Slashdot Mirror


Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

Prune writes: Congress has quietly passed an Intelligence Authorization Bill that includes warrantless forfeiture of private communications to local law enforcement. Representative Justin Amash unsuccessfully attempted a late bid to oppose the bill, which passed 325-100. According to Amash, the bill "grants the executive branch virtually unlimited access to the communications of every American." According to the article, a provision in the bill allows “the acquisition, retention, and dissemination” of Americans’ communications without a court order or subpoena. That type of collection is currently allowed under an executive order that dates back to former President Reagan, but the new stamp of approval from Congress was troubling, Amash said. Limits on the government’s ability to retain information in the provision did not satisfy the Michigan Republican.

31 of 379 comments

  1. PRIVATE encryption of everything just became... by Karmashock · · Score: 5, Insightful

    ... mandatory. Seriously, what is the NSA going to do when the consequences of their arrogance propagate fully through our information culture? Eventually, everything of consequence is going to be held on private servers using private encryption keys that no one has access to but the users. The actual servers that push the information around are going to be shuffling around black boxes.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:PRIVATE encryption of everything just became... by Karmashock · · Score: 4, Informative

      They can't practically stop people from using any kind of encryption. Once the encryption procedure is handled entirely client side, how would you even know if the data was encrypted to spec unless you tried to decrypt it? And that's an awkward thing to admit to people that are assuming your service doesn't even try to do that.

      Really, the whole NSA mission against general data has a big expiration date hanging on it. The cloud concept is obviously dead in the water in the long term unless the encryption keys and engine are kept client side. And are the terrorists of the future really going to be sending their terrorist plots over email and conventional cell phone calls? I can think of hundreds of ways to send information of an extremely criminal and national security relevant nature... completely anonymously... forever.

      The only reason they're getting anything now is because our enemies are computer illiterate. That is like relying on your enemy being literally illiterate... forever. It isn't going to happen.

      The whole thing is a giant waste of time and money. IF they had half a clue, they'd do their best to convince everyone that they're not actually going to wire tap everyone secretly. I know they say that all the time but they're not very convincing at it are they? Exactly. To be convincing, they need to be subtle. Which means the giant data centers and big laws flowing through congress are the opposite of what they should be doing IF they had a clue.

      But they quite clearly don't have a clue so they're just going to spend billions of tax payer dollars to accomplish jack shit. As usual.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:PRIVATE encryption of everything just became... by AaronLS · · Score: 3, Informative

      Not disagreeing with you, but want to clear up what it means to make cloud storage, or any type of server storage, secure and inaccessible from court orders:

      In the case of dropbox, data is stored encrypted, but the server software holds the encryption keys so it can serve the data to clients unencrypted. This means subpoenas and other legal/law enforcement actions can access the data by going to the server operators, who likely will not challenge the order.

      If you instead encrypt the data client side before you send it to the server, then everyone who accesses the data must also have the key.
      What if you want to revoke access for one person? You have to download the data client side, decrypt/re-encrypt with a new key, reupload, provide key to remaining sharers. So this technique only really works for data that you do not share, i.e. just your personal stuff, and is essentially what people do now when they encrypt data before uploading it to dropbox.

      Asymmetric techniques don't really apply here unless you're only sharing with one party. You combine your private key and their public key to encrypt the data, then only they can decrypt it. This does not work when dealing with 3 or more parties, unless some are going to share the same key for one side of the asymmetric encryption, in which case you're back to the same problem we had with sharing a symmetric key.

    3. Re:PRIVATE encryption of everything just became... by mi · · Score: 4, Informative

      Don't forget it is the NSA who approves what types of encryption are legal for citizens to own.

      There is no illegal encryption — not in the US. You can use anything you can get your hands on.

      Now, getting your hands on something, the NSA can't break, may be difficult — because they have sabotaged efforts to develop strong crypto. But not because it is illegal.

      That said, the existing freely available software — including OpenSSL — can be used properly to defeat would-be spooks. We know this — and the observation is confirmed by occasional stories on how the government leans on companies to reveal the private keys. If they could break the encryption itself, they wouldn't be demanding keys...

      --
      In Soviet Washington the swamp drains you.
    4. Re:PRIVATE encryption of everything just became... by Anonymous Coward · · Score: 3, Interesting

      Why not use the protocol that PGP uses? The data is encrypted with one symmetric key that is unique to each packet or archive. Then copies of that symmetric key are encrypted with each party's public key. So, the sender sends to nine others, there are ten public keys attached that can decrypt the data's volume key, assuming the sender wants to retain the ability to read the contents.

      The hard part is making sure the keys belong to the right people. However, this isn't that difficult. That is what keysigning parties and a web of trust is for. In fact, because a keysigning party is about validation, just handing every guest a printed sheet showing people's key ID and thumbprint, then having the guests cross-check them and physically tick off the ones they have vetted is good enough.

      I once worked on a project for a company that had multiple offices for messaging around the globe. All messages were encrypted with the receiver's key and had an expiration date. They were dropped into a message pool, propagated to the other sites. The receivers had special software which looked for their key ID, pulled messages out, and the user could decrypt them at their leisure. Since the data was pushed out similarly to NNTP, only the site where the message originated from knew who the sender was, because it was just a part of the changes propagated to the other sites. To save space, all messages expired after a time.

      The result of this was a messaging system that was secure, and was plausibly deniable. The sender and receiver got their messages, but the sending site didn't know where the receiving site was, and vice versa.

      This was done internally because one of this startup's sites was in a very repressive country (no, NOT the US or the UK...), and needed to communicate securely and freely about some topics.

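      The hybrid scheme the two comments above describe, AaronLS's download/decrypt/re-encrypt/re-upload cycle for revoking a sharer and the Anonymous Coward's PGP-style per-message symmetric key wrapped to each recipient's public key, written out as an added Go example. This is not code from the thread, from Dropbox or from PGP; it uses only the Go standard library. The Envelope type, the use of plain recipient names where PGP would use key IDs, AES-256-GCM plus RSA-OAEP as the concrete primitives, and the sample message are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a PGP-style message: the body is encrypted once under a fresh random
// content key, which is wrapped separately to each recipient's public key.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM over the plaintext
	WrappedKeys map[string][]byte // recipient name (stands in for a key ID) -> RSA-OAEP(content key)
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext once and wraps the content key for every recipient.
// The sender must be a recipient too if they want to read the message back later.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	contentKey := make([]byte, 32)
	rand.Read(contentKey) // crypto/rand.Read does not return an error on current Go
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	env := &Envelope{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open unwraps the content key with one recipient's private key and decrypts the
// body. A party with no wrapped copy, or holding the wrong private key, fails.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for %q", name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap for %q: %w", name, err)
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Revoke drops a recipient. Deleting their WrappedKeys entry alone is not enough:
// they may have cached the content key, and the old ciphertext stays readable with
// it. So a key holder decrypts and re-seals under a fresh key for everyone left.
func Revoke(env *Envelope, ownerName string, owner *rsa.PrivateKey, remaining map[string]*rsa.PublicKey) (*Envelope, error) {
	plaintext, err := Open(env, ownerName, owner)
	if err != nil {
		return nil, err
	}
	return Seal(plaintext, remaining)
}

func main() {
	alice, bob := genKey(), genKey()
	pubs := map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey}
	env, _ := Seal([]byte("constructed sample message"), pubs) // constructed input
	delete(pubs, "bob")
	env2, _ := Revoke(env, "alice", alice, pubs)
	_, before := Open(env, "bob", bob)
	_, after := Open(env2, "bob", bob)
	fmt.Println("bob before revocation:", before, "| after revocation:", after)
}
```

      The point the two comments disagree on sits in Revoke: with a wrapped content key per recipient, sharing with N parties costs N small RSA operations rather than N copies of the data, but removing one party still forces a fresh content key and a re-upload of the whole ciphertext, because the revoked party may already hold the old key. What this scheme does not solve is the other problem the thread raises: confirming that a public key really belongs to the person named, which is what PGP's key IDs, fingerprints and web of trust are for.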
    5. Re:PRIVATE encryption of everything just became... by currently_awake · · Score: 4, Insightful

      Private spying gets you information, public spying gets you intimidation. Possibly they have changed their goals.

  2. Over to you, SCOTUS by Tokolosh · · Score: 5, Insightful

    If you do not declare this unconstitutional, immediately and unambiguously, then you have failed The People.

    Your credibility is already hanging by a hair.

    --
    Prove anything by multiplying Huge Number times Tiny Number
    1. Re:Over to you, SCOTUS by Anonymous Coward · · Score: 3, Informative

      The same SCOTUS that just said your employer can order you to do 25 minutes of security checks without compensation? The copyright extension SCOTUS? The fascism rubber-stampers in black robes? Good luck.

    2. Re:Over to you, SCOTUS by BarbaraHudson · · Score: 5, Insightful

      What if those communications are contained in your phone, tablet, laptop or home computer. Sounds like they can seize all that without a warrant as well ...

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:Over to you, SCOTUS by mythosaz · · Score: 3, Insightful

      While I disagree with the 25-minute screenings, I'm not paid for walking through security, taking the elevator and logging into my workstation either.

      SCOTUS merely maintained what was already in the Portal-to-Portal Act: that things relevant to the job itself (e.g. butchers sharpening their knives) got paid, and that security searches were analogous to time spent driving to work or taking a long flight of stairs to your office.

      Integrity Staffing Solutions, Inc. are, unquestionably, a bunch of shit-bags who should move the time-clocks to the other side of the sometimes up-to 25 minute screening machines, but it's not exactly like SCOTUS is out to screw people on this one. Someone in risk management there realized that they'd still be more profitable with the tiny bit of bad press and some legal fees than to pay overtime.

      Eat a bag of dicks Integrity Staffing Solutions, Inc. -- but I don't blame SCOTUS.

    4. Re:Over to you, SCOTUS by mythosaz · · Score: 4, Informative

      Vote was reasonably even across party lines.
      https://www.govtrack.us/congre...

      71% of (D) voted for it.
      80% of (R) voted for it.

      9 congresscritters didn't vote, split 5(D), 4(R).

  3. Re: PRIVATE encryption of everything just became.. by Anonymous Coward · · Score: 4, Funny

    But cloud is great, right? They told me cloud is great!

  4. Ok Justin by Anonymous Coward · · Score: 5, Insightful

    I have actually met this guy in person, I have nothing against him, but holy shit. Before he actually cared and I would have backed him up 100% opposing this without question. But he seems to have gone for the Republican Kool-Aid and somehow wants to blame this on.... the executive branch.

    Look man, the executive branch doesn't make laws and the law enforcement agencies that report to it already had this power. This is Congress, which isn't part of the executive branch, passing the law. Don't go in there a decent guy and come out a soulless husk spewing what you hear on Fox News. Don't try to shift blame on that 'Obama' fictional character everyone seems to want to. You're better than that.

    1. Re:Ok Justin by wiredlogic · · Score: 3, Informative

      and the law enforcement agencies that report to it already had this power.

      The summary is wrong. The unlimited, open-ended collection powers enacted by EO12333 only apply to government employees and employees of contractors subject to background investigation for national security reasons.

      --
      I am becoming gerund, destroyer of verbs.
  5. Congressman Amash’s letter sent to Colleague by Anonymous Coward · · Score: 5, Informative

    Dear Colleague:

    The intelligence reauthorization bill, which the House will vote on today, contains a troubling new provision that for the first time statutorily authorizes spying on U.S. citizens without legal process.

    Last night, the Senate passed an amended version of the intelligence reauthorization bill with a new Sec. 309—one the House never has considered. Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.

    To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.

    Supporters of Sec. 309 claim that the provision actually reins in the executive branch’s power to retain Americans’ private communications. It is true that Sec. 309 includes exceedingly weak limits on the executive’s retention of Americans’ communications. With many exceptions, the provision requires the executive to dispose of Americans’ communications within five years of acquiring them—although, as HPSCI admits, the executive branch already follows procedures along these lines.

    In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications. The Senate inserted the provision into the intelligence reauthorization bill late last night. That is no way for Congress to address the sensitive, private information of our constituents—especially when we are asked to expand our government’s surveillance powers.

    I urge you to join me in voting “no” on H.R. 4681, the intelligence reauthorization bill, when it comes before the House today. /s/

    Justin Amash
    Member of Congress

  6. At least there's no pretense here... by Kazoo the Clown · · Score: 5, Insightful

    No pretense they have any respect for the Constitution, due process or the privacy of citizens. There's no doubt everyone will have to take matters into their own hands now. No doubt they'll make that illegal too, at which point only criminals will have any privacy.

  7. That's not how it works by Sycraft-fu · · Score: 4, Informative

    The court can't just jump up and say "We don't like that, it goes out." They have to follow procedure which means a challenge has to appear in front of them. That challenge can also only be brought by someone with standing, meaning that this law had a negative impact on you somehow.

    That's one of the reasons the government loves the secret gathering so much, makes it harder for it to get challenged. If you can't show this harmed you, then you can't fight it in court.

    So someone has to be impacted by this, challenge it, and it has to be appealed up to the SC. Then and only then do they rule on it.

  8. Sid Meier is a time traveler by C. Mattix · · Score: 4, Insightful

    I get to break this out again:

            As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master.
                    Commissioner Pravin Lal, "U.N. Declaration of Rights"
                    Accompanies the Secret Project "The Planetary Datalinks"

  9. Everyone who blamed Bush for everything... by FlyHelicopters · · Score: 4, Insightful

    Obama is just as bad... that doesn't excuse Bush from his errors, and he had many...

    But frankly, if Obama doesn't veto this, then he is the same scum of the Earth and frankly both sides need to be tossed out on their bums...

    Voting third party may not bring in "better", but it will at least do SOMETHING different than the Repubs and Dems who are different sides of the same coin...

  10. Re:Congressman Amash’s letter sent to Collea by Qzukk · · Score: 4, Interesting

    I urge you to join me in voting “no” on H.R. 4681, the intelligence reauthorization bill, when it comes before the House today.

    Thank you for posting the bill number, since neither slashdot nor the hill thought we should be able to look it up and see who voted for this bullshit.

    It appears in the Senate it was passed by voice vote by a bunch of cowards that did not want their name attached to the bill.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  11. Cutting through the alarmist deceptive stuff. by Verdatum · · Score: 3, Insightful
    Here's the important part: "That type of collection is currently allowed under an executive order that dates back to former President Reagan, but the new stamp of approval from Congress was troubling, Amash said."

    In other words, the only issue he has with this bill is that it acknowledges an Executive Order is in place. It doesn't even particularly bless it. Nothing is changing other than a slightly less tacit approval of an order that has been around for decades. It's not a terribly long bill, check it out yourself.

  12. Re: PRIVATE encryption of everything just became.. by roc97007 · · Score: 3, Insightful

    Unfortunately, I suspect that anyone who is not a geek or privacy advocate still believes it.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  13. Re: PRIVATE encryption of everything just became.. by Anonymous Coward · · Score: 5, Insightful

    Anyone who is a geek and/or privacy advocate never believed it.

  14. Re: PRIVATE encryption of everything just became.. by Karmashock · · Score: 4, Informative

    Good thing geeks are responsible for building the entire information backbone.

    Look, decoding things client side isn't expensive. It isn't a big deal. All you have to do is retain a copy of the decryption engine and key client side. Which means if you're running a large company network that hosts all company files on data centers in the "cloud" then all the IT guy has to do is maintain ONE tiny server client side that serves those two things to the clients. Which they download as part of their login script... etc etc etc.

    It isn't hard. And when that is in place... assuming the NSA has total control over the data center that is the cloud... what exactly do they have? Jack and shit.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  15. Glad to see this pushed through by hackshack · · Score: 5, Informative

    So they can't settle on a decent healthcare system for us, but when it comes to spying on us... push it right through!

  16. Who voted "YEA" to this crap? by MinamataHG · · Score: 4, Informative

    https://www.govtrack.us/congre...

    If your congressman voted YEA and you don't agree, write to him/her.
    They are representing you.

  17. Re: PRIVATE encryption of everything just became.. by currently_awake · · Score: 3, Informative

    A law giving the NSA authority to intercept all communications means that your corporate crypto server will be copied, giving them all your keys so they can decrypt everything. If you want security it must be done entirely at the client side, with only the client having the keys. Any central crypto means they get everything. Also you should assume Microsoft and Google are working for the NSA, so they can patch your OS to copy your client side keys to the NSA if required.

  18. Re: PRIVATE encryption of everything just became.. by Karmashock · · Score: 3, Informative

    You missed everything I said about keeping the keys and decryption engine private... didn't you? Read that again and then comment please... you'll sound less stupid.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  19. Where are you going to keep your files?? by Taco Cowboy · · Score: 5, Insightful

    You missed everything I said about keeping the keys and decryption engine private

    With NSA and all the spooks being given the blank check in snooping into every nook and cranny everywhere, where do you think you're gonna keep your files private?

    How long you think your files can be safely kept private?

    The problem with the American government - no, not just the POTUS, not just the NSA, not just the Congress, not just the Court System, it's everything - is that it is turning into a totally uncontrollable monster, and it is getting uglier by the day.

    --
    Muchas Gracias, Señor Edward Snowden !
  20. Re: PRIVATE encryption of everything just became.. by Frobnicator · · Score: 4, Interesting

    But cloud is great, right? They told me cloud is great!

    Yes, cloud is great as a convenience for you.

    It is also great as a convenience for NSA and other agencies. The text of the bill allows that anything that was encrypted can be kept indefinitely. If your web site says HTTPS then it is fair game for permanent governmental storage.

    Also, they can retain it forever for a number of reasons:

    From the bill now on its way to the President's desk: "(3)(B) A covered communication shall not be retained in excess of 5 years unless ... (ii) the communication is reasonably believed to constitute evidence of a crime ... (iii) the communication is enciphered or reasonably believed to have a secret meaning; (iv) all parties to the communication are reasonably believed to be non-United States persons;"

    #2 should be troubling. Does your communication (which is not limited to just email, but also includes web pages and any other data) have any evidence of a crime? Evidence that you downloaded a movie or software from a warez site, or looked at porn as a minor, or violated any of the policy-made-crimes that even the federal government has declared they are not countable? With an estimate of over 300,000 'regulations-turned-crime', plus laws that incorporate foreign laws (the Lacey Act's criminalization of anything done "in violation of State or foreign law"), pretty much anything you do probably violates some law somewhere in the world. Better preserve it just in case somebody eventually wants to prosecute you for that crime someday.

    #3 refers back to a vague definition of "enciphered" that does not just mean encryption. The "secret meaning" could be as simple as data inside a protocol. Who is to say that the seemingly random bytes "d6 0d 9a 5f 26 71 dd a7 04 31..." used as part of a data stream are really not an encrypted message? Better record it just in case.

    And of course #4, the law has a careful wording about communications between "non-United States persons". Considering the "internet of things", all those devices talking to other devices are not communications between United States persons. It was your camera (a non-United States person) communicating with a data warehouse (a non-United States person), so better exempt that from the 5-year retention policy as well.

    --
    //TODO: Think of witty sig statement
  21. I wish I had a deeper, more meaningful response... by Loki_1929 · · Score: 3, Insightful

    But fuck these assholes. Fuck all of them; every one of them who voted for this shit. Fuck them regardless of their party or their stances on other issues, or their charity work, or their stupid kids, or their veteran status. Fuck 'em. Burn in Hell you pieces of shit.

    --
    "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."