Hacker News

1.) ...

2.) Isn't this like saying Python doesn't add any new programming capabilities over hand written assembly? Having full-take data in a database, all in one place under the hands of one agency DOES constitute new surveillance.

Also to be clear the XKEYSCORE program uses metadata to search but will return full content in the query response. It is a database with full-take data.

3.) http://fas.org/irp/agency/doj/fisa/fisc0912.pdf&ved=0CB4QFjA... resolves to http://fas.org/404-not-found/ for me. From what I can tell, however, lots of upstream collection has happened during the Obama administration. Would you care to provide another link?

4.) Covered in 2.

5.) Agreed about his link. Let's talk about this one. http://www.theguardian.com/world/interactive/2013/dec/18/nsa...

6.) They are recording the data. But they presumably delete it if it isn't related to their case. It is known that there are no formal safeguards - the deletion of data is enforced merely by policy.

7.) Again we need a new link. But I don't understand how shutting down of upstream data collection could imply no assistance in parallel construction. Could you expand?

8.) ...

9.) You can use the threat to persecute journalists, which is what I believe the parent is talking about. Furthermore other laws are used in its place (e.g. Risen).

10.) > The Obama Administration continued to lie about the programs. The Obama Administration continued to refuse to admit their existence. This is all continuing right now.

Do you agree with these sentences?

> The Obama Administration massively expanded all surveillance programs.

I think the parent is speaking generally about the growth of the budget and capabilities of the NSA during the Obama Administration including the Utah Facility, the renewal of the spying programs and Patriot Act by the administration, and legislature that would have (had it passed) expanded the NSA's ability to look directly at content without having to make requests to corporations.

11.) Back to 6.



I remember you. You're the paranoid conspiracy theorist who shows up in every surveillance post making wildly inaccurate claims. I'll humor you again and stick to one of your stupendous claims: that the stingray devices record all the data sent from every connecting device. Where is your evidence? All the released documents show that it is used to home in on the location of a targeted subscriber, which can be done without recording anybody else's data. Why would they have added the extra technical and legal complexity of doing what you so nonsensically claim?


> I remember you. You're the paranoid conspiracy theorist who shows up in every surveillance post making wildly inaccurate claims.

I encourage anyone reading this thread to look up lern_too_spel and my previous encounters and decide for yourself.

I would suggest this one in particular (https://news.ycombinator.com/item?id=8513528). I would add the "Biden Bill" S.266 to the list of things in the top comment.

"It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law." - http://thomas.loc.gov/cgi-bin/query/F?c102:1:./temp/~c102y44...:

I would also add 18 U.S.C. § 2703(f): "Required disclosure of customer communications or records" - http://www.law.cornell.edu/uscode/text/18/2703

> I'll humor you again and stick to one of your stupendous claims

How about replying to all of them? In previous threads it was very common for you to pick one fact and fixate on it ignoring the others. I would much rather have a discussion about all of these points.

> All the released documents show that it is used to home in on the location of a targeted subscriber, which can be done without recording anybody else's data.

Please link to said released documents. The Wall Street Journal, which broke the story:

http://online.wsj.com/news/article_email/americans-cellphone...

"The technology is aimed at locating cellphones linked to individuals under investigation by the government, including fugitives and drug dealers, but it collects information on cellphones belonging to people who aren’t criminal suspects, these people said. They said the device determines which phones belong to suspects and “lets go” of the non-suspect phones."

"Also unknown are the steps taken to ensure data collected on innocent people isn’t kept for future examination by investigators."

"Within the Marshals Service, some have questioned the legality of such operations and the internal safeguards, these people said. They say scooping up of large volumes of information, even for a short period, may not be properly understood by judges who approve requests for the government to locate a suspect’s phone.

Some within the agency also question whether people scanning cellphone signals are doing enough to minimize intrusions into the phones of other citizens, and if there are effective procedures in place to safeguard the handling of that data."


Thanks for pointing people to that thread. It shows another one of your crazy claims thoroughly debunked by tptacek and myself that you couldn't be bothered to correct yourself about. That's why it's pointless correcting you. If another user cares to discuss these issues, I'll gladly take them up on the offer.

As for my documents, you linked to the canonical document that broke the story itself. You even quoted the part about how it most likely works. "They said the device determines which phones belong to suspects and 'lets go' of the non-suspect phones." The rest of the article consists of evidence-free speculation about data collection that is not necessary to perform the task that the device is required for.

I'm done. Thanks for the link to the previous conversation. I'll just repost that the next time you respond to one of my comments, so everybody will understand why I won't bother to correct your points.


You failed to link to documents (again), failed to reply to all items (again) and selectively quoted content (again).

"it collects information on cellphones belonging to people who aren’t criminal suspects"

"unknown are the steps taken to ensure data collected on innocent people isn’t kept for future examination"

"scooping up of large volumes of information, even for a short period, may not be properly understood by judges"

"Some within the agency also question whether people scanning cellphone signals are doing enough to minimize intrusions into the phones of other citizens, and if there are effective procedures in place to safeguard the handling of that data."

> If another user cares to discuss these issues, I'll gladly take them up on the offer.

@adventured, the ball's yours.


I don't know much about either of you but would like to add here that you were --- no harm, no foul --- comprehensively wrong about CALEA. The law itself refutes your claims about its impact on software companies, right up front in the "definitions" section.


Haha, thanks Thomas.

I'm half in agreement with you about CALEA, but think the thread missed the larger point. Forests and trees and all of that.

If one were to take my point as a specific claim about only CALEA and as a specific claim only about key (and not data) escrow under a strong letter of the law reading, then yes most certainly I was wrong.

However this interpretation of the thesis is/was an injudicious one. There are laws requiring plaintext access to communications records and computing services records upon lawful request. CALEA does have a section on this (focused on telecommunications, which have been expanded to include digital transport such as VOIP technologies), as does 18 U.S.C. § 2703(f) (which does apply to digital services such as cloud technologies), as do others.

The thread fixated on CALEA - yet from the beginning my thesis was about a constellation of laws and the interpretation of these laws under EO 12333 and the Third Party Doctrine, current political climate and the real world pragmatic implementation of policies in tandem with the private sector (e.g. telecoms in America today do not provide strong escrow-less crypto).

From what I can ascertain for large providers the Department of Commerce streamlines the process. Telecommunications have been streamlined since the late 90s. Internet services are still in the process of being streamlined - PRISM was one of said programs. For smaller providers requests/demands are run when the value of ends supersedes the cost of means. Lavabit is an extreme example of how leverage has been applied to acquire plaintext access to communications.


If a law exists that requires a software company to retain the capability to provide plaintext transcripts of encrypted messages, and to provide those transcripts on demand, you've been unable to provide any citation to it.

Lavabit is exactly the problem with your analysis. The core problem of Lavabit wasn't that the government compelled Levison to retain the ability to decrypt messages. No, Levison chose to do that, because the market punished real secure message providers for forcing users to install software. (a) If you have the ability to decrypt messages, (b) the government is allowed under current law to exploit that. Now Levison's defenders want to point the finger at the DOJ and surveillance law, insulating him from the consequences of his own (frankly) terribly irresponsible decision to expose his users' secrets in exchange for market share.

The original citation to CALEA which people "fixated" on was yours. Your claim was that CALEA compelled software companies like Apple to backdoor encryption. It does no such thing.

No law exists preventing anyone from building a truly secure messaging service. TextSecure and Silent Circle are doing it out in the open right now. A disinformation campaign suggesting otherwise would be harmful to end-users.


What do you think about 18 U.S.C. § 2703(f)?


I think that it says nothing whatsoever about encryption. What am I missing? If you're going to claim something in here could be interpreted to apply to encryption, cite some authority that says so. In the unlikely event that you're right, a lot of big companies are in serious legal trouble.


I included this law in the discussion since it applies to digital services.

What you are missing is that unless encryption is used directly by the endpoints (not added by the provider) by definition (a) holds from your previous comment.

Skype is an example of a communications service (like TextSecure) that offered secure E2E communications but was stripped of that functionality.

Blackberry is an example of a company that has drowned because political pressure to backdoor communications was greater than the market incentive to provide real security.

Apple today stores electronic communication and service records, logs and artifacts from your phone encrypted in the cloud. But it will decrypt for law enforcement upon request. Are you suggesting they do this voluntarily or are they compelled to by law?

http://images.apple.com/privacy/docs/legal-process-guideline...

For the record I am a strong advocate of TextSecure/Silent Circle/others. To be a strong advocate, however, one must be a strong skeptic. So far I do not believe these two projects have been compromised ("CryptoCat" on the other hand...)

I do not believe that there are laws requiring all crypto implemented by every provider everywhere to be subverted. The laws that exist however do ensure that any encryption provided transparently is subverted. When E2E crypto becomes a problem (e.g. Skype) the intelligence community has other ways of dealing with it.

What this means for the surveillance state is that anything that becomes popular enough to represent a non-negligible portion of traffic will be subverted. Mom and pop can't have secure communications. It's only us cipherpunks who get to have any short reprieve.


I'm lost. You claimed in the previous thread you linked to that CALEA (or, charitably, some other law) required US companies to backdoor their encryption schemes. I said you were wrong about that. You claimed I was merely fixating on the specific law you cited, to the detriment of the more general truth of your argument. I asked you to cite any authority anywhere backing that argument up. Your response is to cite examples of crappy software security, and then to sneakily reformulate your argument so that it applies only to encryption that isn't "end-to-end".

The saving grace of this unproductive conversation is that we at least agree that end-users should reject forms of encryption that don't require them to install anything.


> You claimed in the previous thread you linked to that CALEA (or, charitably, some other law) required US companies to backdoor their encryption schemes.

As a customer, encryption provided by a third party (especially in situations where it is difficult or impossible to provide my own encryption - like how would I provide my own encryption that goes over Skype?) which is designed to be removed upon request by the government is backdoored.

> I asked you to cite any authority anywhere backing that argument up. Your response is to cite examples of crappy software security, and then to sneakily reformulate your argument so that it applies only to encryption that isn't "end-to-end".

Neither Blackberry nor Skype were crappy software security solutions until they were subverted. They were subverted on purpose. It's disingenuous to call them crappy without digesting the context by which they came to remove strong security guarantees. Like the case with Apple (you didn't reply to that) either this subversion was done voluntarily or it was compelled.

My thesis is that the constellation of laws and their interpretation are such that any products which become leading communication services will be subverted. Through mandatory data escrow and the TPD as we spoke about earlier, and through financial and political pressures, incentives and (as we know in extreme cases from the Snowden docs) sabotage.

So perhaps it's a vocabulary issue? Companies that will sell in-transit encryption but remove it or store plaintext I would call a backdoor. We agree that this is required by law.

Where we seem to disagree most is the canonical case of Skype. Skype was purposefully subverted and I argue that the constellation of laws we've been discussing were used to do it. I can imagine two other stories one could tell:

1) E2E encryption was removed voluntarily; no compulsion (I would need a lot of convincing)

2) E2E encryption removal was a silly regression that has been noted but not fixed for years (I would need even more convincing)

I would agree wholeheartedly that when it comes to the Skype case there are technically, by letter of law, no laws that force companies to remove or backdoor E2E.

I think here is where we disagree: I think in practice, by the examples we've been able to witness, that broad interpretations of these laws, in conjunction with financial and political pressure are in fact used to leverage changes law enforcement and intelligence community members need.



