> The NSA's official response is to suggest that wanting to secure our communications from our surveillance is inherently suspicious and suggestive of criminal activity.
No, their official response is to suggest that encrypting your communications makes you indistinguishable (at their end) from those who encrypt for criminal activity. There is a difference, and there's no getting around the idea that if the set of Bad Actors are to have the crypto broken then it will necessarily involve breaking the same crypto in use by the Good Actors.
Even the NSA also says in the very paragraph quoted that encryption is also used for "nations [...] to protect their secrets" (which is hardly a criminal or illegitimate goal).
Likewise, if the government hires a lockpicker to plant a bug in an embassy then by definition they now have the technical ability to pick locks (even if they don't have the legal permission).
The rest of his points, on the whole, are quite valid but are sometimes answering a question that isn't actually behing asked from the other side.
There's also a fundamental logic error in that sentence.
The NSA says: "It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries’ use of encryption. Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that."
Ken replies: "The NSA's official response is to suggest that wanting to secure our communications from our surveillance is inherently suspicious and suggestive of criminal activity."
But that doesn't follow at all! A cop might say "well of course we have battering rams for breaking down locked doors." That doesn't mean he thinks anyone who locks their door is a criminal!
The battering ram isn't really the right analogy. It's not a matter of them having particular equipment, or techniques, which they can legitimately use as part of their job. And it's not like they are very visibly damaging lots of things.
This is more like a society in which the police routinely break into houses by picking the lock in order to rifle through your papers secretly, without telling you. They say that they have secret warrants to do this, but since they're secret, and they do the breaking in in secret, you can't even find out if they have broken into your house.
People don't like this; they don't like the idea that some cop may be in their home rifling through their things. So they start developing stronger and stronger locks. The police get worried that they won't be able to pick the locks on your doors, and will actually have to get a warrant and not break in secretly. So they lobby to pass a law that all locks have to either be weak enough to be picked, or have a master key that the police have. Of course, the people, who don't like the police breaking in with impunity, defeat this bill.
So the police don't stop there. Instead, they just make secret deals with a few key lockmakers, to build locks that accept master keys anyhow. When lockmakers standardize on key designs that are more secure, the police add a section to the standard that makes it so that any lock that implements that standard will be able to be opened with a particular master key, but in a way that you can't tell what that master key is from the standard. Since there are enough lockmakers that they can't subvert them all, and not everyone implements those standards they subverted, they also talk to a few doormakers to add a secret part that you can push to disengage the hinges.
Now this information comes out. People are outraged; their lockmakers are supposed to make locks that even the police can't get in through; people don't trust these secret warrants and secret searches, and with good reason, as the police have used these secret searches to investigate ex-lovers before, not just terrorists. They're outraged by the betrayal of the police, making an end-run around the law that they thoroughly defeated to prevent the police from having master keys. They're outraged by the lockmakers subverting their trust.
And what's the police response? "We need these tools to investigate terrorists and criminals." Never mind that in order to investigate terrorists and criminals, they've weakened everyone's security, and everyone's trust in their government and the companies that sold the compromised locks. Never mind that they've been through the houses of many innocent people, in a wide sweep to try to find evidence of a few criminals. Never mind that the system has been abused many times, but the only way the abuses have come to light is by whistleblowers who the police prosecute severely.
The police (or the NSA, to step back from the analogy to the real world) find these tools useful in their job. I'm sure they do. But the public finds these tools too intrusive. I'm sure it would be useful for the police to be able to secretly break into any house they wanted, rifle through people's papers, and find people who had jihadist leanings that way. We have amendments in our constitution specifically forbidding that, for good reason.
Likewise, regardless of how useful the NSA finds these abilities, we the public find them abhorrent. Just like the police should have ways to get warrants and under the authority of those warrants, search houses, there are definitely legitimate uses for some of what the NSA does, if properly regulated. But weakening everyone's security, so they can intercept and read your mail at will, in secret, with no oversight, is just as wrong as the police breaking into your house in secret, at night, and rifling through your belongings.
Just like we shouldn't have to trust the cops not to bust my door down, right?
It sounds snarky but it cuts to the core of the peoples' relationship with government. How much do you trust the government? How much can you trust the government?
That's why libertarians are generally logically consistent when they oppose the NSA, and entitlement programs, and giant government services, etc., because they're the ones who will tell you that a government big enough to give you $FOO is big enough to take it away from everyone else.
> Just like we shouldn't have to trust the cops not to bust my door down, right?
Sure, if it were possible to stop the government from doing anything at all I would be in favour of that, letalone obviously positive things like not spying on everybody or busting down their doors. Of course, there are no doors that require more energy than that available in the universe to forcibly enter. That's not the case for cryptography so it makes sense to exploit that. What am I missing here?
> It sounds snarky but it cuts to the core of the peoples' relationship with government. How much do you trust the government? How much can you trust the government?
This sounds like it is supposed to be some kind of profound question, but the answer is consistent and obvious in both cases, not at all.
> That's why libertarians are generally logically consistent when they oppose the NSA, and entitlement programs, and giant government services, etc., because they're the ones who will tell you that a government big enough to give you $FOO is big enough to take it away from everyone else.
Sure, I'd tell you that, I don't see why it's inconsistent to believe that and simultaneously want to dismantle the government? Isn't it actually pretty much the only logically consistent position?
> Sure, I'd tell you that, I don't see why it's inconsistent to believe that and simultaneously want to dismantle the government? Isn't it actually pretty much the only logically consistent position?
It is one logically consistent position, yes.
I happen to disagree that it is the only logically consistent position, which is one reason I've been poking so hard at the notion that people need to examine under what logical basis government operates at all before they go 'rah rah government bad!'.
Much like a corporation is the legal stand-in for the will of the collective shareholders, a government is the societal stand-in for the will of the people at large.
A society that tries to maintain no government, or very limited government, is at an unstable point. In the best case it will collapse from internal conflict but be left alone from there (e.g. Somalia, tribal areas of Afghanistan/Pakistan). In the normal case the society will simply be eventually overrun by those who choose to organize (e.g. USA vs. the Native Americans, Hitler vs. the appeasers), but a government will spring up again one way or another.
> I happen to disagree that it is the only logically consistent position
When I say it's a logically consistent position, what I mean to imply by that is for people who think that government is an abomination, it is logically consistent for them to hope for the dismantling thereof. You, who most decidedly do not think that government is an abomination, as a lawyer, are logically consistent in thinking that it should not be dismantled.
> Much like a corporation is the legal stand-in for the will of the collective shareholders, a government is the societal stand-in for the will of the people at large.
Except that it most clearly is not.
> A society that tries to maintain no government, or very limited government, is at an unstable point. In the best case it will collapse from internal conflict but be left alone from there (e.g. Somalia, tribal areas of Afghanistan/Pakistan). In the normal case the society will simply be eventually overrun by those who choose to organize (e.g. USA vs. the Native Americans, Hitler vs. the appeasers), but a government will spring up again one way or another.
That's a normalcy bias, there have been many points throughout history with no centralised productivity extracting parasitic force initiating agency. In fact, the variant we have now with extremely high direct taxation on the incomes of almost all productive activity within a society is the historical anathema. Not only that, but this fails to take into account the methods of control the state actually uses to exercise control on its population, and that currency control was recently removed from their hands.
Agorism becomes a very real threat under these circumstances
As a nash equilibrium, an involuntary centralised productivity extracting parasitic force initiating agency is not at all stable. It stands to reason that it will only be able to maintain control by either force or fraud. Right now they're going with fraud, from the amount of discontent I see with the political state of the world I don't know how much longer it will last until they devolve to force.
I'm not actually a lawyer, though I suppose I do sometimes play one on HN.
Regarding your noted normalcy bias, I would suggest you're forgetting the very many more points through recorded history with a centralized purveyor of force and taxation.
In that light, pointing out isolated counterexamples isn't very suggestive of some realistic future possibility for most or all of mankind, just as pointing out that Athens once had a direct democracy isn't very useful as a way to organize the governance of a nation.
Of course, the agorism you point out doesn't even have voting. I can only assume the idea is for some type of useful emergent behavior to come about, but that only talks about how the society would function internally, and it doesn't even really provide details about how that would work in all the important corner cases.
Is there some type of existing emergent societal system that you can point out which works in practice and need only be scaled up?
> As a nash equilibrium, an involuntary centralised productivity extracting parasitic force initiating agency is not at all stable. It stands to reason that it will only be able to maintain control by either force or fraud.
If by 'stable' you mean 'impossible to overturn' then I would argue that no political system meets this. If you mean 'can continue perpetually' then it is certainly a stable equilibrium, though it does unashamedly require force. Fraud alone can't keep it going in any event, otherwise police wouldn't be needed.
Are you really not a lawyer? As we've sparred fairly frequently over time I kinda wanted to get a feel for where you were coming from so I read through all your comment history for a while (though this was a while ago).
I just double checked that and saw this;
rayiner 671 days ago | link
As someone who left software engineering for law, I have to say that partnership is a great motivator.
and this;
rayiner 274 days ago | link | parent | flag
So I'm a lawyer and you should take my opinion with a grain of salt, but I think you've misread the market.
and this;
rayiner 303 days ago | link
So my grandfather on my mom's side was a doctor and a lawyer. My mom's siblings include a couple of doctors, a military officer, a business executive, etc. My mom was herself a journalist, and of her sons I'm a lawyer and my brother is a banker. This is not a coincidence. Privilege is passed down from generation to generation, not just in money, but in social status, connections, values, culture, insight, motivation, outlook, etc.
amongst a great many other descriptions of legal minutiae that I can see how I may have gotten that impression. But it leads me to wonder what your story actually is? Feel free to ignore this request if you think it's breaching privacy.
Describes a system based purely around free market mechanisms. Free markets are emergent, and they certainly work very well, scaling them up to consume all the functions currently performed by government in the methods described by this book is in my opinion the best method for abolishing the state I've heard of so far.
There are many other ideas however, and I'm open to any of them to the extent that they employ persuasion / markets rather than force.
> Fraud alone can't keep it going in any event, otherwise police wouldn't be needed.
Yes, when the lies stop being believable, then you need the jackboots to come in and crack skulls and assert the true facts of the way those in power see things. This is part of my problem with the system in question.
If the police in my town were Federal agents, then yes, I would expect to have a somewhat different relationship with them. My town would feel "occupied," just as my computer now does.
Well there are many towns where if the police were Federal agents, it would actually be an upgrade over the corruption and abuse the citizens normally see. So I don't understand any intuitive reason why the agency supplying the cops would necessarily make you feel differently, except perhaps for inherent biases.
>So I don't understand any intuitive reason why the agency supplying the cops would necessarily make you feel differently, except perhaps for inherent biases.
If you don't like what the cops in your town are doing then you can campaign for local political candidates who will rein them in and have some hope of actually affecting the election outcome. Getting anything similar done at the federal level seems to require some combination of mass fatalities that incense the public and a box truck filled with hundred dollar bills to grease the wheels, which is obviously outside the control and ability of most normal humans.
> If you don't like what the cops in your town are doing then you can campaign for local political candidates who will rein them in and have some hope of actually affecting the election outcome.
That's a good point, but local civil servants enjoy due process too, so it's not always a matter of simply hiring the right politician, as the politician may not be able to simply fire or replace offending staff. Especially when we're talking about first responders, who typically enjoy strong union protection.
Yes, the libertarian principle that it's OK to do whatever in a certain city as people who don't like it can always move away. Great principle. :P
Either way though, your logic applies just as much to Federal cops as it does to local ones. Think the FBI dudes around your city are a bunch of dicks? Move to the other coast, maybe they'll be better.
Hell, you can even pick an entirely different nations' cops, if you want.
I love Popehat, and Ken in particular, but any issue that intersects with his politics tends to get the same semilogical hyperbolic treatment. The "Buckyball" magnet thing was, if anything, even worse.
I rather liked the Buckyball article personally, but I wanted to note that Ken, while probably the best author on Popehat, isn't the only one and the Buckyball article wasn't him; it was Clark. Clark's articles are often the explicitly libertarian ones.
"No, their official response is to suggest that encrypting your communications makes you indistinguishable (at their end) from those who encrypt for criminal activity."
However, it is not within the NSA's authority to pursue criminal activity within the U.S. — they're only mandated to spy on communications between the U.S. and a foreign country, or entirely outside the U.S. If I'm in the U.S. and send an encrypted message to somebody else in the U.S. (like my friend or my bank), they have no legal excuse to spy on me. If I'm under criminal suspicion for a crime committed in the U.S., the FBI or local law enforcement agencies need to get a warrant to intercept my communications. But, as the article states:
In fact, the NSA's "minimization" techniques — touted as methods for restricting spying to foreign terrorists instead of U.S. citizens — are often transparently and insultingly ridiculous.
But the architecture of the Internet also seems to make it very difficult to determine conclusively that a given communication has nothing whatsoever to do with someone outside the U.S.
Consider a VPN/proxies for instance, or even an email from an American to AQ_Recruiter at gmail (where the owner of AQ_Recruiter logs in from Yemen via a series of proxies, the endpoint of which is wholly-domestic).
I guarantee you that NSA wishes that problem was easy... they could pawn off the mere "domestic" stuff wholly on the FBI and focus on the "interesting" work of international spying and counter-terrorism (because again, in bizarro-world they aren't simply spying on people just because, but because they have a specific mission to attend to as directed by Congress and the DoD, which having to filter USPERS detracts from).
I agree that you can't tell where a user behind a proxy is located, so I'm willing to give the NSA the benefit of the doubt on that issue. But the vast majority of domestic internet traffic does not go through a VPN or proxy, so you can tell just by looking at the originating and terminating IP addresses that the packet is going from one place in the U.S. to another. Also, you can probably assume that a VPN that's on a domain registered to a company inside the U.S. that is not selling VPN services to the general public (e.g., a bank) isn't being used by random terrorists outside the U.S.
But the whole business of "parallel construction" where the NSA shares warrantlessly intercepted data with the DEA and keeps it secret from defense lawyers is pretty good evidence that "minimization" is a sham and the NSA is not honestly trying to keep itself within legal and constitutional bounds.
I live in the US, but I'm not a US citizen, so I'm definitely a foreign person. Now suppose that I were a spy or a supporter of terrorism, are you saying the NSA shouldn't be able to monitor my activities because I am inside the US?
I've had occasion to think about this before, here and in other countries. I'm Irish, and as I'm sure you know there was a lot of anti-British terrorism originating in Northern Ireland for a long time. Terrorism was carried out within the UK, and for that mattter a good bit of it was funded from the US by people who considered that terrorism a noble cause (including, famously, Republican representative Peter King - http://en.wikipedia.org/wiki/Peter_T._King#Support_for_the_I...).
But the whole business of "parallel construction" where the NSA shares warrantlessly intercepted data with the DEA and keeps it secret from defense lawyers is pretty good evidence that "minimization" is a sham and the NSA is not honestly trying to keep itself within legal and constitutional bounds.
No dispute with that point. I just want to clarify that the NSA's legitimate scope is not defined purely geographically.
Actually, by virtue of being on U.S. soil you are also fully protected by the 4th Amendment, despite not being a U.S. citizen.
That's why the NSA is generally careful to refer to "U.S. persons" instead of "U.S. citizens" when they talk in technical terms about things like minimization.
'US person' includes citizens, green card holders, and US-based associations or corporations consisting/employing largely of the first two. I don't have a green card, so I'm not a US person. See USC 1801.i. The 4th amendment's protections even extend to people such as tourists, whereas they are not considered US persons under FISA.
> I guarantee you that NSA wishes that problem was easy... they could pawn off the mere "domestic" stuff wholly on the FBI and focus on the "interesting" work of international spying and counter-terrorism
Parallel construction is much more relevant to things like DEA's SOD or the FBI itself though.
In the NSA's heyday there was simply never a need for parallel construction as it wasn't as if they were going to be bringing up Soviet diplomats on indictments. They explicitly didn't touch people on American soil so the whole idea of 'chain of custody' was almost completely moot.
Even now parallel construction is only a thing because it's that much easier for NSA to run across domestic communications commingled with international comms. Nowadays the analyst may see evidence of a major upcoming crime in the process of their actual duties, which puts you back in Churchill's Coventry quandry.
(2) The NSA is way out of line in this respect and no matter how much they do/did it that stands and you should not apologize for it. If you do you are essentially advocating for broadening the official reach of the NSA's powers rather than to rein them in because they clearly can not stick to their mandate.
The balance here is not to get to perfect security without privacy, the balance point is to get to an optimal level of security with a maximum of privacy. Anything less won't do, lest we all end telling another generation how terribly sorry we were.
Power corrupts, it's never been any different historically.
It's not whether it actually happened that's important or not, and I think you realize that. Prime Minister Churchill certainly did need to be careful about what actions he took based on ULTRA decrypts so as to avoid revealing the activities of Bletchley Park. Coventry is the quotable example despite not actually happening the way the story is told.
However if you require an example that actually happened, consider when Adm. Nimitz received message intelligence pointing out Adm. Yamamoto's flight itinerary.
In his case he ended up using a literal example of parallel construction (having a coastwatcher send a report of a Japanese flight) to generate a non-codebreaking reason for his staff to know about the flight, and then sent out his fighter planes to shoot Yamamoto's flight down.
> (2) The NSA is way out of line in this respect and no matter how much they do/did it that stands and you should not apologize for it.
With respect to things like DEA I would agree with you. But on the other hand if they came across a no-shit email from a hitman or something describing an upcoming murder I would expect them to report it.
It may be that it's impossible to write a policy that straddles that border, in which case I'd say we should probably ban that type of information sharing and then rely on the idea that an analyst who sees that type of murder plot might still leave an anonymous tip.
> The balance here is not to get to perfect security without privacy, the balance point is to get to an optimal level of security with a maximum of privacy.
However, it is not within the NSA's authority to pursue criminal activity within the U.S. — they're only mandated to spy on communications between the U.S. and a foreign country, or entirely outside the U.S.
Completely untrue. The NSA is in the business of gathering national foreign intelligence, which includes intelligence on the signals activity of foreign persons within the US. Suppose we know there are two Belgian spies in New York, are you telling me the NSA isn't allowed to listen into their conversations? Of course they are. This notion that they're not supposed to listen to any calls that begin and end within the US is just absurd. Foreign intelligence doesn't just encompass other places, it encompasses persons from those places who may be acting within the US. I can't believe I have to explain this.
EDIT: It amuses me that people downvote posts with citations to primary sources. Have some more! Here's the definition of US persons (who the NSA is not supposed to spy on): http://www.nsa.gov/sigint/faqs.shtml#sigint4 per http://www.law.cornell.edu/uscode/text/50/1801 which defines exactly who is a US person, an agent of a foreign power etc. basically, individuals who are citizens or hold green cards are US persons (also some associations and corporations, but you can read it yourself), any other individual is not regardless of whether they are in the US or not.
No, they're not allowed to target foreigners inside the US. Spies inside the US fall under the jurisdiction of the FBI. See page of the leaked incidents report [1] on page 6 where it talks about the types of incidents, specifically:
"Roamers: Roaming incidents occur when valid foreign target selectors are active inside the U.S. Roamer incidents continue to constitute the largest category of collection incidents across E.O. 12333 and FAA authorities. Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted."
What you're quoting is an operational manual. Executive orders are law, until such time as the legislature or judiciary sees fit to restrain the executive branch. They most certainly are allowed to target foreigners; whether they hand their data over to the FBI for the arrest process is beside the point.
What I'm quoting is not an operations manual, it's the executive summary of the 1st quarter 2012 intelligence oversight report from NSA's internal oversight and compliance section. According to that document, NSA considers it a violation of both EO 12333 and the FISA Amendment Act to target foreigners on US soil.
I should have cited a link to EO 12333 [1] in my previous comment; the section that indicates that the FBI has the lead in domestic counterintelligence is section 2.3 (b). I'll admit it's not the most clearly worded, but it does go out of its way to single out the FBI:
"Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons"
The section on the NSA responsibilities (section 1.12(b)) speaks primarily to collecting signals intelligence for foreign intelligence purposes in support of the Department of Defense; it doesn't mention anything about counterintelligence. The FBI is singled out again in 1.14(a) as having the responsibility to conduct domestic counterintelligence. Other parts of the DoD have the responsibity to work with the FBI on matters of domestic counterintelligence (1.12(d)).
Thanks for the clarification. I misread your post above and thought this was based on one of the Snowden Powerpoint slides. However, I think part of the confusion here is over the US persons term.
As mentioned elsewhere in this thread, that term refers to citizens and green card holders, plus associations/corporations made up largely of those two groups. A tourist or someone on a temporary visa, for example, is not a US person. therefore, any activities they engage in are by definition those of a forieng person. I stand by my argument that 'foreign/domestic' is a function of the people involved and the scope of their activities, not of geography.
"NSA's domestic surveillance activities are limited by the requirements imposed by the Fourth Amendment to the U.S. Constitution; however, these protections do not apply to non-U.S. persons located outside of U.S. borders, so the NSA's foreign surveillance efforts are subject to far fewer limitations under U.S. law."[1]
As you mentioned in another one of your comments, the Fourth Amendment applies in the U.S. even to people who are not U.S. Persons. So this would seem to imply that warrantless eavesdropping on people's communications within the U.S. by the NSA is not permissible.
Also, regarding FISA:
"In sum, a significant purpose of the electronic surveillance must be to obtain intelligence in the United States on foreign powers (such as enemy agents or spies) or individuals connected to international terrorist groups. To use FISA, the government must show probable cause that the “target of the surveillance is a foreign power or agent of a foreign power."[2]
This does not seem to permit going after ordinary criminals such as drug dealers, and it does not seem to permit indiscriminate gathering of all internet communications (since there would be no probable cause for the vast majority of these communications).
"Suppose we know there are two Belgian spies in New York, are you telling me the NSA isn't allowed to listen into their conversations?"
Sure they are, if they go to the FISA court and get a warrant.
I wouldn't rely on Wikipedia's summary when you can consult the original document that summary is based on. As for the 4th amendment, there are national security exceptions to the 4th amendment that derive from other parts of the constitution, which exceptions have been upheld by courts. Providing for the common defense is also part of the government's constitutional remit.
This does not seem to permit going after ordinary criminals such as drug dealers, and it does not seem to permit indiscriminate gathering of all internet communications (since there would be no probable cause for the vast majority of these communications).
I'm specifically not talking about that non-national security contexts. Everything I've heard about the relationship between the NSA and the DEA seems like a massive ethical and legal fail.
As has been discussed before, internet communications almost certainly do not meet the definition of 'papers' per the 4th amendment, especially if those communications are not point-to-point but go through third party providers like webmail providers. Arguably they should be, but my understanding of the alw (especially Smith v. Maryland) is that they're not.
If I'm under criminal suspicion for a crime committed in the U.S., the FBI or local law enforcement agencies need to get a warrant to intercept my communications.
Something just came into clear focus for me: the NSA really screwed the pooch here. They had a situation where they had access to anything they wanted, but because they insisted on not getting warrants for access, they pissed off Snowden, and now people are going to punish the NSA by becoming more security savvy and using systems that are impenetrable, even with a warrant.
It's several things beyond just the lack of warrants. It the opportunistic monitoring as opposed to the targeted monitoring and the activities beyond their jurisdiction. Parallel construction to me suggests that they have been funded with so much cash that they now have enough money to fund scope creep beyond their jurisdiction. They should never had had more cash than they needed to do their job.
I personally would like to see the NSA organization around defense and not offense. Make better tools to protect us. Don't backdoor things since any backdoor they have can be discover and used by others. etc.
Worth a read:
"How the NSA could stop sucking and be awesome instead" by Ted Dziuba:
On can sensibly argue that passively reading traffic is defensive. Infiltrating computers, planting bugs, and actively eavesdropping is more of an offensive stance. Listening to what everyone says in a public square (the internet) is comparatively passive.
The trouble is that, in aggregate, the knowledge acquired is powerful and transcends time-honored boundaries.
And that's the core of the issue for me. I don't have any problem with the NSA working with and studying encryption and methods to break encryption.
What I have a problem with is invading my privacy and gathering my communications and information without a warrant. My 4th amendment rights have been completely violated.
Totally. No-one (including me) would have blinked an eye if it turned out the NSA was snooping on anything and everything...with a warrant. Heck, I would have probably been moderately pleased. But snooping on anything, in secret, without judicial oversight, without public consent...that is all very wrong, and Sheier is right: it's a total betrayal of the internet.
Whatever short-sighted jerk-offs came up with this grand plan ought to be put in prison for harming US interests. To say that Snowden is the one who harmed US interests for revealing these activities is an intolerable act of a government that values only one thing, loyalty. Principles? Nah. Principles are soooo pre-Industrial revolution. And let's face it: with all the thousands of people working on these projects, someone was bound to blow the whistle sooner or later, because no matter how far down the rabbit hole an agency like the NSA goes when it comes to defining new norms, there are always some awesome weirdos who don't buy it, no matter how normal everyone around them treats it. (Hat tip to you, Snowden, for not drinking the Kool-Aid).
Guess what bozos (yes, NSA, I'm talking to you): national security is affected by abrogation of trust and betrayal of people like you. Our position as an exemplar of personal freedom, and self-restrained government, has been badly damaged by you. Going after Snowden, doubling down on internal security...these damage you, and us, further. Maybe Congress is confused on this issue, but I (and most everyone I've talked to) am not: you need to stop collecting data without warrants immediately. You need to dismantle your capacity to do so. You need to delete all information that you've gathered under those conditions.
And this should be the last act of the NSA's senior leadership before resigning.
I prefer to describe them as people with a conscience, that are cognizant of the consequences of hypocrisy and danger of the actions of the organization which they serve.
Not quite. We don't allow general warrants so a court order to decrypt all internet traffic is not Constitutional. If the NSA was snooping on anything and everything with a warrant, that is no different than what is happening, and it is not Constitutional (particularity requirement not met).
What is the problem is the NSA doing this sort of blanket surveillance where a warrant is normally required but where they make an end-run around the Constitution.
We require warrants because we require magistrates to require particularity in the warrant.
But it gets worse. What will come out of this is a massive market for more secure communications, much of it designed to thwart this sort of surveillance. The NSA by not respecting our rule of law has now encouraged people to do exactly what they are afraid of and in the end, wiretaps will now go dark. The NSA broke their end of the legal bargain and now the entire government will pay a price, and that price will, no doubt, impede legitimate law enforcement efforts as well as this.
Snooping on "anything and everything" traversing the Internet without a warrant is perfectly constitutional according to SCOTUS, POTUS, most of Congress, and the 3 letter agencies doing the snooping.
Information traversing the Internet has been legally deemed to not be included in one's "person, house, paper or effects" and as such is not constitutionally protected by the fourth amendment.
> Snooping on "anything and everything" traversing the Internet without a warrant is perfectly constitutional according to SCOTUS, POTUS, most of Congress, and the 3 letter agencies doing the snooping.
Please provide citations regarding SCOTUS. In fact, given that Katz v. United States was never overruled, that sounds very suspicious. The closest I think you can get is Amnesty International v. Clapper but that was a standing issue and never reached the merits.
The "communications records that receive special protection" are limited to ECPA, I believe, which doesn't apply to NSA since foreign surveillance trumps that law (though, IANAL so feel free to read and analyze for yourself).
The third party exception though has come under increasing scrutiny by the courts more recently. The case which really established it in large measure was California Bankers Association v. Shultz. This is in many ways more important than the pen register case of Smith v. Maryland (http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vo...) because pen registers were held in part valid without a warrant due to their lack of intrusiveness, and in part because the information was not only conveyed to a third party, but also how they were used by a third party. In essence Smith v. Maryland held pen registers allowed without a warrant via "legitimate expectation of privacy" analysis of the sort found in Katz v. United States in part because everyone relied on the phone companies collecting this information and that people relied on the phone companies using this information to be able to track back, for example, harassing phone calls. If individuals can track back incoming harassing phone calls, there is no legitimate expectation of privacy when the police look at those records.
The problem with communications is that while call detail records fall outside 4h Amendment protection in general, wiretaps require a warrant (see Katz v. United States) and Smith v. Maryland did have dissenters due to the fact that it is hard to draw a line between these two. More recently a circuit split has developed over whether cell site location data is at least potentially protected. The 5th Circuit (which also holds that all airport searches at security checkpoints are necessarily consented to, so presumably random strip and body cavity searches would be Constitutional) says they are not, while the third says they may be. See http://crimeinthesuites.com/circuit-split-brewing-over-gover...
My point is that "knowingly exposed to a third party" is not at all as clear as the page suggests. The reason this line is there is that it is an indication that certain information is not really expected to be secret, but if it was read literally, Katz would have come out very differently and wiretaps would not require a warrant.
Obviously if you write details of your criminal conspiracy on the back of a postcard, you can't complain when the postmaster reads it, but when you put it in an envelope then this would be a search. This sort of line is much harder to draw regarding papers outside that sort of home or mail environment than it is in them, but that's largely what I would describe the difficulty to be. This leads to the question of whether email is like a postcard or like a letter or a phone call and I don't think the answer is clear.
At any rate I would suggest that this is an area of developing law regarding electronic communications and I have been watching interesting developments there just in the last few years.
Given that Amnesty International vs Clapper was a 5-4 decision and that the standing articulated there was met (the other 4 wanted more expansive standing), it is clear to me that the Snowden documents in fact provide an avenue for challenge.
No, congress and the tech companies have the incorrect understanding that phone calls and emails going through a third party gives that third party consent to share them with the government.
4A as it has been interpreted is woefully inadequate for privacy protections in the modern world. Absent a complete change in how the courts do this, we need laws like ECPA (but better), technical countermeasures and a strikedown of laws like CALEA (which is unconstitutional already), or a constitutional amendment explicitly protecting privacy. Or all 3.
Yes, I'm being flippant with the terminology. I know that to be true but strongly disagree that we should have no reasonable expectation of privacy for emails. Telephone calls go through a third party and they are covered.
Yes, but telephone calls are covered because Congress passed a law making it so, not because of a Supreme Court ruling per se. Separate laws had to be passed to protect cell phone calls, beepers, etc.
Totally agree. I wish this would get more emphasis. This is primarily a matter of policy and respect for the rule of law. The involvement of technology is incidental, IMHO.
I think what is more likely to happen here is just a continuation of the natural ebb and flow of code-makers and codebreakers.
For thousands of years, some groups of humans have been trying to find ways to protect their communications, and other groups of humans have sought ways to break those protections.
At times the code-makers become aware of the breakthroughs that the codebreakers have made and change their tactics, or new technology gives them a new cipher. Either way, the codebreaker sets a setback and has to change their tactics as well.
This new revelation doesn't seem like anything too different from that cycle - it is just revealing a larger breakthrough than is regularly revealed.
This is exactly the point of the whole debate, and lost on quite a few of the parties. The NSA went in the eyes of many from being the good guys to being at a minimum the tools of potential bad guys and quite possibly to being bad guys themselves. So now the curtain has been pulled back and there is no undoing that.
Honestly, crytpo -- whether we need more of it or less of it -- itself is not the problem.
It boils down really to who do you think can be a suspect, just because they have locks on their doors.
If all crypto users are potential criminals, then all gun owners, knife owners or any person who owns an item that can maim another human being is a suspect. A state that suspects almost all of its citizenry, is a state that has bigger problems than terrorists.
Even worse, a state this does this, sooner or later, will convert a large chunk of its perfectly good citizens into behaving like bad ones because they are no longer sure what exactly constitutes bad.
At the heart of a democratic society is the social contract that the state will, largely, do things that will keep most of the citizens safe and un-harassed; while, on the flip side, the citizens are largely expected to behave in a manner that is not detrimental to the state.
What you see play out right now is that contract being broken.
Important question is, what is the right price to pay in freedom for what is deemed to be adequate security?
> No, their official response is to suggest that encrypting your communications makes you indistinguishable (at their end) from those who encrypt for criminal activity.
Good way to put it. An analogy that might help this stick in your mind: encrypting your communications is like walking around downtown in black clothes and a face-covering balaclava. You might not be doing anything wrong--but if someone in the same area robs a convenience store, the police won't be able to tell that you aren't them, and they'll have to at least stop you and search you for stolen goods before they can let you go.
Interestingly, just asking you to take off the mask (i.e. knowing that the source and destination headers on the packets are both local) isn't enough; they don't know what the face of the guy who robbed the store looks like under his mask, so knowing what you look like under yours won't tell them whether you're him or not. (Likewise, they don't know that the chinese hackers they're trying to infiltrate aren't using Tor with a US exit node, so they can't trust US-to-US traffic to be, well, US traffic.)
I would also add that using encryption online is much more of a norm than walking around downtown in black clothes and a face-covering balaclava. While both activities are perfectly legal and acceptable, the former is performed by millions on a daily basis and is essential to the successful continuity of businesses and personal lives.
That is to say the likelihood of a random encrypted message on the internet being malicious is infinitely smaller than the likelihood of a person wearing all black with a facemask in the vicinity of a crime perpetrated by someone also wearing all black with a facemask.
> encrypting your communications is like walking around downtown in black clothes and a face-covering balaclava
No, it's like walking around clothed when most people are naked. You may have legitimate reasons to cover your body, but because you're part of a minority you stand out.
Well, you may have legit reasons to wear a balaclava. You may have a facial scar which you don't want people seeing. You may be doing a film for a director friend of yours. It may be freaking cold outside.
Either way changing the labels you use doesn't significantly change the point.
> if the government hires a lockpicker to plant a bug in an embassy then by definition they now have the technical ability to pick locks
This reminds me of a conversation I had with a locksmith in the spring: he is essentially a full time contractor and goes around the city drilling out locks to which the military custodians have lost the combo. Your tax dollars at work.
"Perhaps you think your E-mail is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? You must be a subversive or a drug dealer if you hide your mail inside envelopes. Or maybe a paranoid nut. Do law-abiding citizens have any need to encrypt their E-mail?
What if everyone believed that law-abiding citizens should use postcards for their mail? If some brave soul tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their E-mail, innocent or not, so that no one drew suspicion by asserting their E-mail privacy with encryption. Think of it as a form of solidarity."
Who delivers those letters? In the U.S., and many other countries, it's the government.
You're literally handing your letters to the government and asking them to deliver them to the intended recipient without peeking. In short, you are trusting them to do the right thing, because they certainly could look inside the envelope if the really wanted to.
Legal safeguards are your only defense against the government here, but we the people generally consider it a solid safeguard.
But if it were to even be suggested to send email using government-provided networks (even encrypted email) you'd be laughed right out of any hacker con you attend.
One difference is the degree of effort and expensive required to record mailed letters in bulk.
If I was a person of intense interest to the government I definitely would not trust the mail system. But as a nobody, I imagine its pretty unlikely anyone is looking at my mail.
With email, the resources required to record all email is comparatively trivial and this makes it much more feasible that even us nobodies are having our privacy invaded.
Maybe if it were possible to be notified when the contents of files are opened/read, and some how change the appearance (or state of them) to some extent that people know that something has been tampered with, like with enveloped mail and custom seals people used to send mail during the colonial america/pre-revolutionary times because mail was being opened and read…
Luckily, the vast majority of people aren't really needed to bring about change because most people do nothing because their blind trust doesn't require them to… Only just a relatively few methodically dedicated people who have the ability to see beyond and work through their current circumstances and help forge the future they want to see, are all that are needed.
It would be great to break through the "if you have nothing to hide" line and push that responsible citizenry need security (and cryptography) as well.
I think Martin Fowler has written one of the better arguments that appeal to the "I have nothing to hide" crowd, in "Privacy protects bothersome people"[0]. It's worth sharing with anyone who thinks that just because they have nothing to hide, it doesn't mean that they are not beneficiaries of those that do have something to hide. Privacy is one of the few things that protect those that protect us from the transgressions of our government.
I actually think the biggest danger is the NSA digging up dirt on politicians a la J. Edgar Hoover. If details of my sex life were made public I'd be embarrassed but my employer wouldn't care and my life would go on. For a politician, though, scandal means losing your job.
> It would be great to break through the "if you have nothing to hide" line and push that responsible citizenry need security (and cryptography) as well.
Who (of any relevance) on the NSA or DoJ side is saying people don't need crypto or security though? I've seen a Congressman use the 'nothing to hide' line but haven't seen it much elsewhere even among NSA's defenders.
The government does seem to be saying that if you're only concerned about the government possibly seeing your stuff, that you don't have anything to worry about (as long as you're not recruiting for AQ or something) as the NSA doesn't have time to care about you anyways, but that's not quite the same concept.
Plus even that has an adequate justification if we assume there is some bizarro universe where the NSA might actually only be doing their job (as everyone "needlessly" using crypto to hide their innocous emails simply helps The Bad Guys to blend in even more effectively).
If you don't believe there could be a 'needless' reason to hide emails from any possible government collection, or that there's no such thing as Bad Guys (or both) then you would probably conclude we don't actually live in that bizarro universe.
But not everyone would come to the same answers for both and they have logical reasons too.
"The government does seem to be saying that if you're only
concerned about the government possibly seeing your stuff,
that you don't have anything to worry about (as long as
you're not recruiting for AQ or something) as the NSA
doesn't have time to care about you anyways, but that's
not quite the same concept.
The problem with that statement is that it is patently untrue. Both Laura Poitras and Jacob Appelbaum are shining examples of people who don't fit the description of those they are authorized to target that have been targeted anyway.
In fact, I would love to see how the NSA has been using the tools at their disposal since this story broke over two months ago. It would shock me if resources had not already been diverted from "find the terrorists" to "monitor and control American public discontent with our surveillance practices because the attitude of the American people present an existential threat to us."
IMHO not one penny of tax payer money should ever be spent on any public relations activity at any level of government. I pay taxes for the government to provide me with services which I deem valuable. I do not pay taxes to pay for the labor that will defend how they spend my tax dollars. The problem with permitting any government agency to spend our tax dollars on such activities was succinctly summarized by Clay Shirky, "Institutions will try to preserve the problem to which they are the solution."
> "I wonder: what if a substantial number of Americans started using strong crypto on a routine basis?"
That may happen anyway, in time, if this situation is not fixed, but it could happen so much faster if companies like Google, Microsoft and Facebook (ok, I know I'm really pushing with this one) who have services used by over a billion people would offer very secure end-to-end communications platform, by default, and in a very transparent way (being able to check for sneaky backdoors pre-encryption, or anything like that).
They don't even have to do it for everything, especially the parts which are meant to be more public anyway, but there's absolutely no reason why IM's couldn't be completely private - from everyone and anyone, including the companies themselves.
So what are you waiting for Google, Microsoft and Facebook (and others, too)?
You understand that any platform offered by any company with substantial presence in the US would have full access to any data provided to NSA and law enforcement agencies, in most cases under gag order preventing them from disclosing that fact? It can not be any other way - US government has full jurisdiction in the US, and if US law says US citizens can not have privacy from the government and have their data not be accessible by the government - and that is what current interpretation of the law seems to be - then any provider on the US soil, including Google, Microsoft and Facebook - has no other option but to comply with the law?
It'd be interesting if US, Russian, and Chinese entrepreneurs got together and agreed to build start-ups for one-another's citizens, where the US brand was run from Russia, the Russian one from China, etc. Now that'd get some people on terrorist watch-lists.
I think the temptation would be too great for the respective governments to resist, and given that surveillance against foreigners would not even cause a significant public backlash, those would be compromised even quicker. Right now the whole story blew up because NSA is spying on Americans. If Snowden revealed that NSA is mass-collecting information on Chinese or Russians, the only response would be "keep up the good work, guys!".
Well, sure, it decreases the amount of "security by angry-mob-if-you-screw-up" you get, but it increases the amount of "security by inability to legally compel keys from the companies involved." I'm not sure whether that's positive- or negative-sum, actually.
They also don't need to snoop on the in-progress transaction to get all the information they want. They can get evidence via your CC records for Amazon, and in both cases they can subpoena the purchase/banking records. AFAIK the bar for getting those is a little lower than the bar for private email, which seems to be what most people are thinking of.
"Thousands of Americans have fought and suffered and died to preserve freedom over our history — does it make sense to sacrifice freedom now because the state tells us people will die if we don't?"
I agree with the sentiment of the passage you quote (and the original article in general), but I actually think historical circumstances are a bit different than "Americans have fought and suffered and died to preserve freedom over our history."
Yes, Americans have fought and suffered and died to preserve some nebulous definition of freedom, but not the Americans you think--nor the freedoms you think. I'm not sure how the original author meant the statement, but usually, statements like that refer to American soldiors who fought in wars that are assumed to have preserved US freedom. But not since 1812 have the US armed forces needed to defend the territory where the freedoms enshrined in its constitution are in effect. For the US civil war, there was no black nor white (to make a bad pun) on the Union side, so I'll call that a wash on preserving freedoms. Yes, during the world wars, the US projected its power and helped to reinstate freedoms in Europe (almost exclusively), but we're not talking about the defense of Europe here.
One could argue that by using and projecting military power and becoming the sole remaining world superpower, the US has preserved US freedoms by pushing our "borders" further away and engaging the "enemies" of said freedoms before they reach us/US (which is why 9/11 was such a shock, similar to the Vandals sacking Rome). I think that's a stretch, given that much of our recent military action seems directly aimed at preserving access to petroleum energy, not actually preserving freedoms.
Taking the Howard Zinn approach to US history, there have always been US citizens who are denied their freedoms within the US. From native Americans in the 19th century, to labor movements in the early 20th century, targets of McCarthy, civil rights activists, to occupiers of the 21st century. Many of these did suffer and die because they dared to oppose the political and economic status quo, and relied on their freedoms of speech and assembly to do so.
And to be frank, they preserved nothing. The freedoms were always trampled whenever it suited the powers-that-be. In other words, exactly what's happening now.
I think now feels different because the internet gave us a taste of true freedoms. Freedom to publish your speech to the world at almost zero cost. Freedom to find and network with like-minded people. Freedom to have political influence just by writing a blog. Freedom to enact change lawfully and peacefully by rallying against WallSt corruption, revealing the extent of the Military-Industrial Complex, questioning the wars, questioning the powers-that-be.
It turns out, we never really had those freedoms on the internet. Edit to add one of my favorite pithy sayings: same as it ever was.
> Would it be better to say back to the government "no thank you" and accept a higher risk of terrorist attack if it means not living in a society of entitled spies?
Of course it would be better, b/c:
Right after the argument for the right to privacy comes the fact that there literally IS no terrorism (in western countries, anyway - I'm not about places like Iraq after the invasion etc.). We've been brainwashed by our media to think there is. Just take a look at some numbers: http://www.washingtonsblog.com/2011/06/fear-of-terror-makes-...
Conclusion (as an example): If we know that "You are 8 times more likely to be killed by a police officer than by a terrorist", then we'd first need to fight the police officers before pouring billions into a surveillance state.
So I was really excited then disappointed as I clicked through. I thought it was going to be a developer who helps the NSA crack encryption. No offense to anyone here but the last thing I need is another article around the NSA and snooping from someone.
Who here wouldn't love to hear from a developer who's helping with this and has strong beliefs in their reasons for doing it?
I mean I am the "other" contemptuously categorized by my government, a vast category of people with an interest in using encrypted communications to thwart my government's attempt to spy on me.
The government almost certainly doesn't want to spy on you, it just wants to be able to find spies and other bad actors among you.
I have to admit to taking a jaundiced view of these complaints, since for almost 20 years the US has maintained an immigration regime in which illegal aliens have virtually no legal path to residency (despite many of them having no criminal record - unauthorized presence in the US is a violation of administrative rather criminal law, and it only become a criminal matter in the case of deportation and repeated unlawful re-entry); illegal immigrants can be detained incommunicado for up 6 months without any right to a hearing, have no right to provided counsel, and enjoy very few constitutional protections (in general, those extended to 'persons' rather than 'citizens' or 'the people'). Leaving the US imposes a whole raft of additional sanctions on such a person (eg a 3 or a 10 year banishment during which the person may not even apply to re-enter the country) which don't apply to people who stay, and thus create a strong economic incentive to remain, resulting in an entirely legal underclass of about 11 million people who have even fewer rights than ex-felons. 'But they broke our laws' is the response of most people, as if the laws were not the responsibility of the legislators and people who elected them, but had come down from heaven.
I'm not excusing the NSA's overbroad vacuum-cleaner approach to gathering metadata, busting encryption and so on, other than to note it's not very different from the kind of data collection private actors fiercely defend the right to engage in, saying that the onus is on the data owner to use good security. But it's very hard for me to give a sympathetic ear to complaints of tyranny from people who seem happy to tolerate a system that severely curtails the freedom of several millions of their neighbors.
> The government almost certainly doesn't want to spy on you, it just wants to be able to find spies and other bad actors among you.
Maybe, that is true today. My fear is that tomorrow they will want to spy on me? Why, because the definition of "bad actor" has serious scope creep. I think this is the authors point.
It's a point I don't agree with. The scope grows and shrinks. Up to 10 years ago, there were parts of this country where two men having gay sex (or indeed, any two people having the 'wrong' kind of sex) were committing a criminal offense. This only became legal because a man who was arrested in Texas in 1998 for doing so in his own home appealed the case up to the Supreme Court (http://en.wikipedia.org/wiki/Lawrence_v._Texas#Arrest_of_Law...).
As of 2013, the Federal government is required to recognize gay marriage and no adults engaged in consensual sexual relations can be hit with criminal charges in the US. That's a significant shrinkage in the scope of state power.
It's a two way street. Just as the notion that government is always benign or correct (a subset of the just world fallacy) is flawed, so is the libertarian trope that government is always oppressive and encroaching (a subset of the mean world fallacy). In the context of this conversation, I agree that the NSA's reach is overbroad, which is worrying because of the potential for government blackmail or overprosecution; but on the other hand I note that things you could have been blackmailed with or prosecuted for up to quite recently - and which had been considered serious crimes going back to ancient times - are no longer criminal, which is an enormous step forward for individual freedom.
They sure scope creeped with the CFAA, though. Downloading too many PDFs is a felony. Changing your user agent is a felony.
And then against the First; sharing links to websites that stream videos is a crime once we get you extradited here. Writing a tasteless joke online is a felony that warrants half a million for bail. Sharing a link to documents we don't want you to see is a felony.
Maybe they're not always oppressive. But it's reasonable for us to assume the possibility of scope creep. And it's reasonable to not want them to have all our communications stored against the event.
I am the spied upon Other, because I'm not an American. I don't have a voice in your debate, no representative, no senator, no amendment. My only hope is that privacy becomes a generally accepted human right.
Well...NSA is built by a democracy. The people wanted war..their representatives gave it. The people wanted spying...their representatives gave it to them. Only a minority doesn't want these. In a democracy, minority loses. Unfortunately, it turns out the majority are stupid..anywhere in the world. So, just have to live with it, hoping they get intelligent someday.
No, their official response is to suggest that encrypting your communications makes you indistinguishable (at their end) from those who encrypt for criminal activity. There is a difference, and there's no getting around the idea that if the set of Bad Actors are to have the crypto broken then it will necessarily involve breaking the same crypto in use by the Good Actors.
Even the NSA also says in the very paragraph quoted that encryption is also used for "nations [...] to protect their secrets" (which is hardly a criminal or illegitimate goal).
Likewise, if the government hires a lockpicker to plant a bug in an embassy then by definition they now have the technical ability to pick locks (even if they don't have the legal permission).
The rest of his points, on the whole, are quite valid but are sometimes answering a question that isn't actually behing asked from the other side.