Feds Trying To Get Master Encryption Keys From Tech Companies

from the of-course-they-are dept

This is hardly surprising, but Declan McCullagh is reporting that the feds have been trying to get various tech companies to hand over their master encryption keys so that the NSA and FBI can decrypt any of the messages they scoop up. So far the tech companies have been resisting:

"The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

The person said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but voiced concern that smaller companies without well-staffed legal departments might be less willing to put up a fight. "I believe the government is beating up on the little guys," the person said. "The government's view is that anything we can think of, we can compel you to do."

It's unclear from the article if any companies have given in and provided the keys, but it sounds like at least most of the big ones are fighting it. Microsoft and Google both directly denied that they would hand over such a master key. Lots of other companies didn't respond to Declan's questions. Of course, it's no surprise that the government would ask. They've been asking for access and backdoors to just about everything.

If they can't convince the companies that this is legal and required, you can fully expect that a law will be proposed shortly which will more or less require companies to hand over such keys.

"The requests are coming because the Internet is very rapidly changing to an encrypted model," a former Justice Department official said. "SSL has really impacted the capability of U.S. law enforcement. They're now going to the ultimate application layer provider."

Once again, perhaps it's time to think about moving away from a situation in which all our "cloud" data is stored in a few centralized spots. You can still get the benefits of a cloud, even if you control the data yourself -- if only companies would open up and allow users to point their services at data stored elsewhere.


Reader Comments

  1.  
    Anonymous Coward, Jul 25th, 2013 @ 3:47am

    Our government is out of control and the majority seem unwilling to fix it.

    Things need to change.

     

  2.  
    The Real Michael, Jul 25th, 2013 @ 3:54am

    Re:

    They're not simply out of control, they've gone stark raving mad. "Give us your encryption keys because we said so." How about no.

    Wonder what will happen with all those Kickstarter projects and whatnot that are attempting to encrypt data/communication. If they don't cave to the government's (UNCONSTITUTIONAL) demands, the latter will likely falsely accuse them of aiding the enemy, because they're lunatics.

     

  3.  
    Anonymous Coward, Jul 25th, 2013 @ 4:06am

    So, surely the answer then is for all the companies concerned to have a united front and help each other, isn't it? Look at what the entertainment industries achieve, just because they can draw on resources from near and far. It's no good the 'big boys' being able to resist if the 'little guys' can't. All that will lead to is courts using the defeat of the little guys as precedent to get the 'big guys' to confirm. Don't take a surgeon to know the way to go on this, does it?

     

  4.  
    FM HIlton, Jul 25th, 2013 @ 4:07am

    Not that we'd care

    Like just open up all the channels and have done with it. Of course the Internet is a tameable beast, so they have to have all the keys to it.

    If they get them, I'm off forever. If you can't be secure at all with any of it, why bother?

    The SSL keys are the only thing stopping the NSA from having real-time spying on-line, and it's only a matter of time before these companies give in because they're gutless cowards, just like everyone who doesn't care.

    It might not be surprising to some people but it is highly disturbing to me, and I'm pretty much convinced that the end is near for that 'wild west' synergy that used to be so true on the Internet.

    It'll be owned and controlled by the corporate masters and watched every second by the NSA. Nothing will be private, nothing will be secure.

    We're half-way there now. I can see the writing all over the wall-ten feet high.

     

  5.  
    Zakida Paul, Jul 25th, 2013 @ 4:14am

    It is time to get over the cloud storage fetish.

    There is no substitute for offline, offsite, secure backups of all your data; and that is for both businesses and individuals.

     

  6.  
    NSA_Is_The_Threat, Jul 25th, 2013 @ 4:41am

    Why is the net pursuing encryption?

    The trend towards encryption on the net is driven by the fact that it makes us safer. We can trust what we read, who we are talking to, that our private matters, like credit cards and youthful indiscretions, remain so.

    The monetary rewards for stealing our private actions are large. Most elected now have used data mining and demographic analysis to get elected - they think they need to keep lying and stealing to stay in office.

    The nation needs ambiguity and privacy. It needs transparency, so we can see what our tax dollar buys us. The consent of the justly governed is an informed consent.

     

  7.  
    RyanNerd, Jul 25th, 2013 @ 4:42am

    This is simply insane

    The direct analogy of this is that you must give the keys to your house to any officer or federal agent that demands them from you.
    Sad state this country is in. This all started with Bush and Obummer is just taking it to the next level. Makes me sick.

     

  8.  
    lfroen, Jul 25th, 2013 @ 4:43am

    Re: Not that we'd care

    Nothing prevents you from storing your data at your own computer, you know.
    Go buy some tiny box with Linux inside, connect USB disk, turn encryption on. That's it. Want to communicate with your box over internet - few more checkboxes.

    Your government wants an ability to wiretap communications. What's new about it? Do you know that your phone has never been encrypted?

     

  9.  
    Ragnarredbeard, Jul 25th, 2013 @ 4:48am

    Do it

    I would sooooo give them the keys. Of course, the key might be borked. ;)

     

  10.  
    Anonymous Coward, Jul 25th, 2013 @ 4:54am

    This is a good idea. I fully support it.

    It is a lot easier to steal private keys if they are located in central repository. Saves me the trouble of hacking lots of individual targets.

    -- Lazy hacker

     

  11.  
    Bengie, Jul 25th, 2013 @ 5:08am

    Web of Trust

    Well, time for Web of Trust model.

     

  12.  
    Anonymous Coward, Jul 25th, 2013 @ 5:20am

    Just a thought, but a demand for encryption keys confirms that they are recording all internet traffic.

     

  13.  
    aerilus, Jul 25th, 2013 @ 5:58am

    Re: Why is the net pursuing encryption?

     

  14.  
    Marak, Jul 25th, 2013 @ 5:59am

    sigh

    Getting real tired of your shit america (yes your govt but they are the ones representing you internationally).

     

  15.  
    vastrightwing, Jul 25th, 2013 @ 6:20am

    Plausible deniability

    I don't believe them: I trust everything that Google, Apple, Yahoo and Microsoft say the same way I trust everything the government says.

    There is an encryption technology called plausible deniability: dual encrypted channels with double keys. When the government demands the keys, you give them one set of keys to placate them so you don't end up in jail. I won't bore you with the details, but check out TrueCrypt.

    I never liked the idea of storing anything of mine on rack servers (AKA the cloud) owned by anyone other than me. All the B.S. about we protect you is utter nonsense. I'm going back to typewriters, in person face to face communications, and when I do use skynet, I'll encrypt my messages on top of the SSL layer. Then I'll use TOR because I don't even want anyone knowing where I'm sending messages to in the first place. If they want to track me, they can use old fashioned detective work.

     

  16.  
    gnudist, Jul 25th, 2013 @ 6:36am

    And this is why RMS warned against cloud computing: You have the same lack of control as proprietary software, in this case even less since at least you can perma delete in Windows while online the government can easily get it without you knowing and any "delete" function may just make it inaccessible to you.

    Paranoid yet?

     

  17.  
    Josh in CharlotteNC, Jul 25th, 2013 @ 7:09am

    Key escrow

    Deja vu all over again. A return to the encryption wars of the 90s with key escrow. The NSA lost back then, looks like they want a re-do.

     

  18.  
    Pixelation, Jul 25th, 2013 @ 7:26am

    Oh Microsoft, you kid...

    "Microsoft and Google both directly denied that they would hand over such a master key."

    With Microsoft, based on the past, I call bullshit. I would be surprised if they haven't already handed it over.

     

  19.  
    Anonymous Coward, Jul 25th, 2013 @ 7:34am

    I agree MS would probably do it in a heartbeat. Possibly Google too. I don't trust anything on the internet. Never have/will.

    MS tried to get Google censored. I think they actually sued them or at least tried to. Probably so they could say "look bing works better than google". Yeah now that it's crippled MICRO-DICK

     

  20.  
    captain obvious, Jul 25th, 2013 @ 8:46am

    quick on the heels of...

    So, they just had their shill Snowden do the leak to test the waters. They didn't a massive shit storm, just a minor squall. They give it a small amount of time and then hit us with this gem. Their plan is working perfectly. MUAaaahhhh ha ha ha haaaa!

     

  21.  
    Anonymous Coward, Jul 25th, 2013 @ 8:47am

    Re: quick on the heels of...

    They didn't get a massive ....

     

  22.  
    That One Guy, Jul 25th, 2013 @ 9:04am

    Re: Oh Microsoft, you kid...

    Given it's Microsoft we're talking about, I wouldn't be surprised if they'd handed the keys over as soon as they were implemented in the first place.

     

  23.  
    John Fenderson, Jul 25th, 2013 @ 9:36am

    Public Key Encryption 101

    The web of trust model would help a lot.

    What would help even more is if there was some way to get people to take encryption seriously, and not just as a checkbox or prepending https to a url.

    The notion of "trust" is absolutely core to the security of public key encryption. You need to determine whether a key you are using was actually issued by who you think it was issued by.

    We now know that the default way this is "ensured", that it was vouched for by a CA such as Verisign, Microsoft, etc., is meaningless in terms of being able to trust the key. People have to start taking a more active role in verifying the keys they use.

     

  24.  
    Chris Brand, Jul 25th, 2013 @ 9:39am

    A new law ?

    "you can fully expect that a law will be proposed shortly which will more or less require companies to hand over such keys". I doubt it. Too difficult to sneak something like that by right now. They'll just go to the FISA court and get it to interpret some existing law in a way that allows them to demand what they want.

     

  25.  
    Mark Atwood, Jul 25th, 2013 @ 9:42am

    Why do they even need this?

    The *only* use case for the government to have the SSL/TLS master private keys is so they can eavesdrop on the resulting communication without even bothering with a warrant or subpoena.

    Why would the Obama Justice department want to spy on your Google Searches in such a way that they don't want to send a subpoena to Google? Hmm?!

    The only question of real import is: WHY HAVEN'T WE HUNG THESE PEOPLE YET?

     

  26.  
    hobo, Jul 25th, 2013 @ 9:42am

    Re:

    I'm not saying I disagree. But if "the majority" are "unwilling," then you've got your answer. Sadly, that would be the system working properly.

     

  27.  
    McCrea, Jul 25th, 2013 @ 9:59am

    All your SSL belong to us

    fucktards

     

  28.  
    McCrea, Jul 25th, 2013 @ 10:11am

    Consumer Trust

    If people lose faith in the web, e-commerce could collapse.

    (We all know the Feds can't keep a secret)

     

  29.  
    PRMan, Jul 25th, 2013 @ 10:21am

    Re:

    I know, right? Everyone laughed at me because I didn't want to store everything in the cloud...

     

  30.  
    Hephaestus, Jul 25th, 2013 @ 11:02am

    Re: Re:

    How can they cave to the government demands if the software allows people to generate their own encryption keys? Just saying.

     

  31.  
    Anonymous Coward, Jul 25th, 2013 @ 11:08am

    We need new technology to address the flaws in Certificate Authorities.

    I would suggest something more 'decentralized'.

     

  32.  
    John Fenderson, Jul 25th, 2013 @ 11:29am

    Re: This is simply insane

    "This all started with Bush and Obummer is just taking it to the next level."

    It started well before Bush.

     

  33.  
    Rekrul, Jul 25th, 2013 @ 12:40pm

    (From the link) Google also declined to disclose whether it had received requests for encryption keys.

    Well, that's as good as admitting that they have received requests for encryption keys...

     

  34.  
    vastrightwing, Jul 25th, 2013 @ 1:15pm

    The gate keepers

    After further consideration, I come to the conclusion that all the mentioned companies will gladly hand over the keys. I repeat, they will gladly hand over the keys because the government has stuff they want! Data! Yes, Quid pro quo. I'm sure that since the NSA is acting as the gate keeper of all this meta data, they are liberally sharing stats and other information with their partners. Of course they're lying to all their partners about it telling each one that they aren't sharing their data with the competition.

    Imagine the NSA telling Microsoft there is an exploit in the OS long before anyone is publicly aware of it. The NSA will tell them about it and ask them not to patch it yet. This way, the NSA can exploit it themselves. Microsoft can start fixing it so when the vulnerability goes public, Microsoft can have a patch ready to go. Ditto with all the viruses. I wonder how many viruses are military in nature?

    I imagine there is a whole lot of information sharing going on we have not learned about yet. The NSA, being the gate keepers keeping big tech in check.

     

  35.  
    Anonymous, Jul 25th, 2013 @ 2:37pm

    Hey feds...

    I got yer master encrytion key right here!

     

  36.  
    Anonymous, Jul 25th, 2013 @ 2:38pm

    Re: Hey feds...

    * encryption

     

  37.  
    Anonymous Coward, Jul 25th, 2013 @ 3:16pm

    Re:

    Or you encrypt the files before you put them in the "cloud".

     

  38.  
    John Fenderson, Jul 26th, 2013 @ 11:14am

    Re: Re:

    That helps a lot, but is insufficient. Even better is to avoid using the cloud for anything, or at least for anything that is at all important.

     
