[aspenmayer]

This is magical thinking, because it’s using the legal system to solve a technical and social problem. It’s probably possible to create standards that don’t leak PII and other forms of metadata that are unique. That is probably the only solution going forward to reduce possible interdiction by extralegal third parties. However, Comcast can only be enjoined from doing this legally, and will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards. The fact that these capabilities are available to Comcast corporate is because OEMs that make set top cable receivers and combination cable modem WiFi routers provide these capabilities. I’m not sure if these features are standard or require a special order. Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine, which isn’t going away anytime soon.

[maxerickson]

You seem to think that it would be impossible to instruct Comcast to implement on/off for the feature? That's the sort of thing that the legal system is for.

[aspenmayer]

I don’t think that this would be likely to pass Congress. Even if it were, if Comcast failed to uphold its obligations due to receiving a National Security Letter (NSL) then they would be hamstrung, unable to comply and unable to protest publically.

It’s almost a legal impossibility and would be a bad move geopolitically to give up this full take capability and it is not happening. It’s wishful thinking to believe otherwise.

https://en.wikipedia.org/wiki/Room_641A

[dylan604]

These companies are so big now, and more importantly their lobbyists are, that it is unlikely any regulations would ever come that would limit their abilities to make money off of your PII.

[aspenmayer]

All these already existing dragnets make oldies like the Clipper Chip seem like a weekend hackathon project.

The irony is that all of these metadata leaks and correlation attacks etc were theoretical at the time these technologies were created and developed, unless you’re NSA level compute power, both human and silicon. Now, any script kid has enough info to try to build an array of SDRs to do the same thing, and no one will care when they do besides the feds who cry foul about their turf being stepped on by plebeians. The public will never care because their eyes will already have glazed over once you mention MAC addresses and SSIDs.

[fc417fc802]

> any script kid has enough info to try to build an array of SDRs to do the same thing

It doesn't particularly matter what hobbyists get up to. It matters what's available at scale on the mass market, what's widely deployed, what data is legally permissible to collect on a large scale, and what data is legal to sell.

Law enforcement can't subpoena that which does not exist. The best defense to these sorts of things is often to place legal limits on collection, retention, and sale.

Your take is both alarmist and defeatist.

[aspenmayer]

> Your take is both alarmist and defeatist.

Legal limits on national security agencies are not enforceable due to Five Eyes etc. Allied foreign spies do what American spies don’t. I’m just admitting the political reality of the situation. What you do with that information may be limited, but it’s not a failing on my part that this is the status quo.

[Dylan16807]

> Legal limits on national security agencies

You're not talking about what they're talking about. They're talking about limiting corporate data collection. If companies don't build this into routers, then 99% of routers won't be collecting this data, and foreign spies won't have any data to steal.

[aspenmayer]

They will classify the data as necessary for business purposes and collect it under a different name. They will be obligated to pass full take information if necessary, and it will be tapped at any point by employees who are given NSLs and asked/told to do things under penalty of law where applicable, and on threat of arrest or dismissal if not, or by federal agents themselves or their deputies or other approved third parties. Your modem may be intercepted in the mail and reflashed if necessary or over the wire, and that functionality is part of the operating standards of the modems. You could find a way to secure this on your own maybe, which is perhaps just another signal which flips a bit somewhere and may be logged. You can’t close Pandora’s box. It doesn’t matter if Comcast has the WiFi data to sell because they will have access to the information due to how the WiFi signals propagate. It’s diagnostic data. It’s the signals themselves. So all this is perhaps a misdirect, as any third party in range of the WiFi network can likely do the same thing passively, so it is a moot point. The data being gathered and sold should be legislated, but I don’t think that it will affect any of the actual concerns raised, because feds will still legally do whatever they are authorized to do, the justification and doctrine may not be public information. You probably won’t know, so you won’t object. Third parties who lack principles will gather the data regardless of legality. I don’t know how you could even legislate against passive monitoring unless you could demonstrate intent to harm or violate FCC regulations and applicable laws about harming people or computer systems like CFAA, which is a whole other issue.

[fc417fc802]

> This is magical thinking, because it’s using the legal system to solve a technical and social problem.

Is that not literally the entire purpose of the legal system?

> will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards

I imagine beamforming techniques are only going to become more commonplace over time.

> Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine

Unless they were legally obligated to purge it from their servers after a few weeks. Or if they employed E2EE so as not to have access to the data in the first place.

[aspenmayer]

> > This is magical thinking, because it’s using the legal system to solve a technical and social problem.

> Is that not literally the entire purpose of the legal system?

The legal system is subverted by the national security apparatus by necessity and by design. The information gathered by ISPs is necessary to prevent interference with ground-based radars around airports, and is necessary for fraud detection and internal security of the network. It would be feasible to make it so that this information would be gathered and retained only for a short period of time to establish and maintain network integrity, such as handshakes and other bits and bytes exchanged and retained inherent to the protocols used. The legal doctrines that establish the legality of full take surveillance have been argued before FISA courts, so an act of Congress or a test case would likely be necessary to prompt any legal reexamination of the relevant issues. However, national security issues are not really able to be resolved legislatively, because executive orders will always enable that which cannot be done on the books, which presupposes that which is done is done by the book to begin with.

What is done in the shadows must stay obscured due to means and methods, and this ideology isn’t amenable to change, political or otherwise. There is not much else to say on that point as it is observational and experiential based on my lived experience and history of interactions with law enforcement, national security professionals, and private security as a service provider and former licensed security guard, as well as being a victim of police overreach and charge stacking. I’ve worked with law enforcement and been work for law enforcement. I’ve fought the law to a draw, and I’ve fought the law and lost due to bad calls by refs. I’m working on becoming a better citizen and community member so that I can be a helper. More than that, I can’t say. The future is hopeful and yet the challenges are real, and changing. Old guards are giving way to young Turks. It’s an interesting time to be alive.

> > will likely not do anything that isn’t implemented by standards bodies, such as WiFi standards

> I imagine beamforming techniques are only going to become more commonplace over time.

The beamforming and other technologies used with modern WiFi are what enable the motion detection “for free” because the WiFi signals act as radar signals, the contours of the perturbations of which are already baked into the WiFi protocol. It’s insecure by design against this side channel attack.

> > Once Comcast has the data, it is available to law enforcement via the Third Party Doctrine

> Unless they were legally obligated to purge it from their servers after a few weeks. Or if they employed E2EE so as not to have access to the data in the first place.

You would have to reimplement the standards to make everything that squawks rotate their identifiers regularly, ideally after every transmission. It’s possible I suppose. I don’t think the political will is there to mandate this, and there are not that many people who work on these kinds of problems. Look at who created TOR. You’d have to run that kind of system everywhere, and only use it for everything, and that system would have to be part of the protocol or otherwise unable to be disabled by end users. Otherwise, you’re at the status quo we have now, where the weak links are the first to break.

If this sounds like a stretch, the weak links are always people, not protocols or pipes. That’s why this is magical thinking. As principled as you and I are, bad guys don’t have principles. Those who fight bad guys have principles, and they also have more coffee and mathematicians and hashrate.

Congress will never rule against the national security apparatus because there is no political will to do so. I can count on one hand the folks in Congress who are on relevant committees to even consider legislation on these matters who is in any way critical at all, and they largely agree with you that something needs to be done. But they don’t have the votes to do anything because the issues aren’t relevant to voters. No one cares the way you or I do, or they would probably become lawyers or politicians, as well as soldiers and broadcasters.

If you think something constructive and positive needs to be done, I would likely agree that the impetus for change exists. I’m all ears.