EARN IT
Would be a huge foot self shoot by the American Gvt.
So, it'll probably happen :-)
Secure messaging app developer Signal says its US operation hangs in the balance due to a proposed law in America. In a blog post on Thursday, the non-profit said it will have to shut down it stateside presence should the EARN IT Act be passed and signed into law. Legal and liability concerns would make it impossible to …
They've tried terrorism, drugs, and now child porn.
It is nothing new, they are the Four Horsemen of the Infocalypse a term coined in 1988.
The USA shouts 'repression' when this happens in China, Egypt, ... but then claims that 'it is for your good' when they do it.
"If this bogeyman doesn't work I would predict that they will try to use COVID-19"
Both Google and Apple were happy to announce that tracking of anyone nearby via Bluetooth will be integrated into operating system and reports sent to mothership *every 15 minutes*.
You can bet you can't turn that *feature* off and another way of spying, not only you, but *everyone* around you*.
Also it was very depressing to read the colossal stupidity The Verge published as article:
"Apple and Google are building a coronavirus tracking system into iOS and Android"
*People* tracking system it is and these morons have no clue at all. And as it's bolted to the OS, there's no way to remove or disable it. *More data to sell*, in reality and even less privacy for everyone.
https://www.theverge.com/2020/4/10/21216484/google-apple-coronavirus-contract-tracing-bluetooth-location-tracking-data-app
"While the app regularly sends information out over Bluetooth, it broadcasts an anonymous key rather than a static identity, and those keys cycle every 15 minutes to preserve privacy."
Irrelevant when *OS* (not the application as article tries to claim) sends the key and IMEI to mothership at the same time. Or it uses key generated in mothership (which keeps track on them).
This thing has 0 privacy from the start and all the talk about keys is just bullshit trying to hide it.
They could as well use IMEI directly: OS knows it, any application knows it, so Google knows it *and* it knows the "private key". Smoke and mirrors.
While I wholly understand the thinking and necessity for trying to do these simple things to slow the spread of a disease, I have to question:
-If Android and iOS are going to track me without my consent, is there a lawsuit waiting to happen there?
-Doesn't the US Constitution include something about a right of assembly? I can't believe someone hasn't tried to kick up a fuss about that yet. (Yes, they'd be pigheaded and idiotic to do so, but there's quite a lot of those people not just in the US but in the world as a whole.)
Actually there is a pretty huge fight brewing on this. Our Attorney General issued a warning this weekend State and local governments cannot harass citizens for attending Church at Easter as long as the church is practicing social distancing safety. Several local and state government agencies were trying to ban drive in Easter Services. For those who don't know a drive in service is where people stay in their cars 6 ft (2 m) apart much like an old time drive through movie theater. This was lost on these officials who decided that there must be NO gatherings. Though it is perfectly ok to go to the grocery store, liquor store, pot dispensary etc. They were also trying to go after Gun Stores also but again they were shut down.
As I understand it, the contact tracing app's supposed to use Bluetooth to sense proximity to other users, so presumably you can turn that off -- in the unlikely event they try to force-install the thing, which I really can't see. They wouldn't need to: simple social pressure would do it. Especially if the thing had a way of alerting you that there's a phone in your vicinity that's NOT running the app...)
You wouldn't need 100% coverage to get substantial benefit for the stated purpose, anyway; IDK what the curve would look like - the square of the number of users?
Of course that's just the stated purpose of the "NHS app" -- there's already a leak in the Grauniad suggesting that they're perfectly well aware of the potential for illicit, malevolent misuse by the state:
https://www.theguardian.com/world/2020/apr/13/nhs-coronavirus-app-memo-discussed-giving-ministers-power-to-de-anonymise-users
It will be the very people who promote encryption publicly who are likely to profit the most from an end to most encryption. Currently, many of those who provide encrypted platforms are the same people who make a living out of selling as much of everybody's data as possible, makes you wonder what kind of conversations their lobbyists have behind closed doors.
Do they? The only one that comes immediately to mind is the chat app WhatsApp, which is Facebook-owned. The rest of the big players only seem to offer end-to-end on things they get paid for, and don't bother with it for other communications they work with. Apple, for example, offers relatively good encryption for many of their things, including end-to-end on some, but to use any of those, you have to already have purchased an Apple device. Anything that is clearly mined, such as email services from Google and the like, are not encrypted and there's no pretense that they are. The clearest providers of completely encrypted communication services I can think of are all smaller nonprofits, such as Signal, Tor, or Telegram.
Skype is owned by Microsoft. Apparently it supports end to end encryption
And WhatsApp switched to using the Signal protocol for encryption a few years ago, not least because this would leave it less open to lawsuits when its own shitty protocol was compromised. Not sure how it handles groups, not least because I don't use WhatsApp, but it seems more than happy to scrape (and leak – in a group everyone's telephone number is visible to everyone else) metadata, but zero-knowledge encryption for groups is difficult as recent reports from Signal show. I guess the NSA wants to hold the tide back before the proposed zero knowledge group code becomes generally available.
No, it does not devote a lot of attention to national security, it devotes a lot of attention to the excuses that allow it to pretend that national security is its focus.
In reality, it just wants the means to spy on everyone without bothering with the Constitution of its own country.
Because that is so much easier than paying attention when the CIA warns them that Al Qaeda terrorists are getting flying lessons on US soil.
It was actually the FBI who flagged that up. When the FBI asked the CIA if they had info in their files about any of the names on the FBI's list of arabs attending US flight schools, the CIA hid the fact that two people on the FBI's list were known al-Qaeda members.
At a very basic level, if you don't operate in the U.S. and you don't need things from the U.S., then the American government can't do anything to you from their law. They can try to encourage your country to go after you, and it has a decent chance of working for them, but they don't have legal methods. So that would be a drastic method, essentially cutting off all of the U.S. The less drastic method that also has some chance of working is to move all operations and supply chains out of the U.S. but continue to allow Americans to use the service. That is technically operating in the U.S., and the U.S. can issue legal complaints, fines, or prison terms, but if you don't live there or have stuff there they can take they may find it difficult to enforce those. That approach could work for Signal, while there are numerous other types of organizations for which that would be a non-starter.
This wouldn't be the first time that US laws on encryption have left them using a lower grade system than the rest of the world. When they limited the encryption levels that could be sold to non-US customers a number of companies went 'Rest of the world only' and increased bitness well beyond that available in the US. Net result was the US Government caved in so they could catch up
other than ban any US-company dealing with you, handling your payment, etc, etc. There are many, many ways for the US government to demonstrate a world-wide "influence", without bombing the evild-doers out of their evil glass/desert/mountain/forest/underground/underwater hole. And all that - to protect US citizens from filth, depravity, threat to their lives and property around the globe (and elsewhere). Impressive, eh? :(
If you operate with a franchise, that doesn't help. First, you are essentially handing that franchise-owner over for all punishments, which isn't very nice. Second, if your franchise does anything, then when their stuff is affected by legal matters you have much more disruption. Third, it doesn't stop you being responsible legally, and you can still get arrested if you show up there. If you can operate electronically, it works similarly except they don't have anyone they can arrest immediately. Their only choices are to try to put pressure on countries you need stuff from or try to block you.
"Third, it doesn't stop you being responsible legally, and you can still get arrested if you show up there."
On what charge? (Come to that why would I want to show up there?) You do your stuff in a jurisdiction where it's legal. The franchisee buys a service from you in that jurisdiction and sells it in the US. If no franchisee is willing to take on the risks the US doesn't get that service or, to look at it another way, the US gets the service it deserved by electing the governments it did.
Franchising is weird when the service being provided isn't physical. Usually, you don't need one and you don't have one, and most exceptions only have local affiliates (usually not franchised) to provide local support. Signal doesn't have national franchises now, and for a very good reason: they'd be useless. But let's assume that they did set one up. Essentially, they provide the main system and a national franchise is created which links citizens to it. If the local franchise is connecting people to an encrypted system, they can't access the data being sent. If they were sent an order to divulge that data, they wouldn't be able to comply and could be charged. The owners of the company who authorized the franchise could also be charged on the basis that they did not intend to follow the laws when they agreed to establish a franchise. Enforcing that charge if the owners were out of the country would be difficult, and getting judges and juries to agree would also be tricky, but it is certainly possible in the law to do so.
Consider a simpler example of a franchise: an international chain restaurant. If a local franchise is formed which needs to get ingredients, and the ones they are required to buy break local health laws, the owners of that franchise can be charged for that violation. In addition, the owners of the main business can be charged with breaking the same laws by making that requirement, which is illegal. Again, this isn't a guarantee of a legal victory, but it is a case that can be made which often leads lawyers to try to avoid that risk.
If an organisation (corporation, business, foundation, etc.) is fomed in another nation and is not wholly-owned by a US otganisation, it is not American-owned. There is no way a court would accept that it was American-owned if it couldn't be shown to be American-owned. Otherwise the US Government could just decide ARM, Samsung, Huawei, Alphabet, Apple (Ireland), TSMC, etc. were all US-corporations therefore subject to US taxation and laws.
Signal is all software, not hardware based, so there is no American "made" components in it. Also, see PGP History:
Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". At the time, cryptosystems using keys larger than 40 bits were considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits, so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.Zimmermann challenged these regulations in an imaginative way. He published the entire source code of PGP in a hardback book,[23] via MIT Press, which was distributed and sold widely. Anybody wishing to build their own copy of PGP could cut off the covers, separate the pages, and scan them using an OCR program (or conceivably enter it as a type-in program if OCR software was not available), creating a set of source code text files. One could then build the application using the freely available GNU Compiler Collection. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the Ninth Circuit Court of Appeals in the Bernstein case and the Sixth Circuit Court of Appeals in the Junger case).
The US is pretty good at enforcing its laws in other jurisdictions using things like the Magnitsky Act, or declaring any particular group or country as "terrorist". But the problem they face with Signal is that the code and research (the peer reviewing and theoretical validation is perhaps as important here) is already public so it would likely become a whack-a-mole and some countries might have problem complying with US demands and their own laws, relying on lax enforcement, or using that US stalwart the anonymous shell company or trust to obscure everything.
But when has that every stopped them? Hard to think of anything more sinister and pointless than the Committee for Unamerican activities but I'm sure history is replete with them. :-/
The US is pretty good at enforcing its laws in other jurisdictions using things like the Magnitsky Act, or declaring any particular group or country as "terrorist".
But the US are starting to notice some push back as ohter jurisdictions are also starting to enforce their own laws within the USA (e.g. the European GDPR). And it is rapidly approaching the point where other jurisdictions get together for the sole purpose of pushing back. I wonder how long it will take some countries to put the CIA and all of its operatives on the terrorist watch list (where it already belongs anyway).
Not really, if you think how effective the US has been over Iran sanctions: it controls the dollar trade and has no problem enforcing sanctions on subsidiaries or associated companies that want to continue trading in America.
The only country that is really able to largely ignore such heavy-handedness is China, and that only in countries (such as large parts of Africa) where the rule of law required to enforce US extraterratorial claims is often absent. Currently, the US economy is simply too important for many countries.
But the rules around IP and specifically encryption are definitely changing.
declaring any particular group or country as "terrorist"
How much of its tech industry does the US have to expel in this way before a tipping point is reached and it has to define the entire rest of the world as "terrorist"?
Perhaps this is more easily seen from the PoV of an elderly Brit. The UK is a post-imperial power. When I was born the possibility that this could happen would be inconceivable to most people (many seem unable to grasp that fact even now) but it is the case. It must seem as inconceivable to must USians but, having watched it happen to the UK, I have no difficulty visualising it happening to the US.
<quote>When I was born the possibility that this could happen would be inconceivable to most people (many seem unable to grasp that fact even now) but it is the case. It must seem as inconceivable to must USians but, having watched it happen to the UK, I have no difficulty visualising it happening to the US.</quote>
It will be a shocking day when the rest of the world stands up and tells the US Gubmit to
"FUCK OFF!!!!"
An appropriate icon: https://c7.uihere.com/files/534/152/58/the-finger-fuck-decal-youtube-youtube.jpg
However, this government is known IT-utterly-incompetent, and the military is just now outsourcing all its IT and even secure stuff to ...Microsoft (or Amazon, depending on whose lawyers win).
The crypto is the easy part anyway - See Bruce Schneier and friends. It's avoiding all sorts of pitfalls and side channel attacks that is hard. Ask Intel about that one.
One wonders, however. Since it's well known that the agencies can pretty much compromise any device - and therefore get plaintext before (or after) either "end" of end to end encryption...and even though they complain, it seems the FBI can buy exploits to get into those "locked phones" and does so just before they lose in court (more than once!) - maybe this is all just a smokescreen to make people THINK they don't already have the goods - they just want the messaging platforms to do all the work of screening, and take the blame in the event of failure.
That's not how this goes down.
1) If the US military is a heavy user of Signal, then the NSA has signed off on it.
2) No way in ******* **** that the NSA approves such without source code, fully analyzed.
3) Almost as unlikely that they would be using Signal's servers, if for no other reason than that they are not hardened against physical attacks by hostile actors.
4) Which means that they are using military servers. If Signal pulls out of the US, this has 0 effect on this application.
5) It's not legal for my to own a B83--does not mean that the military does not have them.
Sadly, I expect you'd see this timeline:
1. Law: Is passed.
2. Signal: Is forced overseas.
3. U.S. enforcement body: Tries to pursue Signal legally, can't find a way, blocks them.
4. Legislators: "We want our secure communications."
5. Law: Is modified saying government can use these apps but citizens can't.
6. Signal: Decides that if citizens aren't allowed, government isn't either. Blocks them.
7. Legislators: Write law: "Somebody make us a version of Signal that works for us."
8. NSA: "We'd be happy to. The code is open source anyway. We're just going to stand up a server of our own."
9. Legislators: "Perfect. Send us a link, would you?"
10. NSA: "We have finished setting it up. Now if you could reauthorize our data collection stuff for a century or so, we think we can send you a link."
11. Legislators: "Weird. They thought we were ever going to balk at that. We've been fine with it for two decades; why do they think that's going to change? Well then..."
12. Reauthorization law: Is passed.
13. NSA: Sends link to signal.gov client.
14. Legislators: Install the app.
15. Legislators: "Hey look! It works the same as the last version! Thank you, NSA."
16. Military: "The encryption system we had just got hit with the original law. Can we use this too?"
17. NSA: "Absolutely!"
18. Military: Starts to use the app.
19. NSA: "Any congresspeople being potentially annoying today?"
20. NSA analyst: "Actually yes. There was a new one elected and they're chatting about an oversight bill over us."
21. NSA: "What do we have on them?"
22. NSA analyst: "Everything they've ever sent or received. I'm sure we can find something out of context that can be used against them."
23. NSA: "Wonderful! Do that then."
24. Newspaper: "Newly elected representative [name] who stood for election on a platform of public privacy faces ethics committee investigations."
25. NSA: Evil laughter.
> dystopian
You think? Remember, Murphy's law is part of the Constitution of Reality.
As about the OP, I think he is rather optimistic, in that he assumes the agency will only use that power to defend itself, and its bosses will not abuse their power to go on a rabid crusade to protect the country from itself (something called an "auto-immune reaction" in medicine). US TLAs are prone to that kind of behavior.
There are internet-based channels of communication which are 1:1 (or 1:few, if we include conference calls). These include some messaging platforms and all internet commerce and banking. I don't have a problem with these operating under the usual rules on carrier protection. Phone taps require a warrant and the participants have a reasonable expectation of privacy.
Then there are internet-based channels of communication which are 1:many, where the "many" are unknown to the 1. These include social media and news outlets, but also anyone offering blogging services or similar to the general public. Similar services in the non-internet world are TV, radio and print publishers and everyone expects these to be regulated because there is no control over the audience. Sure enough, they are all regulated.
Apparently this distinction, so easily made by people for the past few centuries, has now become Really Hard To Grasp and we get bills like EARN IT which (as far as I can tell from the coverage) are trying to use the "broadcast" justification to overturn the "reasonable expectation of privacy" on a 1:1 call.
"Apparently this distinction, so easily made by people for the past few centuries, has now become Really Hard To Grasp"
I don't believe that a second: This is a deliberate attack against *any* privacy/encryption people might have.
You could try to explain it with stupidity, but AG Barr suggested that they should give Barr himself the power to decide "suitable guidelines" restricting encryption.
It is publicly known that Barr's main goal is to ban encryption, all of it, and enable law enforcement access to any online conversation. *Any* online conversation.
Barr isn't even bothering to hide his goals and he wants personal power to define what kind of encryption is allowed. Or none, as he'll order in a heartbeat if he can.
@Ken_Hagen
There's another perspective on this. There's an ASSUMPTION that ALL the participants in some internet communication can be identified (e.g. they have contract and a registered credit card with a mobile phone company, or they have an FB account in their own name, or they have an identifiable email account, or they have a broadband account registered to a person with a physical address....and so on).
*
This assumption is false. People carry pay-as-you-go mobiles paid for in cash (so called burner phones). People use throwaway email addresses and emails sent and received in internet cafes (or sent and received using hijacked WiFi). This message in El Reg is sent by AC -- and how would "the authorities" identify the sender or any of the readers? ....or they use a VPN in addition to any of these other methods.....
*
So.......not only do "the authorities" need to read the plain text of messaging....they also need to identify the sender and the recipients. And time is on the side of the "bad guys".....if it takes weeks to decipher a private cipher, and the sender and recipients of the message can't be identified.....what good is some more legislation?
Just promise them a new lolcat a day and everybody will accept.
Or just wait a couple days, or till the next celebrity scandal takes over public interest, and use the general and complete indifference to pass the bill.
While individuals can be intelligent, masses are appallingly stupid, and politicians know that, it's their livelihood. Individually we might think "Do you really take me for a moron?", but collectively we're all just drooling "oooh, shiny...". :-(
If the so called "bad guys" use private encryption BEFORE their messages enter a public channel, then the whole "end-to-end encryption" debate is moot!
*
I know, I know......experts say private encryption is "very weak". If that is true, how come two of three Beale papers are still secret after more than a century? And even if it is true, privately encrypted messages ARE private for as long as it takes to break them.....which might be quite long enough for bad things to happen!
*
So tell me again what this legislation achieves....apart from providing a grandstanding photo opp for stupid politicians?
*
And if private ciphers are so easy, maybe an expert can decipher this:
*
0pB$0hM80ZNp104o10Ri069e0BDw0Fc00zqa00pl
1LsP0Vjx1XVx0KDJ1i5$0qaU0MNr0uLf045J15lu
1XQy19=v1NMb0Pif134m0qI=0pZW1FLb1Ckm0Hs2
03Gp0Zdm0dNV1fv30f$x0kdU0U=v1Jj80U4u0thP
0qbN1m0u0FVx1Nca1cIP0c6o0feb16Z50MrH1Fon
1chV0J1x
*