Slashdot Mirror


User: J'raxis

J'raxis's activity in the archive.

Stories: 0
Comments: 1,816

Comments · 1,816

  1. Re:So the next step on Monday is Wiretap the Internet Day · · Score: 1

    The law could have been written to say they can't legally transmit encrypted data, or that encryption keys must be made available to law enforcement in order to decrypt encrypted data (see the UK's RIP Act).

    Imagine if you're a telecom provider, a cop's trying to wiretap a customer of yours, who's using encryption, and this provision didn't explicitly exist. CALEA says you're required to provide the data to the cops, and you didn't. What, exactly, is your liability here? What would your legal department advise? How would some overzealous prosecutor interpret the law when he realized his case was torpedoed by the suspect's use of encryption?

    Perhaps after a few incidents such as the above, telecom providers would start attempting to block transmission of encrypted data, in order to shield themselves against potential liability "just in case." Perhaps "legitimate" (as defined by corporate America) usages of encryption would still be permitted (HTTPS to well-known websites such as banking sites), but other things such as PGP/MIME email or SSH to arbitrary hosts would be blocked, again, "just in case."

    Therefore, this provision needs to exist in order to make sure none of the above possibilities come to pass.

    Also, carefully reading the provision, it does say telecom providers are required to decrypt communications if possible (in other words, if they do in fact possess the keys to do so). So the provision certainly goes beyond simply stating the obvious.

  2. Re:The search for the Holy Grail on MySpace Begins Rollout of Video Monitoring Tech · · Score: 1

    They do have to honor put-back requests, but there's a 10-14 day delay required by the law in question before taken down material can be put back. This gives people who want to have time-sensitive material removed from the site (e.g., content that could affect an election, or a protest, or somesuch, a couple days from now) a very big advantage.

  3. Re:So the next step on Monday is Wiretap the Internet Day · · Score: 1

    Yes, in my comment I was specifically talking about websites that the ISP owns: company website, support site, whatever. Obviously not something an ISP's customers spend a lot of time at, but every little migration to HTTPS helps.

    Slashdot has the HTTPS server for signing up for subscriptions, I believe. Since HTTPS adds a bit of overhead to do the encryption, supporting site-wide HTTPS for a busy site like Slashdot would probably require a lot more hardware, so that's probably why they push ordinary browsing back to HTTP. Kuro5hin is nicely browsable entirely through HTTPS; they set up HTTPS for similar reasons but don't force people off of it for browsing the site.

    It's not twice as many webservers, it's the same server (both in the hardware and software sense) with two <VirtualHost> blocks and an extra port open.

  4. Re:misunderstood on Monday is Wiretap the Internet Day · · Score: 1

    Then what you (or whoever is responsible for this at your ISP) need to do is make sure this procedure is accurately and vigorously followed. Make it expensive and time-consuming for them to go on fishing expeditions under this law.

    Too many ISPs and telecommunications providers comply with subpoenas and/or court orders authorized under laws like this, the DMCA, OCILLA, and so on, when such orders were in fact invalid for a variety of reasons. Worse, the government is also in the habit of making noncompulsory information requests to ISPs (I can't find the documentation right now, but IIRC it's justified under some sort of "emergency situation" legislation), which most ISPs just blindly follow as if they were compulsory court orders.

  5. Re:But the obvious "solution"... on Monday is Wiretap the Internet Day · · Score: 3, Insightful

    What happened in 1974-11? From this list, are you talking about:

    Democrats make significant gains in the U.S. Congressional midterm elections, as voters punish the Republican Party over the Watergate scandal.

    What, Democrats wrecking the country? I'd pick FDR (ca. 1933) if I wanted to point to a turning point in which the Democrats got a bunch of overbearing laws passed, not 1974. Or perhaps 1917-1918, with the passage of the Sedition Act and Espionage Act, under president Wilson. But plenty of things happened prior to even that that have slowly eroded any meaning of "republic" or "freedom" in this country.

    It was in 1886 when corporations really got free rein to run this country.

    In 1861, a constitutional crisis over secession by states was settled through war, by a president who also suspended the Constitution, instituted the first military draft, had congressional opponents accused of treason, and began printing massive amounts of paper fiat currency, among other things. The outcome of the war was also the beginning of rapid industrialization in the United States, turning the vast majority of Americans into wage slaves working in factories. This one is of course particularly ironic because it's been justified as a war for freedom.

    And as for the first power grab by the federal government? Let's look at the passage of the U.S. Constitution itself, replacing the much weaker Articles of Confederation, justified as a response to Shays' Rebellion:

    [T]he nationalists took advantage of a propitious rebellion, that of Daniel Shays, ...

    [T]he nationalists wanted to scare the country into supporting a more vigorous government. George Washington was terrified. "We are fast verging toward anarchy and confusion," he wrote. His nationalist friends did their best to heighten his terror. Henry Knox wrote Washington of the Shaysites that "their creed is that the property of the United States" having been freed from British exactions "by the joint exertions of all, ought to be the common property of all." This was utterly false, but it did the trick. Washington agreed to be the presiding officer at the constitutional convention. Later, [James] Madison in Federalist No. 10 warned that without the strong arm of a vigorous central government, the states would be vulnerable to movements motivated by "a rage for paper money, for an abolition of debts, for an equal division of property" and for other "improper or wicked project[s]."

  6. Re:So glad I'm expat now... on Monday is Wiretap the Internet Day · · Score: 1

    Those all seem to fall under "information services" and "electronic messaging services" according to the law, from my IANAL reading of it. Of course, the question is, if the ISP is approached by law enforcement with a wiretap demand under CALEA:

    1. Will the ISP understand the request is invalid?
    2. If so, will they bother fighting it realizing it'll cost them money to do so?
    3. If so, and if the ISP also provides "telecommunications services", will the courts find some arcane way of labeling the email/web/FTP service as part of it, just so the wiretap can be granted?

  7. Re:So glad I'm expat now... on Monday is Wiretap the Internet Day · · Score: 1

    That's what PKI is for.

    ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

    You're right that current implementations of things like SSMTP and IMAPS (using SSL) have the private key on the server-side, but SSL also allows for client-side certificates. As part of your installation when you sign up with an ISP (don't all ISPs give you those dinky CDs with their "welcome package" and branded versions of mainstream software on them?), it could generate a private key for you.

    There's also the potential workaround of the ISP moving to keep its "information" and "electronic messaging" portions of its business separate from its "telecommunications" service. Then the email keys aren't under the purview of the "telecommunications service" and are out of reach.

  8. Re:So the next step on Monday is Wiretap the Internet Day · · Score: 1

    There's more than one definition of "drive."

    My employer is in the process of migrating all of us from one email system to another. The new email system does not support plaintext IMAP, POP, or SMTP access. We're also migrating all our websites to new servers; the ones that require authorization forcibly redirect to the HTTPS version of the site.

    This is the same route ISPs could take. An HTTP->HTTPS redirect for the company website is transparent to the end-user. For services like email, they can provide detailed instructions on how to reconfigure user agents to use the encrypted ports (even Outlook supports them), then after a migration period, shut down the plaintext ports.

  9. Re:suggestion on Monday is Wiretap the Internet Day · · Score: 1

    Are there any services like this located in known "shelter"/"haven" countries like Luxembourg, Switzerland, the Cayman Islands, and so on? These countries are already pretty well-versed in giving the finger to tax authorities around the world and protecting client confidentiality in other ways; what about ISPs?

  10. Re:So glad I'm expat now... on Monday is Wiretap the Internet Day · · Score: 1

    If that ISP of yours is only providing you with email, they're not bound by CALEA. See #19102005 and #19102011.

    A good business decision by ISPs that provide both connectivity and Internet services (i.e., most ISPs) might be to spin off their services to a subsidiary, provide only encrypted access to them (SSMTP, IMAPS, POPS for email; HTTPS for the company website) for customers, and then when the feds demand to wiretap a connection, they won't be able to get much.

  11. Re:So the next step on Monday is Wiretap the Internet Day · · Score: 1

    Hopefully this will drive people and information service providers to use encryption wherever they can. Web (SSL/HTTPS), SMTP ("STARTTLS" over port 25 or SSMTP over port 465), IMAPS, POPS, SSH, VPN (SSL or IPsec), and so on. Some IRC servers and IM protocols offer SSL connections. There're a few encrypted p2p services such as Freenet or I2P. Practically all your basic Internet services can be encrypted nowadays; for the rest, there's SSH tunneling to a safe place so the plaintext traffic doesn't originate from your box/network.

  12. Re:Bot me up, baby... on Monday is Wiretap the Internet Day · · Score: 1

    Hah, like the old trick of including suspicious keywords in your email signature to fuck with Echelon, eh?

    Something as simple as a Perl script googling for suspicious keywords (e.g., "kiddie porn", "assassinate president", "jihadi", "moqawama", "site:.sa", "site:.lb", ...) and then fetching some/all the results at random would do what you want.

    Look into the LWP::Simple and HTML::LinkExtor Perl modules to get started. Make sure you set the user-agent line to something like Internet Explorer or Firefox uses, use random sleep()s to make requests look like human downloading, &c.

  13. Telecommunications services only on Monday is Wiretap the Internet Day · · Score: 5, Informative

    It's important to note that CALEA doesn't apply to "information services" or "electronic messaging services", only "telecommunications". Here are the relevant parts of the actual law:

    SEC. 102. DEFINITIONS.
    For purposes of this title--
    [...]
    (4) The term `electronic messaging services' means software-based services that enable the sharing of data, images, sound, writing, or other information among computing devices controlled by the senders or recipients of the messages.
    [...]
    (6) The term `information services'--
    (A) means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and
    (B) includes--
    (i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities;
    (ii) electronic publishing; and
    (iii) electronic messaging services;
    [...]
    (b) LIMITATIONS-
    [...]
    (2) INFORMATION SERVICES; PRIVATE NETWORKS AND INTERCONNECTION SERVICES AND FACILITIES- The requirements of subsection (a) do not apply to--
    (A) information services
    [...]

  14. Re:So the next step on Monday is Wiretap the Internet Day · · Score: 4, Interesting

    This law actually makes a special exception for encrypted data:

    Section 103(b)(3) ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

    Full text here.

  15. Re:Well, of course on Sprint Nextel Vs. 41 Schools and Non-Profits · · Score: 2, Insightful

    Do you go around posting "You're using an argument from 1791?" when people defend First Amendment rights?

  16. Re:Back off the end user on A Foolproof Way To End Bank Account Phishing? · · Score: 1

    Why the f!#@ SHOULD my lovable grandma have to learn all about URLs, forged emails and the arseholes (more than likely with a technical bent) that prey on the vulnerable - just because her bank has forced her into the 21st century where you can get carjacked online ?

    This is actually a pretty good comparison. She learns how to read a URL before she tries to use a computer to access her bank, for the same reason she'd learn to lock her car doors and roll up her windows before driving into a bad neighborhood. If you want to go around being willfully ignorant and acting entitled to be as such, well, then what happens happens.

  17. Re:We'll see about that. on A Foolproof Way To End Bank Account Phishing? · · Score: 1

    Try it. Firefox warns about URLs like that now.

  18. Re:"loved by all" on Thailand Sues YouTube · · Score: 1

    Yep, just like the North Koreans have their "dear" leader.

  19. Re:Not very long... on Censoring a Number · · Score: 1

    And the base32 version: BH4RCAU5OTRVXWCBK3CWGVUIYA.

    And for you PGP/GPG users: Algol Waterloo Athens aftermath quadrant hydraulic tissue exodus stormy decadence egghead resistor flatfoot escapade newborn recipe!

  20. Re:This is a non-story! on Censoring a Number · · Score: 1

    Let's say you use a password to store your banking information, and that password is "dumbass5." Now a blog posts that your password to your banking account is "dumbass5." Would you call it censorship when you retained an attorney to shut down that blog/forum/site? More specifically, would you call it censorship that infringed on your rights?

    No, I'd change my password.

    This is a bad analogy for two reasons: First, this key can't actually be changed easily, unlike a password. Secondly, the incident with this key is more akin to me embedding my password in a million different objects, distributing these objects to millions of unknown people, at which point I've lost all physical control of the objects, and then telling each of these people, "If you peek and get the password, I'm going to be very, very angry." Of course, such a course of action would be Really Stupid(TM), so I would never do such a thing.

  21. Alternative bases, anyone? on Censoring a Number · · Score: 1

    Well, if they censor that, will they go after CfkRAp1041vYQVbFY1aIwA or BH4RCAU5OTRVXWCBK3CWGVUIYA next?

  22. Re:Does anyone else on Mercury Contamination Vs. Energy-Efficient Lightbulbs · · Score: 1

    As for the mercury, an incandescent light releases more mercury into the environment than a CFL bulb would if you were to take it, crack it open, and run it through an aerosolizer. How? Power plant mercury emissions.

    This may be true, but some people aren't concerned so much with the overall mercury output but the mercury being in their own homes, such as the woman in the article paying $2k to clean it up. Externalizing costs ("not my problem") is pretty basic human behavior.

  23. Re:Oh, come on! on Why Are T1 Lines Still Expensive? · · Score: 1

    I believe it is in fact a series of tubes.

  24. Re:In reality... on Is It Time For an Open Source Certificate Authority? · · Score: 1

    A certificate being issued by the secretary of state to a corporation upon incorporating does not necessarily preclude private businesses such as VeriSign from continuing to sell certificates to other entities. But rolling SSL certificates into the incorporation process would mean a business could get certs for no additional cost.

    Perhaps a more meaningful place to "bundle" SSL certs, however, would be at domain registration, since the relationship between business name and domain name(s) might not exactly be one-to-one mapping. How about a domain registrar that offers a wildcard cert along with each domain registration?

  25. Re:Ah, one more thing... on Major UK Child Porn Investigation Flawed · · Score: 1

    The law in question includes the "lacks serious literary, artistic, political, or scientific value" clause.

    Looking at the other stuff this guy was convicted of -- possession of actual images of children, and having done all this on a government computer at his place of employment, and being an already-convicted sex offender, I wonder if this is just another example of prosecutorial "piling on." Throw as much at him as they possibly can. With all this, he'd make a hell of a bad "test case" for overturning this clause, so in some prosecutor's mind it was probably thought to be reasonably safe that it'd not be challenged.