Slashdot Mirror


Technical Risks of the US Protect America Act

A group of respected security researchers has released a paper on the security holes that would be opened up if a broad warrantless wiretapping law is passed. The subject could hardly be more timely, as Congress is debating the subject now. Steve Bellovin, Matt Blaze, Whit Diffie, Susan Landau, Peter Neumann, and Jennifer Rexford have released a preprint of Risking Communications Security: Potential Hazards of the Protect America Act (PDF), which will appear in the January/February 2008 issue of IEEE Security and Privacy. It will hit the stands in a few weeks. From Matt Blaze's blog posting: "As someone who began his professional career in the Bell System (and who stayed around through several of its successors), the push for telco immunity represents an especially bitter disillusionment for me. Say what you will about the old Phone Company, but respect for customer privacy was once a deeply rooted point of pride in the corporate ethos. There was no faster way to be fired (or worse) than to snoop into call records or facilitate illegal wiretaps, well intentioned or not. And it was genuinely part of the culture; we believed in it, even those of us ordinarily disposed toward a skeptical view of the official company line. Now it all seems like just another bit of cynical, focus-group-tested PR."

12 of 141 comments

  1. spot on by kneemoe · · Score: 4, Interesting

    unfortunately you got the right impression. living/working in Albany, NY I get to see a lot of this with friends that work in (state) senators' offices, nothing ever gets to them without being filtered and they already know where they stand on bigger issues and outright ignore their constituents unless the media gets involved (like Spitzer and his give illegals drivers licenses thing)
    heck I've written our 'good' senator Schumer a number of times on big issues and all you ever get back is a form letter written by an office intern, no big deal there but you have to know he never reads any of those emails, they get read by the same intern and if you're lucky he summarizes a few of them to his boss later.

    --
    My Sig Sucks
  2. Re:Call your senators by Bill, Shooter of Bul · · Score: 3, Interesting

    My senator is too busy running for president, the other one is too busy running the senate. Even when the candidate was a freshman, he was too busy to take calls from a previous boss. Didn't even say "we're looking at the situation", just "The senator declines to speak with you on this matter". And that was on an issue of international security. Sorry for being cynical, maybe other states have less involved senators that have time to pretend to care about important issues.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  3. Re:Call your senators by russ1337 · · Score: 4, Interesting

    Which leads me to believe that the people the senators hire (which obviously fall in line with the senator's agenda) have no interest in hearing from constituents, but rather already have the answer, and are only really researching the questions.
    If that approach is systemic then things are really bad but the question is 'how can someone change that?'
  4. believe it or not young-unz, but... by jdogalt · · Score: 4, Interesting

    The fourth amendment to the constitution and the Geneva Conventions used to be a strong part of the ethos of American culture.

    But those were the good ol' pre-9/11 days.

    Wake up and smell the realized nightmares of the founding fathers, and don't waste your time thinking that whatever is left of their foundation of democratic principles can help us.

    We are sliding full speed down the slippery slope already. The only hope is that America will survive the impact at the bottom, and that the result will be painful enough, that the constitution gets amended, and a new dawn of liberty arises.

    I was the longest holdout in believing that intelligent debate could actually help. It is clear to me that the only thing to do is to sit back, suffer the consequences along with everyone, and hope that people are capable of learning from their mistakes.

    O what a brave new world. Human cloning, animal-human hybrid research, warrantless wiretaps. Someone could really write a good book about all of this... But these days you probably wouldn't want to purchase it or check it out of a library, lest your name be put referenced in database queries for threat index assessments.

    -dmc

  5. Re:The U.S. government is very corrupt. by Bill, Shooter of Bul · · Score: 2, Interesting

    The U.S. government has become extremely corrupt

    Welcome to the 1800's.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  6. Re:Call your senators by Relic of the Future · · Score: 5, Interesting
    And that's the thing, isn't it?

    Everyone complains about "the congress", and yet, everyone keeps re-electing the same scumbags back into it!

    "Oh, no!" they say, "_my_ congressperson is doing a fine job! It's everyone _else's_ that's a problem!" Which really means "My guy brings the pork home, and that's good; but yours brings YOUR pork home, and that's bad!" And with the way the rules in congress work, a junior member has a lot less pull to bring that pork home; so 90% of the time, the incumbent wins.

    Or they say "I would, except, $MY_PARTY keeps putting up the same choice for re-election, and I'm certainly not going to vote for $OTHER_PARTY," which is an appeal to how poorly the First Past the Post method of adjudicating elections works. With any more-robust voting method, parties could run multiple candidates without risks of splitting the vote and losing, or, *gasp*, third-party candidates could have a real chance, without acting as spoilers (damn you Ralph Nader!)

    But again, that's just pointing out the problems. How do you fix the bylaws in congress, when those who benefit from them are the only ones with the power to change them? How do you change voting practices when all the lawmakers in power owe their position to the current method?

    All I can think of, is start at the bottom. You can't change the nation before you change your state, and you can't change your state before you change your town. So, in order to fix the US Congress by, oh, 2020, run for town council today.

    --
    Those who fail to understand communication protocols, are doomed to repeat them over port 80.
  7. Re:I don't think it'll help by Lilith's Heart-shape · · Score: 2, Interesting

    Some of the more cynical among us might be inclined to wonder if the abuse is the real purpose. Call me paranoid, but I don't just wonder if abuse is the real purpose. I am convinced that it is. After a while, the governing class stops looking for excuses to obtain power: power itself becomes the excuse. Show me a man running for office for the first time, and I'll show you a powerslave in the making.
  8. Domestic traffic that leaves the country by Sloppy · · Score: 3, Interesting

    On around page 28 of the PDF, it talks about domestic traffic (where both participants are inside the US) that may cross the border, due to network routing that goes through Canada, Skype relay nodes, etc. If you intercept all traffic that crosses the border, you may end up intercepting US-citizen-to-US-citizen communications.

    But wouldn't Big Brother counter that the mere fact that the traffic crosses the border, makes it fall under their 'legitimate' border-protecting authority anyway, regardless of the apparent endpoints? So what if it's "virtually" domestic traffic -- physically it's not, and that alone possibly makes it fall under their authority. And we have a (regrettable) historic precedent that even US citizens lose some rights when they interact with the border (e.g. You can be searched for drugs w/out a warrant, whenever you enter the country).

    Also, keep in mind that if you're communicating through a proxy, then that's an opportunity to set up a covert channel to a third party. For example: I talk to grandma through a foreign proxy. My conversation seems to be "Hello grandma, I got the cookies you sent me last week." A steganographic bit is seen by the proxy, and I just transmitted "0" (meaning: "sorry, I will not have collected the resources in time for next week's attack") to my mission control in Afghanistan. (Not that the NSA, even if it had legal authority to tap my call to grandma, would be able to detect whether I'm doing that or not...)

    I'm strongly opposed to warrantless domestic eavesdropping, but I think the argument that sometimes domestic traffic leaves the country, is not a valid argument against spying on border-crossing traffic. A lot of other good points in the PDF, though.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  9. Re:Amend the constitution? by wurp · · Score: 2, Interesting

    First, simply that one should have the right to carry on with your business without being stopped by the police. If you are doing nothing wrong, the police can stop you and if you happen not to have the correct papers on you, now you have committed a crime. It turns from a free society where one assumes their rights are secure, to one in which you must get permission from the state simply to exist.

    Second, it allows a police officer to harass you. If you do something (or are something) that they simply don't like, not only can they select you as the one person from a crowd who must 'show their papers', but moreover now they know who you are and where you live, and can look up vastly more information later. If they decide they don't like you, they can come to your home.

    Finally, why are such identifications necessary? Why can't I simply secure my finances with a password, without disclosing my identity? For some things, you need to provide collateral (hotel rental, buying a home, etc), and identifying yourself makes sense. But why must I identify myself to deposit money in a bank, buy something which I pay for up front, etc? The only possible reason is to give power to these other entities and to the government which ostensibly should be serving you, not controlling you.

  10. Re:Get with the times by bn0p · · Score: 2, Interesting

    It is a stretch to say that the scenarios of abuse of power are "fantastic". The administration repeatedly stated publicly that no one's rights were in danger, that the surveillance they were undertaking required a warrant. This was the whole point of the FISA law, to allow the government to perform surveillance on those who might want to harm us while preventing any potential abuses of the ability to monitor communications.

    Then the administration was caught doing an end-run around the FISA law by doing "wiretaps" without bothering to obtain a FISA order (similar to a warrant) even though FISA allows the order to be obtained after the fact and the FISC (FISA court) created by the law virtually never denied a request for an order.

    A major issue many people have with the law currently before the Senate is the retroactive immunity for the telecom companies, especially in light of allegations that the NSA was monitoring communications without obtaining the required FISA orders seven months *before* the 9/11 attack. If the telecom companies were not doing anything illegal, why is the immunity necessary?



    --
    Never let reality temper imagination
  11. Re:Thank you Matt Blaze by maxume · · Score: 2, Interesting

    Does security equal privacy? Not always, so maybe it is better to say that privacy increases security, or is one way to provide security.

    --
    Nerd rage is the funniest rage.
  12. Re:It runs deeper than that. by rprycem · · Score: 2, Interesting

    In order to change the way things are going, running for office can certainly help. You'll be bringing awareness to fresh concerns and issues just by voicing your platform, even if you have worse odds than a snowball in hell.

    I am doing just that. My name is Richard Matthews and I am a Network and Security Engineer by trade and I am running for Congress in Maryland's Second Congressional District.

    I am a Republican standing for small government, civil liberties and following the US Constitution. My Democratic opponent Dutch Ruppersberger has voted for the reauthorization of the Patriot Act and many Iraq War spending bills. I will be monitoring closely his vote for this act and will comment accordingly at my website.
    http://www.richardmatthews.org/