DoJ worries messaging apps could hide evidence of crime, corruption The United States Department of Justice is considering new guidelines for how businesses use messaging apps, so that they're not employed as a back channel to hide corrupt behavior. The DoJ's interest in messaging apps was first stated in a September 2022 memorandum [PDF] on Corporate Criminal Enforcement Policies penned by …
Why should DoJ, Feds, Police etc require companies to keep records of communications when back in the olden times (1980's and earlier) this was conducted on paper stuffed in packets and sent via a man called Geoff with no records unless you used carbon paper between 2 pieces of paper..........
Going further back business was done in person with only a secretary to keep 'minutes' and the secretary could be instructed don't write this next bit......
And the bad guys won't comply anyway......... c..f. various politicians....
Want to bet that the DoJ is already getting calls from politicians about ensuring that the need for transparency only applies to businesses - and then only to businesses that don't provide services for them?
Some years ago I attended a keynote speech by Colin Powell. He said that when he was Secretary of State the the department was a bit behind technologically, but that the department made great strides since. "These days Secretaries of State are running their own mail servers", he quipped.
The DoJ is making exactly the point the ICO has been making - using peer to peer platforms and social networks means there's no way of retaining and monitoring the discussions. That's okay in private life, but in business and government it inevitably leads to opacity and corruption.
https://www.reuters.com/world/uk/uk-watchdog-seeks-review-into-government-use-whatsapp-messaging-apps-2022-07-11/
......with a peer-to-peer messaging application using Diffie-Hellman. In such an application:
(1) The heavy lifting would be done on the peer device.
(2) The encrypted message would be saved as it traversed the network.....but....
(3) ....only the D/H tokens would be visible, and these would have nothing to do with....
(4) ... the different random secret key used to encrypt/decrypt each message, and then thrown away
Net, net....no persistent keys....only encrypted messages in corporate backups!
Of course, if any of the peers were to save DECRYPTED messages, then, of course the game is up...........
.....unless the application forces the deletion of those as well...........
P.S. Even with 60,000 bit primes in use by D/H, the messaging takes less than a second per message at each peer!!!
As a recent user of Matodon, now with my own server, I wonder how a completely federated network design is going to respond to the US DoJ?
Will I be expecting an email I wonder?
With hundreds (and climbing) of servers located in many different legal entities I think that the crims already have an alternative. With Tor already in wide use the horse has already bolted.
The DoJ message isn't aimed at the networks or its users. It's aimed at big companies and telling them "you can't just allow your employees to do business on platforms you can't monitor and then shrug and say you didn't know when it turns out they were paying bribes". Either the companies have to work out how to monitor/review those communications in some sensible way or they have to tell their employees not to talk business on those platforms.
Except that's the way it has and will be for some time. Businesses already have several unmonitored ways to communicate. For example, an employee can just pick up the phone and call another one. Unless this business has a legal requirement to record all phone lines, it's likely they will have a record that a call took place but can't provide a tape of it on request. The same is true for most voice or video systems the company provides (yes, they all have a recording capability, but most meetings aren't recorded unless that's expected). If businesses have to find a way to prevent people from sending text messages through some system, why don't they have to record all calls, or for that matter find some way of preventing a covert conversation taking place in person?
In those businesses that don't have a legal requirement to record everything, this is not news (some evidence may not exist by the time law enforcement knows they want it) and even when such a requirement exists, it's still not (some people when doing illegal things will use a communication method that's not recorded). Any business that has a legal requirement and wants to adhere to it will have restrictions to enforce what they can, and there is no rule mandating anyone else to care.
Often the content of the communication isn't needed to imply wrong doing, merely its existence. If party A is found to have sent a secure message to party B every morning just before an important bank rate is set in their favour, that will trigger an investigation.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
