Thursday, August 29, 2013

Restore Public Oversight of Secret Warrants

This is an attempt at forcing the US back into reasonable public oversight without having to build ironic technology solutions outside the US to enable basic Constitutional rights for its citizens. Since I'm not a lawyer, there's probably a lot wrong with it - I'd love to hear ideas for improving it. I wouldn't be terribly interested in diatribes about why it wouldn't work. The internet has hit its quota for those.

This is a follow-up to Privacy - What's Possible With the NSA Watching.

I'll try to stick to the technology side of things and openly punt on the legal ins and outs.

A brave coder could create a data service that just moves things securely in and out, that other convenient, secure services could be built on top of. Secure email, text messaging, phone calls (voice service), whatever you like. With Congress and members of the NSA etc apparently unwilling to admit that what they're doing is violating basic US rights, it may be possible to force public oversight on this process with technology despite laws and programs to the contrary.

Basic Security

First, the service itself could be secured with HTTPS PFS, described in the previous article. That takes care of connections. On the servers themselves you've got a regularly rotating key for encrypting user data you share with no one, including the government.

But there's still the sticky problem of whatever poor jerk runs this site being served a secret warrant, and no legitimate legal challenge being available because the actual person whose rights are being violated isn't allowed to know. To untangle this gross catch 22 the government's assembled, what you really need to enable here is 3 basic principles: separation, anonymity, and civil disobedience.

Separation

If the author of the code doesn't actually control the service, they just maintain the code the service uses to operate, they can provide some insulation between themselves and the service. The service could be designed to generate its own keys, keep them completely private, and expose them to no one - even the author of the service. If we assume the author of the service can't avoid being identified, the trick is to ensure they can never be compelled to expose user data. Suppose the NSA says to the author, someone on your network is a person of interest, tell no one, go get their data for us. If the author doesn't have any access to the keys that data is being stored with - if the software itself is the only entity with actual access to the keys - there's not much the author can be asked to do here. Except - they could be compelled to write code that modifies the software so it exposes those keys, or exposes what a specific person has said.

Civil Disobedience and Anonymity

So, if the service was setup so the only way it could be modified is via a public channel, like a public code repository, you would force any malicious code like the above to be exposed to the public. You could further force any modification to the code through a public review process - ideally by anonymous coders so they can't be compelled to approve malicious code - you would place a pretty strong lock and key on the code. To do this you have the software update itself periodically, by pulling the latest approved code from the public repository. You could design the software in a way that it destroys all the keys (making the data leftover garbage) if it's modified in any other way. This creates a remaining risk of the repository itself being attacked, so whoever hosts the repository would also be at risk of being compelled. Worst case you could host the repo with the rest of the service, and have the software respond to an attack by destroying the keys.

The coders that do these code reviews would have to accept a serious legal risk by participating - whatever is ensuring their anonymity could always be pulled back, so they could potentially be compelled to approve malicious code - it could get pretty ugly. That's civil disobedience. There may be other ways to protect the coders besides anonymity - for example if only a small, random subset of the coders was allowed to perform a given code review/approval, all coders gain plausible deniability as to who actually said no to a malicious code submission, and no one coder is the ideal target for threats to get them to approve malicious code.

An Olive Branch

As I said earlier, the goal is not to build the one place actual terrorists can have a nice secure chat about blowing up a building. You do still want it to be possible for warrants to be served on real, actual criminals - you just don't want it to be outside the realm of public oversight with nothing but a "Just Trust Us" PR campaign as guarantee it's not being abused.

So, the goal is to make it possible to serve warrants into this system - basically to the software - and a group of people - a jury of your peers in a sense - get to decide whether that warrant is valid and reasonable.
  1. Make the only way to get access to private data in this system via an electronic warrant filing system. From a technical perspective, you could just have the system email some government email address a key periodically that they can use to validate themselves as government actors, and they can make up their own minds about how they want to gate use of the system. They've shown themselves to be plenty resourceful in screwing us so far, I'm sure they can do smart things with this as well.
  2. Every user of the system is a member of the jury of peers. When a secret warrant is issued, a small pool of members is selected, and sent the warrant. Since it's a secret warrant, their receipt of it is illegal - another piece of civil disobedience. But if you manage to keep step 1 air tight, you may be able to force the government into step 2. A lawyer would know better than I what would be necessary in the electronic warrant system for it to feel comfortable for NSA etc to use, and legally cover members as well as possible.
  3. The random pool of users decides whether the warrant should be honored. If they decide it should, the selected communications are turned over, simple as that. If they decide it should, but there's no reasonable justification for this warrant being secret, they can turn it over, but have the software publish the warrant publicly. If the warrant is completely unreasonable, they can turn nothing over and have the software publish it to remind the government of its duties. You can ensure the pool is always an odd number and a simple majority wins on both the "turn records over" and "make public" votes.
That's it - a way to put a jury of your peers and public scrutiny back into the US legal process. It's possible there are parts of this that just aren't viable inside the US - in fact, the author of the software could probably have some really terrible things happen to them regardless of where they lived, so they'd probably need to be as anonymous as possible. Go America.

Privacy - What's Possible With the NSA Watching

A number of people have reached out to me to tap my technical expertise, asking essentially — is it possible to have a private conversation anymore? Well, it is — in a few ways. The first answer will surprise you least.

If you travel to where there is no cellphone network, and no recording devices, and you’re not visible by any satellites, you should be able to have a conversation no one can hear. That’s not as impossible as it sounds given how much of the planet isn’t covered by a cell network, but for at least my lazy tech-loving life, it’s probably never going to happen. I also have to acknowledge that the warrantless wiretapping program itself is something out of the paranoid conspiracy theories of a crazy person, and yet by all accounts it’s very real — I just don’t want to propose a response any crazier than the evidence demands. So now let’s work back through all the ways the government can capture a conversation.

Who’s Actually Listening

Although most articles refer to the NSA, there’s evidence that it’s actually a wide range of organizations either listening in or getting access through others. The FBI, NSA and DEA have all been shown to have their own monitoring programs. Some of them have been shown to have more than one. And the IRS and local police departments have been shown to have access to one or more of these monitoring programs. So while I’ll also be using “the NSA” as a convenience, brave reporters, journalists and whistleblowers have taken great risk to show us it’s a lot more than one program at one department of the government.

Tinfoil Hat Stuff

First let’s get past the tinfoil hat stuff that sounds insane.

Satellites

Technically speaking, a satellite recording you with no cloud cover should be able to get a clear enough video of you speaking, that a lip reader (or lip reading software) could capture what you’re saying.

There’s also technology out there that reads the small vibrations in a large flat surface, like a pane of glass in a window, and translates that back into a crappy version of the original audio. To make it sound even more ridiculous, this technology is actually called a Laser Microphone. Yeah that’s right — go ahead and click that amazing word combination. And then go build one.

Both of these mean that if you’re in view of a satellite — basically if you’re outdoors or near a window, you could not assume your conversation is private. That said, satellites are big expensive things that must be launched up into space, and replaced by launching another one, because they fail over time — not cheap. There aren’t many, so they can’t be recording everyone at once. Even if they could, they wouldn’t have the bandwidth to send all that video or audio back to Earth where anyone could make use of it. Basically, if someone at NSA, CIA, FBI etc is watching you with a satellite, either they’re violating your privacy for fun (and with no public oversight, it’s not unfair to assume) or you did something really, really suspect worth an incredible expense. So let’s assuage the satellite fears with, “I’m not a top ten criminal, I just want my right to privacy, and I’ll avoid being outside naked.”

High Altitude Drones

Perhaps the only thing that sounds more insane than satellite monitoring is drone monitoring. Drones unfortunately are a lot cheaper than satellites, can get a much better view of you, and have a lot more opportunity for even just plain getting an actual audio recording of what you're saying - or even recording the wifi signal your cellphone is putting out. The only solace here is it appears the government doesn't have many of these. In 2011 US Customs and Border Patrol received their 9th drone - meaning they have fewer operating over the first 100 miles from the Mexican border than we have satellites orbiting earth. But, there's still obvious opportunity for abuse here, and again, no public oversight. But, they're still few enough that we'll assuage this the same way we did the satellites.

Cellphones Recording While Off

Still acting like paranoid maniacs, it has been documented numerous times that various agencies have found ways to switch someone’s cellphone mic on in secret, to record audio and send it back to the FBI or NSA, while that person wasn’t making a call and thought they were in the clear. However, what has been documented suggests a couple of important things: First, you have to specifically be targeted. It may be that some of these phones have a bug in them that lets any wise hacker in to do this, but descriptions of what’s been uncovered suggest it was more about a really vicious virus getting installed on a phone, often through direct physical access.

So we’ll set this one aside the same way we did with the satellites — seems like the top cops have to really want you imprisoned or dead to have this happen to you. There is one exception though, and that is a dragnet approach to infecting phones in this way.

For example, if the NSA etc worked out a deal with Samsung, HTC, etc to have this backdoor built in to every phone they made (as may have happened in the RIM/Blackberry case), it would be possible for everyday citizens to get surveilled with little way to detect it and no way to prevent it (short of leaving the modern technological world). But, even if this were so, the way cellphone networks are designed is unlikely to enable that much bandwidth usage. Basically to transmit that much information back to where it could be recorded and analyzed, every cellphone would need to be continuously transmitting data over the network — when the design of cell networks is based on the assumption that most phones spend their time idling, and in this mode they have almost zero interaction with the very limited resources at their local cell tower.

The remaining possibility is a dragnet hack into many phones, or all phones or desktops by a given manufacturer or with a given OS, and they only phone home periodically to avoid saturating networks. The only way to really catch this would be to monitor traffic - on wifi you could watch your router's traffic, and on the cell network unfortunately you'd have to do something more elaborate, like reading how much signal it's putting out when, and whether all of those times it emits a signal are expected. This is a real weakness - as usual, if your device is compromised, so are you.

Your Location

Sadly the nature of cellphones is that they have to constantly check in with the cell network by their nature. They need to tell the cell network, "Hey, in case anybody calls - I'm here." Unless you pull the battery, you are constantly broadcasting your location. That location information is available to the NSA etc. The alternatives here are pretty slim: Leave the phone on and be tracked as you wander the globe, pull the battery when not in use and only be tracked sometimes, or set it to Airport Mode and hope that there isn't some passive way to still be tracked anyway (debatable), and simultaneously wonder why it is you bought a smartphone that never connects to anything.

Corporations That Caved

So now let's finally get away from the paranoia stuff and on to one people like to harp on: big evil corporations. Companies like Google talk a big game about privacy, but it's now been shown they and a whole bunch of other companies did not fight the good fight when it came to secret warrants allowing dragnet data gathering on their networks, of your data. Cue There Goes My Hero by Foo Fighters. So even if you could trust the way you transmitted your data, while it's stored at Google etc unencrypted, the NSA gets to casually peruse it - or really, record every last character so they can casually peruse it later, even if you delete it. So you can't trust any company known to have caved to this dragnet, and you can't trust anything you've ever said, even the deleted stuff, over any of those companies' servers. If we're going to be really honest with ourselves, it's probably not safe to assume any company has fought back against these secret warrants issued by secret courts, unless you've seen them make a very public stink about it. So, any normal, unencrypted data on these services is out.

Secret Warrants

This may be the biggest barrier in the way of privacy. Since the various government agencies doing this do so with zero public oversight, never declassify what they've done, and use courts that are themselves secret, it's not possible to exercise your right to privacy - because the warrant your service provider is served specifically instructs them not to tell you about it. Since the person whose rights are being violated never knows, they can never challenge it in court and never enact the mechanism that calls this program what it is: Unconstitutional. Apparently the Constitution failed to include the "If a right falls in the forest and no one's there to hear it" clause.

Strictly speaking, it may not be legally possible to solve this for any service in reach of the United States - that is, either in the US itself, or in a country that either actively collaborates with the US dragnet, or caves to US pressure. Fortunately the US has plenty of enemies, but often they have warrantless wiretapping programs or worse of their own - so it's a tricky legal conundrum, and my area of expertise is technical, not legal. I'll make some technical proposals here below, but I welcome legal considerations by those who know more about that side of it.

What's Possible

With what's in the way discussed, finally what I promised: What's actually possible. First let's get non-goals out of the way.

Non-Goals

Our goal isn't to completely shut the government out. We already acknowledged the tinfoil hat stuff as being legitimately possible, so if you're dangerous enough, they may use those extreme tools, and we won't even try to interfere there. Our goal also isn't to be able to have a private conversation that's absolutely impossible to ever get into - because if we can use it, so can some big bad guy, and the Constitution provides for reasonable things like publicly inspectable warrants where justified with good reason; technology that shuts out even this legal option is likely an unwise tool to give to the world.

Don't Have Any Viruses

This probably goes without saying but if you have a virus on your machine of any sort you're probably hosed. Even if the NSA didn't put it there, any virus that made it on is probably transmitting something private off the machine - maybe everything. If your machine is infected all bets are off. Not trivial advice to follow through on but that's how it is.

Pre-Shared Key

If we go back to the initial proposal where you have a conversation outside of any listening devices, there's one more option you have here: Instead of having the one private conversation, you could share a secret (encryption keys), keep it private (for example by passing it on a thumb drive - never emailing it), and have as many encrypted conversations as you like over the open internet with your friend without anyone, including the NSA, able to read what you're saying. As long as the key size was large enough, you could even be so brazen as to post your encrypted messages anywhere - public forums, Amazon product reviews, wherever - and the only person able to read them would be your friend(s). However, this doesn't facilitate much communication. You're unlikely to meet privately offline with everyone you'll ever want to communicate with, share private keys, bank that neither of you will ever get a virus, and communicate solely via these keys.

From an actual technological perspective it works like this: You could use what's called a Symmetric Key, where a single gigantic primary number is all you need to read anything written in this secret format. This approach would be easy to use with TrueCrypt, free encryption software for any computer out there. It would be a bit annoying, but each time you wanted to say something, you'd encrypt for example a text file into a .tc file, attach it to an email to as many friends as you wanted to send it to (that you've shared this key with), and they'd all open the .tc attachment to find your one text file and read it. Not super convenient for text, but about the same time as you'd spend attaching other files. For just text you can automate this kind of pre-shared key encryption with PGP or GPG (the distinction isn't super important, they do the same thing). You can tie this into Gmail, but it only works on desktops - though you could probably pair it with APG on Android and get it working on mobile as well. For IM on desktops that leverages this approach you can use Pidgin with OTR.

The vulnerability here is that for every friend you share the key with, that's one more person you have to worry will someday get a virus on their phone or computer and get that key stolen. When they do, now everyone's vulnerable, including everything they ever said with it.1 It's also pretty inconvenient as-is, although again you could write software to improve that a little.

On the flip side, this also has the no-legal-avenues problem: Two terrorists could actually use this approach to communicate securely, and thwart even a warrant (public or secret) to read what they said - because no one has the key to read it but them. If they can avoid legal avenues that would force them to divulge the key and technical avenues that would steal the key, they can communicate with total privacy - not what you want to hand to bad guys. That said, it's likely those bad guys could get that key stolen in one of the tinfoil hat scenarios, or stuff I've never heard of. Or the Bush/Obama/next administration could just kill them. That happens a lot.

Mesh Communication

The best way to keep something from being read on the internet is to not talk about it on the internet. There are now free pieces of software, like Serval for Android, to have a conversation entirely outside of the internet, but still use those cool smartphones we like using. Of course any cloud-based anything, like google maps, fast GPS positioning, documents you don't lose when the phone is destroyed - that stuff - that's all gone without an internet connection. If the way you're talking on Serval was active enough that a large group of people were using it, there's probably also the risk that one of their devices is hacked, or some jerk is listening to everything and broadcasting it all, or whatever. But the point is, you can text, email, have phone calls, etc with anyone you can get a wifi signal to if you both have Android phones, or more broadly you could do this with anyone with the right software in place. The range on this has to fundamentally be pretty limited, since you're probably not encrypting what you're saying, so as soon as anybody listens in, you're hosed. You could add in the Pre-Shared Key stuff above via software, with all its ups and downs.

HTTPS

One of the best pieces of news is there is no published viable attack on HTTPS, the technology that secures web connections when you've got that little lock icon in your browser's Address Bar. The technology is a bit amazing given it begins with a public conversation, and someone attempting to listen in could record every single interaction back and forth - and still be unable to understand (decrypt) anything you ultimately say over the secure connection HTTPS sets up. That said, there is one attack-like strategy a bad guy could use, and the NSA has even been documented as using it: Record all those interactions, store them for years while working on breaking the original HTTPS certificate the server you were talking to, then use that to decrypt all of the recorded HTTPS traffic you left behind.

The solution to this is slightly more obscure, but still easily accessible: Perfect Forward Secrecy. Basically the service you're trusting needs to enable it, and you need to use a browser that supports it (like Chrome). HTTPS is a relatively long handshake process, and PFS adds several more back and forths to secure the connection even from this relatively exotic attack. So, any service you wanted to use privately would need to use HTTPS with PFS.

Securing the Service

So if HTTPS gets you data in and out of a service no problem, and your machine is virus free, the only remaining concern is the service itself - its servers, basically.

As mentioned in the Secret Warrants area above, one answer is to just put the service outside the reach of the United States. Lavabit, a company that attempted to provide secure email inside the US, shut down and left behind a message:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests. 
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Kolab uses this approach by putting their servers in Switzerland, which apparently has very few warrants served on its data (not clear if any are secret...).

So that's a fairly sad, if you're at all patriotic, solution.

Force All Warrants Into The Open

So the final, scraping the barrel possibility I want to propose requires more legal knowledge than I possess. I've broken it out into its own post:

Footnotes

1. PGP/GPG differ slightly from other methods described here, by being asymmetric rather than symmetric. In symmetric encryption, everyone shares a single key, which is used to both read and write whatever's being said, by all parties. In asymmetric encryption, each person has their own read ("public") and write ("private") key. As you connect with more people, you gather their individual public keys. Technically, this does change what kind of risk you're taking by using a given service, but in the end the risk is about the same: If anyone in the group gets hacked, all of the keys they have on their machine are taken as well, opening up everything you ever told them. If people quote each other in emails, what they said is largely opened up as well. The difference ends up being pretty irrelevant to an end user looking for privacy.