US Policy Would Allow Government Access to Any Email

An anonymous reader writes "National Intelligence Director Mike McConnell is currently helping to draft a new Cyber-Security Policy that could make the debate over warrantless wiretaps seem like a petty squabble. The new policy would allow the government to access to the content of any email, file transfer, or web search."

Really?

And what is it going to do about my encryption keys?

Not that I support this, but I sure as hell don't intend to make it easy for people to invade my privacy when I'm not doing anything illegal.

Re:Really?

[gnick]

And what is it going to do about my encryption keys? If things go really badly, they could pass legislation similar to the UK's that makes it illegal to withhold encryption keys and passwords if you're hit with a warrant. I'm sure if anyone has tried the "I forgot" defense yet.

Re:Really?

[ashridah]

Taking your comment on face value, this only really works if you're communicating with a peer whom you already know, *and* whom you already have exchanged public keys with, in a trusted manner (no, a key on a public key chain isn't trusted, if you don't know why, then you fail at cryptography).

This doesn't work for public discussion lists, or even private ones, unless they're very strictly controlled.
It also doesn't help for p2p traffic, as those are between two essentially anonymous parties, and thus, have no way to prevent a man in the middle attack, even if they DO use encryption (unless the tracker mediates, which, for most implementations that I've seen, it doesn't, even if it's using SSL)

The simple fact of the matter is that encryption is the wrong mechanism to solve this problem. Removing power from your government is the right mechanism, ideally.

Re:Really?

[Fulcrum+of+Evil]

I'd just go with the 5th ammendment defense - I don't have to tell you things that could incriminate me.

Re:Really?

[WaltBusterkeys]

In contrast, I'm posting not as AC and taking the risk.

That said, there are NO sources for this statement. The PDF link gives a 404 and they don't explain what they meant other than using broad terms. It sounds like a lot of FUD without a source to back it up. Does anybody have the PDF? If not then I'd like to see more sources than just an un-signed editorial on Raw Story.

Re:Really?

[turbidostato]

"I'd just go with the 5th ammendment defense - I don't have to tell you things that could incriminate me."

So, how exactly is revealing a password any more incriminating than say, allowing police into your home -which is "standard practice"?

-Don't tell us that you killed her -which would be incriminating, just tell us your password -which is something absolutly neutral.

Re:Really?

your password -which is something absolutly neutral Not necessarily. My password is "I'm planning a massive attack on U.S. soil."

Re:Really?

[Firethorn]

You don't have to 'let' them into your home - they need a search warrant for that. Enough evidence and they can even drill the lock and such - you don't have to tell them where your key is.

Still, as long as the constitution holds out, they can ask you your password and you can plead the fifth.

Re:Really?

[iminplaya]

...as long as the constitution holds out...

C'mon. You should know by now that the constitution went belly up back in 1798. Well, the bill of rights anyway. The parliamentary stuff in the main body is still holding up.

Re:Really?

[Shakrai]

I wonder if that gives me any true additional protection or not.

No, it doesn't. See sneak and peek warrants.

You can try encrypting all of your files but if they can gain physical access to the machine(s) in question without you knowing about it then it's a simple matter to install a keylogging device and obtain any passwords needed to decrypt your data.

Re:Really?

[Shining+Celebi]

That said, there are NO sources for this statement. The PDF link gives a 404 and they don't explain what they meant other than using broad terms. It sounds like a lot of FUD without a source to back it up. Does anybody have the PDF? If not then I'd like to see more sources than just an un-signed editorial on Raw Story.

If you RTFA, it's from The New Yorker. Or, at least it was in TFA when I read it earlier today before Slashdot posted it.

I'm too lazy to check to see about the link now, but fortunately, since I thought the article interesting, I saved it. So here it is. It's an 18 page PDF, The proposal is mentioned on page 11.

Re:Really?

[ecitizen]

As Benjamin Franklin said, "Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one." In this case, the Supreme Court ruled years ago that privacy is a freedom. If you look at what the FBI did to Martin Luther King years ago in their attempts to discredit him, you'll see what happens when you lose your privacy. If you give government power, eventually, they will abuse it. --E-Citizen

Re:Really?

[berzerke]

I don't feel comfortable taking such a narrow interpretation of the bill of rights that only things that are literally and directly incriminating are protected.

Sadly, it doesn't matter what you feel comfortable with. It's what a judge feels comfortable with. And lately they seem to be quite comfortable with broad, in some cases overreaching IMHO, interpretations of the bill of rights.

Re:Really?

[FrozenGeek]

So, suppose Alice and Bob use asymmetric crypto to encrypt the email (and not just to share a symmetric session key but to actually encrypt the plain text). Yes, I know it's horribly inefficient, but cpu cycles are cheap and most email is only a few KB long, so it's not that horrific a thought. If No Such Agency hassles Alice over an encrypted email she sent to Bob, she says that she used Bob's public key and cannot decrypt it - only Bob can do so. Assuming Bob lives somewhere that No Such Agency can hassle him, he hands them his "private key" that decrypts the email to rubbish and says "Sorry, Alice must have screwed up the encryption". Worst case scenario, both Bob and Alice are screwed. Best case, No Such Agency is very unhappy.

Re:Really?

[rtb61]

What is dangerous about this is, it is not about just email, it is about all you Internet communications. Searching, file download, web sites visited (you download html), so the can create a full, in their interpretation psychological profile of you ie. we think you are guilty hence you are. Want to be a free thinking democratic voter under a republican government, based upon failing a range of pre established filters and data relations, they can ensure you are excluded from society as much as possible, no access to any public transport, no access to any government employment, no access to any 'secure' contracted to government private employment, random destructive searches of your person and property as well as all the members of your family resident at that address.

Want to try to deny you disagree against government policy, or that you wont vote to keep them in power, or that you don't 100% agree with a corporation that supports the current government and your life and the future of your family will be systemically targeted. Unless you publicly support them and their chosen evangelical religion of power and control, you will become the enemy, and will be accused and judged by the 21st century Internet inquisition and potentially targeted for harsh interogation techniques.

Don't fit their current preferred 'mold' of what they define to be a good, white, evangelical, american and honestly how well will you and your family fare under the 21st century Internet inquisition. Conspire to be free and believe in democracy and justice and you will learn how easily conspiracy laws can be abused.

The Constitution...

[zulater]

...is sadly dying. But it's ok because if you are doing nothing wrong you have nothing to hide right?

Re:The Constitution...

[LWATCDR]

Well except that there is no proof that this is true. That story is kinda short on any proof at all.
email? Does anybody think that email is private? It is sent in clear text so I would say that it is as private as a postcard.
There is an election coming soon. So for those that really fear this find out where the candidates stand on it.
Then vote.
BTW don't focus so much on the President BTW take a hard look at your congressional reps.

Re:The Constitution...

[timmarhy]

why must we have to justify privacy? it's obvious to anyone that if a letter isn't addressed to you then it's an invasion of privacy regardless of the measures we take to stop you.

Re:The Constitution...

[Chris+Burke]

email? Does anybody think that email is private? It is sent in clear text so I would say that it is as private as a postcard.

As I say in every discussion of this nature, "private" in the sense of "can a police officer legally look at this and use it as evidence?" is completely different than in the sense of "could a malicious person who wanted to snoop on what I was saying possibly look at this, the law be damned?"

E-mail is about as physically private as a letter. They are fairly trivial to read but it does require you take take deliberate action to do so. As opposed to a post card which could literally fall out of the postman's hand text-up and be read by accident, other people's emails don't just randomly show up on your screen even if you are an email server sysadmin.

And thanks to recent precedent email is becoming -legally- as private as a letter. Which to repeat, is a different standard, and regardless of the fact that letters are easy to read, they are still considered private. So while a malicious mail man could read your mail whenever they chose, a cop who wanted their evidence to stand up at trial could not without a warrant.

We need to remember both of these. First if you want real privacy even from malicious people, you need to encrypt your email. Second, we still need to keep unencrypted email to be legally private, since otherwise the idea is that if the police -can- read your encrypted emails then they don't count as private and thus no warrant is needed.

There is an election coming soon. So for those that really fear this find out where the candidates stand on it.
Then vote.
BTW don't focus so much on the President BTW take a hard look at your congressional reps.

True that. Sadly enough it's hard enough to get specific answers on what the Presidential candidates' stances are on the subject, much less all the representatives.

Re:The Constitution...

[pilgrim23]

A new product is all the rage in the District these days:
    Bill of Rights Toilet Paper (tm)
It comes with all 10 printed on each sheet. Congress Critters find it to be heavy duty absorbent. Somehow though, that stuff you water the Tree of Liberty with seems to slip through anyway, just a little, but it slips through....

Luddite revolution

[ari_j]

I guess we'll just have to do this the old-fashioned way. Now accepting (paper) applications for the next Paul Revere.

He's just stretching the constraints

[blair1q]

so he can get through something we would consider "less onerous" but is still an affront to the Constitution.

They found a way to make encryption mainstream!

[Drake42]

Because you can be damn sure that if they pass this law people will finally make sure to heavily encrypt what they say on the internet.

Then again, it's almost certain that they're already reading all the e-mail. This law is probably just to prevent them from getting sued about it later. Ug

I got an idea....

[bherman]

When the White House produces their missing emails, we'll produce ours
That should sufficiently prevent this from becoming law!

Re:I got an idea....

[EriDay]

The Ass Hats running our government have it backward. We're supposed to be able to read their communications, and they aren't supposed to be able to read ours.

Sounds like FUD

[MobyDisk]

This article is entirely speculation. The only source it links to is an article that was not printed, and the link points to a 404 page.

PGP + Constitution

[Rinisari]

Gnu Privacy Guard (or other PGP) + Judge: Man can't be forced to divulge encryption passphrase = safety in communications.

You can't let the terrorists win

[MosesJones]

You need to have this sort of thing because you can't let the terrorists win, so what if you have to give up basic fundamental rights like privacy at least the terrorists won't have won.....

Oh hang on we were fighting for freedom and liberty weren't we? So you need to give up all your freedoms to protect your freedom? You'd almost thought that the government was a repressive regime that wanted to subjugate people.

Re:You can't let the terrorists win

[chuckymonkey]

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

As this applies to regular mail, I think that it applies to email as well despite the government not getting a cut of the money.

No person shall be held to answer for any capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Self Explanatory, encrypt. Also as the beginning states they cannot do anything to you unless they bring you before a Grand Jury. The wording is clear that the only exception are members of the Military. Which brings me to a fun story.

When I was in the Army deployed to Iraq they told us that they had to scan our computers before we left to look for secrets and obscene material. Well this made me very angry so first I offered my services to a few friends and setup truecrypt volumes for them. Then I took a picture of myself flipping off a camera, labeled them things like Fuck Me hard(several different variations on that theme) and distributed 30,000 copies all over my hdd. Let's just say that when they put in the scanning disk the person performing the scan got really tired of seeing me flip him off and they didn't find anything. I know it was petty and he really wasn't doing it because he wanted to, but I think that I made a point even if it was in a very small way. The leadership never ever scanned anything of mine again.

Re:You can't let the terrorists win

[chuckymonkey]

Huge Wall O' Angry Rant Follows

Let me put it as easily as I can, we all worked a ummmm special mission. We were all very well trained with how to handle security and put in a position of trust. Yes it was my personal laptop and yes they can scan it which pretty much says that they don't trust me. However as you seem to be an officer just what would you have done? Can you punish me for having pictures of myself on my personal computer? Would JAG back that up? Also a few more circumstances here, they do care about obscene material as they scanned my computer mid tour and found some nude pictures of my wife and demoted me for that. I also was the guy that as a specialist redesigned the entire IT infrastructure that we were using to increase productivity substantially, I ran the entire network by myself, I ran a pacing item by myself, ran the websites by myself, built a server for them, and was the main CRO all that in addition to my regular job of 98C. Another thing that was fun was whenever the Trojan Spirit II went down they had to call me in no matter what time it was to come fix it(at least once a week because no matter how hard I screamed for them I couldn't get the A/C units fixed). I asked for people to train on the various systems, but they couldn't spare even one tech oriented person even though I had guys volunteering for it. I spent three days in the back of that damned thing working on it one time without sleep or food because my NCO's couldn't be bothered to at least bring me food, towards the end of that the ACE Cheif came to bitch about it not working. I politely told him to shut the fuck up and let me finish my job. So if I wanted to do some damage or betray anyone I damned well knew how to do it, scanning my personal equipment was a slap in the face to me and did not deserve my cooperation. Needless to say I had no respect for any level of my leadership as I was trying my hardest for a long time to be a good soldier and cooperate only to be fucked constantly. Yes, my point of view is one sided, but if they had a real problem with me then dammit that's what a counseling statement is for(I was an NCO for a while until the incident) and it could have been spelled out so I could fix it. I just didn't play games and called people out on bullshit so they didn't like me. So fuck the Army, I'm out now and they can kiss my ass.

It's in the New Yorker's print edition

As re-reported in Raw Story:

National Intelligence Director Mike McConnell is drawing up plans for cyberspace spying that would make the current debate on warrantless wiretaps look like a "walk in the park," according to an interview published in the New Yorker's print edition today. ...

McConnell is developing a Cyber-Security Policy, still in the draft stage, which will closely police Internet activity.

"Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the autority to examine the content of any e-mail, file transfer or Web search," author Lawrence Wright pens.

"Google has records that could help in a cyber-investigation, he said," Wright adds. "Giorgio warned me, 'We have a saying in this business: 'Privacy and security are a zero-sum game.'"

Who cares?

[GodfatherofSoul]

Regardless of the laws, we've already seen that the telecoms will grant the government whatever access it wants. If they get busted, they'll go cry to Congress for retroactive protection. Same results with or without legal protection of your privacy.

Re:Diminishing returns

[cptdondo]

I think you miss the point. The data will be mined after the fact or to build a case against someone the gov't doesn't like.

Let's say you do something to piss some mucky-muck off and you get on the monitor list. It's only a matter of time before you mention in passing that you copied a DVD or any other heinous crime and bingo! The FBI/Federal marshals/etc are at your door.

Paranoid? I grew up in a communist state. I hate to think I've escaped to one, too....

Make your voice heard

[cohomology]

Tell the highest levels of the intelligence community what you think about this idea by picking up a phone and calling any number.

I know, it's not original.

Re:And what about foreign nation TLD's?

[nuzak]

> We'll see what our governments have to say about that.

Something along the lines of "More! More! Harder! Deeper!" is my guess.

Re:Diminishing returns

[KublaiKhan]

That's really the only way it could be useful at all; as a method of detection, there's no real way that one could find anything useful with that sort of shotgun approach at all.

But if the government really wants your hide, then they'll have it whether they have any real evidence or not--witness Cardinal Richelieu's words: "Give me four lines written by the most innocent of men, and in them I will find something to hang him." That was just as true then as now.

Encrypt your email

[gillbates]

Seriously. There are already libraries such as FLTK and QT for the graphic front end. For the back end, you could use XySSL, OpenSSL, or even GNU GPG.

I'm about 20 hours into an encryption client, and I've already got people using it. I initially wanted to use GPG, but realized that most technophobes won't go for a command line application. So I pulled out FLUID (the FLTK design utility) and had a prototype working within hours.

Today, there's no excuse for not encrypting your email. I realize that you may think you have Constitutional rights in this regard, but GW & Co. have the guns, the taxpayer financing, and even the (unsolicited!) cooperation of the major network carriers. It doesn't matter what you think the Constitution says if you can't even get a trial. You're on your own from here on out.

So why encrypt, even if you've nothing to hide? Well, simple, really. Why let the government violate the 4th ammendment with impunity? If you encrypt your email, the government can't perform secret, mass surveillance. Sure, they can pound on your door, and even demand the key. You might even have to give it to them. But in them doing so, you've achieved three key goals:

1. In order to get the key from you, they'll have to contact you. So they can't secretly eavesdrop on your communications.
2. Should you refuse the key, they will have to convince a judge to order you to divulge it - thus, your 4th ammendment rights are preserved - the judge will require probable cause before issuing the order.
3. In demanding the key, the issue will move from the administrative branch to the judicial branch. You want to force the government into the courtroom so that your other rights are not trampled as well.

Encryption is highly Constitutional (TM) software. It keeps terrorists from eavesdropping on our conversations, knowing our whereabouts, and stealing our valuable intellectual property. If the government can't read my email, neither can the terrorists.

Be patriotic. Support the Constitution. Encrypt everything.

Re:Diminishing returns

[Deadstick]

Well, at least the government would get lots of instruction on how to make its pecker bigger. And considering what it's already doing to us, that's not a very good thing.

rj

Unless it's bundled with Windows...

[Joce640k]

Unless it's bundled with Windows then a mass change to encrypted email simply isn't going to happen.

Encryption should have been built into the protocols from the start but now I'm afraid the horse has bolted.

No sources

[WaltBusterkeys]

It seems the above comment focuses on "will probably" without sources, much like the Raw Story unsigned editorial.

Has anybody actually SEEN the draft so that we can comment on it intelligently without relying on "I think the US government is bad, so I'm going to assume they're doing horrible things"? The PDF link in the Rawstory unsigned editorial doesn't work, so it's awfully hard to evaluate their claims. The homepage of Rawstory makes their bias pretty clear, so I'm inclined to not just take their word.

Re:At least they won't be able to mass-scan...

[Bungie]

The main obstacle to mass encryption these days is Microsoft. I expect to be skating over Hell's frozen wasteland before Microsoft adopts encryption in Outlook/Hotmail.

I've been encrypting and signing mail in Outlook Express and Outlook for years. The certificates are installed via XENROLL.DLL or CERTENROLL.DLL. Windows actually has a really good encrytion API.

If you go here you can get a free e-mail certificate. Once you install it to the cryptography store you can sign and encrypt mail in any Microsoft email program. If you use the Windows Live Mail application you can encrypt messages in Hotmail too.

Or You Could Go With the Reagan/Bush/Rove/Cheney

[NeverVotedBush]

Defense...

"I don't recall"

Re:At least they won't be able to mass-scan...

[cayenne8]

"Does GMail support encryption though it's web client? Does Yahoo?"

There is a firefox plugin Firegpg that you can use with gmail to encrypt, sign, and decrypt email.

I dunno if it works with yahoo....it might...