Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor 170
An anonymous reader sends this quote from TechDirt:
As a string of whistle blowers like former AT&T employee Mark Klein have made clear abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all-but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.
Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.
Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.
Depends... (Score:5, Funny)
Re:Depends... (Score:4, Informative)
Nobody is being "backdoored" here except as required by law. The linked story summary is a troll for mentioning the NSA - it has nothing to do with them, but either the writer doesn't know what they're talking about or they just figured that would get more clicks.
Telecom providers are required to make sure that any voice service they sell is compliant with CALEA [eff.org]. There is no direct CALEA equivalent today for data services, interestingly - this is how far behind the times the Feds can be. And yes everything in LTE is data but for the purposes of the law, anything where you are talking - for example VoIP - is considered a voice service.
CALEA basically means that if you (the telecom) get a wiretap order - signed by a judge - from a law enforcement agency, you need to wiretap and record that user's calls for the specified time period, decrypt them if necessary, and then turn them over to the law enforcement agency. Verizon had to make this service CALEA compliant, or they couldn't have offered it. And remember that CALEA is not about mass wireless surveillance a la NSA but is actually about targeted recordings of specific individuals where there is probable cause enough to get a judge to sign off on the wiretap order. Very different things. You can dislike CALEA but you can't blame Verizon for putting in some magical backdoor - that has absolutely zero to do with the NSA - which they are required by law to have.
However for the privacy-minded it should be noted that the way things work, CALEA only applies to telecom providers. If you bought the same software from a non-telecom source (e.g. the software OEM themselves) and put it on your phone, then CALEA won't help law enforcement because Verizon wouldn't have the key to decrypt your calls with and could only turn over the encrypted stream. So if you are worried about being wiretapped by the police, don't buy your encryption service from your phone company.
Re:Depends... (Score:5, Informative)
From TFA:
"...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."
Re:Depends... (Score:4, Informative)
From TFA:
"...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."
TFA is a plain ol' troll. CALEA indeed requires any switching systems used for voice traffic (land lines and cell phones) to allow for electronic eavesdropping of all calls going through them. The only caveat is that replacing/upgrading every switching system is completely impractical, even in decades-long time frames, so the FCC has been granting extensions for non-compliance. If Verizon went to the FCC saying that they were going to put software in that started to roll back CALEA compliance from any call that happened to be made using a pair of their cellphones running their provided encryption software, they would have thrown the book at them. New systems *do* have to be CALEA compliant.
Re: Depends... (Score:2, Interesting)
Not a troll. They advertise it as end to end and it is not.
Re: (Score:3)
This has never been about whether the current U.S. government is trustworthy, but whether the future U.S. government is, and no one can ensure that. Would you trust promises from the Chinese government to always get warrants, or trust the quality of the warrants if they did? Governments are made from people and the people change. You may trust the U.S. government now, but you should not trust the U.S. government of the future further than necessary.
Re:Depends... (Score:4, Insightful)
Nobody is being "backdoored" here except as required by law.
An unconstitutional law is actually not a law at all.
Re: (Score:3)
Further, the presumption that because it falls under the umbrella of law, it is somehow made "ok", is utter nonsense from word one.
Re: (Score:2)
Any law has to be tested and evaluated. Never follow any laws blindly for this is what makes dictatorships possible in the first place. And don't think "I was just following orders" will eventually save you.
Laws must not be an excuse to do what simply is not right.
Re:Depends... (Score:5, Informative)
An unconstitutional law is actually not a law at all.
What's unconstitutional about CALEA? It requires police to show probable cause and have a judge sign off on a request, just as if it were a warrant for arrest or any other search and seizure of personal records. Whether it does so in practice is a different question, but in theory the law itself is at least designed to be fully compatible with the Fourth Amendment.
NSA warrantless wiretapping? Almost certainly unconstitutional, by any reading other than Dick Cheney's. CALEA? Probably not so much.
And BTW an unconstitutional law is still a law. Not sure where you learned your legal theory. A law that's unconstitutional should in theory be overturned by the courts so that it's not a law anymore - that's how "checks and balances" work - but until such time, it is most definitely a law and entirely enforceable!
Marbury v Madison "null and void" (Score:3)
The Supreme Court says they are null and void, iow not law.
Thomas Jefferson, Alexander Hamilton, and other founders also expressed this principle.
"All laws which are repugnant to the Constitution are null and void.â (Marbury vs.Madison, 1803.)
âoeEvery law consistent with the Constitution will have been made in pursuance of the powers granted by it. Every usurpation or law repugnant to it cannot have been made in pursuance of its powers. The latter will be nugatory and void.â (Thomas Jefferson
Re: (Score:3)
From what little I know, the NSA doesn't actually spy on US citizens en mass. Instead, it has contracted other extra-national agencies to do it, specifically to get around the letter of the law. These are quid pro quo arraignments with agencies like Britain's MI6. We monitor them, they monitor us, and we exchange data.
So technically, they don't spy on us, but the result is the same.
Re: (Score:3)
My kingdom for a modpoint! This whole submission is a troll right down to the last line, "Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world." Thinking that a large, federally regulated business is going to push a system without a central keystore (what they meant to jab at instead of the "end-to-end" nature) is laughable. Trying to make Verizon out as the bad guy over this is just taking away time that could be spent making them out as
Re:Depends... (Score:4, Interesting)
I would say that advertising the 'service' as end to end when it isn't even legal for it to actually be end to end is a legitimate moral shortcoming.
Re: (Score:2)
Well, there is end-to-end crypto, technically speaking. They're 'just' deliberately misleading the customer as to its utility.
Re: (Score:2)
I would say that advertising the 'service' as end to end when it isn't even legal for it to actually be end to end is a legitimate moral shortcoming.
The term "end-to-end crypto" says nothing about who else might have the crypto key. Just blindly assuming that no one in the middle has it, it is a real shortcoming. The only way for a system like you are imaging (where only the caller and receiver have the key) to even work is for you to somehow establish a trusted key with every person you call, on the fly. How do you know no one is in the middle, ready to intercept the key before the first call? The only reason SSL/TLS is reliable is that there is a
Re: (Score:2)
If anyone else has the key, then the system is pretty much useless. Cell networks already use encryption between your handset and the towers (which gets stronger periodically as folks crack the existing protocols), and the wires are only tappable by the government, realistically, which means Verizon's end-to-end encryption offers you exactly
Re: (Score:2)
Agreed, to actually be sure, the software needs to be at least verified by someone you trust. It would not be wise for that someone to be a telco. However, end-to-end has a specific meaning and Verizon's service isn't it.
As for the keys, you can identify the party through conversation. If you've never met, you would need a trusted introducer in a 3 way call to verify each of you to the other. Then transmit public keys around and read back the key fingerprints. In other words, use the PGP/GPG web of trust ra
Re: (Score:3)
But they DIDN'T have to falsely advertise it as end-to-end encryption when it clearly is not.
Re: (Score:2)
Just out of curiosity, how do you identify voice data when it's encrypted?
Re: (Score:2)
Re: (Score:2)
or the average contemporary game talking to its "always on" server, encrypted to avoid cracks. Or the average MMO communicating with its server, encrypted to make botting harder. Or maybe games isn't interesting enough, how about an encrypted VPN connection tunneling a Windows/XWindow session?
Voice is by no stretch the only real time dependent form of communication.
Re: (Score:2)
Didn't say it was. It's the pattern of usage, though, not any real time constraints. Server-based games tend to be receive-heavy rather than symmetric; they're sending the user's actions but updating the entire environment around the user. Always on DRM is basically periodic license re-validation, relatively low frequency. UI remoting is again going to be extremely receive-heavy; keystrokes and coordinates take up much less space than graphics pushes.
You might have difficulty distinguishing one voice ap
Re: (Score:2)
As this is called "end-to-end" encryption, any intentionally-created possibility to eavesdrop is a "backdoor", as it represents an "attack". That such practices may be legal in some broken legislations does not change their nature.
Re: (Score:3)
Telecom providers are required to make sure that any voice service they sell is compliant with CALEA [eff.org]
In that case, CALEA would effectively render end-to-end encryption illegal. So, IMHO, they should be hunted down by lawyers for either not complying with CELEA or for not offering what they advertise.
And remember that CALEA is not about mass wireless surveillance a la NSA but is actually about targeted recordings of specific individuals where there is probable cause enough to get a judge to sign off on the wiretap order. Very different things.
Indeed. But there's nothing that keeps the NSA from using the same interface, too. either by serving wiretap orders themselfs (decorated with a nice gag order) or by targetting the CELEA equipment.
Re: (Score:2)
I don't have anything against law enforcement having the ability through the court system to wire tap. What I am against is when phone companies pretend that this doesn't exists. So this is not "end-to-end" encryption, it should be called "end-to-end except as required by law" encryption
Re: (Score:2)
Nobody is being "backdoored" here except as required by law
That may be what they intended.
But when it comes to security, adding a backdoor for one means adding an unpatchable gaping security hole for the entire world.
Either nobody can spy or everybody can spy.
Re: (Score:2)
With no anal lube either.
computer with a phone add-on (Score:3)
People are running around with computers in their hands, the phone is now nothing but an add-on feature, as such we should be able to have a real p2p encrypted channel with communications over it, so for people with data plans this shouldn't be a problem. I am more interested seeing if we can have a system that uses voice to send encrypted data over it...
Re: (Score:3, Funny)
Perhaps if we could figure out some way to "modulate" encrypted digital data into sounds, and then "demodulate" the sounds into data on the other end, we might have something on our hands.
Re: (Score:2)
So write the software. Nobody is stopping you.
Re: (Score:2)
Redphone: https://whispersystems.org/ [whispersystems.org] Not P2P, but beats this offering.
Re: (Score:2)
You right, the obvious solution is just have the handsets negotiate. There is absolutely no "good" reason call setup between two cellular handsets should not feature some kind of certificate validation step between the end points followed by the exchange of uniquely per call generated symmetric key exchanged securely using the same PKI used to validate the certificate authenticity. Essentially SSL for phone calls.
People could use third party CAs like they do for the web today for most callers. Phone soft
This should be free (Score:5, Insightful)
Aren't our calls supposed to be encrypted anyway? I mean, so some jack ass with a radio can't listen to them? So what are they charging me for here?
Sounds like a reasonable product for the government.
For the consumer though, you have to ask yourself what you're actually getting with this? Doesn't appear to be anything. After all, the only people that could normally break into your communications would be the government anyway.
Re: (Score:3)
Re: (Score:2)
Frankly, in the long term I see us going to peer to peer VOIP in any case. Everything in between doesn't need to encrypt or know my encryption keys. All it needs to know is how to route my data stream to my target.
As it stands, if I want to make a secure call, I can already do it... for free. There are lots of VOIP programs that do it. The only issue is interlocking the VOIP systems with the old phone networks. And again, you can do that in your own home without a lot of trouble.
Re:This should be free (Score:5, Informative)
Aren't our calls supposed to be encrypted anyway? I mean, so some jack ass with a radio can't listen to them?
Cellular communications are encrypted between the handset and the tower to prevent the radio buff from listening in. How effective that encryption is is up for debate. This means any end-to-end encryption would actually be double encrypting the data as it passed between handsets and towers, once for the cellular signal, and once for the end-to-end system.
Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.
Also I believe the summary is misleading. This probably is an end-to-end encryption system, meaning the call is encrypted at one handset and the encrypted data travels to the other handset before being decrypted for the purpose of the call. If there is a backdoor that compromises the encryption key, that doesn't change that the system is end-to-end encrypted, just that a snooper would be able to decrypt the traffic.
Re: (Score:3)
if the keys aren't private then it is hard to claim the encryption is worth anything..
Re:This should be free (Score:5, Informative)
The issuer generally doesn't have a copy of your private key. You make a public-private keypair, put the public key into a certificate request, send the request to a CA, and the CA generates a signed certificate from it that includes the public key. The private key is not seen by the CA at any point.
You of course *could* have the CA generate both parts and then send you both the public and private key, but that's not nearly as good a solution and is much less common. Most of the CAs I've seen that provide "easy to use" interfaces generate the keypair in the Web browser so that the private key doesn't have to be transmitted.
Re: (Score:2)
Well said. More info, for the curious: http://en.wikipedia.org/wiki/C... [wikipedia.org]
A lot of people don't even realize that web browsers have the ability to generate key-pairs of which only the public portion is ever sent to a CA or anybody else. It's actually a fairly sane system. If you need to export the private key (for example, to copy it from your PC to your phone, or to back it up) then you have to do so through the web browser or through whatever keystore it uses (Windows, for example, has a built in one you ca
Re: (Score:3)
We've been watching the evidence of their issues for several years now as one holder of CA licenses after another gets compromised and fucks everyone over in the process.
Only two entities should have the keys. The source and the destination. And there is even an argument for having more tightly regimented systems then that.
What you're basically saying is "are you implying that our widely used encryption systems are bad!?"
Yes... they're trash. I thought everyone here already knew that.
Re: (Score:2)
You might want to enlighten us what system you would present to replace CAs. It should at the very least solve this problem: How do I verify the identity of the other end?
Re: (Score:2)
The key management is pretty much as you've stated: the website I connect to has a public key and only they know their private key. To allow them to talk to me, I generate a public key and keep the private key. Once we've negotiated that, we settle on a symmetric key that only we know.
What the CA system does is try to provide some assurance that I know whom I am talking to. If I do, everything's peachy. If not, I'm vulnerable to a man-in-the-middle attack. This is not because our encryption systems
Re: (Score:2)
Verification of identity is self evident if only the source and destination can decode a message. A man in the middle attack gets garbage if they don't have the key.
The only way a man in the middle attack works in this system is if you're passing keys back and forth and the man in the middle intercepts the key.
There are a variety of means of avoiding that besides using a trusted third party. After all, how do you know that the trusted third party isn't compromised?
They are themselves verified by having some
Re: (Score:2)
As to key distribution and management, yes it is easy actually. It simply requires that the source and destination are not idiots.
Managing a security system amongst idiots is in practical terms impossible. People that are not idiots have to be in control of it. And if the source and destination are clueless then an educated third party has to manage it.
However, assuming neither source nor destination are clueless... it can be done easily. And it is done all the time by those that aren't clueless.
Re: (Score:2)
And if the source and destination are clueless then an educated third party has to manage it.
... an educated and trustworthy third party. And that's where it becomes difficult...
Re: (Score:2)
No third party is ultimately trustworthy.
Re: (Score:3)
You do not understand what "end-to-end encryption" means. The end isn't where ever you feel an "end" is. It's the other end that you are communicating with. That's why it's called "end-to-end" and not "end-to-middle" or "end-to-system" or any other variations.
Re: (Score:2)
You do not understand what "end-to-end encryption" means. The end isn't where ever you feel an "end" is. It's the other end that you are communicating with. That's why it's called "end-to-end" and not "end-to-middle" or "end-to-system" or any other variations.
How did this get modded up? The "ends" are the handsets. As I said "the call is encrypted at one handset and the encrypted data travels to the other handset before being decrypted for the purpose of the call". One handset encrypts it and the other decrypts it. The encrypted data is sent from one handset to the other with the transport system as designed not decrypting the data anywhere in the middle. That is the definition of end-to-end encryption. The only way to push the endpoints further out, assum
your best value in "open to bad guys" (Score:3)
as we have pre-selected the best of the bad guys to listen in on all your calls! this handy feature is worth twice the price!
It's required (Score:3, Informative)
See the CALEA Act [wikipedia.org] passed in 1994. Telecom providers HAVE to provide that backdoor. If not - they are subject to fines of up to $10,000 per day per connection not in compliance, and having their network shut down until it comes into compliance.
Your indignation should not be directed at Verizon - it should be directed at Washington, DC.
Re:It's required (Score:5, Informative)
False.
CALEA only requires the backdoor to exist if it's technically possible. TFA is pretty clear that other manufacturers and carriers have chosen to implement end-to-end encryption that doesn't have the ability to be backdoored, and as such, there's no need to provide the (non-existent) backdoor to the feds.
Re: (Score:2)
Firstly, if you can facilitate multi-way calling then it is clearly technically feasible to support a wire tap. Secondly, unlike many other snooping regulations, CALEA explicitly obliges telecommunications companies to modify their systems and equipment in order to facilitate "lawful access" (sic). Verizon are a telco, not an app company, so they are bound by CALEA in ways that people like Silent Circle [silentcircle.com] or CellTrust [celltrust.com] are not.
Re: (Score:2)
In this case there would have been nothing easier than create a new company out of thin air that sells the service that is no telco. It's not like creating a new virtual company is hard in this country.
Re: (Score:2)
Nonsense. Multi-way can also be end-to-end encrypted with no way to intercept. Maybe read up on crypto before claiming BS?
Re: (Score:2)
But that can easily be prevented in a public key system. Just a simple example that I am formulating as I type. The peers elect a master based on any arbitrary criterion (pick a number, who has the lowest mac address, who called in first, whatever). Everybody else hands it a public key. The master generates a session key and encrypts it with each authorized public key to distribute it. If LEO taps in, he gets nothing unless he can convince the master to accept his public key. If there are supposed to be 3 p
what if the backdoor is always the master (Score:2)
what if the backdoor is always the master
Re: (Score:2)
The legit parties to the conversation would notice that none of them are the master. Or choose an election system that makes one of them the master every time.
Re: (Score:2)
False.
CALEA only requires the backdoor to exist if it's technically possible. TFA is pretty clear that other manufacturers and carriers have chosen to implement end-to-end encryption that doesn't have the ability to be backdoored, and as such, there's no need to provide the (non-existent) backdoor to the feds.
Can you design a system you would solely supply for encrypted end-to-end communications that could NOT have a backdoor implemented? If you implement the end-points, then a back-door is automatically possible - you control the encryption/decryption on the ends.
Re: (Score:2)
what makes you people think that any of your electronic communications are secured from the government?
What makes you think the government has a polynomial prime factoring algorithm?
Re: (Score:2)
Why would they need one if either or both the random number generator is weak or the encryption algorithm is vulnerable to cryptanalysis?
Re: (Score:3)
What makes you think they don't? What makes you think they even need one? What makes you think they don't hire, and utilize, some of the most powerful math-heads out there? What makes you think that something that can't be broken today won't bring you to the vale of tears days, months, even years later, if that's what it takes? What makes you think they don't have, or won't have, some kind of quantum computing device that obviat
Re: (Score:2)
What makes you think they don't hire, and utilize, some of the most powerful math-heads out there?
They do - and they still haven't solved Kryptos, let alone polynomial prime factoring. Hard problems don't magically become easy because "it's the government."
Re: (Score:2)
You don't know if they've solved (the last part of) Kryptos. You just know the public hasn't.
The difference between what you think you know, and what you actually know, is often quite significant.
As for the "magic" straw man, not worthy of a response.
Re:It's required (Score:5, Insightful)
Re: (Score:2)
They are providing end-to-end encryption. They probably just control the keys.
Re: (Score:2)
Re:It's required (Score:5, Insightful)
Your indignation should not be directed at Verizon - it should be directed at Washington, DC.
A fun part of this is that the government employees at ARPA back in the 1960s explained it all to us. They firmly rejected building any sort of encryption into the network itself, on the grounds that such software would always be controlled by the "middlemen" who supplied the physical connectivity, and they would always build what we now call backdoors into the encryption. They concluded that secure communication between two parties could only be done via encryption that they alone controlled. Any encryption at a lower level was a pure waste of computer time, and shouldn't even be attempted, because it will always be compromised.
This doesn't seem to have gotten through to many people today, though. We hear a lot about how "the Internet" should supply secure, encrypted connections. Sorry; that's never feasible, unless you own and control access to every piece of hardware along the data's route. And the ARPA guys didn't consider that, because that first 'A' stands for "Army", and they wanted a maximally-redundant, "mesh" type network that would be usable in battle conditions. They went with the approach that you use any kind of data equipment that's available, including the enemy's, and you build in sufficient error detection to ensure that the bits get through undamaged,. Then you use encryption that your team knows how to install on their machines and use. And you probably change the encryption software at irregular intervals.
Anyway, the real people to direct your anger at are the PR folks in both industry and government, who keep trying to convince you that they can supply encryption that's secure. Yeah, maybe they can do that, but they never have and they never will. And the odd chance that they've actually done so in some specific case doesn't change this. The next (silent, automatic;-) upgrade will introduce the backdoor.
Unless you have all the code, compile it yourself, and have people who can understand its inner workings, you don't have secure encryption; you have encryption that delivers your text to some unknown third parties. It's the US government's own security folks who explained this to us nearly half a century ago.
Re:It's required (Score:4, Informative)
And the ARPA guys didn't consider that, because that first 'A' stands for "Army"
The "A" stands for "Advanced". I think they were more interested in a research network than a tactical (battlefield) network. I think it's still true that "one organization controls all the infrastructure between two points on the Internet" was *not* the model of the Internet they were envisioning at the time.
Re: (Score:2)
ARPA was also called DARPA at various times, where "D" stands for "Defense", and the ARPANet was therefore called DARPANet at those times.
Back in the day when the only people on the 'net were military, schools, and tech companies... long long before Canter and Siegel's Green Card spam.
Re: (Score:2)
It was the 1960s. You were lucky to have a 300 baud modem, they wanted to save two bits by chopping the "19" off 1960 and encryption was regulated as munitions. Heck, even in the 1990s they wanted to restrict my browser to 40 bits so I didn't have "export grade" cryptography. I still hear cost for servers and battery life on clients as an argument for why sites don't move to HTTPS, The very idea to build the Internet with strong encryption by default was ridiculous on technical merits and I don't recall any
Sell the key (Score:5, Funny)
Verizon sells you end-to-end encryption and then sells NSA the key.
Re: (Score:2)
And then the next Snowden sells the back door key to whoever he wants!
Re: (Score:2)
The real cost of the service is $90 per line. The other $45 is subsidized by the NSA.
Who are you defending against? (Score:3)
If you think you're defending against the NSA with encryption provided by a big telecom company, you're fooling yourself, even if this policy weren't public. If, on the other hand, you're defending against basic hackers hired by a competitor, then perhaps this would be a reasonable option. It's like locking your doors, putting bars on all your windows, and putting your stuff in a safe. Sure, that'll keep most burglars out, but do you think the NSA wouldn't be able to get to your stuff?
This is the part that bugs me: "so long as they're able to prove that there's a legitimate law enforcement reason for doing so." It used to be that meant demonstrating to an impartial judge that they had probable cause, which takes the form of a warrant. However, it doesn't say they need a warrant...so now it's a Verizon employee rather than an impartial judge who gets to decide if there's probable cause.
Re: (Score:2)
Also, FTA:
Verizon believes major demand for its new encryption service will come from governmental agencies conveying sensitive but unclassified information over the phone, says Tim Petsky, a senior product manager for Verizon Wireless.
Sensitive, but unclassified. That should give an indication as to the level of security they expect it to provide.
Re: (Score:3)
1. That's pretty common simply because getting anything approved for encryption above the SBU level is difficult and expensive. (It also requires, in essence, review by and the approval of NSA.) So tons of encryption products are made only up to the SBU level.
2. Even with end-to-end encryption, it's unlikely that they would approve classified data transiting the Internet.
Re: (Score:2)
In this context a legitimate law enforcement reason means a warrant would indeed be needed. Companies are increasingly challenging governmental and law enforcement requests for data in several different venues. Including telecommunication data, data stored in data centers, and video surveillance collected from publicly mounted cameras. Even when the FBI attempted to slap a GPS tracker to a suspects car without a warrant resulted in the evidence collected being thrown out of court. There is a system in place
Re: (Score:2)
Are you mad? They don't even insist on warrants when they can't meet the requirements of the 4th amendment, preferring to focus cluelessly upon the word "unreasonable" and ignoring the litany of probable cause, supported by oath or affirmation that were put there to explicitly define what "reasonable" is. They just break your door down, and shoot you -- and your pets.
And you think a law that doesn't even say a warran
Re: (Score:2)
Give a real life example of someone prosecuted and convicted of a crime using evidence from data collected without a warrant or using a NSL Add FISA warrants into the mix as well. Although I am sure you know that any evidence collected using a FISA warrant is in admissible and can not be used in court against a defendant. Evidence collected under a FISA warrant are used to collect enough evidence to obtain a regular court warrant. And if so was the issue addressed in a court of law to support the defense? A
They don't need no steenking warrants (Score:2)
Hysteria, eh? Well, let's just drag a few facts out. Here we go:
o Straight-up misconduct [policemisconduct.net]
o Botched paramilitary police raid data [cato.org]
o Judge, jury and executioners in blue: The death penalty -- without a court [mintpressnews.com]
o Warrants "not required" data [aclu.org]
o Seizure of property without warrants details [thenewspaper.com]
o $2.02 billion dollars in cash and property seizures for/in which no indictment was ever filed [washingtonpost.com]
o Other illegal horrors [mic.com]
Just a little information -- what we know -- showing our government at work, cavreader. Now, I don't know how you w
Re: (Score:2)
There have been a total of two attempted prosecutions under provisions in the Patriot Act
And how many NSLs have been issued to force the cover-up of these constitutional violations?
Re: (Score:2)
Any voice or text entered will just be collected on the device before the encryption software.
Think about a number station or one time pad. Anyone can hear that long list of personal messages.
Verizon admits it's a "weakness" (Score:2)
Seth Polansky, Cellcrypt's vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. "It's only creating a weakness for government agencies," he says. "Just because a government access option exists, it doesn't mean other companies can access it."
I doubt it will be very long before third parties apart from government figure out how to access their backdoor.
Re: (Score:2)
I doubt it will be very long before third parties apart from government figure out how to access their backdoor.
No, because the "backdoor" is getting a judge to sign a warrant for the police to wiretap you, and the police submitting that request to Verizon through official channels so that Verizon uses the keys that they have to decrypt the communication and give it to the police.
How is a third party going to use that?
Re: (Score:2)
Well it depends.
Mr. Polansky himself (while certainly not a security expert or a cryptographer) describes it as a "weakness" built into the system. The streets are littered with products and systems built with backdoors/weaknesses that are found & exploited by attackers (sometimes an insider who knows about or helped implement the weakness.)
On the other hand, while still subject to abuse, if the "weakness" is a 2nd, high entropy key, then you either have to get the key, or break the crypto (getting
Re: (Score:2)
"No, because the "backdoor" is getting a judge to sign a warrant for the police to wiretap you"
The police and the police only? In each and every case?
US Corporation... (Score:3)
...US Laws.
'nuff said.
No, seriously, can we please stop being shocked and appalled over the (ancient) concept that a US Corporation would beholden a US Citizen with any form of communications service that also contains a back door for the US Government? The OMGWTFEFF attitude is wearing thin.
US Corporation. US Laws. CALEA is twenty years old now. You have no Right to privacy anymore with any US-based communications service.
Oh, and according to this Administration, you just might be a terrorist if you think or assume otherwise. Have fun.
Re: (Score:2)
The pattern repeats itself. There are quite a few obvious spots in human history where things like this have been done before, and universally with catastrophic consequences.
There is no "law enforcement only" backdoor (Score:5, Insightful)
Any backdoor is by definition available to everyone. Some may have a key, the others have lockpicks.
Re: (Score:3)
How is this insightful? What does "backdoor" have to do with it then? If anything with keys can be picked, then all encrypted communication is vulnerable and adding a backdoor would just be meaningless.
All communication has to be decryptable or it isn't communication. (How would one-way communication work? exactly like a write-only memory chip). So someone always has to have a key, but that doesn't always have to be the NSA or government or even Verizon.
Re: (Score:2)
The bigger the group of people who have access to resources that are to remain secret, the bigger the threat that the secret gets out. It just takes one link in the chain to break it, and only one to talk to render a key useless.
Or, in other ways, while breaking a key may be impossible, breaking a kneecap isn't.
Re:How is this different than the clipper chip? (Score:4, Insightful)
Yeah, so they clandestinely compromised your software and network transceivers and near silently passed legislation to make it all retroactively legal tacked onto other bills instead. That'll teach you to stick up for your rights you worthless proletariat.
Like that bit about Congress deciding parallel construction due to NSA cellphone taps does not violate your 1st, 4th or 5th amendment rights. We all know damn well that those assholes were NOT representing their constituents when they voted on that one. If that passes SCOTUS, basically all is lost and everything just gets worse until it affects rich folks enough that they get pissed off, arm a bunch of people and organize.
Make no mistake, the current regime (government and large corporate) views you as the enemy. An inconvenience in their way. And the more inconvenient you are, the less they care about breaking any and all laws to see you silenced or discredited. Welcome to Hell folks, it only gets worse from here.
Re: (Score:2)
If that passes SCOTUS, basically all is lost
Is this a case? Can someone drop the name or a link to the docket so I can follow it? (Typed in total sincerity. No sarcasm here.)
Re: How is this different than the clipper chip? (Score:5, Interesting)
It's simple: you can't. They won, let's face it. There's nothing anyone can do.
Unless they make the same mistake the Nazis did and start persecuting the rich, no one will have the funds or manpower to organize an effective resistance. And due to very effective media manipulation techniques, anyone else who tried to rise would be labelled a lone, kiddie murdering, child molesting, atheist, serial rapist that preys on cute rich white girls.... and boys. And the cops will obviously be in fear for their lives as they shoot you in handcuffs.
They aren't making the same mistake the Nazis did. This is not race warfare. This is not religious warfare. This is CLASS warfare. And you aren't part of their class but they will never truly admit this to you directly. They'll just have you pulled over for your car being too old, shoot your dog in the backseat, and tell you to stop resisting as they cave your face in with onlookers doing nothing because you dared look them in the eye. And the perpetrators of the violence will investigate and clear themselves. Welcome to 21st century America.
Re: (Score:2)
That's the new democracy. You keep voting until the outcome the aristocracy wants happens. But you have the total choice, provided you can be available at 2am at the bottom of the ocean where the free election is going to be held.
Re: (Score:2)
The Clipper chip and similar things were, as I remember, key escrow. That was a major security problem, and meant that government agencies (and anybody who could fake being one or hack into some badly protected server) could decrypt anything you sent. CALEA doesn't require that; all it says is that the government has to be able to tap the communications channel when a warrant is presented. This is much more secure, and does not permit retroactive fishing expeditions.
Re: (Score:2)
FTA:
Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.
Re: Actually, not free of charge (Score:2, Informative)
Why wouldn't you just install Signal?
It's free, open-source, and the team is headed by someone respected in the security industry. (Moxie)
Better yet, with TextSecure integration into Signal -- coming soon to IOS (beta) already available for Android as standalone app -- one's text messages are also protected.
Re: (Score:2)
Rather unlikely after this revelation.
People who don't care about a secure communication line won't buy it because they don't care about having a secure communication line.
People who do care about a secure communication line won't buy it because they do care about having a secure communication line.