Slashdot Mirror


Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

Prune writes: "Congress has quietly passed an Intelligence Authorization Bill that includes warrantless forfeiture of private communications to local law enforcement. Representative Justin Amash unsuccessfully attempted a late bid to oppose the bill, which passed 325-100. According to Amash, the bill "grants the executive branch virtually unlimited access to the communications of every American." According to the article, a provision in the bill allows “the acquisition, retention, and dissemination” of Americans’ communications without a court order or subpoena. That type of collection is currently allowed under an executive order that dates back to former President Reagan, but the new stamp of approval from Congress was troubling, Amash said. Limits on the government’s ability to retain information in the provision did not satisfy the Michigan Republican."

3 of 379 comments

  1. Re:Congressman Amash’s letter sent to Collea by Qzukk · Score: 4, Interesting

    I urge you to join me in voting “no” on H.R. 4681, the intelligence reauthorization bill, when it comes before the House today.

    Thank you for posting the bill number, since neither Slashdot nor The Hill thought we should be able to look it up and see who voted for this bullshit.

    It appears in the Senate it was passed by voice vote by a bunch of cowards that did not want their name attached to the bill.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  2. Re:PRIVATE encryption of everything just became... by Anonymous Coward · Score: 3, Interesting

    Why not use the protocol that PGP uses? The data is encrypted with one symmetric key that is unique to each packet or archive. Then copies of that symmetric key are encrypted with each party's public key. So, if the sender sends to nine others, there are ten public keys attached that can decrypt the data's volume key, assuming the sender wants to retain the ability to read the contents.

    The hard part is making sure the keys belong to the right people. However, this isn't that difficult. That is what keysigning parties and a web of trust are for. In fact, because a keysigning party is about validation, just handing every guest a printed sheet showing people's key ID and thumbprint, then having the guests cross-check them and physically tick off the ones they have vetted is good enough.

    I once worked on a project for a company that had multiple offices for messaging around the globe. All messages were encrypted with the receiver's key and had an expiration date. They were dropped into a message pool, propagated to the other sites. The receivers had special software which looked for their key ID, pulled messages out, and the user could decrypt them at their leisure. Since the data was pushed out similar to NNTP, only the site where the message originated from knew who the sender was, because it was just a part of the changes propagated to the other sites. To save space, all messages expired after a time.

    The result of this was a messaging system that was secure, and was plausibly deniable. The sender and receiver got their messages, but the sending site didn't know where the receiving site was, and vice versa.

    This was done internally because one of this startup's sites was in a very repressive country (no, NOT the US or the UK...), and needed to communicate securely and freely about some topics.
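The scheme described in the comment above (one symmetric key per message, with a copy of that key encrypted to each party's public key), as an added example that is not part of the original comment and is not PGP's packet format or code. The names `Seal`, `Open`, `aead` and `rng`, the key-ID map and the nonce-prefixed layout are assumptions made here, with AES-256-GCM and RSA-OAEP chosen as the ciphers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var rng = rand.Reader // OS CSPRNG, used for RSA keys and OAEP padding

// aead builds AES-256-GCM; callers pass exactly 32 bytes, so neither call can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts msg once under a fresh session key, then wraps that key for each recipient key ID.
func Seal(msg []byte, rcpts map[string]*rsa.PublicKey) (sealed []byte, wrapped map[string][]byte, err error) {
	buf := make([]byte, 32+12) // session key || GCM nonce, both unique to this message
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	wrapped = make(map[string][]byte, len(rcpts))
	for id, pub := range rcpts {
		if wrapped[id], err = rsa.EncryptOAEP(sha256.New(), rng, pub, buf[:32], nil); err != nil {
			return nil, nil, err
		}
	}
	return aead(buf[:32]).Seal(buf[32:], buf[32:], msg, nil), wrapped, nil // nonce || ciphertext || tag
}

// Open unwraps the caller's copy of the session key and decrypts the shared ciphertext.
func Open(sealed, wrappedKey []byte, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rng, priv, wrappedKey, nil)
	if err != nil || len(key) != 32 || len(sealed) < 12 {
		return nil, fmt.Errorf("not a recipient, or malformed envelope")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

func main() {
	bob, _ := rsa.GenerateKey(rng, 2048) // constructed throwaway key
	sealed, wrapped, _ := Seal([]byte("hi"), map[string]*rsa.PublicKey{"bob": &bob.PublicKey})
	pt, err := Open(sealed, wrapped["bob"], bob)
	fmt.Println(string(pt), err)
}
```

The message body is encrypted only once regardless of the number of recipients; each additional recipient adds one wrapped key (256 bytes for a 2048-bit RSA key).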

  3. Re: PRIVATE encryption of everything just became.. by Frobnicator · Score: 4, Interesting

    But cloud is great, right? They told me cloud is great!

    Yes, cloud is great as a convenience for you.

    It is also great as a convenience for NSA and other agencies. The text of the bill allows that anything that was encrypted can be kept indefinitely. If your web site says HTTPS then it is fair game for permanent governmental storage.

    Also, they can retain it forever for a number of reasons:

    From the bill now on its way to the President's desk: "(3)(B) A covered communication shall not be retained in excess of 5 years unless ... (ii) the communication is reasonably believed to constitute evidence of a crime ... (iii) the communication is enciphered or reasonably believed to have a secret meaning; (iv) all parties to the communication are reasonably believed to be non-United States persons;"

    #2 should be troubling. Does your communication (which is not limited to just email, but also includes web pages and any other data) have any evidence of a crime? Evidence that you downloaded a movie or software from a warez site, or looked at porn as a minor, or violated any of the policy-made-crimes that even the federal government has declared they are not countable? With an estimate of over 300,000 'regulations-turned-crime', plus laws that incorporate foreign laws (the Lacey Act's criminalization of anything done "in violation of State or foreign law"), pretty much anything you do probably violates some law somewhere in the world. Better preserve it just in case somebody eventually wants to prosecute you for that crime someday.

    #3 refers back to a vague definition of "enciphered" that does not just mean encryption. The "secret meaning" could be as simple as data inside a protocol. Who is to say that the seemingly random bytes "d6 0d 9a 5f 26 71 dd a7 04 31..." used as part of a data stream are really not an encrypted message? Better record it just in case.

    And of course #4, the law has a careful wording about communications between "non-United States persons". Considering the "internet of things", all those devices talking to other devices are not communications between United States persons. It was your camera (a non-United States person) communicating with a data warehouse (a non-United States person), so better exempt that from the 5-year retention policy as well.

    --
    //TODO: Think of witty sig statement