all communications. People must have means to challenge the government with non-violent actions. Just because FBI may catch some terrorists is not good enough reason to give them all the means to preserve the status quo. I am not even talking about individual abuses that may occur, compared to society engineering, they are not that important anyway.

What do you call it when you do a good job of achieving a poor goal? "Evil" might not be too far off, although the FBI doesn't have too much of a choice in this matter.

The resources spent on combating terrorism are vastly disproportionate to the threat presented. The FBI may see this as the best way to combat terrorism, but it's an unworthy goal, and it's bad for them to potentially cause so much damage in pursuit of it.

Maybe another alternative should be presented: "solving the wrong problem."

So your choice is dumb, then? Meaning they understand only "their mission" and nothing else.

I mean, sure, an organization with Mission X can go about that mission in variety of ways. It's like the sci-fi movies about a God-like-AI "solving" society's problems. Stop crime in New York City? Easy, just encase every resident in three inches of plastic? Makes sense "from their point of view".

And the fact is that the deaths and mayhem from terrorism haven't exceed deaths and mayhem from many other sources. Thus preempting everything to fight terrorism is not actually logical for us as a society and has not, so far, been particularly positive in its effects.

Here is an interesting article discussing the relative probabilities of losing your life due to terrorism versus other ways.


Are defense attorneys dumb for taking on the cases of guilty defendants? Having a specific mission is often helpful, and doesn't preclude having other systems to provide an appropriate balance.

The last line is the most important: if there is a backdoor (that is the Lawful Interception interface) there is no guarantee that it won't be used by unauthorized third parties.

Anyone could have predicted that something like the Google hack was going to happen. I also seem to remember that there was a similar incident involving the cellphone network in Greece.

On top of this, the FBI doesn't have a "going dark" problem. For more on this please read Trevor Timm (an activist for the EFF and Executive Director of the Freedom of the Press Foundation) on the topic here: http://dprogram.net/2013/04/17/going-dark-whats-so-wrong-wit...

"Trevor Timm: Well, yeah. They’ve been complaining about this “Going Dark” problem for years now and we’ve never really seen any actual evidence that this actually exists. The FBI or the DOJ has to report the number of times they run into encryption when they ask for surveillance. Every year they have to report back how many times they ultimately couldn’t get the information they sought; the number is always 0—for the last 11 years."

He shared this on twitter a while ago: https://twitter.com/trevortimm/status/331985318620327936

I would say that the most important issue is that an already over-powered law enforcement agency is asking for even more power. The recent journalist surveillance scandal should give a clue about the dangers of law enforcement surveillance. This proposal by the FBI will make that sort of surveillance easier. They are trying to grab more power to gather evidence against people, and by extension more power to arrest people.

We already have the largest prison population in the world. There is no pressing need to expand it.

Are there any video chat clients with end-to-end encryption?

I was trying to do this by piping the output of my webcam to openssl and then to netcat, which sends the packets to a publicly addressable server (Amazon instance) that relays the encrypted packets to another computer behind a firewall, that decrypts the video stream and plays it in MPlayer. It works, but the latency is about 10 seconds. To reduce the latency, I could delta-encode the video stream, leverage the GPU somehow, but I'm not sure how to get the latency down to the 200ms required for seamless conversation. Also, it should be noted that there is little code behind this, mainly just unix utilities and pipes.

PS: Also I could remove the Amazon piece and forge a direct P2P connection using NAT hole punching if the routers on both ends permit, but this is not always reliable and isn't a huge source of latency.

Apparently FaceTime [1] and iMessage are end-to-end encrypted with unique session keys. Whether Apple has access to those keys is not known though (the key exchange isn't documented as far as I can tell).

1. http://www.zdnet.com/blog/apple/facetime-calls-are-encrypted...

Any communication that you don't set the keys/are able to track them should be considered unencrypted in my opinion.

I keep expecting to see more research into side channel attacks for encrypted video. A fair amount of work has been done for similar attacks on audio streams with VBR codecs. Secure encrypted voice requires using a codec in CBR mode, but that's not really possible for video. It's perhaps likely that video is too complex to leak anything usable through that type of side channel, but I haven't seen much discussion either way.

"Are there any video chat clients with end-to-end encryption?"

Jitsi claims to. ( http://www.jitsi.org )

I had end-to-end encrypted video chat bodged together using libvlc and SRTP streams at one point, but it was incredibly user-unfriendly and getting latency down below 1 second was easier said than done. VLC really wasn't designed for this kind of application.

Assuming TLS is still unbroken, RTMPS (Flash RTMP over TLS tunnel) offers the most accessible form of end-to-end encryption.

To avoid intermediaries you'd have to run your own Flash server (e.g. Red5) though.

WebRTC clients should be encrypted and secure, since it's P2P communication.

How does it handle the key management necessary to prevent a man-in-the-middle attack?

I say all of the above. There's basically one reason to work for law enforcement: Authority and its slutty sister, Power. People who are attracted to these things are susceptible to logic failures in pursuit of their interest in exerting Authority and Power.

Many people are drawn to law enforcement out of the desire to help others and do good for the world. Being an FBI agent is a very honorable and well-respected profession, especially outside of an internet forum.

Your comment pisses on every person who ever went to school to study criminal law, many of whom did so for noble or at least neutral reasons.

"Being an FBI agent is a very honorable and well-respected profession"

Unless you are doing this:


It is not as though this is some kind of new, unprecedented behavior either:



So let's say a young man is thinking about joining the FBI; he wants to do good for the world, maybe help catch a serial killer or take down a child abuse group. How does he know he will not be asked to conduct surveillance on an anti-war group? How does he know he will not be asked to dig up some dirt on a civil rights leader?

This "honorable profession" you are defending has always had a dark side.

So all the good guys who could disinfect the system from within should just turn down the chance and ensure only bad guys get into the position of power and authority?

It's not that "bad people" are the ones drawn to become cops and prison guards, but the inverse: working as a cop or a prison guard changes you to behave a certain way.

The "Stanford Prison Experiment" is a good example of this phenomenon: http://www.thoughtcrime.org/blog/career-advice/

You can always quit if your morale compass is that damn good.

That's exactly the point. That happens, now who is left running the show?

There are many ways "to do good for the world." I am incredibly suspect of law enforcement, especially at a national level. Not to say that local law enforcement is any less corrupt but it's the nationals that can influence laws like "show me all your messages" happen.

I would absolutely hate the USA to go the way of Russia, USSR, China or many others. Unfortunately we are headed in that direction.

>Many people are drawn to law enforcement out of the desire to help others and do good for the world.

Yeah right, and bittorrent is mainly used for distributing Debian ISOs.

I wholeheartedly agree - I was born on American soil and always felt that the FBI's profession was very admirable. I have had family members deal with the FBI and most of their field agents are second to none when it comes to being good at their jobs.

>> There's basically one reason to work for law enforcement: Authority and its slutty sister, Power.

I'm against government surveillance, but your statement is way too broad.

Only one reason? Really? You don't think anybody goes into law enforcement to protect others, curb violence, and generally do good for the world?

I doubt you'd want your profession to be slandered so casually.

I said "basically one reason" because I thought it may engender pedantry. Ya, sure, people may get into law enforcement for ideologically pure reasons but I am of the opinion that with great power comes great responsibility and there are just not that many people who can resist the temptation of those two sisters. And as I said elsewhere, there are many ways to "generally do good for the world."

Authority and power are not inherently evil, nor is the desire for authority or power.

Would you like the authority and power to prevent women from being raped? Would you like the power to vote to implement laws equalizing 'rights', such as same-sex marriages?

Power may be a necessary evil, but it's still evil. It robs you of empathy, because putting yourself in the shoes of every person affected by your decisions is just too emotionally taxing. And lack of empathy is the root of all evil.

We are perhaps defining power differently, which is why we will disagree.

I see 'power' as 'the ability to realize my will' and I think you're extending it to 'power over other people,' which does imply that, at some point, it will conflict with someone's legitimate (not saying who is to decide what is legitimate) pursuit of well-being.

I think perhaps we also disagree on the definition of 'evil', but I'm not interested in debating this online. This discussion requires beers and scarred wooden furniture. :-)

Well, yes, what you call "power", I'd call "freedom", and it isn't what comes to mind in the context of "power-hungry federal agents."

So if people who are attracted to law enforcement are hungry for Authority and Power then everyone else is attracted to Anarchy?

I vote a little dumb, a little evil (you know, the banality kind) and pretty incompetent.

Anecdotal, but the FBI's first web site was hosted by a NASA machine. I think the FBI was traditionally an IBM shop, and mainframes and the web didn't work well together at first.

In more verifiable evidence of incompetence, there's the Virtual Case File epic fail (http://www.washingtonpost.com/wp-dyn/content/article/2006/08... just one of many articles about it) followed by a minor debacle in Sentinel (http://www.pcmag.com/article2/0,2817,2407922,00.asp)

This has happened on a vastly smaller scale at a few places I have worked. Another flaw seems to be that none technical people ask for something to appear in the new system when they have no idea. The system is built, exactly as requested, and it sucks. Having a competent software engineer on staff who understands the field is vastly more handy than a fat wad of cash paid to outsource. I'm sure there is a good middle road, but companies I have worked for haven't found it.

I've read that quantum computing is picking up, so please correct me if I'm wrong... it IS still pretty hard to factor very large primes, right?

This push to "stop terror" via reading the general public's email/chats/etc. seems more like Big Bro and less like a viable method to stop the next 9-11. Sure, the bros from Boston weren't exactly sophisticated, but I find it hard to believe nobody in Al Qaeda knows how to use PGP.

Still, I'm voting for incompetent. If they want to know what kind of porno we all like, fine.

"it IS still pretty hard to factor very large primes"

I think you mean that it is hard to factor the product of two primes, factoring primes is pretty easy regardless their size.

Of course. I took it for granted that the audience here would know what I meant. My apologies.

it IS still pretty hard to factor very large primes, right

Depends on what you mean by this... There are no practical systems which will do so. But the reason why quantum computing became interesting was because of Shor's work showing that they can factor large primes quickly (in theory).

>> There are no practical systems which will do so.

... that we know of. The intelligence community has secretly outpaced the rest of the world in computing, cryptography and cryptanalysis before.

I would be surprised to find that the NSA has a quantum computer that can quickly factor large numbers.

There are very hard fundamental physics problems with quantum computing. IANAexpert, but as I understand it, the difficulty lies in closing off the system (cold atoms, what have you) you're using to do the computation from the outside world, while you're doing the computation. Any contact (up to a very, very low limit), and you smear ("decohere") the computation so that the output will be in essence noise---not what we want at all. One can approach this as (in some sense) an engineering/experiment problem and try to limit contact with the outside world, or as a theory problem and try to come up with a system that inherently resists problematic contact with the outside world (topological quantum computation, https://en.wikipedia.org/wiki/Topological_quantum_computer), comes to my mind).

So we're dealing with a physics problem: either the gloriously messy, difficult work of experiment, trying to track down and eliminate sources of decoherence, or the theoretical work of finding an appropriate system (and then figuring out how to implement it).

Both of these are far from the core competencies of the NSA, as I understand them (not that I have any real information---just an impression based on way to much time spent reading Hacker News :-) ). As you say, NSA is (perceived as) very, very good and far ahead of the community at computing, cryptography, and cryptanalysis. The problem is, this is not a computing problem, it's a physics problem.

One possibilty, though, is that the NSA has figured out some way to use something like the D-Wave quantum computer (which I am ridiculously far from understanding, but you might recall Scott Aaronson's blog post on the subject not too long ago) to factor large primes---that is to say, to transform prime factorization into the D-Wave problem. At a gut level, I find this much more plausible than that the NSA has independently built a quantum computer: that sort of problem-transformation is much more the kind of math that I feel the NSA would be good at, or be able to become good at very quickly.

Historically they are consistently about 10 years ahead of the curve per Bruce schneiers Applied Cryptography. I have no reason to not believe this to still be true

I do ... encryption back in the day was military stuff mostly. Nowadays it is everywhere and is much more mature field. And with the big internet companies siphoning the top talent I think they may have lost the edge a bit.

Much more cheaper and practical approach is for them than to try to outpace and outspend everyone else combined is to stockpile on zero day exploits which can be used when needed.

You mean numbers which are the product of two large primes.

You don't need such a long argument to prove FBI's stunning incompetence, an example like failing to prevent the Boston bombing where they couldn't find their assess with two hands would suffice.

>> failing to prevent the Boston bombing

OK, you're in charge of the FBI now. There are tens of thousands of public events today in tens of thousand of venues.

Protect them all. Go.

No I am not. I can't protect them so I wouldn't try to become the leader of the FBI. I also can't do surgery but if I come in to have some work done on my hand and leave with a foot chopped of I am going to sue the doctor.

Would you also sue the doctor if he/she failed to give your spouse immortality?

"Find the person who committed crime X" is more like your surgery example: a task law enforcement can often accomplish. "Protect everyone all the time" is as impossible for law enforcement as "grant immortality" is for doctors.

Exactly. The FBI was unable to perform their job properly. Then they ask the public for help. What, the bomber didn't leave behind any Facebook conversations to track? Boo hoo.

Exactly, the US has DHS, FBI, CIA and a dozen other agencies.

Letting anything through should simply result in the leaders going to the electric chair.

>> Letting anything through should simply result in the leaders going to the electric chair.

My, you have high standards. I hope you've never released a bug. Every line of code is available for your inspection and behaves deterministically. Unlike, say, people, who are nearly uncountable, much less predictable, much less controllable.

To avoid letting anything through would require being omniscient and omnipotent.

Please at least try to give others the benefit of the doubt that you'd like them to give you.

They are dumb and evil. But in some ways they're also very bright. It's the most dangerous mix possible; To be effective at being incompetent.

What happens when the FBI becomes infected with people like Lerner who use their power to persecute political dissidents?

What do you mean "becomes"? J. Edgar Hoover actually did use his power to persecute political dissidents. I say this whole FBI backdoor/legal intercept thing reeks of trying to do that sort of thing again.

I mean, it's pretty easy to monitor Quaker anti-war activists: they do everything publically and invite participation politely. No agency needs wiretap access to monitor them. So, who are they going to monitor with this?

This is the real danger of letting government become too powerful: individuals within it can abuse that power.

If your political or religious views are or become unpopular, how much power to monitor, control and punish you do you want government organizations to have? How much oversight do you want for them?

So the FBI would only be able to wiretap suspects who are either too dumb to use encryption — in which case they ought to be easy enough to catch without wiretaps

I think the author under-estimates the difficultly of catching criminals.

Agreed. The dumb ones will work out of 'the game' quickly enough and are quickly replaced.

The bigger problem is not 'catching' them, but prosecuting them effectively. This requires prioritization of limited resources based on severity of offense, availability of sufficient evidence, and difficulty of prosecution. The last is ugly because it's almost directly economic, in that the ability to afford legal counsel creates some level of inequality.

Maybe I'm being naive, but what's preventing Google or Facebook from using their resources to launch a PR campaign against these requests from the FBI, or at the very least be a bit more outspoken about them?

Until recently the US Government was issuing tech companies National Security Letters (different from subpoenas, they do not require judicial approval) and the letters had built in gag orders. In other words if the recipient could not discuss what was being requested by the government, or even challenge the request in court without criminal penalties. Recently courts have reviewed this and given a partial lift on the built in gag orders. (see: http://en.wikipedia.org/wiki/National_security_letter)

> Maybe I'm being naive, but what's preventing Google or Facebook from using their resources to launch a PR campaign against these requests from the FBI

The fact that they do not give a shit about you and your data (and why should they?).

If you want your data to be encrypted, you have to do it at your end. PGP has shown exactly how much people really care about keeping their communication private if it requires even a minuscule amount of effort.

>Maybe I'm being naive, but what's preventing Google or Facebook from using their resources to launch a PR campaign against these requests from the FBI, or at the very least be a bit more outspoken about them?

In theory, nothing. In practice, creating tension with the FBI and DoJ who may then decide to investigate or prosecute them for entirely unrelated things that would otherwise not have been investigated or prosecuted, etc.

They have a choice between doing the Right Thing and doing the Easy Thing. We'll know what they choose soon enough.

Google already makes noise about it. They have a project to report on requests. https://www.google.com/transparencyreport/

Google and Facebook are now basically corporate interests/extended arms of the USG.

How do you expect these companies to operate in the US while defying US laws?

the us government?

Google used to have a very subtle way of telling you that an NSL was issued against you by asking you to "re-accept" their ToS. This may or may not be true, though.

Cant the companies that would be affected just split off the operational side of the business to be outside of US jurisdiction, you know like some do to avoid paying tax (not to grossly over-simplify the issues...)? You know facebook could still exist as a US corporation encompassing the intellectual side of the company but create and icelandic company that actually deploys the servers and processes the data. Or something.

I'm one of the hard-headed privacy freaks usually sharpening my pitchfork when there is an outrage against civil liberties. I'm that guy.

I once had a job that involved investigations of criminal activity (not law enforcement or government related, just a company protecting its own users and employees).

In this case, I had identified, with certainty, one individual that was engaging in significant fraud. He appeared to have several accounts, and it was appearing highly likely that he had a few accomplices.

During the investigation, I was fully willing to violate everyone's privacy to find everyone in the fraud network. This included data that was already submitted voluntarily, private communications, as well as embedding tracking objects and invisible flash objects to retrieve IP addresses of users surfing behind proxies (this used to be an effective way to unmask users). I didn't have a second thought about it. Why would I? I didn't care what the legitimate users were doing, wasn't going to stalk them, wasn't going to pay any attention to their personal affairs. But, to weed out this problem effectively, I needed to sweep everything. I'm trustworthy, just doing my job, and I certainly trust myself enough to disregard or ignore information that wasn't pertinent.

After being entrenched in the investigation, I had a fairly exhaustive list of the bad actors. Initially this was just basic hard data, (such as correlating IP addresses), but then there was kind of a "sixth sense" that I also started relying on, where I couldn't articulate the signal, but some behavioral cues just felt like they were related. You know, "gut instinct". So I ended up digging into those accounts, and confirmation bias took over. I did find many more bad actors, but I was thoroughly convinced that a few cases were also related, which ended up being suspended, and it turned out that they were actually unrelated and legitimate. That's when I started to reflect a bit.

I didn't go through with the most blatant of the proposed violations, although at the time I was willing to initially. I now realized how egregious that was, and noticed how easily I fell into that mindset. If asked, I think the words "If you've got nothing to hide, you've got nothing to fear" could have naturally rolled off my tongue (though, this certainly would have alerted me to the errors of my thought process).

So I concluded a few things:

- Most of the time, these blatant, sweeping violations, are most likely not malicious and probably do have good intentions. I very much understand what frame of mind most of those people are in. It's not an opaque three letter agency, it's made up of regular individuals with tunnel vision on their legitimate objectives (stopping crime).

- When you look at criminals day in and day out, and are on a mission, everybody starts to look like a criminal.

- The "working backwards" approach - finding signatures of bad activity, and applying it to other data, then "confirming" the new matches, is a well-understood statistical fallacy, aptly named, the prosecutor's fallacy[1]. If you spot it in court, your defense attorney can try and point it out to the jury - and good luck explaining it to your "peers" who probably play the same lotto numbers because theirs is "due eventually". But let's face it - your life is already ruined by then. You're on all the watch lists, your vehicles are bugged, you've got huge legal bills and no job, and maybe if you're extremely unlucky, you're even in Guantanamo. Everything prior had little or no judicial oversight, no way to defend yourself, and is from a system that is invariably full of investigators who are not self-aware enough to always catch themselves doing this, especially when the cost of missing an actual threat is extremely high.

And for bonus points:

The interface that a coworker created to do some of the data mining (let's call it the "lawful intercept interface") had an SQL injection bug in the logic that parsed login history. It wouldn't have been difficult to discover and exploit without even knowing this interface existed, due to the error a user would see on login if they had certain bad characters in the affected field. I found it roughly a year later and reported it to the CTO in a message from his own account, after using the bug to take his auth cookie out of the DB (we were friends, so I knew he would be a good sport).

tl;dr It's mostly good intentioned individuals with tunnel vision, who are very misguided, and who don't understand the side effects and costs of what they propose.

[1] http://en.wikipedia.org/wiki/Prosecutor%27s_fallacy

Please tell which US citizens are in Guantanamo because they were "extremely unlucky". You make it sound as if the FBI is picking up Soccer Moms for no reason and mysteriously spiriting them away to Guantanamo.

No, I don't make it sound like that at all. Hence, "extremely unlucky." And I didn't say US citizens went to Guantanamo.

If you aren't aware that there were many documented false positives who were sent to Guantanamo or other CIA detention facilities, you aren't paying attention, because there were some very high profile cases. Here is one example:


Khalid El-Masri is a German citizen who was mistakenly abducted by the Macedonian Police, and handed-over to the U.S. CIA, whose officers interrogated, sodomized and tortured him. While in CIA hands, he was flown to Afghanistan, where he was held in a black site, interrogated, beaten, strip-searched and subjected to inhuman and degrading treatment, tantamount to torture. After El-Masri held hunger strikes, and was detained for four months in the "Salt Pit", the CIA finally admitted his arrest and torture were a mistake and released him.

In April 2004, CIA Director George Tenet was told by his staff that El-Masri was being wrongfully detained. National Security Adviser Condoleezza Rice learned of the German citizen's detention in early May and ordered his release. Shortly before el-Masri was released, in May 2004 the US ambassador to Germany informed the government for the first time of his detention.

* According to a December 4, 2005, article in the Washington Post, CIA agents discussed whether they should remove El-Masri from Macedonia in an extraordinary rendition. The decision to do so was made by the head of the al Qaeda division of the CIA's Counter-Terrorism Center, on the basis of "a hunch" that El-Masri was involved in terrorism; his name was similar to Khalid al-Masri, strongly suspected as a terrorist.*

I can't think of a worse way to completely ruin an innocent man's life. He was basically a "Soccer Dad".

d) all of the above?

Do FBI contradict myself? Very well then FBI contradict myself, (FBI am large, FBI contain multitudes.)

Why would the FBI be interested in social networks? I don't think criminals and terrorists communicate using Facebook.

It's probably for the network itself, not just the communications.

Which makes you wonder why they are interested in it, anyway, doesn't it?

Not true.

Can you cite any sources? I just find it implausible that anything other than petty crime would be discussed over social networks.

i guess they don't care about anything else as long as they can do their job

We obviously need a test-driven government framework. :-)

I'd say they're a little of all of those things and more. They are, after all, human. They get paranoid and worry, they make mistakes, they grasp for power when they can. It never works out like they want though, because they are human.

I believe that the CIA is much much worse than the FBI.

Most of these debates seem to start from the idea of a yes or no ballot to formalize a panopticon and I think that only makes it more likely that society will go there (I mean: please, somebody, think of the children).

IMHO, the idea that law enforcement should have either all or no access to online data is a false dichotomy.

Wiretapping capability is less relevant than ever IMHO, in a time with more privately-owned cameras and personal communication devices than ever; it is more likely than ever that criminals will leave physical evidence of physical crimes, and so there is less reason than ever to invade people's privacy or criminalize thoughts and suspicion/conspiracy/planning of physical crimes when the damage comes from the follow-through, not the imagination. Violent crime has been declining In Canada and the US for decades. This idea of urgency simply doesn't fit those facts.

The Internet is basically a bunch of random thoughts. In a sense, people are having public conversations, but in another people are simply thinking out loud; the more we hold to criminalizing thoughts, the more we create problems by that process and criminalize freedom of thought.

I'm for warrants, and against vigilante justice, but I also really think we need to dissect this idea that only law enforcement should have, or even already has, the tools to address all dangerous situations. IMHO, the less individuals rely on institutions the better, since it is well known that power corrupts. So far Canada and the US have had pretty good luck and the public has had some success holding institutions accountable for abuses of power, but I don't get the impression that influence is as strong as it needs to be, going forward (and I don't know how to fix it while continuing to empower institutions that quite predictably stray from their mandates rather than close shop). IMHO, Institutions pose an unnecessary risk as they continue to grow and claw for more power - in this case, pushing for more surveillance capabilities. I would rather be responsible for myself, without the help of institutions, wherever possible.

As we create new potentials, and empower people to help themselves, I think the role of institutions should decrease. Take the recent article on the French police offloading missing person searches on Facebook for example. ( http://www.itworld.com/networking/357720/french-police-end-m... ) As much as I don't like Facebook, I think that's the right tool for that job, and I would like to see more work to empower individuals in that sense. It's a wonderful thing to be not needed because you actually solved a problem. I, for one, would love to not need to rely on (and pay for) the police or government because I was safe and had a voice of my own.

Think like a sysadmin in a big corporation. Assume that there are devices (the BYOD trend) that you have no root to/ no way to monitor them. It will drive you crazy if you have a mild case of ODC(and in IT it comes with the profession) no matter what the real risk is. Now you are in FBI shoes.

With the devices so closely integrated into the cloud we are already close to the "day every iDevice was wiped irreversibly and huge part of the world stopped". Let's not make it closer.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact