Technical Risks of the US Protect America Act
A group of respected security researchers has released a paper on the security holes that would be opened up if a broad warrantless wiretapping law is passed. The subject could hardly be more timely, as Congress is debating the subject now. Steve Bellovin, Matt Blaze, Whit Diffie, Susan Landau, Peter Neumann, and Jennifer Rexford have released a preprint of Risking Communications Security: Potential Hazards of the Protect America Act (PDF), which will appear in the January/February 2008 issue of IEEE Security and Privacy. It will hit the stands in a few weeks.
From Matt Blaze's blog posting: "As someone who began his professional career in the Bell System (and who stayed around through several of its successors), the push for telco immunity represents an especially bitter disillusionment for me. Say what you will about the old Phone Company, but respect for customer privacy was once a deeply rooted point of pride in the corporate ethos. There was no faster way to be fired (or worse) than to snoop into call records or facilitate illegal wiretaps, well intentioned or not. And it was genuinely part of the culture; we believed in it, even those of us ordinarily disposed toward a skeptical view of the official company line. Now it all seems like just another bit of cynical, focus-group-tested PR."
Unfortunately you got the right impression. Living/working in Albany, NY, I get to see a lot of this with friends that work in (state) senators' offices. Nothing ever gets to them without being filtered, and they already know where they stand on bigger issues and outright ignore their constituents unless the media gets involved (like Spitzer and his give illegals driver's licenses thing).
Heck, I've written our 'good' senator Schumer a number of times on big issues and all you ever get back is a form letter written by an office intern. No big deal there, but you have to know he never reads any of those emails; they get read by the same intern and if you're lucky he summarizes a few of them to his boss later.
My Sig Sucks
My senator is too busy running for president, the other one is too busy running the senate. Even when the candidate was a freshman, he was too busy to take calls from a previous boss. Didn't even say "we're looking at the situation", just "The senator declines to speak with you on this matter". And that was on an issue of international security. Sorry for being cynical, maybe other states have less involved senators that have time to pretend to care about important issues.
Well.. maybe. Or Maybe not. But Definitely not sort of.
The Fourth Amendment to the Constitution and the Geneva Conventions used to be a strong part of the ethos of American culture.
But those were the good ol' pre-9/11 days.
Wake up and smell the realized nightmares of the founding fathers, and don't waste your time thinking that whatever is left of their foundation of democratic principles can help us.
We are sliding full speed down the slippery slope already. The only hope is that America will survive the impact at the bottom, and that the result will be painful enough that the constitution gets amended, and a new dawn of liberty arises.
I was the longest holdout in believing that intelligent debate could actually help. It is clear to me that the only thing to do is to sit back, suffer the consequences along with everyone, and hope that people are capable of learning from their mistakes.
O what a brave new world. Human cloning, animal-human hybrid research, warrantless wiretaps. Someone could really write a good book about all of this... But these days you probably wouldn't want to purchase it or check it out of a library, lest your name be referenced in database queries for threat index assessments.
-dmc
Everyone complains about "the congress", and yet, everyone keeps re-electing the same scumbags back into it!
"Oh, no!" they say, "_my_ congressperson is doing a fine job! It's everyone _else's_ that's a problem!" Which really means "My guy brings the pork home, and that's good; but yours brings YOUR pork home, and that's bad!" And with the way the rules in congress work, a junior member has a lot less pull to bring that pork home; so 90% of the time, the incumbent wins.
Or they say "I would, except, $MY_PARTY keeps putting up the same choice for re-election, and I'm certainly not going to vote for $OTHER_PARTY," which is an appeal to how poorly the First Past the Post method of adjudicating elections works. With any more-robust voting method, parties could run multiple candidates without risks of splitting the vote and losing, or, *gasp*, third-party candidates could have a real chance, without acting as spoilers (damn you Ralph Nader!)
But again, that's just pointing out the problems. How do you fix the bylaws in congress, when those who benefit from them are the only ones with the power to change them? How do you change voting practices when all the lawmakers in power owe their position to the current method?
All I can think of, is start at the bottom. You can't change the nation before you change your state, and you can't change your state before you change your town. So, in order to fix the US Congress by, oh, 2020, run for town council today.
Those who fail to understand communication protocols, are doomed to repeat them over port 80.
On around page 28 of the PDF, it talks about domestic traffic (where both participants are inside the US) that may cross the border, due to network routing that goes through Canada, Skype relay nodes, etc. If you intercept all traffic that crosses the border, you may end up intercepting US-citizen-to-US-citizen communications.
But wouldn't Big Brother counter that the mere fact that the traffic crosses the border, makes it fall under their 'legitimate' border-protecting authority anyway, regardless of the apparent endpoints? So what if it's "virtually" domestic traffic -- physically it's not, and that alone possibly makes it fall under their authority. And we have a (regrettable) historic precedent that even US citizens lose some rights when they interact with the border (e.g. You can be searched for drugs w/out a warrant, whenever you enter the country).
Also, keep in mind that if you're communicating through a proxy, then that's an opportunity to set up a covert channel to a third party. For example: I talk to grandma through a foreign proxy. My conversation seems to be "Hello grandma, I got the cookies you sent me last week." A steganographic bit is seen by the proxy, and I just transmitted "0" (meaning: "sorry, I will not have collected the resources in time for next week's attack") to my mission control in Afghanistan. (Not that the NSA, even if it had legal authority to tap my call to grandma, would be able to detect whether I'm doing that or not...)
I'm strongly opposed to warrantless domestic eavesdropping, but I think the argument that sometimes domestic traffic leaves the country, is not a valid argument against spying on border-crossing traffic. A lot of other good points in the PDF, though.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.