CALEA 2 and Tor

Journalists and activists have been asking me this week about the news that the Obama administration is now considering whether to support the latest version of the FBI's "Going Dark" legislation. Here are some points to add to the discussion.

  • This is far from law currently. Nobody's even published any proposed text. Right now the White House is considering whether to back it, and now is a great time to help them understand how dangerous it would be for America.
  • Forcing backdoors in communication tools is a mandate for insecurity. Haven't they been paying attention to just how much these same systems are under attack from foreign governments and criminals? Did they not learn any lessons from the wiretapping scandals in Greece and Italy, where CALEA backdoors were used to surveil politicians, without law enforcement even knowing about it? You cannot add a backdoor to a communications system without making it more vulnerable to attack, both from insiders and from the outside.
  • The Justice Department is being really short-sighted here by imagining that the world is black and white. We've heard from people at the FBI, DEA, NSA, etc who use Tor for their job. If we changed the design so we could snoop on people, those users should go use a system that isn't broken by design — such as one in another country. And if those users should, why wouldn't criminals switch too?
  • In any case, it seems likely that the law won't apply to The Tor Project, since we don't run the Tor network and also it's not a service. (We write free open source software, and then people run it to form a network.)
  • The current CALEA already has an ugly trickle-down effect on the citizens of other countries. Different governments have different standards for lawful access, but the technology doesn't distinguish. So when the Egyptian general plugs in his telco box and sees the connector labelled "lawful access", he thinks to himself "I *am* the law" and proceeds with surveilling his citizens to stay in power. To put it bluntly, America's lawful intercept program undermines its foreign policy goals.

And lastly, we should all keep in mind that they can't force us to do anything. You always have the alternative of stopping whatever it is you're doing. So for example if they try to "force" an individual directory authority operator to do something, the operator should just stop operating the authority (and then consider working with EFF and ACLU to establish precedent that such an attempt was illegal). And so on, all the way up the chain. Good thing the Internet is an international community.

For those who don't already know, we also have a FAQ entry about Tor and backdoors:
https://www.torproject.org/docs/faq#Backdoor

Can you give some context as to what is going on here?
I use Tor everyday to post online anonymously...what is Obama up to now?

That's why I linked to the NYT article at the beginning:
http://www.nytimes.com/2013/05/08/us/politics/obama-may-back-fbi-plan-to-wiretap-web-users.html

You are missing the point. The law is irrelevant. For will be made illegal, or just fined to death and dragged through court for a decade until there is no more for. This is not a technical problem to solve. This is about control and abuse of power.

The law is clearly relevant, or there would be no attempts to outlaw it.

Right now, Tor has not been "fined to death" (it cannot be fined unless it is illegal) or "dragged through court for a decade" (because doing that to a legal organization is bad publicity; ask Apple about Samsung).

If things were as bad as you said, Tor wouldn't exist right now.

Apparently your keyboard mixes up 'F' and 'T'?

If Ron Paul had won the presidential election then maybe we wouldn't be having this problem.. But, since Americans have lost all understanding of the meaning and value of liberty, they have therefore voted themselves into slavery....

If you are too dumb to live in a liberal democracy then you will live in a totalitarian police state.

"...they can't force us to do anything. You always have the alternative of stopping whatever it is you're doing. So for example if they try to "force" an individual directory authority operator to do something, the operator should just stop operating the authority..."

I think they can force people to do things, including continuing to operate while compromised and keeping it a secret.

Remind me not to have you run a directory authority, or make compliance decisions of any sort for us. You always have a choice!

I'm actually the kind of person who would strongly consider going to prison for disobeying the government. In the United States, librarians were forced to hand over checkout histories to the federal government, and keep quiet about it. A few of them leaked it, and were imprisoned for saying something.

I think he's right. Isn't that what happened at Hushmail? And that was Canada.

No, Hushmail chose to put a backdoor into their system and continue operating in Canada. Then I guess they moved most of their budget into PR to convince people that Hushmail was great and safe. Standard tactics from for-profit companies -- I'm glad we don't have shareholders.

"Standard tactics from for-profit companies -- I'm glad we don't have shareholders."

But plenty of your funding sources are for-profit companies, are they not?

Hushmail is still better than Gmail though...... right?

What about TorMail?

I, too, would like to see an official statement from the Tor Project on Tormail.

Tormail has nothing to do with Tor.

I wouldn't be so sure of that.

What about the argument by using a service like Hushmail, one is effectively *announcing*, "I've got something to hide..."?

It could possibly be said that there's a certain "safety in numbers" in the likes of Gmail; getting lost in the crowd.

This is a process of accumulating and valuing associations, not determining a single value for a data point that applies to everyone. The model is not "if the number of emails from everyone containing the word 'Snowden' is big enough, it moves from suspicious activity to harmless for everyone"; the value of a data point fluctuates based on the other data points connected to it.

Consider a database query cross referencing every Gmail identity with at least one message containing 'Wikileaks' with Google searches for Tor. Then do it against sets like signers of online petitions and contributors to EFF. Now repeat with data of offline activity like protest attendance, membership in the ACLU, travel to London and Madrid (which both had train bombings) and purchases of books by Cory Doctorow. Once a threshold is passed, the value of an email that includes "Snowden" from the same account increases because the entire history is scrutinized for information that supports further investigation. None of the individual data points is illegal or even suspicious on its own, but together they are used to build a character sketch that triggers further intrusion.

Cherry-picking data carries a substantial danger of confirmation bias. Like someone in a messy breakup can easily fall into the trap of recalling the entire relationship and recasting every innocent mistake and misspoken word to support a case that the partner was betraying him the whole time, the context assigns motivations after the fact. These are based on the subjective interpretation of the analyst once the breakup has taken place rather than the motivation of the subject when she performed the acts in question. Positive mitigating factors like shared experiences and values are ignored and forgotten because they do not contribute to the predetermined judgment.

Herd immunity relies on storage and searching being relatively time consuming and expensive processes. Since these are now incredibly fast and cheap (and the budget virtually unlimited), the limiting factor moves down the line to how the information is used. Without meaningful oversight and respect for democratic values, the momentum is toward greater scope and secrecy with less responsibility for the watchers and fewer rights and protections for the people.

Tl;dr: There is no safety because you can't get lost.

Arma, could you please clarify what you mean by "backdoor" in Hushmail?

I know that Hushmail complies with legal warrants, and I am perfectly ok with that. Have I missed something else? Please give references to articles.

I want also to thank you for all your work with Tor and helping to protect us netizens.

Well, there's this from the article:

"Instead, the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work."

So judges are even now forcing companies to engage in affirmative actions, to assign staff to work on wiretapping attempts.

The AP should have been using TBB and Tails:)

Sounds pretty weak, almost like you would comply if the law told you to put a backdoor in tor. Pretty sad, FOSS is supposed to be immune from this stuff.

This law or a law like it will eventually be passed. Every law they want to pass they pass.

You should disobey the law. If they come for you, do worse to them than what they would do to you.

The "we don't think it is a good idea" I'm hearing from the FOSS community sounds like something out of soviet russia. Very weak.

Should be "fsk you, we will not capitulate, ever, even if that means a shooting war and our deaths"

Disobey what law? There isn't even any proposed law yet.

I tried for a while to work in a reference to https://www.torproject.org/docs/faq#Backdoor

But in the end I decided that this wasn't the right point for aggressively picking a fight. IMO the feds would be mighty foolish to pick a fight with Tor, first because we are the extreme example of why their upcoming law doesn't take reality into account, and (related) because we have so many friends around the world who would get upset alongside us, and help make sure the attempt backfires.

If they really want to make this our fight, we'll oblige them. But we've got a lot of other fights to fight, so I am not too eager to get too distracted from the rest of them.

(Historically, we're a "write code to make the world better" company, not a "stand around in a courtroom explaining how we want the world to be" company. I think we do better at the former. Also there are plenty of organizations who can do the latter.)

"If we changed the design so we could snoop on people,"

Why are you even contemplating obeying them?
The law is not your religion, it is the dictates of some overbearing enemy.
Why would you obey them?

A conditional statement does not imply what people intend to do.

With the latest scandals in the USA Government vs. The People, we can easily understand their motives with CALEA 2 and so on. Absolutely no more authorities for the Government criminals! Not that they matter anyway really...

I hope you guys will at least have the decency to tell us Tor users, once you are forced by the government to put a backdoor in to Tor.

First they came for the Tor users, and I didn't speak-out because I wasn't a Tor user, and I figured, "If you've got nothing to hide...."....

Syndicate content Syndicate content