by nickpsecurity 3848 days ago
In short: no. This is a political problem that must be solved by laws that people push for. People have been supporting surveillance state or apathetic. Hence, it's winning and their combo of police power + secrecy + immunity is stronger than crypto.
3 comments

Strongly disagree.

Legal protection provides a recourse after everything happens. Technological measures don't let it happen in the first place. Or, well, to be more correct - make it significantly harder to happen.

Consider: we can send all our email as non-enveloped postcards and rely on the laws that our correspondence privacy is protected. But for some reason we don't. Why we still send out our Internet correspondence completely unprotected is beyond me.

It is important that we have laws, so we can get a legal recourse if something goes wrong. But it's extremely naive to think that no one would violate those laws just because they are in place.

Even more, I believe that technological measures must come first. Because if a law comes first, the public relaxes, thinks they're safe now, and few bother about actually putting a lock on the door.

"Legal protection provides a recourse after everything happens. Technological measures don't let it happen in the first place. Or, well, to be more correct - make it significantly harder to happen."

It actually prevents many things when the law is clear. Your email example misses the entire point. So, let's use it to illustrate the point. I create an encryption system to protect email. It gets large uptake to point NSA and FBI are pissed by it. With current laws, they will feel free to:

1. Hit me with a FISA warrant to order a backdoor or key leak.

2. Hit me with court order to do the same.

3. Parallel construct some dirt on me.

4. Use NSA TAO or TAREX to smash my systems for their benefit.

5. Use FBI to raid my stuff or seize my property.

6. Have me audited by SEC or IRS depending on my company structure.

We've seen stuff like this happen to leakers, supporters of Wikileaks, companies resisting subversion, etc. You can build all the tech in the world but it's not that helpful if legal system is set up to destroy the user or developer easily. Those laws need to be rolled back. Only the people can do that. They don't give a shit enough to act. So, it's a political problem rather than technical one.

Feel free to continue to deploy and use tech to protect yourself. Just know the bigger problem is what's enabling their surveillance dragnet and police state problem in first place. The things that can get you with or without crypto. The things that have to go away to maintain democracy.

Ah, sorry, I see your point now. I suppose I got it wrong when I replied to your comment. Yes, I fully agree with you here on the point that the laws that allow this are wrong and they must be rolled back. Those are legal issues and they must be fixed as such.

I must make it clear that I stand that both legal and technological measures are necessary and are equally important. And I believe that neither would work well without the other one.

Current mass surveillance relies on lack of technical measures that protect from one. So, I believe that if everyone and their dog encrypts their correspondence in a secure manner, it would cause much greater hit on mass surveillance programs than any lawmaking could do. Please note I don't say that lawmaking is not necessary here. On the contrary, it is equally important to prevent TLAs from even trying to break technological measures and hold them responsible for their actions.

"I must make it clear that I stand that both legal and technological measures are necessary and are equally important. And I believe that neither would work well without the other one."

100% agree. The overall solution will combine technological methods and legal reforms. We continue developing and implementing what technical solutions we can for privacy and security in general. Just have to never fool ourselves on what it will take to stop the huge internal threat.

Pointers to (seemingly) frivolous prosecutions (3) and pointers to anything resembling 4 or 6 would make them a lot more interesting.

Without just a little bit of evidence, they are like saying the NSA will shoot your dog.

My naive, facile reading suggests that systems like Signal, Pond and Tor tend to be more effective at actually securing communications, so it would be especially interesting to hear about the jackboots kicking them.

The technique used for No 3 is here and other documents suggest they work with many agencies rather than just DEA:

http://www.huffingtonpost.com/peter-van-buren/parallel-const...

Number 4 we're not going to get examples of: TAO & TAREX operate in a bubble. There are two known efforts to do this sort of thing but tactics are unknown. One is BULLRUN:

http://securityaffairs.co/wordpress/17577/intelligence/nsa-b...

Additionally, the ECI leaks mention that the "FBI compels" firms to "SIGINT-enable" their stuff. This means the FBI has some way of coercing companies to backdoor things. The specifics were left out. That they've been doing it for years with no details public indicate even talking about it must be a crime. Like the other stuff.

IRS, SEC, whoever being used against people is a tactic with a long history. My bookmarks aren't giving me a link right now. I do recall Nacchio of Qwest claiming government came after him for being only ones not helping NSA. A quick Google had Binney saying IRS and NSA worked tight together albeit with speculation on Tea Party rather than obstacles to SIGINT as target.

http://www.wnd.com/2014/07/whistleblower-irs-in-cahoots-with...

And FBI raiding and seizing opponents' stuff is well-known, happening to most leakers, too. Civil forfeiture is another weapon with a long history at FBI and DEA especially. Some journalists during Bush-Cheney Administration ended up on Do Not Fly list. Tor project people like Appelbaum get harassed at borders. So on and so forth. Many methods they can use without ever doing time for the abuse.

What they will do to you depends on who you are, what you're doing, what dirt they have on you, your resources, and so on. The uncertainty is one of their most powerful weapons. Never know when hammer will drop on you or how hard.

Specific examples are more interesting than raising the specter. You've doubled down on raising the specter.

Think I could've done better? Just file some FOIA requests and lawsuits on the subject requesting all specific examples of cooperation between NSA and other LEO's plus list of all TAO and BULLRUN activities against Americans. Bet you'll have less than I posted.

Btw, a manual for DEA of using NSA's evidence isn't a specter: means it's ongoing.

If you're going to use the envelope analogy, also consider that we don't put our mail in envelopes to prevent the police from intercepting it; we put them in envelopes to prevent access by all of the people handling the mail between the sender and intended recipient. A cop with a warrant can rightly get access to a person's mail in transit. The envelope also isn't particularly difficult to get around - we don't secure our mail through technical measures but instead by putting stiff legal penalties on tampering with it.

Wrong. The surveillance state does not follow laws, and it has all the dirt it could ever want on politicians. Laws are not a solution here. The first rule of security is "don't trust the network". Computer scientists and developers who build systems that require users to trust the network are uniquely culpable. This is an unpopular opinion here because many of us would like to continue collecting hefty paychecks while washing our hands of any responsibility for our actions.

You're way off. The people and politicians knew to get a grip on this decades ago when they discovered all the abuses of CIA, etc. They had two main choices:

1. Create accountability mechanisms a la GAO working alongside these organizations ensuring they follow the law and imprison offenders.

2. Create a court that approves most of what they do, never imprisons offenders, and operates in secret.

America went with No 2. Further, most of those caught red-handed didn't do time. Americans also didn't push hard for reform with their votes. Intelligence and oversight fought back and forth but effective immunity let their corruption and power expand over time. It went into overdrive post-9/11 where people not only didn't do crap: they encouraged giving secrecy, vast power, and criminal immunity to the very groups that failed pre-9/11.

So, this didn't happen in a vacuum and isn't today. Americans' apathy and frankly ignorance is what gave scumbags a series of blank checks with immunity. Americans didn't do anything learning about Iraq WMD's, 2008 frauds, Snowden leaks, and so on. Largely nothing but griping. Meanwhile, in Iceland, they straight up overthrew their dirty government after 2008 abuses and passed new laws protecting their citizens. Exactly what Americans have to do.

Let's say they don't. Then, Congress continues passing police state style legislation, secret agencies bribe our ISP's/whoever, fabs eventually get compromised, dissidents are harassed via many means, opponents with dirt are jailed via parallel construction, patent system will be used against tech companies trying to solve it, and so on. Damn near pointless to try to technologically solve a problem that a country's citizens and politicians are creating and expanding with laws that can attack users of the tech.

All this shit is Americans' fault. Their common sense should've told them giving God-like knowledge and power to already-dirty groups was stupid. Doing it with secrecy and immunity was stupider. Not doing anything post abuses was foolish. My money is on them still being fools aiding surveillance state 5 years from now. They have to wise up and remove the internal threats' legal authority before technical solutions have a chance.

This comment doesn't make a whole lot of sense to me.

What's all this talk about America? We've been talking about China the whole time. You're seriously blaming the Chinese people for their heavy-handed government? By focusing their work in directions that harm freedom, computer scientists and developers make it easier for the Chinese government to use surveillance to hold onto power.

I'm talking about the surveillance state in America. My points apply to surveillance states in most democracies, though. China is a rather extreme situation. Yet, the points still apply: their people at the mercy of a corrupt government means the government can use laws and money poured into harmful tech to continue to hold them down. The solution, even there, will be aimed by the people straight at the government.

>You're seriously blaming the Chinese people for their heavy-handed government?

Yes.

>Americans' apathy and frankly ignorance is what gave scumbags a series of blank checks with immunity. Americans didn't do anything learning about Iraq WMD's, 2008 frauds, Snowden leaks, and so on. Largely nothing but griping.

Hold on, I think you're giving the average American way too much credit here. My mom has at various times said that the police state is a good thing, the FBI should be able to view anybody's data for any reason, and groups the state names as terrorists should be denied freedom of speech.

Yeah, there are plenty of those... an even bigger problem.

The legal aspect was taken care of by the Bill of Rights. The govt is trying to erode them and so now we need to "fight" against it.

I'm not with 'nickpsecurity on this issue, but what you just said is not a valid argument.

Cryptography enables individuals to override the interests of any element of the state, no matter how compelling those interests are.

Any way you read the Fourth Amendment, even the wrong way that implies that the government requires a warrant for any conceivable search, there remains a pathway through which the state can compel the production of data. Congress may have to enact a law to authorize the compulsion, and a judge may need to sign off on the warrant, but at the end of the day, the government has the authority to compel production.

I think cryptography is mostly orthogonal to the Fourth Amendment, but to the extent it isn't, its main implication is that it thwarts the Fourth Amendment.

First, the Constitution as a whole is "addressed" to the government, not the people. That is, the Constitution tells the government what it may do. In the case of the IVth, it tells the government search powers are limited to those allowed by the Constitution.

If the Constitution is amended to say "Government officials may levitate" it does not confer the power to make gravity illegal.

Similarly, if encryption can build an uncrackable "safe" for your documents - moreover one that can be made invisible and deniable - government search powers are as limited by mathematics as they are by gravity. The only difference is that government officials don't actually expect to levitate.

That means when the people invent something that thwarts government power, there is nothing in the Constitution that says anything about that. Even less does it say "No, the people can't have that."

My position is that possession and use of cryptography won't protect individuals against government's illegitimate actions if citizens let that government's rogue agencies continually amass more power, surveillance, and control over IT.

If you're against that position, please tell me why crypto alone (not active democracy) is all one needs to be safe against state abuse in a surveillance state that targets crypto users. I'm sure any activists aiding Chinese and North Korean dissidents will appreciate your tips, too. They, like I, have been under the same delusion that TLA's legal power matters and must be dealt with.

It wasn't: that was only the beginning. Democracy, like security, is a process rather than a thing you do once. So, people have to be "eternally vigilant" fighting off advances against their established rights in legislature and in court rulings. People can sit on the sidelines of corruption and have a democracy. That's what's happening now. It's why we're pretty far from the Bill of Rights in practice but still have enough to reform with.

People just got to put it to use.