I don't really see what there is to be upset about in this particular case. This is how investigations are supposed to be done, by the book.
The FBI has copies of the servers TorMail ran on that they legitimately seized in an unrelated investigation (the servers were also hosting child pornography websites).
In the course of another investigation, the FBI found that orders for forged credit cards were being sent to a TorMail account.
The FBI obtained a search warrant for that specific account and then accessed it from their own copy.
This is not trolling the seized database for anything and everything that might be illegal. This is finding probable cause from another source and obtaining a specific search warrant. This is how it is supposed to be done. Why would you expect anything less from competent law enforcement?
The FBI is not the NSA. FBI cases have to hold up in the light of open court.
If you are upset about the fact that TorMail was not in fact secure, well, that's on the TorMail operators and on the users for trusting the entity that controlled TorMail while knowing absolutely nothing about them. Remember, TorMail has nothing to do with the Tor protocol, and is just the name someone gave their supposedly secure and anonymous e-mail service that they hosted on the deep web. For all anyone knew, the FBI could have been running TorMail all along.
People are upset because of this new standard of "grab everything, put it in a 'secure' location and mine it in the future for past crimes."
The main concern is that something you did today may become a crime tomorrow, so now entire populations are apparently in the situation of Schrodinger's cat: we are both criminals and not criminals, and only the indistinct future will determine where we end up.
If you want a society where an individual is free to pursue their interests as long as they don't hurt anyone, it makes a lot of sense to have a transparent set of rules that are applied equitably to every citizen, regardless of their demographics or background.
If you want a society where the individual is completely at the whims of mysterious and unknown forces that can destroy their life utterly for no apparent reason at all, well then carve out special exceptions for some while reserving harsh punishments for others. Introduce secret courts, evidence and trials... Institute a "permanent record" of someone's behavior that can be used to manipulate them as desired. Break the well-thought out control systems that help avoid abuses all to make "LEO easier."
I'm assuming every experience you've ever had with law enforcement is positive?
What you have said above is correct, however it is not the "main" concern. There are numerous concerns. That is one key one. Since I have not seen others post other key concerns, I will also contribute an additional concern:
Sensitive data left lying around are/is very tempting to use for illegal economic and blackmail gains. The FBI in particular has a pattern of getting indicted for re-selling sensitive data, even before massive amounts of "seize now, convict later" was taking place.
> Ex post facto laws are unconstitutional in the US.
The Fourth Amendment protects US citizens from unreasonable search and seizure. Clearly that is being violated as the recent ruling on NSA data collection has pointed out.
Not according to a US District Judge who granted a preliminary injunction against the phone spying. Please don't parrot the politicians who claim legality. The fourth amendment is clear enough to prohibit this government conduct.
One says yes, one says no, so therefore it is still up in the air. Until there is a definitive ruling on the matter you can't claim it is illegal...it is still a gray area until something like the Supreme Court definitively rules one way or another.
While a gray area, it is still legal. It's only illegal when the courts say it is, so de facto it's legal. That's a pretty basic property of the US democratic system.
You're confusing "innocent until proven guilty" with a constitutional law question. There is no "presumption" that the executive branch is operating lawfully.
Different courts have reached different conclusions on this matter. It will probably end up in the Supreme Court at one point. Until then, various three letter agencies will treat it as if it is legal and act as if they are immune from consequences of abuse (which they are, presently).
There is more subtlety in this case. The NSA has interpreted the law in a specific way which justifies their activities. If the Supreme Court later determines that interpretation is invalid, they most definitely can be convicted of a crime. If the Supreme Court instead determines that their interpretation of the law was valid, but that the law itself was unconstitutional, then ex post facto protection would apply.
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized
> No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation
> In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence.
> Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted
Not sure what this is trying to prove, but it has been ruled long ago that metadata (the phone call records your carrier generates on your behalf while you voluntarily use their service), which the NSA is collecting, have never belonged to you and are legally available to be collected by a 3rd party.
That ruling applied to a very different situation than anything under discussion here. For one thing, the metadata was collected for only one subject, not 250 million at once.
The misinterpreted quotes from the Constitution above are trying to state that metadata that ATT generates about your call history somehow belongs to you and is not available to be collected by a 3rd party. This is incorrect.
> The Fourth Amendment protects US citizens from unreasonable search and seizure. Clearly that is being violated as the recent ruling on NSA data collection has pointed out.
In other words, clearly, The Fourth Amendment does NOT protect anyone from NSA's violations.
That page is about 95% bullshit. For example: the establishment clause prohibits the government from establishing an official religion or preventing the free exercise of religion. It doesn't prevent the government from simply monitoring religious and political groups that may be associated with illegal activity. That argument is ridiculous on its face: if the 1st amendment guarantees freedom of assembly, and gangs are assemblies of people, and monitoring is the same as restricting the freedom, does that mean the government can't monitor gangs? We know that's not what the 1st amendment means for the simple reason that the U.S.G. has performed internal counter-insurgency from the very beginning, and those practices were overseen by many of the same people that drafted the Constitution.
There are not a "lot of unconstitutional practices" that are law in the U.S. There are a lot of people who read the words in the Bill of Rights extremely broadly and without historical or legal context, and then put up poorly-designed web pages about all the "unconstitutional" things they have discovered.
I don't disagree with your overall point, but "We know that's not what the 1st amendment means for the simple reason that the U.S.G. has performed internal counter-insurgency from the very beginning, and those practices were overseen by many of the same people that drafted the Constitution" is not strong evidence. The Alien and Sedition Acts[0] were passed in 1798 and were signed by (Federalist) John Adams. The next (Democratic-Republican) president, Thomas Jefferson, opposed them enough to pardon people who had been convicted under them, but then proceeded to prosecute several of his critics under the Acts before they expired. So yeah, a surprisingly bad beginning for free speech in the US.
I wasn't aware of any Constitutional rights that I as a US citizen should feel like I should actually have. I just know that I can't complain about it or upset the people in power, or else I'll be killed, put in jail without cause or trial, or have my property confiscated.
The thing is the enforcement mechanism against unreasonable search is the state loses at court. If the state never brings a case they have more freedom. This is also the reason why the police need not advise you of your rights before interrogating you if they don't plan to charge you.
If the feds bring unrelated cases based on these seizures I'm sure the admissibility of the evidence will be the main thing being argued in court.
Great, so you've read a blog and you learned a word. Good for you. There's still no civil opportunity to challenge government behavior in a vacuum. Article III Section 2 requires a "case or controversy."
You're trying to have it both ways. Maybe we shouldn't worry about parallel construction because it's harmless and would never send any of us to prison, and maybe we shouldn't worry about it because there's nothing we can do to stop a determined governmental bad actor, but you can't claim both, clearly contradictory, propositions in the same thread.
The point is that FBI cases go to court. You're not going to be prosecuted in a US court for something that was legal when you did it and illegal when it was found out.
My point is that once you start tolerating unconstitutional laws you undermine the whole purpose of the constitution. It must be the supreme law, or it's just another easily bypassed piece of legislation.
A person has no constitutional rights, he has natural ones. In other words, a piece of paper does not grant anyone any rights, not even the right to extort people (ie. to tax them).
What kind of things you can voluntarily, bindingly agree to is another matter. I just wanted to point out that the constitution has nothing to do with our rights as human beings, and can't remove or grant any. It's wrong to think about rights as something the government gives you - actually the government only violates them.
A total absence of government would be just as destructive to your natural rights as a government with too much power over its citizens. The government didn't grant you the rights, but in some situations it's very capable of preserving them.
There are two main problems with the United States, the first is that too many of us are ready and willing to trade personal freedom for economic and physical safety. The second is that we allowed money to control politics.
People don't actually have natural rights, if you're using the common definition of "natural".
The only thing that's natural are the laws of nature, otherwise known as physics, and there is no law of physics that prevents me from torturing someone.
> The only thing that's natural are the laws of nature, otherwise known as physics, and there is no law of physics that prevents me from torturing someone.
Good thing I didn't imagine the idea of rights would physically prevent you from torturing someone. Basically, rights are an idea meant to help us in drawing boundaries between what's acceptable behaviour and what's not. But it's got nothing to do with the government, and everything to do with reason, logic, consistency and common sense. A government or a piece of paper can't grant any rights or take any away, and in fact, governments only violate our rights.
I understand people who have an issue with the "grab everything" mentality. But, from a technology point of view, how else do you do it?
Imagine you're the FBI IT guy. How long do you think it would take YOU to walk into an unknown datacenter, locate the specific computer / IP address referenced in the warrant, connect to that computer and copy just the minimum amount of data necessary to prosecute said bad guy (just his e-mail .mbox file? or is this a Windows shop... grab the pst? What about backups? What about his contact list? All this just for e-mail!)
Often times he probably doesn't even know the specifics of the case. Maybe just let the local DataCenter guy copy the data off for you, right? Well, hopefully he's honest and not involved in the crime.
The fact of the matter is, it is 100x easier to walk in, grab the servers of interest and walk out. If the FBI IT guy is smart and prepared he just brings tools to remove the hard drives from the server, copy them and put them back. BUT, if there's child porn, contraband, etc. the FBI is NOT giving that computer back any time soon. Doesn't matter who owns it.
So because of an overly-broad warrant, or lack of training, or vague suspicions or even the mere chance that your data happened to be stored on the same box as Criminal A, we should just allow the FBI to violate the Constitution?
Reductio ad absurdum with your argument and we should just let the FBI run all internet infrastructure, because it is expedient for the FBI, it makes life easier on the FBI, and they can inspect your data to their heart's content. It is a much preferable situation to the one where an FBI agent has to do something complicated.
Nowhere do I see you advocating for the innocent whose rights are infringed upon.
The Constitution specifically states "unreasonable search and seizures". I did not say it should be easy for the FBI to collect. I specifically was referring to "reasonable". Again, if you were tasked with collecting this data, how do you do it reasonably? Sometimes the most reasonable thing is to simply copy the hard drives the data is living on.
The reasonable here does not mean what's technically easiest or reasonable for the government, but what a reasonable violation of the suspects' or innocent people's privacy is, in light of the suspected crimes.
Grabbing the servers is easy, but arguably because so much unrelated data could be on a shared server these days, it's unreasonable to just grab everything. Many other people are affected, and unrelated data is collected and evaluated later for purposes unrelated to the original collection purpose. This circumvents a reasonable expectation of privacy, and strongly shifts the balance of power from the regular citizens to the agency hoarding the data. Especially in light of the plea-bargaining justice system in the USA, where the data can be and is used to threaten and coerce, this is worrying.
Right, technical details aren't the real issue. Ultimately, the govt has to earn back the trust it has destroyed, or face rebellion. That's how trust works.
> it makes a lot of sense to have a transparent set of rules that are applied equitably to every citizen, regardless of their demographics or background.
It sounds like your response is based on broad ideological convictions that have little to do with the commenter's argument. He or she is arguing that the NSA is not equivalent to the FBI because the FBI, in this case, did follow established procedures to obtain a conviction.
> If you want a society where the individual is completely at the whims of mysterious and unknown forces that can destroy their life utterly for no apparent reason at all, well then carve out special exceptions for some while reserving harsh punishments for others.
In order for this comment to be relevant, you'll have to establish how it relates to the details of this case.
Has that ever actually happened? Person did X, X later became illegal, and Person was prosecuted for doing X because of a digital footprint left behind while doing X?
If they are using it with warrants only then I agree there is nothing wrong as long as they can't keep the data permanently. There needs to be a reasonable point at which the data is destroyed. My other expectation is that the data is not available through a network and is in an evidence room that requires two people to access.
My primary concern is the now known strategy of parallel construction. The FBI could be trolling the emails for crimes then using that illegal evidence to find ways to get a warrant to allow the previously illegal evidence into the case.
If this was a FedEx distribution center that had been seized it would have been treated very differently. They would have collected the mail pertinent to the case and the rest would have gone away. If they were to confiscate the whole building holding all of the mail for a later time in case they needed it there would be a huge backlash. But because it was email and we haven't set ground rules most people don't bat an eye, even if it's their mail that's been taken.
As a parent it's really difficult not to be supportive anywhere child porn is involved. It's an issue that is so emotional for me that my first instinct is that I would give up everyone's privacy in the hopes of putting a dent in the abuse of children. Even if it only saved one child, emotionally, it would be worth it to me. Logically I realize that once these systems are in place there is no stopping them, and they will be used for everyone else's emotional/political hot button. I only bring this up because having the reaction I do allows me to understand what other people are feeling when the issue is around terrorists/hackers/fraud/whatever.
My understanding is that they collect scan copies of massive amounts of mail meta-data. Specifically the stuff on the envelope, but not the contents within. The contents within are highly protected and would require a warrant. The problem with e-mail is that it's really difficult to analyze the metadata without also capturing the e-mail content.
The issue I have with this is that there's no such thing as "by the book" Federal investigations anymore. Snowden showed us that US intelligence agencies are using illicit, warrantless means of obtaining information and then providing that information to law enforcement agencies. Those agencies then go to judges and request warrants, and they can prove that the warrant is justified because they already have the damning evidence that they're legally supposed to require the warrant to get. Which renders them meaningless on a federal level.
How do we know that this is what has really happened? On the surface this seems to be possibly a case of parallel construction, in which FBI found the emails on TorMail first and then asked for a warrant for the GMail mailbox to get enough evidence to get a warrant for the TorMail one. Is there a reason why this is impossible or improbable?
I was ready to be super upset when I started reading, especially about indicting someone on an unrelated case from the data - but then I read that they got a warrant and did everything the right way and I was completely surprised that we have competent law enforcement that does things the right way.
That shouldn't have been a surprise, that should have been expected.
You don't have to be upset to think that this is interesting! Indeed, it's a very different face of "data changes law enforcement" than the NSA story. Whereas NSA has a specific mandate, FBI can use anything seized for a broad variety of uses. This may always have been true, but the scope of the seizures has increased now that they can include entire server copies, which host many different services. It's a dramatic increase in prosecutorial power (which may or may not be a good thing, I'm not making a case either way).
It's also not clear to me (maybe it is to others) where the limit on seizures is. In the extreme case, AWS is used for all kinds of criminal activities. Can FBI seize copies of AWS, and then with warrant go back and get evidence for other investigations? I doubt they would try, but somewhere between this extreme and the child porn server extreme is some sort of inflection point, both practically and legally.
{EDIT: I really hope people were risk assessing and choosing an appropriate provider. Sadly, many people weren't and were choosing what they thought was secure. This is why the newer crypto tools get a lot of hostile scrutiny. Not because people don't want them, but because they have to operate in a hostile environment and consequences of failure can be severe. If prison is a risk you have a lot to learn about encryption and privacy.}
There should be legal controls over what information is seized. Requests should need a warrant, signed by a judge. "Accidental" seizures of too much information should be reported to the body who provides scrutiny and oversight.
Some of those accidental seizures should be criminal offences and lead to punishments for the agencies involved. (Or the individuals).
While the UK has a lousy record on this (with bizarre interpretations of law so spies can say they obey the law) the reports from the scrutineers are interesting reading.
Some parts of the UK government use statistics carefully and they have real statisticians available to produce and review the charts. This document? I'm not so sure. While the raw data can be trusted the use of pie-charts is usually a flag for me, and this document does include a few of them.
It sometimes amazes me how naive people are. The reality is that since the Patriot Act, the entire intelligence community has had access to any information they need. One needs to be delusional to think that they do not already have access to your emails, browsing history, phone call conversations in both audio and text versions, mapping points of where you have been throughout the day. They collect a very wide net of data that they can later scan through for any reason. And no, that data isn't deleted after a certain time frame.
Why are articles like this so shocking?
Have any of you guys had IQT reach out to you, the CIA's investment arm? They are very active in finding tech companies that can decipher this data, profile everyone automatically, categorize people, and try to predict their next behaviors.
While investigating a hosting company known for sheltering child porn last year the FBI incidentally seized the entire e-mail database of a popular anonymous webmail service called TorMail.
Now the FBI is tapping that vast trove of e-mail in unrelated investigations.
I think the reason people are opposed to PC is the same as why people are opposed to insurance companies knowing too much - we don't want them to perform their job (identifying crime, keeping a good probability distribution of bad events over population) in an optimal way, because the more wrong they are (to a limit), the more society benefits.
I'm not sure what to think of it; it's just an observation.
Also reminds me of an idea I read somewhere that the ability of law enforcement, judges, etc. to "look the other way" instead of following the rules to the letter is the grease for the engine of law - the rules are not perfect and they'd do a lot of damage if followed precisely.
PC is based on a perversion and subverting of the Constitution. There's no way to argue around that.
Among the reasons I argue so strongly against it is because I've seen how very similar methods work, myself, direct personal experience. Oh, and I was the party benefiting from the disclosure. Turns out that virtually all of what we had was in fact legitimately obtained.
As for the insurance argument: what state do you live in? Do you have your car smogged? Are you aware that your smog data, which comprises a rather detailed data record, is sold in several large states (California and Washington, off the top of my head, along with a few others) to ISO, the Insurance Services Office (descriptive name, no?), a division of Verisk, to rate your auto insurance. See:
So, the question is: were you made aware of this when you brought your vehicle in for smogging? Did you realize that the dataset was 1) being collected, 2) being sold, and 3) could materially impact your insurance costs?
Moreover: what's the equity here? Yes, as it turns out, miles driven is a significant statistically correlated risk factor in insurance costs. But what is the social purpose of insurance, how should those costs be allocated (often it's the less financially able who drive further to work because they cannot afford to live nearer their jobs), and what are the social equity effects of a hidden pricing and rating factor?
Yes, insurance companies can perform useful functions. They're among the leading business voices for climate change risks, as the underwriting costs directly affect them. Insurance underwriting has either directly or indirectly supported huge improvements in workplace and product safety. Where it used to be possible for companies to argue that negative outcomes were "accidents" and "acts of God", comprehensively compiled incident statistics correlated with causal factors showed that specific patterns of behavior, design, use, etc., were predictably associated with accidents, damage, injury, and/or death.
But gathering that information in a covert fashion strikes me as fundamentally unjust.
> "As for the insurance argument: what state do you live in? Do you have your car smogged? Are you aware that your smog data, which comprises a rather detailed data record, is sold in several large states (California and Washington, off the top of my head, along with a few others) to ISO, the Insurance Services Office (descriptive name, no?), a division of Verisk, to rate your auto insurance. See:"
So here is a question: the last time I had my car's emissions checked in Washington state, my car reported that it was not ready to report its status because I had disconnected the battery a week before, apparently resetting the stuff that it needed to report. I had to drive around for two hours on the highway before going back to the emissions place to have it re-tested.
Is there any value in unplugging the battery shortly before getting your emissions checked?
The reason why people oppose parallel construction is that a) the methods used to gain the original information are illegal, and b) the acts then used to convince a judge of the evidence are a lie.
We don't want a government and law enforcement that route around the Constitution.
The potential for abuse goes up faster than the potential for good law enforcement, because more people are innocent than guilty. Data should only be collected when necessary for an active investigation.
I kinda think the problem is the other way around; everybody's guilty of something, but most of what they are guilty of, prosecution is actively against society's best interest. Our legal system theoretically recognizes this as a problem, in practice it doesn't. The more information is collected, the more irrelevant infractions the government has at hand to do with as it pleases.
I wouldn't automatically assume that most people are guilty, and in fact our justice system is explicitly not allowed to make that assumption.
Law enforcement is not an end in itself, it is only one of the tools a government has available. There's nothing in the constitution that says "you must prosecute as many people as possible".
I don't mean guilty in the sense that a court has convicted you; I mean, everybody has done something that objectively breaks the law, and the more information the government collects in general, the more likely it is that they have something on you, with probability rapidly approaching 1.
For instance, if a friend on Facebook cross-site posts a photo that they don't have a license to, you've broken copyright law by downloading it too. Again, nominally, convicting you requires "criminal intent", but this has been getting weaker lately too. This is just an easy example; there's a lot more and many worse ways they can get you, but this is an example where probably everybody on the Internet has a record of many of this sort of violation on file somewhere in the government right now.
"Law enforcement is not an end in itself, it is only one of the tools a government has available."
And it was never meant to be a tool that the government had at hand against all of its citizens, but if we aren't there now, we will soon.
Defining people as "guilty" or not is hair-splitting. Credibly likely of being prosecuted of some infraction of the law is an accurate description, and frankly, it's not necessary to go that far. In most cases, the bar of passing grand jury review is sufficient to create all measure of hardship for someone: negative press, asset seizure, jail time, family and business disruption.
> I wouldn't automatically assume that most people are guilty
US of A already officially admitted that they've lost track of all the federal laws they have, so it's pretty sure at this point that everyone would be found guilty of breaking some obscure, forgotten rule that happens to be in force, if prosecutors would look hard enough.
In 1982, the Justice Department got sick of the scattered laws and, to show how ludicrous the situation was, they tried to organize them. After estimating ~3,000 criminal offenses, they gave up. http://online.wsj.com/news/articles/SB1000142405270230431980... The protest fell on deaf ears, Congress did nothing to clean up the criminal code, and no one has seriously tried it since.
According to the article they did not look at the other data in the database until they had a warrant to do so. And they didn't obtain a warrant until a different investigation pointed at a tormail account.
Surreptitiously mine database for incriminating information.
Build case. Apply for warrant.
Oh look, surprise surprise, the warrant turned up something.
Yes, if we trust law enforcement, blah blah blah. The point of having checks on government authority is so you don't HAVE to trust government. Government is not to be trusted; it is to be kept in check. Your safety, your rights, should not be contingent upon trustworthy officials.
That's an accurate comment to make, yes. They know that you correspond with people who use Tor. See how this can escalate? I think we are (hopefully) all agreed that chasing down people who use the web for wrongdoing is acceptable for the govt to do - but the collateral damage is where the problems can lie - the potential for "guilt by association" here is monumental.
Excuse my lack of knowledge in terms of mail encryption, but wouldn't the knowledge of communication be enough to warrant further investigation, even if the text itself is encrypted?
Well, yes... but then, by openly encrypting your traffic, you would be stating that you are a law-abiding, technically sophisticated citizen, willing to provide decryption keys to legitimated law enforcement officials with an appropriate order.
People with real secrets to hide ought to escalate to steganography + subliminal channel communications.
Email is one of the really worst security risks regarding exposure to false accusations. It's even worse if you consider prosecutors who are more interested in statistics and career than justice and truth.
Almost everyone has hundreds of thousands of emails lying around. All in your name, all forever stored, all with a legal signature on them binding you, and each with a short text message with no context. It is very often used as evidence, attached with a conjecture provided by the prosecutor. The defendant is then forced to try to defend themselves both regarding the conjecture, but also having to remember and explain the original context.
It has been used in a profile case to "prove" conspiracy, and has also been used by prosecutors to move public opinion by providing snippets (officially sanctioned leaking) to media.
This is why I view running an email server without full disk encryption to be negligence, and that everyone should have their own mail server. Until the legal system has caught up with technology, there's not much more one can do.
E-mail was actually designed to just copy a message file from the sender's computer to the receiver's one; it is sad how it evolved into a plaintext database of private stuff hosted by third parties.
OT: Let me propose that link titles now replace link-baity parts (i.e. "This Secure Webmail Site") with specific data where available (i.e. "TorMail").
> Now the FBI is tapping that vast trove of e-mail in unrelated investigations.
Wait - can they do that? Why can they do that?! Isn't that like a fishing expedition? Now they're just looking for crimes from that database trove? I've never used TorMail but screw everything about that!
This is why we need to pass some strict laws against mass collection of data, and against using data in "unrelated investigations".
I've been called out by no less than a Linux evangelist, working at Google, for being so rude as to PGP-encrypt my email to him "because it was such a hassle to open".
When the ICIJ was doing its extensive collaborative investigation of offshore banking, the team evaluated using PGP, but ultimately abandoned it:
> The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not.
What's hard about GPG or S/MIME-encrypted mail? You set up the thing to integrate with the MUA once (in GPG's case; S/MIME is supported out-of-the-box with most common desktop MUAs), then the only hassle is to enter a password on startup or when reading the first message. And lock the computer properly when you're getting away.
Write a message, tick "encrypt" (or don't untick it), send, done.
Receive a message, see a badge "encrypted, verified", type a password (if key's not cached before), read it as usual, done. I fail to see how anything can be easier and less obstructive than this.
At least, my only problem with encrypting email is that practically none of my peers have keys published. This could be easily solved if mail client software vendors could make their products ask the user to generate and back up a keypair on install.
Oh, right, encryption has problems with webmail. Extension/userscript kludges are insecure (unless they open separate window/tab for anything private) and break with every other update.
I'm with you. I've had mutt set up to use PGP for ages. I've configured a half-dozen or more other MUAs to use PGP/GPG. If I've got an MUA that doesn't support PGP, I can do ASCII armor encryption and decryption easily.
That's you and me, the geek set.
The Google guy I mentioned: he's just as versed. And yet, felt he should give me grief.
If you've got a Linux desktop, odds are that the tools you need are integrated. Congratulations, that's ... about 0.5-3% of all desktops depending on whose numbers you trust and/or like.
And an increasing number of users are now on smartphones and tablets. Yes, I've got K9Mail, but I've received no, and sent very few, encrypted emails.
In corporate environments, you get the tools you've got on a standard desktop and that's it. I've had a hell of a time convincing engineering and dev teams to create and use PGP/GPG keys and/or use SSH key authentication rather than passwords. I've been at shops recently which still use rsh (and had the pleasure of giving the solution to a user creating large numbers of client sessions: oh, yeah, SSH doesn't have the 512 max outbound connections limit that RSH does due to its privileged port use). Sigh.
Key distribution is a huge part of the problem. In large part it's what PGP Corp (now part of Symantec) addressed with its appliance solutions: a box that creates, signs, manages, and automatically applies keys for users. I don't exist, and yet I've got a key published (and embedded in my G+ profile coverphoto). Oh, what the heck, let's add it to my HN profile.
As you note: webmail, mobile, smartphone, and Windows are all problematic. But more than that: people don't fundamentally understand the technology they use (part of a much larger rant and topic), and this stuff confuses them utterly.
I'm not sure if you mean what's so hard for a "Linux evangelist" or in general. Linux probably has the best and easiest GPG integration. In general, encrypted mail is practically useless for everyday communication and provides little real benefit. Unless you only communicate with Linux experts, 90%+ of the people you're talking to likely don't even know what a "MUA" is. I use GPG for transferring sensitive data (passwords, API keys) occasionally to the rare few clients that have GPG, but the rest of our emails are still sent unencrypted. Why?
Encryption requires everyone in the thread to support it. Need to CC in the C-Level exec on something? Good luck getting them to set it up in their Outlook and use it properly. Even with my help, it took a good 30 mins to set my dad up with GPG on Windows/Thunderbird. You have to figure out which software you need, and the nomenclature for key generation etc. is different in each program.
Encryption breaks search, at least in Thunderbird. You can't search through the encrypted messages and they aren't indexed. This makes sense if you're sending very sensitive data perhaps, but for general business correspondence it reduces productivity. There's an open bug in Enigmail by a user who saves every email in plain text to use regular file search tools. That's useless.
There's the aforementioned webmail. Tons of people only use webmail, and there's no way to interact with them. More importantly in my book, encryption breaks mobile access. Sure, there are addons for GPG on Android, but I don't trust my private key on my phone. In the near future there may be some way to use a YubiKey with NFC for passing in the private key, but that brings in its own set of problems.
Lastly, it's the cost/benefit that really keeps encryption use from being widespread. It costs you time in getting each contact you use to use it, time dealing with being unable to search, time setting up your phone to securely access mail, unable to use webmail at all, and for all this you really only get two benefits: prevention of e-mail interception by intelligence agencies or internet backbones, and prevention of access to your mail by your e-mail provider. If I'm not concerned about these, just using proper TLS access for IMAP/SMTP prevents anyone I'm actually worried about (wifi interceptor, bad ISPs) from reading the mail. For mail inside an organization with their own mail server, mails are never unencrypted anywhere other than on company-owned equipment, with TLS in transit.
Doing encryption right is hard; for 99% of email the threat model just doesn't justify the expense in time and headaches so the NSA doesn't know there's a conference call at 11am tomorrow or that you should call grandma tomorrow because it's her birthday.
And this is nothing new: "In 1862, Lincoln authorized sweeping control over the American telegraph infrastructure for Edwin Stanton, his secretary of war. Telegraphs were re-routed through his office, and Stanton used his power to spy on Americans, arrest journalists, and even control what was or wasn't sent." Source: http://www.theverge.com/2013/7/6/4499636/how-lincoln-used-te...
There you have it: The US government has been using NSA-style electronic surveillance to spy on its citizens since at least 1862. So do you really think anything's going to change now all of a sudden?
If the French hosting service was really OVH, it would be quite strange that a Polish refugee fleeing for political reasons would take part in a large-scale spying operation. But since they are now operating in the US, I guess they have no choice but to look like nice little soldiers.
As long as people think the issue is technical only, they'll keep choosing providers that cannot hold the promise they make. Legislation and local provisions should be very high on your list. So far, Switzerland seems like the best legislation of choice according to this article: http://arstechnica.com/tech-policy/2013/12/switzerland-wont-...
Of course the author seems to disagree, especially when you look at the title, but that seems only because of some odd fascination with gag orders which seem largely irrelevant in real life as several comments have pointed out.
Seize it all now and justify it [or not] later. Makes sense. Maybe we should all just go to jail now and wait to see if the government finds a 'lawful' reason later for us to be there.
If HN is going to be a nexus of discussion on the FBI and NSA, it needs to understand the "social engineering" programs going on, and take steps to out astroturfing.
Unless I missed it, the FBI still hasn't disclosed how they tracked down the physical server. The FBI said it was "located in a country with an arrangement with the US, who gave us access", but remained intentionally vague and said nothing more. Can they really use that data without disclosing how they got it?
The site was heavily associated with small-time trading of drugs and weapons and whatnot. While US law might be overly harsh on the criminals, I can't really bring myself to feel bad for the half a dozen people who had any substantial legitimate traffic on the server.
So having the private communications of innocent people compromised as collateral damage to an investigation of a few bad people is ok now? They have servers full of communication logs and only a handful of people have been charged with crimes based on that information.
People who used TorMail with their real name and/or without PGP are naive and clearly have no idea what they were getting into. If the NSA has a huge amount of PGP's well... who cares? :-)
Parallel Construction, anyone? They just happened to be executing a search of his gmail account and certainly hadn't looked over this trove of emails from people trying to be secretive?
"...we had to oppose their application to preserve our own ability to protect our own games. Otherwise, it would be much easier for future copycats to argue that use of the word “Saga” when related to games, was fair play."
That's disgusting. "We use the word saga in more than one of our games, therefore it's our game word and it's unfair if other people steal that word from us." ...