Feds Trying To Get Master Encryption Keys From Tech Companies
from the of-course-they-are dept
This is hardly surprising, but Declan McCullagh is reporting that the feds have been trying to get various tech companies to hand over their master encryption keys so that the NSA and FBI can decrypt any of the messages they scoop up. So far the tech companies have been resisting:
"The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.
The person said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but voiced concern that smaller companies without well-staffed legal departments might be less willing to put up a fight. "I believe the government is beating up on the little guys," the person said. "The government's view is that anything we can think of, we can compel you to do."
It's unclear from the article if any companies have given in and provided the keys, but it sounds like at least most of the big ones are fighting it. Microsoft and Google both directly denied that they would hand over such a master key. Lots of other companies didn't respond to Declan's questions. Of course, it's no surprise that the government would ask. They've been asking for access and backdoors to just about everything.
If they can't convince the companies that this is legal and required, you can fully expect that a law will be proposed shortly which will more or less require companies to hand over such keys.
"The requests are coming because the Internet is very rapidly changing to an encrypted model," a former Justice Department official said. "SSL has really impacted the capability of U.S. law enforcement. They're now going to the ultimate application layer provider."
Once again, perhaps it's time to think about moving away from a situation in which all our "cloud" data is stored in a few centralized spots. You can still get the benefits of a cloud, even if you control the data yourself -- if only companies would open up and allow users to point their services at data stored elsewhere.
Filed Under: doj, encryption, fbi, master keys, nsa, privacy, surveillance, tech companies
Reader Comments
Things need to change.
[ link to this | view in chronology ]
Re:
Wonder what will happen with all those Kickstarter projects and whatnot that are attempting to encrypt data/communication. If they don't cave to the government's (UNCONSTITUTIONAL) demands, the latter will likely falsely accuse them of aiding the enemy, because they're lunatics.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Not that we'd care
If they get them, I'm off forever. If you can't be secure at all with any of it, why bother?
The SSL keys are the only thing stopping the NSA from having real-time spying on-line, and it's only a matter of time before these companies give in because they're gutless cowards, just like everyone who doesn't care.
It might not be surprising to some people but it is highly disturbing to me, and I'm pretty much convinced that the end is near for that 'wild west' synergy that used to be so true on the Internet.
It'll be owned and controlled by the corporate masters and watched every second by the NSA. Nothing will be private, nothing will be secure.
We're half-way there now. I can see the writing all over the wall, ten feet high.
[ link to this | view in chronology ]
Re: Not that we'd care
Go buy some tiny box with Linux inside, connect a USB disk, turn encryption on. That's it. Want to communicate with your box over the internet - a few more checkboxes.
Your government wants an ability to wiretap communications. What's new about it? Do you know that your phone has never been encrypted?
[ link to this | view in chronology ]
There is no substitute for offline, offsite, secure backups of all your data; and that is for both businesses and individuals.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Why is the net pursuing encryption?
The monetary rewards for stealing our private actions are large. Most elected now have used data mining and demographic analysis to get elected - they think they need to keep lying and stealing to stay in office.
The nation needs ambiguity and privacy. It needs transparency, so we can see what our tax dollar buys us. The consent of the justly governed is an informed consent.
[ link to this | view in chronology ]
Re: Why is the net pursuing encryption?
https://www.ncsbe.gov/VoterInformation.aspx?id=F0D58B31DF69D43E01439C71E87026C3
[ link to this | view in chronology ]
This is simply insane
Sad state this country is in. This all started with Bush and Obummer is just taking it to the next level. Makes me sick.
[ link to this | view in chronology ]
Re: This is simply insane
It started well before Bush.
[ link to this | view in chronology ]
Do it
[ link to this | view in chronology ]
It is a lot easier to steal private keys if they are located in central repository. Saves me the trouble of hacking lots of individual targets.
-- Lazy hacker
[ link to this | view in chronology ]
Web of Trust
[ link to this | view in chronology ]
[ link to this | view in chronology ]
sigh
[ link to this | view in chronology ]
Plausible deniability
There is an encryption technology called plausible deniability: dual encrypted channels with double keys. When the government demands the keys, you give them one set of keys to placate them so you don't end up in jail. I won't bore you with the details, but check out TrueCrypt.
I never liked the idea of storing anything of mine on rack servers (AKA the cloud) owned by anyone other than me. All the B.S. about we protect you is utter nonsense. I'm going back to typewriters, in-person face-to-face communications, and when I do use skynet, I'll encrypt my messages on top of the SSL layer. Then I'll use TOR because I don't even want anyone knowing where I'm sending messages to in the first place. If they want to track me, they can use old-fashioned detective work.
[ link to this | view in chronology ]
Paranoid yet?
[ link to this | view in chronology ]
Key escrow
[ link to this | view in chronology ]
Oh Microsoft, you kid...
With Microsoft, based on the past, I call bullshit. I would be surprised if they haven't already handed it over.
[ link to this | view in chronology ]
Re: Oh Microsoft, you kid...
[ link to this | view in chronology ]
MS tried to get Google censored. I think they actually sued them or at least tried to. Probably so they could say "look Bing works better than Google". Yeah now that it's crippled MICRO-DICK
[ link to this | view in chronology ]
quick on the heels of...
[ link to this | view in chronology ]
Re: quick on the heels of...
[ link to this | view in chronology ]
Public Key Encryption 101
What would help even more is if there was some way to get people to take encryption seriously, and not just as a checkbox or prepending https to a url.
The notion of "trust" is absolutely core to the security of public key encryption. You need to determine whether a key you are using was actually issued by who you think it was issued by.
We now know that the default way this is "ensured", that it was vouched for by a CA such as Verisign, Microsoft, etc., is meaningless in terms of being able to trust the key. People have to start taking a more active role in verifying the keys they use.
[ link to this | view in chronology ]
A new law ?
[ link to this | view in chronology ]
Why do they even need this?
Why would the Obama Justice department want to spy on your Google Searches in such a way that they don't want to send a subpoena to Google? Hmm?!
The only question of real import is: WHY HAVEN'T WE HUNG THESE PEOPLE YET?
[ link to this | view in chronology ]
All your SSL belong to us
[ link to this | view in chronology ]
Consumer Trust
(We all know the Feds can't keep a secret)
[ link to this | view in chronology ]
I would suggest something more 'decentralized'.
[ link to this | view in chronology ]
Well, that's as good as admitting that they have received requests for encryption keys...
[ link to this | view in chronology ]
The gate keepers
Imagine the NSA telling Microsoft there is an exploit in the OS long before anyone is publicly aware of it. The NSA will tell them about it and ask them not to patch it yet. This way, the NSA can exploit it themselves. Microsoft can start fixing it so when the vulnerability goes public, Microsoft can have a patch ready to go. Ditto with all the viruses. I wonder how many viruses are military in nature?
I imagine there is a whole lot of information sharing going on we have not learned about yet. The NSA, being the gate keepers keeping big tech in check.
[ link to this | view in chronology ]
Hey feds...
[ link to this | view in chronology ]
Re: Hey feds...
[ link to this | view in chronology ]