Wiretapping the internet

The Obama administration is seeking the authority to wiretap the internet–including Facebook, Skype, smart phone e-mails, and every other kind of online communication–and to force sites to provide unencrypted access to law enforcement agencies. From the New York Times:

Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone.

Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.

The bill, which the Obama administration plans to submit to lawmakers next year, raises fresh questions about how to balance security needs with protecting privacy and fostering innovation. And because security services around the world face the same problem, it could set an example that is copied globally.

James X. Dempsey, vice president of the Center for Democracy and Technology, an Internet policy group, said the proposal had “huge implications” and challenged “fundamental elements of the Internet revolution” — including its decentralized design.

“They are really asking for the authority to redesign services that take advantage of the unique, and now pervasive, architecture of the Internet,” he said. “They basically want to turn back the clock and make Internet services function the way that the telephone system used to function.”

But law enforcement officials contend that imposing such a mandate is reasonable and necessary to prevent the erosion of their investigative powers.

Webmonk, who alerted me to the issue, has some special expertise on the subject and offers some useful explanation:

I developed software for police departments to do (almost) exactly this – wiretap an Internet signal. That is perfectly legal (in most jurisdictions) as long as one has a warrant – the police take their software/hardware to the Internet Service Provider, and hook it up to whichever of their routers happens to funnel the subject’s Internet traffic. My software made a copy of every bit that the subject passed in or out and stored it. Then, the police could go look at that stored information.

The problem we ran into was encryption: encryption encodes the information being passed back and forth so that even if someone is listening in the middle (hackers, police, stalker) and can see what is going back and forth, they can’t decode the message to understand the contents. . . .

The same sort of thing that helps keep my banking information from being stolen can also keep illegal activity safe. Most of the websites that we were interested in knowing the subject’s activity, used encryption, so the police weren’t able to see the details of what the person was saying or doing on that site.

The difference in what I developed and what is being proposed here is that this would require all “communications” websites to install software that would allow the government (with a warrant, presumably) to access everything that someone was doing in an UNENCRYPTED form.

For example: Facebook uses encryption. If the police get a warrant to tap your Internet signal, they can see that you are going to Facebook, but they can’t see what you are doing on there. The proposed law would require Facebook to install software that somehow provides a completely UNENCRYPTED copy of what you are doing on their site to the lawman with a warrant because Facebook could be used by (rather dumb) terrorists to communicate with each other. This would apply to all websites that provide “communications” of some sort.

So what do you think about this? Is it a legitimate update of law enforcement needs in light of new technology or a dangerous assault on civil liberties? Do you see anything wrong with this statement?: I don’t do anything wrong, so I don’t have anything to hide. Might there be a time when a law aimed at terrorists could be used against other “subversive” groups, such as Tea Partiers? Or Christians?

HT: Webmonk

About Gene Veith

Professor of Literature at Patrick Henry College, the Director of the Cranach Institute at Concordia Theological Seminary, a columnist for World Magazine and TableTalk, and the author of 18 books on different facets of Christianity & Culture.

  • SKPeterson

    My first thought – financial transactions. When you have a broke government desperate for revenue, being able to more easily track the financial transactions of people makes it much easier to eventually seize it. The socialists think anyone with wealth or who makes a profit is basically a criminal or terrorist so they would justify it on such grounds. And warrants? Really? We’re going broke – how quickly would warrants be tossed in the name of a national “emergency”?

    The government would need to be very careful (not its strong suit) and remember that two can play the same game. How many government secrets could be revealed by others using similar technology against them? So, instead of an arms race, there’d be an encryption and cracking race.

  • Joe

    I think it goes too far in that it makes service providers actually change the way they provide service – change the architecture of their sites. I don’t recall phone taps requiring AT&T to change the manner in which they provided telephone service.

  • Joe

    From a privacy standpoint it does not appear that anything is changing – if a cop gets a warrant he can listen in. Unless they are talking about warrant-less taps, I don’t see a difference.

  • Winston Smith

    “Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.” — William Pitt the Younger

    Anyone — including Christians and political conservatives — who thinks they have nothing to hide from the government is depressingly naive, and does not seem to understand the essential dynamic of American liberty. The rights that we enshrine in the Bill of Rights are God-given (in Constitutional theory, at any rate); they are not bestowed, or to be taken away, by human authority.

    Because human beings are fallen and totally depraved, all of us need to be protected from each other by checks and balances, so that no one has too much power over anyone else. That includes the “authorities,” since they are sinful human beings as well.

    The trend (since the beginning of the Republic, but especially since 9/11) has been for government to expand its powers at the expense of the people’s liberties. Necessity, as the man said, is the pretext — they’re fighting for our freedoms, or protecting us from the big mooslim boogeyman out there, or something. We’re supposed to meekly comply, or else we’re terrorist-loving liberals who hate America. That seems to be equally true under this administration as the last one.

    If you think that only muslims or jihadists are to be spied on, think again. Law enforcement agencies have been known to profile supporters of third party candidates (like Ron Paul), anti-abortion activists, anti-war, pro-Second Amendment and anti-free trade demonstrators as potential terrorists. This trend has picked up speed with the election of a Democratic administration. Google “Missouri Information Analysis Center report” if you don’t believe me.

    It actually does my heart good to learn that Blackberry, et al are one step ahead of the electronic flatfeet in protecting users’ privacy. I am much less frightened by the (remote) possibility of a terrorist using a Blackberry than I am of an omnipresent East German-style spy apparatus knowing everything about everyone. Freedom will not long survive, for any of us, when the government is omnipresent and seemingly omnipotent.

  • WebMonk

    Pfft! Obviously this guy doesn’t know what he’s talking about when he talks about encryption – a know-nothing blowhard. :-D

    Dr. Veith took out the fun part – I gave everyone my SSN, my bank account number, my bank, and the password to log into the website. Encrypted, of course.

    The part of the bill that is of the most concern to me is that it makes the providers take a very significant and active role in tapping their users for the police. Actually, they do ALL the work – they do the software installation, they do all the tracking, they do all the collation, they do all the avoiding encryption – everything to keep track of the user activity.

    Essentially they are doing a “wiretap” on everyone (and a lot more than that) just in case the police/FBI/CIA etc want to look at one of their customer’s data.

    Aside from the fact that this requires private groups to do the work of “wiretapping” for the police (and the civil rights issues that brings up), this opens up holes in security which I can guarantee hackers will be able to exploit – it makes communications generally more open to hackers and thieves so that the government can look at the information too.

  • WebMonk

    Winston, just to mention some of the differences between the MIAC and this proposed legislation (which I assume/hope will die) is that the MIAC was gathering just open-source information – stuff anyone with the Internet and some research skills can do.

    To access the information potentially made available by this bill, the government would need to get a warrant – exactly the same way they have to get a warrant now to search a person’s house or wiretap their phone. In theory, the actual invasion of privacy is no greater than a regular warrant to search someone’s property.

    In practice – well, it depends on how much you trust the judges who hand out those warrants. There was no warrant required for the MIAC to gather their information since the individuals had all placed their information out into public (knowingly or not), whereas this bill wouldn’t allow the same sort of widespread delving into random people’s private lives like the MIAC did into people’s public lives.

    So it’s not exactly the same as the MIAC. Deals with electronic data gathering, but that’s about it.

  • http://www.bikebubba.blogspot.com Bike Bubba

    Two big objections:

    1. Didn’t Obama campaign against this sort of thing?

    2. Since when are criminals going to give up the encryption they currently have in favor of unencrypted code? Don’t criminals by definition, you know, break the law?

    So really what we have here, especially in light of #2, is government wanting to look at the activities of the innocent–and in doing so, burdening technological development for the law abiding.

  • EricM

    This kind of thing has come up before. I remember in the 90s the government was pushing the Clipper encryption chip. The idea was that the encryption would still be strong but the government would have a key so that they could decrypt anything they needed to (with a warrant of course). Of course with any security system – if there is a built-in back door, some unauthorized person will use it.

    If the government forces this back door into standard communication systems a few things will happen: 1 – bad folks with resources will use other means, 2 – services outside the jurisdiction of the US law will get more customers, 3 – someone will use the back door to access sensitive information in an unauthorized manner.

  • Winston Smith

    WebMonk @5, I understand the difference between the authorities’ gathering publicly available information and covertly wiretapping, but that wasn’t my point. The point I was trying to make was that law enforcement and intelligence agencies are targeting people who hold unpopular or politically incorrect opinions as potential terrorists. Many nice, white bread Americans who think that they have nothing to hide, because they are not radical muslims, may come closer to the official definition of “terrorist” than they realize. If you support gun rights, if you would like to be sure that the President meets the constitutional qualifications for office, if you oppose the idea of one-world government, if you believe that Bible prophecy is literally true, if you shoot your mouth off on blogs in defense of Constitutional freedoms, you may already be on a list somewhere.

    Dr. Veith asked “Might there be a time when a law aimed at terrorists could be used against other “subversive” groups, such as Tea Partiers? Or Christians?”

    The answer, sadly, is yes, and sooner than you might think. Eternal vigilance is the price of liberty.

  • DonS

    I agree with Joe and Webmonk on this one. Assuming a legally sufficient warrant is secured, law enforcement should be entitled to intercept communications, whether they are conventional hard line phone calls or whether they occur through modern communications networks. But to put the burden of de-encryption on the providers is unduly burdensome. The government should decode the information it is entitled to after receipt, using its own de-encryption tools generated with necessary information supplied by the providers. Security for innocent users is an important factor here.

  • WebMonk

    EricM, another thing that will happen is that workarounds will become commonplace.

    Right now, it is already possible for individuals to encrypt their own traffic beyond even what the website may enforce or require. This can cause problems for some sites and situations, but the technology is already out there. Should this proposed bill become law, I can guarantee you that personal encryption efforts will become much more common, especially among those who particularly want to hide their activities- aka the bad guys.

    What will the result be? Innocent individuals will lose a lot of security from thieves because of the holes opened up by the requirements put upon the websites, and most of the bad guys the police/FBI/CIA want to see will move to doing their own encryption and the police/FBI/CIA will be mostly back to square one in regards to the stated desire.

    For everyone out there who wants an interesting book on the subject (fiction, young adult, but very good), check out Little Brother.

    It’s a story about EXACTLY this sort of situation where the government (state gov in the book) decides to seriously crack down on any and all attempts to have private electronic communications. Great book on multiple levels.

  • http://www.toddstadler.com/ tODD

    WebMonk, was your example to Veith about Facebook merely hypothetical? Because Facebook doesn’t use encryption, except when you log in. All the things I’m saying to my friends, all the things they’re saying to me: passed around in plain text.

    Anyhow, as a Web developer (but not only in that role), I’m more than a little concerned about this idea. Right now, my sites only use encryption when it comes to credit card transactions and logging in. Presumably, that does not fall into the group of “services that enable communications”. But it would be a huge burden to Web developers working on small (but private) sites to have to comply with the government, I’d think. Oh, you use encryption to protect your little group’s discussion forum? Then you need to install this software from the government.

    There are, of course, larger concerns, as others have noted. A back door is a back door — it really is almost as simple as imagining that the government insist that every “meeting place” have one particular door with one particular lock in it, and that lock can only be opened by the government’s key. Would that worry you, having that on your church, at your office, wherever else? Might you be concerned that not everyone in the government had every group’s best interest at heart? And the fact that the same lock is on the door of every interesting space certainly would invite criminals to do their best to open it. Maybe if you hit it with a hammer just so. Or maybe if you acquire a key somehow. Then you can open all the locks and go anywhere! It’s an analogy, but still.

    And while it’s not as easy in the above scenario to imagine everyone moving their meeting spaces to less intrusive countries, it’s all too easy to imagine Web servers moving to other countries, because the end users, by and large, wouldn’t care (except for some slight lag time). It’s not like any of us know where the Web servers we interact with are actually located, by and large.

    In short, if this effort would catch anyone, it would likely only be the idiots. Meanwhile, it would open up a whole host of potential problems.

  • WebMonk

    You don’t have your computer to use Facebook over a secure connection?

    Oh. Um. Yeah. Wow.

    That’s an awful lot of information to be passing around unencrypted. Each to his own, I guess.

  • WebMonk

    Ahhh, I spoke too soon.

    I checked and I have a plug-in that enforces https (HTTP Secure) protection. You’re right – Facebook doesn’t seem to use https regularly, though with a simple plug in, you can force it to do so.

    My plugin is called HTTPS-Everywhere. I suspect there are lots of them freely available.

  • WebMonk

    Just a plug to anyone reading – please encrypt everything when you can, ESPECIALLY if you are using a wireless system.

  • Porcell

    I’ve learned from hard experience that sophisticated hackers can find a way to gain entry into supposedly encrypted financial information and actually draw funds from it, though fortunately a thorough, though expensive, investigation revealed the culprits, who were successfully prosecuted. That’s why, BTW, my lawyers strenuously advised that I not use a real name on this blog.

    However, looking at this issue from the perspective of the CIA, NSA, and FBI, who are properly in the business of tracking down criminals, spies, and terrorists, one may understand that they have become frustrated by both personal and institutional encryption. I don’t know the details of this Obama/Biden bill, though I assume they have built in privacy protections for ordinary, law abiding people. Further, it shouldn’t be much of a burden for institutional soft-ware to include a method for the government with proper warrant to end around the encryption.

    We all on balance run acceptable risks given the benefits of a digitized milieu. Personally, I doubt whether in a robust democracy the government would have the time or the inclination to do harm to law-abiding people. While sometimes paranoids have real enemies, the notion that the government would be out to get tea-partiers or Christians is overblown.

    It’s interesting that the Obama administration, facing the reality of Islamic jihadis and the Mafia, have with this issue moved beyond Bush, that former, rather evil president whom the liberals excoriated.

  • WebMonk

    “Further, it shouldn’t be much of a burden for institutional software to include a method for the government with proper warrant to end around the encryption.”

    Clueless. You’re totally clueless about what you actually said there.

    You’ve never configured a web server to be really secure. Never had to install security onto a web server. Never had to try to open up holes in a security system and then put protections over those holes. Never had to worry about something called a buffer overrun.

    You mentioned that your financial info got stolen. That sucks. Now, require that every site that has “services that enable communications” provide a uniformly available backdoor. You REALLY think your financial info is going to be safer with something like that in place?!? Uh huh.

    Have you ever put your credit card information into Amazon, Facebook, World of Warcraft, Borders, or anything like them? Do you pay Verizon, AT&T, any phone company or ISP? Cable provider?

    If so, your information would very likely be affected by this bill – the govt would require that all those companies open up their system in a publicly-known way, and then try to put protections back over it.

    Every hacker and thief in the world will be nailing a target like that, and if you think it is even remotely possible to put truly solid protections back over that sort of hole, then you’re nuts.

  • http://www.toddstadler.com/ tODD

    WebMonk urged everyone (@14), “please encrypt everything when you can, ESPECIALLY if you are using a wireless system.” And, while I admire your paranoia, I think that you simply expect too much of people. The horse, quite simply, is out of the barn. If there is going to be online security for people, it will be in spite of what they know, not because of it.

    It’s stretching things to expect most people to even check for encryption when entering credit card details, much less the correct URL before entering a username and password. But you want them to think about how they’re connecting to the Internet (wireless vs. wired), or to install a plugin for their browser, much less to understand how that plugin works or what its limitations are? Have you been to a coffee shop or other public WiFi spot lately?

    Also, best I could find, HTTPS-Everywhere is only available from the EFF (almost certainly your source), and, according to them, is fairly unique; it also does not work on Chrome, my browser of choice these days.

    And Porcell (@15), I’ve said this to you before, but your financial information was almost certainly not hacked in any way because you used to use your full name when posting comments on blogs. Using a handle (or otherwise non-unique portion of your name) may be a good practice if you don’t want people to be able to discover your personal thoughts in connection to your real-life identity, but that’s about the only advantage such a tactic offers.

  • Porcell

    WebMonk: Clueless. You’re totally clueless about what you actually said there.

    Not really. I chair, and was formerly CEO of, an investment company that is responsible for the security of clients’ information. We have an officer for information technology with whom I am in close contact. He informs me that the bill, which is essentially Biden’s idea, would present no serious problem, though he intends to follow its progress through Congress like a hawk to make sure that the privacy protections stay solid.

    This is another case, like cosmology, where you pretend to have superior knowledge with a ludicrous quantum of huffing and puffing. You might have designed software for police departments, though that in itself hardly qualifies you to pontificate on this complex subject.

  • WebMonk

    I’m a Firefox boy these days. I hadn’t thought of its compatibility with Chrome. The EFF is probably where I got it.

    Bugger about that! Maybe I’ll write one up. If I ever get it to a stable state, I’ll pass it around.

    I find your @17 sort of funny – in a sad way. You start by suggesting most people don’t know enough about Internet communications. You finish by alerting Porcell that putting a real name on a message board can’t compromise financial information.

    I doubt you specifically meant it this way, but your ending was a perfect example of the beginning. Peter, I back up tODD on this 110% – using a real name on a message board doesn’t contribute toward hackers stealing your financial information. There are lots of reasons to use a pseudonym, but protecting your financial data isn’t one of them.

    Maybe I’m an optimist. I hope that people who grow up with this stuff will be generally more aware and proactive on the topic – just like you never leave a credit card lying around, so too one shouldn’t leave personal info lying around.

    On the other hand, so far, a pessimistic view is certainly borne out by the lack of concern college-and-younger youth have over their personal data.

    Just as a quick example – Sarah Palin’s email account got hacked just from what is commonly known about her. Granted, that wasn’t an encryption issue, but it is part of the general lack of concern over security most people have.

  • WebMonk

    Porcell – you know a guy and maybe had a five minute conversation with him.

    I, on the other hand, have regularly programmed the software which we are talking about. Heck, I’m programming something similar right now. It has a 30 minute test-run time, so I have lots of down time right now to reply.

    And did you just listen to yourself – you say that my experience programming what were essentially hacking tools for the police doesn’t give me any expertise on hacking?!?!? I’ve also worked as a web master for a couple companies. I am currently developing software which does hacking (albeit legally).

    If you’re part of a financial organization, then your friend is absolutely right – it won’t affect HIS COMPANY, and he won’t have to do much of anything. But, you go right ahead and pass out blanket assertions for companies everywhere based on a quick conversation with a guy who works in a company that won’t be directly affected by the legislation.

  • Porcell

    WebMonk, I’m listening to you, though I usually ignore people with a rather righteous and emotional view point, however technically qualified.
    You have far from made clear that any company would have a serious problem with this Obama/Biden bill, the purpose of which is to protect the security of the nation.

  • WebMonk

    Huh. So the word of two people (tODD and myself) who both work in the exact field which this would affect say it will make security much weaker, isn’t enough.

    And you base your opinion on … what? Your own expertise in the field? A statement from a friend who works for a company that wouldn’t be affected by the requirements, and who (at least according to your phrasing of what he said) never said it wouldn’t cause problems, just that it wouldn’t cause problems for his company?

    Well, if you really want to have outside statements, I can get those for you too. (it’s a thing called Google)

    eweek.com/c/a/Security/Obama-Administration-Internet-Wiretap-Plans-Dredges-Up-Old-Debate-305528/

    According to the Times, the rules appear to be coming together around these ideas: Communications services that encrypt messages must have a way to unscramble them; foreign-based providers that do business inside the United States must have a domestic office capable of performing intercepts; and developers of peer-to-peer software must redesign their service to allow file interception.

    However, these changes could present security risks of their own—for example, opening up backdoors that could be exploited by attackers.

    “Abuse of backdoors by hackers or other foreign governments should be a major concern,” opined Forrester Research analyst John Kindervag. “If our government is able to get into these systems or look at this traffic, then other entities will be able to do so. We must disabuse ourselves of any notion that our government can do it in a manner that is completely secure and cannot be exploited by non-authorized or malicious actors. This could lead to things as dangerous as creating intentional flaws or decrementing the security implementations of SSL/TLS—as an example. In theory, this could be disastrous for e-commerce.”

    A backdoor is a backdoor, Cohn said, adding that the government already has the ability to do wiretaps with its existing authority.

    “If you want a secure thing, it’s got to be secure, period,” Cohn said. “It just doesn’t work to try to make something insecure only against one possible [entity]. … Right now the government has so many different ways to get access to our communication with really very little justification, and very little court oversight. Taking away our ability to do encryption is just another hit, and it’s one that I think again has tremendous collateral effect.”

    wired.com/threatlevel/2010/09/fbi-backdoors/

    Cryptographers have long argued that backdoors aren’t a feature — they are just a security hole that will inevitably be abused by hackers or adversarial governments.

    The proposal also contradicts a congressionally-ordered 1996 National Research Council report that found that requiring backdoors was not a sensible policy for the government.

  • WebMonk

    internetnews.com/security/article.php/3866131

    esecurityplanet.com/features/article.php/3866121/Wiretapping-the-Internet-Legal-and-Dangerous.htm

    Just to toss up two more. I won’t bother excerpting from them. Suffice it to say they continue to talk about the security issues involved with doing Internet wiretapping.

  • Porcell

    WebMonk, eweek, along with the ACLU, is rather hysterical on this issue. Personally, I’m following the matter, as it affects my company, though I’m underwhelmed by you, Todd, and such outfits as eweek and the ACLU.

  • http://www.toddstadler.com/ tODD

    “I usually ignore people with a rather righteous and emotional view point” (@21). Indeed, you even counsel others to ignore such people!

    Peter, when you’re bluffing, people who actually know what they’re talking about can tell.

  • Porcell

    Todd, exactly what are your bona fides on this issue? Have you analyzed the Obama/Biden bill in detail, or are you, per usual, with WebMonk, huffing and puffing?

    My information tech fellow has taken a careful look at this bill and regards it as tolerable, though he does think that the NSA and CIA already have likely overcome the encryption problem; apparently the FBI is the agency behind this bill, as it generally tends to be behind the curve on information matters.

  • WebMonk

    Peter, I can say with great authority that the CIA has not cracked the good 256 bit encryption techniques. But that’s neither here nor there.

    tODD happens to be a web master, and has been for many years. I’ve been a programmer in the exact field of “hacking” for 5+ years now, and have worked as a website tech and a web master for 3+ years.

    You don’t know the difference between SHA256 and SHA224. You’ve had a quick conversation with a guy who isn’t directly affected by this bill, and you apparently consider yourself enough of an expert that you can dismiss people with over a decade of experience in the field.

    Not only that, but you brush off the opinions of the people quoted in those articles as if they don’t know what they are talking about either.

    Your expertise in this field astounds me!

  • http://www.toddstadler.com/ tODD

    Porcell (@26), again, you can use words like “huffing and puffing” and sound like you have the upper hand when it comes to knowledge and authority on this topic, but even your question of “have you analyzed the Obama/Biden bill in detail” appears to betray ignorance about the topic, even with respect to what little facts are in the New York Times article. The bill hasn’t been submitted yet, nor will it be until next year. As the article notes, “there is not yet agreement on important elements, like how to word statutory language.” One wonders exactly how your “information tech fellow has taken a careful look at this bill.” Do tell.

    Not that the details would matter, as to the technological points WebMonk and I have made. A back door is a back door, and any back door suffers from the problems we have already addressed. To say nothing of the complete inability of any legislative solution to address encryption software used by individuals, or open-source software, or foreign software or services outside of (domestic) law’s reach.

    But I’m glad to hear that you fully support the Obama administration and trust them completely with your data.

  • trotk

    Peter -

    Good grief. You are in way over your head. Admit you don’t know personally what you are talking about, admit that your IT guy seems to disagree with tODD and WebMonk, plan to go question your IT guy tomorrow to find out if he responded off the cuff to the issue or really knows what could happen, recognize that there are many companies out there who might be affected in different ways, recognize that your IT guy might not have even considered the impact on the average consumer or web user, and then admit again that you don’t know what you are talking about.
    When you are bluffing, you accuse others of doing so. It is a trait you should know about yourself, as it will destroy you in a poker game. WebMonk and tODD have told you specific details of how this will impact web security, and you respond by saying that you were a CEO and had a securities guy who disagreed. Really? That’s an argument? Arguments from authority only work if we all know and respect the same authority.
    Calm down, and acknowledge that you are talking without knowledge and understanding, which necessarily means wisdom isn’t present.

  • trotk

    Peter -

    One more thing. As a leader of an organization, I can say that our employees oftentimes say something will be no problem because it is difficult for them to acknowledge they can’t do something or don’t know something. Ask for specific details next time, and you will hopefully find out if he knows what he is talking about.

  • Pingback: Plan To Stop Digital Freedom « BCM301

  • Heidi

    A question for Webmonk:
    You say I should only communicate with Facebook using encryption. Anything I put on Facebook is something I’m willing to put on a billboard, because I assume it’s public, even if it isn’t supposed to be. So why should I care about encryption?

  • Heidi

    My take on the internet privacy issue is that I have no reason to panic, because my life is pretty dull from a law-enforcement perspective. But that doesn’t mean that privacy is at all unimportant on general principles.

  • Pingback: PC Fórum
