
US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.

  • They are correct (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 05, 2017 @10:34PM (#55685437)

    And companies don't need a court order to ignore them.

    • Re:They are correct (Score:4, Interesting)

      by Billly Gates ( 198444 ) on Wednesday December 06, 2017 @03:55AM (#55686219) Journal

      And companies don't need a court order to ignore them.

      You know the federal government has tens of millions of seat licenses of sales to keep your share prices high.

      It would be a shame if something happened to that deal?

      • by Opportunist ( 166417 ) on Wednesday December 06, 2017 @04:21AM (#55686289)

        And governments as well as corporations abroad have even more.

        You can now choose between pissing off about 5% of your market share or 95% of your market share when it comes out that you bent over and sold the 95% out to the 5%.

    • Re: They are correct (Score:2, Informative)

      by Anonymous Coward

      Just like Qwest?

    • The US Constitution prohibits searches without a warrant. Doing "Jobs" for the government makes you an employee of the government and therefore subject to the Constitution, so this should be illegal. Of course the Federal Government chooses the supreme court judges so the law can be interpreted.
    • Right. "Backdoors" are essentially fake encryption and the tech companies are distinctively aware of this even if legislators think it is like the stuff they see on hacker movies. You technically can't call it encryption if you don't control the key. It is mathematically incorrect.

  • by FrankHaynes ( 467244 ) on Tuesday December 05, 2017 @10:36PM (#55685443)

    when heavy-handed coercion will do the trick every time?

    • by AHuxley ( 892839 )
      Once the tech sector had a few bankruptcies described to them even the most dim-witted management teams understood no court order was needed.
  • boil it down (Score:5, Interesting)

    by TheGratefulNet ( 143330 ) on Tuesday December 05, 2017 @10:38PM (#55685447)

    it boils down to:

    "I want this. give it to me!"
    "why? you have shown you can't be trusted with this. and, math also says it's not possible."
    "I don't care. I'll force you if you don't volunteer."
    "looks like you want a fight. bring it."

    and so on, and so on.

    some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.

    it's sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.

    it's a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.

    • Re:boil it down (Score:5, Interesting)

      by rtb61 ( 674572 ) on Tuesday December 05, 2017 @11:14PM (#55685575) Homepage

      To which the response is, "fine, if I can't have it then, fuck you, you can't have it either". You do that by shifting the encryption coding bit to FOSS, as a network add-on, and they can try to stick the back door in free open source code, which you can locally compile and then add to your software that lacks a network connection module. The encrypted network connection module can be served up by anyone and if they really need to hack your computer, they can hand you a national security letter and demand you hack yourself or just fucking apply for a search warrant and get busy with cameras and wires and people in the field, no 'bullshit control freak spy a thon for you' more specifically them. There was a time due to US regulation I had to download 128 bit encryption from the internet and install it myself, so, so hard, to do it again, in fact the US government drove FOSS encryption.

      • by Xyrus ( 755017 )

        And your ISPs terminate all your traffic for not complying, which they now can with the upcoming repeal of net neutrality.

        Brave new world.

    • Re:boil it down (Score:4, Interesting)

      by Puls4r ( 724907 ) on Tuesday December 05, 2017 @11:39PM (#55685673)
      It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?

      It's usually held behind closed doors and handled, and if it isn't like the Apple issue, then there is a reason you and I don't know about. It will STILL get handled behind closed doors, the government will just have to give something up in return like looking the other way on Irish tax havens, etc.
      • restricting crypto (Score:2, Interesting)

        by Anonymous Coward

        It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?

        Export of what exactly?

        For hardware, most things are made outside of the US, so they're actually "imported" by American consumers.

        For software, you shift the crypto component offshore, and US customers "import" that component. OpenSSL (then SSLeay) actually began in Australia during the first 'Crypto War' of the 1990s to get around the US ITAR restrictions. Ditto for OpenBSD: strong crypto coded in Canada. Debian had a "non-us" repo for strong crypto:

        * https://wiki.debian.org/non-US

        As did FreeBSD:

        * http

      • ...and anything else the government has that they can legally do that are in their powers?

        "Legally?!" You're a funny guy.

      • What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?

        I don't know, but it suggests that companies barred from government contracts or exports are probably the companies with integrity that you want to do business with.

    • A lot of computer owners would probably wind up keeping certain computers completely off any network connected to the Internet if the government had the ability to force the use of backdoors.

      That would be worse for the value of the Internet than anything else I can think of.

      • Already do.
        I have three networks at my house:
        * Internet connected (through IPFire and PiHole) LAN access (Wired/WiFi WPA2)
        * Internet connected (through IPFire and PiHole) WiFi open (NO LAN access) labeled GuestMonitoredConnection
        * Isolated. No Internet connection, different physical layer, no WiFi. Accessed through Bastion host that has IpKVM type connection to internal LAN. The bastion is able to RDP to all machines on isolated network, and it is connected to through use of a Raritan IPKvm on the LAN.

        • So your hacker access point is the WPA2. Hope you have logs.

          • Of course I have logs, I also have physical remoteness and a couple other measures (remember everything is moderated through IPFire, which supports RADIUS authentication).

    • by Anonymous Coward

      Except they don't say no, remember Microsoft? Keen to get lots of surveillance contracts, they bent over backwards to give them disk encryption keys.

      https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

      " Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal; The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail; The company worked with the

  • Buy Chinese (Score:5, Insightful)

    by PPH ( 736903 ) on Tuesday December 05, 2017 @10:42PM (#55685463)

    They may be spying on you as well. But they won't be using what they get for any parallel construction.

    • Re: (Score:2, Insightful)

      Yeah, this is why the intelligence community always freaks out about Chinese backdoors and such. This is their turf! Only they can spy on us!

      Unless your job is handling classified material, then you have nothing to fear from the Chinese government going through every bit of data you ever generate. They literally have no way to harm you. On the other hand, the US government has not only the means but the motivation to harm you.

      I remember some .ru email service was being promoted on Slashdot, and peop

      • I remember some .ru email service was being promoted on Slashdot, and people were shouting, "It's bugged by the KGB, don't use it!" Like, who cares? They're not going to care one whit about my life. The same with Kaspersky anti-virus.

        This implies that you believe all the politics theater that you see in the press about how adversarial the relationship between the US and Russia is. But it is both cooperative and competitive in the region of information. We share some information. It's not safe to assume that your government isn't getting your personal information from some other government, in exchange for providing them the same kind of information about their own citizens.

    • by gweihir ( 88907 )

      You have a point. What a sad, sad state of affairs.

    • Absolutely. If you are a government or a corporation, foreign spying is bad. If you are an individual, foreign spying is a whole lot more benign than domestic spying.

  • by ad454 ( 325846 ) on Tuesday December 05, 2017 @10:54PM (#55685501) Journal

    They did not need a court order to get Intel to install a backdoor into ME, AMD to install a backdoor into PSP, or Microsoft to install a backdoor into Windows 10, since they all did so quite willingly.

    It is a shame consumers can no longer fully own their modern computers. And yet these government agencies refuse to cover any part of the cost of new computers which they have some control over.

    • No, that was achieved entirely by the Independent Coalition For The Continued Sales Of Tin Foil Hats!

      Incidentally we're looking for a new acronym because ICFTCSOTFH doesn't really roll off the tongue.

    • by AmiMoJo ( 196126 )

      There are plenty of ARM based systems available that don't contain these backdoors. Many use CPUs from non-US companies that are at least unlikely to have FIVE EYES backdoors in them, and some have extremely minimal ROMs that limit the scope for malware anyway. Plus those ROMs are real ROMs (not flash).

      There are RISC V boards that can run Linux too. You still have to trust the fab didn't backdoor the design, but it's about as good as you can get short of making your own CPU out of twigs and string.

    • ...and so it'll continue.

      Let's say it'll cost $100 million to get the laws in place, and then to actually get all the tech companies to comply. Instead, just spend that money to 'motivate' those companies to do it for you without the laws and without the publicity.

    • Citation please.

      There is *no* intentional back door in Intel ME up to version 9 (I left the company before 10 shipped, so can make no comment).

      I am not gagged about not revealing anything via any NSL, and while I will respect my NDA with my former employer (even though the current CEO is a top shelf Asshat) I had full access to the source code, and had direct work with the authentication subsystem of the ME portion (NOT AMT) and I can categorically state that there was *NO* back door for any government in

  • by Locke2005 ( 849178 ) on Tuesday December 05, 2017 @10:59PM (#55685513)
    Sure, they can ask, and any enlightened company will politely tell them, "No way!" And as long as companies are honest and upfront about whether or not they have built in back doors, so that their customers can choose whether or not they want to deal with the risk, I'm fine with it. The problem is, aren't the criminals the most likely to avoid all the tech with back doors? In other words, voluntary weakening of security doesn't really accomplish anything, does it?
    • by AHuxley ( 892839 )
      Re "the criminals the most likely to avoid all the tech with back doors? "
      Criminals will respond in a few ways.
      What the GCHQ always warned about, going dark, just stopping using any collect it all communications after some other gov talks about collection too much.
      Criminals will use expendable front groups to bait the networks and see what agency comes looking.

      Telco work in the street. A new FBI utility pole surveillance cam was installed.
      A small aircraft takes off at an airport, stays over a part o
      • You have an awfully high opinion of the sophistication of criminals. Everything you describe could only possibly be undertaken by the most elite organized crime orgs in the world. For the other 99.99% of criminals, they'll just continue carrying on over plain old SMS and cell phones just like they do now, even in the face of secure alternatives. There's a small subset that are slightly more sophisticated that laws on built in encryption matter; but let's face it, this really has nothing to do with criminals
    • by Bert64 ( 520050 )

      But why would they?
      Companies are run for short term gain... Deploying a backdoor could get you a short term injection of cash from the government for whom you created the backdoor.
      Sure there is a risk the backdoor will be leaked in the future, but by then the people who made those decisions have taken their cash and run so they won't care.
      Also even if a backdoor is discovered, it can usually be explained away as a bug. Even when obvious backdoors are found (see the recent juniper ssh backdoor) they can clai

  • I wonder, are any of these people elected? Do they think that they owe any allegiance to the elected US government, seeing that it changes all the time? And when the elected government tries to control them, they hiss and threaten to strike back [washingtonexaminer.com]. If they don't think they should be under the control of the elected government, what's to stop them from doing any damn thing they please?
  • by kenh ( 9056 ) on Tuesday December 05, 2017 @11:19PM (#55685591) Homepage Journal

    ASKING doesn't require a court order, and compliance is OPTIONAL.

  • the weasel words about PRISM.
    If a company never refuses the gov, legal protections never had to be mentioned.
    If the brand never says no to the gov, they never have to tell their own legal department.

    The Rules of Collect it all Club.
    First rule of collect it all club, never tell an in house lawyer.
    Someone yells whistleblower, goes bankrupt, sells out, the collection is over.
    No lawyers, no admins.
    One agency at a time.
    Collection will go on as long as it has to.
    If this is your first connection to the Coll
  • I could ask a company to put a backdoor in their product if I wanted to. I might be laughed at, but I can certainly ask.

    A court order is only required if you need to force the recipient to comply.

    • by gweihir ( 88907 )

      You need a court-order to ask, if what you are asking is actually illegal, not just morally reprehensible.

      • by mark-t ( 151149 )
        It's not generally illegal to simply ask someone to put a backdoor in their product, nor is it typically illegal for them to comply with such a request voluntarily unless there were patently obvious negative implications to public safety and security.
    • "You can get much further with a kind word and a gun, than with a kind word alone"

      I think Abraham Lincoln said that.

  • by rsilvergun ( 571051 ) on Tuesday December 05, 2017 @11:31PM (#55685643)
    Keep putting millionaires and billionaires in charge. I'm sure they'll drain the swamp any moment now. And if they're not to your liking how about a nice blue dog democrat? He (or she) will promise not to raise your taxes, doesn't hate gay people and won't touch Social Security or Medicare (or anyone over 55). Remember folks, if you don't keep putting pro corporate, right wing people in charge those tax and spend liberals will raise your taxes. And if you're reading this and you're American then I know 60% of you are living paycheck to paycheck (google it) and can't afford it, right?

    The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.

    Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?
  • The tech companies need to ask the feds if they want a modern internet with secure banking and communications. Cause if they DO, the whole "backdoor" nonsense is a nonstarter. If you compromise a mathematically-proven and trusted system, guess what? No one can trust it anymore. On the other hand, if the feds really don't care if there's secure online communications or not, then hey, no problem.

    What we seem to have are people who keep asking for the impossible without understanding what's really at stake.
  • and I will adapt!
  • I'm sure it'll be VASTLY entertaining when they get told to pound sand.

    The second it's been found out one of these companies has compromised their encryption this way, it's The End for them.

  • People were comparing Germany to the Stasi and worse here:
    https://yro.slashdot.org/story... [slashdot.org]

    Note that this article is from a local unknown journal, with NOBODY confirming what it pretends is happening, to my knowledge not even the local CCC knows about it, and at least if it tries to put it as law there will be a PUBLIC DEBATE, and this is Germany, not the US, people tend to really debate such things.

    And here we have the US saying "fuck that, we're above the law, we can stamp you with FISC to have yo
    • It's a bit like if the US went and shot a person in public vs. North Korea doing it. In the US it would be an outrage. In NK, well, we kinda expect that by now.

      Same here. Domestic spying, privacy elimination, trying to establish a Fascist regime... that's something we had come to expect from the US, hearing this from Germany is so odd and unfathomable.

  • US government is forcing encryption specialists to move out of the US by implementing draconian laws.
  • There was all this hand waving about the Chinese and Russians having backdoors to stuff sold in the US. How will the US having backdoors be any better, to any other government?

    If it is a question of backdoors, then you might as well have low grade encryption, since it is probably not much better than the master key getting leaked?

  • How much of an idiot do they think I am? Anyone would know that someone, somewhere, is going to exploit, and hack into that backdoor they created. So I need a list of idiot software to avoid.
  • and I mean *ALL*. every bit of VPN and encrypted data you generate should be sent to the FBI so they won't have to work so hard to collect what they want. I'm sure they have enough storage and bandwidth to handle it.
  • Seriously, why is this an issue?

    Public/private key cryptography has been proven secure. HTTPS is based on it, and it is strong enough for me to do banking on-line.

    For cases like the police needing to get into an iPhone, all that needs to be done is for the phone secret (say, an AES key or the phone unlock code) to be encrypted using Apple's public key, and this encrypted secret could be made public (or presented over the USB port). Nobody can do anything with it, except the people who hold the priv

    • Have I missed something?

      Several things, actually. First, your scheme requires the ability to export the private key from the device (even if it is encrypted). This is poor security practice. The current trend—long overdue, and implemented in response to real security breaches—is to generate and store the private key in a tamper-resistant secure chip, with no external access to the key material. All operations involving the key occur inside the chip. This protects against vulnerabilities in the operating system as well

      • by harrkev ( 623093 )

        You missed a couple of things...

        First, your scheme requires the ability to export the private key from the device (even if it is encrypted). This is poor security practice.

        Why? If RSA and/or ECC are really "uncrackable", and are mathematically proven so, I fail to see the problem.

        generate and store the private key in a tamper-resistant secure chip

        Absolutely true. However, it has to be tamper-resistant because this chip stores PLAIN-TEXT KEYS. If the keys are stored encrypted, then the key encryption key
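The escrow scheme proposed in this sub-thread, written out as an added example (not from any of the commenters) so the trade-off raised in the replies is concrete. It assumes RSA-OAEP wrapping a per-device AES-GCM key and a constructed secret; the escrow key pair stands in for the vendor's, and the point to notice is that one private key recovers every device's blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EscrowBlob is what a device would hand over (e.g. over USB): its data key
// wrapped under the escrow holder's RSA public key, plus the encrypted data.
type EscrowBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewEscrowKeyPair stands in for the vendor's (Apple's, in the post) key pair.
func NewEscrowKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Escrow implements the proposed scheme: a fresh AES-256 device key (made in
// software here; the secure-chip design in the replies would never export it)
// encrypts the secret with AES-GCM, and RSA-OAEP wraps that key for escrow.
func Escrow(pub *rsa.PublicKey, secret []byte) (*EscrowBlob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EscrowBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, secret, nil)}, nil
}

// Recover is the escrow holder's side. The caveat from the replies is visible
// here: one private key unwraps every blob from every device, so whoever
// holds or steals that key can read them all.
func Recover(priv *rsa.PrivateKey, b *EscrowBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed, not the escrow private key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}
```

Exercise it from a test or a main that calls NewEscrowKeyPair, Escrow and Recover; Recover with any other private key fails at the unwrap step, which is exactly why the escrow key becomes the single target.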

  • You in the XXX organization of government have no right to use official resources to ask third parties to do things that go against our interests.

    Congress hasn't passed an act directing you to "ask" companies to embed concealed defects into their products that you sell to the people, therefore, you doing so is an ABUSE.

    Now if your directors of departments want crypto backdoors in YOUR OWN GOODS that you buy for the use by that government department from those same companies, that's a different matt

  • That's the only appropriate response to this. They can't 'force' anything. If they could, then the entire premise behind what the United States was founded on and ostensibly stands on becomes invalid.
