Congrats, FBI, You've Now Convinced Silicon Valley To Encrypt And Dump Log Files
from the a-victory-for-privacy dept
Soon after the original Snowden revelations, I went around talking to a bunch of startups and startup organizers, discussing whether they'd be more willing to speak out and complain about excessive government surveillance. Some certainly did, but many were cautious. A key thing that I heard over and over again was "well, our own data privacy protections... aren't that great, and we'd hate to call attention to that." Every single time I'd hear that I'd point out that this should now be their first priority: clean up your own act now, and fix your own handling of people's data, because it's an issue that's going to become increasingly important, and you're being foolish and shortsighted to ignore it.
While the Snowden revelations certainly did get some companies to improve their own practices, it looks like the FBI's decision to go after Apple over encryption has really galvanized many in Silicon Valley to take action to truly protect their users from snooping government officials -- meaning making use of real (not backdoored) encryption and also diong other things like dumping log files more frequently.
“We have to keep as little [information] as possible so that even if the government or some other entity wanted access to it, we’d be able to say that we don’t have it,” said Gadea, founder and chief executive of Envoy. The 30-person company enables businesses to register visitors using iPads instead of handwritten visitor logs. The technology tracks who works at a firm, who visits the firm, and their contact information.
The article is full of such stories -- including one of a company called Stealth Worker that is basically helping lots of startups build in better security from the start:
Stealth Worker — a start-up funded six months ago by the prominent incubator Y-Combinator — provides contract cybersecurity experts to early-stage start-ups, which often operate on a shoestring budget. Stealth Worker chief executive Ken Baylor said that in the past month he had been approached by a half-dozen companies looking for ways to build tougher encryption and other secure technical architectures.
Because it's the Washington Post, and they feel the need to be "balanced," the article does include the one ridiculous contrarian quote from our old friend, former NSA General Counsel Stewart Baker, who basically dismisses reality as a myth in the heads of some engineers:
“This is a Silicon Valley delusion that the government wants to outlaw encryption,” Stewart A. Baker, a former National Security Agency general counsel, said in an interview. “I grant that there is a radicalized subculture of engineers that is very prone to that delusion, but it is a delusion.”
This is classic Baker: saying something that avoids the actual truth by saying something that's nominally true, but not what people are actually discussing. The claim of "outlawing encryption" is really shorthand for "outlawing effective encryption that is less vulnerable to attack." And that's absolutely what many in the government are trying to do. I mean, there's no delusion necessary when you can just read the bill put forth by Senators Dianne Feinstein and Richard Burr, that absolutely would make real encryption illegal. Sure, it says you can keep encryption, but only if it includes a way for 3rd parties to decrypt it. And the only way that's possible is to introduce serious vulnerabilities into the encryption.
The thing that Baker and many others truly don't get about Silicon Valley is that when you give techies a challenge that involves making "the best" of something, they like solving the challenge. The suggestions to backdoor encryption undermine that philosophy. They're saying that techies would need to deliberately cripple their own solutions. And the more that the FBI and clueless Senators push for such a solution, the stronger Silicon Valley will dig in and keep building better overall solutions that are less prone to government snooping.
Maybe, just maybe, if the likes of the NSA and FBI hadn't regularly abused their snooping powers, folks would be more willing to give them the benefit of the doubt. But it's a bit late for that at this point.
Filed Under: doj, encryption, fbi, silicon valley, startups, surveillance
Reader Comments
Until forced to keep logs
[ link to this | view in chronology ]
Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Re: Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: you can't delete log files
[ link to this | view in chronology ]
Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Until forced to keep logs
[ link to this | view in chronology ]
Re: Re: Until forced to keep logs
[ link to this | view in chronology ]
understatement
[ link to this | view in chronology ]
Re: understatement
They made the mistake of initially framing the discussion in terms of "we conduct mass surveillance to keep you safe". But as is the case with a whole lot of propaganda, the framing begins to fall apart when you hold it up to reality.
Sure, they can use domestic mass surveillance to catch some baddies (although they certainly do not have a huge number of examples of it doing that - but whatever, let's pretend it does that to some degree). Where their "keep you safe" arguments start to fall completely apart is when we hold them up to the reality of all the ways it makes us "less safe" and what nefarious uses all that private data will certainly be put to by unscrupulous private, corporate, government, and criminal actors.
When framed in those alternate terms, the benefits proposed by law enforcement/intelligence community become highly improbable. Especially in light of the obvious detriments. And as they're a group of smart people, I can only assume they are very aware of these facts.
So that begs the question, what is their actual intent (vs their stated goal)?
[ link to this | view in chronology ]
Mispelling
[ link to this | view in chronology ]
Re: Mispelling
[ link to this | view in chronology ]
Re: Re: Mispelling
[ link to this | view in chronology ]
Re: Re: Mispelling
[ link to this | view in chronology ]
Re: Re: Re: Mispelling
[ link to this | view in chronology ]
Re: Re: Re: Re: Mispelling
Imagine if he left out the i.
[ link to this | view in chronology ]
Re: Mispelling
Okay, I searched for both 'diong', and for 'correct'.
I can find 'diong'. But I cannot find 'correct'.
[ link to this | view in chronology ]
Re: Re: Mispelling
[ link to this | view in chronology ]
Now that the FBI is operating as an espionage agency
Which is poetic, since the FBI really got started to combat the Mafia.
[ link to this | view in chronology ]
Re: Now that the FBI is operating as an espionage agency
[ link to this | view in chronology ]
Re: Re: Now that the FBI is operating as an espionage agency
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
A radicalized subculture consisting of.. more or less everyone who has any skill or knowledge to contribute to the subject.
[ link to this | view in chronology ]
Re: Radicalized
The choice of this word speaks volumes about the mindset of law enforcement and the Senators supporting them. They DO see it as Gov versus Tech. They aren't looking for amicable solutions, they want blind obedience or you're equal to a terrorist in their eyes.
[ link to this | view in chronology ]
Re: Re: Radicalized
[ link to this | view in chronology ]
Re: Re: Re: Radicalized
If the government says that 2+2 equals 5 then that's the new mathematical reality, yet those commie terrorist pirates continue to insist that it equals 4, in clear contempt of their betters, and despite assurances from the governments (which is always right of course) that if they'd just try harder they'd be able to change the old, non-government approved math to meet the new, government approved version!
[ link to this | view in chronology ]
Re: Radicalized
[ link to this | view in chronology ]
Re:
What nut cases they are!
[ link to this | view in chronology ]
/dev/null logging is common practice for a number of different types of providers.
MTTR increases when you can't keep them. So the fact that judges completely disrespect indirect composition (meta data) as a form of speech under the first amendment has real world expenses that are reflected in poor customer service, and higher maintenance costs.
Judges need to stop regarding digital composition as less worthy of protection than other speech. Yeah the volume is WAY higher, and yes it is often multiplexed and easier to get to. No that doesn't make the first amendment less relevant, it makes it MORE relevant.
Meta data is indirect digital composition. The fact that it is accidental (from the original communicator's perspective) does not make it less worthy of protection. Both antibiotics and vulcanized rubber were accidental composition. Would the same judges play diddle-nuts with the rights of the composers in THOSE cases?
This double standard is progressing more and more into the lives of normal every day people. They will resent it. And eventually they will rectify it. From the state's perspective, fixing this sooner will be cheaper.
[ link to this | view in chronology ]
The mere mentioning of this should be laughed out of the room together with those who proposed such a thing.
Here is an equally crazy suggestion: Put bombs on every plane, train, bus and other transportation so we can blow it up before the terrorists can hit anything if there is a suspicion of someone on board. This is basically what holes in encryption are: bombs just waiting to be misused.
[ link to this | view in chronology ]
Download book Applied Cryptography while it is still legal to do so
http://cacr.uwaterloo.ca/hac/
See this copyright information before downloading:
http://cacr.uwaterloo.ca/hac/about/copyright-notice.html
CRC press has granted the following specific permissions for the electronic version of this book:
Permission is granted to retrieve, print and store a single copy of this chapter for personal use. [ . . . rest omitted . . . ]
[ link to this | view in chronology ]
It's called blowback.
[ link to this | view in chronology ]
s/a nuclear/crypto cleared multi-engineer
[ link to this | view in chronology ]
Meanwhile in Bizarro world...
"The government's position on this is the same today as it was yesterday, and will not change. Weakening encryption is a foolhardy idea that puts everyone at risk, and is something that only criminals and those that wish to aid them would ever push for, as criminals stand the most to gain from it. The tech sector's demand that all encryption be deliberately flawed is completely absurd, and I honestly have no idea what could have led to such an insane idea.
Numerous individuals in law enforcement have urged us to push back strongly against this dangerous idea, making it very clear that weaker encryption, far from decreasing crime as various tech companies claim will instead lead to an explosion of crime, as countless devices and services become easy targets for malicious individuals.
Weakened encryption is a dangerous idea, and any crimes that it would allow to be stopped would be vastly overshadowed by the countless crimes it would enable. I can only hope the tech sector realizes this before it's too late."
[ link to this | view in chronology ]
Australia has forced log retention
[ link to this | view in chronology ]
Techies are selective about crippling things.
The most common example of this being sites gratuitously coded to be unnavigable or, increasingly often, unreadable, if you turn off Javascript. Try it. Turn it off and see how many of your favorite (noninteractive! I mean sites where you go, read something, and leave, not Facebook and Twitter and the like) websites render as a blank page, or a blunt message saying "turn on Javascript or we won't show you anything", and how many more are readable but the links don't work and/or all of the images on the page are missing.
Of course it's perfectly technically possible for such sites to work without JS. A div element with some text in it inside the body element. An anchor element with an href attribute. An img element with a src attribute. These have been around since the 90s and work just fine with JS switched off. So what's the deal here?
The only answer that makes any sort of sense is that the site is deliberately broken to force people to switch JS on, and the only answer that makes sense as to why they want to force JS on is that they want to run a script on your computer to do something you'll find annoying rather than a value-add. This tends to mean advertising -- and not just display advertising, which is easily done with img tags and server-side scripts to determine what ads to serve, or even targeted display advertising, since 1x1 transparent GIFs and tracking cookies also don't need JS. No, they want to do obnoxious advertising that is deliberately crafted so as to obstruct the visitor from doing what the visitor wants to do until they've acknowledged the ad in some way. That's the only motive that makes sense for trying to force people to turn on JS.
Of course, that just drives people to turn on both JS and an ad-blocker, which in turn drives the suits to demand the engineers cripple the site even more by adding anti-adblock boobytraps, which of course also require JS enabled in order to function, adding more motive to force visitors to turn on JS to see content.
So the engineers have shown that they are perfectly willing to degrade and cripple their own product, making it less useful and more annoying to users, if their paycheck depends on their doing so. Just not for random G-men who aren't their bosses.
[ link to this | view in chronology ]
Re: Techies are selective about crippling things.
[ link to this | view in chronology ]
Re: Re: Techies are selective about crippling things.
And code monkeys aren't exactly the ones leading innovation.
[ link to this | view in chronology ]
Re: Techies are selective about crippling things.
In your particular case, there is a solution. Download and put up a crawler, and then write a patch that detects and ejects sites with development practices you disagree with. Then post a couple of years later, IF you've finished. I'd love to see YOUR solution. Hell, kickstart it and I'll help fund it for christ's sake. Note that all the software required to complete such a task, is FREE, and was written by the same kind of people that you are bitching about.
Please stop being a minion for an aristocracy that is trying to focus fear and bigotry on technicians and scientists. They spread this meme to maintain control. You, by bitching instead of contributing, are helping create the leverage that results in the shit code you are talking about.
BTW if you put up with the shit we put up with, you would have already gone postal. The people you're complaining about are on your side.
[ link to this | view in chronology ]
Re: Techies are selective about crippling things.
There are plenty of sites that deliberately make their pages non navigable when you have ad-blocking software, etc, but the requirement for JS is real for many scenarios.
(Of course a company could write a less capable version of the site in static HTML in addition to the more interactive version, but it's twice as much work for something which will only impact a tiny fraction of users who are disabling JS in their browser).
Having said this - I personally recommend using privacy tools to minimize third-party tracking across sites, and ad blocking software. There are lots of options out there. I use Privacy Badger myself, and AdBlock Plus.
[ link to this | view in chronology ]
Re: Re: Techies are selective about crippling things.
This is true, but in practice (in my experience), 90% of the time that those approaches are used are in situations where they are not necessary.
I will continue with my current practice: disable Javascript by default. If a site doesn't work that way, and the site is not in some way critical to me, then I just won't go there anymore. If the site is critical to me, I'll take the time to determine which pieces of Javascript I will allow to run and which I won't. Usually, there's only one or two really critical bits.
[ link to this | view in chronology ]
Last I checked, especially regarding telecoms...
So yeah, some companies will sabotage the integrity of their product for sake of the government when the price is right.
Really, it's a short term gain for a long term loss.
[ link to this | view in chronology ]
Re: Last I checked, especially regarding telecoms...
Unfortunately, the "long term loss" is for society, not the companies involved.
[ link to this | view in chronology ]
Re: Techies are selective about crippling things.
And yes, pages being unreadable when JS is turned off is just that - a bug. There are plenty of fallback strategies for everything you can do in JS, however they take time and effort to code. Doing that coding for the quite small number of users that this applies to is not sound business practice.
[ link to this | view in chronology ]
Re: Techies are selective about crippling things.
[ link to this | view in chronology ]
Re: Re: Techies are selective about crippling things.
1. There's a slight security risk in activating scripts, even just for the domain serving the page you're viewing. If they get hacked and a script that loads an exploit kit gets added to their pages, boom.
2. The typical case doesn't work if you just enable the site's own scripts. There will be dozens of other domains with scripts listed in the unblock menu, and a lot of them will have *really* dodgy names, and one of the dodgier ones will often turn out to be the one that's needed to unlock the functionality of DISPLAYING SOME FREAKING STATIC TEXT.
For example, "d9f23ab948c01f3b.cloudfront.net". What the fuck is that? Malware domains often have large amounts of nonsense gobbledygook in them, just like that. At best it's a legitimate cloud hoster, in which case allowing scripts from it means allowing not just the scripts for example.com whose site I'm trying to browse but every *other* script hosted at that cloud hoster as well, including, in all likelihood, some malicious ones.
[ link to this | view in chronology ]
are erasers still ok on #2 pencils? or does govt want to see our work?
[ link to this | view in chronology ]
/s
[ link to this | view in chronology ]
I suspected as much, the silence is deafening
I seriously doubt that very MANY companies in ALL fields take it as seriously as they should be, yet they're quite willing to stipulate that a service or good only be purchased/exchanged for the ever growing list of our personal private data
Data protection laws are obsolete, outdated, and pitifully weak, and I'm sure there are those who want to keep it that way
[ link to this | view in chronology ]
Encryption is a must
[ link to this | view in chronology ]