It is really tragic that we have reached a point where something so wonderful as Groklaw cannot effectively function.
Nearly 200 years ago, de Tocqueville asked why the American experiment in self-government succeeded while its French counterpart led to the guillotine, mob excesses, and ultimate tyranny and he gave a complex answer whose core was that private moral restraints in the populace served to check the unbounded passions in people that lead to oppression. In other words, the private life that each of us leads will hugely influence the way we are governed.
Governments are always ready to grab the greatest degree of power that the people will give them. That is the default because it is hard-wired into the human condition. And this is the major factor not grasped by those today who assume that society is evolving to a point that, if only right-thinking people with good motives are given enough power over our lives, they will somehow magically transform society for the good through government action. In reality, if any persons - right-thinking or not - are given largely unchecked authority over our lives, abuses will inevitably follow. As they gather huge amounts of power, their purpose in life becomes to guard that power jealously and to increase it as opportunities permit. No bureau has ever abolished itself. Farm programs from the depression era thrive today as ever, though the logic for their existence has long since vanished. Politicians of all stripes promote expanded budgets for their own areas of preferred government expansion and spend money they don't even have in vast quantities with little or no accountability to the people they supposedly serve.
This is why it is vital in a free society that its people be educated and morally grounded to value their rights as individuals and to resist and distrust unchecked authority in the state. Do we have that today? Perhaps, but only in a very weakened form. Many people today do not even give pause over the idea that the government claims huge amounts of unchecked power, whether it is to fight terrorists or to expand social programs. There is very little residue in our society of the old-fashioned principled belief that it is wrong to have vast centralized power with very few checks upon it. In her sign off piece, PJ notes: "Not that anyone seems to follow any laws that get in their way these days. Or if they find they need a law to make conduct lawful, they just write a new law or reinterpret an old one and keep on going. That's not the rule of law as I understood the term." This is lamentable but it is a mere symptom, and not the cause, of our ills. Politicians make the law as they go, with no accountability, only because they are allowed to do so by those whom they govern. And, if someone already has vast power over you, it is but a small step to extend that power in a technological age by using technology to spy upon, intimidate, and control people. Why, when these leaders are allowed to lord it over us as they see fit, should they suddenly develop scruples in gathering information that only serves to enhance their power to do what we are already letting them do without so much as a peep of principled opposition?
Privacy is in significant peril, and it is a serious loss when Groklaw goes down over this issue. But assaults on privacy are but a symptom of a deeper malady as modern society increasingly believes that it can hand over massive forms of unchecked government to its politicians in the naive belief that such power can be used wisely if only we have right-thinking leaders at the helm. The answer, as de Tocqueville noted years ago, is not to place faith in leaders but rather to take personal responsibility in our lives and to curtail the powers of those who govern. I guess we shall just have to wait and see if this is possible today.
In the meantime, we can praise those who fight the good fight, and PJ has been a supreme example of this. Tireless, talented, and astute, she has been a wonderful force for good over the past decade. May she find a powerful new outlet for those talents as she moves forward, even in a difficult environment.
Last night Thom Hartmann interviewed Ron Paul in his Conversations with Great Minds segment. Paul's take on all of this is that what's happening is already illegal according to the constitution, but that we aren't able to enforce the law because corporations, special interests and political lapdogs write their own laws. I'm still not sure what my stance on Paul is but I like his core political belief of nonintervention. It's similar to the golden rule but for politics, so for example if you spy on americans, you infringe their property right, in this case by stealing their privacy. An individual should be able to sue the NSA for that and win, setting a precedent for the rest of the population. The fact that they can't shows just how corrupt the system truly is. I'm not a libertarian but he made me stop and think:
The efforts aren't illegal, in the Constitutional sense (U.S.), so long as the searches are deemed reasonable. Two branches of government (Executive and Judicial) have generally been in agreement that searches for the purposes of National Security (very broadly defined) are reasonable. And Congress has not passed laws to the contrary. In fact, Congress has been exceedingly pliant on these issues. They've been passing laws that not only make these searches legal, but exempting Telecoms from any lawsuits for their cooperation. A different Executive (say, Rand Paul) could effect many changes on his own. But history suggests that, when given War Powers, Executives of both parties have been very careful to relinquish that authority. And Rand Paul will have a hard enough time in his own party.
> And Congress has not passed laws to the contrary.
Congress did, in fact, pass the original Foreign Intelligence Surveillance Act of 1978 "to the contrary", expressly prohibiting (and criminalizing) many of the types of searches (both physical and electronic) for the stated purposes of "National Security" that had been done prior to the Act.
Of course, the executive was successful in getting Congress to remove many of the restrictions in FISA in the FISA Amendments Act of 2008, including retroactive immunity for private firms that had cooperated in the executive's violations of FISA, but then, if the scope of the surveillance in violation of FISA was as broad as current surveillance appears to be, it may well have been the source of the leverage to get the change through Congress.
Sorry, by "Congress" I wasn't referring to the version in place 35 years ago in the post-Watergate Era.
As you note, the Congress of today has rolled back FISA and added new, more pliant laws (e.g., Patriot Act).
We are in a different era where all three branches are gladly pushing the reasonable clause far beyond the intended use. That's the result and it is Constitutional because all three branches say so.
> Sorry, by "Congress" I wasn't referring to the version in place 35 years ago in the post-Watergate Era.
I am not sue that the "version" of Congress has changed as much as the attitude of the people toward the government. While abstract anti-government rhetoric is perhaps even more common now than in the post-Watergate Era, specifically directed outrage at particular abuses like the (far more pervasive today than in the Watergate Era) use of national security resources for surveillance of the population (and not just foreign communication) is far more muted.
So why can't, let's say, German citizens sue Google and alike in Germany? I am pretty sure many foreigners feel that some NSA programs are unconstitutional according to other countries' constitution.
What if many foreign citizens from many countries sue internet companies for assisting the Big Brother in spying on these foreign citizens?
> Many people today do not even give pause over the idea that the government claims huge amounts of unchecked power, whether it is to fight terrorists or to expand social programs
These are vastly different issues. Providing social programs doesn't infringe on anyone's rights except by taxation, which the government is constitutionally entitled to perform to any degree it wants. In contrast, the tactics employed to supposedly fight terrorism often impact rights which are protected by law.
The funny thing is that they aren't. They're all about power. Power given to the few to control the many. Social programs just have that sugary coating that voters like to swallow, but the rotten corruption of power is at the center of all and its effects inevitably dominate.
That's the opposite of what's happening. Money (power) is flowing from the few (the rich) to the many (the poor who actually use government services and social programs).
Bam! ... and there you demonstrated exactly how they fool you. You're thinking about the social programs themselves - the bait or the distraction.
I'm talking about governmental power: the power to control vast amounts of money, the power to reward your friends and relatives, the power to snoop on your innocent citizens and punish your enemies through the force of law and perhaps physical violence.
They offer you trinkets, you vote for them, they gain power, they spend money they don't have, they abuse their power, they live like kings, they blame others for their eternal failures to implement utopia, they claim that if only you would elect them again and give them more of the money of the evil rich, they could solve all of society's problems... wash, rinse, repeat.
"Doing good things is how they get you! They get re-elected by doing good things, and that gives them the voter support to do bad things. Down with good things!"
Promising good things is not equal to "good things". Doing a few good things is really easy when you have shitloads of other peoples' money to work with - but even then, they fail over and over to deliver what they actually promise.
Detroit's city managers promised and did a whole lot of good things, didn't they? They were a regular Santa Claus with the handouts.
Having more people on the government dole actually makes the problem worse. We need less government, as little as possible, and more self reliance. Charity is injurious unless it helps the recipient be rid of it.
If you give a person / family just enough money to live off of, in exchange for their promise not to productively contribute and achieve (with the pride, joy, and happiness that can go with that) ... you have effectively turned them into slaves.
A permanent welfare mentality = mental slavery. And tell me: are the people who are being "helped" happy, in the end? Do they live in peace? Travel their neighborhoods, talk to them in person, and you'll see the answer yourself. Yet sadly, they're convinced if they can vote for a little more money, and vote to take it away from certain others, then they'll be happy.
The system does little to truly help them. That's why it's disgusting.
Yea, it's really annoying how libertarians always conflate the government's abuse of military and police powers with its role in moderating the excesses of capitalism. As a lefty political activist it makes it hard to form alliances on issues that we agree on.
Can you comment on the difference between the 1st and 4th Amendment? It seems the current issues we face are reducible to the broadest interpretations of "reasonable" searches under National Defense claims from the Executive branch. It's hard for me to see how the Public has much recourse here. Even if they were to convince their representatives to pass new laws, this still seems like a fight between the other two branches. The Executive branch could ignore those laws under Executive privilege claims. And the Court seems more than willing to abide by that use of Executive power.
Am I missing something? Short of a generational movement to move the Court on civil rights toward information privacy (akin perhaps to medical privacy claims), I really don't see an alternative. The Executive branch has every incentive to maintain their power here (and argue as such under the War Powers). And the Court seems all too willing to cede that authority.
While the parent post is the #1 comment right now on this article, it is clearly hyperbole.
Blatant Intimidation and Control is not what the US Government does. If you want proof, compare the US handling of the Washington Post to the British handling of The Guardian. The Washington Post and New York times have been free to publish everything. The Guardian however, just had spooks smash their computers this past weekend.
The US affords the press freedom: freedom of speech, freedom of debate. There are no spooks here that are trying to shut anything down, anywhere. At worst, we have some secret conversation that happened between Lavabit's owners and the FBI. No one forced anyone to shut anything down however, most certainly not in this Groklaw case.
Abuses that have come to light are all under-the-table sort of affairs. Metadata collection is not technically data, and therefore isn't afforded 4th amendment protections. (See Smith v Maryland). Information gathered from the NSA technically can't be used in a prosecution case, so the DEA unofficially changes the story before it gets told to a judge (see Parallel Construction).
Some laws are working, but there are cracks in the foundation which is leading to an overall breakdown in trust. If anything, viewing the news recently has shown me that these agencies are very interested in following the _letter_ of the law, although not necessarily the spirit of the law.
------------------------
History of the US is a sobering example, of the Government constantly giving up powers in favor of its citizens. Need I remind people of the Office of Censorship in 1940s, where Government agents read every single mail that was going across the mail system? Need I remind people of COINTELPRO in 1960s, the program the FBI used to spy on Malcom X and Martin Luther King Jr ?
The US Government has historically listened to the pressures of its citizenry, and changed. It is not the time to lose hope, but the time to make your voice heard. FBI and NSA, as intimidating as they are, are run by US Citizens first and foremost.
> History of the US is a sobering example, of the Government constantly giving up powers in favor of its citizens. Need I remind people of the Office of Censorship in 1940s, where Government agents read every single mail that was going across the mail system? Need I remind people of COINTELPRO in 1960s, the program the FBI used to spy on Malcolm X and Martin Luther King Jr?
Imagine you're in a relationship with someone, and they abuse your trust. You call them out on it, and they agree to stop. Then later they start abusing your trust again, in a different way. You call them out on it and they stop. And this keeps happening.
Would you praise them for continually "giving up" their power over you when asked? Or would you consider yourself to be in an abusive relationship?
I just think it's a bit strange to view a succession of abuses of power as the government continuing to "permanently" reduce its power. How many more scandals do we need before the government has "permanently" reduced its power to the point where we won't need any more "permanent" reductions?
Governments are composed of people. The people who ran the government in the 1940s no longer did by 1960s... and the people who ran the government in the 1960s no longer do today.
Your example is fallacious to begin with, because you assume a single entity is responsible for PRISM, Office of Censorship, and COINTELPRO. No, they are different: different governments of different eras... facing different problems even.
As new people enter and leave government, they will be prone to repeat the mistakes of their ancestors. And it is the citizen's duty to continue to step it up and hold it in check. It takes work to keep the country together, everyone knows that fact.
If you cannot see the collection of people working together here, then you will fail to make progress. It is important to know who is making the mistakes and where additional oversight needs to be placed.
EDIT: In particular, Office of Censorship does not exist anymore. It has been completely shut down, the agency is dead period. COINTELPRO was an FBI program, shut down in the 1970s. Today, NSA is under criticism of PRISM.
Different agencies, completely different groups of people, are under criticism. Not a single person shared any criticism across the eras, let alone "repeated" the mistake.
> Governments are composed of people. The people who ran the government in the 1940s no longer did by 1960s... and the people who ran the government in the 1960s no longer do today.
This is a fair point, but I also think it can be useful to consider the perspective of government as a unified, evolving entity, much like it's useful to consider a forest as more than just individual plants that grow and die and are replaced by new plants.
> As new people enter and leave government, they will be prone to repeat the mistakes of their ancestors. And it is the citizen's duty to continue to step it up and hold it in check. It takes work to keep the country together, everyone knows that fact.
I agree with this point. Perhaps the issue is why these abuses keep arising; is it just human nature, or are there institutional factors at work (factors that transcend the revolving door of individuals entering/leaving government)? I don't know the answer.
Regardless, we seem to agree that the NSA abuses are troubling and need to be pushed back on, so I suppose we're basically on the same page.
I think my disagreement was mainly with the notion that the government was continually "giving up" power in a linear, cumulative fashion. Every time one of these programs is shut down, are laws passed to ensure they can never arise again? If so, that would be reassuring.
Because there is an inherent mismatch in privacy concerns and law enforcement / defense concerns.
Office of Censorship was created to counter the German / Japanese threat of spies during World War 2. It was seen as a necessary measure to help unite the country. The successful use of the Atomic Bomb is credited to the Office of Censorship, who helped keep the project secret. Quite possibly... the Atomic Bomb's details would have been leaked in WW2 if it weren't for the Office of Censorship.
COINTELPRO was then created in the 50s to counter the Soviet threat. In the 70s it was revealed it was being used for more than just that, and the project dismantled. In fact, FISA protections were supposed to prevent any large-scale domestic spying. The entire point of FISA was to stop future projects as they rose up.
As PRISM came up, despite FISA protections. Its important to realize how it happened. If you've been paying attention to Congress, FISA has in fact worked: Senator Wyden and Senator Udall have been criticizing these programs for a very long time. No one seemed to care in 2007 however, so the programs continued. I guess Edward Snowden has made things far more dramatic, and easier for the Press to talk about... but these are facts that have been discussed for some time now.
If there is a fault in FISA, its because Americans don't like listening to Senators. So no matter how many Senators you put in charge of watching the Intelligence Agencies, apparently no one will care unless a giant controversy is brought up by a non-politician.
Every few decades, peacetime makes us forget that the world is willing to attack us. Eventually, we as the citizenry work to dismantle the annoying and invasive defensive measures we give to law enforcement. (see Clinton Era in the 90s, where he reduced the size of Intelligence Agencies by half)
Then, an attack happens. The US returns to "war mode", and everyone is willing to trade privacy for security... at least for a few years. And that is when these new programs find their way into the system once again. The creation of Patriot Act led to the authorization of PRISM.
The important issue to see here, is that these programs are 100% legal. These agencies are always willing to follow the letter of the law. So... all we have to do is petition Congress to change the law. Section 215 of the Patriot Act: "Business Records Provision" is the law that legalizes the collection of Metadata. If it dies, the program dies with it.
> Every few decades, peacetime makes us forget that the world is willing to attack us. Eventually, we as the citizenry work to dismantle the annoying and invasive defensive measures we give to law enforcement. (see Clinton Era in the 90s, where he reduced the size of Intelligence Agencies by half)
> Then, an attack happens. The US returns to "war mode", and everyone is willing to trade privacy for security... at least for a few years. And that is when these new programs find their way into the system once again.
I appreciate the contextualization. For some reason it's a bit less scary to conceptualize these abuses of power as an autoimmune disorder rather than some kind of intrinsic cancer that never seems to go into remission. Probably because it makes this seem less like an inevitable slide into totalitarianism and more like a simple overreaction to a perceived threat, an overreaction which becomes increasingly malignant. The proper response is to correct this overreaction and work to put in safeguards to prevent future overreactions.
I hope your observation that "peacetime makes us forget that the world is willing to attack us" is not implying this is a bad thing; on the contrary, it seems like the closest we'll get to rationality.
> I hope your observation that "peacetime makes us forget that the world is willing to attack us" is not implying this is a bad thing; on the contrary, it seems like the closest we'll get to rationality.
Not necessarily. It comes with good and bad.
People have already forgotten that it is the NSA's job to investigate the Nasdaq and Google Hacks of last year. Chinese hackers were spying on Americans... hacking into gmail accounts and so forth.
And yet you read through this thread, with Groklaw closing down and everything. You have to remember: you may feel that the NSA has violated your privacy, but they are also the organization responsible for protecting it from other nations.
But peacetime makes us quick to forget these events. The Google-hack event was only 2 years ago, the Nasdaq hack is currently ongoing, the RSA hack was in 2011. Someone hacked Verisign in 2012. All are being treated as international hacking events.
The balance of "privacy" and "security" is more complicated than "destroy that program" or "remove funding" from a certain agency. Overreactions happen both in peacetime and wartime. Now, more than ever, as other countries spy on Americans, is the time for agencies like the NSA to step up and help defend.
You see how easy it is to turn an argument into anything? There are no easy solutions in politics. A lot is going on in this country, and its far more complicated than "totalitarianism" vs "privacy concerns".
"The war on drugs is now 30, 40 years old. There have been a lot of unintended consequences. There's been a decimation of certain communities, in particular communities of color."
-- Eric Holder, 2013
The Attorney General is responsible for the Department of Justice, which is in turn in charge of the FBI and DEA. Also, the FBI does not handle most drug related federal offences. That is the DEA. Get your agencies right!
Anyway, this would be the Attorney General bending the law. Legally, they are supposed to arrest you for smoking Marijuana. However... if the Attorney General bends the rules, and "fails" to arrest you on the charge, then the law is as good as broken. An official order from the Attorney General can stop the DEA from prosecuting Drug users, even without any changes to law.
And thus, the power of the executive branch. They can't change the laws, but Eric Holder is in a position to change the enforcement of laws. That is about as good as he can do, a future Attorney General / President may roll things back.
To Eric Holder, the Drug War is an anti-African American symbol. So it seems like he's doing what he can to stop it. He probably will crackdown on the obvious illegally operated Pot centers in California, but he's probably going to ease up the Drug War as much as he can.
>Governments are composed of people. The people who ran the government in the 1940s no longer did by 1960s... and the people who ran the government in the 1960s no longer do today.
No, governments are composed of institutionalized sets of behaviours and response guidlines; colloquially known as "Laws" - the architecture of governance.
The "people" in these organizations are agents of these systems. They behave exactly how the institutionalized archetypes are designed to make them behave.
You're perpetuating the same illusion that "elections" perpetuate: "This human, named 'Obama' will change everything!"
No he wont. He will fall into the role and archetype of the office of the president.
Sure, if you wanna be a defeatist. But IMO, that viewpoint is lazy, and unacceptable to the hacker.
Governments change, be it to external factors (9/11 -> passage of Patriot Act -> PRISM), or internal factors (Erm... the Civil Rights Movement)
We, the Millennials, have a good shot at becoming the next greatest generation. We grew up during the rise of the internet. We witnessed 9/11. We fought in two oversea wars, we've returned to the greatest economic recession since the great depression. We've elected the first African American President. We've defeated SOPA. We've created Reddit. We've created Google. We've created Wikipedia.
The air of political change is growing... not shrinking. Don't you see? Millenials are beginning to take over the country. Its our time to shine!
Sure. Gen X caused the wars, and we fought in it :-) Gen X was old enough to vote Bush into office, while Millennials were too young to vote but old enough to go to wars afterwards.
I looked up the technical definitions of Baby Boomer, GenX, and Millennials. Baby Boomers end at 1964. GenX ends in 1984. Millennials (GenY) end 2004. The current generation is Generation Net (GenZ), and will end 2024.
So I guess we Millenials haven't really done much yet... but GenX (Today, ages 28 to 48) are just getting into political leadership. Obama is still a Boomer, but GenX candidates will certainly be up for election this decade. A GenX President is unlikely for another decade or so... but surely House / Senate members are beginning to be filled with GenX. So I guess you guys have first dibs on fixing all of these issues, eh?
Don't mess things up too much before we Millennials get there!
>The US Government has historically listened to the pressures of its citizenry, and changed
While they may have changed tactics and methods they did not stop the nefarious activity.
I think you're naive to think that protesting the USGs actions have led them to stop any of it - actually it has only led to to their attempt to obfuscate their actions.
Do you recall when "The office of total information awareness" was railed against? Where it was said to be a Very Bad Thing - and it was supposedly shuttered?
Well, what do you think PRISM is a program of. The NSA IS the office of total information awareness.
Does the US Government do this anymore? No, it doesn't. Period.
Historical facts fight against your argument. The US Government has permanently given up powers to respect the privacy of citizens. I can come up with more historic examples if you wish.
Maybe we don't we eye-to-eye: I find your comment ridiculous.
Does the government do what exactly? You are aware they are slurping 100% of digital communications? In light of what has been confirmed by Snowden's efforts - I can't take your comment seriously.
Office of Censorship would delete and manipulate documents to aid in the war propaganda effort in the 1940s. Its pretty different than what is going on today.
You're confusing the walking back of an extreme overstep with a fundamental change in direction.
You can't cherry pick a couple of examples of where extreme power grabs were curtailed and say, "See, the government is giving up power!" You're looking at local down trends in an overall upward curve and declaring the whole thing to have a negative slope.
In order to make your case, you'd need to start with the Constitution and the strict limits that it placed on the Federal government and map that to the authority it exercises today. The trend is in the opposite direction you're thinking of.
Do you think citizens have more, or less rights today than in 1789? When the Bill of Rights was first drafted?
I believe we have more rights today, as a historical fact. We can easily create Corporations. Almost anyone can vote, Black, white, or women. The original 13 colonies drafted their soldiers into militia, while today the Draft has been completely eradicated. (ditto for the Civil War). Before 1960, freedom of press is compromised if there was a "reasonable tendency" to endanger society. (http://en.wikipedia.org/wiki/Bad_tendency)
Are you seriously telling me, that we were "more free" in 1790s than today? If we were still operating in 1900s era law, we wouldn't even be allowed to talk about strikes, due to the "bad tendency" measure. (A man was in-fact arrested and put into jail for inciting a strike in the 1910s)
And yes, I'll call you "boy" until you understand simple US History. "Boys" believe in the ideal past, a past that _never existed_. Boys are unable to see how much this country has grown, and how much better it is today than before.
> Blatant Intimidation and Control is not what the US Government does. If you want proof, compare the US handling of the Washington Post to the British handling of The Guardian. The Washington Post and New York times have been free to publish everything.
The Post and the New York Times were free to publish this material. It has consequences of course, but none of them were levied against the Washington Post or New York Times.
The US Government does not punish the press for receiving, discussing or talking about that sort of information. Instead, it goes after the leakers. Discussion, and freedom of speech is much respected.
If anything, your link is but one more example that supports my point.
Fair enough. Although I still argue my point: the Press is free to publish what it wants. Judith Miller was charged with contempt of court for failing to reveal her source. She was not charged with what she wrote.
If the best example of US Government censorship is Judith Miller, then my point remains very strong. No one in the US is stopping freedom of speech. At best, you can get arrested for failing to uphold a subpoena, which is a known fact anyway.
---
Furthermore, despite the whole affair, not a single report of Spooks coming in to destroy computers, or otherwise try and stop the publication of those events. (As has been seen in the UK right now, with the whole Guardian thing going on).
You are right, US is not there where UK already is. But unless people (and I don't mean 0.001% that hangs out on HN and like, I mean 99.999% that don't know what it is but vote) take serious interest in privacy and limiting government powers, we're moving in this direction, and moving there pretty fast. The fact that we have a president with which about 90% of the press are in deep and unquestioning love doesn't help either.
The "letter" of the law means nothing if the citizens are not ready to defend it. The congress can pass new laws, and as long as SCOTUS is ready to allow it - and experience teaches us when it comes to surveillance SCOTUS is ready to give a lot of allowances to the government - there's nothing to stop them but the citizens themselves. But if the citizens are more interested in voting in more government handouts for themselves than in liberty, then there's nobody else to stop it.
I have been thinking that appointing Congress/Parliament by random selection from the population would be a good idea. Who do you think would be more likely to want to want power, for example?
I agree with everything here and in the original post. What isn't clearly explained is how/why the government's behavior is prohibiting the continuation of Groklaw.
Apparently Groklaw runs on private email messages between her and her readers. If people cannot be assured of the privacy of their messages, then what they say is necessarily constrained. Given the nature of the topics on Groklaw, having privacy to discuss and subsequently post on it, is essential to the running of it.
Holy crap. Groklaw? I'd never for one second thought that the fall out from the NSA debacle would reach so far as to cause Groklaw to be shut down.
PJ feels extremely genuine here, she is definitely not using this as an excuse.
Wow. There is something very unhealthy in the air or in the water these days. Lots of people seem to be totally immune to the consequences of rampant surveillance and frankly bizarre powers executed by the current set of governments. And all that in the name of the war on some nebulous entity that could not even capitulate if it wanted to (and that's assuming such central command and control even exists).
2013 is fast shaping up to be a year of notoriety, so many things happening in so many places that are all linked to governments overstepping their powers.
Who would have thought 20 years ago that we'd see US whistleblowers hiding in Russia of all places. That there would be meaningful comparisons drawn between the Russian government and the UK government when it comes to dealing with the press, that we'd see torture committed by the people we routinely thought of as the good guys.
It's a weird world we are living in at the moment.
Since comments are turned off there:
Thank you PJ for all the extremely hard work and the dedication. A lot of good came from this, I'm quite sure that there were some cases where both the plaintive and the defense were spending as much time reading groklaw as they were reading their email. It certainly counted for something.
> I suspect that US tech companies who are complicit in dragnet surveillance - and PRISM specifically - are already understanding this.
Absolutely. Just as 2013 is the year where "ordinary people" have begun to understand that "the cloud" is a scam.
(And that is doesn't make that much of a difference if they store their data with Google, Apple, or directly with the NSA. If the blueprints of PRISM can't be kept from leaking, then subsets of the actual data will leak as well. Five or ten years from know, you'll have a huge grey market of -- medium to low quality, outdated, etc. -- surveillance data.)
"Just as 2013 is the year where "ordinary people" have begun to understand that "the cloud" is a scam."
Disagree. So-called "ordinary people" don't really know or care about this issue. They care that "hey, my phone calendar syncs with my Google calendar!". They care that "hey, I can listen to my music on my computer, my phone AND my tablet". They care that they don't have to worry about backing up some things (Google Docs / Microsoft Office 365). They care that their pictures can be accessed by their friends without having to attach them to email. No average person is running away from the cloud for this reason--they're running towards it because overall, they still feel it makes their lives easier.
No, but yesterday a friend of mine asked me how to back up her pictures from her computer. I told her to use a removable drive. My wife said: "Just store them on Facebook". I said: "The US government makes a copy of anything you upload to the internet." My wife was shocked. Our friend said: "I don't want that." (She's from Hungary). We settled on 32 GB flash drives.
Moral of the story: Just like Groklaw, the ordinary people will stop trusting the internet because people in the know (in her case lavabit founder) say not to trust it.
Ordinary people, for the most part, trust the geeks they know to guide them through the computing landscape.
"The US government makes a copy of anything you upload to the internet"
So accuracy isn't really something you're all that concerned with? It is my understanding (and certainly could be wrong) that the whole PRISM thing was the ability for the government to get their hands on any data they wished, not that they're making copies of everything. I believe metadata is stored, which is an entirely different animal.
Snowden says they can do it. ISP sources confirm the government is trying to do it, but they are forbidden from disclosing the exact nature of what is done. You're really going to believe the people who have been busted lying about it and say anyone who doesn't is not concerned with 'accuracy?'
And what does metadata mean, anyway? If the government stores everybody you've been in a picture with, or who's looked at your pictures, but doesn't store the picture, is that really supposed to make us feel better?
That's PRISM, one of tens of programs that exist. Look up XKEYSCORE, for an example that does include mirroring "all" internet traffic. Pot and kettle; make sure you read everything, and don't get caught in their "Oh no we shut down that specific program a long time ago!" plausible deniability schemes that neglect to mention the 7 other programs they run that do the same thing.
I think it's unlikely that the NSA is actually storing all photo's uploaded to Facebook long-term, of course.
I'm just saying that "ordinary people" will follow what us geeks say, even when we're slightly wrong, because our guesses are much better than their guesses.
Of course, the people who the NSA and GCHQ are trying to find and track will not be using email or other forms of electronic communication or storage for anything.
It remains to be seen what happens to the general marketplace. I suspect we may see a number of startups specialising in organising face to face meetings...
> So-called "ordinary people" don't really know or care about this issue.
In one sense, they're right. For the most part, they really don't have anything to hide except maybe a few naughty pictures taken at a less-than-sober moment.
What people don't get (and I do not claim to be an expert, just a cynic) is the ability for others to take two pieces of information and form a previously-unthought-of conclusion. They aren't mean, nasty or suspicious enough to even think that is a possibility.
I still hew to the idea that this isn't a technical issue. We can come up with all kinds of secure protocols and systems until we're drowning in them but it still won't fix the problem that large parts of our society are just plain broken at some fundamental level.
We passed the laws that allowed this. We hired the nosy bastards that are doing this. Hell, we made the terrorists that required us to pass the laws and hire the nosy bastards. Somewhere along the line, we decided it was more profitable to set countries on fire than it was to work on conflict resolution.
We didn't need a computer to do that.
Fix the philosophical issue because all the tech in the world is just a bandaid.
This, sadly, is the ultimate truth. We may have already lost this battle for one simple reason: the average person is too apathetic to care what their Government is doing to them.
Its not "By the people For the people" anymore. Its By those in power (who aren't elected, by the way) For those in power.
I agree. I start getting wound up, only to be gently reminded by my wife that just because I am only now discovering it for myself does not mean it hasn't been there all along...
At this point, it would make more sense to store data with the NSA. They have that entire, taxpayer-funded Utah Data Center full of storage. Why not just open it up for people to backup their files cheaply?
Absolutely, I bet someone in the govt is thinking about giving each citizen say 10GB of free space that is secure from: hackers, identity theft, foreign espionage etc.
All the ones that won't use this offer can then be even more meticulously monitored.
Just don't pretend it actually applies. You replied to a comment talking about whether such a service would actually be capable of backing up people's data, not in the slightest a discussion of price.
While that is not unreasonable, you cannot get to that point of haggling between 10G/10TB unless the 10GB option can physically be accepted. If people take photos and videos, the 10GB option of uploading everything is logically impossible, and must be discarded.
Just as 2013 is the year where "ordinary people" have begun to understand that "the cloud" is a scam.
And the year when we understand that we are all lemmings.
I remember the 90s when people were afraid of putting their credit cards on ecommerce sites, and now they put their whole lifes and assets online.
The beauty of corporations is that they are still accountable to a much greater degree than than the NSA. Those who run Google have a fiduciary responsibility to shareholders. Up until a few months ago this always meant to many that if there was anything fishy going on at Google that they would quickly resolve the problem by firing the individuals guilty of any transgression and quickly instituting security policies to make sure something like that doesn't happen again. After all, individuals can mount class action suits, as can shareholders and the FTC or other some other regulator can come down on them.
The problem with what we discovered a few months ago is that the government can use fiduciary duty of the officers of these companies against the companies and they can do so in a way that guarantees that the executives won't talk about the abuse. They made demands for access and every corporation in the world knows that when push comes to shove, you don't want to piss off any organization that can unleash the IRS on your bookkeeping. And if someone does push back, its possible that there were additional threats of jail time for obstructing justice or contempt of court. Add to that the ability to gag anyone with an NSL and you have a situation that is wide open to abuse.
Unlike corporations, the people don't really have real recourse for transgressions of the NSA, CIA or LEO in general when it involves secrets that we are not privileged to, especially not any recourse within the capabilities of the common man (unless you are a common man within those institutions and you're willing to give up everything to whistleblow). Most attempts to sue get thrown out on state secrets grounds. All we have left is the ability to vote, but its pretty clear from some of the facts that that is unlikely to make any difference for most voters since the only people who knew what was going on were on the intelligence committees and even then both the ICs in both houses and the FISA court have admitted that they don't have any real oversight.
Facing this reality, I'm not entirely surprised people like pj at groklaw and ll at lavabit are checking out.
My hope would be that at least corporations are not lemmings.
For a non-US company that does anything remotely sensitive or competitive on an international level, it's simply insane to use, say, Google's cloud services.
I don't know to what extent Google depends on foreign corporate clients -- but I'd be surprised if this wasn't something they were very seriously concerned about.
(And the recent revelations about the NSA are really just the icing on the cake. If there is high demand for some confidential data, it's likely that there will be supply.)
There's no evidence the blueprints of PRISM were leaked, just training slides for analysts. There's also no evidence that actual surveillance data was leaked.
This particular slippery slope argument seems weaker because one would expect the government to place tighter controls on the data or the blueprints.
If no actual surveillance data was leaked, though, that's likely because Snowden is an idealist. It seems that he had access to that data. If the next leaker just wants some cash, things could change. (Or, hell, maybe the previous leaker--maybe spy is a better word here--who didn't get caught because s/he didn't go public, or was purely the victim of an ultra-sophisticated phishing attempt!)
Which is precisely what I was hinting at. The idea that the NSA would be capable of keeping this data absolutely confidential is ludicrous. And that's why in the future (most likely already today) it will be relatively safe to assume that there are other parties, be it individuals or organizations, that have access to some aspect of your private communication.
Bruce Schneier already posted last week on how the NSA 'slipped up' thousands of times every year since 2008 leaking this wholesale vacuumed data all over the place. He advocates for corporations to fight the NSA instead of bending over for them because it's them who will get screwed in the end when their data ends up leaked too
At this point, you and I are just speculating on which outcome is more likely. I'm arguing there are probably significant data controls. You're arguing that the data was accessible but not leaked because he was an idealist. Until there's evidence pointing either way, this is just speculation.
I would argue that the most direct way to prove the extent of spying would be to actually expose the data that was gathered. Therefore, after weighing the privacy of the unfortunate soul versus demonstrating to the world the power and pervasiveness of this system, he might have an incentive to leak the actual data, if he had access to it.
I was using the term "blueprints" colloquially, meaning "plans" or "details". Quite a few of the leaked slides are exactly the type of material that one would expect the government to have "tighter controls on", compared to petabytes of mostly useless data.
I disagree. Training documents are meant to be shared to a much wider audience than the developers of the system. Data coming from the system is meant to be used in a report.
My guess is that that hard part in PRISM is actually building it. You have to have tons of money and cooperation from big powerful companies and government because it's illegal(unless you're NSA).
I have now gotten for myself an email there,
p.jones at mykolab.com in case anyone wishes
to contact me over something really important
and feels squeamish about writing to an email
address on a server in the US.
PJ could help people understand the real issues if she explained that all plaintext mail is vulnerable. It's not only about the mail host, it's the network itself that's compromised.
Switching to Kolab is false comfort for people who are "squeamish" about sending mail to "a server in the US".
I'd love to see PJ publish her public key and encourage people to learn how to use it.
I am in the process of developing a new messaging system to address exactly that issue ( anonymous communication where it is unclear who is talking to who )
The way in which it will work is having all users of the system constantly send encrypted streams to each other ( mostly gibberish ). When you want to send a real message you simply replace the encrypted gibberish with some real content.
It will implement "onion" style repeated encryption to prevent direct links from being statistically analyzed as well.
Look for it in 6 months or so. Details will be up at circleofdistrust.com in about a month or so.
The idea of masking real content with gibberish always seems hacky to me, and in security hacky is not a good idea. While I suspect you might be able to make it work, I think a better solution is to go to more of a bitcoin approach.
Essentially, set up a new block-chain that allows transactions to contain 'large' messages (IE. large enough for long plaintext, but probably not enough to embed videos). Then, when you want to send a message, encrypt it using the intended recipients public key, then publish the cipher-text to the blockchain.
I don' t have a list of urls right now, but papers on the lack of anonymity of bitcoin and bitmessage are not hard to find. It is a very difficult problem against NSA level attackers. Masking when content is being exchanged by exchanging something on a fixed schedule seems like one of the few things that can be done to at least mask something.
Edit: OTOH, this this does just mean they attack one or both nodes if they care when content is being sent.
Bitmessage is essentially a torrent server where everyone gets a copy of everyone elses emails, so you get your email by downloading all emails.
Unfortunately in such a system, you have to download all emails, or request what you want in order to actual get the email you want.
The system either does not scale, or will leak information in order to remove the requirement of getting everyone elses emails.
Also, the government can collect -all- of the encrypted messages easily, and potentially eventually correlate who an anonymous id is based on their knowledge of who received messages on which day.
I haven't checked Bitmessage's protocals, but that it is not nessasary to identify the intended recipient. If you publish the ciphertext with no meta-data, then everyone can attempt to decrypt it. Only the intended recipient would succeed, but an ease dropper would not be able to identify who successfully decrypted the message.
This raises an obvious scalability question, as you need to attempt to decrypt every message that is used in the network (in addition to simply downloading it which you have to do anyway). There are probably ways to mitigate this overhead without compromising security.
If you read the wikipedia entry is says that the destination id is required. I assume these must be created somehow and communicated to the sender before being able to receive anything.
So long as this is occurring, the way the scheme works, unless you download every message, it could be determined which id belongs to whom. Once you determine that it is easy to track originating packets to that destination since it is not an onion system.
Additionally, without side channel communication ( in person or posting that address somewhere publicly ) it is impossible to anonymously communicate to an intended recipient.
Dear NSA: I can and will be designing a fully anonymous open source distributed messaging system that is entirely secure even if you tap every line in the world. At the very best, you will be able to accuse people just of running the software. If you don't like this, I'd advise you that your only option is to hire me and/or pay be enough money to become disinterested in finishing the creation of the software.
I am a U.S. citizen. I still believe in freedom of speech, as well as my right to "Life, Liberty, and the pursuit of hapiness".
I am also a Libertarian, which means I don't believe in large government, due to the corruption that follows.
So long as my goals and beliefs are for freedom and privacy, the creation of secure anonymous messaging is of little interest to the NSA. Will they "like" if it is intentionally designed in a way that it could be used by criminals? No... But I should have no fear of that.
Just because guns can kill people doesn't mean you should use them for that. Just because atomic theory can be used to make large bombs doesn't mean nuclear energy is wrong. Just because pressure cookers contain heat well at pressure doesn't mean you should use them for anything besides cooking your food.
> If you don't like this, I'd advise you that your only option is to hire me and/or pay be enough money to become disinterested in finishing the creation of the software.
So, I think you just lost my trust. You're coming at this from the wrong angle, instead of coming from a princpled stance you're approaching this as a value proposition.
Thank you, PJ, for the invaluable and remarkable work you have done for the FOSS community and, as a consequence, wider society in general over the years. On a personal note, thank you also for helping me with some research for a paper I was writing a couple of years back even though you were a busy person.
I really hope that people look not only into the current list of abuses, but also into the whole nature of government that _inevitably_ led to this point.
Band-aids and spin doctors are not going to make these problems go away. At best they'll just make the problems go further underground so that we don't hear about them as often in the news.
Do you think the NSA is looking to cut back its authority or is it looking to prevent public awareness of this kind of thing in the future?
Since like a beginning of the Future History kind of rule. Then good thing is, it will last for only a couple of the decades before people wake up and restore the freedom. At least it was like that in the book.
Since we weren't allowed to say it when it was relevant, and the point was muddled and trampled on in pseudo-rational debates (“Can you find evidence that they’re abusing this new legislation?”, etc.), I'll go ahead and say it now: it's happening.
There's still a big world outside the Internet, and yet ironically, we live in a world where some employers are so stupid that they won't hire someone without a Facebook, making the abuse and surveillance of Internet more relevant than it needs to be.
I find it hilarious that in most of the threads I've read on here for months, that people who have actually lived in oppressive regimes say that the US is at least displaying a likelihood of being on the slow descent to Hell, while people in the US are quick to point out that it's still fine because we have elections and we aren't being forced out onto the streets and shot in the back of the head.
Read any book on history, strategy, authoritarianism or "real" conspiracies and it's abundantly clear that the best way to control a population is to analyze and manipulate the information they consume; I will not be surprised when we find out in 30-50 years that the tech companies were not only complicit in passive surveillance, but in active manipulation to control public opinion and perception.
Further, people self-actualize and learn to evolve to higher ideals, so once you debase intelligent debate/freedom of expression and make every personal detail of a person's life that passes over an electronic medium open to dissection and survellience, you debase the minds of the people as a whole and open the door to committing worse atrocities.
It's actually less difficult than it was 50-100 years ago to control public opinion. Before, you'd have to burn books and control every major newspaper and broadcasting corporation. Now you can just astroturf on Reddit or Twitter, or edit Wikipedia is subtle ways, and have the same effect.
> the best way to control a population is to analyze and manipulate the information they consume
The comparison that some have made between the US Government and Stasi is more accurate than you think, with regards of Zersetzung:
> By the 1970s, the Stasi had decided that methods of overt persecution which had been employed up to that time, such as arrest and torture, were too crude and obvious. It was realised that psychological harassment was far less likely to be recognised for what it was, so its victims, and their supporters, were less likely to be provoked into active resistance, given that they would often not be aware of the source of their problems, or even its exact nature. Zersetzung was designed to side-track and "switch off" perceived enemies so that they would lose the will to continue any "inappropriate" activities.
Data mining is a very interest challenge and represents a major step in large-scale computing technology, but it pales in comparison to data manipulation.
Imagine for a moment if the intelligence-surveillance apparatus were redirected outward: methods used for parsing human communication would be re-purposed for disseminating seemingly-human propaganda. Who you're responding to on Twitter, reddit, or HN may not be a person.
Imagine for a moment if spammers were quite a bit more convincing in their emails, and that their poor grammar and spelling were improved.
While I see the potential for "Zersetzung", it just doesn't scale as well as mass surveillance.
If your communication (and ___location) data is stored by US companies complicit with programs like PRISM, and there is no hope that this data will ever be destroyed, then that's enough to make you communicate (and move) a lot more cautiously.
Agreed. Some time ago on HN: Law firms forcing online newspapers to delete older articles. No one cares, it's old news right? Step by step they're changing history.
Oh, I have. It's just far too long ago, and I had the misfortune of reading a translation. A bad one, at that.
So I couldn't place the quote. I just knew it from different context.
Much the same way it took me years to find a quote that my gradeschool math teacher used and which had lodged itself firmly in my brain. Namely: "To study and not think is a waste. To think and not study is dangerous." - Confucius
I like the Confucius quote. There IS a certain danger in taking shortcuts in your thinking. It's probably best to use shortcuts anyway when in discovery mode, but then to check those shortcuts rigorously.
Kudos for this accurate and relevant Confucius quote, it is rare nowadays.
In fact, reading this guy's Analects, you'd find a mine of secular wisdom aphorism that sound obvious but are all the more urgent to remember by the times running.
There's still a big world outside the Internet, and yet ironically, we live in a world where some employers are so stupid that they won't hire someone without a Facebook, making the abuse and surveillance of Internet more relevant than it needs to be.
You know what's my thought towards such employers? A big fat FUCK YOU! Those are companies, where I rather collect unemployment benefits than ever working one day for such an outfit.
The same sentiment is extended to any service, which requires me to have a Facebook (or any other social media) account.
Right, right, but for everyone that isn't a lean rockstar Node ninja programmer agile kanban expert--e.g., most of the population of the United States--it is far, far too easy to weigh going hungry against getting a "harmless" Facebook profile.
Replying to myself as this could have been misunderstood: programmers are not going hungry in the US, and yet, comply with things they may consider unscrupulous. We shouldn't, even if we were starving, but that's a tall order for most human beings.
I'm not intransigent, but I try not to redraw the line of how low I'll go according to context.
I'm not saying things are good in America right now, but I think our problems are due to my fellow citizens, not some evil cabal of overlords. If we're all gonna steer the plane into the ground, well, I wish we wouldn't, but from everything I see we are doing this to ourselves. We went crazy over terrorism, and we didn't come back.
We went crazy over terrorism? Who's we? Am I part of the we that helped pass the PATRIOT Act (which was an Act of Congress) without reading it?
Am I the one who pitched Saddam's Weapons of Mass Destruction to justify an invasion of an irrelevant country that resulted in ~125,000 dead civilians?
Am I the one who has been helping build the system that has devalued an American college degree to the point of worthlessness? Did I decide to over-advertise the college experience to impressionable kids? Did I decide to give more student loan money to college students? Did I decide to raise the cost of my university to account for said federal dollars that I can now obtain out of greed?
But many of the policies and actions are coming from a higher-level than your average citizen.
EDIT: However, I agree that the stupidity and apathy of the general populace is at least partly to blame. The people who know what's up ahead of time aren't confident enough to act until it's obvious, in which case it's usually too late. The rest just don't care and assume someone else will solve the problem. Further, following trends and the subsequent inability to make it through a turbulent or confusing time without devolving into mass panic and animal-like behavior is also a problem.
If 75% of the polled public believes that linking minimum wage to the cost of living is a good and correct thing, and legislation continues to be passed attempting to lower or inhibit raising minimum wage, who would you suggest controls the legislation? It's certainly not the 75%.
> once you debase intelligent debate/freedom of expression and [...] you debase the minds of the people as a whole and open the door to committing worse atrocities.
...Can PJ not figure out GnuPG? Is she officially retiring from any and all digital correspondence contrary to her notice that "[her] email [addresses] still work"? She says she's getting off the internet to whatever extent possible, and then asks people to continue to send her mail. I also find it cute that people believe facilities based in other Western nations are outside of the NSA's reach.
I gotta say that stopping Groklaw, which is a public site anyway, because someone else might be reading it, doesn't seem to make a lot of sense, despite the emotional ploys in this article. She can write and save drafts locally in a (GASP) local word processor and encrypt anything she chooses to upload to remote storage. The government will then not be able to read unfinished Groklaw articles. Does this resolve the issue?
This whole article should've just been a public key and a PO box address with this note: "I will not acknowledge plaintext mail. If you are uncomfortable transmitting encrypted data over the wire, please send a USB disk to this box."
Encryption is mentioned in the article, but dismissed as encrypted e-mails are stored for 5 years in hope of new discoveries for decrypting without the private key.
I still agree with you, though.. PGP is pretty good, after all :)
GnuPG is not a solution for this. The problem is not just about the contents of the message, but knowing your communication habits. GnuPG can't encrypt who your message is going to, being replied to, when, or even the subject.
The NSA probably isn't storing all the contents of voice calls either, but it really doesn't matter all that much. They can still tell who you communicate with when and how often. That's not conducive to democracy or free speech.
Furthermore, because of how few people use GnuPG or other such tools, I would expect you'd only be targeted harder for using them.
> GnuPG is not a solution for this. The problem is not just about the contents of the message, but knowing your communication habits. GnuPG can't encrypt who your message is going to, being replied to, when, or even the subject.
GnuPG is PART of a solution to this. If you do need to hide the recipient, sender, subject line, etc., then you'll have to bolster your solution with other offerings. One suggestion may be to use temporary email addresses created through Tor, so that the gathered mail header data is not meaningful. Another suggestion would be to encrypt the data and dump it onto a filehost and send the link through a non-email channel. But in any case, it is crucial that the content of one's messages remains private.
>Furthermore, because of how few people use GnuPG or other such tools, I would expect you'd only be targeted harder for using them.
Indeed this is the case now, but as we get more people set up with GPG, it will no longer be an effective method of discrimination.
I'm sure she can, but by doing so has reduced the set of people capable of sending her mail significantly by imposing the requirement that they figure out GnuPG before they send her an email.
Not in the same way that you can use email though. It is unsafe to use GnuPG on a computer you do not own or trust like a computer at a public library or an Internet cafe. It is, however, possible to register an email address on such a computer and send unencrypted email on that same computer with some precautions and still be fairly sure that the contents will not be connected to you.
It's just as safe to use GnuPG on a public terminal as it is to use any other password-protected functionality on a public terminal. You run the risk that the terminal is recording your input and that your password may be compromised. In one case, this may compromise the security of your private key, and in the other case, it may compromise the security of your email account.
One could argue that GnuPG is actually safer on a public terminal than generic online email access, because if you keep your keys on a USB stick, it's another critical piece of data that would have to get collected separately before the captured input data was of any use (this could be automated, but it'd be much harder than just running a keylogger, especially if one undertakes avoidance techniques). If one accesses an ordinary email service, the log would look like "gmail.com↲cookiecaper↲mypassword", which obviously contains all information necessary to access an account. As long as the private key is not automatically copied by the terminal, you can simply change your passphrase after each usage of a public terminal and it simply won't matter if someone stole your input or not.
The only issue is that in the real world, most terminals do not have GnuPG installed. We should be using taking this opportunity to try to change that, while public interest is on the topic.
The main point I was trying to make is that, if you don't own a computer of your own and you are trying to leak something, an internet cafe or other public terminal that sees use by several people might be an effective way of hiding that you sent something. If you don't own a computer of your own you have no trusted place you can go to generate a PGP key, to set its passphrase securely, to encrypt email before you use the public terminal, to decrypt what you retrieved from the public terminal on your home machine (so your passphrase can't be keylogged or your key cannot be copied), and so forth. If you use a mass-market operating system (Windows, Mac OS X) you might have a computer that you own but cannot trust in any way. That's where opening a "throwaway" email address and sending something unencrypted is a viable use case. If you muck it up by trying to encrypt using PGP then possession of the key is persuasive (but not conclusive) evidence that you are the one that sent the email, and quickly becomes conclusive evidence if even the most basic automated surveillance techniques are used on that untrusted machine.
>One could argue that GnuPG is actually safer on a public terminal than generic online email access, because if you keep your keys on a USB stick, it's another critical piece of data that would have to get collected separately before the captured input data was of any use (this could be automated, but it'd be much harder than just running a keylogger, especially if one undertakes avoidance techniques).
One would be wrong. If an adversary is keeping a copy of every file that is opened on a USB stick (which would be trivial to add as an "update", "patch", or "option" to, say, an on-demand antivirus scanner) then it's game over.
>If one accesses an ordinary email service, the log would look like "gmail.com↲cookiecaper↲mypassword", which obviously contains all information necessary to access an account. As long as the private key is not automatically copied by the terminal, you can simply change your passphrase after each usage of a public terminal and it simply won't matter if someone stole your input or not.
If they have your key from the previous step then changing your passphrase does absolutely "jack" and "shit". Where are you going to change this passphrase anyway that's on a computer owned/trusted by you if you don't own a computer or don't want to tie that key back to your home machine and identity?
>The only issue is that in the real world, most terminals do not have GnuPG installed. We should be using taking this opportunity to try to change that, while public interest is on the topic.
Then you'll have backdoored copies of GnuPG installed on these machines that will offer you no security.
>If you don't own a computer of your own you have no trusted place you can go to generate a PGP key, to set its passphrase securely, to encrypt email before you use the public terminal, to decrypt what you retrieved from the public terminal on your home machine (so your passphrase can't be keylogged or your key cannot be copied), and so forth.
Correct. We should consider it a pre-requisite that someone interested in swapping secure communications has at least one computing unit which they can control. This is like asking "but if someone doesn't have fingers, how will they type at a public computer?" Most people have administrative access to at least one machine, at least a phone if not a laptop. The requirements to generate a key are not excessive.
>That's where opening a "throwaway" email address and sending something unencrypted is a viable use case.
Never said this won't ever be a viable use case. There are times when it'd be appropriate to use a one-time mail address from a public terminal and then discard it. It's really up to the individual if encryption is necessary for the content they're seeking to send.
>One would be wrong. If an adversary is keeping a copy of every file that is opened on a USB stick (which would be trivial to add as an "update", "patch", or "option" to, say, an on-demand antivirus scanner) then it's game over.
So first, this is another level of complexity, another barrier, that makes things more difficult, even if it could plausibly be executed. A random joe who sneaks a hardware keylogger between the board and the machine will not be able to do anything with this. Many amateurs will fail to understand that this kind of thing is needed. It is still much more secure to use a public terminal with the knowledge that this may happen than putting all your eggs in one basket and relying solely on keyboard input ("something you know") for security.
Secondly, if they're copying EVERY file off every USB drive that's plugged in, they may have difficulty distinguishing your key, especially if you take avoidance techniques as mentioned in my first post. Private keys that are used by GnuPG are binary, not plaintext (you can export them as armored keys, but GPG won't use these files directly). You can name the keyfile whatever you want. You can embed your key inside another file and extract it to /tmp with dd. You can put your keyring in a TrueCrypt volume. You can put it in a password-protected rar file. You can encrypt it against a key that is embedded on the stick outside of the filesystem, so that even if the terminal copies the full contents of the filesystem, they still won't be able to use your key. There are all kinds of things one can do to ensure that his key is not just sitting there to be taken, and to be reasonably secure that even if it is taken, it will be difficult to extract in a meaningful manner.
>If they have your key from the previous step then changing your passphrase does absolutely "jack" and "shit"
Yes, I'm aware of this, which is why I prefixed my statement with "[a]s long as the private key is not automatically copied by the terminal..."
> Where are you going to change this passphrase anyway that's on a computer owned/trusted by you if you don't own a computer or don't want to tie that key back to your home machine and identity?
You're not, you must have a machine you trust, as most people trying to leak content will. One could use a virtual machine to manage his identities that he didn't want registered on the host box.
>Then you'll have backdoored copies of GnuPG installed on these machines that will offer you no security.
This is a good point. You should use your own GPG binary hosted on your USB stick instead.
Not wanting to be in possession of key material which could tie the original message back to you would be a good example. PGP messages are not deniable.
I was thinking more of a situation where a worker trying to expose abuses has knowledge of how to use a computer but does not have a computer at home that they can trust. Either it's shared, is running an operating system that cannot be trusted (due to malware or other reason), is under active surveillance (not necessarily by a state-level actor), otherwise untrustworthy, or the leaker simply does not own one.
In that case there is no safe way to generate and store a PGP key, and possession of the associated key is a great way to break anonymity.
The thing is, GPG is not bollocks. Barring a major unforeseen discovery, RSA cryptography will easily stand up to five years' retention.
If you're worried, use a long keylength. I've been using 4096-bit keys for over a year now and there's no noticeable performance hit for regular comms on my computer. On my phone, 4096 is noticeably slower than 2048, but it still works fine (probably about a 5-10 sec operation to decrypt an ordinary email, and I have a comparatively "old" phone).
More to the point though, is that forcing the NSA to work on a specific message is computational power that they can't use to oppress the populace at large.
I know PJ is quite private (and probably rightfully so after the private investigators that were sicced on here during the SCO trials), but I was still shocked to read about this. Imagine if the New York Times and Washington Post had shut down in the 1940s, 50s, 60s when phone wiretapping was completely legal for the government to do.
Not only did they not shut down, but they didn't even have encryption to use back then. The people are far better armed today to be able to protect their communications.
> More to the point though, is that forcing the NSA to work on a specific message is computational power that they can't use to oppress the populace at large.
This, precisely.
Too many people throw up their hands because it's impossible to be 100% surveillance proof. But you don't need to be. If we can make surveillance orders of magnitude more expensive, we win.
And there's nothing necessarily wrong with doing so. It should further be noted that anything you upload to a Google server is automatically packaged and delivered to the NSA by Google directly, so don't send anything to Gmail that you wouldn't want the NSA to access.
A FISA warrant doesn't magically render RSA invalid. If all your comms are encrypted, they can get whatever warrants they want, and they still won't be able to read your information unless you surrender your passphrase and key.
I understand that they can, and sometimes may, force you to divulge your key, but it's not a consistent thing in the United States. There are judgments that require the divulgence, and judgments that claim such forced divulgence is precluded by the Fifth Amendment.
In any case, you buy yourself a very large amount of time if you don't just leave all your communiques out for them to read in plaintext. If you're encrypted, you have a lot of due process to exhaust before they ultimatley MAY order you to divulge the key. They have to go through your lawyer. He can file motions and appeals. The accused may incidentally forget the password. There are a lot of options. With plaintext, there are no options; there is only the government with all your content, and you with no control over anything.
The point is really that they could just change their mind. It's already obvious that the gov't will go to great lengths to violate privacy and what we assumed were constitutional protections, so why would they respect your 5th amendment right and not just demand keys in the future?
While I understand her (1) personal reasons for shutting down Groklaw, this is an extraordinarily bad decision for privacy and democracy.
In the last few weeks quite a few providers of private communications and/or freedom (for some definition of freedom) have shut down. Lavabot, Freedom Hosting, etc. If the US could shut down The Guardian they would.
This leaves fewer and fewer secure channels for private communication, and less and less information about what is actually going on.
This is an incredibly dangerous road to walk down, and is akin to the Intelligentsia leaving Germany in the 20's. We all know how that ended.
(1) edited his to her - thanks for pointing it out rolux
Obama continues to push hard to steal what little privacy rights US citizens have remaining. He is openly hostile about it, and lies about it constantly.
Am I exaggerating here? The scary thing is I'm not. He's not done. It's going to get worse.
Sadly, I think this is part of our problem. "Obama".
Attaching his name to this just makes it so that we all vote for a Republican next year, congratulate ourselves for getting rid of the guy who loved spying on us all, and everything stays exactly the same.
I'm not trying to defend him or say he is blameless here. I'm saying that it's bigger than who is in the President's chair at the moment, and I wish we could think about these things in a more systemic way.
Exactly. The problem is so far beyond partisan now that people still framing it in terms of "Bush" or "Obama" have the blinders on.
The problem is systemic and cultural, the federal bureaucracy is more influential on elected officials than elected officials are on the federal bureaucracy, at least in matters of intelligence and national security.
Every politician elected into this system faces extraordinary forces of compliance, and only a few on both the left and right (Wyden, Paul, etc) seem able to resist.
What is even more scary is that we have been in freefall in this regard mostly since at least Nixon signed the Banking Secrecy Act.
This was followed by Carter signing FISA....
Regan followed, signing among other things legislation to allow the military to enforce drug laws domestically as an exemption to Posse Comitatus. This meant that the military was involved in surveillance at both Ruby Ridge and Waco, and also directly provided military equipment and in some cases personnel to these operations (in addition to Navy SEALs raiding crack houses in some cities).
Then came Clinton and things got worse again with the Anti-Terrorism and Effective Death Penalty Act and some other laws.
Although people often bemoan political apathy as if it were a grave social ill, it seems to me that this is just as it should be. Why should essentially powerless people want to engage in a humiliating farce designed to demonstrate the legitimacy of those who wield the power? In Soviet-era Russia, intelligent people did their best to ignore the Communists: paying attention to them, whether through criticism or praise, would only serve to give them comfort and encouragement, making them feel as if they mattered. Why should Americans want to act any differently with regard to the Republicans and the Democrats? For love of donkeys and elephants?
EXCERPT FROM
Orlov, Dmitry. “Reinventing Collapse.” New Society Publishers, 2011-04-06. iBooks.
This material may be protected by copyright.
I used to disagree with you and Mr Orlov, but there is a point where apathy is the correct response because it frees up energy to build a better future through other means.
What you can use elections for is to extort policies from elected officials. The problem is that means being willing to vote for the greater evil if you don't get the things the country needs and our country is unwilling to enter into that mentality.
I think you're missing the point that the actual important policies are not up for debate and are agreed to by both sides before the two winners are picked for us to vote on. All the electorate gets to decide on is meaningless stuff. Both candidates will always want the elimination of privacy, destruction of the middle class, complete subservience to wall street, etc. The electorate gets to decide on unimportant stuff like the skin color of the winner... it doesn't really matter because either winner will implement the same policies, although perhaps with slightly different PR campaigns.
A fundamental impedance mismatch is the public wants/needs policies. However they're only allowed to vote on two hand picked two sides of the same coin "leaders", not the actual policies. The "winner" is the candidate who tells the best lies about policies, which will of course be forgotten after inauguration, and both are going to do the same thing anyway so it doesn't matter very much which wins.
That's why voting is the final act of a series of political actions, and merely should be cast as an up/down "keep this guy" vote without looking too close at the alternatives.
We have to take over the conversation and stop listening to the challenger. The challenger doesn't exist. It is up/down on the incumbent.
I fail to see the point of that. By definition, both the incumbent and the challenger were hired by the same political action committee to achieve the same outcome by using different PR techniques.
Your suggestion is that the general public should slightly modify how they select which lie is told to them. The result will be they'll be lied to slightly differently, and no change in actual outcome.
With enough money, and it'll take a lot of money, the public could purchase their own candidates... That would be interesting, although unlikely. And there's an awful lot of intentional divide and conquer PR work already in place to prevent it.
Once wealth inequality and income inequality exceed a certain level the system spirals out of control until it crashes and reboots. In that scenario the most sensible way to limit total overall human suffering is to floor the accelerator and encourage the process, rather than hold it back, so it crashes quicker and we get back to normalcy sooner. Given that background, a lot of current events suddenly make more sense. Look at federal reserve policy, or pretty much anything in contemporary politics.
The funny thing is that FISA was originally intended to curb the intelligence abuses that had come to light earlier in the '70s, in which phones were tapped, and international telegrams seized en masse, with no legal authority whatever. It doesn't seem to have been effective in that regard even before it was effectively gutted by the FISA Amendments Act of 2008, but it's still not quite of a piece with the stuff that came later.
I don't think that it's useful to be talking about Obama specifically. Before Obama there was Bush Jr, who was the sitting president when most of these programs were put in place. It should be clear now that it's not one specific President, or one specific party, but the whole political class that has been corrupted. Thinking things will get better at the next election will absolutely not help things, unless the issue du jour of the next election is privacy, and the new president chosen based on their commitment to privacy. Even then it's not sure whether such a President could successfully make meaningful change.
I lot of people were hoping Obama was the start of a new direction. I'm now hoping he'll be the last of the old direction. The big problem to solve is: how do you elect someone different? As long as the two parties get to decide who American can elect, democracy is a hollow gesture. And the media are all in the pocket of the main parties.
Honestly, it seems like only Al-Jazeera US might be the only independent news station.
"As long as the two parties get to decide who American can elect,"
No, its one set of political campaign donors, not two parties.
One set of donors, hires two competing PR firms masquerading as political parties, to implement two different messages aiming at the identical goal.
Its relatively effective and stable as a technology for social control. Its also effective at benefiting the people who are running it, which is obviously not the general public or humanity overall or the environment or pretty much anyone but a couple 1%ers.
> I lot of people were hoping Obama was the start of a new direction. I'm now hoping he'll be the last of the old direction.
As long as people are hoping for some politician to deliver them from government unaccountable to the people, its not going to happen.
> The big problem to solve is: how do you elect someone different?
Elections are important, but they aren't everything. More needs to be done to think about "how do we effectively hold those we do elect accountable".
> As long as the two parties get to decide who American can elect, democracy is a hollow gesture.
To the extent this is part of the problem, it is probably more tractable if you realize that it is a problem effecting many elections, isn't amenable to a quick one-step fix, and that elections to the Presidency aren't the best place to start.
"lot of people were hoping Obama was the start of a new direction"
Anyone who thought that wasn't paying attention, of course, but it's not like that's a new thing.
And it makes sense: it's not like your vote is actually going to do anything, so why bother paying attention? Just go vote if you remember, and pick the guy with the letter by his name that you voted for last time. (Can look up Ilya Somin's writings regarding "rational political ignorance" for more on that.)
Start by being intellectually curious about the person, who he is, what he has done on the past, what philosopies he is associated with. Quit labeling people who try to do this as wingnuts or racists or employing other logically fallacious arguments to try to shut down debate.
We -- all citizens of Western countries -- should seriously stop voting altogether. And I mean full stop. When the next election comes, nobody votes. That'll destabilize things right quick.
More pragmatic would be to vote anti-incombant regardless of party until things change. Let the elected officials know that if they want a second term, they had better cooperate.
It is a curious quirk of psychology that a single vote for a two major parties is considered to matter, despite being guaranteed not to sway the outcome, while a vote for a third party is considered "wasted". And even curiouser, choosing not to vote at all is considered the more rational option.
Here's hoping that the people eventually figure out that instant runoff can be implemented state-by-state.
> Here's hoping that the people eventually figure out that instant runoff can be implemented state-by-state.
Here's hoping that people eventually figure out that better voting systems can be implemented state by state, including non-single-winner systems where appropriate (e.g., legislative elections), and single winner systems better than IRV (which is pretty much the preference voting system that does the most to preserve the problems of majority/runoff) for the places where single winner systems are still needed, as might be the case with executive elections (or not, if you reform more than just the election system.)
Honestly, I'm in favor of any modifications to winner-take-all. "None of the Above" would be a major win for the protest vote, with a huge meta-electoral effect even if it never wins. And while it would boost morale and turnout for presidential years, the real effect would be seen if we elected Congress that way as well.
Basically, you check yes or no for everyone, and the winner is the one with the most "yes" votes. Less expressive than IRV, but also simpler to understand and tabulate.
Belatedly: thanks for sharing. It does seem an easier sell, because the counting process is so easy to understand. It's not as favorable to third parties as IRV, because "[X] Minor [X] Major" obviously doesn't carry as much weight as "[1] Minor [2] Major", but at least it still kills the spoiler effect. While IRV seems more "pure" in an information theory sense, Approval is elegant in its simplicity.
That's mostly my views as well, yeah. There are a couple (narrow) weird cases with IRV, too... but IRV is unquestionably a tremendous improvement over FPTP.
"the real effect would be seen if we elected Congress that way as well."
Elaborate on that a bit - I know it's popular to say that Congress has a low approval rating, but no one votes for "congress" - they vote for their congresspeople, who typically have high approval ratings. There may well be other effects I'm not spotting, though...
Add a third option on the ballot for re-doing election
with different candidates:
"Dont like either of these two (expletive) - come back with better ones".
If this option comes tops in the election, both parties pay a percentage towards the cost of next round. Can't say their donors would be very happy if this shit goes on for months. Oh my god, how will we function without a government? Well, its not like the government we chose is doing/gonna do all that better.
Atleast it'll slowdown most of the shitty laws that get passed with alarming efficiency.
There is no "we", but I also disagree that it would "destabilize things". I think that after a brief initial upheaval, it would stabilize things to a great degree, and in a positive manner.
But yeah, it's devastating -- especially when it comes just one day after a editor of the Guardian states that they can no longer report on certain topics from London.
It seems like we need entirely new communication protocols.
> It seems like we need entirely new communication protocols
How about new government - one that isn't broken and tramples on all of our civil liberties? The first step is to dismantle the military industrial complex
While elsewhere in the comments, there is the sentiment that "you can't code yourself out of this", my hopes of voting myself out of it (or otherwise "fixing" a system, as if it was just accidentally "broken") are much lower.
(But note that "protocols" may also have non-technological components.)
Popular movements have accomplished incredible things over the centuries, and almost none (I'm hedging, I want to say there were none at all) of them were achieved by ticking a box on a voting form. The level of repression in the West today, while certainly not at its lowest point ever, is still lower than it's been for much of the past century.
It's easy to feel helpless and isolated, to feel like you can't do anything because the government is so big and you're so small. Realise that this feeling of helplessness is not based in reality. It is fostered; not by some kind of global conspiracy between government and business, but because it serves the interests of powerful people and institutions everywhere. There is no need for them to cooperate, for them to get together in shady backrooms to decide how next to disempower you. Their interests just happen to align.
But that isolation is not something you're forced into. You can break free. It's not easy, but if people suffering under military dictatorships can do it, then in our (still) relatively free society, we can do it too.
Anyone who feels like this should read Howard Zinn's A People's History of the United States. I'm rereading it these days (relistening, actually), and while it's certainly not perfect, you'll get a lot out of the shift in viewpoint.
>While elsewhere in the comments, there is the sentiment that "you can't code yourself out of this", my hopes of voting myself out of it (or otherwise "fixing" a system, as if it was just accidentally "broken") are much lower.
So you intent of fixing just a small point of the whole mess (the surveillance thing) and not the overall mess (bad governments, something that affects 100% of our life and countries)?
Not to mention there is nothing to fix this way. Everything can be outlawed, including mere use of unlocked general purpose computers as a non authorized professional in, say, 20 years time.
"Everything can be outlawed, including mere use of unlocked general purpose computers as a non authorized professional in, say, 20 years time."
I think that genie is well out-of-the-bottle.
Did you see the article recently about installing linux on the microcontroller on a hard disk controller board? There's no end of "consumer electronics" that have "general purpose computers" inside them. Hell, I'm helping out some people deploying christmas lights with a half-gigahertz ARM Linux board with wifi as a controller. (hardware details here: http://dev.moorescloud.com/2013/07/06/holiday-hardware-is-op... if you're curious). They've shipped over a million RaspberryPi's in the last 16 months - they're mostly still going to be useable in 20 years time, and between now and then pretty much every toy,appliance,car,tv,phone,coffeemachine,whatever is going to contain something capable of running linux...
No, I'm just saying that working technology (like general purpose computers as affordable consumer goods) may be harder to ignore than "the voice of the people".
(In Philosophy, you'd call this position "materialist", I assume.)
You need to fix both of course. The broken political situation needs to be fixed, but communication protocols need to be improved too.
And of course, as long as the current political situation in the US lasts, cloud services in the US cannot be trusted. Run your own server, or use a server abroad.
Your final statement here is not true. The way in which you keep anonymity with an onion system is as follows:
1. Use a central originating server for onion packet sourcing
2. Make it public who all users are
3. Have onion packet creation contain "token of receipt" for all messages along the chain.
4. Rate limit message origination from users
5. Ban users who refuse to forward encrypted packets at a steady rate
6. Only allow small message sizes ( 10k )
7. Have all online users constantly originate "bogus" packets to random users
8...
I am currently writing such a system. Some details up at circleofdistrust.com in about a month or so.
How do you rate limit users? Are not originator traffic and pass thru traffic indisquishable, so a receiving peer cannot tell the if a node is just well connected and has a lot of traffic on behalf of others, or is an abuser?
There are two types of nodes in the system, "servers" and "users". All servers communicate with each other so that they are all aware of all existing "servers" globally. There will likely be a limit on who is allowed and authorized to be a server. ( likely a list of their public keys published to the main site for the project )
All packets must be hashed and authorized ( signed ) by the server before they can be sent out. Any packet not authorized by a server will be rejected. In this way, servers will rate limit originating packets.
The traffic is distinguishable because the onion layer is identified at each level. If, after unwrapping your layer, you discover the underlying "level" is not 1 less than your own informed level, the ip origination will be flagged back to the server for spamming.
Current estimate for number of onion levels is 100. Actual destination should be somewhere in the middle 60 or so, to prevent government tracing of the packet because all hops.
At each hop, random delays will be implemented, as well as injection of extra data and/or disguising the entire packets as other forms of tcp communication. ( to prevent dropping of the packets through filtering )
The "servers" know that users are sending out origination packets at a specific rate and to whom, but nothing about the layers beyond the first. Additionally, the entire onion packet is never sent to any server, only a hash of it with specific other information. This way, "servers" can never be accused of harboring illegal data of any sort.
Forwarding rates are measured because each onion layer containing a "message of receipt" that is sent back to the server. The server receieves all of those from the originating user before approving the onion packet.
The only think attackers of the system could try to do is attempt to DDOS users of the system. This is prevented inherently by it being known at all types all users logged into the system ( this is public knowledge in the system ). Communication is only allowed from valid behaving users.
Its not as though we don't have a spam problem already…
Freshly pulled-out-of-the-air suggestion – anonymous but requiring micro-payments. Say, 500 or 1000 satoshi (around a tenth of a cent) per message delivered – not as a means of generating revenue, but as a way to destroy email's current "if I only get one sale per 100,000 emails I send, that just means I need to send 10,000,000 emails a day to get my desired 100sale/day" vulnerability - if that actually cost the spammer $10,000/day, it just wouldn't happen.
('course that required having hard currency to bitcoin exchanges easy enough for the general public to use, and scalable enough to service a significant proportion of internet-using people)
- That's why I prefer to think about protocols, as opposed to a system (i.e. global implementation of one or more generalized protocols)
- You don't always have to solve the problem theoretically; solving it practically may be good enough. A system can be usable for a long time, before it collapses under abuse.
> If the US could shut down The Guardian they would.
That's stupid. Of course they wouldn't. They would require them to stop reporting on the security state. But that is vastly different from shuttering them all together.
The Guardian certainly performs a public service in a variety of other domains (from which the government can and does benefit). The security state just doesn't want the press banging around in their ___domain.
Let's not let the hyperbole get away from us here.
Even better, would be to have them report favourably or obtusely instead of shutting them down. I fail to see the hyperbole here... just a difference of method.
Shuttering a press outlet is a different thing in kind than what is happening right now.
The US is not Zimbabwe or Burma or Jordan. It has its serious flaws and issues that need to be addressed, but we shouldn't mistake the kind of creature that we are dealing with. Making that mistake will lead one to seriously misunderstand what the interests and possible courses of action that western governments will pursue.
Also, if one wanted to be really crabby about it, it's kind of disrespectful to all of the journalists who paid with their lives to contribute to the civic sphere to equate pervasive surveillance (as serious and insidious as it is) with the pervasive fear of physical harm and death that some journalists face.
Marcela Turati did a terrifyingly good job of conveying the price that Mexican journalists pay at the Investigative Reporters & Editors conference this year. If you really want to get a sense of that, you can watch the video here: http://ire.org/conferences/ire-2013/keynote/
Intimidation, confiscation/destruction of property without due process, invasive surveillance and retention under 'terrorist' laws for family of journalists is a difference of degree than what happens in Mexico.
I hold the liberal Western governments to higher standards though, and see the difference in degree as being eroded more easily than you suggest.
You're still falsely equating. Even if it were a slippery slope along a line, it's still a line. Not all of the points are directly adjacent to each other.
Let me try and phrase this in terms that aren't loaded such as 'slippery slope' or rhetorical geometry.
I believe in the importance of a free press, and recent developments are troubling and lead to understandable concerns about the ability of ordinary people and journalists to discuss, report on, or investigate without undue duress, potential criminal activities by rogue agents exceeding their mandate as proscribed by their democratically elected governments.
This to me is the most pernicious thing about this whole surveillance business. The mere presence of a comprehensive surveillance apparatus, even when you don't live in a totalitarian state when jack booted thugs pay you a visit to "get your mind right", does incalculable damage to the first amendment. In a free society, it's "game over" without the first amendment. This is in some ways even more damaging than the actual surveillance (which in theory could be shut off today) because once the public feels they've lost the freedom of speech, it is extremely hard to convince them otherwise. Look at how hard it has been for the citizenry of forer communist countries to embrace and internalize the freedoms we in the US have had for a few hundred years.
I have said this on HN several times, and I will say this again. Dragnet surveillance of private digital correspondence by the US and other governments is wrong, and a gross, unjustified, overreaction to the real threat of terrorism.
And yet, when taken as part of the whole picture that is the internet, government surveillance is little more than a drop in the ocean. While governments may collect a possibly significant amount of correspondence and analyze some of it, almost all online data, e-mail correspondence as well as photos and documents, search history, browsing history, our physical ___location, the driving, running and cycling routes we take, the busses we use and more, is constantly collected, analyzed monitored and used, all day every day, by private corporations. These corporations are even less subject to oversight than any democratically elected institution, and their employees are less carefully screened.
Government surveillance is wrong, but at least it raises an outrage that, in time, is almost certain to bring about change. Corporate surveillance is a more dangerous beast. It employs manipulation and deceit rather than plain-old secrecy, and worst of all – it causes little outrage.
Some have compared the current state of things to George Orwell's Big Brother government, but those who've read the book know that Big Brother does not rule through secrecy and intimidation. Big Brother is never mistrusted, never hated, and never feared or suspected. People subject themselves to his control willingly. Big Brother is loved. That is how absolute power is gained. And that is why a democratic institution has little hope of ever attaining Big Brother status, especially in America where any government is automatically suspect. The real danger to our privacy and our freedom, the true potential Big Brother and the danger that dwarfs any government surveillance online, is Google, Facebook and their ilk.
... usually don't destroy hard drives of journalists or don't detain people as a matter of harrassment just to name two recent actions undertaken by governments who use their introspective powers to take conclusions ("we have to have this Miranda guy") and act upon them ("we know he's in Berlin. Check the flight records")
The point is that the control of the governments does not seem to work anymore OR, at the same time addressing that "Big Brother is loved": nobody cares, because governmental agencies do the right thing. (That is my impression until now, living in Europe)
> ... usually don't destroy hard drives of journalists or don't detain people as a matter of harrassment
I actually remember a similar action taken by Apple (though through the use of a government agency). But bear in mind that corporations' rights to employ violence have been taken from them, but only after they'd been put to good use. They had a long history of terrorizing and killing people (in the US it was during the days of the Pinkertons), and Google is already more powerful today than the robber barons ever were. If government is weakened enough, corporations will gladly fill the void.
People must understand that every interaction with an Internet service means voluntarily sending your data to them. These companies don't just "vacuum it up", the data is simply sent directly to them. Maybe you don't see it that way, but that is why the perception needs to change.
When you use Gmail you are sending your mail to Google, first, and then it is relayed to the recipients. When you search for driving directions to an address, you are sending data to Google that says "I want to know how to drive/cycle/walk to X ___location right now". When you search for some phrase you are sending a request to Google that says "I want to know about this".
There is no reason why they wouldn't hold onto that data. You sent it to them, because you want the response that they can provide. It's an exchange.
> People your you you you your you you you they You them you they
People who do not understand technology to the depth and detail that you do are not halfwits or children. They know what they intend to accomplish and giving up their most personal information for perpetual archival is seldom a property they are asking for. If the technological tools they possess do not faithfully obey their intentions with a minimum of unintended side effects then the problem is with the technology or the services not the user.
Technology is neat and important, but it exists to serve the user. Faithfulness to the users needs and intentions are the only criteria by which we can judge technology.
Putting users' needs first is a great ideal, but ultimately any exchange with a company in a private market context is an economic one.
I don't think anybody is an idiot just because they don't understand this. They've come to see Internet services as something like public utilities. There is very little to reinforce the idea that you are indeed giving the provider something for the service, since what you are giving is invisible/intangible.
A purely quantitative comparison between governments and corporations is completely pointless.
Governments have a monopoly on the use of force, on law making and on many other things that we all depend on. Governments have much greater powers than any particular corporation, and hence the abuse of that power is a lot more dangerous.
How elected representatives vote is public record. How corporations and lobbyists sway them, however, is not.
> Governments have much greater powers than any particular corporation
Yes, but unfortunately this may be changing. I don't think any government in the history of mankind has ever had as much information about people as Google does.
"Corporations" are not a single entity. Some are more aligned with the development of society, some hinder it. It is harmful to lump all corporations in one group.
> is to use a service like Kolab for email, which is located in Switzerland, and hence is under different laws than the US,
don't do this. Since 1999, email providers in Switzerland are forced to keep all logs and data for one year (currently in discussion to prolong this to 5 years) and hand all data over at the authorities request.
If you don't comply you will be punished by fines or even jail.
I once (early 2000s) received one of these orders and I honestly don't remember whether it had a judges signature, but I think it was just some police officer signing it, so I can't be sure whether there was (and is) any court oversight.
If you want your conversations to be confidential, don't choose a Swiss provider.
Maybe I'm just not "getting it", but this seems like an incredibly odd decision. It is not a revelation that plaintext email can technically be looked at by people beyond the sender and recipient. And it's not clear what in any reported stories would specifically relate to Groklaw's use of email.
What it seems to come down to is the general fear that the NSA COULD, from a technical perspective, be reading specific unencrypted emails. But before the recent news stories, did PJ (or anyone else) really send and receive emails thinking "there is no way the NSA, or anyone else, can see this email"?
As far as chilling effects go, the knowledge that a multi-billion dollar signals intelligence agency is technically capable of reading an unencrypted email seems pretty mild. Is free speech and free communication really so fragile that it rests on the idea that casual communication you make no special effort to protect is totally out of the reach of large police or intelligence organizations?
My thoughts too, to me, ordinary email is like a conversation in the park. People can listen to that if they want, it's the public. Ordinary email goes over the public Internet. It seems to me to be a bit of elegant arm waving. To me the restrictions on encryption are of more concern. It's like saying we can't have a private conversation except within the bounds of what the government says is OK.
Chomsky noted in a speech recently (http://www.salon.com/2013/08/17/chomsky_the_u_s_behaves_noth...) that the very vast majority of us have absolutely no impact on the policy of our governments. Only the upper tiers have influence and the utter richest minority are likely to get what they want.
In both the US and where I am in Australia, the two major parties are barely different and doubly so in regards to this whole issue. A vote is not going to mean a great deal.
But a vote that can make some difference is voting with our wallets. Can very conscious purchasing decisions made by more and more people remove some of the influence held by the very richest on our planet? Is that too dreamy?
Where possible, I try to avoid purchasing from the biggest brand in any category, but there'd be a lot, lot more I could do about this. If we imagine the typical food pyramid, but fill it with brands and apply it to every product and category showing the richest and most influential at one end and the delightful smallfry at the other, could we help motivate people to make better decisions about where they spend their money? Or even where they earn it? Earn a fraction less to work for a smaller supplier perhaps.
Apps, surveys, social media, gamification - these are all things that might help people make more careful decisions. Ride a bike, grow food or buy from independent greengrocers at least, seek out furniture that's locally made, etc.
Give me a site/app that asks me about my life and rates my efforts or motivates me to make a better choice in everything I do. Help me identify brands that feel independent but are actually owned by corporate monsters.
The idea is great, but unfortunately it won't work for the majority of Americans. Paycheck-to-paycheck is a reality for way too many people. I know a lot of people who are opposed to Walmart, and wish that they could afford not to shop there, but they can't. The price is just too compelling. Feeding their kids is a lot more important to them than making a political statement.
Sure, but there are other small steps that can make incremental differences. Cheaper than driving a car (insurance, registration, fuel bought from a megacorp) is riding a bike now and then. Or getting coffee from the little place on the corner rather than the chain. Or even buying from the third biggest fast food company in the country rather than the first biggest.
perhaps causing some retail chains and corporations who own those to have less profit may have some benefit, but i doubt it will be very high.
i suspect that the problem is deep seated. For example, why can't just anyone enter the banking business? Why isn't there any mom & dad run banks - small, local banks with customers they can could with their hands (and toes)? Why is something as important as money (and teh ability to lend it out) controlled by so few?
This is such depressing news. And I've been trying to think of a way to solve this technically, but the Government has the five dollar wrench, and all we have is the crypto.
Code will not be enough, the system only respects one thing, money. If enough people move to services outside of the States, the real people in power will tell the government to reinstate at least some civil liberties and human rights. But even then, don't expect too much.
As mixmax said, this is "akin the Intelligentsia leaving Germany in the 20's." It will start with moving to hosting and services outside the country and will eventually be followed by people physically leaving the country. As James Joyce said, "silence, cunning... exile"!
It's not so bad. I've been an expat for 26 years and I've never looked back.
It is almost a cliche at this point, but it is worth remembering Martin Niemöller's words. He made the same mistake that many people are making today: thinking they don't have to worry because they are not the people whom the government is persecuting today. And the unfolding of events taught Martin Niemöller a very painful lesson. In an ideal world, the public would hear his words and learn the lesson without having to repeat all the mistakes of the past.
He wrote:
First they came for the communists,
and I didn't speak out because I wasn't a communist.
Then they came for the socialists,
and I didn't speak out because I wasn't a socialist.
Then they came for the trade unionists,
and I didn't speak out because I wasn't a trade unionist.
Then they came for me,
and there was no one left to speak for me.
What a joke. Please educate yourself about the history of successful social movements like labor rights, civil rights, environmental protection, etc.
The privacy movement has not even begun to begin what is necessary to change the law. For example: can you name the leading organization that works solely on privacy? There isn't one. The issue is only sort-of covered if you add up the partial work of a bunch of different orgs, like the EFF, ACLU, NRA, Emily's List, etc.
So: want to move the needle? Start an organization, raise many millions of dollars, collect thousands of contacts, and then run a big scary public and grassroots campaign. Give money to privacy-friendly politicians, and spend independent money to defeat opponents of privacy. Recruit privacy-friendly folks to run for local, state, or federal office. Take meetings with corporate, regulatory, and congressional staff to find folks who are sympathetic to the cause. Run privacy conferences. Pay people to write privacy blogs. Pick a nasty law and create a test case to get it into litigation. Etc, etc.
Now you might say "we shouldn't have to do that." And you're right. But: life isn't fair. Black people should not have had to risk lynchings in order to vote, but they did--and they did it. And they fought it.
>Please educate yourself about the history of successful social movements like labor rights, civil rights, environmental protection, etc.
Given that the current context involves opposing government power, I'm not sure labour rights and environmental protection are relevant examples; both resulted in massive expansion of the effective scope government power.
Civil rights would perhaps be a slightly better example simply because what was being fought against were largely government creations (e.g., legally compulsory discrimination). And even then the civil rights movement had a visible violent side[1].
Civil rights would perhaps be a slightly better example simply because what was being fought against were largely government creations (e.g., legally compulsory discrimination).
And the "solution" was to exchange these for other government creations, like the EEOC. Which on net resulted in a massive expansion of the effective scope of government power (not least because many of the previous government creations were at the state level, but what we have now is mostly federal).
I don't see the necessity to play exactly the same game our political establishment is playing (raising millions, spin-doctoring, bribery) in order to beat the system from within. It may be one way to do it, but it's costly and seems extremely inefficient. Hopefully there are other ways to achieve something.
Frankly, I am unsure about your intentions for writing the above post. You insinuate that organizations like the EFF are not suitable to fight the fight for privacy. You make this look like a gargantuan effort to even get started. Are you trying to discourage people or have you just given up?
My point is that it is, objectively, a gargantuan, costly, and difficult effort to make a significant change to U.S. federal law. Wishing it was easier does not make it so.
My disrepectful tone was not nice and I apologize for that.
I just get so frustrated when I see people who seem unwilling to face that reality. Your comment above read to me like a hopeful programmer saying "I've read a few books and done some coding exercises but none of that seemed to create the next Google." (And yes, I am saying it is that hard to make big changes in the law.)
good suggestions (I'd add HRW), but you could leave the disrespectful attitude aside. Instead of your first paragraph, maybe mention the publications of the Albert Enstein Institute (http://www.aeinstein.org/).
But it is also in everything together. My rule is that if I protest, I write my congressmen. If I voted based on issues I wrote about I write them and explain my votes. I have at times gotten interesting responses that show I have sometimes managed to get folks to stop and think which is all one can hope to do.
But beyond that we need to do what is needed now. We need to get guaranteed secure email services going in nations which have strong privacy protections. We need to create networks of end-to-end encrypted voice traffic which use open source architectures designed for privacy. The NSA has handed the good guys one heck of a market. All that is needed is the time and effort.
Governments are inherently prone to corruption and abuse of power. It is stupid to grant the single entity the right to proctect you, your life and your well-being.
What we need is multiple court systems, multiple police systems, etc. And what's more important -- the ability to freely choose between them. Just like you're able to choose Pepsi over Coke or to choose Google over Bing, or to choose one bank over another.
This isn't easy system to achieve, but mostly because a lot of people are skeptical.
What would the effects be from a flash boycott if X-million people suddenly stopped buying from a corporation? Someone could devise a model to calculate the effects and find potential candidates.
The SOPA blackout showed what's possible when the Internet organizes (http://en.wikipedia.org/wiki/Protests_against_SOPA_and_PIPA). Turn it into an Internet meme that empowers the people, and keep it going until the echo grows too loud to be ignored.
It would probably require the cooperation of a team of computer scientists, finance geeks, and social-marketing gurus to organize the campaign. Or maybe one clever hacker could pull it off.
I think that The Power of the Powerless, essay written about this topic in 1978 by Vaclav Havel, might be interesting even these days. I am not sure it can resonate with western people. Nevertheless, I am going to give it a try: http://www.vaclavhavel.cz/showtrans.php?cat=eseje&val=2_aj_e...
What about waiting for something drastically bad to happen? That'll wake people up, won't it? I think the issue here is that the US populace on average is much too complacent. People don't "care", they don't see how it affects them, etc.
There's a great podcast called Hardcore History[2] which has some significance here. There's a podcast titled something similar to "Justifiable Insanity" that talks about the end of WW2. People got into the mental trap of "Well, if we do something particularly heinous, they'll HAVE to surrender!". This lead to things like firestorms of Dresden and Hamburg, which had immense (esp. for the time period) death tolls.[0][1] So, be careful with the tactic of "Well, if something REALLY bad happens.."
Organize. It's the only course of action that has ever worked.
Voting/not voting/protesting/etc. are tactics that are only useful as part of a larger campaign, and as part of a large group committed to a particular goal.
As an IT professional I cannot honestly do this without going much further (like teaching them about using an Open Source OS instead of Windows, the dangers of modern hardware components like PCI NICs, BIOSes that may be remotely infected by malware/modified, keyloggers, TEMPEST, defeating Truecrypt, PGP, Bitlocker with memory dumps etc.), way out of scope for a normal person.
I don't think it's feasible for most IT-savvy people to access the Internet using commodity hardware (regardless of software) without exposing themselves to mass-surveillance or at least inherent weaknesses that may be exploited for that purpose at some point when secure client-side encryption becomes more widespread so that just snooping traffic at major backbones is no longer sufficient.
As a result, it would feel wrong to give people a false sense of security by teaching them about client-side encryption only.
There is this annual event "Freedom not Fear" which is about protesting against government surveillance - this year in Germany there is a huge coalition organizing demonstrations on September 7 http://blog.freiheitstattangst.de/
Hashtag: #fnf13
The pirate parties together with other organizations all over the world plan to join in. Spread the message and contact me if you plan to organize something.
This doesn't make sense to me. There's a simple technical solution: stop using email for tips and setup a secure web form on the site. Can someone explain why this wouldn't solve the problem?
I guess I don't get it. Didn't we "know" about things like Carnivore in the 90s? Isn't it rather expected that unencrypted communications are going to be gathered? You don't even need a nation-state to do so. Anyone with physical access can place taps, and parsing and saving port 25 traffic ain't exactly Manhattan Project level work.
I agree it's upsetting and citizens should be demanding oversight. But to assume your plaintext transmissions over uncontrolled wires are somehow private seems absurd. It's like the silliness people got whipped into over Google's WiFi collection which was essentially passing "-s 0" instead of "-s 64" to tcpdump.
Tell me. You're speaking with a friend in a public square or park in your town. You're not speaking in code with your friend. Judging by what you just said I expect you assume your every conversation is being monitored.
We have certain expectations of privacy and basic human decency. Just because it's possible to wiretap and hoover up all unencrypted communications I wouldn't have concluded that the spooks are doing so because I would have thought they wouldn't stoop to this behaviour. Sure there was a little bit of info here and there but there's nothing like hard evidence (Snowden-style) for changing ones mind.
You don't have to show us all how smart you are, we know already -- so you can keep these types of comments to yourself.
First, I don't see you really addressing my point, which is that this behaviour dates back a long time (Carnivore was public knowledge before Snowden even worked for the NSA), and it doesn't even take a very powerful entity to implement it. (Jeez, I regularly get customers sending me traces of their customers (metadata+voice contents) just for troubleshooting purposes.)
Advances in massively deployed array microphones aside, I don't find speaking in a park to be remotely similar to transmitting over a large public network. On the Internet, you are willing handing your data off to multiple third parties. You have little control over which third parties, or even which countries, your data flows through.
I'm not insulting anyone's intelligence. I'm simply questioning why anyone assumes they've got privacy other than "because it feels like it should". And, hey, that might be a good argument and something to get enshrined in law. (Although, I'd be surprised if the USG backs down at all, except perhaps to concede to some more oversight audits.)
Snowden's "hard evidence" is great because it gives bigger, solid ammunition to argue against mass surveillance. But it's not like anything has suddenly changed, nor should anyone's behaviour change (other than to use encryption when possible).
P.S. Your comment would be better without the sarcasm. I'm being honest and serious in my attempt at commenting here.
>Tell me. You're speaking with a friend in a public square or park in your town. You're not speaking in code with your friend. Judging by what you just said I expect you assume your every conversation is being monitored.
You should be aware of the possibility that someone may be eavesdropping in this situation, yes.
>We have certain expectations of privacy and basic human decency.
Our expectations of privacy are valid in private contexts, like a home or business. Public contexts, like a busy shopping center or the internet, do not contain inherent guarantees of privacy. Even though one can normally assume that no one dangerous is listening in, it's a risk you always take when you engage in any conversation or behavior in a visible ___location.
>Just because it's possible to wiretap and hoover up all unencrypted communications I wouldn't have concluded that the spooks are doing so because I would have thought they wouldn't stoop to this behaviour.
This is pretty naive. Whenever there is a large benefit:cost ratio in play, people should expect that someone at some point _will_ stoop to that level. The ability to record and filter huge portions of worldwide communication is obviously hugely beneficial to all nation-states, so they're obviously going to do it. There are even some who would argue that this is not fundamentally immoral, so it's an even less clear-cut case than things that are obviously fundamentally immoral, meaning it should've been even more expected.
These monitoring programs have been occurring for a long time, most likely since Snowden was a child.
>You don't have to show us all how smart you are, we know already -- so you can keep these types of comments to yourself.
I think just the opposite. We should be using this as an opportunity to educate everyone on the critical importance of encryption (analogous to placing your comms in a sealed envelope, instead of leaving them bare on a postcard), not express moral outrage that some people would "stoop so low". I guess if you're into that, you can do that too (I find it trite, personally), but it shouldn't be done at the expense of the resolution to this problem, which is widespread adoption of full client-side encryption.
> Our expectations of privacy are valid in private contexts, like a home or business. Public contexts, like a busy shopping center or the internet, do not contain inherent guarantees of privacy. Even though one can normally assume that no one dangerous is listening in, it's a risk you always take when you engage in any conversation or behavior in a visible ___location.
Or even if you talk in your house with your door wide open. Does anyone else remember Star Trek VI?
But either way we also don't expect every conversation we make outside to be monitored as a matter of course. To the extent that NSA is doing this we are right to be very upset.
The flipside is that even before email there were few options for communications between third-parties that could not be intercepted at all (without a full warrant) by the U.S. government within the U.S. Probably USPS was it (though later telephones received that same protection). And there were about zero methods if you were talking international communications (maybe diplomatic pouch was safe, probably nothing else was). So in that regard modern comms are still an improvement.
But I do agree with you that things people need to have private, need to be encrypted, as there are more threats out there than just the NSA.
Physical mail, at least in the US, enjoys privacy due to specific law. As I understand, a court order/warrant is needed to open a USPS letter.
With private carriers like FedEx (which aren't allowed to offer normal letter service in the US) there's no such restrictions. FedEx directly states "We may, at our sole discretion, open and inspect any shipment without notice."[1]
Sad but also very understandable. Thanks pj for all your hard work throughout the years and for being one of the most diligent watchdogs in the foss community.
The solution at least for the time being is not going to be over the pipes, it will have to be real world.
A 1 GB USB costs approximately 4$ , you can encrypt the information and use the regular mail with no return address. To avoid cameras in the post office you can use a 3rd party or a real world dropbox.
This sounds so sci-fi dystopian it's hard to believe it actually a plausible solution.
ps. Don't forget to use gloves, make sure "they" can't track your purchase, and also check if the drive is clean as a whistle.
For me, personally, this is much more sad than Lavabit shutting down. Groklaw was an icon, it has huge significance.
I do not know whether this - i.e. shutting down - is a good strategy in general. It raises some awareness, it might cause some change ... but what if change does not happens? What other means of protest will we have?
My take away from this is she is doing it for her own sanity more than an act of protest. She isn't doing this with the thought that her closing down the site will help spur conversation or change minds but that she can't continue to live a happy, digital life and that the site can't function as intended with the current surveillance. She views privacy and intimacy as a crucial part of both retaining your own humanity and also a part of having a frank and honest discussion.
But I have to say, this is getting to me too... more than I would think something like this would.
Not only that, but also that she is, to some extent, responsible for also safeguarding the privacy (or at least anonymity) of people who contact her, and she doesn't feel that's possible.
He's not shutting down to raise awareness, but because he feels unable to conduct the blog without feeling his communications with his readers are private.
She.
I remain surprised by how often this mistake is made, given her name is on every page and the whole thing a few years back where someone accused her of being a fiction made up by IBM.
Also, I wonder what the other contributors she had given post privileges to think of this (I thought she had stepped down/away from some of the cases groklaw was covering).
We've seen a rare example of serious investigative journalism and how /our/ countries respond to it by targeting family and loved ones of the journalists. That's the way we used to say only the KGB or the Gestapo behaved in the Bad Old Days. Guess what ? The Bad Old Days are right here and right now.
No wonder PJ is concerned that continuing Groklaw may expose her to serious risk from the authorities. Commenting on court cases and filling in the background through back-channel information from Deep Throat (or whatever pseudonym they use today) sure does not seem to be worth that risk to me.
It's sad that any comment on this stuff makes it sound like you go around wearing a tin-foil hat.
I may have missed it, but I don't recall any back channel information from Deep Throat type sources there. What I recall was a lot of documents readily available to lawyers but somewhat a pain in the ass for average people to track down and get copies of, especially for free.
Note that I am not saying there were none...just that I never noticed them. Anyone have an example or two?
States explicitly "Groklaw relied in some cases on email tips from readers and other anonymous sources".
Following the early days of the SCO reporting it was obvious there was unreleased information being shared. There was even lots of discussion about whether Groklaw was some secret group of IBM agents and stuff like that due to the knowledge and insight being displayed at the time.
PJs coverage of several cases contained information that often found its way into the court room much to the chagrin of the Plaintiff. PJ was subject to a very nasty, dishonest expose by a shill for SCO at one point. PJ also regularly put out calls for prior art that resulted in patents being invalidated. A strategic leak of information by the government could be very damaging to some of Groklaw's contributors... even though the contributors likely did nothing they could go to jail for.
Oh, and she did all of the above in simple terms. Groklaw is easily one of the best blogs ever. Sad day to see PJ go.
Jesus, it's only two, short sentences in, "The owner of Lavabit tells us that he's stopped using email and if we knew what he knew, we'd stop too. There is no way to do Groklaw without email. Therein lies the conundrum."
The point I am confused about is why a legal analysis blog is worried about government surveillance, so I am wondering if my perception of what Groklaw actually does is incorrect.
When folks like Lavabit and Groklaw preemptively shut down because they cannot take the security & privacy of their communications for granted, it makes me wonder the converse: how are other companies that deal in sensitive information (patents, lawsuits, competitive bids etc.) dealing with it?
Have they resigned themselves to it? Are they devising new corporate communication policies that assume always-on surveillance? Are they thinking things will improve after this storm has passed?
My personal information for my apartment is stored on an FTP server and their offices use WEP encryption on their WiFI. They have a scan of my passport, every facet of information about me; if their storage was compromised it would be fairly devastating to their tens of thousands of clients.
Unfortunately I have no clout regarding the storage of this information, and no choice as to who I store it with.
Snowden uses Lavabit email service.
Snowden leaks top secret material belonging to US and UK.
US demands Snowden's emails from Lavabit.
Lavabit shuts down.
pj reads news of Lavabit and concludes that email is not anonymous. (Email was never truly anonymous, unless you count anonymous remailers. Surely she knew this.)
pj concludes that she should shut down Groklaw. (Why not just warn everyone that she will comply with legal requirements, like Google and myriad other web-based businesses do, for example. Millions of people still use these services even with that warning.)
pj concludes that she should no longer use "the internet" (cf. email). (Huh? Email is but one use of the internet; it was designed ages ago and was never intended to be anonymous.)
Are people who leak top secret material and are wanted by US authorities sending emails to pj? If not, then please help me understand pj's logic.
If Snowden sent emails to pj, and pj, like Lavabit, does not wish to comply with authorities and hand over whatever they've got, then I guess shutting down Groklaw makes sense. I guess.
You cannot have a right to privacy as Brandeis envisioned it when you lack any reasonable expectation of privacy. Reading pj's post it sounds like she's abandoned _all_ expectations of privacy with respect to the internet (which includes email among so many other potential uses). This reeks of "all-or-nothing" thinking.
Lawmakers have no reason to exceed the expectations of their employers. If you the voter and taxpayer expect zero privacy, you should not be surprised if that's what is delivered.
It's not a completely logic-motivated decision, but that does not make it any less valid. Having your sense of privacy and safety breached is incredibly disturbing on an emotional level. I've been robbed, you end up feeling rightly violated at a very base level and left with a general disgust for everything and anyone involved.
Years ago, when I was a little involved with the FSFE, I did a bit of graphics design for some people there. One thing I made was that small graphic one you see in the header there.
Seeing it again now after years... Weird.
Then I went to http://planet.fsfe.org/ and found out they're still using my site design there.
Wow. I'm floored.
This is... I don't know. With the storm brewing right now, they need help. People help.
Now I'm reading this story, in which pj explains her story which was exactly my point from the comment linked above. What's the deal?
Anyhow, yes, when the sum of human communication is read by the US government (and other governments and private intel corporations) then it's incredibly destructive to the human condition and society.
We're fucked. Time to start fixing this for real. Open up your IDE's and/or text editors and get to work. Make sure to open source (GPL or Affero GPL) everything. Work on decentralized P2P encrypted networking. Good projects: cjdns ... see you on the flip side. Hack the Planet!
Since you genuinely don't seem to understand, here's the deal: that story was about someone's personal experience of sexual harassment, and you posted a flippant analogy comparing it to invasion of online privacy. NSA surveillance is a big deal, but nothing to do with sexual harassment.
Thanks, I appreciate your feedback and the other commenter's. It didn't occur to me it would be interpreted as flippant or off-topic. Anyhow, IMO it was a serious and equivalent analogy, as I think pj's story shows. Anyhow, I was just curious, I don't actually care about downvotes.
I think the problem is that it is no way equivalent, and sexual assault is psychologically far more damaging. I don't think you can compare the complex damage to body and self-worth triggered by that meaningfully to the limited intrusion most of us feel at having machines storing and cataloguing our every move. With respect, I don't think pg's story shows the two are similar at all - she's taken a decision to withdraw from being a conduit for leaks (probably because she doesn't want her life destroyed by a NSL), but has not had sexual contact forced on her. It's just a completely different thing.
The biggest dangers I see with the surveillance state are more in the future, when complex filters are run on our data in decades to come, and segregate us into cohorts of users which can then be targeted and related at will. When that capability catches up with the data storage capability and starts to churn through decades of data, we truly will be in a dystopia far beyond our imagining today.
We need some kind of a "want my privacy back" backlash or a movement. A slogan that we can unite against and spread the message across the populace.
It's the kind of slogan you use against not only the mass surveillance by the NSA, but also against vehicle miles traveled tax that puts a GPS in your car and against those insurance company OBD-II dongles (Progressive Snapshot) that record your driving and transmit it back. Against surveillance cameras on every city block. Against the idea that "if you have nothing to hide", then you will have no problem with surveillance.
At first I thought, pj is using the "NSA" scapegoat as a copout. Email is the reason??? Use GPG! But then I remember how difficult it is to get even my most technical friends to care about secure communications. GPG is a two-way street; for pj to communicate with groklaw constituents or partners or partners of partners, they'd ALL have to be using GPG. Otherwise, someone without it is going to leak what was assumed to be a secure thread. The weakest link conundrum.
They aim to create an self-hosted e-mail client with (among other things) a new take on encryption usability. I think this is one step in the right directoin of making e-mail encryption easier to use. If you think so too, back them :)
All tech geeks set up mail servers with encryption and volunteer to migrate their non-tech friends and family to new email homes. We also show how to configure encryption in their mail clients and start getting them to use native email clients rather than webmail.
This will have two effects. It will send a message to Google/Microsoft/Yahoo!/insert big mail provider here/... that they have been lax in protecting the privacy and interests of their users. Of course, given the free-as-in-beer model of webmail it was long apparent to some that the user was actually the product and the advertiser was the actual customer. If a user is seen as a mere data-point then there is little incentive to assure these mere data-points privacy. maybe this will be the kick in the pants the big providers need. Maybe that model is irredeemably broken and always has been but we just didn't know it yet.
Email should be like snail mail. Everybody acts as their own mail server and mail client in snail mail land. Your inbox is the physical letterbox and you would never let some corporation provide that value in return for some dubious positive (convenience? a nice interface to your mail store? the ability to search your mail store? ...)
The second effect is that it sends a message to the spooks and claws back a vital channel of our privacy. We can work on safe and easy anonymous browsing and safe and anonymous and federated social networking and whatever else further down the road -- mail needs to come first.
Think about it. There are enough tech geeks. Every geek should need to know how to do this anyhow. This will scale. We need to build a movement around this. When something in the political arena forces the immeasurably invaluable Groklaw offline something tangible needs to be done. We have had a series of ever more alarming wake-up calls (though I hate how clichéd that sounds) since the first Snowden revelations. We need to start acting on these calls. Sure our response needs a political dimension (a global moratorium on digital mass surveillance) as well but I think that this technical part-solution has got legs.
> All tech geeks set up mail servers with encryption and volunteer to migrate their non-tech friends and family to new email homes.
I certainly wouldn't be comfortable with my peers having the opportunity to control my email and the myriad of accounts associated with it. I can't imagine they would be happy with me doing the same with their data.
> We also show how to configure encryption in their mail clients
Encryption is fairly useless without authentication, and we can safely assume that the NSA has control of Certificate Authorities.
> Think about it. There are enough tech geeks. Every geek should need to know how to do this anyhow. This will scale.
I've been battling with the concept of hosting my email for quite some time, and it always boils down to being a horrific thing to set up. There's a pile of easy ways you can screw up and make something insecure or spam-ridden. I spent a good day trying to put together a solution I was happy with, but couldn't.
> Encryption is fairly useless without authentication, and we can safely assume that the NSA has control of Certificate Authorities.
You don't need CA's for e-mail encryption. You need keyrings and networks of trust (I exchange keys with my closest associates via offline means; I sign a certificate stating that I vouch for the authenticity of their certificates; my associates can then choose whether or not to trust the signatures I've signed, and whether to trust the signatures they've signed again).
Yes, there's room for infiltration, but it is vastly better than relying on central CA's for this type of usage, because it allows people you trust to contradict infiltrators.
You need a CA for TLS-secured comms between MTAs. Many MTAs are set up to do opportunistic encryption out of the box, but they won't be validating the certs they get, so there's no guarantees about who's got the private key.
Of course there's no need to rely on a central CA - it's not hard to run your own, and you can make it reasonably secure - say, a small ARM Linux board with passphrase-protected private keys on a removable SD card. Generating the keys in a secure way is perhaps a bigger problem - untrusted hardware RNGs, poor quality entropy after boot etc.
One can also keep a virtual machine CA on a hardware-encrypted USB device (IronKey, say, depending on your level of trust with Imation) - it's easy enough to bootstrap a tiny Linux distribuution from source with just OpenSSL and some utility scripts to issue & revoke certs.
You don't necessarily need a $5000 HSM solution to issue your own SSL certificates at this level.
> You don't necessarily need a $5000 HSM solution to issue your own SSL certificates at this level.
Well sure, I can issue them myself in a few minutes, the issue is that arbitrary mail servers won't be able to authenticate me. Which means we're means we're back to MITM attacks—better than plain text if the observer can't manipulate the data stream—but I wouldn't bet on it. Work with the assumption that the NSA is Mallory, not Eve.
The WOT at least provides some authenticity, but only for people you already know. If I want to email you and aren't part of your WOT, then it's as good as plaintext.
If you have to stay on the Internet, my research indicates that the short term safety from surveillance, to the degree that is even possible, is to use a service like Kolab for email, which is located in Switzerland, and hence is under different laws than the US, laws which attempt to afford more privacy to citizens. I have now gotten for myself an email there, p.jones at mykolab.com in case anyone wishes to contact me over something really important and feels squeamish about writing to an email address on a server in the US.
How feasible is Freenet for email? We can use PGP today, but the metadata is available to all. But what journalists who need to communicate more anonymously that that used pseudonymous PGP keys - one per story, rather one per person, and posted encrypted messages on Freenet?
When you think about totalitarian internet monitoring, like the one the US seem to have, there's almost no point aiming for anonymity. Almost all sensible means are broken when you have deep levels of traffic interception in many countries.
The Tor Anonymity Router mentions the types of monitoring they attempt to subvert, and mention that full internet monitoring is not one of their design goals. This is simply because with any low-latency system, correlation between the entry and exit can be obtained. Similar attacks exist for networks such as Bitcoin for similar reasons.
> But what journalists who need to communicate more anonymously that that used pseudonymous PGP keys - one per story
In this case you run into troubles with authenticity. Without persistent keys being authenticated in some way (see "web of trust"), there's no way in telling if the person is communicating with a government proxy or the real target journalist.
That's the issue with the "encrypt everything" mantra, authenticity is stupid difficult to verify.
I think Tor would be a better idea of what to try to emulate, but the full envelope (including envelope from) would have to be encrypted such that it would be decrypted at the end-point.
I think something sufficiently secure is possible for email. I think it would require a whole new set of protocols and approaches, and for some things (like voice) it is not.
Should be feasible with GNUnet [1] which has pretty generic foundations for implementing anonymous and secure peer-to-peer services. Think of an encrypted overlay network that uses addresses that cannot be linked to IP addresses and relaying transfer mechanisms that are hardened against traffic analysis attacks.
There seems to be research under way to get a messaging protocol built into GNUnet. Google turns up this pdf [2] for example.
Email can be implemented in a global p2p file database. Every "email" simply adds another file. Privacy can be ensured with encryption (as long as the encryption is not broken, at least). See existing Freenet message boards for an example.
It may not be Internet RFC821/822 (and subsequent standards) Email, but it is email.
Publish a site using a USK (perhaps one per recipient), containing all encrypted messages sent recently. Update the site with an additional message when you need to send one. The recipient checks it for updates periodically.
I'm not sure if my understanding is inaccurate, but since Frost already achieves something like this, I don't see that it's automatically impossible such as what you seem to be inferring.
I'm dubious about the safety of using non-Freenet clients, but surely this demonstrates that it's possible to build a messaging system built over Freenet?
Americans! Every time someone wants to introduce gun control, you bang on and on about your right to keep and bear arms being necessary to the security of a free State.
Well, your free state is in jeopardy. Now is the time to assemble your well-regulated militia to secure it!
In this case, yes. PJ being a woman is very well known and it irks me when people automatically assume that anybody that runs a thing as successful as groklaw has to be a guy without checking. If you don't know use a gender neutral word or check, it's simple.
It's not purity in language, it is paying basic respect to a person who is named several times in full in this thread.
I think you're brilliant, but I don't know if you are right here. PJ is a private person, kept her name out of the blog for a long while, and I've never seen her make an issue of her sex. This error is made frequently in the Groklaw comments, and I haven't seen her correcting them. While disputable, it's not clear to me that it's more respectful to correct an irrelevant factual error than to follow the authors lead.
The "basic respect" part is tricky. While getting this correct may imply more respect, it also reinforces the idea that the difference is relevant. For example, if she was identified as "Miss Jones" and you happened to know that she was married, does it merit a correction to point out that she is actually "Mrs. Jones" to show proper respect to her status as a married woman?
Hofstadter skewers this in one of this examples: "Ble conveniently sidesteps the fact that there is a tradition in our society of calling unemployed blacks 'Niss' and employed blacks 'Nrs.' Most blacks --- in fact, the vast majority ---prefer it that way. They want the world to know what their employment status is, and for good reason. Unemployed blacks want prospective employers to know they are available, without having to ask embarrassing questions. Likewise, employed blacks are proud of having found a job, and wish to let the world know they are employed."
I don't have an answer, but thought you might enjoy thinking about the issue in the context of Hofstadter's article.
"They" generally works, it's just not commonly used and so sounds a little odd. Try using "they" instead of instead of "he" and "her" for a few minutes to see. It works.
I'm not sure what point you're trying to (obliquely) make, but the fact that you're bringing up that essay in response to someone correcting an incorrect pronoun makes me suspect you've grossly misunderstood it.
Hofstatder's paper doesn't just add linguistic specifiers for race, it also removes their significance for sexual differentiation. Hofstatder demonstrates the insidious effect of forcing the use of sex specific terms in cases where sex is not relevant.
In Hoftstadter's scenario, assume that that PJ had been misidentified as the "author" of the piece. Would it be a good impulse to correct the mistake and point out that she is actually an "authoroon"? I take Hofstadter to be arguing that rather than being more precise with our he's and she's, we need to move beyond them.
Why do they "require" email in order to function? Can't they handle communication via a web based application which is part of the site? A few forms here and there, some https...
My personal decision is to get off of the Internet to the degree it's possible. I'm just an ordinary person. But I really know, after all my research and some serious thinking things through, that I can't stay online personally without losing my humanness, now that I know that ensuring privacy online is impossible. I find myself unable to write....
The scripture quoted in the article is Jeremiah 10:23. History verifies the truthfulness of that scripture. Government by man has not brought a better world, even when rulers have had high ideals and the best of intentions. Instead, "man has dominated man to his injury." -(Ecclesiastes 8:9)
You cannot just quit internet, you just can-not.
Aren't there any secure email providers like lavabit in Europe or Asia .
Whenever I think about NSA now , in a corner of my mind , I see Dan Brown Saying, " I told you so". With a copy of Digital fortress (his book about NSA) in his hand.
at the risk of encouraging brainless anger responses.
yes lets all bend over and take it up the ass...
because someone says what they learned makes them not want to use e-mail? this is precisely the opposite of how to stand up to oppression.
no matter what it is the response should not be "well i'm going to stop being free and let them oppress me" you may as well just lay down and die in my mind...
you are born free whether you like it or not and nobody can take that away but yourself.
We succumb to terror pushing away meaningless bits of code on Github as a crypto projects in response. Some projects flourish sure but the same forces that profit off the court-less killings of others are collating your data, your pet projects. Harvesting your stolen info out of botnets.
Giving you a salary for technician work keeping infrastructure ticking.
Enough enabling the beastly mess that is privatized 'national' security. The payments to infrastructure providing companies for data access. The kidnapping/torture/drone fire of others when technological routes don't work.
If you have a career with Dell, AT&T, Booz Allen Hamilton, SAIC, and many others, start making demands or make resumes. Stop being complicit.
I disagree. Let's use all our skills and avenues, not just some of them.
> We succumb to terror pushing away meaningless bits of code on Github as a crypto projects in response.
That is a subjective opinion. Email itself is meaningless bits of code. You want us to stop using email altogether? What about the web? Why are you even posting on this forum so?
> Some projects flourish sure but the same forces that profit off the court-less killings of others are collating your data, your pet projects. Harvesting your stolen info out of botnets.
That is alarmist hyperbole.
> Giving you a salary for technician work keeping infrastructure ticking.
Enough enabling the beastly mess that is privatized 'national' security. The payments to infrastructure providing companies for data access. The kidnapping/torture/drone fire of others when technological routes don't work.
If you have a career with Dell, AT&T, Booz Allen Hamilton, SAIC, and many others, start making demands or make resumes. Stop being complicit.
Dell? A computer hardware device assembler? What on earth are you on about. You appear to think that the entire info-tech infrastructure, companies and "wage-slaves" alike are complicit in all this. Computers are a kind of tool, you can use them for beneficial, neutral or nefarious means. Let's keep the spotlight where it is needed -- on the secrest out-of-control governmental surveillance organs of various nation states.
In short. Think a bit before you post and spare us the melodrama.
> Dell? A computer hardware device assembler? What on earth are you on about. You appear to think that the entire info-tech infrastructure, companies and "wage-slaves" alike are complicit in all this.
"Former intelligence contractor Edward Snowden began downloading documents describing the U.S. government's electronic spying programs while he was working for Dell Inc in April 2012, almost a year earlier than previously reported, according to U.S. officials and other sources familiar with the matter.
David Frink, a spokesman for Round Rock, Texas-based Dell, declined to comment on any aspect of Snowden's employment with the company, saying Dell's "customer" - presumably the NSA - had asked Dell not to talk publicly about him.[1]"
That's a completely new one on me. I seem to stand corrected on the Dell issue (could someone expand on this?) -- but I still think you are casting your net a bit wide. I apologize for the heaping pile of denigration as you call it but maybe tone it down a bit and take the time to show (and link) in more detail why you are saying what you are saying, ok?
"Some projects flourish sure but the same forces that profit off the court-less killings of others are collating your data, your pet projects. Harvesting your stolen info out of botnets."
> That is alarmist hyperbole.
Those were two direct references, the first being SAIC with their military drone[1] and domestic '___domain awareness center[2]' operations. The second being Endgame Systems and their monetization of botnet data/malware[3].
> Let's keep the spotlight where it is needed -- on the secrest out-of-control governmental surveillance organs of various nation states.
Hello, random new account advising us not to come up with electronic solutions to electronic government surveillance!
>Some projects flourish sure but the same forces that profit off the court-less killings of others are collating your data, your pet projects. Harvesting your stolen info out of botnets.
What in the fuck does this even mean? How is it relevant? The only problem with "fresh" crypto projects is that if you fuck it up, and you have bad crypto, it's as good as no crypto.
Most of us here don't work for those companies, nor do most people being spied on, so this advice sucks.
Legislation and regulation are the long-term methods of stopping this, but the short-term method of dealing with a technological problem is better technology.
> What in the fuck does this even mean? How is it relevant?
It means projects with sound footing are likely to be undermined aggressively by all means. Through courts, around courts, under courts. Undermined using infrastructure and resources provided by many potential contributor's day jobs.
A bit like trying to build a castle on the weekend while getting paid to help knock it down during the weekdays. Wondering why it didn't amount to much some time later.
That's nice to say. Get angry, be outraged. But what do we do, day-to-day, while things are still a mess? How do you organize a revolution under the noses of the people you're revolting against?
The code still has a purpose, even if it's not the "right" solution, long-term.
Stop bothering with the articles here, and "get out of the building":
* Call or write a real letter to your representatives in congress (assuming you're American).
Hopefully that is something everyone has already done.
* Coordinate - isn't there some place where people are organizing/coordinating this stuff?
* Write a letter to the editor in your local newspaper.
* If you're in the bay area, how about helping to organize a primary challenger for Nancy Pelosi? She did not vote to defund the NSA. People in SF have the money, the means, and the incentive to get someone in office who cares more about this stuff.
* Donate money to politicians/groups opposing this stuff. The EFF, for instance.
Revolution is not what you think. It consists of the small actions of millions of people. The small actions are usually more revolutionary than the large.
The NSA has just created a huge market for guaranteed secure communications infrastructures. The technology is there. It may need some extensions but it is there.
Some ideas (again no time for a startup now and this is too important):
1. An email-like service based on TOR with content encrypted via public key encryption end to end.
2. The second is an encrypted voice network. This can't encrypt metadata a swell in a way that central offices can't see it, but the contents could be encrypted easily enough.
The code is a means to an end. We can't code our way out of the problem. We can build businesses that get us out and code is supportive of that.
Encoding your own mail means that you are playing by rules of the game NSA has set up. The only way is to make your own game and make them play by YOUR rules. If you encode your communications there is a barrier that they will break down directly by making you disclose the keys while threatening with Tax audits, jail time etc. Or by breaking down encryption commications. They are the largest employer of IT/Security/Cryptographers on the face of the earth.
So the only way to do this is to make them not play their game.
Frankly whole cancerous security apparatus has been fueled by privatized sector just like the one with privatized jail system.
Sad to say this but there only way I can see this being resolved is political/etc. Start websites cover the stories. Find methods of figuring out whether they are listening to you or not. For example set up fake drug deals so you can draw them on fact of monitoring your communications. Sue them every instance you find them breaking down your doors. Yeah I know it is not pleasant.
Just like OP said there is no easy way out of this.
Also make working for contractors of NSA and being employee of NSA being a very unpatriotic and scummy thing to do - akin to digging around underwear drawer of your next door granny neighbor.
> Encoding your own mail means that you are playing by rules of the game NSA has set up.
well, actually, I was talking about encoding other people's email, for a fee. The goal is to change the game and change the rules. The NSA has created this market. Let's use this to reshape the game.
> If you encode your communications there is a barrier that they will break down directly by making you disclose the keys while threatening with Tax audits, jail time etc.
This is true, so the game is not just to get your own keys taken care of but everyone else's and locate the business in a country that will be better interested and able to stand up to NSA interests here.
> Or by breaking down encryption commications. They are the largest employer of IT/Security/Cryptographers on the face of the earth.
Again true, which is why the game has to change.
> So the only way to do this is to make them not play their game.
So the new game is to make sure as much traffic as possible is encrypted. All of the above take time. They could bug the end points, they could break down the encryption with massively parallel supercomputers. They could threaten individual users of the service.
So the game is to make sure that everyone encrypts everything every time (or at least that enough do to make individualized efforts prohibitive on a dragnet scale).
We know they don't like that game. They've been trying to get control over all encryption since the days of Clinton but they haven't yet.
> Frankly whole cancerous security apparatus has been fueled by privatized sector just like the one with privatized jail system.
Very true. BTW, read "The Servile State" by Hilaire Belloc if you want a really depressing read....
> Sad to say this but there only way I can see this being resolved is political/etc. Start websites cover the stories. Find methods of figuring out whether they are listening to you or not. For example set up fake drug deals so you can draw them on fact of monitoring your communications. Sue them every instance you find them breaking down your doors. Yeah I know it is not pleasant.
If someone wants to, great. I am not in the US at the moment so my options are more limited.
> Also make working for contractors of NSA and being employee of NSA being a very unpatriotic and scummy thing to do - akin to digging around underwear drawer of your next door granny neighbor.
How do we do that? How many of us know such contractors?
It really comes down to lobbying lots and lots of politicians who can stop the NSA by significantly slashing its funding or by enforcing existing laws. The Occupy movement showed that revolutions don't work in a state where government and police will conspire against its citizens by infiltrating and undermining its civil rights movements.
The problem with Occupy was that there was no demanded reforms, only complaints and protests against things. Protests aren't ever enough though.
It is telling how little credibility Occupy had with Washington when Obama, giving his jobs speech during the protests, called for the deregulation of Wall St.
While Occupy DID make some demands; they were just made by the individual groups.
It would be more correct, though, to say that "demands" weren't really the point of Occupy. They changed the national dialogue, and made a LOT of traditional euphamisms and arguments obsolete and useless by putting the core issue of class warfare back up in front where it belongs.
"Cutting out decades of distraction an propaganda" may not have been an explicit "goal", but it was certainly a victory for the movement.
"I don't have to tell you things are bad. Everybody knows things are bad."
I've taught more people about the Web Of Trust and how to use GPG in the last ~1.5 months than in the last ~1.5 decades.
"...and we sit watching our TV's while some local newscaster tells us that today we had fifteen homicides and sixty-three violent crimes, as if that's the way it's supposed to be."
Something about this current drama has made the whole concept of encryption and the realities of surveillance suddenly resonate with a LOT more people. It's not a majority yet, of course, but a change in perception this dramatic is a amazing.
"We sit in the house, and slowly the world we are living in is getting smaller, and all we say is, 'Please, at least leave us alone in our living rooms.'"
I have people emailing me encrypted email now, who just last year ignored the idea with the usual dismissal of it being "unnecessary" or "too complicated"[1].
"Well, I'm not going to leave you alone. I don't want you to protest. I don't want you riot. I don't want to write to your congressman because I wouldn't know what to tell your to write."
So now that people are finally noticing the reality they live in, and are finally getting mad, I see this as what educators call a "teachable moment" to try and suggest a few broader concepts tan the gpg lessons they are asking for.
"I'm as MAD AS HELL, and I'm NOT going to take this anymore!"
A few things I've been trying to teach recently, now that there are actually people listening:
* General education on the concept of data mining, and the power of a handful of JOIN clauses. The idea of grabbing all your phone calls is something most people already understand. Connecting a few random bits of entropy together to get a surprisingly reliable primary key is still not widely understood.
* Web Of Trust - Starting small and local is good, just like in elections. It would be amazing if somehow the Key Signing Party could be worked into some traditional social ritual.
* Stop supporting the feudal model of email, by tying your identity to an @company.com ___domain. Land is king IRL, and staking your claim on the internet is important for similar reasons. It would be nice if everybody could change their MX records and hosting service as easily as they change POTS long distance providers.
* Stop using webmail - many of the benefits of encryption are lost if you don't keep the keys in your physical possession, as demonstrated by lavabit and elsewhere.
This doesn't directly fix the problem[2], but it is stuff that can be done (and is being done) now, and these are certainly things that would help immediate problems faced when organizing a revolution. The NSA doesn't have the manpower or money to strong-arm their snooping routers into every last-mile endpoint. This kind of long-term cutting of the data the NSA can see is one of the better weapons we have against them.
"Then we'll figure out what to do about the depression and the inflation and the oil crisis. But first get up out of your chairs, open the window, stick your head out, and yell..."[3]
[1] You would think a Biology professor would understand an argument about how this isn't necessary about them, but about maintaining the "herd immunity" of the email ecosystem...
[2]: It might in the long run, once a lot more software support is written, and it finally becomes possible for regular people to extend their web of trust as far as, e.g. groklaw.
[3]: Incidentally, the lecture at the end of Network comes to mind every time the government panics about Snowden: "...and YOU have meddled with the primal forces of nature, and YOU...WIIL...ATONE!"
Code won't do enough. You are right. What will help will be businesses in privacy-friendly countries which offer secure communications infrastructures. This can be guaranteed by careful development and placement of business assets and, yes, carefully designed code.
Many of the people at these businesses you mention are wage slaves and they can't so easily just get up and leave.
Code gives us tools. Such is a start, but only a start. We need solid, internationally federated businesses, which can be built to take on this challenge. Yes open sourcing the tools is important too, but only as a means to an end.
We need to build up an infrastructure for actually using these tools and that means businesses offering services.
I do not have time to do another business (I am ramping up two businesses right now). I do have time to consult, advocate, and advise on this very important topic.
"Former intelligence contractor Edward Snowden began downloading documents describing the U.S. government's electronic spying programs while he was working for Dell Inc in April 2012, almost a year earlier than previously reported, according to U.S. officials and other sources familiar with the matter.
...
David Frink, a spokesman for Round Rock, Texas-based Dell, declined to comment on any aspect of Snowden's employment with the company, saying Dell's "customer" - presumably the NSA - had asked Dell not to talk publicly about him.[1]"
> If you have a career with Dell, AT&T, Booz Allen Hamilton, SAIC, and many others, start making demands or make resumes. Stop being complicit.
Unfortunately, the majority of wage-slaves are so indentured to their overlords that simply leaving is not an option, as the alternative is penury and starvation - particularly when you work for a giant like BAH, who'll ensure nobody will ever employ you again.
If you want to make a stand, don't hand in your notice, don't make a resume, don't make demands, just don't show up, and let 'em flail. Worst they'll do is fire you, and in today's world you do not need to pledge fealty to an employer in order to survive, and the fewer people that do, the more rapidly things will change.
If all the IT folks simply walked away from their machines, they would stop working, but we do not, and instead we strive to make their machines work perfectly without our intervention.
Jump ship before they decide to push you overboard, anyway - because they will. If you think your employer respects you, and will give you a job for life... you are wilfully deceiving yourself.
Nobody on HN should say that she cannot stand up and walk away. We're have one the most sought-after and best paid jobs in the world. If we cannot give up some comfort, nobody is going to.
Absolutely. I quit my well paid job for a bank in 2006, as the stink of corruption was too much for me - and quit by just walking out one day, and not coming back. 'lo and behold, banking scandal and collapse, not long later. Fuckers I'd been working for had been hiding $bns of bad debt by shunting it into a director's name every quarter. SEC nabbed 'em. I spent several years broke, getting my own outfit off the ground. Means I'll never work in that industry again. Good riddance.
I 'Asked HN' earlier but received no reply from anyone. I would love to hear from anyone, mostly those listed on Bluecabinet on ProjectPM. The latter site started Barrett Brown, currently under prosecution by the US government[1]:
Ask HN: Do you work for any of the included companies? (Dell/HBGary/AT&T/etc)[2]
So about botnet data, here is one NSA related company that deals with data the coders are jailed over, Endgame Systems[1].
"botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million."
Folks like the industrious pj have much to worry about when 'outside channels' are made into a a for-profit process. Combine 'parallel investigations' with 'outside channels' with a healthy dash of money for the ringleaders and some for the heads of the companies they pay (Google) and you plenty of reason not to talk law or much else over Email.
It is becoming a desperate situation for noncombatants.
Without sounding trollish, I believe there is a need for a completely new 'transfer of information' protocol that is as immune as possible to NSA (or other agency) snooping. She's right, the internet is broken. So rather than posting endless articles about how it sucks, and suffering heart-breaking tragedies like Groklaw shutting down, why don't we build something new, something truly beautiful, by which I mean something truly private?
To summarize my point, quoting PJ, "privacy is vital to being human, which is why one of the worst punishments there is is total surveillance..."
Well that's puerile. Talk about taking things to extremes--just like a child would do. "We can't go to grandma's right now? WE'RE NEVER GOING TO GRANDMA'S EVER!"
"What I do know is it's not possible to be fully human if you are being surveilled 24/7."
Yeah? Well if you're using this as your benchmark, then you should never go out in public, because I guarantee you're on videotape someplace. Security cameras are everywhere. And let's not play games: your ISP has been monitoring your browsing & download history for decades. Nevermind phone calls, any tolls you paid while driving, any bill you paid via credit card, any flight you've taken, any country you've traveled.
Now this is broken and suddenly you care? Stop fucking playing the victim card for attention, I'm sick of it. And I'm not just talking about the Groklaw people, this goes for whoever jumps on the "OMG I'm shutting down now" bandwagon for a portion of the 15 minutes of fame going around.
You want to make a difference? Start getting involved in politics. Internet-rage does nothing but get you a few website hits before people go back to caring about the A-Rod scandal, or the Obamas' new dog.
Nearly 200 years ago, de Tocqueville asked why the American experiment in self-government succeeded while its French counterpart led to the guillotine, mob excesses, and ultimate tyranny and he gave a complex answer whose core was that private moral restraints in the populace served to check the unbounded passions in people that lead to oppression. In other words, the private life that each of us leads will hugely influence the way we are governed.
Governments are always ready to grab the greatest degree of power that the people will give them. That is the default because it is hard-wired into the human condition. And this is the major factor not grasped by those today who assume that society is evolving to a point that, if only right-thinking people with good motives are given enough power over our lives, they will somehow magically transform society for the good through government action. In reality, if any persons - right-thinking or not - are given largely unchecked authority over our lives, abuses will inevitably follow. As they gather huge amounts of power, their purpose in life becomes to guard that power jealously and to increase it as opportunities permit. No bureau has ever abolished itself. Farm programs from the depression era thrive today as ever, though the logic for their existence has long since vanished. Politicians of all stripes promote expanded budgets for their own areas of preferred government expansion and spend money they don't even have in vast quantities with little or no accountability to the people they supposedly serve.
This is why it is vital in a free society that its people be educated and morally grounded to value their rights as individuals and to resist and distrust unchecked authority in the state. Do we have that today? Perhaps, but only in a very weakened form. Many people today do not even give pause over the idea that the government claims huge amounts of unchecked power, whether it is to fight terrorists or to expand social programs. There is very little residue in our society of the old-fashioned principled belief that it is wrong to have vast centralized power with very few checks upon it. In her sign off piece, PJ notes: "Not that anyone seems to follow any laws that get in their way these days. Or if they find they need a law to make conduct lawful, they just write a new law or reinterpret an old one and keep on going. That's not the rule of law as I understood the term." This is lamentable but it is a mere symptom, and not the cause, of our ills. Politicians make the law as they go, with no accountability, only because they are allowed to do so by those whom they govern. And, if someone already has vast power over you, it is but a small step to extend that power in a technological age by using technology to spy upon, intimidate, and control people. Why, when these leaders are allowed to lord it over us as they see fit, should they suddenly develop scruples in gathering information that only serves to enhance their power to do what we are already letting them do without so much as a peep of principled opposition?
Privacy is in significant peril, and it is a serious loss when Groklaw goes down over this issue. But assaults on privacy are but a symptom of a deeper malady as modern society increasingly believes that it can hand over massive forms of unchecked government to its politicians in the naive belief that such power can be used wisely if only we have right-thinking leaders at the helm. The answer, as de Tocqueville noted years ago, is not to place faith in leaders but rather to take personal responsibility in our lives and to curtail the powers of those who govern. I guess we shall just have to wait and see if this is possible today.
In the meantime, we can praise those who fight the good fight, and PJ has been a supreme example of this. Tireless, talented, and astute, she has been a wonderful force for good over the past decade. May she find a powerful new outlet for those talents as she moves forward, even in a difficult environment.