CALEA 2 and Tor

by arma | May 9, 2013

Journalists and activists have been asking me this week about the news that the Obama administration is now considering whether to support the latest version of the FBI's "Going Dark" legislation. Here are some points to add to the discussion.

  • This is far from law currently. Nobody's even published any proposed text. Right now the White House is considering whether to back it, and now is a great time to help them understand how dangerous it would be for America.
  • Forcing backdoors in communication tools is a mandate for insecurity. Haven't they been paying attention to just how much these same systems are under attack from foreign governments and criminals? Did they not learn any lessons from the wiretapping scandals in Greece and Italy, where CALEA backdoors were used to surveil politicians, without law enforcement even knowing about it? You cannot add a backdoor to a communications system without making it more vulnerable to attack, both from insiders and from the outside.
  • The Justice Department is being really short-sighted here by imagining that the world is black and white. We've heard from people at the FBI, DEA, NSA, etc who use Tor for their job. If we changed the design so we could snoop on people, those users should go use a system that isn't broken by design — such as one in another country. And if those users should, why wouldn't criminals switch too?
  • In any case, it seems likely that the law won't apply to The Tor Project, since we don't run the Tor network and also it's not a service. (We write free open source software, and then people run it to form a network.)
  • The current CALEA already has an ugly trickle-down effect on the citizens of other countries. Different governments have different standards for lawful access, but the technology doesn't distinguish. So when the Egyptian general plugs in his telco box and sees the connector labelled "lawful access", he thinks to himself "I *am* the law" and proceeds with surveilling his citizens to stay in power. To put it bluntly, America's lawful intercept program undermines its foreign policy goals.

And lastly, we should all keep in mind that they can't force us to do anything. You always have the alternative of stopping whatever it is you're doing. So for example if they try to "force" an individual directory authority operator to do something, the operator should just stop operating the authority (and then consider working with EFF and ACLU to establish precedent that such an attempt was illegal). And so on, all the way up the chain. Good thing the Internet is an international community.

Comments

Please note that the comment area below has been archived.

May 09, 2013

Permalink

Can you give some context as to what is going on here?
I use Tor everyday to post online anonymously...what is Obama up to now?

May 10, 2013

Permalink

You are missing the point. The law is irrelevant. For will be made illegal, or just fined to death and dragged through court for a decade until there is no more for. This is not a technical problem to solve. This is about control and abuse of power.

The law is clearly relevant, or there would be no attempts to outlaw it.

Right now, Tor has not been "fined to death" (it cannot be fined unless it is illegal) or "dragged through court for a decade" (because doing that to a legal organization is bad publicity; ask Apple about Samsung).

If things were as bad as you said, Tor wouldn't exist right now.

May 12, 2013

Permalink

If Ron Paul had won the presidential election then maybe we wouldn't be having this problem.. But, since Americans have lost all understanding of the meaning and value of liberty, they have therefore voted themselves into slavery....

May 12, 2013

Permalink

If you are too dumb to live in a liberal democracy then you will live in a totalitarian police state.

May 14, 2013

Permalink

"...they can't force us to do anything. You always have the alternative of stopping whatever it is you're doing. So for example if they try to "force" an individual directory authority operator to do something, the operator should just stop operating the authority..."

I think they can force people to do things, including continuing to operate while compromised and keeping it a secret.

May 15, 2013

In reply to arma

Permalink

I'm actually the kind of person who would strongly consider going to prison for disobeying the government. In the United States, librarians were forced to hand over checkout histories to the federal government, and keep quiet about it. A few of them leaked it, and were imprisoned for saying something.

May 16, 2013

In reply to arma

Permalink

I think he's right. Isn't that what happened at Hushmail? And that was Canada.

No, Hushmail chose to put a backdoor into their system and continue operating in Canada. Then I guess they moved most of their budget into PR to convince people that Hushmail was great and safe. Standard tactics from for-profit companies -- I'm glad we don't have shareholders.

May 26, 2013

In reply to arma

Permalink

"Standard tactics from for-profit companies -- I'm glad we don't have shareholders."

But plenty of your funding sources are for-profit companies, are they not?

I wouldn't be so sure of that.

What about the argument by using a service like Hushmail, one is effectively *announcing*, "I've got something to hide..."?

It could possibly be said that there's a certain "safety in numbers" in the likes of Gmail; getting lost in the crowd.

This is a process of accumulating and valuing associations, not determining a single value for a data point that applies to everyone. The model is not "if the number of emails from everyone containing the word 'Snowden' is big enough, it moves from suspicious activity to harmless for everyone"; the value of a data point fluctuates based on the other data points connected to it.

Consider a database query cross referencing every Gmail identity with at least one message containing 'Wikileaks' with Google searches for Tor. Then do it against sets like signers of online petitions and contributors to EFF. Now repeat with data of offline activity like protest attendance, membership in the ACLU, travel to London and Madrid (which both had train bombings) and purchases of books by Cory Doctorow. Once a threshold is passed, the value of an email that includes "Snowden" from the same account increases because the entire history is scrutinized for information that supports further investigation. None of the individual data points is illegal or even suspicious on its own, but together they are used to build a character sketch that triggers further intrusion.

Cherry-picking data carries a substantial danger of confirmation bias. Like someone in a messy breakup can easily fall into the trap of recalling the entire relationship and recasting every innocent mistake and misspoken word to support a case that the partner was betraying him the whole time, the context assigns motivations after the fact. These are based on the subjective interpretation of the analyst once the breakup has taken place rather than the motivation of the subject when she performed the acts in question. Positive mitigating factors like shared experiences and values are ignored and forgotten because they do not contribute to the predetermined judgment.

Herd immunity relies on storage and searching being relatively time consuming and expensive processes. Since these are now incredibly fast and cheap (and the budget virtually unlimited), the limiting factor moves down the line to how the information is used. Without meaningful oversight and respect for democratic values, the momentum is toward greater scope and secrecy with less responsibility for the watchers and fewer rights and protections for the people.

Tl;dr: There is no safety because you can't get lost.

June 09, 2013

In reply to arma

Permalink

Arma, could you please clarify what you mean by "backdoor" in Hushmail?

I know that Hushmail complies with legal warrants, and I am perfectly ok with that. Have I missed something else? Please give references to articles.

I want also to thank you for all your work with Tor and helping to protect us netizens.

May 16, 2013

In reply to arma

Permalink

Well, there's this from the article:

"Instead, the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work."

So judges are even now forcing companies to engage in affirmative actions, to assign staff to work on wiretapping attempts.

May 18, 2013

Permalink

Sounds pretty weak, almost like you would comply if the law told you to put a backdoor in tor. Pretty sad, FOSS is supposed to be immune from this stuff.

This law or a law like it will eventually be passed. Every law they want to pass they pass.

You should disobey the law. If they come for you, do worse to them than what they would do to you.

The "we don't think it is a good idea" I'm hearing from the FOSS community sounds like something out of soviet russia. Very weak.

Should be "fsk you, we will not capitulate, ever, even if that means a shooting war and our deaths"

Disobey what law? There isn't even any proposed law yet.

I tried for a while to work in a reference to https://sedvblmbog.tudasnich.de/docs/faq#Backdoor

But in the end I decided that this wasn't the right point for aggressively picking a fight. IMO the feds would be mighty foolish to pick a fight with Tor, first because we are the extreme example of why their upcoming law doesn't take reality into account, and (related) because we have so many friends around the world who would get upset alongside us, and help make sure the attempt backfires.

If they really want to make this our fight, we'll oblige them. But we've got a lot of other fights to fight, so I am not too eager to get too distracted from the rest of them.

(Historically, we're a "write code to make the world better" company, not a "stand around in a courtroom explaining how we want the world to be" company. I think we do better at the former. Also there are plenty of organizations who can do the latter.)

May 18, 2013

Permalink

"If we changed the design so we could snoop on people,"

Why are you even contemplating obeying them?
The law is not your religion, it is the dictates of some overbearing enemy.
Why would you obey them?

May 28, 2013

Permalink

With the latest scandals in the USA Government vs. The People, we can easily understand their motives with CALEA 2 and so on. Absolutely no more authorities for the Government criminals! Not that they matter anyway really...

May 30, 2013

Permalink

I hope you guys will at least have the decency to tell us Tor users, once you are forced by the government to put a backdoor in to Tor.

June 10, 2013

Permalink

First they came for the Tor users, and I didn't speak-out because I wasn't a Tor user, and I figured, "If you've got nothing to hide...."....