[liberationtech] Trusting tools under US jurisdiction

carlo von lynX lynX at time.to.get.psyced.org
Sun Nov 29 06:40:20 PST 2015 

Sorry for getting everyone into defensive mode again. This is NOT about
the cultures, the values, the good intentions the road is paved with. I
was merely pointing to a legal situation that appears obvious to me but
isn't to everyone, and the consequences we should probably take - even
if those services are provided by the best of the best.

Unfortunately none of the replies answered my question whether bulk 
collection of intelligence on humans is still enforceable by law in the
US (and I add Germany to the list of countries with suchlike phony 
legislation), but you may find theories raised interesting.

On Sat, Nov 28, 2015 at 12:34:03PM -0500, Shava Nerad wrote:
> Let's take the example of DuckDuckGo first.  Here is a search engine that
> does not log searches, does not use cookies, and does not track users.  So
> unless you think they are doing that, even though they say they do not,
> there is no information for the NSA to requisition.
> 
> This is very similar to Tor, for example, where you don't have to trust the
> system because the system does not retain logs etc. (although in the case
> of Tor, exit node operators have abused the system historically, if users
> are cautious the damage from such abuse is minimized).

Excuse me, Shava, but DuckDuckGo is *totally* unlike Tor. While Tor is
a system that by design does not allow anyone to decide whether they
should keep logs except for the user (the exit nodes only see what the
user has submitted, not who they are), DuckDuckGo *takes* that decision
and builds a business around it without being able to guarantee that it is
accurate. Not only are we unable to check what is being logged, it doesn't
even matter as long as somebody leaked the server encryption keys to the
NSA, enabling it to keep complete recordings of all transactions in the
clear without ever touching the DuckDuckGo servers. There are so many
ways how the treason against the users can be organized that the users
will never find out - that even the people at the company will not be able
to detect. Have you ever spoken to Google employees? They truly claim or
believe what the NSA has done isn't possible, so it can't have happened.
It's surreal. Everywhere there is a move towards repeatedly claiming
falsehoods knowing that the truth will have a hard time being considered.

In fact there are more than one technical possibilities to get at our 
information and if a break into the systems wasn't succesful one well 
chosen single person in a company or organization is sufficient to make 
the entire security architecture tumble down. Programs such as JTRIG and 
KARMA POLICE have surely shown that the Five Eyes know how to find that 
weakest link in the system and talk to them using the words they 
understand. We've seen the evidence of this happening. Assuming that now
that we know about it it will suddenly stop is more than naive.

> In the case of riseup, with which I'm less familiar -- but I'm familiar
> enough with the sort of situation they might be in -- I'd assume they'd do
> a Lavabit if necessary.  But that might be a lot to expect.  Knowing that
> they would is often enough to keep such things at bay.

Lavabit has been a one-off event. The man took a risk, since he was not
supposed to speak openly. And the man was probably the only person they
could reach out for, given the size of the company. There probably was
neither a weak link nor a security issue with Lavabit, so for once the
method failed. Probably the NSA has learned from that experience, but not
in a way that we would like to, because it is illogical to think that a
organization of that size is suddenly capable of taking ethical decisions
just because it got caught with the hands in the cookie jar. Literally.

On Sat, Nov 28, 2015 at 03:02:59PM -0500, Alfredo Lopez wrote:
> Just to be clear, Riseup has never turned information over to anyone and

Since whichever individual(s) would not be allowed to safely admit if 
they knew, this appears to me a legally untenable statement. You cannot
possibly know. But interestingly this is the same thing the Google
people say about things like PRISM having access to all of gmail:
It's not happening because I would know.

> I would know. Both us at May First and Riseup have fought intensely
> (sometimes together) to stop NSA data theft and other forms of
> informational bullying and so far we've been successful. It's a fight
> but riseup takes it on and that *does* separate it (and us at May First)
> from the commercial server crowd. We fight this fight every
> day...believe me.

I believe you, but why should the NSA stop bullying you just because
it found somebody to hand them the private server keys? Wouldn't that
make you worry if something is wrong? So they have to insist on annoying
you even if, by my understanding of US law and NSA mission and practices,
it would be close to absurd to think they don't have access.

> I've written a whole bunch on NSA surveillance and the main theme is
> that nobody is protected from it. National borders mean absolutely
> nothing. While it's true that the European Court recently seemed to
> outlaw data gathering under PRISM, it's also true that the Trans Pacific
> Partnership makes lots of data sharing among spy agencies not only legal
> but obligatory.

Fully agree, but it still makes a difference if you can try to operate
a server without letting the Five Eyes in or you are legally unable to.

On Sat, Nov 28, 2015 at 12:34:03PM -0500, Shava Nerad wrote:
> When I was running the Eugene Free Net/Oregon Public Networking, we
> regularly got improper requests for access from LE, and we regularly
> resisted them.  This likely resulted in an attempt by the IRS to shut us
> down, which we parlayed into a four year PR fight making the exempt
> organizations branch of the IRS look rather bad.  Dead man switches and
> those willing to sacrifice to make the administration look like raptors --
> which big data is not willing to do -- is an odd sort of armor.

That was legal enforcement. The Five Eyes have regularly shown that they
have little to do with legal enforcement. They are about strategies for
national interest. They only collaborate with LE when it is advantageous
to themselves. Did the Five Eyes impede the attacks in Paris? They had all
the data at their hands. Why didn't they do anything? Do we still presume
apparent incompetence or do we start wondering on which side they stand?
Where did the media spin come from, that encryption were to blame?

> Honestly, I suspect entities such as riseup are more likely to be hacked
> than served with NSLs.  I doubt they invest enough in security to withstand
> penetration, but I could be wrong.  Happy to be corrected and find out that
> they have enterprise level pentesting and such.  But most lefty
> organizations are not budgeted for anything close to that level of
> security, and that level of security might still not keep out a state level
> actor.  (Regardless of where the machines were hosted, of course -- we are
> not unique in this.)

Yes, a hack is also a possible problem solution for the NSA. There are plenty.

> We are not exactly passive naifs over here, those of us who are fighting
> for privacy.

There is hardly a way a server-based offering can be made secure by design,
let alone hosted on US soil. Those of us who are fighting for democracy are
in a very disadvantageous position. With all the spin and manipulation we
aren't even able to figure out what the best things are we should be doing.

> You have Lavabit as an example, and you have Calyx, and you have folks such
> as myself, and you have folks such as the Lebanon Library System who, when
> the DHS put pressure on them to not have a Tor relay in their library and
> it made national and international news, stood by their guns and politely
> told the DHS to stick it.

Maybe the NSA told the DHS not to worry about it any further, since they
got themselves an access to that relay. Or maybe it is indeed a success
story for freedom. There are millions of people in the USA who want all
the right things. I would assume we are the 99% all over the world, yet
it is getting difficult to be aware of ourselves and impossible to stop
digital abuse while using insecure technologies by design.

> That said, there is nowhere on this earth safe from the NSA.  The various

That the NSA loves to make everyone believe, so they don't even try to
fix their assets. Probably there are some countries that are indeed hard
to manipulate and using up 0days and emergency backdoors on them is just
too expensive. So I am *convinced* there are possibilities for privacy
if you start with not using the - by law - obviously untrustworthy ones.

> revelations have shown that it is not only US companies that are intruded
> upon.  Ask Merkel's administration how they feel about their privacy, if
> you would.  This is not a menace special to us, although we are subject to
> special laws -- but that means we know more what to look for, as US based
> privacy advocates.

I was only looking at the aspect of the legal framework making it legally
impossible to have actual privacy on US soil. Germany has a similar regulation
once a service exceeds 10'000 users and no access to JTRIG-like data as that
would be an obvious 2.0 reincarnation of Stasi. I don't know about other
countries.

On Sat, Nov 28, 2015 at 11:09:23AM -0800, Al Billings wrote:
> Which country do you suggest they operate from?

That is a good question and, before even looking at technical aspects, it
would be interesting to know which other countries have introduced legal
means for bulk surveillance. After all it is a message of hope that this
behavior is illegal in most countries, right?

On Sat, Nov 28, 2015 at 03:02:59PM -0500, Alfredo Lopez wrote:
> What's more, because the commercial providers are all on Cloud storage
> systems, which are spread internationally, you can't protect data in one
> country. Any company, like Google, can pull its data from all its
> servers internationally as long as pieces of that data are in the U.S.

I was certainly not going to defend cloud technology next.

> Thing is most data has no national boundary, it moves back and forth
> across every ocean and the NSA (and its sister spy agencies in Europe)
> can intercept that data at any moment.

Yes, using SMTP, XMPP, IRC networks or cloud technology for privacy
is all not going to be very successful in any future, but my mail was
not about my general view on OPSEC but on a specific detail which
appears so obvious to me.. that it isn't even legally possible to
offer secure services in the US. But I understand the many interests
in making it look different somehow.

> No, your data isn't safe because you're in the U.S. but the point is
> that it's not safe anywhere unless you stake steps to secure it and
> fight politically to make surveillance of this type illegal. In the
> world of communications, the Internet makes national boundaries irrelevant.

Yes, that is what I do when don't write this mail. I started a law proposal
on requiring a secure Internet by law.

On Sat, Nov 28, 2015 at 12:34:03PM -0500, Shava Nerad wrote:
> I hope and pray that as privacy advocates overseas, your SIGINT and HUMINT
> vulnerabilities do not lead you into bad places.  Because the fact is we
> have many more laws protecting us from the NSA than you do, and a few that
> make us vulnerable.

Uh oh, how does it matter that you have some laws and even constitutional
emendments supposed from keeping the NSA from doing what it is doing if in
fact it continues to be doing what it is doing and you have little 
possibility of having your laws be respected when there is this meta law
that allows to set up any kind of surveillance and leaves it to the NSA
to decide whether the bulk acquisition of SIGINT is breaching your
constitution or not. Can the USgov even strategically afford to stop
spying on everyone, US citizen included?

All governments are in a race to the bottom to maximize spying on every
human being on Earth. My question is, if the US and Germany are the only
countries that even allow this to happen by law.

> But as foreign nationals, you are the NSA's special prey, for which I
> abjectly apologize, and wish it were not so.

That is only the excuse by which it continues to be possible for the
Five Eyes to hoover up everything about everybody, then decide later
whether to apply the laws during the evaluation of the data. Only if
all of the Five Eyes stopped bulk collection of everybody there would
be a chance that US nationals are occasionally exempted, like when US
traffic doesn't cross China by mistake. I heard many of the US activists
tripped over the fallacy of thinking only foreigners are affected. What
a mistake.

> Keep your opsec up. :)   We'll try to watch your back and do everything we
> can to reform things from here.

Here in Germany we are only little better off. Authorities can get
access to all mail systems of all German ISPs from what I heard, 
but it is no longer obvious to think they will share that access 
with XKEYSCORE. So when it comes to putting up servers in this or
that country it's also a question of who is phony legislation going 
to empower? Which other phony legislation is in place that I do not
know of? I keep on not seeing an answer to that one.


-- 
  E-mail is public! Talk to me in private using encryption:
         http://loupsycedyglgamf.onion/LynX/
          irc://loupsycedyglgamf.onion:67/lynX
         https://psyced.org:34443/LynX/

More information about the liberationtech mailing list