DuckDuckGo: illusion of privacy?

247 points| ziodave | 12 years ago |etherrag.blogspot.jp | reply

146 comments

[+] glurgh|12 years ago|reply
If you are specifically targeted in an investigation [...]

The purpose of services like DDG is to reduce the amount of casually collected, personally-identifiable private data you might be strewing about - data that might potentially be recovered and might potentially be used against you or used in ways that you don't like.

If you are specifically targeted by an investigation, a law-enforcement agency like the FBI, armed with probable cause and warrants can tap your phone, search your house, track your location, log your keystrokes, etc, etc. DDG can't help you there, you'd also be vulnerable even when using a service provider which really doesn't have access to your data, like tarsnap. DDG is not going to magically protect you from targeted (and perfectly legal, civilian, non-NSA-related) surveillance if you happen to have the bad luck of being a subject of such an investigation. It's a silly standard to hold any service provider to.

[+] brown9-2|12 years ago|reply
Were these features of DDG ever its purpose or merely an incidental feature?
[+] beloch|12 years ago|reply
1. Since the U.S. government has given itself both the power to compel U.S. corporations to spy for them and the power to prevent them from revealing this, we can't take the claims of any U.S. corporation at face value.

2. DuckDuckGo is a U.S. based company.

[+] blumentopf|12 years ago|reply
Problem is, even if DDG were hosted in, say, Europe, the NSA would still be able to snoop on the traffic. As has been recently revealed, the German BND may siphon off up to 20% of the traffic at DE-CIX (Internet exchange in Frankfurt) and on average siphons off 5% [1]. The BND closely cooperates with the NSA. As we've seen in the last couple of weeks, Europe is basically a US colony and Germany in particular is not a true sovereign state. [2] What to do? Host in Russia, Latin America?

(Disclosure: I am German and DDG is my default search engine.)

[1] http://h-online.com/-1909989

[2] http://sz.de/1.1717216

[+] nolok|12 years ago|reply
And that's really all there is to it. That's why you don't build secret courts, secret orders, and gag orders.
[+] api|12 years ago|reply
3. It would be almost trivial for the U.S. government to snoop on DuckDuckGo's traffic at the switch or cloud provider level even without informing DuckDuckGo of this. I believe they host at EC2 East, which is in DC and a major U.S. government linked hosting provider (see Amazon FedRamp).

The cloud is not private, period.

[+] gizmo686|12 years ago|reply
Do we have any evidence the US asked any corporations to spy? The only instances I am aware of the US asking corporations for help was requesting/ordering access to data the company was already collecting.
[+] yk|12 years ago|reply
I like the blog post, but I think that it is somewhat unfair against DDG since the argument works against any internet company. The argument rests essentially on two points:

1. Client/Server architecture has a single point of failure, namely the server. (Or the network equipment directly upstream of the server.) So that whatever nasty surprise is embedded directly at the server, or in the jurisdiction the server is in, affects whoever is using the server.

2. We do not have a threat model for the NSA, they are somewhere between a usual state level attacker and Cthulhu. We do not really know what the NSA can or can not do, can they crack the discrete log or factor large numbers? Or do they 'just' have an assorted 0day collection? Is it realistic that they can coerce anyone into revealing public keys? And if they can actually break TLS, can they also break all TLS or does this require some not insubstantial effort on their part?

So both of these are real problems and the combination is potentially undermining the trust in the entire internet. But it is not really about DDG.

[+] MarkHarmon|12 years ago|reply
"... it is somewhat unfair against DDG since the argument works against any internet company"

What other search engines are being suggested for use as a safer alternative to the major search engines? Did any of those companies respond by affirming their ability to protect your privacy in a way that is not technically possible?

The author's point is that you can't dodge the NSA's scrutiny, and if you think you can then you are either lying or uneducated about the NSA's capabilities.

UPDATE: What I'm trying to say is that the article doesn't really work when directed at Google or Yahoo because we already know that our privacy is compromised there.

[+] rfctr|12 years ago|reply
The post is not against DDG.

It is against the unreasonable expectations for privacy when using DDG.

[+] nmcfarl|12 years ago|reply
"We do not have a threat model for the NSA, they are somewhere between a usual state level attacker and Cthulhu" just about made my day! Awesome description.
[+] cinquemb|12 years ago|reply
"Option 2 Many smaller internet companies, including DuckDuckGo, do not operate their own data-center, but instead are “hosted” in another provider’s datacenter. In DuckDuckGo’s case, they are hosted by Verizon Internet Services. We’ve all learned about the cozy relationship between the NSA and Verizon, it is quite imaginable that Verizon would simply give them access to a DuckDuckGo server, or the load-balancer which is likely owned and operated by Verizon and upon which the SSL decryption key is installed. They don’t need continuous access, 30 seconds is all that would be necessary to copy the cert."

And Gabriel's response to that: "There are many additional legal and technical inaccuracies in this article and I will not address all of them in this comment. All our front-end servers are hosted on Amazon not Verizon, for example."

Might as well %s/Verizon/Amazon/g…

I also found what Gabriel said here to be interesting:

"We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt."

So apparently speaking to a couple of lawyers who are probably not upon the FISA court (who apparently pretty much just stamp what has been decided) now has a say in whether such actions can be taken by the NSA and whether they are unconstitutional or not?

Don't get me wrong, I've been using DuckDuckGo for a couple of years now, but that's laughable.

[+] HistoryInAction|12 years ago|reply
There are plenty of reputable lawyers, especially with the ACLU, who have been fighting in public courts against this secret parallel court structure.

Early on, claims were simply thrown out due to "state secrets," presented in sealed folders only to the judge. Over time, the lawyers and organizations gained experience (a la Minesweeper) and got more substantive rejections from judges. The first win was with Nicholas Merrill, about five years in, though it took another three or four years for the gag order preventing him from talking about it to also be lifted: http://www.aclu.org/national-security/doe-v-holder and http://www.wired.com/threatlevel/2010/08/nsl-gag-order-lifte...

So speaking with those sorts of lawyers? Who have won fights against this secret system through a public court of law? Yep, those exist.

Keep in mind, those we disagree with within the federal government aren't malicious or evil. They think they're protecting us, and they think they're acting lawfully. It's therefore reasonable to me that they see themselves as bound by the legal system because otherwise, how can they think of themselves as acting lawfully? And as much as the legal system has been stacked in their favor, when they lose, they likely abide by those rulings against them. At least, that's my read out of how much effort those folks put into (successfully) updating the law to reauthorize their behavior when we get a rare win.

Now, our take is that the legal system has been grossly abused to carve out all of their current authority on surveillance. But that's where I think they're coming from.

[+] DannyBee|12 years ago|reply
"We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt."

This is a great response, except for the fact that it's completely irrelevant, because it doesn't tell you what would happen. Courts order things that are illegal all the time, and they don't always get stayed.

If they were served with a court order they felt was illegal that had not been stayed, could not get it stayed pending appeal, etc, would they siphon the data (or turn over data), or would they take contempt/jail?

If the answer isn't the latter, then the rest, IMHO, doesn't matter. I'm not saying they should, mind you, I'm saying I don't believe they are really better than anyone else here.

The same question should be raised about other countries.

They will, eventually, be asked to siphon off user data in various countries (and not oddball third world dictatorships, instead, large EU based and other countries). Will they do it, or will they block those countries/risk arrest?

[+] grey-area|12 years ago|reply
> We have not received any request like this, and do not expect to.

I think this answers the important question in the article, which is whether DuckDuckGo have received any of these requests.

> now have a say in whether such actions can be taken by the NSA and whether they are unconstitutional are not?

We all have a say to the extent that we cooperate or not with requests like that, I don't find their preparations laughable at all. What do you expect them to do in response to the possibility of FISA requests?

[+] denzil_correa|12 years ago|reply
Probably the lawyers are experts in the FISA court.
[+] evolve2k|12 years ago|reply
Response from DuckDuckGo CEO from the article comments:

"Hi, this is Gabriel Weinberg, CEO and founder of DuckDuckGo. I do not believe we can be compelled to store or siphon off user data to the NSA or anyone else. All the existing US laws are about turning over existing business records and not about compelling you change your business practices. In our case such an order would further force us to lie to consumers, which would put us in trouble with the FTC and irreparably hurt our business.

We have not received any request like this, and do not expect to. We have spoken with many lawyers particularly skilled and experienced in this part of US and international law. If we were to receive such a request we believe as do these others it would be highly unconstitutional on many independent grounds, and there is plenty of legal precedent there. With CALEA in particular, search engines are exempt.

There are many additional legal and technical inaccuracies in this article and I will not address all of them in this comment. All our front-end servers are hosted on Amazon not Verizon, for example."

[+] coldcode|12 years ago|reply
The beauty of the NSL system and the NSA acting outside the constitution is that no matter what anyone says there is no way to prove any statement made about receiving or not an NSL. In fact it wouldn't surprise me that if the NSA wanted the data they could compel someone lower in the company and the CEO might never know. How do you prove you are NSA-free if you are the CEO of an American based company? Really the only statement that people would believe today is actually showing your NSL publicly and telling the NSA to stuff it. If you haven't been targeted (or someone in your organization was) there is no way to prove it.
[+] Tloewald|12 years ago|reply
The key thing about Google et al is that they maintain user accounts and try to get you to stay logged in which means (a) they maintain huge data stores that are (b) tracked by user. While DDG can be required to turn over its records, could theoretically hand its unencrypted traffic over to the NSA, and in any event the NSA could simply pluck the packets off the air en route, it would then have to figure out which packet was from whom and join the dots itself. This is essentially no different from what I assume the NSA can do with any damn website, foreign or domestic, it likes.

As a further wrinkle, if you are logged into Google then it can watch your web surfing activity onto any website with embedded google code (analytics, adwords) which is pretty much most websites.

All of this comes down to Google is an advertising company. If DDG becomes an advertising company, watch out.

[+] Kylekramer|12 years ago|reply
How is DDG not an advertising company already? One of the top hits on every search I do on DDG is an ad (actually in my testing I found if I do an informational search like "Barack Obama" I get an ad on DDG and none on Google). If advertising itself is the problem, DDG has already doomed itself.
[+] DannyBee|12 years ago|reply
If DDG ever becomes an anything company, watch out.

Seriously, what is the business model they could have that would not result in them collecting some set of info?

Donations?

[+] samwillis|12 years ago|reply
DDG have a Tor hidden service for search [1] and so you can search anonymously through that, even if someone has access to the SSL private key.

[1] http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-o...

[+] nly|12 years ago|reply
This almost makes no sense. Hidden Services exist to hide the location/identity of the server. You gain the same anonymity by visiting ddg.com via Tor. It's cool that they're running a relay though.
[+] mtgx|12 years ago|reply
> "DuckDuckGo can easily be compelled either under the Communications Assistance for Law Enforcement Act (CALEA), standard court orders, or by secret orders from the Foreign Intelligence Surveillance Court (FISA) to provide tap-on-demand"

Can they actually do that? I mean it's one thing to just "hand over the data" you already have about the user, and maybe even compel the company to decrypt it (although I still think that's BS [1] and companies should fight against it), but can they actually force a company to spy for them, and change their service in such a way that makes it possible? Do FISA and the Patriot Acts actually imply that? Or does he mean it might be yet another one of their "interpretations" of the laws?

Either way, if that's possible, just start using StartPage.com. They're based in Norway.

[1] http://paranoia.dubfire.net/2010/09/calea-and-encryption.htm...

[+] pjmlp|12 years ago|reply
I think that a common misconception of the current discussions is that people still expect NSA to obey some kind of law.

Never been to the US, but I grew up in a country trying to recover from a dictatorship, so I never believe that secret services have any law to obey.

[+] DanBC|12 years ago|reply
> but can they actually force a company to spy for them, and change their service in such a way that makes it possible?

Hushmail is the standard example here. They provide encrypted email. Criminals used them for communications. Law enforcement went to hushmail with correctly formed legal documents, and Hushmail handed over plain text from users.

There are two ways that plain text is available: using the web client, encryption is done on the server. There's a step where plain text is available to Hushmail.

Or if users are using the Java client, Hushmail could push a malformed version to the user. This is something that Hushmail has said themselves.

This wasn't under any weird FISA or Patriot Act law either.

(https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_...)

[+] brown9-2|12 years ago|reply
How do you think phone taps work?
[+] ziodave|12 years ago|reply
If what's written in this article is true, that basically means that even hosting a server in the US is basically a breach in privacy.

Do you think this is reliable information?

[+] gurkendoktor|12 years ago|reply
You might be surprised how many non-US citizens will agree with that statement.
[+] claudius|12 years ago|reply
What makes you think that hosting a server in one of the world’s oldest democracies, the country among the first to have a written constitution and a strong bill of rights, the land of the free, would not be a breach of privacy?

Oh wait…

[+] brianwillis|12 years ago|reply
Before drawing any conclusions from this, I recommend reading Gabriel Weinberg's response in the comment section. I felt considerably better after reading it.
[+] DannyBee|12 years ago|reply
I felt considerably worse, because he takes a very naive view of the legal realm.

Let me expand a bit: I don't think Gabriel is lying/dumb/whatever. However, the statement given essentially comes out to "If we had to, we would fight the good fight and we very strongly believe we would win". I'm all in favor of fighting as hard as you can against broad/illegal/user harmful orders/etc.

But at some point, you will lose, even with the law and moral justice on your side. This is a certainty. Google has lost. Yahoo has lost. Twitter has lost. Microsoft has lost. Contrary to the belief that they are cooperative, they don't want anything to do with anything, and fought with more resources and energy than DDG probably can muster (again, no offense to Gabriel).

Let's ignore for a second whether they have any data to give or not. The point is that at some time in the future you will not just lose temporarily, you will lose in a way that you have to make a choice between yourself/your business/your livelihood and your users' privacy.

Believing otherwise makes you naive in my eyes.

[+] pjmlp|12 years ago|reply
Yeah, but I still agree with the article.

If the information flows via machines located in the US, NSA can get to the information at several levels.

Then it also depends how much of the law, NSA makes for itself.

Like any HN reader that lived through dictatorship governments can attest, what the law says and the secret services do, doesn't need to be in sync.

And opposing them, well, there are plenty of ways to change people's mind that the right way is to help them.

If this is the direction the government will carry on doing, good luck opposing them just by switching providers, without doing anything more active.

[+] cuillevel3|12 years ago|reply
Yeah, his response made me laugh out loud for like 30 seconds straight.

How uninformed and naive can one CEO be? Did he hear about the secret courts at all?

[+] EGreg|12 years ago|reply
MegaUpload, LastPass and others are provably not able to access your information. Storing the encryption key yourself is the way to go.

But then the govt can capture you and make you give up the key. A whistleblower can threaten to have more incriminating evidence disseminated encrypted somewhere, and if he doesn't check in every 30 days it gets released ... but then the government can just torture him until it makes him give up the key he uses to check in every 30 days. It would take a really stubborn guy to persist and let the information be released. Since you don't have any information like that anyway, just assume that if you can access your own data the govt can compel you to do it for them.

[+] dchest|12 years ago|reply
> MegaUpload, LastPass and others are provably not able to access your information

Where can I find the proof you're talking about?

[+] mtgx|12 years ago|reply
If you use forward secrecy, you shouldn't have any key to give, right? DDG recently announced support for forward secrecy.
[+] HistoryInAction|12 years ago|reply
Hmm, CALEA is really not the right law to be referencing. CALEA generally applies to wiretaps and specifically derives from telephony surveillance and is more relevant—and worrying—to a Twilio or SendHub, rather than DDG.

It's more likely to be a portion of the PATRIOT Act (Sec. 215 and possibly 217, h/t to Marcy Wheeler for the education here: http://www.aclu.org/free-speech-national-security-technology... and http://cyber.law.harvard.edu/privacy/Introduction%20to%20Mod...) or the specific update to it (Protect America Act of 2007, FISA Amendments Acts of 2008 and most recently 2012) to bring the warrantless wiretapping scandal back into "compliance," and seemingly updating PATRIOT for the current round of surveillance, which was likely reauthorized Dec '12.

Now, the FBI recently floated a trial balloon of what we're calling CALEA II, but that's focused more on compelling the providers of in-browser chat products to create backdoors for surveillance: https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf It's not current law yet, and we're fighting to prevent the proposal from becoming law.

It's a point of precision that doesn't detract from the author's main point.

Just as an update, the legal debate is continuing over both the NSLs themselves and their related gag orders: http://www.networkworld.com/community/blog/fbis-national-sec... I'm not sure how or where this case escalated to, but the last time a court declared the gag order to be unconstitutional, it took an act of Congress to reauthorize it, which will be a difficult sell right now.

For a final note, here's a counter by the DoJ about how I'm wrong, for whatever that's worth: http://www.justice.gov/archive/ll/subs/add_myths.htm

And for full disclosure: I consult with Center for Democracy and Technology (CDT) on reforming Electronic Communications Privacy Act (ECPA) of 1986, which is a similar but not directly related issue.

[+] bombarolo|12 years ago|reply
You don't even need to ask ddg for a private key, go straight to certification authority.
[+] DoubleCluster|12 years ago|reply
This article states that the NSA will get the information anyway. Even if this is true it may be a good thing to choose a search engine that makes a point of at least not tracking you itself. Sadly Google has much better search results...
[+] ekianjo|12 years ago|reply
The article is completely missing the point. Of course the NSA can get information from DDG, the point is that there is not much information to be earned there in the first place, and the searches are not associated with your google account, let's say.
[+] p37307|12 years ago|reply
Lots of comments here. Not sure if it is already covered or not. So I will be brief.

DDG, Hushmail, etc. Doesn't really matter does it if the NSA gets you at your internet connection and reads what you are doing from your service provider's trunk?

You can DuckDuck and Go and hush your email. If they are grabbing it at the point of your modem and your internet provider, the illusion is you are secure but really you are not.

[+] nine_k|12 years ago|reply
Data for such services leave your computer encrypted with SSL.

Bugging your computer (and/or phone) is probably the best way to track your communications clandestinely.

[+] jister|12 years ago|reply
> Can they refuse to collaborate with the NSA if approached?

What I would like to know is if they can really refuse when big corps such as Google, Microsoft and others can't?

> Gabriel Weinberg comment: We have not received any request like this, and do not expect to.

But if they receive such a request can they just really say NO while other big companies can't?

[+] trotsky|12 years ago|reply
EDITED: Thanks guys, it seems like I managed to paste over most of my post with the clipboard filled with the last one. Thanks for being so nice pointing it out. Sucks, the on topic one I destroyed was leaps above the banal content that replaced it. Left something here to avoid you guys being orphaned. Sorry for reducing the signal to noise ratio!
[+] Ihmahr|12 years ago|reply
Also consider the Holland-based search engine www.startpage.com which has all kinds of certificates.