Am I off in thinking that this is a good time to push more web properties to use forwardly secret SSL key exchange (like Google does with ECDHE_RSA)?

best, Joe

On Fri Jun 21 08:32:46 2013, Eugen Leitl wrote:
>
> http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/
>
> Leaked NSA Doc Says It Can Collect And Keep Your Encrypted Data As Long As It
> Takes To Crack It
>
> If you use privacy tools, according to the apparent logic of the National
> Security Agency, it doesn’t much matter if you’re a foreigner or an American:
> Your communications are subject to an extra dose of surveillance.
>
> Since 29-year-old systems administrator Edward Snowden began leaking secret
> documentation of the NSA’s broad surveillance programs, the agency has
> reassured Americans that it doesn’t indiscriminately collect their data
> without a warrant, and that what it does collect is deleted after five years.
> But according to a document signed by U.S. Attorney General Eric Holder and
> published Thursday by the Guardian, it seems the NSA is allowed to make
> ambiguous exceptions for a laundry list of data it gathers from Internet and
> phone companies. One of those exceptions applies specifically to encrypted
> information, allowing it to gather the data regardless of its U.S. or foreign
> origin and to hold it for as long as it takes to crack the data’s privacy
> protections.
>
> The agency can collect and indefinitely keep any information gathered for
> “cryptanalytic, traffic analysis, or signal exploitation purposes,” according
> to the leaked “minimization procedures” meant to restrict NSA surveillance of
> Americans. “Such communications can be retained for a period sufficient to
> allow thorough exploitation and to permit access to data that are, or are
> reasonably believed likely to become, relevant to a future foreign
> intelligence requirement,” the procedures read.
>
> And one measure of that data’s relevance to foreign intelligence? The simple
> fact that the data is encrypted and that the NSA wants to crack it may be
> enough to let the agency keep it indefinitely. “In the context of
> cryptanalytic effort, maintenance of technical data bases requires retention
> of all communications that are enciphered or reasonably believed to contain
> secret meaning,” the criteria for the exception reads. “Sufficient duration
> [for retaining the data] may consist of any period of time during which
> encrypted material is subject to, or of use in, cryptanalysis.”
>
> That encryption exception is just one of many outlined in the document, which
> also allows NSA to give the FBI and other law enforcement any data from an
> American if it contains “significant foreign intelligence” information or
> information about a crime that has been or is about to be committed.
> Americans’ data can also be held if it’s “involved in the unauthorized
> disclosure of national security information” or necessary to “assess a
> communications security vulnerability.” Other “inadvertently acquired” data
> on Americans can be retained up to five years before being deleted.
>
> “Basically we’re in a situation where, if the NSA’s filters for
> distinguishing between domestic and foreign information stink, it gives them
> carte blanche to review those communications for evidence of crimes that are
> unrelated to espionage and terrorism,” says Kevin Bankston, a director of the
> Free Expression Project at the Center For Democracy and Technology. “If they
> don’t know where you are, they assume you’re not a US person. The default is
> that your communications are unprotected.”
>
> All of those exceptions seem to counter recent statements made by NSA and FBI
> officials who have argued that any collection of Americans’ data they perform
> is strictly limited by the Foreign Intelligence Surveillance Act (FISA)
> Court, a special judiciary body assigned to oversee the National Security
> Agency. “We get great oversight by all branches of government,” NSA director
> Alexander said in an on-stage interview at the Aspen Institute last year.
> “You know I must have been bad when I was a kid. We get supervised by the
> Defense Department, the Justice Department, the White House, by Congress… and
> by the [FISA] Court. So all branches of government can see that what we’re
> doing is correct.”
>
> But the latest leaked document bolsters a claim made by Edward Snowden, the
> 29-year-old Booz Allen contractor who has leaked a series of top secret NSA
> documents to the media after taking refuge in Hong Kong. In a live Q&A with
> the public Monday he argued that NSA analysts often make independent
> decisions about surveillance of Americans not subject to judicial review.
> “The reality is that…Americans’ communications are collected and viewed on a
> daily basis on the certification of an analyst rather than a warrant,”
> Snowden wrote. “They excuse this as ‘incidental’ collection, but at the end
> of the day, someone at NSA still has the content of your communications.”
>
> However, the leaked document doesn’t exactly paint Snowden’s picture of a
> random NSA analyst determining who is surveilled. The guidelines do state
> that exceptions have to be “specifically” approved by the “Director (or
> Acting Director) of NSA…in writing.”
>
> Just how much actual surveillance the NSA’s exception for Americans’
> encrypted data allows also remains unclear. The Center for Democracy and
> Technology’s Kevin Bankston points out that a previously leaked slide from an
> NSA presentation makes reference to programs called FAIRVIEW and BLARNEY,
> which are described as “collection of communications on fiber cables and
> infrastructure as data flows past.”
>
> If the NSA is in fact tapping the Internet’s network infrastructure,
> Thursday’s leaked guidelines suggest it might be allowed to collect and
> retain all data protected with the common Web encryption Secure Sockets
> Layer (SSL), used for run-of-the-mill private communications like the Web
> email offered by Google and Microsoft, social networking services like
> Twitter and Facebook, and online banking sites. “If they’re tapping at the
> [network] switches and they take full allowance of this ability to retain
> data, that could mean they’re storing an enormous amount of SSL traffic,
> including things like Gmail traffic,” Bankston says.
>
> In other words, privacy advocates may be facing a nasty Catch-22: Fail to
> encrypt your communications, and they’re vulnerable to any eavesdropper’s
> surveillance. But encrypt them, and they become legally subject to
> eavesdropping by the most powerful surveillance agency in the world.
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at [email protected] or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
[email protected]
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
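
Added example, not part of the original message: a Python sketch of how an operator could check whether TLS suites use forward-secret key exchange such as the ECDHE_RSA mentioned above, by classifying suite names and auditing a local `ssl` context. The function names and the sample suite list are constructed for illustration.

```python
import socket
import ssl

# Key-exchange labels that mean ephemeral (EC)DH; "EDH" is OpenSSL's old name for DHE.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}

# Constructed sample of suite names, in both IANA and OpenSSL spelling.
SAMPLE_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_128_GCM_SHA256"]


def is_forward_secret(suite):
    """True if the suite name implies an authenticated ephemeral key exchange."""
    name = suite.strip().upper().replace("-", "_")
    if name.startswith(("TLS_", "SSL_")):
        rest = name[4:]
        if "_WITH_" not in rest:
            # TLS 1.3 suites name no key exchange; a full TLS 1.3 handshake
            # always uses ephemeral (EC)DHE.
            return name.startswith("TLS_")
        kx = rest.split("_WITH_", 1)[0]
    else:
        kx = name  # OpenSSL spelling: key exchange is the first label
    # RSA key transport, static DH/ECDH and plain PSK fail this test; so do
    # anonymous ADH/AECDH suites, which lack server authentication.
    return kx.split("_", 1)[0] in EPHEMERAL_KX


def non_forward_secret(ctx):
    """Names of suites enabled in an ssl.SSLContext that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


def negotiated_suite(host, port=443, timeout=5.0):
    """Handshake with a server you operate; return (suite name, forward secret?)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name = tls.cipher()[0]
    return name, is_forward_secret(name)


if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(f"{s}: {'forward secret' if is_forward_secret(s) else 'NOT forward secret'}")
    print("enabled locally without forward secrecy:",
          non_forward_secret(ssl.create_default_context()))
```

`negotiated_suite` reports only what this client and the server agreed on; a server can still accept RSA key transport from clients that do not offer ECDHE, so the server's own suite list is what needs auditing.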
