Slashdot Mirror


Law Professor: Tech Companies Are Our Best Hope At Resisting Surveillance

An anonymous reader writes: Fusion has an op-ed where Ryan Calo, Assistant Professor of Law at the University of Washington, argues Google, Apple, and Microsoft pushing back against government surveillance may be our only real hope for privacy. He writes: "Both Google and Yahoo have announced that they are working on end-to-end encryption in email. Facebook established its service on a Tor hidden services site, so that users can access the social network without being monitored by those with access to network traffic. Outside of product design, Twitter, Facebook and Microsoft have sent their formidable legal teams to court to block or narrow requests for user information. Encryption tools have traditionally been unwieldy and difficult to use; massive companies turning their attention to better and simpler design, and use by default, could be a game changer. Privacy will no longer be accessible only to tech-savvy users, and it will mean that those who do use encryption will no longer stick out like sore thumbs, their rare use of hard-to-use tools making them a target."

115 comments

  1. Get a bear to guard your honey by markdavis · · Score: 3, Interesting

    >"Law Professor: Tech Companies Are Our Best Hope At Resisting Surveillance"

    Except they (tech companies) are just as guilty for surveillance. Plus, all the data they do gather is still information that the government can obtain legally through warrants and "illegally" through other means (which WILL continue).

    1. Re:Get a bear to guard your honey by TheRaven64 · · Score: 4, Insightful

      Exactly. With the exception of Microsoft (which sells software, yet still doesn't have a great track record, especially with the Windows 10 fiasco), all of the listed companies have business models that rely on collecting as much information as they possibly can from their users (not to be confused with their customers). If you want to resist surveillance, then don't buy into large centralised communication systems.

      --
      I am TheRaven on Soylent News
    2. Re:Get a bear to guard your honey by Z00L00K · · Score: 1

      Just look at the Microsoft monitoring items.

      But I think it will develop to some kind of trench warfare between those performing surveillance and those that will protect us against it.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Get a bear to guard your honey by Anonymous Coward · · Score: 0

      On most sites with a lesser proportion of tinfoil hatters than this one, people are welcoming Windows 10 with open arms (it's free!) and people concerned about the ads or telemetry are either told to stop being paranoid or that their concerns are moot since google/apple/facebook/supermarkets/governments/insurers/everyone is doing the same thing and everybody loves targeted advertising and smartphones and in-app purchases and everybody is fine with that so just shut up and what are you trying to hide anyway, you deviated prevert?

      Denial and ambivalence against something you're powerless to prevent is a powerful and very real thing. The battle is already lost for the majority who are just happy they get to specify the color of the gilding on the cage being built around them.

    4. Re:Get a bear to guard your honey by dryeo · · Score: 1

      Microsoft is also embracing the collecting info on their users business model with free Win10 that collects lots of info and sends it home, and the functionality has been backported to Win7 and Win8. Seems there is a lot of money in targeted advertising.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    5. Re:Get a bear to guard your honey by Anonymous Coward · · Score: 0

      Bullfuck. I work with some technologically very average people in academia and they're all both interested and shocked to have read about just how much data Microsoft collects about the user's behaviour in Windows 10. I had an, "I'm glad I didn't download the upgrade - I've only heard bad things about it," only a few hours ago from a relative technophobe who just wants to use their computer as a tool and otherwise be left alone.

      And it's hardly tinfoil-hattism when even Apple has just opened their browser platform to ad blockers - yes, this will favour iAds, but Apple know their fanbase and wouldn't offer what they don't think is going to sell. Hell, even Adblock managed to get fat heaps of cash from advertisers to whitelist their platforms because the latter knows that more than a handful of paranoids are keen about blocking ads.

    6. Re:Get a bear to guard your honey by swillden · · Score: 1

      >"Law Professor: Tech Companies Are Our Best Hope At Resisting Surveillance"

      Except they (tech companies) are just as guilty for surveillance. Plus, all the data they do gather is still information that the government can obtain legally through warrants and "illegally" through other means (which WILL continue).

      OTOH, the end-to-end encrypted e-mail solutions Google and Yahoo are building will keep them from seeing your email as well.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Get a bear to guard your honey by chihowa · · Score: 1

      Which should honestly make us wonder if these solutions are trustworthy. What do Google or Yahoo have to gain from cutting off their own access to their users' email contents? If they're willing to not scan their users' email, they could start by no longer scanning their users' email, today.

      There are many different ways for Google to subvert this system, being that it is an extension that runs in Google Chrome, stores the keys in Chrome, and will assumedly be provided and (silently) updated by Google. The OpenPGP spec itself allows for options like "--hidden-encrypt-to", so unwary users could still end up sharing all of their information with Google or whoever else.

      TL;DR - Why should we trust Google or Yahoo here?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    8. Re:Get a bear to guard your honey by swillden · · Score: 1

      Depending on how far you're willing to go to assume bad faith, there's no way for them to really prove they don't have some way to sneak access to your data. But, they're making it all open source and calling for extensive public review. Also, if they were to be caught lying about this it would cause a huge PR shitstorm. Also, keep in mind that Google is under ongoing scrutiny from the FTC related to its privacy practices, since it signed a consent decree.

      I'm neither a PR flack nor an attorney, but it seems to me that building a secret backdoor in to be able to read your e-mail while telling you that it's secure would be a fantastically risky proposition, and one without much upside for companies that have the all-your-data-are-belong-to-us attitude that you ascribe.

      It's much more plausible to believe that Google and Yahoo actually believe people should be able to have privacy when they want it -- and that people should be able to trade privacy for services when they want that.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:Get a bear to guard your honey by Anonymous Coward · · Score: 0

      You know that Bing Ads is one of the largest ad networks around, right? Ads are certainly a big part of Microsoft's business model, especially now that it's moving more into services.

      Apple, though they have their iOS-only iAd, is more of an outlier here.

    10. Re:Get a bear to guard your honey by Anonymous Coward · · Score: 0

      The reason why they're building it as an extension rather than the default is so that most people don't use it, just the privacy-conscious do. This way, they still get the info they need from the "normals", the privacy-conscious continue to use their services, and people have a better image of Google/Yahoo because this shows they care about privacy.

    11. Re:Get a bear to guard your honey by chihowa · · Score: 1

      I'm not presuming bad faith and I agree that it would be extremely risky to put a backdoor in this system. At the same time, there's no reason to trust Google and this extension doesn't align with their demonstrated motives, so your original comment doesn't really give any solace.

      I'm also annoyed that this isn't a genuine attempt to make securely encrypted email mainstream, since mainstream use of encryption would limit Google's ability to harvest data and harm the core of their business. They can't make this system too easy to use (encrypt by default) or too many people will use it, so it's not targeted at "normal" people. It'd be pretty stupid of them to put a backdoor in such a system, but it'd be just as stupid to blindly trust them not to do so. Privacy-conscious people have just as much reason to distrust Google as any other third party, so who exactly is this targeted at?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    12. Re:Get a bear to guard your honey by swillden · · Score: 1

      I'm also annoyed that this isn't a genuine attempt to make securely encrypted email mainstream

      What makes you think it's not, other than your assumption that Google wouldn't do something to harm their business model?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:Get a bear to guard your honey by Anonymous Coward · · Score: 0

      Is that not enough?

    14. Re:Get a bear to guard your honey by swillden · · Score: 1

      No, an assumption is not enough.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:Get a bear to guard your honey by TheRaven64 · · Score: 1

      You know that Bing Ads is one of the largest ad networks around, right?

      Actually, I had no idea - I've never seen one. Apparently they have 15.6% of the US market share, though it's not clear how much they have worldwide. Thanks for the info.

      --
      I am TheRaven on Soylent News
    16. Re:Get a bear to guard your honey by Anonymous Coward · · Score: 0

      Well, it's assumptions either way. At least one of them is credible.

    17. Re:Get a bear to guard your honey by swillden · · Score: 1

      Well, it's assumptions either way. At least one of them is credible.

      One of them is "assume that the company with a lot to lose if it lies is telling the truth". The other is "assume that the company is lying, and risking a serious PR and possibly regulatory backlash". Yes, one of those is credible. Buttressing its credibility is the fact that the system is being built completely in the open, and security experts the world over are being invited to scrutinize it for any flaws, including any that could permit Google to get at the data.

      Barring heavy confirmation bias, I see only two realistic explanations. First, that it's completely legitimate and that Google thinks it's more important to enable private communications than to be able to advertise based on the contents of those communications (which I suspect wouldn't be a huge hit to Google's revenue, and might result in a net goodwill benefit). Second, that Google doesn't expect to ever actually deploy the thing.

      I happen to know that the guys who came up with the idea and are building it strongly believe the first interpretation, and so far management is encouraging them, not telling them to stop. But given a sufficiently-powerful dose of confirmation bias, it's easy to just assume I'm in on the scam, so that doesn't mean much.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Or the Gordon Dickson approach by smittyoneeach · · Score: 3, Funny

    Would it not be ironic if a parallel, completely pre-Information Age system of handwritten, couriered messaging evolved in response to the whole Big Brother thing?

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    1. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 5, Funny

      There is a special government program going on in the US right now where for $0.49 a uniformed representative of the government will hand deliver your sealed correspondence to its destination.

      I find this to be a useful way to communicate and do business in the Digital Age.

    2. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      Isn't Beijing doing a great job?

    3. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 1, Informative

      Therein lies the rub. The laws regarding the sanctity of the mail were written prior to the wholesale auction of the government, and the entire distribution chain is controlled to where any shenanigans by either the government or private entity is obvious. I've even had mail carriers inform me of my right to refuse a package when there were signs of tampering or something else seemed amiss, thereby limiting my legal liability for the contents. Try getting that from a private business without the NSA breathing down your throat.

      The truly paranoid still make regular use of the mail as the manpower required to monitor it is prohibitive, and you are pitting government agency against government agency in maintaining its fidelity.

    4. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      Would it not be ironic if a parallel, completely pre-Information Age system of handwritten, couriered messaging evolved in response to the whole Big Brother thing?

      When you speak of the "Gordon Dickson approach" what are you talking about? Is it a book or a short story written by the author? I would like to know more, please, as I have been searching for a while and I haven't found anything.

      Sorry, I'm just very curious.

    5. Re:Or the Gordon Dickson approach by GLMDesigns · · Score: 0, Troll

      Wholesale auction? Surveillance is not a bug - it's a feature of government.

      You want less surveillance? Then you need a government that does less. You know "small government." ooooooo can't have that.

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    6. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      Haven't played Mirror's Edge I take it?

    7. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      That is a pretty simplified view. It is always more government or less government, but never better government.

      And it's not even a question of more or less surveillance, but accountable surveillance, especially with the point that it isn't unidirectional. Little Sister is able to point the camera right back so we all have skin in the game. Now what level of surveillance is truly required for a Republic? That was the environment for crafting of laws regarding the Post Office.

      See the recent scandal regarding Hilary Clinton's email server. The fact that it is even an issue instead of just being numbly accepted as the status quo means government has a role beyond private entities.

    8. Re:Or the Gordon Dickson approach by drooling-dog · · Score: 1

      I'm trying to imagine, at the time the postal service was organized, what the public reaction would have been if it was announced that your mail would be opened and read, and the information so gained would be sold to merchants, employers, and police in your area. Would people have accepted that in exchange for free postage?

    9. Re:Or the Gordon Dickson approach by plopez · · Score: 1

      I disagree. If you look at how government was done in the 1800's or early 1900's things *are* better. Better support of health and safety, education, research, a professional civil service, product safety, help for the elderly, assistance for the elderly etc. Unfortunately there are forces that want to gut these initiatives and turn back the clock to the 1800s.

      --
      putting the 'B' in LGBTQ+
    10. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      "US right now where for $0.49 a uniformed"

      They can't access the specific messages (yet) but mail departure/destination information is being tracked by the government.

      "the Mail Isolation Control and Tracking program, in which Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States — about 160 billion pieces last year. It is not known how long the government saves the images."

      http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?_r=0

    11. Re:Or the Gordon Dickson approach by smittyoneeach · · Score: 1

      I was thinking Dorsai, where countermeasures have driven everything to a bare physics level, even below an organized Postal Service.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    12. Re:Or the Gordon Dickson approach by dryeo · · Score: 0

      Here in Canada we've got a right wing authoritarian government (the only kind of right wing government that seems to have success in a democracy). They've been preaching and shrinking government as much as they can as they believe the only functions of government are helping the oil business, bombing brown people and especially spying on the citizens. Small government doesn't help if you're only left with the spying (too expensive to monitor the spies) part of government.
      Unluckily fear is a great way for a government to maintain power. Bomb people on the other side of the world to create hatred and terrorism, then offer protection in return for the removal of rights. Throw in some tax cuts and the libertarian types go right along with it as they seem more interested in tax cuts than freedom.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    13. Re:Or the Gordon Dickson approach by GLMDesigns · · Score: 2

      Do you not feel that we have gone too far in the way of centralized control? You're not horrified at a child's lemonade stands being closed down due to lack of licensing? Or that you must have a fence around your pool else a trespasser who falls in your pool can sue you?

      Is there no happy medium between regulatory micromanagement and your description of how horrible it was in the 1800s?

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    14. Re:Or the Gordon Dickson approach by Anubis+IV · · Score: 1

      The truly paranoid still make regular use of the mail as the manpower required to monitor it is prohibitive, and you are pitting government agency against government agency in maintaining its fidelity.

      Which is why Snowden's leaks revealed that the NSA is routinely intercepting electronics packages heading to surveillance targets, installing surveillance software/malware, repackaging them as if they were new, and then sending them on their way. The leaks indicated that they were even jailbreaking iPhones in order to install their surveillance package, before repackaging the phones and making it look like they were still brand new.

      The battle over maintaining the fidelity of the mail system was silently lost long ago.

    15. Re:Or the Gordon Dickson approach by crtreece · · Score: 1

      And, they are only sure to scan the item to log the source address, destination address, and post office where the item was postmarked.

      Don't worry though, the Postmaster General says they only keep the data for 1-4 weeks.

      --
      file: .signature not found
    16. Re:Or the Gordon Dickson approach by kellymcdonald78 · · Score: 0

      As much as I dislike the Harper Government, in Canada, what we call "Authoritarian right-wing" is the equivalent of "left of the Democrats" in the US.

    17. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      Except that the TLOs have been shown in the past to intercept this and read it as well.

    18. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 1

      If you believe that bit of stupidity you haven't fucking been paying attention and are justly parroting something you heard once like a fucking moron.

      Between tough on crime legislation which is unconstitutional, or surveillance legislation which is unconstitutional, or bringing in US style "politics is money is free speech" ... Harper is in no fucking way "left of the democrats".

      It's a cute fucking meme, but you're apparently too fucking stupid to know what it means or why it's wrong.

      It's the same faux-libertarian economics and social conservatism which panders to the rich and corporations while ignoring everybody else.

      Please, just shut up if you're not even going to bother.

    19. Re:Or the Gordon Dickson approach by plopez · · Score: 1

      "Do you not feel that we have gone too far in the way of centralized control?"

      Yes, corporations need to be less centralized and more focused on human values.

      "You're not horrified at a child's lemonade stands being closed down due to lack of licensing?"

      Citation please.

      "Or that you must have a fence around your pool else a trespasser who falls in your pool can sue you?"

      That's just common sense. I would do it anyway as I do not want children or pets drowning.

      "Is there no happy medium between regulatory micromanagement and your description of how horrible it was in the 1800s?"

      Yes there is and I think we were close in the 1970s

      --
      putting the 'B' in LGBTQ+
    20. Re:Or the Gordon Dickson approach by Anonymous Coward · · Score: 0

      And, they are only sure to scan [nytimes.com] the item to log the source address, destination address, and post office where the item was postmarked. Don't worry though, the Postmaster General says [ap.org] they only keep the data for 1-4 weeks.

      The Postmaster General is probably telling the truth.

      But if it's legal for NSA to attack Yahoo, Microsoft, and Google's intra-datacenter communications, it's just as legal for NSA to attack USPS's rolling archives.

      Domestic surveillance isn't just bad for democracy, it's bad for American business.

    21. Re:Or the Gordon Dickson approach by GLMDesigns · · Score: 1

      Re lemonade stand: http://www.cnn.com/2015/06/11/...

      and instead of thinking I was bull$hitting you could have googled it: The following will give you a good list.

      https://www.google.com/webhp?s...

      Re 1970s - I agree in a large part of everyday life - except for the ridiculous laws on drugs, sex.

      But the overwhelming mercantile regulations were bad then too. You are a big corporation (airlines) you get protected. You make money. No competition. And prices are out of reach for everyone but the wealthy.

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    22. Re:Or the Gordon Dickson approach by dryeo · · Score: 1

      Actually Harper is so far right that he is actually to the right of Obama. Slightly more authoritarian too. See the political compass. http://www.politicalcompass.or... http://www.politicalcompass.or...

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    23. Re:Or the Gordon Dickson approach by plopez · · Score: 1

      No, it is not my job to provide your references for you. YOU are making the positive assertion, YOU have to back it up. Not me.

      --
      putting the 'B' in LGBTQ+
    24. Re:Or the Gordon Dickson approach by GLMDesigns · · Score: 1

      That's true. Fair enough.

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    25. Re:Or the Gordon Dickson approach by kellymcdonald78 · · Score: 1

      Perhaps I was being slightly facetious, and I agree that the Conservatives have shifted more authoritarian in the past few years (which is why they have lost my support). While I'd agree that they are fiscally more right than the democrats, as hard to believe as it is, the Conservatives (when compared to the US) are left. Abortion, same sex marriage, healthcare, campaign finance reform, prostitution, while perhaps not vocally supportive of these, the Conservatives have remained largely hands off (when they could have easily passed laws on any of these). Our controversies du jour are Senate expense scandals, the long form census, and long gun registry. The biggest issue we face is bill C-51 (which even the Liberals supported), and the increasing beating the drum of "terrorism" when I'm still more likely to be killed by a moose.

    26. Re:Or the Gordon Dickson approach by dryeo · · Score: 1

      Harper is smart and knows that if he raises most of those issues, he'd be gone to the same fate as the Reform Party. Instead he is doing the slow frog thing, small changes that add up. Instead of attacking health care, underfund it until people get pissed off enough to reject. Campaign Finance reform. First thing he did when he got the majority was cut public funding. Then with the "Fair Voting Act" he snuck in a bit about if the election was longer than the usual 6 weeks, spending limits go up. Notice how long this election is and how the Conservatives were the only party prepared to spend the extra that the long campaign allowed. The important thing to him is being able to out spend everyone else.
      Prostitution, well he just made buying sex illegal and made it illegal to sell sex within miles of schools etc.
      He is still limited by the Constitution so same sex marriage isn't worth worrying about, especially since the majority of Canadians are OK with it.
      He's also done the right wing things like fuck the environment, ran the biggest deficits in our country's history while claiming that they're the only fiscally responsible ones. No thought given to paying off the debts that he racked up either. Continuous war. No more peace keeping, just bombing civilians as long as they're not white. Total support of Israel to the point of mumbling about charging anyone who talks bad about them with hate crimes.
      And of course the attacks on our democracy. Robocall scandals. Disenfranchising parts of the electorate. Neutering Elections Canada, to the point they can't even encourage people to vote. And of course the attitude that openness means everyone but him.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  3. The professor is an optimist by Mostly+a+lurker · · Score: 3, Interesting

    Big Brother is here to stay. Surveillance tools are being built into the hardware and BIOS. End to end encryption becomes moot when the data is collected at source.

    1. Re:The professor is an optimist by rmdingler · · Score: 1, Interesting

      It seems the consortium of Google, Apple, and Microsoft would have little incentive to push back against the governments' surveillance, except perhaps where those acts of surveillance hinder the corporations' operations and profits.

      There does not, as yet, appear to be enough (or even any) outrage from the average internet user that might inspire the Big 3 to go to the trouble. The social media crusaders are busy wielding the power of the electronic mob for other inferred social injustices.

      Realistically, unless the governments begin selling data that is the bread & butter of these tech giants, I just don't see enough incentive for them to initiate any real reforms.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:The professor is an optimist by Anonymous Coward · · Score: 0

      The consortium does have a very large incentive to work against US government surveillance. Their profits and potential profits are and will be reduced because of this surveillance. If you were in the European Parliament you could make the sale of US designed software or hardware (for example routers) either difficult or impossible. The Russian and Chinese markets have already been partially closed down and more will surely come even without action by American companies. There will not be a large market in China for Windows 10 without the approval of the Chinese government. Internally within the US there are professionals, companies, and organizations that have legal, moral, and ethical duties to protect information. The professional associations of the legal, medical, and accounting fields are just a few of these groups. The current situation is a high stakes poker game where the concerns of the average internet user are not as important as the interests of governments, corporations and NGOs. It all comes down to it just is not as much a democracy as it used to be.

    3. Re:The professor is an optimist by Anonymous Coward · · Score: 0

      If you were in the European Parliament, you would be ignored by the European Commission that actually calls the shots and will have the TTIP approved whether you like it or not. The EU has shot its own economy in the balls by sanctioning Russia on the orders of the US and you expect its institution to actually oppose the US for its consumers' privacy? Don't be a dummy all the time. This is not even cute or naive, you're being a deluded fool.

  4. No by TCM · · Score: 4, Insightful

    Cryptographers are our best hope.

    What is this headline supposed to suggest? Trust cloud providers? LOL.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    1. Re:No by Anonymous Coward · · Score: 0

      Cryptographers are our best hope.

      What is this headline supposed to suggest? Trust cloud providers? LOL.

      But we rely on the software vendors to implement the good choices, not the weak choices, in cryptography, so I'd say Yes, we are reliant on Apple / Google / Microsoft. If they secure the data correctly, privacy is maintained, cloud or not. We're mostly using devices running their software to access the Internet in the first place.

    2. Re:No by Anonymous Coward · · Score: 0

      Putting your hopes in someone or a group of someones who have a vested interest in the opposite of what you 'hope' they'll do is beyond foolish. This professor is an idiot.

    3. Re:No by sociocapitalist · · Score: 1

      Cryptographers are our best hope.

      What is this headline supposed to suggest? Trust cloud providers? LOL.

      I'll see your cryptographers (in the public domain) and raise you an NSA with a virtually unlimited budget and fuckloads of computing power.

      Cryptographers in the corporate world are at the mercy of corporate interests that are willing to take money to install backdoors.

      --
      blindly antisocialist = antisocial
    4. Re:No by jbmartin6 · · Score: 1

      There is plenty of great encryption already, it hasn't helped much unless someone implements it. There is also the problem that at some point it has to be decrypted to be used.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    5. Re:No by Sloppy · · Score: 5, Insightful

      Communication is too basic to not be a commodity. If you have a software "vendor" then you're doing it wrong.

      What is really getting fucked up here, is that we are using the names of these three companies in our discussion, rather than the names of standard protocols. Because the public isn't using standard protocols. That's intolerable.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    6. Re:No by Anonymous Coward · · Score: 0

      Cryptographers are our best hope.

      That's like saying in the fight between police and gangs, our best hope is the arms dealers that will sell us guns... are you American, by any chance?

    7. Re:No by Anonymous Coward · · Score: 0

      I'll see your cryptographers (in the public domain) and raise you an NSA with a virtually unlimited budget and fuckloads of computing power.

      Fortunately, it is easy enough to select a keylength such that the NSA can't brute-force it in 50 years - even if those years bring them computers that are a billion times faster than today's finest. And that assumes your secrets are the only ones they're trying to crack. If a few other guys use real encryption too . . .

      Cryptographers in the corporate world are at the mercy of corporate interests that are willing to take money to install backdoors.

      Indeed. Which is why you encrypt a file outside the corporate email system first. Then you send it through weakly encrypted corporate systems, as an attachment. When they buy/coerce the corporate key, or rely on corporate protocol weaknesses, they only discover another better encryption layer.

    8. Re: No by Anonymous Coward · · Score: 0

      Encrypt away. They'll simply order you to surrender the keys. Don't want to? Go to jail. Forgot them? Go to jail. Oh, maybe just 5 years, but even if you get out of jail alive - which is not granted at all - you'll have lost 5 years of your life you'll never get back and you'll be unemployable. You cannot win against the might of the State.

    9. The key in your statement is backdoors and people suspect that some may have been put in to things like bitlocker, Android and iOS full device encrypt and other closed source products. This however doesn't prevent you from using things like TrueCrypt (included because there hasn't been shown to be any real red flags even with the limited audit), PGP/GPG, the various TrueCrypt successors, other encryption programs. Something that requires 2^256 bit flips is going to be awfully energy intensive even if it is done with the magic of quantum computers which can speed up the process but not that much (I want to say it can cut the exponent in half but I may not be remembering it correctly). So if we take an optimistic view with quantum computers that still means it takes 2^128 bit flips and good luck finding enough energy to do that. Basically proper cryptography without backdoors or flaws is something that cannot be broken even using all of the available energy in the universe. If that doesn't offer enough protection then you could always use a one time pad.

      --
      Time to offend someone
    10. Re:No by sociocapitalist · · Score: 2

      The key in your statement is backdoors and people suspect that some may have been put in to things like bitlocker, Android and iOS full device encrypt and other closed source products. This however doesn't prevent you from using things like TrueCrypt (included because there hasn't been shown to be any real red flags even with the limited audit), PGP/GPG, the various TrueCrypt successors, other encryption programs. Something that requires 2^256 bit flips is going to be awfully energy intensive even if it is done with the magic of quantum computers which can speed up the process but not that much (I want to say it can cut the exponent in half but I may not be remembering it correctly). So if we take an optimistic view with quantum computers that still means it takes 2^128 bit flips and good luck finding enough energy to do that. Basically proper cryptography without backdoors or flaws is something that cannot be broken even using all of the available energy in the universe. If that doesn't offer enough protection then you could always use a one time pad.

      You're making the assumption that those attacking it are using the same technology that you are aware of - which may be the case. Then again it may not.

      Whatever you rely on, there will be ways around it and governments just have a lot more resource to throw at something than you do. Of course they probably don't care enough to make the effort.

      --
      blindly antisocialist = antisocial
    11. Re: No by Anonymous Coward · · Score: 0

      read up on the early Anarchist movement, on the circumstances surrounding the death of archduke Ferdinand, and on the American Revolution, and then say that again, the bit about "cannot win against the might of the State". Fuck the crown :)

    12. Re:No by Forgefather · · Score: 1

      Hence, why the big three play such an important role in protecting privacy. Yes, the NSA can circumvent just about any safeguard, beyond encrypting the entire hard drive before unplugging the machine and destroying the keys, but that is only the case for one person.

      Why are they in such a tizzy about Google and Apple's default encryption? Because when everyone is encrypted it means no more free lunch. They will have to dedicate resources at the individual level, and that will obscure the normal person's data. In order for them to justify the time and expense of cracking encryption they will need prior evidence that indicates the time and expense will be worth the effort which brings us closer to where we should be in law enforcement. It will mean greater attention to physical evidence.

      --
      "There are lies, there are damn lies, and there are statistics"
    13. Re: No by Anonymous Coward · · Score: 0

      It was mentioned above: the HARDWARE is compromised to begin with.

      All of these arguments about not being able to decrypt X are just a distraction while they root your firmware.

    14. Re: No by Anonymous Coward · · Score: 0

      Yes, because now you can do all of that stuff, sure... (snicker). What about you learn to live in the real world, instead of your own version of the Matrix where you're a gravity-defying, gun-wielding superhero? I know, this is the world where you crap your pants when a mall cop passes you by, but it's the only reality that there is. Suck it up.

    15. Re:No by Anonymous Coward · · Score: 0

      NO THEY'RE NOT.
      ANY "government" can pass a law right now today that will wipe out both these companies and cryptographers.

      Your only best real hope is to GET THE FUCK UP OFF YOUR LAZY ASSES, go get 10 of your friends, and go have a little sit-in at your congresscritters office TILL YOU GET WHAT YOU WANT.

      Which these days is control over your so-called "government" back. Specifically them being servants to you, the people, not corps, not money, and not each other.

    16. You're making the assumption that those attacking it are using the same technology that you are aware of - which may be the case. Then again it may not.

      At this point if they have something more than a dwave quantum annealer or I'll go so far as to even say a theoretical 256 bit quantum computer for technology then they likely have moved into the realm of magic pixie dust and unicorn farts. Even assuming that they have some magical theoretical device that is capable of cycling through a 256bit key space without actually destroying data, i.e. the bit flips cost zero energy, they still wouldn't have done any checks on those keys which will take energy at least comparable to the energy to do the 2^256 bit flips. Since none of the leaks from the NSA indicate that they somehow have under their control a separate universe to suck energy out of I'm not worried about that type of attack as brute force is hard.

      That said yes they do have some very smart people working there but there are also a lot of very smart people outside the NSA as well doing crypto work. Given this even the best attacks on something like Twofish still are at best theoretical and require vast amounts of power and resources. So if one assumes that indeed Twofish is susceptible to this type of attack then the solution is to do what most tools allow which is a cascading of algorithms like TrueCrypt's AES->Serpent->Twofish. Add in additional algorithms like 3DES and IDEA and you make it so even if one is compromised or "easier" to attack it doesn't mean that the entire chain is compromised.

      If the government wants to decrypt your stuff the most effective type of attack is the $5 wrench or rubber hose type of cryptanalysis. If they are willing to go to that level of effort for your stuff you are fucked anyways. Also if you use a one time pad and then destroy your pad once done like you should then there is no way that the data can be decrypted even with rubber hose cryptanalysis, that is unless you memorized the pad which would seem to be an exercise in futility. Cryptography is not going to be the weak link in most cases unless you roll your own algorithm, allow weak ciphers, or do stuff like keep the keys around. More than likely the problem will be with the user doing dumb things like leaving the key under their keyboard, or leaving encrypted volumes open all the time even when the data should be at rest.

      --
      Time to offend someone
  5. Microsoft, really? by Anonymous Coward · · Score: 1

    Windows 10 has telemetry and backdoors that no user asked for. It looks like it was designed with the NSA in mind.

    1. Re:Microsoft, really? by Z00L00K · · Score: 1, Interesting

      I'm also worried about the later Linux kernels - how many hidden features are there in them?

      An independent review of one of the later kernels should be worth considering. However this doesn't really help against a leaking BIOS.

      If I want to be clandestine and run a reasonably secure solution with encryption I would look at designing something using an old 8-bit microprocessor.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Microsoft, really? by Endymion · · Score: 1

      The problem is Intel's new SGX ("Software Guard Extensions"). They allow the creation of memory regions that "maintain confidentiality even when an attacker has physical control of the platform and can conduct direct attacks on memory". The CPU encrypts RAM so you cannot pull keys out of it with a cold boot attack or a logic analyser on the memory bus.

      Of course, the rare news article about SGX likes to assume this is something intended for the user so they can protect their GPG keys. What nobody is talking about is that this lets, for example, Microsoft create unbreakable DRM. MS will finally have their infamous Palladium "trusted computing" platform. They have already started the chain-of-trust with UEFI's SecureBoot. I hope people are taking the hint now with the Windows 10 scandal and fleeing the platform, because you aren't going to be able to remove their spyware once it is in the "trusted" enclave.

      If that isn't worrying enough, consider what hidden SGX enclaves means for Intel's System Management Mode - the network enabled BIOS feature that allows remote access - which is already in your computer if you have an Intel system newer than ~2010. This even works independent of the installed OS, so you can't get away from SMM by using Linux.

      Ever get the feeling you don't actually own your computer? Current "trusted computing" design allows an untrusted OS to run most of the time by implementing the DRM/spyware at a lower hardware protection ring while making sure plaintext never leaves the CPU.

      --
      Ce n'est pas une signature automatique.
    3. Re:Microsoft, really? by JohnFen · · Score: 1

      Fortunately, we have choices that are not Intel or Microsoft. BIOS is a tougher problem, but hardly insurmountable.

  6. Uh uh by Anonymous Coward · · Score: 1

    Just make sure you get the source code and verify that it matches the binary you run. Not gonna happen? Exactly.

    1. Re:Uh uh by Anonymous Coward · · Score: 0

      Well - using gentoo gets you this exactly. Everything is compiled on your computer, so of course binaries match the source. You are your own supplier of binaries.

      You may still want to check parts of the source for exploits - a big boring job, but it is easier with source than with compiled software.

    2. Re:Uh uh by beelsebob · · Score: 1

      Being compiled on your computer doesn't imply that the binary matches the source code. Your compiler may be maliciously inserting code into other binaries.

    3. Re:Uh uh by Anonymous Coward · · Score: 1

      Is that Microsoft Gentoo, Apple Gentoo or Google Gentoo?

  7. Windows 10 = privacy tool by Anonymous Coward · · Score: 2

    I'd say Free Software is our best hope, not companies like Microsoft who build surveillance into the operating system and encourage people to store all of their files in the cloud. Didn't Microsoft destroy Skype's decentralized architecture so that they could make it possible to wiretap?

    1. Re:Windows 10 = privacy tool by GameboyRMH · · Score: 1

      Didn't Microsoft destroy Skype's decentralized architecture so that they could make it possible to wiretap?

      Oh no no no, they did it for "performance reasons" ;-)

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. google, facebook, etc.... by Anonymous Coward · · Score: 0

    their actions are not for OUR benefit.. but for theirs. spying on users is what they do and they don't like competition regardless of where it comes from.

  9. Winston, hide your razor blades by Jahat · · Score: 1, Troll

    Just look at all the ways that big tech companies partner with the very governments we are supposed to be protected from. Google especially looks like a branch of DARPA.

    --
    Sola Scriptura Sola Fide Sola Gratia Sola Christus
  10. While Microsoft hands them the keys by Anonymous Coward · · Score: 2, Funny

    Windows 10 will safely back up your key to the cloud whenever you encrypt data with Bitlocker. Making the whole process useless. Any government agency, Microsoft employee or hacker who can get in there has full access to your data.

  11. Hotmail wouldn't attach encrypted zip file by sasparillascott · · Score: 4, Interesting

    Yesterday I wanted to get a small file from one computer to another, didn't want to use a thumb drive (didn't have cloud storage on one as well) so I just figured I'd Hotmail myself (via its web interface) an e-mail with the attached file zipped and encrypted (it was a tax doc) to another e-mail address of mine...no problem right? So I try to attach the file and Microsoft decided it had to be able to scan and identify (and log?) what I had in that zip file before it would allow it to be attached (since it was encrypted it wouldn't allow it to be attached...tried it several times...the NSA must be pleased)....so much for user's privacy.

    With all the information, since Snowden, about Microsoft working hand in glove with the U.S. government I have to laugh a little at them being included here - as it seems a PR stunt on their part.

    http://www.theguardian.com/wor...

    1. Re:Hotmail wouldn't attach encrypted zip file by Anonymous Coward · · Score: 2, Informative

      Assuming the file is below whatever the attachment size limit is for Hotmail, try renaming it to a JPEG or some other picture format file extension.

    2. Re:Hotmail wouldn't attach encrypted zip file by Anonymous Coward · · Score: 3, Informative

      Had this problem when I was in the military. Changed the extension to .txt or .ppt to get around it.

    3. Re:Hotmail wouldn't attach encrypted zip file by N1AK · · Score: 0

      That would likely allow you to send the file, but you're rather missing the point: By sending the file in that way it is in no way encrypted or protected. The file data would make it clear what kind of file it actually was, and the content of the file would remain unchanged. Security sufficient to stop casual uninterested parties isn't hard (in fact it's hardly needed), but things like this make real security (sufficient to actually be of use against someone interested) much harder.

    4. Re:Hotmail wouldn't attach encrypted zip file by Nemyst · · Score: 1

      The parent meant sending the encrypted zip file with a JPEG extension, thus generally bypassing zip archive recognition and analysis.

    5. Re:Hotmail wouldn't attach encrypted zip file by Anonymous Coward · · Score: 0

      Do they detect an encrypted archive .rar'd inside an unencrypted archive? and so on?
      Try emailing yourself a zipbomb :)

    6. Re:Hotmail wouldn't attach encrypted zip file by Anonymous Coward · · Score: 0

      Bah, get yourself real email then. There are plenty of email clients that don't care what you send - no mandatory "scanning". There are even plenty of webmail systems that don't pull shitty stunts like this.

      So now we know that hotmail isn't so hot - in yet another way.

    7. Re:Hotmail wouldn't attach encrypted zip file by N1AK · · Score: 1

      Thanks for explaining, I hadn't considered that possibility.
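
The point argued in this sub-thread, that a renamed archive still identifies itself by its bytes, shown as an added example that is not from any commenter and not Hotmail's code: a content-based check reads the ZIP central directory and reports entries whose general-purpose flag bit 0 (encrypted) is set. The function names, the file names and the sample archive are constructed for illustration; how Hotmail's own scanner works is not stated on this page.

```python
import io
import os
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"               # local file header
EOCD_SIG = b"PK\x05\x06"              # end of central directory
CDFH_SIG = b"PK\x01\x02"              # central directory file header
EOCD = struct.Struct("<4s4H2IH")      # 22-byte fixed part of the EOCD record
CDFH = struct.Struct("<4s6H3I5H2I")   # 46-byte fixed part of a directory entry
FLAG_ENCRYPTED = 0x0001               # general-purpose flag bit 0
FLAG_UTF8 = 0x0800                    # general-purpose flag bit 11


def central_directory(data):
    """Return (entry_count, offset) from the EOCD record, or None if absent."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD.size > len(data):
        return None
    fields = EOCD.unpack_from(data, pos)
    return fields[4], fields[6]


def list_entries(data):
    """Yield (name, flags, method) for each central directory entry."""
    located = central_directory(data)
    if located is None:
        return
    count, pos = located
    for _ in range(count):
        if pos + CDFH.size > len(data):
            raise ValueError("central directory truncated")
        f = CDFH.unpack_from(data, pos)
        if f[0] != CDFH_SIG:
            raise ValueError("bad central directory signature")
        flags, method, nlen, xlen, clen = f[3], f[4], f[10], f[11], f[12]
        raw = data[pos + CDFH.size: pos + CDFH.size + nlen]
        name = raw.decode("utf-8" if flags & FLAG_UTF8 else "cp437", "replace")
        yield name, flags, method
        pos += CDFH.size + nlen + xlen + clen


def inspect_attachment(filename, data):
    """Classify an attachment by its bytes, not by its claimed extension."""
    ext = os.path.splitext(filename)[1].lower()
    is_zip = data[:4] in (LFH_SIG, EOCD_SIG)
    entries = list(list_entries(data)) if is_zip else []
    return {
        "claimed_ext": ext,
        "is_zip": is_zip,
        "extension_mismatch": is_zip and ext != ".zip",
        "encrypted": [n for n, flags, _ in entries if flags & FLAG_ENCRYPTED],
    }


def build_constructed_sample(mark_encrypted=True):
    """Constructed sample: one-entry ZIP with the 'encrypted' flag set by hand.

    The payload is not really encrypted; only the header bit a scanner reads
    is set, in both the local header and the central directory entry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax-2014.pdf", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        _, cd_offset = central_directory(bytes(data))
        for off in (6, cd_offset + 8):  # flag field offsets in each header
            (flags,) = struct.unpack_from("<H", data, off)
            struct.pack_into("<H", data, off, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    print(inspect_attachment("holiday.jpg", build_constructed_sample()))
```

A scanner that inspects only the extension sees `holiday.jpg`; one that reads the content sees a ZIP with an encrypted entry. File names in the central directory are stored in the clear even when entry contents are encrypted.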

  12. If that is true.... by Revarg · · Score: 3, Insightful

    ... we are screwed. If our best hope against government surveillance are companies who spend most of their time collecting our information to sell to the highest bidder, then we are in for some heavy government surveillance.

    1. Re:If that is true.... by drooling-dog · · Score: 1

      That's completely untrue. The lower bidders get a lot of that sweet data as well.

    2. Re:If that is true.... by Revarg · · Score: 1

      Correct. At the end of the day the companies don't care about the government having the information, they just want to sell it to them, not have the gov collect it on their own.

    3. Re:If that is true.... by geekmux · · Score: 1

      ... we are screwed. If our best hope against government surveillance are companies who spend most of their time collecting our information to sell to the highest bidder, then we are in for some heavy government surveillance.

      What makes that even more disgusting is the way in which our government is "paying" these companies in exchange for information.

      Tell me IRS, how much did these companies pay in taxes in recent years as the largest entities in the history of capitalism?

      Yup. Thought so.

      Oh yes lawmakers, tell us again how we should raise taxes. I just love hearing that fucking line again...

  13. Hey - hear him out! by megaronic · · Score: 2

    His argument comes with the weight of jurisprudence.

    Really good for him to put the facts on the table for all to appreciate.

    And it's also been very brave of Google, Apple, Microsoft and Facebook to criticize governments and corporations who don't have high standards of privacy or care to protect the rights of others.

    Well done these four!

    They all deserve a big award.

  14. Who guards the henhouse? by soap_and_dish · · Score: 1

    Not that I'm disagreeing with the summary, but the idea that we're resting our hopes of protection from spying on a different group of spies is probably cause for concern. The government gets away with this thanks to voter apathy. The private companies get away with this thanks to consumer apathy... While more ubiquitous encryption is only something to celebrate, the real cause for celebration might simply be that its presence calls attention to itself and maybe possibly gets people to be slightly less apathetic.

  15. Tech companies = front door surveillance? by Anonymous Coward · · Score: 1

    As a European:
    Governments have no credibility, especially US gov.
    Corporations in general have no credibility, especially Microsoft and all telecoms companies

    I suggest letting privacy oriented organizations dictate terms to both governments and corporations, and let the shitshow play out.

  16. End-to-end.. by Anonymous Coward · · Score: 0

    It's not end-to-end encryption if middlemen (Google, Yahoo, Apple, ...) are doing it for you to make it "easier". For actual end-to-end encryption we already have OpenPGP that far too few people use.

    Why don't you install Enigmail to Thunderbird or try some natively OpenPGP-capable email client and give it a shot? Then you just need to convince your friend to try it as well to actually use encryption.

  17. Law Professor by Anonymous Coward · · Score: 0

    If there ever was a broader crevasse between theory and application...

    The US constitution would dictate that you are safe in your correspondence and encrypting it would be within your rights, try exercising it and a jack boot will leave a print on your door. So you must trust your friendly corporations to protect that for you... doublespeak at its best!

  18. Rapists in savior's clothing by macraig · · Score: 3, Insightful

    "Tech companies" are no saviors of anyone but their executive staff and their shareholders. It has been well established that, as a general rule, sociopaths are in executive control of virtually every human hierarchy, be it a corporation or gang or government or military. The Peter Principle is a myth, a misdirection; the real principle at work is that sociopaths willing to make the "hard" unethical decisions that disproportionately benefit each organizational tribe are the ones who consistently get elected, appointed, promoted. Tribalism is very alive and well, and it's sociopaths who benefit the most from exploiting it.

    In the case of tech companies, at the same time they appear to be resisting government oppression they are also supplying government (and anyone else with cash in hand) with the tools it needs to oppress. That doesn't sound messianic to me at all.

    So who is this Ryan Calo that he is motivated to publish such misdirecting tripe?

  19. You don't fool me Microsoft! by AndyKron · · Score: 1

    Microsoft pushing back against government surveillance on the one hand, while monitoring our computer usage on the other.

    1. Re:You don't fool me Microsoft! by Anonymous Coward · · Score: 0

      Microsoft pushing back against government surveillance on the one hand, while monitoring our computer usage on the other.

      No conflict of interest there. Microsoft (and Apple, and Facebook, and Google, and Yahoo, and all the rest of the Big Data industry) don't like competition. NSA's desired vision - and FBI per James Comey's even worse vision - makes their products valueless and would wipe their stock prices out in an instant.

      But that doesn't mean they don't want your data for their own corporate interests. It just means that they have to defend, not just against FSB/PLA crackers, but against NSA crackers too.

  20. Government Is Not Working For Its People by BrendaEM · · Score: 2

    Is this how it ends?

    --
    https://www.youtube.com/c/BrendaEM
  21. Naive by Anonymous Coward · · Score: 0

    Serfs with Stockholm syndrome look to their corporate robber barons for protection. Welcome to Feudalism 2.0.

  22. Trouble is by JRV31 · · Score: 1

    The corporations want to protect your data; from everyone but themselves.

  23. Encryption doesn't help most people. by Anonymous Coward · · Score: 0

    Most people can't avoid installing random apps on their phones that require access to their identity, files, messages, etc. And on PCs they install adware and malware that can easily bypass encryption. They are trivially vulnerable to phishing and other forms of social engineering.

  24. What the hell sort of propaganda is THIS!? by kheldan · · Score: 1

    ..Google, Apple, and Microsoft pushing back against government surveillance..

    Are you FUCKING KIDDING ME!? Especially Microsoft, with its gods-be-damned spyware package entitled "Windows 10"!? Seriously!? What the actual fuck!?

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:What the hell sort of propaganda is THIS!? by Anonymous Coward · · Score: 0

      They are claiming to be protecting you from the NSA spying on you. They never claimed to have any qualms about spying on you themselves.

    2. Re:What the hell sort of propaganda is THIS!? by kheldan · · Score: 1

      'Claiming' being the operative word, there. "Here, we'll save you from the nasty 'ol NSA! Trust us!" Yeah sure whatever you say. Sounds like misdirection to me. Here's an idea: How about they collect no data of any kind, that way there's nothing for the NSA to seize from them! What a concept!

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  25. The law is the problem by epyT-R · · Score: 1

    Until the law is changed, providers cannot be trusted as they can be compromised with an NSL.

  26. End-to-end encryption in email by nickweller · · Score: 2

    "Both Google and Yahoo have announced that they are working on end-to-end encryption in email."

    Unless the keys reside only on the end devices then it ain't secure.

  27. If that's true, then we're doomed by JohnFen · · Score: 1

    All of those companies (albeit Apple least of all) are pretty cavalier about their own invasions of our privacy. None of them are defenders. At best, they're just giving us the choice of who will be spying on us.

    If they are our best hope, then we've already lost.

  28. well that is that then. by Anonymous Coward · · Score: 0

    We are fucked.

  29. Re:Techy people themselves are... apk by nvm_my_comment · · Score: 1

    DRASHEK.... Welcome back! we missed you from the inquirer days.

  30. Techy people themselves are... apk by Anonymous Coward · · Score: 0

    It's partially what I've been up to here -> APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community - using something you already have vs. "bolting on browser addons 'MOAR' that's usermode slower & increases messagepassing, cpu + ram overuse overheads & actually SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed), whereas by way of comparison, other "so-called security 'solutions'" SLOW YOU DOWN!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk