GrokLaw shuts down in wake of Lavabit closure
August 20, 2013 5:00 AM

Last post at groklaw. ~pj, a.k.a. Pamela Jones, the writer behind the law analysis site groklaw, has decided to shut down in the wake of the closure of Lavabit confidential email service.

She writes:
The owner of Lavabit tells us that he's stopped using email and if we knew what he knew, we'd stop too.
There is no way to do Groklaw without email. Therein lies the conundrum.

What to do?

What to do? I've spent the last couple of weeks trying to figure it out. And the conclusion I've reached is that there is no way to continue doing Groklaw, not long term, which is incredibly sad. But it's good to be realistic. And the simple truth is, no matter how good the motives might be for collecting and screening everything we say to one another, and no matter how "clean" we all are ourselves from the standpoint of the screeners, I don't know how to function in such an atmosphere. I don't know how to do Groklaw like this.
Groklaw was a highly-respected source for explanations during technical lawsuits. The first post was back in 2003, though the site really found its niche the next day when it started covering the SCO vs. IBM trial.

In 2011 she handed over editorship of the site to Mark Webbink, but the site is still hers. And it continues to receive plaudits and win piles of awards even after a decade of great work.
posted by wenestvedt (248 comments total) 57 users marked this as a favorite
 
No? Wait. What?
No.
No.
No.
posted by Mezentian at 5:10 AM on August 20, 2013 [3 favorites]


I totally understand where she's coming from, but doesn't totally getting off the internet seem like a huge over-reaction to anyone else? If you're really that concerned over your emails getting snooped, the better solution is to install GPG and encourage other people to use it.
posted by gkhan at 5:14 AM on August 20, 2013 [12 favorites]


I totally understand where she's coming from, but doesn't totally getting off the internet seem like a huge over-reaction to anyone else?

No. She's making a point.

If encrypted data is kept for five years (and I'm assuming GPG is such an encryp-tech - I am not too techy), nothing is sacred.

There are ways of making end runs around snooping, but not, at the end of our hopes and the edge of our fears, we need to stand up and say, NO. So the governments of the world pretend not to be snooping.
posted by Mezentian at 5:19 AM on August 20, 2013


I totally understand where she's coming from, but doesn't totally getting off the internet seem like an over-reaction to anyone else?

Yes. Her decision makes no sense to me, but it's her decision to make. From the sound of it, she's being too cautious and worried, especially when the site does a lot of good.
posted by Brandon Blatcher at 5:19 AM on August 20, 2013


As someone whose life was significantly impacted by a comment I made on Groklaw, I am very sorry to see this happen.
posted by grimjeer at 5:20 AM on August 20, 2013 [1 favorite]


I sort of feel that it's an overreaction, but I presume she doesn't want to be forced to turn over her confidential discussions with informants. Also, using GPG is useless if your correspondents don't; also I suspect that the NSA has enough back doors into operating systems to make GPG useless: if they want your key they already have it.
posted by Joe in Australia at 5:21 AM on August 20, 2013 [1 favorite]


Chilling effects in action. We lost something amazing here. You don't have to agree with PJ's slant (and I didn't always) to see the tremendous benefit of her educational and informative explanations of law and how it relates to tech.

I can't blame her, but I'm very sad and angered. Our society has been at this degree of panopticon for almost a decade, and we're just finally getting confirmation. It's easy to ignore the implications of recent revelations because they are abstract and the consequences extremely squicky, but it doesn't surprise me that Groklaw's author wouldn't be able to stop reasoning until the terrible conclusion is clear.
posted by Llama-Lime at 5:21 AM on August 20, 2013 [15 favorites]


I totally understand where she's coming from, but doesn't totally getting off the internet seem like a huge over-reaction to anyone else?

Watch closely for the removal of this sign.
posted by Slap*Happy at 5:23 AM on August 20, 2013 [37 favorites]


If encrypted data is kept for five years (and I'm assuming GPG is such an encryp-tech - I am not too techy), nothing is sacred.

The NSA is storing encrypted web traffic in case the encryption might be cracked in the future.
posted by Foci for Analysis at 5:23 AM on August 20, 2013 [3 favorites]


.

Incidentally, I just got back into GPG and checked the MIT keyserver. I have keys and IDs in there dating back...good Lord...18 years. I haven't been so good at revocation. 7904A8EA is the most current.
posted by jquinby at 5:26 AM on August 20, 2013 [1 favorite]


Encryption is great, if you use it. But setting up and using email encryption is a major pain and it's simply unrealistic to expect normal people to do so. PJ's informers are vulnerable to retaliation by both government and industry (who work together despite claims to the contrary) and this is really the only practical way to protect them.
posted by tommasz at 5:27 AM on August 20, 2013 [1 favorite]


You don't expect a stranger to read your private communications to a friend. And once you know they can, what is there to say? Constricted and distracted. That's it exactly. That's how I feel.
I think that's the core of it. If you read and write every email thinking 'how would this look in my CIA file?' or 'how would this look in a court case' it gets hard to operate. Lack of privacy literally makes it hard to think.
posted by memebake at 5:28 AM on August 20, 2013 [35 favorites]


The thing that confuses me is that I don't know what has changed. For example, if you spend a little time reading about GPG, you'll read that it's vulnerable to the application of large amounts of computing power and you're basically hoping that you're not interesting enough and the computation is hard enough that it doesn't get broken in a time frame that's relevant to you. People tend to act as if email is secure, but it's not like it's news that it isn't and any discussion of security told you to assume it isn't secure. And so on.
posted by hoyland at 5:28 AM on August 20, 2013 [3 favorites]


It's a pain for web-based mail but I have to say that it's come a long way for mail clients like the Mail app for OSX, Thunderbird and whatnot.
posted by jquinby at 5:29 AM on August 20, 2013


The NSA is storing encrypted web traffic in case the encryption might be cracked in the future.

No, they're storing it in case it gets linked to something they want to know about. More importantly in the case of GPG: Since GPG explicitly links to the receiver, they're storing it so that they'll know who next to investigate should a trail include mail sent to that person. That's why the only terrorist that uses GPG is a really and truly dumb one.

Cracking the entire cryptosystem would be a bonus, of course, but they do have resource limits, and trying to deal with cracking every possible machine on the Internet probably exceeds them, and so far, we know the math behind GPG is solid. Properly implemented, it's not breaking anytime soon.

Then again, we honestly know very little about what their capabilities really are.
posted by eriko at 5:31 AM on August 20, 2013 [6 favorites]


I keep remembering the West Wing episode where Toby is feeling guilty about asking the secret service to not use the canopy for a Bartlett event, resulting in the president getting shot.

The agent in charge tells him, "it's my job to protect the president, and you're not going to stop me from doing that. If you tell me one way doesn't work for you, I find a better way to do it".

This is obviously as misty-eyed as the West Wing itself, but I do wish the covert agencies thought like this. "Oh, we can't use omnipresent surveillance any more? Fine, we'll find a better way of protecting our countries".
posted by bonaldi at 5:31 AM on August 20, 2013 [5 favorites]


hoyland: "The thing that confuses me is that I don't know what has changed."
It has been confirmed that the most powerful rogue state on earth is routinely saving everything for later use against you, and that there is no meaningful judicial oversight of this?
posted by brokkr at 5:32 AM on August 20, 2013 [11 favorites]


don't use pgp.mit.edu

the cryptopocalypse and why currently encrypted messages may not stay that way.

Technology is not a panacea, we need social solutions as well.
posted by Llama-Lime at 5:34 AM on August 20, 2013 [4 favorites]




The thing that confuses me is that I don't know what has changed. For example, if you spend a little time reading about GPG, you'll read that it's vulnerable to the application of large amounts of computing power and you're basically hoping that you're not interesting enough and the computation is hard enough that it doesn't get broken in a time frame that's relevant to you.

What's changed is that everything is now "interesting enough." I don't speak in code when I'm on my cell phone not because I don't think it's possible to listen in on my calls, but because there's no reason for someone to do so, so I don't worry about it. Except now, they don't need a reason.
posted by Holy Zarquon's Singing Fish at 5:35 AM on August 20, 2013 [3 favorites]


But setting up and using email encryption is a major pain and it's simply unrealistic to expect normal people to do so.

I spent about two years using GPG regularly, pretty much for the heck of it. It wasn't difficult to set up, nor really a pain to use. This was about 2006. It fell down in a couple places. I knew precisely one other person using it, so we could send encrypted emails to each other, but no one else. GPG doesn't mix well with webmail, which is probably the barrier to getting 'normal' people to use it. I seem to use webmail a lot less than most people. I think there are now Firefox plugins and whatnot to try and make it play well with Gmail, but I think it's still a bit cumbersome (but I haven't tried it). But occasionally I'd need to reference an email I'd sent to the other person when I was on campus or something and it would, of course, be encrypted. I set GPG up again recently, but all it's doing is letting me log into multiple accounts in Mutt with a single password, which is handy. I still know only one other person with a key set up (but it's a different person).
posted by hoyland at 5:37 AM on August 20, 2013 [2 favorites]


Just fyi, DemocracyNow is discussing Miranda's detention with Jacob Appelbaum (ioerror) and Gareth Peirce now.

We should start encrypting as much email communications as possible using 8192 bit GnuPG keys. Ain't cracking that anytime soon! And they'll be mighty disappointed to find my silly chat.
posted by jeffburdges at 5:39 AM on August 20, 2013


GPG can hide the content of your messages, but it can't hide who you're communicating with. Sure, if you're willing to go to the trouble of exchanging keys, you can keep the actual text out of the NSA's hands. But if the recipient is a "person of interest", then you have to ask yourself before hitting the send button: are you really willing to put yourself on the radar and bring all your other activities under scrutiny?

This line is a little bit buried toward the end of PJ's post, but I think it bears repeating:

My hope was always to show you that there is beauty and safety in the rule of law, that civilization actually depends on it. How quaint.

She's not just quitting because it turns out that her email isn't as private as she thought. She's quitting because the way it happened makes a mockery of what she's been writing about for the last decade.
posted by teraflop at 5:40 AM on August 20, 2013 [96 favorites]


If you're really that concerned over your emails getting snooped, the better solution is to install GPG and encourage other people to use it.

Given the NSA's track record and resources, I think that it’s a profound mistake to assume that crypto is a solution to this problem. This is a political problem, not a math problem.
posted by mhoye at 5:40 AM on August 20, 2013 [27 favorites]


Email encryption also doesn't encrypt the headers. Not sure if the programs encrypt the subject line.
posted by ryoshu at 5:41 AM on August 20, 2013 [1 favorite]


Email is not secure in two ways:
1. By default, it does not cloak the message.
2. It cannot hide the identities of the sender and receiver.

Point 1 is manageable. But point 2 is not manageable without breaking email (or by using TOR-type routing which, itself, can be compromised by monitoring entrances and exits). Usually, merely knowing who you're corresponding with -- and when -- is sufficiently useful information to the spy agencies. The data payload can be stored for the time it becomes useful to spend the effort necessary to crack it, or for the means of access to your keys.
posted by ardgedee at 5:42 AM on August 20, 2013 [1 favorite]


Pamela Jones, the writer behind the law analysis site groklaw, has decided to shut down in the wake of the closure of Lavabit confidential email service.

Related
posted by Thorzdad at 5:43 AM on August 20, 2013 [1 favorite]


Agreed. Also, the off-the-record messaging in Jitsi and Adium is far more user-friendly than GnuPG, assuming you're not worried about traffic analysis. It's amusing to make them work their asses off on your "rincin soup" recipe though.

There is experimental software like Pond that may provide resistance to traffic analysis, but they're not quite ready yet.
posted by jeffburdges at 5:46 AM on August 20, 2013


Our free iOS app Frank is end-to-end encrypted and the keys remain on the handset. They can be exchanged visually in person for complete anonymity.
posted by unSane at 5:51 AM on August 20, 2013 [5 favorites]


Chilling effect.
posted by jeffehobbs at 5:53 AM on August 20, 2013 [3 favorites]


There's absolutely no reason to do this. None.
posted by Ironmouth at 5:54 AM on August 20, 2013 [3 favorites]


I'm not a political person, by choice, and I must say, researching the latest developments convinced me of one thing -- I am right to avoid it.

This is not the conclusion that I'd have drawn from what is happening in the US right now. If half of non-voters came out and voted for privacy next election, you'd have a new president. Get political, and do it yesterday.

Not to say encryption isn't promising, but throwing people who illegally spy on their neighbours in jail for a long time is a political solution to this partly political problem. Checking out of democracy won't fix the NSA, it will only enable them further.
posted by the thing about it at 5:55 AM on August 20, 2013 [6 favorites]


Just fyi, DemocracyNow is discussing Miranda's detention with Jacob Appelbaum (ioerror) and Gareth Peirce now.

Appelbaum just talked about how ICE agents separated him from his girlfriend for questioning one time, and later as she was asking ICE agents about him, they said he didn't exist, she was crazy, they were holding no such person, etc.

US law enforcement agents are using Zersetzung.

What the fuck?
posted by ryoshu at 6:00 AM on August 20, 2013 [48 favorites]


I think I just had an Arthur Dent/Big Mac moment. So much is being destroyed.
posted by jaduncan at 6:02 AM on August 20, 2013 [2 favorites]


I'm not all that familiar with groklaw, honestly. So it's not immediately clear to me just why authorities would want to snoop on her email. I imagine it as a site where people discuss various legal technicalities and the implications of court decisions, and why would you hide any of that? And how can you even snoop on something that's public to begin with?

To be clear, I realize I probably have it wrong and the person who runs the site knows much better than I how important email security is to what she does. I just mention that to provide context for my observation that, for me, the reason to shut down a site dedicated to explaining and commenting on the law is not the email issue but this:

You'll find all the laws in the US related to privacy and surveillance there. Not that anyone seems to follow any laws that get in their way these days. Or if they find they need a law to make conduct lawful, they just write a new law or reinterpret an old one and keep on going. That's not the rule of law as I understood the term.

In other words, to me, the real reason to shut down seems to be because it is simply no longer possible to meaningfully discuss the law in a world where the law is unknown and unpredictable. If the law is simply whatever those in power want it to be at any given moment, what purpose could this site serve?
posted by Naberius at 6:05 AM on August 20, 2013 [18 favorites]


All this NSA stuff in the news is making everyone really interested in the legal aspects of what they may or may not be doing. I personally wouldn't want to be seen as someone who will accept your inside info on secret laws. Then everything I do comes under scrutiny.
posted by ODiV at 6:07 AM on August 20, 2013


We're not saying that "crypto is a solution to this problem", mhoye, but that (a) crypto ameliorates the worst immediate effects by at least slowing down the police state apparatus, or even exposing by making them take your stuff physically, and (b) crypto provides an avenue for protest. We cannot simply "close up the journalism shop" because the NSA reads all journalists' emails in case they find proof that John Brennan had Michael Hastings murdered or something.
posted by jeffburdges at 6:11 AM on August 20, 2013 [2 favorites]


My current fantasy is for the professional responsibility bar to come out saying that email is not secure for the purposes of attorney-client confidentiality.
posted by gauche at 6:15 AM on August 20, 2013 [29 favorites]




I'm not all that familiar with groklaw, honestly.

Me either, but it turns up.
It is useful.
posted by Mezentian at 6:20 AM on August 20, 2013


"The NSA has always had a problem with the open internet. Now a convergence of interests with large corporations is offering them the tools to destroy it." - Charlie Stross, The next moves in the Spooks v. News cold war
posted by jeffburdges at 6:22 AM on August 20, 2013 [3 favorites]


GPG can hide the content of your messages, but it can't hide who you're communicating with.

Hear, hear! This is called traffic analysis, and it's not a new idea. My grandpa did radio intel in the South Pacific during WWII, and this was one of the main tools they used all the time, and especially whenever the codes changed. :7)

For example, they were able to figure out an important fact -- the code name for Midway Island -- by sending out a bogus message saying “Midway short on water” and then watching for the response.
posted by wenestvedt at 6:24 AM on August 20, 2013 [2 favorites]


>There's absolutely no reason to do this.

US policy makes the site's goal - anonymous reporting & commenting on legal matters - impossible. Shutting down is a protest of this, or is like lavabit - shutdown in protest of actions we can't be told about.

(a) crypto ameliorates the worst immediate effects by at least slowing down the police state apparatus, or even exposing it, and (b) crypto provides an avenue for protest.

This is not correct. Crypto isn't 'slowing anything down' in this police state and does nothing as a protest. It's useful in very specific instances, just as when Glenn Greenwald's husband was detained and the data he carried was encrypted. Otherwise it's a minor hurdle. Or to state another way; even if encryption was impossible to break, the actions of the state would still be a major problem.

"This is a political problem, not a math problem" as posted above is correct.
posted by anti social order at 6:26 AM on August 20, 2013 [12 favorites]


> Email is not secure in two ways:
1. By default, it does not cloak the message.
2. It cannot hide the identities of the sender and receiver.


Agreed with #1, but regarding #2, most mailservers on the Internet now use opportunistic TLS, which is basically encrypting the SMTP transaction after the initial greeting. Think automatic Web https for email.

Look at a few of your emails' extended headers for a Received: line that matches the hop from the sender to you, then spot the version=TLS bit. If it's there, the SMTP transaction between that hop was sent using TLS encryption, cloaking the identity of the sender and recipient addresses as it transited the Internet.
posted by Jubal Kessler at 6:26 AM on August 20, 2013 [5 favorites]
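
Added example, not part of the thread: a Python sketch of the header check described in the comment above, run over a constructed message. The hosts, addresses and queue IDs are made up, and the TLS markers matched (`version=TLS…`, Postfix-style `using TLS…`, and the `ESMTPS` keyword) are assumptions about what the relaying servers write, since each mail server formats its Received line differently.

```python
import re
from email import message_from_string

# Constructed sample message: every host, address and ID below is made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tTue, 20 Aug 2013 06:26:03 -0700 (PDT)
Received: from relay.example.net (relay.example.net [192.0.2.20])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.example.net (Postfix) with ESMTPS id 4F2A1
\tfor <bob@example.org>; Tue, 20 Aug 2013 06:26:01 -0700 (PDT)
Received: from laptop.local (unknown [198.51.100.7])
\tby relay.example.net (Postfix) with ESMTP id 9C0DE
\tfor <bob@example.org>; Tue, 20 Aug 2013 06:25:58 -0700 (PDT)
From: alice@example.net
To: bob@example.org
Subject: constructed test message

body
"""

# Markers a receiving server may leave when the hop used TLS (assumed formats).
TLS_VERSION = re.compile(r"(?:version=|using\s+)(TLS[\w.]*)", re.I)
# "with ESMTPS"/"ESMTPSA" are the RFC 3848 keywords for SMTP over TLS.
TLS_KEYWORD = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b", re.I)
FROM_HOST = re.compile(r"^from\s+(\S+)", re.I)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.I)


def trace_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received line, so the newest hop is on
    # top; reverse to follow the message in transit order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        version = TLS_VERSION.search(text)
        sender = FROM_HOST.search(text)
        receiver = BY_HOST.search(text)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "tls": bool(version or TLS_KEYWORD.search(text)),
            "version": version.group(1) if version else None,
        })
    return hops


def plaintext_hops(raw_message):
    """List (from, by) pairs for hops that show no sign of TLS."""
    return [(h["from"], h["by"]) for h in trace_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        status = hop["version"] or ("TLS" if hop["tls"] else "no TLS marker")
        print(f'{hop["from"]} -> {hop["by"]}: {status}')
```

Only the Received lines written by your own provider are reliable; lines lower down come from other servers and can be forged. A TLS marker describes one server-to-server link, and the servers at both ends of that link still handle the envelope and headers in the clear.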


I remember coming across Groklaw when as a neophyte I was interested in linux and came across the SCO vs IBM lawsuit.

Groklaw was a great place to understand what's going on and even though I just lurked there .. it was good to be there.

.

I don't think she is doing this so much for practical reasons as for making the point about how the snooping affects the rule of law.
posted by TheLittlePrince at 6:27 AM on August 20, 2013 [1 favorite]


I don't think she is doing this so much for practical reasons as for making the point about how the snooping affects the rule of law.

gauche got it right upthread:
My current fantasy is for the professional responsibility bar to come out saying that email is not secure for the purposes of attorney-client confidentiality.
posted by gauche at 9:15 AM on August 20
posted by mikelieman at 6:30 AM on August 20, 2013 [2 favorites]


The thing I keep thinking is that the US govt followed the laws when the punishment for doing so was worse than the punishment for whatever it was they were trying to hide or cover up, and now whatever it is they're trying to protect from the greater public finding out is bad enough that they'll openly flout the law or bend it until it breaks, because the punishment for that is now less than the punishment for whatever else it is they were doing.

And this whole argument that they're doing it for our safety makes me feel like they're burning down the US in order to save it.
posted by nevercalm at 6:31 AM on August 20, 2013 [3 favorites]


To those who do not understand the reasons behind this, consider: The site specializes in legal analysis. They come up pretty high in Google searches for a lot of legal issues. People all around the world probably send them email with questions or looking for advice. Even if they only ever replied with "we don't answer questions," the damage would be done. If you know that email is being intercepted, then simply by writing about legal issues you could be putting people at risk.
posted by Nothing at 6:36 AM on August 20, 2013 [7 favorites]


We should start encrypting as much email communications as possible using 8192 bit GnuPG keys. Ain't cracking that anytime soon!

Assuming:
  • They have to brute force it (i.e., don't already know your private key)
  • There isn't a flaw in the encryption
  • They haven't made some unpublished advance in cracking
  • The entire communication pipeline is secure and your recipient is safe
posted by yerfatma at 6:39 AM on August 20, 2013 [1 favorite]


I always said that pen and ink would come back one day.
posted by Segundus at 6:42 AM on August 20, 2013 [3 favorites]


She's quitting because the way it happened makes a mockery of what she's been writing about for the last decade.

This, a hundred times. The notion that laws should bind the state and not merely its subjects was a radical proposition when it was invented. As an attorney you spend your career operating under the premise that the law isn't just a sword for the state but also a shield for its citizens, and discovering that actually the law does nothing at all to restrict the operations of the state unless the state allows you to pretend that this is the case. Well, what's the point of continuing? The state has broken its own foundations. Granted, there have always been hints that this is the case: the state is immune from lawsuit unless it "allows" itself to be sued; the government can simply shut the doors to the courthouse by claiming that allowing a suit to move forward would expose "state secrets," without giving any proof that such secrets actually exist or that their exposure would cause insecurity instead of embarrassment. That's a dead giveaway that this potential for lawlessness was always there, but they're not even pretending anymore.
posted by 1adam12 at 6:45 AM on August 20, 2013 [65 favorites]


There's only one way to bring the spying controversy to an end once and for all: convene a constitutional convention.

If the US constitution is a smelly old piece of parchment that's hopelessly out of touch with the modern world, let's codify that instead of chipping away with secret laws and rules.
posted by dr_dank at 6:46 AM on August 20, 2013 [3 favorites]


Assuming:
  • They have to brute force it (i.e., don't already know your private key)
  • There isn't a flaw in the encryption
  • They haven't made some unpublished advance in cracking
  • The entire communication pipeline is secure and your recipient is safe


You forgot
  • They don't have a rubber hose.
posted by Pope Guilty at 6:47 AM on August 20, 2013 [4 favorites]


.
posted by ioerror at 6:49 AM on August 20, 2013 [5 favorites]


Fortunately I just happen to be one of the principals in a new startup behind an app that not only generates one time pads, but also automatically summons a luxury black car to come pick it up (because your key exchanges are too important to be performed by some smelly bicycle courier) and safely deliver it to whomever you wish to securely correspond with over email.

No, you may not see our list of investors.
posted by RonButNotStupid at 6:54 AM on August 20, 2013 [2 favorites]


My current fantasy is for the professional responsibility bar to come out saying that email is not secure for the purposes of attorney-client confidentiality.

Yes. They have already shown they have no respect for confidentiality when clients are accused of terrorism. Lawyers need to wake up to this just like journalists are beginning to. In the words of the editor of the Guardian in an article in which he discussed the destruction of Guardian hard drives under the supervision of the government:

We are not there yet, but it may not be long before it will be impossible for journalists to have confidential sources. Most reporting – indeed, most human life in 2013 – leaves too much of a digital fingerprint.

Journalists or lawyers working on legal matters have every reason to be concerned the current surveillance regime puts them in a position where it is difficult to do their job safely when discussing with confidential sources.
posted by Drinky Die at 7:00 AM on August 20, 2013 [3 favorites]


It seems clear to me that the unintended but inevitable outcome of this is the Balkanization of the Internet. Am I alone in thinking this? It truly seems like a horrendous outcome for all parties.
posted by newdaddy at 7:02 AM on August 20, 2013 [2 favorites]


I always said that pen and ink would come back one day.
posted by Segundus at 6:42 AM on August 20


Only if you're planning to deliver it in person . . .
posted by fogovonslack at 7:02 AM on August 20, 2013 [3 favorites]


Even if the NSA/GCHQ/MOSSAD didn't exist, email still wouldn't be anything close to secure. The state of internet security is absolutely terrible. If I needed to worry about security, I wouldn't spend two seconds thinking about GPG and would instead spend every second worrying about whether my machine was being hacked.

The difficulty of security on the wire is negligible compared to security of the node. NSA is high profile at the moment and can go after the wire, but every other risk from 14-year-olds and up targets the node and gets even better results.
posted by kiltedtaco at 7:14 AM on August 20, 2013 [1 favorite]


For those of you saying that encrypting email should be sufficient to protect her privacy, metadata analysis can provide enough "evidence" for the government to get interested in you and start making your life difficult.

Using metadata to find Paul Revere
posted by Axle at 7:16 AM on August 20, 2013 [14 favorites]


Naberius: I'm not all that familiar with groklaw, honestly.

Groklaw, previously:
  • The Grinch Who Stole Linux (November 7, 2003)
  • J'accuse! French bus service Transports Schiocchet Excursions is suing a group of ten women who carpool to work every day, alleging unfair competition with their bus line. (July 12, 2005)
  • Economics of death - How should right and wrong be measured? (July 14, 2005)
  • I fought the linux, and the linux won... SCO got a delisting notice from Nasdaq (April 28, 2007)
  • Rock and Rule - Virgin v. Thomas, the first RIAA backed lawsuit to make it to a jury trial looks likely to proceed early in October in Duluth Mn. (September 28, 2007)
  • The software patent cold war is getting less cold - Sun Microsystems announced a counter suit against Network Appliance, wherein they will draw on their "defensive portfolio" which is "one of the largest patent arsenals on the internet". (October 26, 2007)
  • Monopoly is as monopoly does - Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For Piracy by Overseas Suppliers? (March 24, 2011)
  • Battle at Troll Bridge - Apple has adopted new tactics in its patent war against the handheld industry (December 11, 2011)
  • Aaron Swartz' 14,500 page Secret Service file - The U.S. Secret Service has begun releasing their roughly 14,500 pages on Aaron Swartz in response to a FOIA lawsuit against the DHS by Kevin Poulsen (August 14, 2013)
As summarized on Wikipedia currently: "Groklaw was an award-winning website covering legal news of interest to the free and open source software community." The "grok" in Groklaw is often used as a computer term, taken from Robert A. Heinlein's 1961 science-fiction novel, Stranger in a Strange Land, where it is defined as to understand so thoroughly that the observer becomes a part of the observed.
posted by filthy light thief at 7:17 AM on August 20, 2013 [24 favorites]


Anyone saying there's no such thing as chilling effects is either

a. dishonest

or

b. an idiot.
posted by anemone of the state at 7:17 AM on August 20, 2013 [10 favorites]


It's interesting watching Americans get butthurt about the NSA reading all of their email, just like they do for citizens of every other nation. How would you feel if it were the Russians, or the Chinese, or the European Union doing the monitoring instead?

The rest of the world has no legal recourse, no political vote, no means of influencing the US Constitution or its enforcement in order to restore (attain?) privacy. Unless a technical solution is found that secures email against any government or corporate monitoring, then there will always be the risk that someone, anyone who operates or has unrestricted access to a link in the global communication network will be reading everything that passes through that link without regard for the laws in effect for the sender or the recipient.
posted by ceribus peribus at 7:20 AM on August 20, 2013 [17 favorites]


She had the scales dropped from her eyes, it sounds like, and can't keep doing what she's doing as a result.

Put differently: there are certain beliefs about how the legal system actually works that are easy to arrive at if you're an outside observer, but which cannot be held if you intend to have any influence on the opinions of people in the legal system itself.

In this case the recent revelations have tipped her into holding opinions that fall into that category, and being aware of that leaves her aware that she's now faced with a choice between biting her tongue or being honest-but-ineffective.

But that's just guesswork and runs the risk of putting thoughts and words into her mouth, so please don't take this as definitive or coming from a position of knowledge.
posted by hoople at 7:21 AM on August 20, 2013


inturnaround observed that "Edward Snowden picked Laura Poitras to reveal his story to was because she was so well-versed in wiping her tech because of her border crossings. I'm sure the US government didn't intend this, but law of unintended consequences...."

I wonder what the consequences of making lawyers encrypt all correspondences with their clients might be?
posted by jeffburdges at 7:21 AM on August 20, 2013 [1 favorite]


How would you feel if it were the Russians, or the Chinese, or the European Union doing the monitoring instead?

I wouldn't care as much, because they're not in a position to prosecute me for real or imagined crimes for political reasons.
posted by Slap*Happy at 7:33 AM on August 20, 2013 [13 favorites]


Why, filthylightthief, you have thoroughly upgraded my FPP. Thank you! :7)

And those titles are awesome, too.
posted by wenestvedt at 7:37 AM on August 20, 2013


Theoretically the US aren't for us either, but Khalid El-Masri tells a different story.
posted by jaduncan at 7:37 AM on August 20, 2013 [1 favorite]


I remember those halcyon days of 2007-08 when connections were being made between Obama and open internet advocate Lawrence Lessig, who were friends and fellow law professors at the U of Chicago. He was Obama's tech adviser during his campaign, if I recall, and it wasn't out of the question that he'd take a key cabinet position or tech role in the administration. Lots of technology freedom folks were enthusiastically for Obama for good reasons back then, actually. He was someone who was savvy and got it both technically and ideologically. It makes me sick to fast-forward to the present and see how dystopian and twisted it's all become.
posted by naju at 7:45 AM on August 20, 2013 [23 favorites]


The rest of the world has no legal recourse, no political vote, no means of influencing the US Constitution or its enforcement

Actually, Americans are apparently in the same situation.
posted by echo target at 7:47 AM on August 20, 2013 [14 favorites]


While it's good to be aware that other people have it worse than you, the whole "cheer up, at least they're not summarily executing people publicly" argument is not a terribly effective one.
posted by entropicamericana at 7:52 AM on August 20, 2013 [4 favorites]


This, a hundred times. The notion that laws should bind the state and not merely its subjects was a radical proposition when it was invented. As an attorney you spend your career operating under the premise that the law isn't just a sword for the state but also a shield for its citizens, and discovering that actually the law does nothing at all to restrict the operations of the state unless the state allows you to pretend that this is the case. Well, what's the point of continuing? The state has broken its own foundations.

1adam12's excellent comment above is actually a good description of the end result of logical positivism as it affected the theory of law after we continued to build a system of legislation and jurisprudence based upon that theory from the New Deal era going forward, departing further from the natural law foundation of our legal system in America. There is actually a very excellent book probably in your library that covers this quite well, and those of you interested in intellectual history should consider it a must-read: Edward Purcell's The Crisis of Democratic Theory: Scientific Naturalism & the Problem of Value.
posted by resurrexit at 8:09 AM on August 20, 2013 [17 favorites]


See especially chapters 5, 9, and 11.
posted by resurrexit at 8:16 AM on August 20, 2013


I'm starting to think we need to invent a new form of government. It's similar to how N. Korea or a cult is set up.

Mexicanstandoffarchy.

It'd be a form of fascism. All the various corporations (I mean this in the original fascist sense, not the feel-good liberal calling republicans fascist sense) have every piece of dirt on all the others and they all are pointing the guns at each other.

It's similar to the patent war situation.

Essentially, a cold war amongst all the factions of government (wasn't the cold war really just a two player mexican standoff?)

I've been thinking along these lines after reading about the "Self Criticism" sessions in China, and the only way to prevent abuse is to have the leaders engage in these sessions just as much as any "counterrevolutionary".

It would be a form of democratic fascism where the leaders are held accountable to the same methods they use to control the public.

The problem here is the issue of bootstrapping any fundamental change. The people saying "it's a political, not technological, problem" are severely deluded if they think we've not reached the point of no return. Do you really think there is any political solution via the pseudo-"democratic"/representative system the US has currently instituted as its form of government? If so, then I guess you have no concerns about whether it's possible, but for some of us, we feel it is so fundamentally broken that there is only one form for change. That doesn't mean that we advocate for this. We would rather it be possible to have change via democratic methods.

The fact we live in an illusory democracy and so many still believe in it is one of the great weapons they have against us in terms of our own freedoms. Nobody wants to face the actual terror of what living in a National Security State is like, and the terror here is that it is utterly mundane for 95% of people. "The good ones". Even the ones who "protest" minor distractions, but ultimately are playing partisan politics, aren't a real threat to that state.
posted by symbioid at 8:18 AM on August 20, 2013 [3 favorites]


You don't hire a tax lawyer because you want to pay more taxes, and you don't hire an environmental lawyer because you want your business to find more regulations to obey.

We hired a constitutional lawyer.
posted by jenkinsEar at 8:19 AM on August 20, 2013 [32 favorites]


Forgive my ignorance of current laws, as there's over a million on the books I'll never really know or fully understand....but why hasn't the core issue of civilian monitoring, enabled by section 215 of the Patriot Act, been addressed by the Supreme Court by now? If there are laws preventing it from reaching the Supreme Court for the sake of "national security," does that not still violate the very spirit of our 3 branch system and our constitution? I somewhat feel that certain mandates need to be set on civilian spying, as it seems like agencies are currently writing the rules as they go, creating unorthodox shortcuts, and ignoring/redefining some fairly basic rights these civilians have. They're living in an alternate reality where the rules of the physical do not apply to the digital.

I'm not sure if I'm alone on this...I'm really no longer afraid of terrorism, even when it is imminent. I'm especially unafraid when comparing terrorism to domestic murders that are happening around me daily. I stand a far greater chance of being killed in a home invasion than being killed by a terrorist...and that's based off pre-patriot act, not today's near Orwellian reality. Terrorism, while "terrifying," extreme, and saddening in its application, pales to what we're giving up in return for being protected from it. It pales in magnitude to what we have to deal with daily within our own borders with gun violence and all sorts of non terroristic violence that claims innocent lives.

The problem we're faced with right now, is one that I believe we somewhat created as citizens....perhaps not on our own, being guided by the media and politicians into a certain mind set. This mind set is that we have and always will hold the government accountable when terrorist attacks occur. And that's the main driver for the C.Y.A. approach the NSA and almost every other agency has taken in setting the anti-terrorism initiative into hyper-drive. These people working for these agencies are not nefarious or inherently evil....but they've been given an objective, and that objective works like a carrot in that they will often ignore their surroundings as they pursue it. I think we civilians have realized by now that preventing terrorism comes at a substantial cost. What's it worth to us?

Aren't we stronger and more resilient than this as a nation? Can we not be more stoic in the face of tragedy? These are the tough questions if we are to loosen up our security and allow foreign driven attacks to happen again. For me, while I don't want mass killings to be the new norm, I feel there has to be a better way, even if it's not the most "efficient" way.
posted by samsara at 8:20 AM on August 20, 2013 [5 favorites]


PSA: just in case anyone doesn't know about it, if you're technically adroit enough for Deep Unix, use OpenBSD. if there's an OS you can trust in this dumb, dumb world, it's that one.
posted by gorestainedrunes at 8:32 AM on August 20, 2013 [4 favorites]


I haven't made it through the whole thread yet, but it seems like there might be kind of a failure of imagination here? Even if you credit the assumptions PJ makes re: what Lavabit's people have said, what about a BBS-type private messaging hosted somewhere outside of US jurisdiction, accessible only over SSH or maybe even over a mesh-net run by journalists, activists and news organizations? (If traffic analysis is a concern).

Failing that, there's always physical documents and private couriers. Whistleblowing happened before the Internet.
posted by snuffleupagus at 8:32 AM on August 20, 2013


If the law is simply whatever those in power want it to be at any given moment, what purpose could this site serve?

This stuff has been the law for decades. People just couldn't take the time to learn it. Apparently including the paralegal who ran the site.

Personally, this appears to be an attention getting deal. I understand the E-mail service shutting down as an incorrect response to a court order, but this lady has not been served with anything at all. She just up and did it for no reason whatsoever.
posted by Ironmouth at 8:37 AM on August 20, 2013 [2 favorites]


Ironmouth, the surveillance of email goes far beyond pen registers. Please don't beat that drum here.
posted by anemone of the state at 8:41 AM on August 20, 2013 [15 favorites]


Forgive my ignorance of current laws, as there's over a million on the books I'll never really know or fully understand....but why hasn't the core issue of civilian monitoring, enabled by section 215 of the Patriot Act, been addressed by the Supreme Court by now? If there are laws preventing it from reaching the Supreme Court for the sake of "national security," does that not still violate the very spirit of our 3 branch system and our constitution?

That is not what that case is about. Bush's monitoring was illegal, there was no law supporting it. Those people were suing based on acknowledged illegal wiretapping, not the legally authorized what number called what number.
posted by Ironmouth at 8:42 AM on August 20, 2013


And incorrect response to a court order? You're pulling our legs, right?
posted by anemone of the state at 8:42 AM on August 20, 2013 [1 favorite]



Ironmouth, the surveillance of email goes far beyond pen registers. Please don't beat that drum here.


It's foreign sent or received emails. It's specifically authorized. Not same thing.
posted by Ironmouth at 8:43 AM on August 20, 2013


And incorrect response to a court order? You're pulling our legs, right?

You cannot shut down to avoid a court order.
posted by Ironmouth at 8:44 AM on August 20, 2013 [1 favorite]


There was a hilarious idea on That Other Site the other day on having everyone use slightly-more-than-trivial encryption on all of their electronic communications for a couple of days. Sort of DDoSing the collection system.

I don't think it ever took off.
posted by Slackermagee at 8:45 AM on August 20, 2013


You cannot shut down to avoid a court order.

No, but you can shut down to avoid whatever's coming next. Which is the implication here. No?
posted by snuffleupagus at 8:46 AM on August 20, 2013 [9 favorites]


Our free iOS app Frank is end-to-end encrypted and the keys remain on the handset. They can be exchanged visually in person for complete anonymity.

Thanks for the link. Apple gets a lot of grief for the walled garden approach with iOS, but there's something to say for enforcing policies of static libraries and digitally-signed apps. Makes it somewhat tougher for third-parties to insert code. Not impossible, sure, but it helps.
posted by Blazecock Pileon at 8:49 AM on August 20, 2013


Those people were suing based on acknowledged illegal wiretapping, not the legally authorized what number called what number.

...legalized in a completely secret court of course, that required a whistle blower/leaker/traitor (pick your spectrum) to verify to the public. There are documents floating around as well alluding to the broad collection of internet traffic, emails (including contents) and other digital communications which fall into the scope of what I was mentioning. The phone metadata is just an offering that we can now verify 100%, but it took someone giving up their safety and their entire life to find out what's being put into law without our consent.

That's the trickiness I'm alluding to...not so much the legality, but the legitimacy of the legality.
posted by samsara at 8:51 AM on August 20, 2013 [3 favorites]


I understand the E-mail service shutting down as an incorrect response to a court order, but this lady has not been served with anything at all. She just up and did it for no reason whatsoever.

There are none so blind as those who shut their eyes and yell "LALALALALA I CAN'T HEAR YOU" at the top of their lungs.
posted by Holy Zarquon's Singing Fish at 8:54 AM on August 20, 2013 [17 favorites]


You cannot shut down to avoid a court order.

So the Federal government can force you to run a business? Is that considered a taking?
posted by ryoshu at 8:54 AM on August 20, 2013 [1 favorite]


One of the great failures of the Internet boom has been giving up on end-to-end encryption. PGP dates back to 1991, 22 years ago, and gave us the technical means to have truly secure email between two people. But it was very difficult to use. And no one has ever meaningfully made email encryption really usable. Instant Messaging encryption is a little bit better, with OTR support in Adium and the like, but in practice isn't used much.

A big part of the problem is the architecture of the Web. Most of us host our email on a third party server like Gmail or Lavabit or whatever, and that makes true end-to-end encryption very difficult. Instead we have to trust our hosting service, and as we find even if they mean well the government can compel them to rat you out.

On top of this we have the architecture of SSL/HTTPS, the only real end-to-end encryption most of us use daily. But the key distribution is hopelessly centralized, authority rooted in 40+ certificates. At least 4 of those certs have been compromised by blackhat hackers in the past few years. How many more have been subverted by spying agencies?

The cypherpunks movement foresaw all of this surveillance risk and outlined principles to protect individuals. It failed to actually implement it.
posted by Nelson at 8:55 AM on August 20, 2013 [8 favorites]


Thanks for the link. Apple gets a lot of grief for the walled garden approach with iOS, but there's something to say for enforcing policies of static libraries and digitally-signed apps. Makes it somewhat tougher for third-parties to insert code. Not impossible, sure, but it helps.

In order of increasing paranoia,
1) What proof do we have that this app has correctly implemented its cryptographic approach?
2) Can we be certain that iOS does not have an NSA backdoor (which would make any encryption on the wire pointless)?
3) Maybe this app "Frank" is itself an NSA honeypot
posted by Pyry at 8:58 AM on August 20, 2013 [3 favorites]


Who cares about privacy when there's mad ducats to be made with the latest sharing-what-i-ate-for-lunch technologies?
posted by entropicamericana at 8:59 AM on August 20, 2013 [1 favorite]


It's foreign sent or received emails. It's specifically authorized. Not same thing.

PROVE those limits were properly observed in all cases.

See the issue here now?
posted by mikelieman at 8:59 AM on August 20, 2013 [10 favorites]


So the Federal government can force you to run a business? Is that considered a taking?

You're not forced to "run a business," you're prevented from vaporizing the business entity today in order to avoid complying with a court order already in force yesterday.

If you think about it there are plenty of contexts in which you would be outraged by anything else; orders in environmental actions against polluting companies come immediately to mind.
posted by snuffleupagus at 9:00 AM on August 20, 2013 [2 favorites]


You don't hire a tax lawyer because you want to pay more taxes, and you don't hire an environmental lawyer because you want your business to find more regulations to obey.

We hired a constitutional lawyer.

That is a great observation, jenkinsear. Unfortunately, we hired a constitutional lawyer whose view of the Constitution is that it's a living, breathing document, one that means new things to new generations of Americans. The problem with that theory of the law is that it's wholly subjective, relying solely on getting a "good guy" into office---but we are a nation of laws, not a nation of men. Right? Our constitutional lawyer has decided that, in the post-9/11 United States, the First and Fourth Amendments mean something different.
posted by resurrexit at 9:00 AM on August 20, 2013 [3 favorites]


I'd suggest you move Ironmouth's Lavabit derail here guys, but..
Lavabit reacted to a National Security Letter, not a court order. Lavabit complied with court orders.
posted by jeffburdges at 9:01 AM on August 20, 2013 [7 favorites]


More to the point on any commercial private messaging app, what happens when they get a National Security Letter that transforms them into a honeypot, even if they didn't start out that way?

Which, by the by, is closer to the scenario of the government forcing you to stay in business, as mentioned above.
posted by snuffleupagus at 9:02 AM on August 20, 2013 [1 favorite]


Jinx kinda -- you owe me an empty coke can.

What the hell are national security letters, anyway? Some kind of executive order I guess?
posted by snuffleupagus at 9:03 AM on August 20, 2013


In order of increasing paranoia,
1) What proof do we have that this app has correctly implemented its cryptographic approach?
2) Can we be certain that iOS does not have an NSA backdoor (which would make any encryption on the wire pointless)?
3) Maybe this app "Frank" is itself an NSA honeypot


1) We used standard methods. But the app is aimed at privacy rather than security. We make it hard to read your messages, not impossible. We certainly can't read them.

2) Good question. You need to answer this for yourself.

3) We're an open book. Three guys, based in Canada, privately held. We made the app because we believe in privacy. Again, you just have to decide whether you believe us or not.
posted by unSane at 9:05 AM on August 20, 2013 [1 favorite]


As we have seen from time to time, it doesn't do any good to hide in the attic. When they come, they will get you. You can hide in the attic only so long as your householders are around to feed you. Whacha-gonna-do when they come-for-U?

I agree with the ideas, stated above, that you have to take a stand, out in the open, and in the line of fire. Thinking about it asymmetrically, not everyone has to stand in front of the tank, but somebody's gotta do it.
posted by mule98J at 9:05 AM on August 20, 2013 [2 favorites]


> I always said that pen and ink would come back one day.

And homing pigeons. It is physically possible to completely remove the government from the loop with enough determination.
posted by bukvich at 9:08 AM on August 20, 2013 [1 favorite]


Ah. I hadn't realized Frank's developers are in Canada. Does Canada have any mechanism like the NSL?

And, although I haven't dug into any real legal sources, looking at the enabling structure suggests NSLs would appear to be properly classified as a form of administrative subpoena.
posted by snuffleupagus at 9:08 AM on August 20, 2013


Do not trust any closed source crypto if your opponent is a nation state.
posted by jeffburdges at 9:09 AM on August 20, 2013 [3 favorites]


1) What proof do we have that this app has correctly implemented its cryptographic approach?

I don't know much about how that specific app was written, but if it uses OpenSSH or CommonCrypto routines, source code is available for review.

2) Can we be certain that iOS does not have an NSA backdoor (which would make any encryption on the wire pointless)?

Given the open-sourced code for cryptographic routines and network stack components in the Darwin kernel, a jailbroken iOS device should be easier to do forensics on and trace any kind of aberrant network behavior. Even if the kernel hides something going on, one could compare the output with the logs of a sniffer. If there's something unexpected, then you have something to investigate, presumably. I'd bet someone more paranoid than both of us has already done something like this.

3) Maybe this app "Frank" is itself an NSA honeypot

Fair point, but I was thinking more about the design that apps run on, which is starting to take hold on other platforms. Maybe an unintended side-effect, but it was interesting to me.
posted by Blazecock Pileon at 9:11 AM on August 20, 2013


Isn't now the time in the novel when Iceland or someplace which needs a post-crisis business model sets itself up as a data haven?
posted by shothotbot at 9:14 AM on August 20, 2013 [5 favorites]


Does Canada have any mechanism like the NSL?

Not right now, as far as I understand. There are fairly substantial privacy protections under Canadian law. There is a bill they've been trying to get through which has been fought successfully so far.

We've always said we'll comply with law enforcement, court orders etc but the app is designed to make any such co-operation fairly useless, since we never have access to anybody's keys or identities, and there are no accounts.
posted by unSane at 9:14 AM on August 20, 2013 [1 favorite]


mikelieman: "It's foreign sent or received emails. It's specifically authorized. Not same thing.

PROVE those limits were properly observed in all cases.

See the issue here now?"

No, there's a democrat in the white house, you can totally take him at his word. Now, if there were a republican, then maybe we might have a problem, and i would totally change my stance!

/hamburger
posted by symbioid at 9:15 AM on August 20, 2013 [4 favorites]


OpenSSH or CommonCrypto routines

Sorry, OpenSSL, not OpenSSH.
posted by Blazecock Pileon at 9:16 AM on August 20, 2013


What the hell are national security letters, anyway?

Electronic Frontier Foundation on National Security Letters:

Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power under 18 U.S.C. § 2709, as expanded by PATRIOT Section 505, is one of the most frightening and invasive. These letters, served on communications service providers like phone companies and ISPs, allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag order that forbids them from ever revealing the letters' existence to their coworkers, to their friends, or even to their family members, much less the public.

Internet Archive's Brewster Kahle on what it's like to receive an NSL.
posted by ryanshepard at 9:18 AM on August 20, 2013 [5 favorites]


To those who do not understand the reasons behind this, consider: The site specializes in legal analysis. They come up pretty high in Google searches for a lot of legal issues. People all around the world probably send them email with questions or looking for advice. Even if they only ever replied with "we don't answer questions," the damage would be done. If you know that email is being intercepted, then simply by writing about legal issues you could be putting people at risk.

If those are her reasons, it's odd that she doesn't state them. I mean, there would be no legal risk in saying "here are the specific negative consequences I could hypothetically see resulting from our continuing to operate." Her argument is purely emotive: that it's icky to think that someone is reading correspondence that you considered to be private--that it's analogous to the icky feeling you have when your house has been broken into and your stuff pawed over.

She also specifically limits her concerns (pace much of the discussion on this thread) to emails sent from overseas. But we have known for a long, long time; waaaaay before the Snowden revelations, that the NSA had the capability of sifting through emails which originated outside the US and was, at the very least, running automated word-string searches on large quantities of it. It is very hard to figure out what new information her action is based on, if any.
posted by yoink at 9:19 AM on August 20, 2013


I won't fly anymore. I am sure I am not alone. I refuse to participate in what I see as a terrible encroachment of the state into personal lives. I've written letters protesting the TSA. Does me shit for good, but there's some small impact economically. Now if I can't drive there it doesn't exist. I dread the idea of a border crossing.

I've removed my dropbox account, no longer use google+, etc. I treat email as though it's a postcard. I've set my home DNS to open DNS (when I am not running through a secure VPN). I've been thinking of closing my Amazon account.

I've been thinking of shuttering my sites as well. I for sure am planning to move to a self-hosted environment outside the US. When visiting a public website using a web proxy or IP masking can violate the Computer Fraud and Abuse Act it's time to admit the internet is no longer free.

Seriously, I've got nothing to hide, but that burden shouldn't be on me to prove.
posted by cjorgensen at 9:20 AM on August 20, 2013 [11 favorites]


Apparently "the government [must] rely on the judiciary for enforcing noncompliance with an NSL."
So ask yourself: Would they even let a judge see this NSL? If not, hey maybe you'll get away with violating it. Just take care because, as noted upthread, the state no longer obeys its own laws.
posted by jeffburdges at 9:22 AM on August 20, 2013 [2 favorites]


I don't want to go into too much tech detail about what we do because I'm not the guy who knows about that stuff, but essentially we use concepts from server-proof hosting, with each handset as a client to an encrypted database, to which only the handsets have keys. We host a public server and we are in the process of developing a solution for third parties to host their own servers.

There is absolutely no reason why the entire communications infrastructure on the internet shouldn't run like this transparently, which of course is our Big Idea.
posted by unSane at 9:23 AM on August 20, 2013 [2 favorites]


We know things are bad. Worse than bad. They're crazy. It's like everything everywhere is going crazy so we don't go out anymore. We sit in a house as slowly the world we're living in is getting smaller and all we say is, "Please, at least leave us alone in our living rooms. Let me have my toaster, and TV, and my steel belted radials and I won't say anything." — Paddy Chayefsky, Network, 1976
posted by ob1quixote at 9:28 AM on August 20, 2013 [8 favorites]


Woah, I hadn't seen that 3Taps ruling previously [cjorgensen's link above]. However, though it raises concerns (and my hackles) reading the court's actual opinion suggests that the ruling may be somewhat limited to its facts -- which is to say, the ability of a public site operator to forbid a third party from scraping its content for commercial use (i.e. to run a content farm with marginal ads).

....under the plain language of the statute, 3Taps was “without authorization” when it continued to pull data off of Craigslist’s website after Craigslist revoked its authorization to access the website. As the “ordinary, contemporary, common meaning” of the word indicates, and as Brekka expressly held, “authorization” turns on the decision of the “authority” that grants–or prohibits–access. In Brekka, the authority was the employer. Here, it is Craigslist. Craigslist gave the world permission (i.e., “authorization”) to access the public information on its public website. Then, just as Brekka instructed that an “authority” can do, it rescinded that permission for 3Taps. Further access by 3Taps after that rescission was “without authorization.”


The use of a proxy was unacceptable because it was an end run around the revocation of 'authorization' in the common sense meaning of the term.

To me this decision is more problematic regarding issues of speech rather than privacy.
posted by snuffleupagus at 9:38 AM on August 20, 2013


I'm sure ten years of reporting on and being targeted by patent trolls has made her a bit edgy when it comes to her privacy.

But I imagine she expected any negative consequences could be handled in the courts, and our strong tradition of respect for press freedom would shield her from anything too severe. It has become clear that for certain definitions of the word "journalism" this is not the case.

Also, PJ tried to shut it down before, or at least step away. I think this was just the last straw, like when Berke Breathed decided that the world was getting too cynical for Opus to inhabit.
posted by RobotVoodooPower at 9:39 AM on August 20, 2013 [3 favorites]


"self-hosted environment outside the US"

@cjorgensen, which country would you trust to host your stuff?
Shouldn't be an ally of the US, not an EU and NATO country, no China, no Russia.

I was thinking about the same but haven't found any reliable solution.
(what about a Kickstarter for an off-planet private satellite? (not kidding))

3rd world countries are so-so. Partly related, but the startups' favorite .ly TLD was almost gone in the Arab Spring.
posted by bdz at 9:52 AM on August 20, 2013


My current fantasy is for the professional responsibility bar to come out saying that email is not secure for the purposes of attorney-client confidentiality.

"I am having some very concerned conversations about whether it's safe, or even ethical, to have confidential attorney-client communications by email."
posted by yerfatma at 9:59 AM on August 20, 2013 [5 favorites]


I think Mr. Miranda was carrying one-time pads. Or he should have been.
posted by George_Spiggott at 10:03 AM on August 20, 2013 [2 favorites]


It's foreign sent or received emails. It's specifically authorized.

By what?
posted by no relation at 10:05 AM on August 20, 2013


I won't fly anymore. I am sure I am not alone.

You're not.
posted by ChurchHatesTucker at 10:08 AM on August 20, 2013 [1 favorite]


Honestly, I wouldn't want to be in a position of speaking potentially inconvenient truth to powerful corporate entities when the government is operating a pervasive blackmail factory. This is woeful news but I understand her motivations. Anyone who sticks up for the little guy against authority now has to wonder what digital sword of Damocles is hanging over their heads or the heads of anyone they've interacted with.

It may not be the case that the NSA is a totally rogue agency operating outside the boundaries of any sort of civilian or executive branch oversight, underneath the protection of a massive blackmail shield of every embarrassing college party photo, every dirty e-mail, every flirtatious Facebook message, every angry venting rant against your terrible boss you've ever written, but from the outside, this is exactly what it looks like is going on. It looks like the inmates are in charge of the asylum.
posted by feloniousmonk at 10:10 AM on August 20, 2013 [4 favorites]


you're prevented from vaporizing the business entity today in order to avoid complying with a court order already in force yesterday.
To my knowledge GrokLaw has received no court orders nor any sort of NSA letters. This is the genius behind her move... because she has not received any order, she is not compelled to act upon any order.

Now, in x number of hours/days/weeks/months/years... when the ephemeral "they" come knocking on her door asking for her privileged data she has no way of providing it because it was destroyed years ago when she closed up shop.

Notice the subtle-yet-extremely-important difference here. This is not an example of "I shut down x site because they want my data and I can do nothing to stop them." This is an example of "I'm afraid that they might one day want my data, at which time I will not be able to do anything to stop them, so I'm shutting down x site now, because now is the only time I will have a choice in the matter."
posted by Blue_Villain at 10:12 AM on August 20, 2013 [13 favorites]


Ah. I hadn't realized Frank's developers are in Canada. Does Canada have any mechanism like the NSL?

If Harper hasn't introduced something similar by now, I'd be very surprised.
posted by acb at 10:13 AM on August 20, 2013


@cjorgensen, which country would you trust to host your stuff?
Shouldn't be an ally of the US, not an EU and NATO country, no China, no Russia.


Iceland, I hear, is a good choice. Good connectivity, strong privacy laws (there are surveillance laws, but they only apply to carriers with allocated spectrum, so don't host your email with the local telco), a fairly robust culture of civil liberties, and recent resentment of British government abuse of antiterrorism laws.

I was actually thinking that the Guardian could do well to sell its shiny new headquarters at Kings Place (perhaps keeping a floor for a local bureau) and, with part of the money, buy some prime real estate in Reykjavík for editorial operations.

Perhaps an independent Scotland will turn out to be less of a pushover (if the independence agreement worked out beforehand doesn't give the British Deep State permanent secret hunting rights within its borders, of the sort the Allies had in occupied Germany).
posted by acb at 10:18 AM on August 20, 2013 [1 favorite]




No, there's a democrat in the white house, you can totally take him at his word. Now, if there were a republican, then maybe we might have a problem, and I would totally change my stance!

Well, in a recent video interview, Julian Assange said “The only hope as far as electoral politics presently, is the Libertarian section of the Republican party. [I] am a big admirer of Ron Paul and Rand Paul for their very principled positions in the U.S. Congress on a number of issues.” He also said “Matt Drudge is a news media innovator. And he took off about eight years ago [sic - it was 15] in response to the Monica Lewinsky scandal.” Assange claimed that Drudge made his name by “publishing information that the establishment media would not.”

Of all the negative words I've had to describe Mr. Assange, I never thought I'd add "naive idiot" to the list. A President Rand Paul won't shut down the NSA, he'll just sell it to the highest corporate bidders.
posted by oneswellfoop at 10:23 AM on August 20, 2013 [5 favorites]


Also, PJ tried to shut it down before, or at least step away. I think this was just the last straw,

Wow. 2011 and Google was still the "good guy" company you automatically sided with against the Evil Empire of Micro$oft! That felt like such a blast from the past.

I'm still not clear what the "last straw" was, though. What do we know now about the way emails from foreign nationals into the US are treated by the NSA that we didn't know in, say, 2010?

Also, when has anyone ever thought that emails were truly "private" communication? "Don't write anything in an email that you wouldn't want to have read in public" has been pretty standard internet advice pretty much since emails first appeared. Here, for example, is a "how to use e-mail" instruction thing that dates from 1997. Here's what it has to say about privacy:
Privacy, Are You Kidding?

Stop right where you are and set aside a couple of brain cells for the following statement: there is no such thing as a private e-mail. I don't care what anybody says, states, swears or whatever, there is just no such thing as private e-mail. The reason? Keep reading.

With some e-mail systems, the e-mail administrator has the ability to read any and all e-mail messages. If this is the case where you are located you better hope that there is an honest and respectable person in that position.

Some companies monitor employee e-mail (I consider this one of the worst forms of censorship). The reasons for this obtrusive behavior range from company management wanting to make sure users are not wasting time on frivolous messages to making sure that company secrets are not being leaked to unauthorized sources.

E-mail software is like all software in that occasionally things go wrong. If this happens, you may end up receiving e-mail meant for another person or your e-mail may get sent to the wrong person. Either way, what you thought was private is not private anymore.

Somewhere in the world there is a person (usually a hacker) who is able to read your e-mail if he/she tries hard enough. Of course "Tries hard enough" is the key. It's not that simple to read another person's e-mail (usually). There are (usually) security measures in place to prevent this from happening, but no security is one hundred percent hacker-proof. I have "usually" in parentheses in the prior two sentences because I'm making the assumption that the person/persons who install and operate your e-mail system have taken the necessary precautions. Of course, the same must also be true for the person/persons on the receiving end of your e-mail.

So where does this leave us? First, let me reiterate the initial statement: there is no such thing as a private e-mail. Got it? Second, don't send anything by e-mail that you would not want posted on the company bulletin board. If it's safe enough for the bulletin board, it's safe enough for e-mail. Finally, if you are debating whether or not to send something personal by e-mail, either deliver it by hand or send it by snail mail.
Is there anybody who hasn't heard that advice or given that advice themselves? The notion that email was "suddenly" revealed as something that uninvited third-parties might get access to in the wake of l'affaire Snowden is just nonsense.
posted by yoink at 10:24 AM on August 20, 2013


Guys don't you get it... "They hate us for our freedom."

If we get rid of all that pesky freedom, they will no longer hate us and then we WIN!
posted by symbioid at 10:29 AM on August 20, 2013 [3 favorites]


It is clearly the codification of this 'advice' into American legal policy and security apparatus that is at issue for Groklaw, Lavabit and other sites.
posted by Blazecock Pileon at 10:31 AM on August 20, 2013


If Harper hasn't introduced something similar by now, I'd be very surprised.

Read and weep.
posted by unSane at 10:32 AM on August 20, 2013


A President Rand Paul won't shut down the NSA, he'll just sell it to the highest corporate bidders.

I was going to argue the point, but then I remembered that I thought a Constitutional scholar wouldn't piss all over the Constitution. I apparently know nothing.
posted by ChurchHatesTucker at 10:36 AM on August 20, 2013 [5 favorites]


@acb
Iceland is a NATO founding member...

Otherwise I also heard good things about them. But as the country is a member of a military alliance (where the US is also present) I wouldn't trust them.
posted by bdz at 10:40 AM on August 20, 2013 [1 favorite]


The latest (and I guess last) news pick on Groklaw's sidebar: The NSA Reveals That It Does 20 Million Database Queries Per Month
posted by homunculus at 10:43 AM on August 20, 2013 [1 favorite]


> This is not an example of "I shut down x site because they want my data and I can do nothing to stop them." This is an example of "I'm afraid that they might one day want my data, at which time I will not be able to do anything to stop them, so I'm shutting down x site now, because now is the only time I will have a choice in the matter."

It's not even just this. It's also "I must presume they have already begun collecting and storing my communications, or will soon. One day they will want to look at some of it and will have the ability to do so. So I have to stop providing it to them right now."
posted by George_Spiggott at 10:46 AM on August 20, 2013 [3 favorites]


Does NATO cover law enforcement, or just acts of war? Could Iceland be obliged to let US/British goons raid its data centres under treaty provisions?
posted by acb at 10:46 AM on August 20, 2013


The NSA Reveals That It Does 20 Million Database Queries Per Month

...and with an estimated 2000 'errors' previously revealed, that's only a .01% chance of your rights being violated (needlessly) this month! Which is not bad for an automated system.

Remember that classic line spoken by the corrupt Vichy Captain Renault? "Round up the usual suspects?" That's the ONLY way to run the "War on Terrorism" (as well as the "War on Drugs" and the "War on Intellectual Property Theft" and any other law enforcement priority they choose to call a "War"). And with email metadata providing the identity of not only everyone you communicate with but everyone THEY communicate with, that list of "usual suspects" grows exponentially with every cycle in the NSA data center.

On the other hand, if there's a "shit list", there is probably also a "good guys list". So I recommend doing regular social emails with the NSA apologists participating in this and other MeFi threads. (You know who they are, and so do the Feds)
posted by oneswellfoop at 10:49 AM on August 20, 2013 [2 favorites]


I think the first truly privacy-safe data center will be in orbit. I don't think there is such a thing as the right combination of legal jurisdiction and bandwidth to render you truly safe against the NSA/CIA/etc. In a lot of ways, it's like the Aztecs trying to find somewhere to hide from the Spanish. Their power is vast. Even if you're also a state actor with an unfathomable budget they have a significant head start and the issues are not entirely technical in nature.
posted by feloniousmonk at 10:52 AM on August 20, 2013 [1 favorite]


> I won't fly anymore...

A true dilemma. I understand the whole "the only winning move is not to play" ordeal, but at some point this civil disobedience looks like self-censorship or some kind of self-imposed imprisonment. It's a form of protest, no doubt, yet I can't shake the feeling that moves like these still play exactly into someone's hands until you break free completely.

Which is what worries me so much about Lavabit, Groklaw, and others. These were good services that essentially championed the public interest in a time where that's vanishingly rare, and now we're losing them in a series of "catch 22" decisions made by their founders.
posted by Johann Georg Faust at 10:52 AM on August 20, 2013 [2 favorites]


I think the first truly privacy-safe data center will be in orbit.

'Oops. Sorry about that mysterious untracked piece of space-junk from some early test, weird how its orbit suddenly degraded like that. Anyway, too bad about your cute little satellite.'
posted by snuffleupagus at 10:57 AM on August 20, 2013 [6 favorites]


I suspect they have more sophisticated ways of finding the “usual suspects” than simple social network analysis. If Google's AdSense anti-fraud algorithms can find a Chinese car theft ring by correlating hundreds of attributes which, in isolation, mean nothing, and a department store coupon scheme inferred that a teenager was pregnant a few weeks before her parents knew, surely the NSA, with its mines of everyone's email, chat content, online activity, web browsing history, credit history, mobile phone locations, and the ability to infer sleep patterns, breaks from daily schedules, stress levels and other things from it, could do queries like “find all the people within 3 degrees of X who have issues with authority or relationship problems”.
posted by acb at 10:57 AM on August 20, 2013 [3 favorites]


A true dilemma. I understand the whole "the only winning move is not to play" ordeal, but at some point this civil disobedience looks like self-censorship or some kind of self-imposed imprisonment. It's a form of protest, no doubt, yet I can't shake the feeling that moves like these still play exactly into someone's hands until you break free completely.

In totalitarian societies, they called it internal exile.
posted by acb at 10:58 AM on August 20, 2013 [6 favorites]


I think the first truly privacy-safe data center will be in orbit

That's what I said too. But.

Even the astronauts tweeting from the ISS are just tunneling into a NASA server somewhere in the US.
So you have to have an uplink from a "safe" country, which turns us back to the original question: which country would you trust to host your data?
posted by bdz at 10:59 AM on August 20, 2013


PROVE those limits were properly observed in all cases.

See the issue here now?


Don't worry, analysts have a wacky slide telling them to stop it and report themselves if they intentionally target a US person's communications.
posted by jason_steakums at 11:00 AM on August 20, 2013 [1 favorite]


I think the first truly privacy-safe data center will be in orbit.

That'd work just fine. As long as every user of the data is willing to go to the satellite every time they want to access it.
posted by George_Spiggott at 11:01 AM on August 20, 2013 [4 favorites]


So you have to have an uplink from a "safe" country, which turns us back to the original question: which country would you trust to host your data?

Presumably in this scenario our routers are connected to personal satellite terminal/transceivers rather than terrestrial network endpoints. Or, what George Spiggott said.
posted by snuffleupagus at 11:03 AM on August 20, 2013


GPG can hide the content of your messages, but it can't hide who you're communicating with.
This is correct if you only use GPG. If you use GPG as a component of an anonymous remailer network, then you can at least make who you're communicating with a lot harder to discover.

If you send an encrypted message to Alice, and when decrypted with her key it says "wait 52 minutes, discard this padding and send this inner encrypted message to Bob", and the inner message decrypts to "wait 7 minutes and send these two inner inner encrypted messages plus some random padding to Carlos and Dave", etc., and if Alice and her friends are also regularly sending messages that aren't yours to each other, then it gets very hard for an outsider to follow the trail of any message, even if Dave turns out to be a planted spy.

I've avoided running a mixmaster node (or a freenet node, or tor node, etc) for any length of time in the past due to concern over how it would be used. It's not like there's an "evil bit" you can check to make sure that legitimate political dissidents' photos are being passed along and not kidnappers', for example. I suppose the ethical calculus is changing now, though, as the spies in the network seem to be doing their best to increase the volume of legitimate dissent.
posted by roystgnr at 11:11 AM on August 20, 2013 [2 favorites]
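The layered forwarding roystgnr describes above, as an added sketch that is not from the thread or from any remailer's code: each hop peels one layer, waits, re-pads to a fixed wire size and forwards. The SHAKE/HMAC cipher with one shared key per node is a toy stand-in for GPG public-key encryption, and the recipient name `erin`, Carlos's 31-minute delay and all function names are assumptions.

```python
import hashlib, hmac, json, os, struct

WIRE = 1024            # every message an eavesdropper sees has this size
NONCE, TAG = 16, 32

def _sub(key, label):
    # Separate encryption and MAC keys derived from the node key.
    return hashlib.sha256(label + key).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, nonce, n):
    # Toy keystream (assumption: stands in for real public-key encryption).
    return hashlib.shake_256(_sub(key, b"enc") + nonce).digest(n)

def _pack(items):
    return b"".join(struct.pack(">H", len(i)) + i for i in items)

def _unpack(buf):
    items = []
    while buf:
        (n,) = struct.unpack(">H", buf[:2])
        items.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return items

def seal(key, header, payloads):
    """One layer: routing header plus inner blobs, readable only with `key`."""
    parts = _pack([json.dumps(header).encode()] + list(payloads))
    plain = struct.pack(">H", len(parts)) + parts
    nonce = os.urandom(NONCE)
    ct = _xor(plain, _stream(key, nonce, len(plain)))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def pad(blob):
    """Random padding hides how many layers are left inside a message."""
    if len(blob) > WIRE:
        raise ValueError("message too large for the fixed wire size")
    return blob + os.urandom(WIRE - len(blob))

def open_layer(key, wire):
    """Peel one layer; raises ValueError if it was not sealed for `key`."""
    nonce, tag, ct = wire[:NONCE], wire[NONCE:NONCE + TAG], wire[NONCE + TAG:]
    ks = _stream(key, nonce, len(ct))
    (n,) = struct.unpack(">H", _xor(ct[:2], ks))
    real = ct[:2 + n]                        # the rest is discardable padding
    want = hmac.new(_sub(key, b"mac"), nonce + real, hashlib.sha256).digest()
    if 2 + n > len(ct) or not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered message")
    items = _unpack(_xor(real, ks)[2:])
    return json.loads(items[0]), items[1:]

def build_example(keys, message):
    """The route from the comment: Alice -> Bob -> (Carlos, Dave); Carlos -> erin."""
    to_erin = seal(keys["erin"], {"delay": 0, "next": []}, [message])
    to_carlos = seal(keys["carlos"], {"delay": 31, "next": ["erin"]}, [to_erin])
    to_dave = seal(keys["dave"], {"delay": 0, "next": []}, [b"cover traffic"])
    to_bob = seal(keys["bob"], {"delay": 7, "next": ["carlos", "dave"]},
                  [to_carlos, to_dave])
    to_alice = seal(keys["alice"], {"delay": 52, "next": ["bob"]}, [to_bob])
    return pad(to_alice)

def run_network(keys, first_hop, wire):
    """Simulate the hops. Returns (what an eavesdropper logs, what was delivered)."""
    queue, log, delivered = [(0, first_hop, "sender", wire)], [], {}
    while queue:
        queue.sort(key=lambda e: e[0])       # process in order of send time
        t, node, src, msg = queue.pop(0)
        log.append((t, src, node, len(msg))) # time, from, to, size: nothing else
        header, payloads = open_layer(keys[node], msg)
        if not header["next"]:               # innermost layer: final delivery
            delivered[node] = payloads[0]
            continue
        for nxt, inner in zip(header["next"], payloads):
            queue.append((t + header["delay"], nxt, node, pad(inner)))
    return log, delivered

if __name__ == "__main__":
    # Constructed sample keys and message, for illustration only.
    names = ("alice", "bob", "carlos", "dave", "erin")
    keys = {n: os.urandom(32) for n in names}
    log, delivered = run_network(keys, "alice", build_example(keys, b"hello"))
    for entry in log:
        print("t=%3d min  %-6s -> %-6s  %d bytes" % entry)
    print(delivered)
```

Dave, the possible planted spy in the comment, can open only his own layer: he learns that Bob sent him something and nothing about Carlos's branch or the original sender.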


Popehat has a good take on why Groklaw is shutting down:

"I don't trust my government, I don't trust the people who work for my government, and I believe that the evidence suggests that it's irrational to offer such trust."

That quote almost hits the nail on the head. I have little agency over my government's actions, yet I am forced to trust them. There's a parallel to be drawn with Nelson's point above and the CA system: our web browsers trust all these different vendors to establish a "secure" communication channel, each of which we know very little about. Yet at least with a browser, if we choose to no longer trust a certificate authority (because they've been hacked or whatever), we can tell our browser to not accept that certificate as secure. Due to this, any website that uses that certificate will no longer work, but that's the principled stand to take.

This ability to choose who to trust does not apply when all communications are stored by the NSA. How exactly would one choose to no longer trust the United States government? I'm also looking at moving my sites abroad (Iceland seems most logical, but I haven't decided yet), but I don't know how much protection that really offers anyway.
posted by antonymous at 11:13 AM on August 20, 2013 [3 favorites]


Unintentionally related: Despite Obama's best efforts, millions aren't using the Internet

Old-fashioned methods still need to spy on 20% of Americans. Rats.
posted by oneswellfoop at 11:20 AM on August 20, 2013 [2 favorites]


Unfortunately, we hired a constitutional lawyer whose view of the Constitution is that it's a living, breathing document, one that means new things to new generations of Americans. The problem with that theory of the law is that it's wholly subjective, relying solely on getting a "good guy" into office---but we are a nation of laws, not a nation of men. Right? Our constitutional lawyer has decided that, in the post-9/11 United States, the First and Fourth Amendments mean something different.

This is a really ill-informed set of statements.

And I'm not cutting Obama much slack here, as I think he should be on the hook at this point, but let's not forget this infrastructure and these programs have been in place, subject to routine congressional reauthorizations, since the de facto Cheney administration ordered them into existence. In fact, by all accounts, these programs are now actually under more restrictive controls and more scrutiny than had been the case in the past. These programs are still too obscured under secret law, too much under executive control, and lacking real, meaningful public oversight, but this has nothing to do with the legal debate over strict constructionism (which is demonstrably gibberish as a legal concept and if taken literally would lead to all kinds of even more ridiculous legal outcomes).

This is actually a textbook example of where strict constructionism fails: There are no specifically enumerated rights related to Internet use because there was nothing even remotely like the Internet in use or on the horizon when the Constitution was drafted. For that matter, there's absolutely no explicit right to privacy, though there's a long tradition of its being taken to be an implied, unenumerated right. There's not even an explicit authorization in the Constitution for secretive entities like the CIA, NSA, etc. to exist--they're just assumed to be part of the inherent powers of the executive branch.

And the courts and many members of congress (especially those that sit on the intelligence committees) have played a major role in creating and justifying this system, though of course now there's a rash of congress people trying to make sure they come out looking clean. Some of them, no doubt, absolutely were hoodwinked, but many were not.

Anyway, if you really want meaningful accountability that gets at the parties responsible and fixes the deeper problems that have been exposed here, you're best off looking to the entire orchestra, not just to the latest stooge to get caught without a chair when the music stopped. Unfortunately, Obama won't help you out there, and that's one of the things I'm most deeply disappointed in him about. He's reined these programs in only so much as necessary to claim the fig leaf of external oversight, rather than actively working to undo them.
posted by saulgoodman at 11:24 AM on August 20, 2013 [5 favorites]


That'd work just fine. As long as every user of the data is willing to go to the satellite every time they want to access it.

Tape backups have extremely high latency even in comparison to something in orbit. If you have data to keep safe, suffering the latency of tapes to ensure its safety is no big deal.

Unfortunately, I don't think we're anywhere near the technology level required to run unmanned orbital data centers. Maybe Google or Facebook will get to the point where they have robots swapping out failed components and can run without staff. Of course, these are the people you'd least want running it in the first place after these revelations.

It's probably too Gibsonian an idea to be practicable anytime soon.
posted by feloniousmonk at 11:27 AM on August 20, 2013 [1 favorite]


Unfortunately, Obama won't help you out there, and that's one of the things I'm most deeply disappointed in him about. He's reined these programs in only so much as necessary to claim the fig leaf of external oversight, rather than actively working to undo them.

After all that's been told about this story and all that apparently remains to be told, don't you kind of wonder what all of these programs gathered about Barack, Michelle, and their family prior to his winning the election? I don't think I'm necessarily willing to go so far as to say I think that's what has happened, but doesn't it seem more plausible than it should? I realize this has the makings of a Bill Hicks bit, but still.
posted by feloniousmonk at 11:30 AM on August 20, 2013 [2 favorites]


I wouldn't mind the panopticon government if it just provided better service. I forgot my password the last week, so reasonably enough I wrote the NSA to ask for it. Nothing. I wanted to know the name of that adorable shop I stumbled on the other day so I asked to look at the CCTV video or my phone movement track. Not even a form response. Is this the surveillance state we're paying for?
posted by George_Spiggott at 11:33 AM on August 20, 2013 [9 favorites]


feloniousmonk: Considering what may have happened to Spitzer as a result of the "Stellar Wind" program, it's not a completely unreasonable idea, but unfortunately, I think Obama may really believe these capabilities are valuable and necessary--and this is pure speculation, but I bet China and Russia have similar capabilities, too, and it would be viewed as unthinkable within US defense circles to let the US slip behind.
posted by saulgoodman at 11:36 AM on August 20, 2013


I agree that it's more likely that Obama was simply somehow won over to thinking he was doing the right thing. It's incredible to me that it's even possible to have a discussion that cuts so readily to the quick of our government's legitimacy, but we're all humans here and it's hard not to have a sense of the incredible opportunity to seize personal power that these tools represent. This opportunity also argues in favor of China, Russia, etc having them as well. Any government that can is probably trying, especially after all of this.
posted by feloniousmonk at 11:40 AM on August 20, 2013


1) What proof do we have that this app has correctly implemented its cryptographic approach?

I don't know much about how that specific app was written, but if it uses OpenSSH or CommonCrypto routines, source code is available for review.
One of the primary reasons that there is no technological solution for total privacy is that one must have complete trust in the hardware provider, the compiler writer, the library writers, and whoever touches or compiles code anywhere in the chain from circuitry design up to the UI. Having source code is not enough, because of the famous Ken Thompson hack, where secret code is attached inside a compiler, then removed from the compiler's source, and then this secret code perpetuates itself, invisibly, forever. There's no way to know if you have a pure compiler, you'll never be able to verify your code unless you audit the code at the machine instruction level, an incredibly error-prone process. And as pointed out by Ken Thompson himself, this hack doesn't have to be in the compiler, it can be in the linker, it can be in microcode. It can be in the CPU itself. Right now, many people are skeptical of Intel's hardware random number generator, and believe that there's a good chance that it has been compromised. (IMHO, this is probably not true, but there's no way to know, you have to trust that our government wouldn't do that. Trusting Intel gets you nowhere, because we don't know if Intel is under secret orders.)

So even if you're running OpenBSD, you're still using GCC or Clang as your compiler, and we don't know that they haven't been compromised. And if you bootstrap your own assembler and compiler, you're still running on Intel hardware. And all of this fails if you don't get really random numbers, and while you can validate random numbers in aggregate, how can you be sure that the final time you generate your key, for real, that that run actually had enough entropy?

There's this whole chain of trust behind every computer system that's inescapable. Implicitly, or explicitly, you're trusting all of technology when you think that you're actually encrypting your communications.

And when we can't trust a government, and that government has infinite power under secret interpretations and court rulings of vague laws to secretly demand any business to perform any action at all in order to get access to communications, and that government will imprison any person who lets out that this is going on, then you can't trust any of the technology.

This is entirely a social, political, and people problem. There is no technological out. Forget about GPG (or S/MIME), forget about TLS/SSL, all the web of trust crap. Without a functioning, non-authoritarian, and open government under which to construct all this technology, it means nothing. I'm not saying that the US government has backdoored CPUs, but there's no reason to believe they haven't, you have to trust them that they wouldn't do that. And as we've seen, they have the power to do that, and there's no reason to believe that they will not do what is in their power if they think it will stop terrorism. It's paranoid thinking. But what other option is there?

Completely opting out, as PJ has done, may be better for a person's sanity than selectively self-censoring. It can be easier just to say nothing than to think about every email and blog post, "Will there ever be somebody who misinterprets what I'm writing here? What positive defenses do I have that prove I'm of good will and not talking to somebody who knows somebody who's a terrorist?"
posted by Llama-Lime at 11:41 AM on August 20, 2013 [34 favorites]


Via the Ars Technica piece on the Groklaw shutdown, some secure email companies are taking a "privacy seppuku pledge", vowing to close down instead of complying with secret surveillance requests.
posted by filthy light thief at 11:42 AM on August 20, 2013


One of the first "hilarious" sidenotes to all this was that the NSA wiretapped Obama during his Senate run.
posted by Holy Zarquon's Singing Fish at 11:43 AM on August 20, 2013 [4 favorites]


This is actually a textbook example of where strict constructionism fails: There are no specifically enumerated rights related to Internet use because there was nothing even remotely like the Internet in use or on the horizon when the Constitution was drafted.
-
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Seems pretty clear to me. The problem is the adoption of the idea that this right is somehow forfeited when a third party is asked to secure the papers.
posted by Drinky Die at 11:50 AM on August 20, 2013 [1 favorite]


The internet is not a series of tubes that ships "papers" around. Under a strict constructionist interpretation, emails or data packets are not personal effects.
posted by saulgoodman at 11:53 AM on August 20, 2013 [2 favorites]


Yeah, I agree, it's pretty clear when you use common sense, but using common sense to interpret law is not the strict constructionist view of constitutional law.
posted by saulgoodman at 11:54 AM on August 20, 2013 [1 favorite]


Under a strict constructionist interpretation, emails or data packets are not personal effects.

I seriously doubt any of the Framers would see it that way. It's not like they had been bought out by the paper lobby.
posted by ChurchHatesTucker at 11:58 AM on August 20, 2013 [4 favorites]


One of the first "hilarious" sidenotes to all this was that the NSA wiretapped Obama during his Senate run.

Also that whole thing with Jack Ryan hiring someone to follow Obama with a video camera all day long when they were running against each other. Even if you somehow knew he was going to be president back then, you'd never guess the guy famously and publicly stalked by a camera against his will would become such a booster of this kind of thing.
posted by jason_steakums at 11:58 AM on August 20, 2013 [1 favorite]


But that's only your interpretation of the original intent, and so, not strict constructionist. I bet most people would say it's obvious the founders meant for basic rights like life, liberty and the pursuit of happiness to be universal, too, and yet, at one time in history, slaves did not enjoy those rights. Original intent is not at all always obvious or accessible to modern interpreters when dealing with historically novel developments.
posted by saulgoodman at 12:02 PM on August 20, 2013 [2 favorites]


We can safely assume it was not ever their intent for the 4th amendment to be practically useless due to changes in technology, I think.
posted by Drinky Die at 12:04 PM on August 20, 2013 [11 favorites]


saulgoodman, your whole argument is based on the only alternative to a living Constitution being strict constructionism. There are lots of interpretive alternatives. I was criticizing the interpretation that a provision literally means something completely different, or a certain interpretation is no longer expedient, etc.

You also bring up the "new technologies" criticism of an originalist/strict constructionist-genera of constitutional hermeneutics, but that is a question of application: it is not a stretch to apply the First Amendment to protect new methods of communicating speech or of peaceably assembling, nor is it unreasonable to apply the Fourth Amendment to protect Americans from warrantless searches and seizures of effects that are merely technological extensions of effects that did exist and were protected in the 18th c., especially where the proliferation of new technologies for exercising those rights would leave them effectively unprotected if not encompassed within the Bill of Rights.

And I'm not sure which "right to privacy" you're talking about--the Fourth Amendment right or the one seven lawyers found emanating from the penumbra in 1965. There is no disputing the right in the Fourth Amendment, while there is a great deal of dispute over the latter.
posted by resurrexit at 12:08 PM on August 20, 2013 [1 favorite]


We can safely assume it was not ever their intent for the 4th amendment to be practically useless due to changes in technology, I think.

I agree, but not on strict constructionist grounds. Sorry to keep beating this derailing horse (and this is my last piece of abuse), but it's really important not to conflate these current issues with unrelated legal debates or with any particular constitutional philosophy. The previous administration readily appointed "strict constructionists" to the courts while busily and eagerly setting up various constitution-shredding logical booby-traps (like Guantanamo and the rest of the extralegal secret detention system), so I'm just skeptical of any suggestion constitutional legal theories are somehow to blame.
posted by saulgoodman at 12:12 PM on August 20, 2013 [1 favorite]


How about the right to privacy enumerated here:
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
and here:
The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
posted by no relation at 12:13 PM on August 20, 2013 [2 favorites]


"Strict constructionism" -- aka originalism -- is something of a double game. It's a single enshrined interpretation that attempts to elevate itself as being anti-interpretation, despite its adherents having no better access to the original context than the rest of us alive today.

Unfortunately, it tends to come off a little better when it's used to attack the recognition of rights that aren't directly traceable to some text found in a particular clause (the "penumbral" rights); as opposed to when it's used to insist on a supposedly "original" meaning, which is a more obvious ploy.
posted by snuffleupagus at 12:14 PM on August 20, 2013 [2 favorites]


There are lots of interpretive alternatives.

No, I know that, but the original commenter I was responding to specifically held up strict constructionism as if it were the only alternative.

There is no disputing the right in the Fourth Amendment

Except that, as stated, it's a much more constrained set of rights than what we think of as "privacy" more generally. Specifically, it's more of a right to privacy at home, while we tend to have broader cultural expectations of privacy in practice. Anyway. This is definitely neither here nor there territory now.
posted by saulgoodman at 12:15 PM on August 20, 2013 [1 favorite]


feloniousmonk: "After all that's been told about this story and all that apparently remains to be told, don't you kind of wonder what all of these programs gathered about Barack, Michelle, and their family prior to his winning the election? "

Ever since ~1998/1999 I've sort of played with this idea, that they have the dirt on you and they sit you down in a room and tell you how it's going to be. I'm pretty sure I hadn't heard that Bill Hicks bit about the Kennedy Assassination (in fact, Kennedy never entered my mind). No - it was pure blackmail. Just a bunch of Security State Apparatchiks all giving an orientation with a very thinly veiled "capisce"?
posted by symbioid at 12:16 PM on August 20, 2013


One of the first "hilarious" sidenotes to all this was that the NSA wiretapped Obama during his Senate run.

That actually explains a lot. A thousand little J. Edgar Hoovers - play ball, Mr. President. We can't let you go soft on Communism Terrorism.
posted by Slap*Happy at 12:18 PM on August 20, 2013 [2 favorites]


Anyway. This is definitely neither here nor there territory now.

I'm not so sure about that. Eventually someone may need to furnish some legal fiction that will allow the Originalists a graceful way out, if we hope to see a better opinion out of the Supreme Court any time soon given how long the recent appointees will be around.

Something recognizing that it was the right to be secure in "papers" in the sense of the words that one put down onto a page that was protected by the Founders, and those words being an arrangement of ink molecules is extensible, in a purely textual, Originally compatible sense, to an arrangement of electrons on a magnetic platter, or traveling through a digital circuit. Or that those are "effects" in the original sense, part of the subclass of manifestations of one's intellectual property.
posted by snuffleupagus at 12:24 PM on August 20, 2013 [1 favorite]


I don't trust the courts to properly extend rights anymore though. That tends to result in perverse outcomes like corporate personhood. The courts seem quite willing and able to extend rights in bizarre, counter-intuitive ways that favor powerful interests, but less willing and able to extend them in commonsense ways that meaningfully protect individual rights (like protecting free speech in one's private life from de facto private abridgment by employers, for instance).
posted by saulgoodman at 12:37 PM on August 20, 2013 [2 favorites]


No - it was pure blackmail. Just a bunch of Security State Apparatchiks all giving an orientation with a very thinly veiled "capisce"?

It also makes me wonder about the musical chairs that's been going on with intelligence and defense leaders, a lot of whom were Bush appointees and probably were involved with or maybe even led the creation of these programs.
posted by feloniousmonk at 12:37 PM on August 20, 2013


I don't trust the courts to properly extend rights anymore though. That tends to result in perverse outcomes like corporate personhood. The courts seem quite willing and able to extend rights in bizarre, counter-intuitive ways that favor powerful interests, but less willing and able to extend them in commonsense ways that meaningfully protect individual rights (like protecting free speech in one's private life from de facto private abridgment by employers, for instance).

I agree. We are experiencing a new period of Lochnerian jurisprudence from the Court, and it's unclear how long it will last.
posted by snuffleupagus at 12:40 PM on August 20, 2013 [2 favorites]


I'm pretty sure in their glossary of terms, the definition of "Community Organizer" is a single word, nine letters, starts with "T".
posted by George_Spiggott at 12:44 PM on August 20, 2013 [1 favorite]


"Tarpaulin"?
posted by Holy Zarquon's Singing Fish at 12:49 PM on August 20, 2013 [7 favorites]


Wow, that took 4 minutes 30 seconds longer than I expected :)
posted by George_Spiggott at 12:49 PM on August 20, 2013


"Tasmanian"?
posted by snuffleupagus at 12:50 PM on August 20, 2013 [3 favorites]


There's absolutely no reason to do this. None.
posted by Ironmouth


None that you know of. For instance, maybe the site got an email saying "I'm stuck in a foreign airport, can you help me with extradition laws..."
posted by 445supermag at 12:54 PM on August 20, 2013 [3 favorites]


> There's absolutely no reason to do this. None.

How do you know this?

As you are no doubt aware, in today's legal climate, the NSA can wander into a place of business any time they feel like it and say, "We're installing a tap on your server. Oh, if you tell anyone about this, including your family or your boss, you can be liable for a long stretch in jail."

Wouldn't this be a good reason to do this? If you were searching for people likely to commit crimes, what better place than a site that discussed controversial legal cases - like Groklaw?

And, if this was why she shut down, how would we ever know?
posted by lupus_yonderboy at 1:14 PM on August 20, 2013 [9 favorites]


As you are no doubt aware, in today's legal climate, the NSA can wander into a place of business any time they feel like it and say, "We're installing a tap on your server. Oh, if you tell anyone about this, including your family or your boss, you can be liable for a long stretch in jail."

Wait. Which is it? A) The NSA reads everything and can access any email or phone conversation it wants--even low level workers for affiliated companies can randomly access even the President's conversations if they feel bored. B) The NSA needs to physically access your servers in order to gain access to the emails that are sent to you, and they will need to tell someone in your organization that they are doing this; but they will kinda be dicks about it.

Both these things can't be true, can they?
posted by yoink at 1:27 PM on August 20, 2013


If she shut down because she received an NSL, I think she could simply say something to the effect of: "I can't talk about my day therefore the site is going down."

Would this dead canary be enough to warn the miners? Would this be saying too much?
posted by honestcoyote at 1:31 PM on August 20, 2013 [1 favorite]


Both these things can't be true, can they?

They're not talking about an email server.
posted by unSane at 1:33 PM on August 20, 2013 [1 favorite]


"Turducken"?
posted by no relation at 1:33 PM on August 20, 2013 [5 favorites]


I read the Udall and Wyden statement that "this confirmation is just the tip of a larger iceberg" as saying that yes the NSA reads everything and uses considerable amounts illegally, yoink. Ain't likely they know if they've monitored all your communications even if they're trying though.
posted by jeffburdges at 1:36 PM on August 20, 2013



If she shut down because she received an NSL, I think she could simply say something to the effect of: "I can't talk about my day therefore the site is going down."

Would this dead canary be enough to warn the miners? Would this be saying too much?


Once she received the letter, not doing everything within her power to keep the site running, providing intelligence to the authorities and concealing this fact would be contempt. So, yes. And that counts cutesy tactics like removing a sign saying “THE NSA AREN'T TAPPING THIS SITE”.

The best time to shut down is before they commandeer you. Which means now.
posted by acb at 1:37 PM on August 20, 2013 [3 favorites]


jason_steakums: "One of the first "hilarious" sidenotes to all this was that the NSA wiretapped Obama during his Senate run.

Also that whole thing with Jack Ryan hiring someone to follow Obama with a video camera all day long when they were running against each other. Even if you somehow knew he was going to be president back then, you'd never guess the guy famously and publicly stalked by a camera against his will would become such a booster of this kind of thing."

Not being an apologist for complacency here, but there's a tremendous amount of path dependence going on in any large organization. Even if he has a hand on the rudder you have to think that the entire ship has been on a U-turn for many years after the Patriot Act. Second there's the fact that power is intoxicating... once you're in power the rationalizations of power are probably even more intoxicating. None of this is surprising at a personal level.
posted by stratastar at 1:44 PM on August 20, 2013


Giorgio Agamben "The State of Exception" pretty much sums up the current situation with regards to the rule of "law". It's a rather dry book, but is nonetheless illuminating.
posted by nikoniko at 1:44 PM on August 20, 2013 [1 favorite]


Wait. Which is it? A) The NSA reads everything and can access any email or phone conversation it wants--even low level workers for affiliated companies can randomly access even the President's conversations if they feel bored. B) The NSA needs to physically access your servers in order to gain access to the emails that are sent to you, and they will need to tell someone in your organization that they are doing this; but they will kinda be dicks about it.

Both these things can't be true, can they?


Yes, they can. They have the abilities they do because they have already requested the access they need. When they don't have it, like in the case of Lavabit, they ask for it.
posted by Drinky Die at 1:45 PM on August 20, 2013 [1 favorite]


Ain't contempt until a judge says so, acb, even with NSLs. It's risky but, so long as arresting you might further expose classified information, they'd likely avoid doing so. You should obviously relocate outside the U.S. now though, obviously.
posted by jeffburdges at 1:46 PM on August 20, 2013 [1 favorite]


Wait. Which is it? A) The NSA reads everything and can access any email or phone conversation it wants--even low level workers for affiliated companies can randomly access even the President's conversations if they feel bored. B) The NSA needs to physically access your servers in order to gain access to the emails that are sent to you, and they will need to tell someone in your organization that they are doing this; but they will kinda be dicks about it.

Both these things can't be true, can they?

Say, what?!??! How, exactly, do you think that the NSA "reads everything" other than having a large number of taps in various private companies?

Without B, they cannot have A.

If I connect to your server using secure encryption, then (at least in theory), even if the NSA can see every bit that we exchange, they don't have a good way to decrypt the traffic. They need taps to the server that occur after the encryption.

It's certainly possible that the NSA has the ability to get past https - spoofing or man-in-the-middle attacks seem the best candidate - but actually deciphering every https transaction everywhere is far beyond even the NSA's capabilities. Putting a thousand taps in a thousand key places is much better for them than putting a million taps absolutely everywhere.

> but they will kinda be dicks about it.

Threatening a long jail term is not well-described by "kinda being a dick".
posted by lupus_yonderboy at 1:48 PM on August 20, 2013 [2 favorites]


Ain't contempt until a judge says so, acb, even with NSLs. It's risky but, so long as arresting you might further expose classified information, they'd likely avoid doing so. You should obviously relocate outside the U.S. now though, obviously.

Though not to Britain. Or Canada.
posted by acb at 2:07 PM on August 20, 2013 [1 favorite]


I read the Udall and Wyden statement that "this confirmation is just the tip of a larger iceberg" as saying that yes the NSA reads everything and uses considerable amounts illegally, yoink.

Oh for God's sake. Does nobody actually read the details of these things? Do you all just read the headlines and leave it at that? The VAST majority of the "compliance violations" revealed in that recent Snowden leak were utterly undramatic and technical. They weren't "ha ha, let me curl my mustache a little more while I snoop around on whoever the hell looks interesting to me." And if you're thinking "ah ha, well they would say that wouldn't they!" then do please remember that this is not what they said in responding to the leak; it's what they said in the internal documents that were leaked. And they were mad about it and trying to fix it. In other words, one of the truly amazing things the Snowden leaks have revealed is that the NSA actually cares a damn about privacy regulations and works to ensure that they are followed. It's fair to say that "the regulations should be more strict" or to say "they need to work harder still" or what have you, but you are getting into a pretty whacky place where you need to believe either that Snowden is a dupe that the NSA deliberately set up with false information in order (in a bizarrely misguided scheme that has badly blown up in their faces) to make themselves look good to a public that was deeply suspicious about them OR that Snowden was part of a "fake NSA" which actually cares about all this stuff while the "real NSA" works behind the scenes laughingly disregarding privacy rules and the FISA court OR that Snowden himself is deliberately running a disinformation campaign.
posted by yoink at 2:18 PM on August 20, 2013


Say, what?!??! How, exactly, do you think that the NSA "reads everything" other than having a large number of taps in various private companies?

That makes precisely zero sense. You're saying they're an all-seeing, all-knowing super agency that can read every email sent in the entire world AND that the only way they can achieve this is by installing their software directly on the servers maintained by piddling little backwaters of the internet like Groklaw? In that case, in order to maintain their omniscience they would have had to send their agents to pretty much every single internet site in the entire country. About a quarter of the entire federal workforce would have to be employed by the NSA just to handle the paperwork of so many individual contacts.

That the NSA approaches sites like Facebook, Google, Yahoo etc or the ISPs, sure; that makes perfect sense. But it's just bizarre to suggest that they're going around one-by-one knocking on the doors of bloggers all over the nation and telling them they want to install taps on their servers "just in case somebody says something bad"--and then telling them they're "not allowed to tell anyone about it." It would be the least secret, clumsiest and goofiest operation imaginable.
posted by yoink at 2:25 PM on August 20, 2013


The NSA lies. They lie under oath to Congress to hide the scope of the snooping. They are willing to lie to Congress to pump their budget. If Senators who don't have a history of intentional public deception about these issues tell us that under the thousands of cases of abuse already revealed there is a tremendous iceberg of further serious violation I am inclined to believe them that the matter is troubling.

A veteran intelligence official with decades of experience at various agencies identified to me what he sees as the real problem with the current NSA: “It’s increasingly become a culture of arrogance. They tell Congress what they want to tell them. Mike Rogers and Dianne Feinstein at the Intelligence Committees don’t know what they don’t know about the programs.” He himself was asked to skew the data an intelligence agency submitted to Congress, in an effort to get a bigger piece of the intelligence budget.
posted by Drinky Die at 2:30 PM on August 20, 2013 [7 favorites]


Some people won't be happy until we have a full blown martial law police state.
posted by AElfwine Evenstar at 2:30 PM on August 20, 2013 [5 favorites]


That makes precisely zero sense. You're saying they're an all-seeing, all-knowing super agency that can read every email sent in the entire world AND that they only way they can achieve this is by installing their software directly on the servers maintained by piddling little backwaters of the internet like Groklaw?

yoink, the original statement you were discussing does not suggest they would have to, only that they could. What that means is that even getting off the public servers won't be a long term solution because the government may decide to take the Lavabit route and order you to install the monitoring software rather than simply respond to requests.

As you are no doubt aware, in today's legal climate, the NSA can wander into a place of business any time they feel like it and say, "We're installing a tap on your server. Oh, if you tell anyone about this, including your family or your boss, you can be liable for a long stretch in jail."
posted by Drinky Die at 2:34 PM on August 20, 2013


They weren't "ha ha, let me curl my mustache a little more while I snoop around on whoever the hell looks interesting to me."

Actually, that's pretty much it (plus or minus a mustache.)
posted by ChurchHatesTucker at 2:37 PM on August 20, 2013 [1 favorite]


yoink, the original statement you were discussing does not suggest they would have to, only that they could.

The original statement I was discussing floated this as a reason for GrokLaw shutting down. I.e., that it would make sense for GrokLaw to shut down out of fear that the NSA might show up and say "we want to install a tap on your server." That seems to me--for the reasons I have given--to make absolutely no sense whatsoever in relationship to her stated reasons for closing or to the many insistent assertions in this thread that the NSA is already reading all of the internet traffic everywhere.

The NSA lies.


No doubt. But in this case you have to believe either that they are lying to themselves OR that they are using Snowden to lie to you OR that Snowden himself is lying. Which of those options do you go for?

Again, the documents Snowden released; in other words, the internal NSA documents are documents detailing the "compliance violations," describing their (in the vast majority of cases risibly minor) extent AND clearly designed to highlight these as a problem that needs to be fixed. I'm not talking about anything anyone involved with the NSA has said in the wake of the release of this document, I'm talking about what is contained within the document itself. Now, is the NSA simply amusing itself by lying to itself about its own practices for no apparent reason or is it using Snowden, wittingly or unwittingly, to get a flattering version of its activities out to the public?
posted by yoink at 2:46 PM on August 20, 2013


The original statement I was discussing floated this as a reason for GrokLaw shutting down. I.e., that it would make sense for GrokLaw to shut down out of fear that the NSA might show up and say "we want to install a tap on your server." That seems to me--for the reasons I have given--to make absolutely no sense whatsoever in relationship to her stated reasons for closing or to the many insistent assertions in this thread that the NSA is already reading all of the internet traffic everywhere.

They would have to install directly because presumably Groklaw would be, like Lavabit, attempting to conceal the contents of their server with encryption. That doesn't mean the encrypted files aren't visible to the NSA when they go over the public network, just that they can't be read.

No doubt. But in this case you have to believe either that they are lying to themselves OR that they are using Snowden to lie to you OR that Snowden himself is lying. Which of those options do you go for?

It's entirely possible that they are lying to themselves. Lying to Congress is already, in the bigger picture, the government lying to itself. There are many reasons it can happen within institutions.
posted by Drinky Die at 2:55 PM on August 20, 2013


The issue of whether the NSA needs or can sustain individual access to random servers is a red herring. They have taps on ISP trunk lines. There is nothing on a blog server that they don't already have. If they are going after specific servers, it's because they contain secrets they want access to. This means encrypted data like Lavabit. They eavesdrop on everything transmitted in the clear and seek back door access to anything which isn't transmitted in the clear which attracts their interest.

The fact of the matter is that the NSA doesn't need to exert any special effort whatsoever to monitor everything that's been going on on the Groklaw site. They have access to the same stream of data as Groklaw's own analytics. They could reconstruct individual users' browser sessions. They know everything that Groklaw knows about their visitors and commenters. If Facebook and Google can create shadow profiles for people who have not created accounts by combining information from other users with browsing behavior across multiple sites correlated by the unique information contained in the browser user agent, or merely within cookies, you can bet that the NSA can do it too, and they have more data to correlate. This means they can infer a pretty decent amount of information about who those people are in real life.

Your Citizen Profile is probably more accurate as a consequence, but the NSA does wonder why you stopped visiting CNN in favor of Al Jazeera...
posted by feloniousmonk at 2:56 PM on August 20, 2013 [3 favorites]


Having source code is not enough, because of the famous Ken Thompson hack, where secret code is attached inside a compiler, then removed from the compiler's source, and then this secret code perpetuates itself, invisibly, forever.

Where by "forever" you mean "until that source is re-bootstrapped by a non-compromised compiler", i.e. "until the next pass through one of many regression test suites all over the world". You're not literally suggesting that maybe every compiler in existence has been independently corrupted in this way and nobody has found out, right? Even CPUs get reverse-engineered, and I suspect the corporate spies looking for engineering tricks would be satisfied to report "we can prove our foreign competitors can't be trusted with your data" instead.

So then, perhaps we can give some credit to the people who make privacy tools available? Even if we both admit that it would be better if the voters simply wake up en masse and tell every constitution-violating totalitarian to go find a new job? Technological fixes which won't stop working until every single computer system in the world has been compromised may be a decent stop gap while we wait for political fixes which won't start working until sociological problems as old as human history have been solved.
posted by roystgnr at 3:33 PM on August 20, 2013


I am actually building a feature right now which seems like a really dirty trick. In our context, it isn't, since it's business related, but this is just to give you an idea of some of the things which are possible.

We have a web form used by employees of a certain type of business as they carry out their daily tasks. Sometimes these employees aren't great at filling it out correctly or they manage to fill it out and then reset it, or at least claim to reset it, etc. After thinking about it, I realized that there was no reason to actually wait until they click "Save" to save their data, so we started saving it in real time, as they type it in. The end result of this is, in Metafilter terms, the ability to read the comments written by users who never actually posted them. There was a minimal engineering challenge involved in this feature. This is pretty innocuous by itself, but it serves as a reminder that a lot of assumptions that you make about how the technology you interact with actually works may be obsolete or otherwise flawed.

A quick hypothetical: one day, the app really catches the attention of the NSA. Maybe they think one of the employees is a member of a terror cell and is using this form to communicate with other cell members. Here's where it gets kind of interesting.

Because of their access to the ISP-level traffic, without our knowledge, they can take all of the traffic between our user interface and the server and build their own application which knows how to interpret each request/reply pair into entries in some centralized data warehouse. (You can think of PRISM as a tool which exists to automate this process by offloading the task of building the data extraction routine from the NSA to the owners of the systems being spied on.)

Now take this capability to intercept the raw traffic generated by a website and interpret it into data and imagine that it's had years to mature and can be applied to any website on the internet. This is where we are today.

In reality, we take steps to secure our traffic, so it wouldn't be quite that easy, but only a small percentage of the web uses HTTPS and the major providers notable for pervasive use participate in PRISM, so if they can't get the data by reconstruction they can get it at the source. Even a secured connection doesn't come with certitude due to the relationship between the root certificate authorities and the government.
posted by feloniousmonk at 3:35 PM on August 20, 2013 [2 favorites]


I'd avoid deploying features like that in countries with strong privacy protections, like Germany. Very small risk they'd try to prosecute you over storing someone's accidental personal cut & paste.
posted by jeffburdges at 3:54 PM on August 20, 2013


The nature of the form really precludes any personal information being entered and it runs on their work tablets, but if it were for general consumption EU privacy regs would certainly be something to consider.

You can see in this simple discussion the beginnings of the balkanization of the web. Right now divisions are along language and sometimes cultural lines, but this is adding an additional level of legal differentiation. It's relatively minor for now, but it's not hard to imagine the next steps being more involved than a simple opt in/out for cookies. There is a tremendous amount of economic risk on this road as anything which risks upsetting the technology industry in the US risks upsetting the whole economy as a consequence.
posted by feloniousmonk at 4:03 PM on August 20, 2013 [3 favorites]


Just to point out something that should be obvious:

There's an entire field of cryptanalysis out there in signals intelligence that doesn't require access to the actual content of messages. Just the ability to record who is sending how much to whom is often enough to identify and crack the weak parts of a network of relationships.

So when they say, "we're archiving messages for future decryption," what I hear is, "we're modeling the networks of who's using encryption."
posted by CBrachyrhynchos at 4:14 PM on August 20, 2013 [7 favorites]


Having source code is not enough, because of the famous Ken Thompson hack, where secret code is attached inside a compiler

Llama-lime, both GCC and LLVM/clang, compilers used for building iOS apps and static library components, are open-sourced projects and their code is available for review (as is the code for the aforementioned OpenSSL and CommonCrypto APIs that would most likely be used for encryption of a SQLite, XML or other CoreData-fronted database in an iOS app). You could download Xcode, for instance, and compare signatures of compiler components with what's already available for download separately.

I'm not saying you're wrong, or that corruption of the build process and resulting libraries is impossible by the NSA directly without or with Apple's cooperation, but that many of these steps and components are verifiable with forensic tools and that it would perhaps be a significant effort to corrupt multiple pieces along the way without such a conspiracy being revealed — technically more significant than tracking email, which has many more and weaker points of failure by simple virtue of how data is transferred along the public Internet.

A lot of these tools, as it happens, are also used by the folks who run jailbreaking efforts and I'm certain it would be a major finding if they were to discover discrepancies along these lines — you'd hear about that kind of weirdness well before the latest crack gets announced for iOS 7 or whatever. If it hasn't been discovered yet, either the NSA is really good at hiding their work or it is perhaps likely that any eavesdropping takes place through other means.
posted by Blazecock Pileon at 4:31 PM on August 20, 2013
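
The re-bootstrapping check roystgnr describes and the signature comparison Blazecock Pileon suggests combine into what David A. Wheeler called diverse double-compiling. The toy model below is an added example, not code from the thread or from any compiler project; "compiler A", "compiler T", the login program and the `Binary` record are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


# Constructed toy model, not a real toolchain. A "binary" records the source it
# implements, whose code generator emitted it, and any payload that appears in
# no source file at all.
@dataclass(frozen=True)
class Binary:
    implements: str
    codegen: str
    hidden: tuple = ()


# Hypothetical names for the example.
COMPILER_A_SRC = "compiler A, audited source"      # compiler under test
COMPILER_T_SRC = "compiler T, independent source"  # separately built second compiler
LOGIN_SRC = "login, audited source"
SELF_COPY = "re-insert this payload when compiling compiler A"
BACKDOOR = "accept an extra password"


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Run a compiler binary on a source text and return the output binary."""
    hidden = ()
    # Behaviour comes from the binary that runs, not from the audited source,
    # which is why reading the source alone cannot rule the payload out.
    if SELF_COPY in compiler.hidden:
        if source == COMPILER_A_SRC:
            hidden = (SELF_COPY,)   # payload survives a rebuild from clean source
        elif source == LOGIN_SRC:
            hidden = (BACKDOOR,)
    emitter = compiler.implements.split(",")[0]
    return Binary(implements=source, codegen=emitter, hidden=hidden)


def digest(binary: Binary) -> str:
    """Stand-in for hashing the bytes of a build output."""
    return hashlib.sha256(repr(binary).encode()).hexdigest()


def ddc_check(vendor_binary: Binary, trusted_compiler: Binary):
    """Rebuild compiler A through an independent compiler and compare digests.

    stage1 behaves like compiler A but was emitted by the trusted compiler;
    stage2 is compiler A's source compiled by stage1, so it should match a
    vendor binary that really is the deterministic build of that source.
    """
    stage1 = run_compiler(trusted_compiler, COMPILER_A_SRC)
    stage2 = run_compiler(stage1, COMPILER_A_SRC)
    return digest(stage2) == digest(vendor_binary), stage2


CLEAN = Binary(COMPILER_A_SRC, "compiler A")
TROJANED = Binary(COMPILER_A_SRC, "compiler A", (SELF_COPY,))
TRUSTED = Binary(COMPILER_T_SRC, "compiler T")

if __name__ == "__main__":
    # Rebuilding the compromised compiler with itself changes nothing.
    print("self-rebuild identical:", run_compiler(TROJANED, COMPILER_A_SRC) == TROJANED)
    for label, vendor in (("clean", CLEAN), ("trojaned", TROJANED)):
        ok, rebuilt = ddc_check(vendor, TRUSTED)
        login = run_compiler(rebuilt, LOGIN_SRC)
        print(f"{label}: digests match={ok}, rebuilt login hidden={login.hidden}")
```

The check depends on the build being deterministic and on the second compiler not carrying the same payload; it does not require the second compiler to be bug-free or fast.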


If it hasn't been discovered yet, either the NSA is really good at hiding their work or it is perhaps likely that any eavesdropping takes place through other means.

I think a more probable scenario is what we saw with Flame. A three-fold punch of:

1. A convenient Microsoft MD5 signature.
2. Cutting-edge research into the mathematics of the exploit to widen the crack just enough for...
3. A previously unknown supercomputer cluster devoted to producing the needed collision.

The paranoid takeaway is that someone out there has both the expertise and the hardware to turn marginal theoretical exploits into practical ones.
posted by CBrachyrhynchos at 4:53 PM on August 20, 2013 [2 favorites]


The paranoid takeaway is that someone out there has both the expertise and the hardware to turn marginal theoretical exploits into practical ones.

Forbes: How A 'Deviant' Philosopher Built Palantir, A CIA-Funded Data-Mining Juggernaut
posted by Brian B. at 5:11 PM on August 20, 2013 [1 favorite]


Not being an apologist for complacency here, but there's a tremendous amount of path dependence going on in any large organization. Even if he has a hand on the rudder you have to think that the entire ship has been on a U-turn for many years after the Patriot Act. Second there's the fact that power is intoxicating... once you're in power the rationalizations of power are probably even more intoxicating. None of this is surprising at a personal level.

Or they have something on him.
posted by srboisvert at 5:42 PM on August 20, 2013


I'd expect several powerful spooks "have something on him", but just for their own ego trips. Way too risky using blackmail! What if he records the conversation and has secret service arrest you on the spot? Keith Alexander lacks the spin. John Brennan maybe theoretically, but he'd find another way.

Any president has become such an expert in campaigning even reaching even his proceeding office that interpersonal skills rule everything. Just sell your illegal activities using Hollywood terrorist scenarios.
posted by jeffburdges at 5:54 PM on August 20, 2013


No doubt. But in this case you have to believe either that they are lying to themselves OR that they are using Snowden to lie to you OR that Snowden himself is lying. Which of those options do you go for?

It's entirely possible that they are lying to themselves. Lying to Congress is already, in the bigger picture, the government lying to itself. There are many reasons it can happen within institutions.


There is also the possibility of unknown unknowns about potential abuses.

NBC: NSA had poor data compartmentalization, said the sources, allowing Snowden, who was a system administrator, to roam freely across wide areas. By using a “thin client” computer he remotely accessed the NSA data from his base in Hawaii.

One U.S. intelligence official said government officials “are overwhelmed” trying to account for what Snowden took. Another said that the NSA has a poor audit capability, which is frustrating efforts to complete a damage assessment.

posted by Drinky Die at 6:14 PM on August 20, 2013






I wondered about Obama from the start, when he declined to prosecute officials complicit in torture. Hell, he retained them and even promoted them. There's also the whole War on Terror business, and the poorly-scrutinised wars that the USA is conducting all over the world. Oh, and the War on Drugs, with his prosecutors going after people guilty of doing nothing worse than Obama himself did as a kid. None of this, none of this seems consistent with his public persona as a Senator or when running for President. You know how people made jokes about George Bush being stupid and all the decisions being made by Dick Cheney? Well, Obama's not stupid, but the nature of the decisions has remained the same.
posted by Joe in Australia at 7:04 PM on August 20, 2013 [2 favorites]


A major surveillance subcontractor for the NSA has been tracking me regularly (every two weeks or so) for going on two years now through every client site I build, and, as far as I've seen from logs I have access to, other sites I log in to. My name is not associated with a majority of these sites, and I don't link to them from any personal site. I've even used private domain registrations.

I am nobody. Most of the sites I build are small portfolios for artists and writers. Regardless, I've somehow been flagged as a person of interest based on, I guess, my past activist and protest activity.

Unless the subcontractor is hacking databases of these sites, the only thing I can figure is that they've been furnished with my IP. They're spidering everything I have admin access to.

If this is happening to *me*, it's obviously happening to thousands and thousands (and thousands) of other U.S. citizens who've done nothing wrong except have political or ideological beliefs that our current government agencies don't like.

Encryption, for me, isn't going to solve this problem, it'll only flag me as someone to look even more closely at. I worry about contract projects I'm currently involved with, and I worry about whether to disclose the fact I'm being tracked to people who I partner with on these projects. I worry about my clients' privacy being compromised because I'm being tracked.

You better believe there's a chilling effect. And part of me thinks that's actually the intended result, and the reason they aren't masking their footprints very carefully.
posted by stagewhisper at 7:26 PM on August 20, 2013 [20 favorites]


ham radio and one-time pads?
posted by ergomatic at 8:06 PM on August 20, 2013 [1 favorite]


On the subject of the NSA, I today received a response to a FOIA request I filed a while back on my old cell number.

The response?

Basically that they can neither confirm nor deny that they have information about me.

Lovely.
posted by Samizdata at 8:23 PM on August 20, 2013


Oh, and...

.
posted by Samizdata at 8:27 PM on August 20, 2013


You better believe there's a chilling effect. And part of me thinks that's actually the intended result, and the reason they aren't masking their footprints very carefully.
posted by stagewhisper at 7:26 PM


Eponytragical?
posted by snuffleupagus at 8:50 PM on August 20, 2013


Chilling effect
"Even more importantly, we should take action and let the government know that NSA snooping hurts academic research. Ideally, I’d like to see an official statement from the AAA. Privacy isn’t just about protecting ourselves, it is about protecting the people we work with as well."
posted by unliteral at 9:20 PM on August 20, 2013 [1 favorite]


yoink: "Again, the documents Snowden released; in other words, the internal NSA documents are documents detailing the "compliance violations," describing their (in the vast majority of cases risibly minor) extent AND clearly designed to highlight these as a problem that needs to be fixed."

And among all that was buried the revelation that they don't believe that snarfing a US person's data (and processing it) is against the law until such time as they query their database in respect to that person. This is not the attitude of an agency committed to following the law, or even what little we know of their own regulations. I honestly don't see how you can argue with a straight face for giving them the benefit of the doubt.

One thing I think isn't helping in this conversation is that people are conflating all of the nefarious spying activities going on by various parts of our government. GrokLaw would be more likely to receive an NSL from the FBI or other law enforcement agency, who do not have the results of NSA's massive dragnet at their disposal. And the problem expressed with keeping GrokLaw running was not that an NSL might be issued for some data stored on the site's server, but that the site largely depends on people feeling free to communicate sensitive information without fear of being snooped on.

All the talk about GrokLaw not being likely to be subject to an NSL is completely irrelevant.
posted by wierdo at 10:14 PM on August 20, 2013 [2 favorites]


Yoink wrote: the internal NSA documents are documents detailing the "compliance violations," describing their (in the vast majority of cases risibly minor) extent AND clearly designed to highlight these as a problem that needs to be fixed.

Conor Friedersdorf has an excellent article explaining why the raw number of "compliance violations" is basically useless: The Wrong Way to Figure Out If the NSA Is Abusing Its Power

But I'd add two things to his analysis. Firstly, the NSA has admitted that its audits are incomplete and ineffective. Secondly, the NSA can probably record your communications entirely legally, even if you're a US person, by using its three-hop policy. This policy effectively connects most people via relatively-small groups of well-connected people who share an interest or an employer, and who communicate via a mailing list.

I don't know if you've ever emailed a US Senator, say, or someone who works for a newspaper? If you have, you're probably three hops away from anyone who has communicated with any other Senator or any other person at that newspaper. The same goes for other well-connected networks: if you are connected to a college (one hop) then you're connected to all academics at that college (two hops) and then to most academics in the entire world. If the NSA is investigating any one of those people then it can investigate you, too, without it counting as a violation of their policy - a policy that would have been secret if not for Edward Snowden, by the way. I think it's fair to say that an NSA employee would have little difficulty justifying a mistaken audit, if he or she had to do so.
posted by Joe in Australia at 11:48 PM on August 20, 2013 [1 favorite]
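
The three-hop reach described in the comment above, as an added example that is not part of the thread: a breadth-first search over a constructed contact graph, showing how one shared staff mailing list multiplies the set of people within three hops of a single seed. The graph, the party names and the function names are all assumptions made for illustration.

```python
from collections import deque
from itertools import combinations


def build_graph(edges):
    """Undirected contact graph: an edge means two parties have communicated."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def within_hops(graph, seed, max_hops=3):
    """Breadth-first search: {party: hop count} for everything <= max_hops from seed."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the hop limit
        for peer in graph.get(node, ()):
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    return dist


def sample_contacts(staff_list=True):
    """Constructed data: one seed, five reporters, twenty readers per reporter."""
    reporters = [f"reporter{i}" for i in range(5)]
    edges = [("seed", "reporter0")]
    for r in reporters:
        edges += [(r, f"{r}-reader{j}") for j in range(20)]
    if staff_list:
        # A shared mailing list puts every pair of reporters in contact.
        edges += list(combinations(reporters, 2))
    return build_graph(edges)


def hop_counts(graph, seed="seed", max_hops=3):
    """Number of parties first reached at each hop."""
    counts = {}
    for party, hops in within_hops(graph, seed, max_hops).items():
        if hops:
            counts[hops] = counts.get(hops, 0) + 1
    return counts


if __name__ == "__main__":
    print("with staff list:   ", hop_counts(sample_contacts(True)))
    print("without staff list:", hop_counts(sample_contacts(False)))
```

In this constructed graph the seed only ever wrote to one reporter, yet the staff list alone brings the readers of the other four reporters inside the three-hop boundary.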


About Obama's excessive habit of accessing extra stuff and trampling the sacred Constitution. Here to stay?--or, Just a Fad?

Executive orders drive the government. See B43 for one example of how the CIC gets his way without having to say he's sorry. The executive branch accretes power. See The Patriot Act for one example of how that works--Congressional complicity (maybe the abdication of congressional responsibility) driven by who knows what theory of government. That's been happening since the founders signed off on the original document. You can google yourself into apoplexy by reviewing the big sticks accrued over the decades by inventive presidents and their legal advisors. They come up with new stuff all the time. The current fad seems to be "It's easier to apologize than get permission, and anyhow, it's done; so there."

Does anyone here actually believe a sitting president will do anything to diminish the power and authority his office has inherited?

Our--America's--global hegemony is waning. This is where the dog starts to chew off its own feet. I suppose hiding in Iceland works--being able to send private notes to your associates is a goal worth pursuing. You can email your relatives back home and see how things are working out, regarding the other excesses of the machine. Watch out for the drones, though.
posted by mule98J at 11:56 PM on August 20, 2013


Here to stay?--or, Just a Fad?

Here to stay.
posted by AElfwine Evenstar at 12:09 AM on August 21, 2013 [2 favorites]


Our--America's--global hegemony is waning. This is where the dog starts to chew off its own feet. I suppose hiding in Iceland works--being able to send private notes to your associates is a goal worth pursuing. You can email your relatives back home and see how things are working out, regarding the other excesses of the machine. Watch out for the drones, though.

Or if Iceland ever falls from being on the periphery of the American hegemony to being closer to the centre of, say, a Russian or Chinese one, it'll become a lot less hospitable to dissidents.
posted by acb at 2:14 AM on August 21, 2013


ham radio and one-time pads?

No encryption allowed on ham.
posted by jaduncan at 7:13 AM on August 21, 2013


Aww, but I want to make a creepy numbers station.
posted by Drinky Die at 7:35 AM on August 21, 2013 [1 favorite]


Some people won't be happy until we have a full blown martial law police state.

Who are these people? I want NAMES.
posted by gern at 9:31 AM on August 21, 2013


Who are these people? I want NAMES.

Funny, that's exactly what they said.
posted by jaduncan at 10:24 AM on August 21, 2013 [2 favorites]


Who are these people?

The people who make excuses and apologetics for the presence of totalitarian characteristics and practices currently being codified in our democratic institutions.
posted by AElfwine Evenstar at 10:44 AM on August 21, 2013 [3 favorites]


email is not secure for the purposes of attorney-client confidentiality

I don't think this will happen, because the type of monitoring that's going on could be argued to not impinge on attorney-client confidentiality since it's by definition extralegal. I've seen nothing to suggest that the communications between an attorney and client, if monitored by the NSA, would be admissible in court. So that puts it into the same realm as most other methods of communication: it's not that they can't be monitored -- the police could bug the room where an attorney is meeting with a client fairly easily, if they wanted -- but that the resulting information would be inadmissible and might taint a hypothetical case. It's that, rather than technical limitations, which stay the hand of the state. And it's why I personally think that the rules concerning what can be done with information obtained by snooping are much more important than the snooping itself. You simply can't trust the government not to snoop, given that they have the capability; the question is what they're allowed (e.g. by the judiciary) to do with that information.

Although I have huge amounts of respect for PJ, I'm ... surprised at her surprise. Email has never been secure, from its inception.

Somewhere along the line, people started treating email as a secure channel. This was, in retrospect, an error. It was especially an error in that it slowed the adoption of email that might actually be secure (encrypted email), by virtue of having casual users convinced that it was "secure enough". But it was always protected mostly by the professionalism of the system administrators who ran the mailservers through which your messages traveled, and any number of other networking administrators and telecom people who could easily intercept data but don't. (And, particularly in the early years of the Internet, probably could have done so with relative impunity, since the monitoring systems that exist today to keep tabs on privileged users didn't really exist.)
posted by Kadin2048 at 11:34 AM on August 21, 2013 [2 favorites]


I've seen nothing to suggest that the communications between an attorney and client, if monitored by the NSA, would be admissible in court.

Well, obviously not if they said "hey, we were reading opposing counsel's e-mails and we found this incriminating evidence." But they could just use parallel construction and claim an anonymous informant sent them a tip, and nobody has to deal with that pesky fourth amendment.
posted by Holy Zarquon's Singing Fish at 11:50 AM on August 21, 2013 [6 favorites]


Oh HAI BoingBoing. Yes, that's them.
posted by stagewhisper at 12:47 PM on August 21, 2013 [1 favorite]


Whether you think they're necessary or not, there's no doubt these capabilities and programs have the side-effect of calling into question the integrity of our entire legal process and 4th Amendment protections, due to the ever-present possibility of the kinds of practices (so-called parallel construction) that the link in HZSF's comment describes.

At this point, I don't think there's a single unique feature of the original American form of constitutional republic left intact--separation of church and state is effectively gone with the adoption of faith-based program initiatives and various developments in state law; Freedom of Assembly is no longer an iron-clad right having been defined down gradually by the courts over so many years it doesn't really provide any practical right to assemble in its original sense; the General Welfare clause is for all purposes a dead issue; Free Speech no longer protects us from being punished by our employers for expressing political convictions in our personal lives, but it usually shields those same employers from being charged with fraud for misrepresentations in political or other advertising; the 4th Amendment no longer offers any meaningful legal protection due to parallel construction and online surveillance; our universal public education system is increasingly neither public nor universal; voting rights suppression is ongoing and the Supreme Court has declared it not a problem; and since we don't care much for Natural Rights based theories of law anymore, we now detain innocent people in secret prisons in extralegal jurisdictions forever where we can pretend those people don't enjoy any "inalienable rights," etc., etc.

Any constitutional scholars out there who can explain what, if anything, remains intact of the unique systemic features that originally set the US's form of constitutional republic apart from its historical predecessors? Anything left?

Whatever unique characteristics may have made our system of government and our political process unique enough to justify viewing ourselves as exceptional are no longer still features of our system, as far as I can tell. And we've spent at least the last 30 years reaching this point.
posted by saulgoodman at 1:54 PM on August 21, 2013 [8 favorites]


Kadin2048: "Email has never been secure, from its inception."

Neither have telephones, but at one time, they weren't monitored routinely. It's not just about admissibility, when it comes to attorney client privilege, in my view. Not that I'm an attorney, but how can you have a fair adversarial trial if the prosecution knows the defense's strategy?
posted by wierdo at 2:40 PM on August 21, 2013 [3 favorites]


If we are talking in context of potential terrorism accusations a hypothetical American client might not be worried about admissibility in court as much as a bomb being dropped on their head with no court happening at all.
posted by Drinky Die at 2:41 PM on August 21, 2013


I understand the E-mail service shutting down as an incorrect response to a court order, but this lady has not been served with anything at all. She just up and did it for no reason whatsoever.

But here's the thing: we can never know that. Maybe you can, by virtue of your job. But the vast majority of us here will never know that.

National Security Letters forbid the recipient from telling the world what happened. Maybe PJ got one. Maybe she was afraid of getting one.

Things have reasons. Things will always have reasons. Understanding reasons allows us to understand the world and make it a better place.

What we have right now is a great big legal apparatus acting as a Berlin Wall between reason and understanding.
posted by compartment at 10:25 AM on August 22, 2013 [4 favorites]




Four ways the Guardian could have protected Snowden – by THE NSA
.. 1. Encryption .. 2. Use clean machines .. 3. How to shift the data securely .. 4. Using hidden services ..

Section three omits using ssss shards when communicating keys, but that's probably fine if your GnuPG keysize is big enough.
posted by jeffburdges at 7:03 AM on August 24, 2013


National Security Letter? More like Lettre de cachet.
posted by dis_integration at 7:31 AM on August 25, 2013 [1 favorite]


Heh. Report: Snowden stayed at Russian consulate while in Hong Kong

If the USAn government knew about this at the time they'd probably have said something, right? So all the NSA's surveillance, the bugging of embassies, tapping of phones, goodness knows what else ... none of this was able to track a former government employee walking around in the streets of a friendly city.
posted by Joe in Australia at 6:28 AM on August 27, 2013







