Tech Companies and Government May Soon Go to War Over Surveillance (wired.com)
98 points by kristiandupont 1427 days ago | 86 comments



I figure that the NSA will simply subpoena the private SSL certs with a gag order. That gives the companies involved plausible deniability since XKeyScore (and XKeyScore whatever is next) can just record all the raw internet traffic. I don't see how large technology companies will be able to fight back. SSLv3 includes Perfect Forward Secrecy via ECC but it is not widely used.


Browser vendors (which seem to coincide with many of these tech companies involved) can also use certificate pinning:

http://tack.io/

Or we can all start to use something like this (both projects are from Moxie Marlinspike):

http://convergence.io/


There's not much you can do to detect MITM by someone who has subpoenaed the private SSL certificates, is there?

I mean, there's no way to tell apart the certificate from the intermediary from the cert from the endpoint as they're the same.


No, if the private keys are compromised (such as via a subpoena) then a man-in-the-middle attack is trivial.

Worse, if a trusted certificate authority's private key is compromised, then the TLS public-key infrastructure as a whole is broken. An attacker who can also intercept traffic (e.g. by routing traffic through a data centre they control) can execute a MITM attack by issuing their own TLS certificate for any domain.

The only way to detect such an attack would be to notice that one time you connect to a site you see the legitimate key, and another time you see the attacker's key. That's what certificate pinning detects.

At this point it's probably safe to assume that the NSA has compromised at least one certificate authority's private keys via a subpoena and gag order and can therefore do MITM attacks on TLS traffic.


With SSLv3 you can prevent MITM attacks as well as replay attacks where the cert is compromised in the future. The SSL cert is used to verify the identity of the server. Once the handshake is completed a symmetric key is chosen for the session using Diffie-Hellman key exchange (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exch...). To compromise the session the NSA would have to subpoena the data from the server's memory (a real possibility) but would be unable to attack any sessions that had been previously recorded. This is called Perfect Forward Secrecy (http://en.wikipedia.org/wiki/Perfect_forward_secrecy). It is supported by OpenSSL using elliptic curve Diffie-Hellman. If this was adopted universally it would make conventional attacks on SSL impossible without compromising the server's memory. However there is still a risk that any government may compel a company to preserve the session keys under a gag order.

If a CA is compromised then we have much larger problems since it is impossible to verify the identity of the participants in the session. Since an attack was used to create valid certificates as part of the attack on Iran's nuclear program it is likely that other attacks exist and are in the hands of the same actors. We can't move to ECC based SSL fast enough.


I've been using the Certificate Patrol add-on for a couple of years and I've noticed that there are periods of time during which Google's certs change very frequently (at least as seen by my browser). The last week or two has been one such period. It seems to be switching between certs from Equifax and GeoTrust multiple times per day.

http://patrol.psyced.org/

I've been thinking about installing the EFF's SSL Observatory - a sort of distributed cert pinning and comparison plugin.

https://www.eff.org/observatory
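An added example (not code from this thread, Certificate Patrol, TACK or Convergence) of the comparison the comments above describe: remember the certificate seen for a host and flag later connections that present a different one. It pins whole-certificate fingerprints rather than public keys, and the class, host name and byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use record of the certificates accepted for each host."""

    def __init__(self):
        self.leaves = defaultdict(set)   # host -> accepted leaf fingerprints
        self.issuers = defaultdict(set)  # host -> accepted issuer fingerprints
        self.log = []                    # (host, verdict) per observation

    def observe(self, host, leaf_der, issuer_der, accept=False):
        """Classify one TLS connection against what was pinned earlier.

        accept=True models the user confirming that a change is legitimate
        (a renewal, or a site that rotates between several certificates).
        """
        leaf, issuer = fingerprint(leaf_der), fingerprint(issuer_der)
        if not self.leaves[host]:
            verdict = "first-seen"       # nothing to compare against yet
        elif leaf in self.leaves[host]:
            verdict = "match"
        elif issuer in self.issuers[host]:
            verdict = "leaf-changed"     # new certificate, same CA
        else:
            verdict = "issuer-changed"   # new certificate from another CA
        if verdict == "first-seen" or accept:
            self.leaves[host].add(leaf)
            self.issuers[host].add(issuer)
        self.log.append((host, verdict))
        return verdict

    def changes(self, host):
        """Number of observations for host that did not match a pin."""
        return sum(1 for h, v in self.log
                   if h == host and v in ("leaf-changed", "issuer-changed"))


# Constructed byte strings standing in for DER certificates.
LEAF_A, LEAF_B = b"constructed leaf A", b"constructed leaf B"
LEAF_X = b"constructed leaf issued by an unexpected CA"
LEAF_P, LEAF_Q = b"constructed leaf P", b"constructed leaf Q"
CA_1, CA_2, CA_3 = b"constructed CA 1", b"constructed CA 2", b"constructed CA 3"


def run_demo():
    """One host over time; returns (verdicts, number of flagged changes)."""
    store, host = PinStore(), "mail.example"
    verdicts = [
        store.observe(host, LEAF_A, CA_1),               # first visit: pinned
        store.observe(host, LEAF_A, CA_1),               # same certificate
        store.observe(host, LEAF_B, CA_1, accept=True),  # renewal, user accepts
        store.observe(host, LEAF_X, CA_2),               # other CA: flagged, not pinned
        # Interception with the site's own key and certificate presents the
        # same bytes as the real server, so the comparison has nothing to flag.
        store.observe(host, LEAF_B, CA_1),
    ]
    return verdicts, store.changes(host)


def rotation_demo():
    """A site that alternates between two CAs, as described for Google above."""
    store, host = PinStore(), "rotating.example"
    return [
        store.observe(host, LEAF_P, CA_2),               # first visit
        store.observe(host, LEAF_Q, CA_3, accept=True),  # second CA, user accepts
        store.observe(host, LEAF_P, CA_2),               # later switches are quiet
        store.observe(host, LEAF_Q, CA_3),
    ]


if __name__ == "__main__":
    print(run_demo())
    print(rotation_demo())
```

The final "match" in run_demo is the case raised earlier in the thread: when the interceptor holds the site's own private key and certificate, the fingerprints are identical and pinning cannot tell the two apart.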


We could not have a central signing authority (i.e. use ssh-style approach). This would still mean that Facebook could hand over their key, but would not leave the whole thing wide open as it is now since the NSA likely has already captured the private keys of major certificate authorities.


This happens way too often... The page is served over http and asks you to install its addon. The addon is not verified. The addon is downloaded from "http://convergence.io/releases/firefox/convergence-current.x....

What's the point of providing such service if anyone capturing your internet traffic can change it in flight to a "return True" equivalent?

Edit: tried https... come on, they're not even trying: "The certificate is only valid for the following names: whispersystems.org , www.whispersystems.org"


The github project has also been stale for 1-2 years. I'm interested but you've got to maintain a project for it to be a "solution".


Historically, the government has won every political fight about this (I guess nobody remembers CALEA, or its predecessors), and been roundly supported by both law enforcement and the populace at large.

Outside of the tech community, I have yet to hear large amounts of actual outrage.

I thus predict the same outcome as say, patents:

Techies will complain on techie-friendly websites about how it sucks, rather than doing something productive like repeatedly contacting their congressfolks, requesting and having real live meetings with them.

People will propose technical solutions, apparently oblivious to the fact that the government will simply require you not to use them (as they have in the past).

Nothing will change.

Techies will then blame the tech companies for losing this war, or blame it on not spending enough money on lobbyists, or some bogeyman that does not require realizing the harsh truth: As a whole, techies refuse to actually get involved when it's something that actually requires doing something other than coding or writing comments on a website.

Instead, they rely on EFF and other orgs, which are simply not enough.


Contacting congressfolks is useless. I don't know where you guys get this idea that it actually works, but if you simply look at incentives (not expectations of how it's supposed to be) government officials have absolutely no incentives to change their policies even if a large enough group of people demands it. Whenever something is inconvenient to a government, this group of people can simply be ignored, because nothing else would follow. No uprisings, no media coverage, and, most importantly, no reduction in financing (taxation) - nothing. The people in government know this very well, but, of course, they are interested in perpetuating this myth, because it adds legitimacy to them.


"I don't know where you guys get this idea that it actually works"

From doing it. From watching how DC works, from working next to DC lobbyists and politicians for many years, and watching people be effective and get things done in DC for many many years.

I'm not sure why you think it doesn't work. Have you actually done it?

They care tremendously what their constituents believe, contrary to popular belief. They get daily morning briefings on their constituents' views on issues, etc.


>>From doing it. From watching how DC works, from working next to DC lobbyists and politicians for many years, and watching people be effective and get things done in DC for many many years.

So basically, anecdotal evidence. Got it.

This issue has been discussed on HN before, and we had overwhelming response from people who actually worked for Congresspeople that the vast majority of letters and calls from constituents get either ignored, or given canned responses. This fits my anecdotal experiences with politicians in general as well - for the most part, the politician is paid for by private interests and lobby groups.


What I've heard from friends who've worked in congressmen's offices is that the staffers will take all incoming communications - phone calls, letters, e-mails - and then divide them up into either "PRO" or "CON" piles for each bill that's up for a vote. They will then provide a report to the congressman, who combines the data of constituent feelings with his own personal beliefs, political compromises he brokers, and information from lobbyists in deciding how to vote. I've heard the rule of thumb is that for each person who writes in, roughly 10 other constituents feel the same way.

So yes, on an individual level, your vote is worthless. However, in the aggregate, constituent feedback counts for a lot, possibly the biggest single input. And so once you accept that you as an individual are insignificant in the grand scheme of things, you can actually accomplish a lot by minimizing the personal effort you expend on writing your congressperson and instead getting lots of other people to vote the same way you do.

This suggests an interesting hack. Create a really simple mobile app that lets you subscribe to all upcoming legislation on issues you care about. It'd be structured like a news app or RSS reader, where you can flick it open whenever you have a spare moment and read the latest upcoming issues. And then let you easily indicate your position - perhaps swiping right means "Aye" and swiping left means "Nay". A swipe automatically sends a canned form letter to your congressman indicating your support or opposition for the legislation.

Basically, you're leveraging technology to enable direct democracy. Create a direct information line between constituent and congressperson, where the constituents have all the information available to them that congresspeople do, and can vote just as easily.


Kind of like Capitol Bells? http://capitolbells.com/#about-the-app

I recall the creator talking about this at length on reddit or somesuch in recent months.

Also Direct Democracy is a nightmare. See: California. Arnold Schwarzenegger outlines why his attempt at making most of his major issues ballot initiatives in his first term was a disaster in his book Total Recall.


Heh, pretty cool. Unfortunately it's not available for Android yet. But it seems to be basically exactly what I had in mind.


"This issue has been discussed on HN before, and we had overwhelming response from people who actually worked for Congresspeople that the vast majority of letters and calls from constituents get either ignored, or given canned responses."

[citation needed]

I highly doubt this is what was said, because it's simply not true. I certainly don't remember it being said either. Certainly, if that was the "overwhelming response", you should have no trouble providing links. If you do, I'm happy to admit I was wrong. As far as I know, having talked directly to legislative assistants of congressmen, and chiefs of staff of senators, is that they are a huge input into how congressmen and senators vote.


Since you said you are willing to admit you are wrong, I took the time to search and find it. Here you go: https://news.ycombinator.com/item?id=5876185

Excerpt from first reply:

"ETA: I've also typically seen that regardless of the amount of pressure applied by the public for one side of an issue, nearly every politician will simply vote the party line anyways. They know where their bread is buttered, and won't go against party leadership. I've watched legislators look over at a senior party member and be signalled which way to vote when their turn comes up. I don't think anything I've done or said to my representatives has had the slightest impact on their opinion or voting record. That's just how the game is played."

Excerpt from second reply:

"IME: email is worthless. canned letters / faxes go in the garbage. A polite phone call may accomplish something. Better yet if you donated or voted for that politician. Even better if you phone banked." [followed by an explanation of what works, i.e. money]

Excerpt from third comment:

"I was an intern for a congressman. My job was to answer and return constituent emails and calls. We took the feedback, searched for the proper prewritten form letter, printed it out and sent it back with a stamp of the congressman's signature. He never got a single bit of the feedback himself."

Fourth comment mentions that anti-SOPA call-ins seemed to have been successful, but they are forgetting the billions of dollars of corporate money that went into protesting SOPA. Again, it was about money.


> no reduction in financing (taxation)

If you look at the GDP to national debt map on wikipedia you will notice, that most (if not all) first world countries, the beacons of human rights and democracy, owe more than they can produce in the foreseeable future. It is not the tax money they are spending.


> If you look at the GDP to national debt map on wikipedia you will notice, that most (if not all) first world countries, the beacons of human rights and democracy, owe more than they can produce in the foreseeable future.

The highest debt:GDP ratio on the list under either measure is Japan's under the CIA measure, at a little over 200% of GDP. That's not more than it can produce in the foreseeable future (it's a little more than it produces in two years.)

It may be more than they are likely to pay off in the foreseeable future, but then, that's a completely different story.

> It is not the tax money they are spending.

That's not a question that is addressed by debt:GDP ratio, it's a question that is addressed by deficit:budget ratio, which is a very different beast.


Well, there is a chart for that on wikipedia too, and it doesn't look good either. And I'm not talking about Japan.

There was a country just a little over 20 years ago that was in debt up to its neck and was trying to do global surveillance and project global power. Half of the world was screwed when it fell, and not everybody in the Eastern Bloc has recovered yet. God help us all if this happens to the USA.


> Well, there is a chart for that on wikipedia too, and it doesn't look good either.

After you misrepresented the last one without actually linking to it, I'm not really inclined to expend the effort to verify your characterization of this one.

> There was a country just a little over 20 years ago that was in debt up to its neck and was trying to do global surveillance and project global power.

AFAICT, the Soviet Union, just before it fell, had an estimated $65-$100 billion in foreign debt with a GDP on the order of $2.5 trillion -- it wasn't really "in debt up to its neck".


Not just the tax money. If tax money were completely irrelevant, nobody would bother to collect them.


You're semi right, in that many parts of government do not care about what the public thinks; however, congressmen are not in this group. They are totally beholden to the people in their district, as that is their source of power. The people who live in a district have that district's congressman by the nose, and they should act like it.


Well, let's see. Do people have the power to stop paying a congressman his salary immediately or do they have to wait for the next election and hope another guy wins? Or maybe they can take a congressman to court for not keeping his promises? What incentives does a congressman have to truly react to those who elected him and do something about the issues they have?


"People will propose technical solutions, apparently oblivious to the fact that the government will simply require you not to use them (as they have in the past)."

Are we still required not to use them, like > 40 bit DES in various circumstances? In 1997 I helped a lawyer who'd previously done embedded programming apply for an export license for a piece of my company's software, in which I either degraded the use of DES or confirmed that the code already did that.

But the Cold War/Clinton anti-strong crypto regime is over. For that matter, the Cold War/Vietnam national security and more ecosystem took major, major hits in the mid- to late '70s, e.g. the Church Committee (although for all we know the most critical thing was J. Edgar Hoover dying in 1972).

Why are you not heartened by the Amash Amendment vote? Especially in how it didn't break down according to any conventional lines?


"Why are you not heartened by the Amash Amendment vote? Especially in how it didn't break down according to any conventional lines? " This was more about congressmen being pissed off at the NSA, not lobbying efforts by anyone.


Well, did you call your Congresscritter's office? I did, and was told they were getting a lot of calls.

Everything I can see in my corner of Red State America says enough people believe the government has stepped over a line such that we can very possibly win. Then add discreet lobbying by tech companies ... which will I expect play out a lot slower and limited than normal given the Joseph Nacchio object lesson.


Over a decade ago now, I did get involved. Deeply involved. After 5 years I was completely sick and tired of the corrupt system and the utterly self-serving political elite. My options were to join or get as far away from it as possible.

Very few people go down this road and come back with their ideals and principles intact.


I think we are going to see a massive showdown over crypto backdoors, the likes of which we have not seen yet. I am further not sanguine about the tech companies coming out on top this time.

The problem, as the article points out, is that people are demanding greater security, and government abuse is driving this. That security comes at a cost for things like wiretaps. The choices are bleak and the showdowns are commencing. Dangerous times.....


"I am further not sanguine about the tech companies coming out on top this time."

Remember, though, this isn't just "government vs. the little guy". There are large interests that don't particularly care for the US government intercepting their every move. Some of these may sue, some may contribute to furthering encryption technology, who knows what else.

My personal feeling is that the NSA's surveillance is going to slowly but surely get much harder over the next few years. Centralization was convenient, but if there's enough push to decentralize, it can be done, and will be done. And further, the exact stuff that the NSA is most interested in is going to be the first to go.

We're overdue for another wave of decentralization anyhow.


>>> And further, the exact stuff that the NSA is most interested in is going to be the first to go.

It's already gone. That's what's so insidious about this whole NSA/CIA/FBI/DHS/DEA debacle: it's all a wasteful charade. They haven't caught __anyone__. They haven't stopped __anything__ of import. It's a bunch of bureaucrats playing cold war with real lives and money. They shouldn't have access to anything because they don't DO anything worthwhile with it.

The world is getting safer. Information/education (power) via technology is being shifted to the individual in a big way and they HATE it because it makes them irrelevant. The current state of the government three letter agencies is an ongoing FUD apparatus that exists for almost no other purpose than self sustenance.

The NSA has systematically and illegally shared information with the DEA and other domestic law enforcement[1]. It has done so while encouraging them to cover it up using “parallel construction” to establish probable cause for an arrest. The FBI entraps people into terror plots and then "busts" them[2]. The ATF sells guns to the Mexican drug cartels[3].

Look at the sources below. It's Forbes, The New York Times and The Washington Post. This isn't edge case conspiracy theory. This is systematic institutionalized corruption covered daily in the mainstream press.

The military industrial complex and its self-sustaining security theater is eating billions (trillions?) in real tax payer money and costing us god knows what via chilling effects and opportunity costs of human lives ruined or snuffed out. It makes me sick to think about the scale of the losses.

The only good news is we (as in we, the people) are winning, as of now. We can all still talk about this stuff without secret police showing up at our door. And, more importantly we ARE talking about it. Everyone is pissed, congress' approval rating is 11%. Pretty soon everybody will know everything. Obama, Holder, Clapper and co have a lot more to hide than we do. That's why the government and their financiers are so freaked out and paranoid.

[1] http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/05...

[2] http://www.nytimes.com/2012/04/29/opinion/sunday/terrorist-p...

[3] http://www.forbes.com/sites/realspin/2011/09/28/fast-and-fur...


I really feel as if when Obama was elected someone walked into the Oval Office and said "Hey. Nice speeches. Now here's how the world works so try to keep the ball rolling as long as you can." and he probably just said "Fuck."

Once someone puts the whole picture together and the middle class continues to decline, and the rich get richer, and the poor get poorer, and the safety net gets dismantled more and more (although Obama Care is at least a step forward I'd say), and the prisons keep expanding, and the endless drug war keeps going on, and the debts keep rising, and the population keeps expanding, and the costs of goods keep going up and up, and the whole myriad of other things that are going on in secret and out in the open, well... I'd imagine it's not going to be pretty at best. Hopefully things can change slowly and we can avoid the whole house of cards collapsing, but who really knows?


Not to mention resource depletion and the peaking of flow rates in oil extraction.


"I think we are going to see a massive showdown over crypto backdoors, the likes of which we have not seen yet"

All this has happened before, all this will happen again:

http://wiki.openrightsgroup.org/wiki/Crypto_Wars


I agree with that, but what is different now is that crypto has gone from something that will impact a few investigations to a fact that law enforcement and intelligence agencies will have to live with, and there will be much money to be made trying to build NSA-proof services.

The previous battles are I think small skirmishes compared to what is coming.


"what is different now is that crypto has gone from something that will impact a few investigations to a fact that law enforcement and intelligence agencies will have to live with"

That was exactly the issue during the crypto wars. The cat was out of the bag by the time NSA agents showed up in Rivest's office and started treating it like a crime scene. The DOJ brought up stories about common criminals using PGP to avoid prosecution when Zimmermann was testifying before Congress. The crypto wars were an effort to prevent cryptography from becoming commonplace, not just about a few high-level targets using it.

"there will be much money to be made trying to build NSA-proof services"

First of all, privacy is not a service, at least not if "privacy" means "NSA-proof." Hushmail and Lavabit have proved that point beyond any doubt.

I also doubt that privacy-enhancing technologies will be very profitable. There is a general lack of understanding of what things like PGP actually do, which makes it hard to sell such things. People want convenience more than privacy. Business users are willing to accept systems with back doors, for both their own internal needs (a dead employee's files should not be lost forever) and for compliance with various regulations (e.g. Sarbanes-Oxley).

What you almost certainly will see are lots of scams and snake-oil security.


> That was exactly the issue during the crypto wars. The cat was out of the bag by the time NSA agents showed up in Rivest's office and started treating it like a crime scene. The DOJ brought up stories about common criminals using PGP to avoid prosecution when Zimmermann was testifying before Congress. The crypto wars were an effort to prevent cryptography from becoming commonplace, not just about a few high-level targets using it.

Right. I totally get that. I am just saying it is totally different now that the government has given everyone strong incentive to use crypto as a matter of course. If people don't trust the government to be responsible regarding wiretaps, the government won't be able to wiretap.....


You think we're going to see that?

I imagine it'll be fought, but quietly and sealed under various letters/orders/statements for the next 30 years.


I've always toyed with the idea of tech companies gearing up militarily. Let's see Google Hellfire Missile Drones defend their datacenters against Facebook Autonomous Cockroach Bots with kilograms of incendiaries embedded in them.

Just watch out for Apple's that's-no-office-building spaceship. (It's easier to disguise a launching platform as an office building rather than build an (undetected) assembly platform in LEO.)


They would lose, this isn't CP2020 :-)

That's a nice little phone company you have there Mr Brinn, it would be terrible if something happened to your telecoms licence.


Makes a nice headline for a Friday afternoon. Unfortunately it will never happen. Tech company leaders don't have the stones while the government has guns and prisons.


Ban crypto and then only criminals and governments would have it. Same as guns.


> criminals and governments

You repeat yourself.


Made me think of a favorite Mark Twain quote.

Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself.


Ah, but there's a more apropos one combining the two:

"It could probably be shown by facts and figures that there is no distinctly native American criminal class except Congress."


It seems like it should be the other way around.

Suppose you were a member of Congress. And suppose you were an idiot. But I repeat myself.

Otherwise the only idiots in the world would be Congressmen.


Pedophiles and terrorists use high-strength crypto to transmit dangerous and illegal information. There's no reason normal citizens need high-strength crypto. Besides, if it came down to it, do you really think your crypto would stand a chance against the government's three letter agencies? You can still protect yourself from passive script kiddies with ROT13.


For those that didn't catch it, Jay is using a mock version of the anti-gun argument in his response here. I'm pretty sure his views aren't that at all (but a part of me is terrified to think that someone will use his response as a defense for crypto to not be in normal users' hands, taking what he said completely out of context)


Wait until they start using words like "assault crypto" or military-grade crypto. Why does any citizen need the crypto that is used in warfare? They aren't in combat, why do they need more than 54-bit keys? Who are they so worried about anyway?


"There is no need in American civilian life for these weapons of war." (https://en.wikipedia.org/wiki/Enigma_machine)

The next time they come for the gun owners (well, that would be yesterday: http://www.pagunblog.com/2013/08/29/obama-issues-executive-o...) you might want to consider that this set of rights is indivisible.


Or better yet: Crypto of mass destruction!


> There's no reason normal citizens need high-strength crypto.

You seem to think that normal citizens have no need to hide things. I deem this assumption to be false. Witness "normal" citizens in various foreign countries with oppressive regimes whose very lives require they hide things.


Poe's law FTW


"You want us to execute that warrant for you? Ok, sure, but the user will get a nice big popup warning telling them that their messages are likely being intercepted!"

I'm pretty sure that would be illegal in the case of an NSL.


I'm pretty sure it would be illegal without an NSL. Tipping off the subject of an investigation over a search conducted pursuant to a valid warrant.


Would using a technology that makes a warning of surveillance unavoidable be illegal?


Would there be a way to expose the integrity of a service (actual devices connected etc), read only, to every user of a service? So that when an interception device or protocol is used, every user who cares to look (and can understand) would know about the disruption.

And then, when the government says "Stop doing that, we want to watch your users," the only way to do that and hide the watching would be to disable the system wide security view. And people make their conclusions.


They have an answer for that: the government installs black boxes that monitor stuff. That's why so many companies cooperate by giving them data, it's a lot better than having random stuff in your machine rooms with actions and purposes you neither control nor understand.


Has the supreme court ever ruled on NSL secrecy vs the fourth amendment?


I don't think there's really any overlap there. The overlap with the 4th would be less about secrecy and more if someone demanded full content from an account, since NSLs are not warrants (legality of procuring "metadata" without a warrant is the much larger issue there, but so far courts have been ok with it).

The secrecy part can be a violation of the 6th amendment (right to confront your accuser), but theoretically evidence procured under the NSL will be produced by trial time (except when shown to conflict with national security, which judges can sometimes accept too readily).

The real problem with secrecy is the first amendment, since you are forcing people to not divulge that they received an order to hand over information. Typically prior restraint like that is heavily circumscribed to protect an ongoing investigation but no further, which means that indefinite gag orders should have correspondingly extraordinary justification. Considering the hundreds of thousands of NSLs that have been issued, this seems unlikely to be the norm.

The first amendment approach has been successfully[1] argued by the EFF at the district court level. This has opened the way for more lawsuits, including an appeal of that case, which will hopefully make their way higher in the court system.

(read the linked EFF article if you're interested in more. It lays the case and the judge's ruling out in great detail)

[1] https://www.eff.org/deeplinks/2013/03/depth-judge-illstons-r...


I don't think it even got a ruling from a Federal Court yet, because the feds kept playing legal games, and got away with dismissing the cases. But I think it's been declared unconstitutional at least 3 times by normal Courts.

http://www.youtube.com/watch?v=DYsXCNLB0CI


It is usually ruled that the plaintiffs can't prove standing, meaning they can't prove they were harmed by the behavior. And of course one would probably need access to their raw data to prove standing, so it's unlikely that the courts are the way to go. Even if the court does rule that it's illegal it is almost impossible to enforce. The FISA court ruled that certain things were not permissible but the NSA did them anyhow.


Sorry, brain fart on my behalf, I had confused the first and the fourth amendment.


If only, but I just don't see companies like Google, Microsoft or Facebook implementing end-to-end encryption like OTR, ZRTP and PGP for their services, and even if they do, I'm not even sure I'd trust them not to implement a backdoor to get that data before it's encrypted somehow, at the behest of the government.

Unfortunately, the alternatives will have to come from elsewhere - from disruptive (in privacy) start-ups that will launch only services with security in mind from day one, as they try to steal customers away from those companies.


Isn't the more important battle here between the government and the agencies that serve as the 'backbone' of the internet (ISPs, etc.)?


Indeed, the author seems to be clearly ignorant of that, be it willingly or otherwise:

> My guess is the de facto interception technique of the future will involve targeting users’ endpoints (phone, computer, tablet, whatever) instead of trying to intercept communications in transit.

The data is still stored in the hands of tech companies, and as such outside the realm of control of the owners of the data. The article writer would do well to realize that it's not about national security, terrorists, or China -- but instead it's about control.


Yeah, I highly doubt they will target users' endpoints (mostly because of the ease and largely unreported nature of fiddling/requesting data from ISPs).

No matter where the data ends up being stored, if it has to GO somewhere, and you are the man in the middle everywhere, things start getting a lot easier to track.


Have there been any examples of tech companies that have simply refused to provide access to governments?


Yes, it's a stark object lesson: https://en.wikipedia.org/wiki/Joseph_Nacchio#Qwest

ADDED: which helps explain the current behavior of other companies we'd like to think better of. I'm sure the people running them would too, but they and their families (who the Feds have targeted in other political prosecutions) would prefer they stay out of Federal prison.


I predict that more companies outside the US will start producing products and services that the US can't touch legally. As a result US tech firms would lose out.

It is their interest to band together now as one powerful lobby group and force a change to the legislation.


"I predict that more companies outside the US will start producing products and services that the US can't touch legally. As a result US tech firms would lose out."

I guess I view this as highly naive. What makes you think the US won't get agreement from these places to share? They already have in a large number of cases.


I would only say somewhat naive. There is a lot of effort in the EU that points in this direction. Not everyone is a British poodle over here. We started our work in the direction a couple of years ago, where I work. It will take a while, but it will happen.


I see all these posts about X has raised 40m, Y has raised 80m! Pool together money and start lobbying.


That's a possibility. Google has made WebRTC encrypted by default. However, it uses RSA which still isn't the best of choices (15 years in the future, when the NSA builds a usable quantum computer).


We have nothing that would survive a quantum computer. RSA is even better than ECC, because it uses longer keys.

But we are very far from a usable quantum computer. I doubt we'll get it in 15 years, and I doubt we'll get it before everything changes because of AI, nanotech, some other disruptive tech, or some kind of doom.

Yes, there is nothing stopping you from using ECC with a 2k bits key. Except that you aren't.


Friends sue each other. That's a show for their enemy. I'm surprised some of us are still thinking tech companies and their government are against each other in this case.


Sadly a majority of the American public is completely okay with being spied on. [1] Given that is the customer base for these tech companies, I don't see them fighting very valiantly, if at all. Especially when the government can put on pressure via political prosecutions. [2]

1: http://www.people-press.org/2013/06/10/majority-views-nsa-ph...

2: http://en.wikipedia.org/wiki/Joseph_Nacchio


[deleted]


If these nodes are standardized, then the flaws in them are also standardized, which could make automated monitoring just as easy...


Don't be too quick in supporting the Tech Companies in this war. The only thing that will happen if they win, is that the government will have to pay to get your data.

In this war, the government should win, because the government is by extension the people. It is up to the people of the world to make sure that their governments implement the right laws to restrict surveillance.


What if your government is currently using chemical weapons on you, or imprisoning you for being gay?


What are tech companies going to do about that?


Not cooperate with warrantless data requests that might reveal that someone is gay?


I don't know. That sounds right in theory... but in practice, would a country that prosecutes people on ethnical/cultural grounds even consider allowing companies to ignore their data requests?

History tells us no. History also tells us that tech companies often don't give a shit. Perhaps a highly visible company like Google or Twitter might, but a little visible company like IBM or Cisco? I wouldn't bet on it.


We can hope.


>Given X-Keyscore was a program primarily designed to intercept unencrypted internet traffic, you could be forgiven for interpreting Facebook’s post as a middle finger pointed in NSA’s direction. (Sources inside Facebook say it is a coincidence, and indeed the company had been in the process of enabling this across-the-board for years. But still. The timing.)

What journalistic integrity.



