LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

GUADEC: Danny O'Brien on privacy, encryption, and the desktop

GUADEC: Danny O'Brien on privacy, encryption, and the desktop

Posted Aug 5, 2010 4:15 UTC (Thu) by drag (subscriber, #31333)
Parent article: GUADEC: Danny O'Brien on privacy, encryption, and the desktop

> He mentioned some Russian journalists that he had talked to who don't talk on the telephone because they believe it to be bugged. They also only use Gmail over HTTPS, "which is fine if you trust Google", but they switched to using Yahoo Messenger "because they heard good things about it"—unfortunately Messenger isn't encrypted. O'Brien said that the reason they didn't know that it "is less secure is because their desktop isn't telling them".

In the USA the standards for evidence the government can use to legally justify spying on you is different for content you surrender to Google vs content you manage your self. This is something you need to keep in mind if your engaging in sensitive correspondence that may be of political interest to somebody in government.

The rules are complicated and difficult to understand. For example if you have not edited a document in 180 days it's easier for the government to force Google to surrender it to them then if it's something you've worked with recently.

-------------------------------

Another thing to be aware of:

President Obama is also pushing hard to expand the ability for the FBI and other government agencies to gain unfettered access to metadata on your communications and reduce judicial oversight.

The FBI for years has used what is called "National Security Letters"

These letters, when sent to corporations, were designed as a way to gain access to very small and very limited amounts of information about a 'subject of interest'. At the time the FBI needed a certain amount of facts to be able to justify that a character was probably a spy or a terrorist or something like that in order to legally write the letter.

With the Patriot Act this was expanded greatly by removing the level of justification. Now there is no requirements for facts or proof, but it depends entirely on a judgement call by the FBI to issue these sort of 'limited judgeless warrants' for information.

However the amount and types of information was still very specific. (who owns the account, how long they have owned the account, what is their address, etc) (The FBI actually went beyond that and actually got their hands slapped by George Bushes' legal council)

However, this is something that very recently Obama is trying to fix. The way he is trying to fix it is by greatly expanding the type of information the FBI can request.

Obama is pushing for the ability to have _any_ transactional data for any electronic communications to be eligible for a request using NSLs and to have NSLs be used on anybody in the course of a terror investigation even if they are not actually anybody that is suspected of being a terrorist or even directly involved.

So basically... any website you visited, web searches you've done, information on who you've been emailing, information on everybody that visited a suspected website, cell phone GPS tracking data, etc etc.

So they are saying that while they need judge to help them get access to your email they should be able to request the headers of your email with no justification.

What is on top of this there are gag orders involved with NSLs.

For example:

If the government gets a warrant to wiretap your phones they are legally required end up revealing the wiretap to you after it's over.

However the NSLs if the FBI sends a request to Google for your metadata then it's illegal for Google to tell you about it. So it makes judicial oversight and journalist investigations impossible. Nobody can practically challenge a NSL because nobody is allowed to know about it.

So... yeah. It's going to be very difficult in the future to trust any corporation with your data if your involved in anything politically disruptive or unpopular with whatever president is in power. They will be able to use the FBI to require corporations to spy on you with utmost secrecy. Anybody who know the history of the FBI know much of the time it's used as a political tool by whoever is in charge of the executive branch at the time..

(Log in to post comments)

GUADEC: Danny O'Brien on privacy, encryption, and the desktop

Posted Aug 5, 2010 7:52 UTC (Thu) by gmaxwell (subscriber, #30048) [Link]

Not just NSLs: http://blogs.forbes.com/firewall/2010/08/01/stealthy-gove...

Seems some crazy people have applied bush administration style thinking to the wiretap laws and decided that it's possible for you to wave your right to privacy in the provider's TOS — No NSLs required, as far as I can tell their legal reasoning would even allow them to sell your private data to your enemies/competitors for monetary gain.

Additionally, many "cloud computing" services may not enjoy stored communications act http://www.georgetownlawjournal.com/issues/pdf/98-4/Robis...

GUADEC: Danny O'Brien on privacy, encryption, and the desktop

Posted Aug 5, 2010 9:14 UTC (Thu) by drag (subscriber, #31333) [Link]

bush administration... that's funny because it's Obama that is pushing it now. Shouldn't you be calling it Obama Administration-style? Things are just getting worse no matter what the voting public does.

But this is not the government agency, it's just one business sharing information with another. Different rules. They cannot use the threat of force to compel corporations to cooperate like the government can, but they can probably get stuff that would be troublesome for the government to do easily legally.

Think about the difference between a P.I. vs a Cop.

I guess it's time we take a closer look at those EULAs for our ISPs.

---------------------------

on a side note:

If anybody tells you that if you just cooperate with the government and not to worry because they won't throw you in jail... they are lying to you. Often you have no choice but to cooperate since like all the other amendments in the bill of rights the government has been working very hard to eliminate the positive effects of the 5th amendment, but regardless: Get a lawyer first.

----------------------------

For people that are curious more about this phenomena the The Washington Post has done a very good investigative journalism to document the extent at which the government has gone to monitor and survey it's own citizens. The vast majority of the money is getting funneled into private contractors... If you want to get rich quick: Join the FBI for a couple years, drop out, and then create your own private investigative firm and get a contract with the government. Very lucrative.

http://projects.washingtonpost.com/top-secret-america/

GUADEC: Danny O'Brien on privacy, encryption, and the desktop

Posted Aug 6, 2010 21:23 UTC (Fri) by spender (subscriber, #23067) [Link]

That Forbes article should be taken with a grain of salt. The following posts and comments should help illuminate the situation a bit:
http://taosecurity.blogspot.com/2010/08/project-vigilant-...
http://www.reddit.com/r/IAmA/comments/cx2t8/iama_voluntee...
(check out the Forbes journalist asking on reddit for input; that's quality)

I don't mean to devalue your point when applied to the existence of private companies who may be engaging in the same or similar behavior, I'm just speaking to this specific instance.

-Brad

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds