It is time for software companies to unite. Feds can't just continue roaming around, asking companies for their users' password hashes and other things.
In the current state, some big companies have the means to fight such requests, some big companies are very willing to cooperate, and small companies rarely have the means to go into a legal battle.
Because of the current fragmentation and secrecy surrounding feds' requests with software companies, users do not have the possibility of knowing what they're in for with which company. Also, the divide and conquer tactics used by the Feds really allow them to extract much more information than what would otherwise be the case. Ideally there should be a union for software companies, which makes agreements with the feds concerning their access rights; agreements which then apply to all members of the union.
Currently I have two rules of thumb: 1) for critical services, avoid companies located or significantly involved in the US or UK and 2) at all costs, stay away from Microsoft.
This is more apt advice. At Hacker News we are swimming in a sea of start-ups, who are constantly evangelising the 'cloud' (it's often their bread and butter). But if you genuinely want privacy then keep it local and locked down. Stick to mainstream open source products and keep things as simple as possible.
I've been saying the same thing for a while. Many companies need to form some sort of alliance against government censorship and surveillance, not just in US, but globally. One company alone, even one as big as Google, can't stand up to a government like the Chinese one. 100 big American companies that are vital for their economy, might be able to do it.
Ditto. I'm of the notion that the government can't put the entire company in jail. Could you imagine if Google, Microsoft, and Yahoo were effectively put out of business for these decisions? The repercussions would be devastating. Even placing a lot of key officials from these companies in jail would have lasting effects.
To me this is the prime definition of "too big to fail". It would only require a small percentage of these companies uniting "for the greater good" to produce meaningful results. Not cowing to the NSA is not treason in this instance so I can't even possibly understand why complying with "laws that aren't on any books so are they really laws?" has any positive merit.
Yes, but they won't do it until it hurts their bottom line. If I owned a European cloud business of any kind I would be heavily advertising to the US market right now. When customers start leaving major US internet companies because they no longer feel that they adequately protect their data and privacy, things will change.
Well that sounds great if the large companies fight the good fight. If they don't, you have a very large, unaccountable companies, able to fight the governments to get [lower taxes/lower wages/monopolies]
Do we think that services like Mint are handing over all our financial data to the government (making it easy for them to have a picture of your entire finances)?
If so, are there any viable, offline alternatives?
Never mind Mint, if your bank accounts are in the US your financial data is already available for inspection by the IRS, DHS, and probably many other three letter agencies. I'd wager that Mint, not being a bank, has far less an obligation to hand over your financial data than the banks you have accounts with.
The US already has complete financial surveillance over all US financial activity that isn't a cash trade, and they've been expanding it around the globe aggressively. For decades.
In this day and age where everyone does everything through credit cards, everyone already has all your financial data. Certainly the government does, and the credit card companies hand information out like candy.
For what it's worth, I'm working on a Mint competitor of sorts (that takes advantage of Machine Learning to automatically help you save). It will be based in Australia, not the US, and the basic app will be released as open source for personal self hosting.
The government having access to your financial data is a prerequisite for a functioning tax system. If you are audited, the IRS has the right to look inside your bank accounts.
The policies (or location) of online budgeting tools are entirely irrelevant. Hiding financial data from the government involves well established trades dating to long before the internet (or PRISM): money laundering and tax evasion.
Check out GNUCash. I've been using it for about a year. Entering all your stuff is tedious, but it's open source and integrates with some banks (also import from Quicken and CSV).
I could never sign up for Mint. I see the value in it, but providing a private business with a view into all my financial accounts just seems like a huge mistake.
Text files, paper statements and your file cabinet. There are various open source check register and book keeping packages. GnuCash is complete but possibly overkill for some people.
What part of "privacy is dead" do people not understand? You think multi-core processors in your iPhone or Android are to make the calls more clear? How many people here can say they haven't integrated a "smart" Apple or Google phone into their lifestyle? Someone with more HN love should post that poll.
Everyone needs to reconsider their worldview and a few important definitions they hold. One of those is privacy.
My definition of privacy: anything I relay to ANY one person is no longer private. What's the old saying about three people keeping a secret? Information wants to be free and privacy is not its natural state. It's always been this way, but the physical barriers to diffusion have been completely decimated in the past two decades.
This is not a mere blip in a long term trend, it is fundamental, IMO.
That being said, I believe there are new values we can all embrace to make the most of the state of the human experience today. Perhaps someone should can a thread on Internet values for the 21st century and beyond.
PS - Anyone ever wonder how MSFT got an anti-trust pass in the US, but not in the EU?
Hear me out: with a sensible court order and oversight, requesting a single user's password makes a lot of sense. Let's say you've taken a suspect in to custody, but want to capture their co-conspirators [1]. One way to do that might be to impersonate them online so as to keep their plot moving forward.
In what ways is it in a different category to their phone company handing over their call logs and getting someone to impersonate their voice (or send a text message) to an associate?
A single password, in an active situation, with oversight [2], is a totally different proposition from something like Prism or handing over SSL private keys.
[1] Not sure about US law on entrapment, but "bring the kit, we're doing it tonight, rendezvous is XYZ" and then seeing who turns up with what doesn't sound like entrapment to me.
[2] I have no idea what oversight might or might not be applied. "No comment" from the government is admittedly not an encouraging sign.
This sounds far too analogous, but not exactly homologous, to suggesting that Feds ought to be able to get a court order to request a safe manufacturer supply them a workable combination to get into a safe, which only the rightful and legal owner of the safe possesses but does not wish to divulge. Or a locksmith make a key to fit a particular lock for which there is only one possible key that is held by the rightful and legal owner who has invoked her right not to do so for fear of incrimination.
Going to the companies who have to validate user passwords to get a password a user is unwilling or unable to divulge is wrong. Going beyond that in asking for details on how passwords are salted, hashed, what the salts are, etc. ... more wrong still.
That the practice has been revealed should be all any internet startup/company/organization should need to never, ever store a user's password again. Ever.
Actually the legal standard (in the US) to compel someone to turn over a physical key (and I think combination to a physical safe) is fairly low, relative to information. One of the big debates is whether compelled disclosure of a password is information (high protection) vs. access (low protection). Marcia Hofmann from EFF talked to a few people at Hope for about an hour on the finer points in specific situations.
This is a whole other thing, this is a single users password, I think in the article they are talking about every user's password, correct me if I'm wrong.
And even then, a password should be encrypted. If there is a court order to reveal information, then there has to be a way to get this information rather than sending unencrypted passwords to the government so they can snoop through your mail without even being proven that you are guilty.
No because competent companies don't just have people's passwords. They would have to give the encrypted password, encryption method and salt which would greatly weaken the company's own internal security because now a bunch of people know a lot about the encryption system of the company and those people can't be trusted to keep the information secure.
Good encryption systems assume that the algorithm is known and still are secure in face of that requirement. So if publishing the method makes your system insecure then it's already insecure by design. Security through obscurity is not a viable approach.
There should at least be some burden to notify you that your account has been compromised; that is, you should be notified if you are a 'person of interest.'
This strikes me as a very thin story with a lot of filler added. A red flag for me with the article is that the headline uses the word "tell" while quotes from anonymous sources use the word "request". There's nothing wrong with the government asking for access to a user account if they have a legitimate (i.e. named) court order.
This is the most important story for this country since 9/11. Third rate journalism won't be part of the solution.
There have been a few articles like this recently. The problem is, it's so easy to flip a word like "request" to "tell", or drum up a government-looking document asking for xyz. There's just no way to determine the validity of this stuff.
For the general public this type of article works well. The filler is useful because a lot of people are coming to the issue for the first time. Hopefully NBC &c. will also fill in pertinent background information as they bring their audiences up to speed.
I'm well aware of Journalism's yellow history, I feel like things have devolved quickly and depressingly in the era of the blog and the pageview/story break Twitter one-upsmanship that exists today.
You do recognise the author, right? It's not some random hack - Declan M has a long history and a good reputation. I'd take his word over some random HN doubter any time.
Good reporting isn't about taking someone's word for something. It's about facts. The story has little substance to it. Who wrote it is besides the point.
Welcome to the world, this is a webcam, put it on your head so we can watch your every move at all times.
What the hell is wrong with the government, is it really their business to interfere with personal life? It's their job to facilitate the community, to find solutions for people's lives, this is not a solution, they are creating overly complex problems, unnecessarily spent money. We need less government, fewer people there with less money, it seems they have too much of it and way too much time.
You're asking the wrong question. They don't need this data, but they can acquire it. Why can they? Because nobody has said otherwise.
I don't expect a quick resolution to this problem and others. Political philosophy and legal theory have not kept up with technical advancements in society.
With respect, I don't think government should be facilitating the community or finding solutions for people's lives, as that quickly becomes a license to violate the rights of some individuals in order to give a benefit to some others.
I'm not sure how beneficial it is to ask for salted password hashes, when a simple change in the wording of the request to a judge (or the FISA court rubber stamp factory) would yield an order for the provider to capture and turn over the plaintext password the next time the user logs in. US judges will do almost anything they are asked, especially if the requesting agency uses the "T" word. Either these agencies don't know what to ask for, or they are already doing this and no one has written a story about it.
Throwaway account just to post this.
Of course the Feds will have access to whatever they deem necessary even if it takes them time to get the pieces in place. It's the users who ultimately lose the most.
I'm learning the hard way just how much the user is the one ultimately screwed when it comes to account access. My father just recently died very unexpectedly and tragically. He was generally retired but still doing a dozen or so small tech consulting projects here and there and using his personal accounts on Gmail/Facebook/etc. for everything.
Facebook simply will not give any family member access to a deceased person's account. Google will consider it after you fill out a form and send them a bunch of documentation. Then they will consider and may possibly end up sending you off to get a court order and the like, but you're entirely subject to their own decision about whether you can get access to your deceased family member's main form of personal and business communication. You do not own your Gmail account, regardless of the shit they spout about you being able to download your data using takeout. If your estate can't get "your" data, you didn't really own it.
Yes, I know there are steps that could have been taken to have given access to others on the event of one's death, but realistically what percentage of Gmail/Facebook users have taken those steps? And why should those accounts be different from normal digital accounts like bank accounts where a standard court estate document is enough?
I never said I expected them to accept a court order without verification. Simply that there should not be discretion on their part if proper estate documents are presented. They have made it clear that they have discretion, so the account itself is not actually considered part of the estate by Google.
This is probably a stupid comment to make, but when the feds request these passwords what is stopping a firm from giving over a set of tampered passwords?
Let's say a request is made for Google to give over loads of Gmail passwords. Could they not silently implement an extremely strong password encryption on the affected accounts, and hand over these passwords, knowing that the feds wouldn't be able to crack them without a significant amount of time?
Also, are the feds likely to check to see if these passwords are legitimate? If my password was 12345 and Google simply told them that my password was 54321 then how could the feds possibly know that the passwords sent over are real?
EDIT: Obviously, I know this is highly illegal, and would land any company in trouble. I'm just wondering whether, theoretically, this is possible for a firm to do to circumvent any action from the feds.
Silently sabotaging LEOs' efforts like that would be rightfully highly illegal. "Perverting the course of justice" in the UK. I assume there's a US equivalent.
It's just not worth a company risking this kind of tampering. They could go to jail for that.
By all means, companies should fight back legally, and it sounds like they all are. I applaud them for that. But I think it's unreasonable to expect them to break the law for you.
You're absolutely right. However, is it a crime that could be tracked, without an employee explicitly whistle-blowing to the feds? Even then, could the feds prove this? I'm no expert, and I'm probably wrong in saying this, but in my mind it'd be near impossible to prove that a provided hash had been tampered with, instead of a user just changing their password.
It's morally wrong, and obviously I'm not saying it's the way to go. It's just a theory that I had, and I wanted to know if it was feasible for a company to do this.
>Also, are the feds likely to check to see if these passwords are legitimate? If my password was 12345 and Google simply told them that my password was 54321 then how could the feds possibly know that the passwords sent over are real?
Well, they're not going to crack a ton of passwords that quickly, and I'm guessing that they're testing against the live server, so if the password doesn't work then surely the most obvious answer is that the password has changed.
A lot of people have already stated that one way around this would be to change your password before the feds have had a chance to crack the provided hashes. This would surely be a similar system.
Of course, I don't know if this would work at all. I was basically thinking aloud to see if this idea would have some merit.
We really need to systematically implement in our login systems what many SSH logins do when you log in: "Hello <username>. Your last login was at <time> from <ip>".
It won't solve the problem, but it'll certainly help a bit.
EDIT after a few comments:
This will not make it impossible to steal identity. But this will cost us almost nothing and imply high cost for spooks: if you have a user password, you can use it on many websites, for common users, without the related company even knowing it. If you implement a last login timestamp, it's something you can do within hours, without any need for heavy architectural changes, and it will cost a lot for spooks to try to fake it on every website, for a large number of users.
Cheap to us, costly to them. That's the way to go for me.
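An added example, not code from the thread or from any company mentioned in it, that puts the two points made above into a working login routine: the service stores only a per-user salted PBKDF2 hash (a public algorithm, as the "security through obscurity" reply notes) and returns the previous login's time and IP so the banner "Your last login was at <time> from <ip>" can be shown. The `Account`, `login` and `format_banner` names, the in-memory storage and the sample IPs are assumptions for the demo.

```python
"""Salted password hashing plus a 'last login' banner, as an illustration of
the proposal in the thread. Everything here is in-memory and constructed for
the demo; a real service would persist Account records in a database."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


@dataclass
class LoginRecord:
    time: float  # Unix timestamp of the login
    ip: str      # client address the login came from


@dataclass
class Account:
    salt: bytes                          # per-user random salt
    pw_hash: bytes                       # PBKDF2 output, never the password
    last_login: Optional[LoginRecord] = None


def hash_password(password: str, salt: bytes) -> bytes:
    """Public, well-specified algorithm: knowing it does not help an attacker
    without the salt and the work of brute-forcing each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def login(account: Account, password: str, ip: str,
          now: float) -> Tuple[bool, Optional[LoginRecord]]:
    """Verify the password. On success, record this login and return the
    PREVIOUS record so the UI can show the user where they last logged in.
    Failed attempts do not touch the record, so a guesser cannot 'refresh'
    it to hide an earlier successful use of the account."""
    candidate = hash_password(password, account.salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, account.pw_hash):
        return False, None
    previous = account.last_login
    account.last_login = LoginRecord(time=now, ip=ip)
    return True, previous


def format_banner(username: str, previous: Optional[LoginRecord]) -> str:
    """The SSH-style greeting the thread asks every service to show."""
    if previous is None:
        return f"Hello {username}. This is your first login."
    ts = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(previous.time))
    return f"Hello {username}. Your last login was at {ts} from {previous.ip}."


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    ok, prev = login(acct, "correct horse battery staple", "203.0.113.5",
                     1_372_000_000.0)
    print(format_banner("alice", prev))
    ok, prev = login(acct, "correct horse battery staple", "198.51.100.9",
                     1_372_003_600.0)
    print(format_banner("alice", prev))  # shows the 203.0.113.5 login
```

If the banner names an address or time the user does not recognise, that is the signal the comment above wants: someone else used the password, and the company that showed the banner now knows about it too.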
Google already does this with GMail. Scroll down to the bottom and it's in the lower right corner.
Facebook also provides access to all recent/active sessions and their last accessed time under Settings -> Security. They've got all kinds of other good security features that are worth enabling too.
I suspect a better long-term approach here is going to be something like Mozilla Persona (with the option of easily using your own domain for auth & auth if you like). Then the service doesn't have your password. They could still give the Feds access to your data, but at least the Feds won't be able to leverage your password against other services (greater adoption of password managers would also help this scenario).
And of course, enable two-factor auth on any site that supports it.
Yes, a friend of mine mentioned the Google feature. I never noticed it.
But as I say, we need something that everyone can implement right now and that makes mass surveillance too expensive to be realistic. Log history and 2-step login (for example) are things that need heavy architectural changes, while showing the last login can be done at no cost.
Well, in the context of a specific targeting, certainly. I have no problem with that.
What is a problem is mass surveillance. A simple measure like that could make it very costly to achieve mass operations.
EDIT: also, please note that the problem with passwords is that once you get one, for common people, you can hope they used it on many other sites. This allows feds to access websites without the company even knowing it. If you have to fake the login timestamp, all related companies must be aware of your action.
http://www.motherjones.com/kevin-drum/2013/06/wsj-nsa-progra...
http://en.wikipedia.org/wiki/Comparison_of_accounting_softwa...
"In the interest of national security..."
I must point out, "snooping through your mail" requires probable cause, not proof of guilt (that's for a court to decide).
His main sources are "...one internet industry source" and "...a person who has worked at a large Silicon Valley Company."
That's about as vague and unverifiable as you can get for the foundation of a story like this.
So you expect them to accept any old paper that looks like a court order without a vetting and verification process?
>If your estate can't get "your" data, you didn't really own it.
If you can't legally prove that you are part of "your" estate, then you're SOL. And getting anything done legally takes time. Sometimes lots of it.
It looks like you are SOL no matter what you prove.
By them NOT WORKING?
But the cost to apply this to every single website they want to spook on will be prohibitively high to implement massive use.