Congrats, FBI, You've Now Convinced Silicon Valley To Encrypt And Dump Log Files

from the a-victory-for-privacy dept

Soon after the original Snowden revelations, I went around talking to a bunch of startups and startup organizers, discussing whether they'd be more willing to speak out and complain about excessive government surveillance. Some certainly did, but many were cautious. A key thing that I heard over and over again was "well, our own data privacy protections... aren't that great, and we'd hate to call attention to that." Every single time I'd hear that I'd point out that this should now be their first priority: clean up your own act, now and fix your own handling of people's data, because it's an issue that's going to become increasingly important, and you're being foolish and shortsighted to ignore it.

While the Snowden revelations certainly did get some companies to improve their own practices, it looks like the FBI's decision to go after Apple over encryption, has really galvanized many in Silicon Valley to take action to truly protect their users from snooping government officials -- meaning making use of real (not backdoored) encryption and also diong other things like dumping log files more frequently.
“We have to keep as little [information] as possible so that even if the government or some other entity wanted access to it, we’d be able to say that we don’t have it,” said Gadea, founder and chief executive of Envoy. The 30-person company enables businesses to register visitors using iPads instead of handwritten visitor logs. The technology tracks who works at a firm, who visits the firm, and their contact information.
The article is full of such stories -- including one of a company called Stealth Worker that is basically helping lots of startups build in better security from the start:
Stealth Worker — a start-up funded six months ago by the prominent incubator Y-Combinator — provides contract cybersecurity experts to early-stage start-ups, which often operate on a shoestring budget. Stealth Worker chief executive Ken Baylor said that in the past month he had been approached by a half-dozen companies looking for ways to build tougher encryption and other secure technical architectures.
Because it's the Washington Post, and they feel the need to be "balanced" the article does include the one ridiculous contrarian quote from our old friend, former NSA General Counsel Stewart Baker, who basically dismisses reality as a myth in the heads of some engineers:
“This is a Silicon Valley delusion that the government wants to outlaw encryption,” Stewart A. Baker, a former National Security Agency general counsel, said in an interview. “I grant that there is a radicalized subculture of engineers that is very prone to that delusion, but it is a delusion.”
This is classic Baker: saying something that avoids the actual truth by saying something that's nominally true, but not what people are actually discussing. The claim of "outlawing encryption" is really shorthand for "outlawing effective encryption that is less vulnerable to attack." And that's absolutely what many in the government are trying to do. I mean, there's no delusion necessary when you can just read the bill put forth by Senators Dianne Feinstein and Richard Burr, that absolutely would make real encryption illegal. Sure, it says you can keep encryption, but only if it includes a way for 3rd parties to decrypt it. And the only way that's possible is to introduce serious vulnerabilities into the encryption.

The thing that Baker and many others truly don't get about Silicon Valley is that when you give techies a challenge that involves making "the best" of something, they like solving the challenge. The suggestions to backdoor encryption undermine that philosophy. They're saying that techies would need to deliberately cripple their own solutions. And the more that the FBI and clueless Senators push for such a solution, the stronger Silicon Valley will dig in and keep building better overall solutions that are less prone to government snooping.

Maybe, just maybe, if the likes of the NSA and FBI hadn't regularly abused their snooping powers, folks would be more willing to give them the benefit of the doubt. But it's a bit late for that at this point.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    yankinwaoz (profile), 25 May 2016 @ 10:42am

    Until forced to keep logs

    The Govt can ban the deletion of logs. And they can require logs be created, archived, and surrendered to any Barney Fife LEO who darkens their door.

    reply to this | link to this | view in chronology ]

  • identicon
    Jason, 25 May 2016 @ 10:46am

    understatement

    Maybe, just maybe, if the likes of the NSA and FBI hadn't regularly abused their snooping powers, folks would be more willing to give them the benefit of the doubt.
    I've felt that way from the beginning. If they (pick whatever "they" is appropriate to the context) would have been up front about what they wanted to be able to do, convinced people it was necessary, had proper safeguards and oversight, and was proportional to the problem that was trying to be solved---gone about it through a normal democratic process, one could almost say---then a whole lot of the crazy mess things are in right now might have been completely avoided.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 May 2016 @ 3:10pm

      Re: understatement

      They got caught in their own propaganda.

      They made the mistake of initially framing the discussion in terms of "we conduct mass surveillance to keep you safe". But as is the case with a whole lot of propaganda, the framing begins to fall apart when you hold it up to reality.

      Sure, they can use domestic mass surveillance to catch some baddies (although they certainly do not have a huge number of examples of it doing that - but whatever, let's pretend it does that to some degree). Where their "keep you safe" arguments start to fall completely apart is when we hold them up to the reality of all the ways it makes us "less safe" and what nefarious uses all that private data will certainly be put to by unscrupulous private, corporate, government, and criminal actors.

      When framed in those alternate terms, the benefits proposed by law enforcement/intelligence community become highly improbable. Especially in light of the obvious detriments. And as they're a group of smart people, I can only assume they are very aware of these facts.

      So that begs the question, what is their actual intent (vs their stated goal)?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 May 2016 @ 10:49am

      Re: understatement

      They got caught in their own propaganda.

      They made the mistake of initially framing the discussion in terms of "we conduct mass surveillance to keep you safe". But as is the case with a whole lot of propaganda, the framing begins to fall apart when you hold it up to reality.

      Sure, they can use domestic mass surveillance to catch some baddies (although they certainly do not have a huge number of examples of it doing that - but whatever, let's pretend it does that to some degree). Where their "keep you safe" arguments start to fall completely apart is when we hold them up to the reality of all the ways it makes us "less safe" and what nefarious uses all that private data will certainly be put to by unscrupulous private, corporate, government, and criminal actors.

      When framed in those alternate terms, the benefits proposed by law enforcement/intelligence community become highly improbable. Especially in light of the obvious detriments. And as they're a group of smart people, I can only assume they are very aware of these facts.

      So that begs the question, what is their actual intent (vs their stated goal)?

      reply to this | link to this | view in chronology ]

  • identicon
    BobOki, 25 May 2016 @ 10:47am

    Mispelling

    Please search this article for the word "diong" and correct, then feel free to delete this courtesy comment. Great article otherwise.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 11:03am

    OMG, they just denied it! That means the government DOES want to outlaw encryption...!

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 25 May 2016 @ 11:06am

    Now that the FBI is operating as an espionage agency

    It's teaching companies to act as security firms...or espionage firms...or organized crime.

    Which is poetic, since the FBI really got started to combat the Mafia.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 May 2016 @ 12:37pm

      Re: Now that the FBI is operating as an espionage agency

      Anyone that is willing to commit evil to stop evil becomes the evil they destroy.

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 25 May 2016 @ 1:02pm

        Re: Re: Now that the FBI is operating as an espionage agency

        Plus, there's a couple more fundamental human tendencies in play here. People tend to become what they hate, people tend to think that their personal experiences are representative of the greater reality, and people tend to resemble the folks that they spend a lot of time with, even when that time is spent in opposition to them.

        reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 25 May 2016 @ 11:12am

    Apparently Stewart Baker wants a little backdoor. A "just the tip" kind of guy.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 11:24am

    "I grant that there is a radicalized subculture of engineers that is very prone to that delusion, but it is a delusion."

    A radicalized subculture consisting of.. more or less everyone who has any skill or knowledge to contribute to the subject.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonmylous, 25 May 2016 @ 1:04pm

      Re: Radicalized

      You're the only commenter so far to even mention this quote and you said nothing about the use of the word Radicalized.

      The choice of this word speaks volumes about the mindset of law enforcement and the Senators supporting them. They DO see it as Gov versus Tech. They aren't looking for amicable solutions, they want blind obedience or you're equal to a terrorist in their eyes.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 May 2016 @ 9:00pm

        Re: Re: Radicalized

        We've got to do something about those radical engineers. I've heard they even practice math.

        reply to this | link to this | view in chronology ]

        • icon
          That One Guy (profile), 26 May 2016 @ 12:54am

          Re: Re: Re: Radicalized

          Math would be bad enough, their real crime is practicing non-government approved math!

          If the government says that 2+2 equals 5 then that's the new mathematical reality, yet those commie terrorist pirates continue to insist that it equals 4, in clear contempt of their betters, and despite assurances from the governments(which is always right of course) that if they'd just try harder they'd be able to change the old, non-government approved math to meet the new, government approved version!

          reply to this | link to this | view in chronology ]

    • icon
      DannyB (profile), 25 May 2016 @ 1:18pm

      Re: Radicalized

      Is it radical to have an extreme polarized view? For example: the sun rises in the east. Not in the west. Not somewhere in between the two. There is exactly one correct viewpoint. A radical idea, I know. Yes, I suppose I am 'radicalized' about whether the sun rises in the east or in the west.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 May 2016 @ 12:47am

      Re:

      I believe there's a radicalized subculture of aeronautic engineers who believe you need to generate lift to fly.

      What nut cases they are!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 11:51am

    This is great! Finally we have members of Congress and the FBI working together to make sure tech companies keep Americans safer in the digital age.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 11:51am

    /dev/null logging is common practice for a number of different types of providers.

    The problem with that, is logs are generally diagnostic tools. Their purpose is to help you fix things when they break.

    MTTR increases when you can't keep them. So the fact that judges completely disrespect indirect composition (meta data) as a form of speech under the first amendment, has real world expenses that are reflected in poor customer service, and higher maintenance costs.

    Judges need to stop regarding digital composition as less worthy of protection than other speech. Yeah the volume is WAY higher, and yes it is often multiplexed and easier to get to. No that doesn't make the first amendment less relevant, it makes it MORE relevant.

    Meta data, is indirect digital composition. The fact that it is accidental (from the original communicators perspective) does not make it less worthy of protection. Both antibiotics and vulcanized rubber were accidental composition. Would the same judges, play diddle-nuts with the rights of the composers in THOSE cases?

    This double standard is progressing more and more into the lives of normal every day people. They will resent it. And eventually they will rectify it. From the states perspective, fixing this sooner, will be cheaper.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 12:34pm

    Forgetting for a moment that their actions and lack of oversight in the last 15 years, have raised them from "be wary of" to "not sure who the terrorists are here" in my book; the insanity of their objectives and the very likely probability of extreme misuse, should be enough for anyone to call them out as enemies of the public.
    The mere mentioning of this should be laughed out of the room together with those who proposed such a thing.

    Here is an equally crazy suggestion: Put bombs on every plane, train, bus and other transportation so we can blow it up before the terrorists can hit anything if there is a suspecion of someone on board. This is basicly what holes in encryption are: bombs just waiting to be misused.

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 25 May 2016 @ 1:14pm

    Download book Applied Cryptography while it is still legal to do so

    I mentioned this one other time. I'll mention it here again . . .

    http://cacr.uwaterloo.ca/hac/

    See this copyright information before downloading:

    http://cacr.uwaterloo.ca/hac/about/copyright-notice.html

    CRC press has granted the following specific permissions for the electronic version of this book:

    Permission is granted to retrieve, print and store a single copy of this chapter for personal use. [ . . . rest omitted . . . ]

    reply to this | link to this | view in chronology ]

  • icon
    sehlat (profile), 25 May 2016 @ 1:23pm

    It's called blowback.

    The FBI has looked into the abyss. The abyss has looked back, and punched it in the face.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 1:45pm

    The last time they had a "radicalized" engineer attack, we came up missing the Twin Towers and a chunk of the Pentagon. Take note: Don't pass off engineers.

    s/a nuclear/crypto cleared multi-engineer

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 25 May 2016 @ 2:55pm

    Meanwhile in Bizzaro world...

    A government official was quoted calling those in the tech industry who continued to call for weaker encryption a 'radicalized minority', who 'put the security of everyone at risk with their absurd insistence that weaker encryption was needed to stop crime.'

    "The government's position on this is the same today as it was yesterday, and will not change. Weakening encryption is a foolhardy idea that puts everyone at risk, and is something that only criminals and those that wish to aid them would ever push for, as criminals stand the most to gain from it. The tech sector's demand that all encryption be deliberately flawed is completely absurd, and I honestly have no idea what could have led to such an insane idea.

    Numerous individuals in law enforcement have urged us to push back strongly against this dangerous idea, making it very clear that weaker encryption, far from decreasing crime as various tech companies claim will instead lead to an explosion of crime, as countless devices and services become easy targets for malicious individuals.

    Weakened encryption is a dangerous idea, and any crimes that it would allow to be stopped would be vastly overshadowed by the countless crimes it would enable. I can only hope the tech sector realizes this before it's too late."

    reply to this | link to this | view in chronology ]

  • identicon
    John, 25 May 2016 @ 3:07pm

    Australia has forced log retention

    The Australian government has laws forcing ISPs, web hosts etc to keep logs for 2 years, but exempted overseas companies. Guess where businesses are taking their operations? Out of the country where possible, as it reduces the compliance cost of doing business. I wonder in 5 years time, whether the US government will pass a bill preventing US businesses from moving off shore in order to save Silicon Valley.

    reply to this | link to this | view in chronology ]

  • identicon
    dsggdjfhk, 25 May 2016 @ 3:30pm

    Techies are selective about crippling things.

    Sadly, techies are actually very selective about whether they'll cripple their own work product. They won't do it for the G-man, but they will for the guy in the suit and tie who pays their salary, as evidenced every time something on the internet is intentionally broken to generate revenue.

    The most common example of this being sites gratuitously coded to be unnavigable or, increasingly often, unreadable, if you turn off Javascript. Try it. Turn it off and see how many of your favorite (noninteractive! I mean sites where you go, read something, and leave, not Facebook and Twitter and the like) websites render as a blank page, or a blunt message saying "turn on Javascript or we won't show you anything", and how many more are readable but the links don't work and/or all of the images on the page are missing.

    Of course it's perfectly technically possible for such sites to work without JS. A div element with some text in it inside the body element. An anchor element with an href attribute. An img element with a src attribute. These have been around since the 90s and work just fine with JS switched off. So what's the deal here?

    The only answer that makes any sort of sense is that the site is deliberately broken to force people to switch JS on, and the only answer that makes sense as to why they want to force JS on is that they want to run a script on your computer to do something you'll find annoying rather than a value-add. This tends to mean advertising -- and not just display advertising, which is easily done with img tags and server-side scripts to determine what ads to serve, or even targeted display advertising, since 1x1 transparent GIFs and tracking cookies also don't need JS. No, they want to do obnoxious advertising that is deliberately crafted so as to obstruct the visitor from doing what the visitor wants to do until they've acknowledged the ad in some way. That's the only motive that makes sense for trying to force people to turn on JS.

    Of course, that just drives people to turn on both JS and an ad-blocker, which in turn drives the suits to demand the engineers cripple the site even more by adding anti-adblock boobytraps, which of course also require JS enabled in order to function, adding more motive to force visitors to turn on JS to see content.

    So the engineers have shown that they are perfectly willing to degrade and cripple their own product, making it less useful and more annoying to users, if their paycheck depends on their doing so. Just not for random G-men who aren't their bosses.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 May 2016 @ 3:43pm

      Re: Techies are selective about crippling things.

      I think you are confusing code monkeys with dedicated hackers. The first are in software to make money, the second because its their passion. Indeed the ability to do the right thing is one of the attractions of free and open source software for real hackers, as their peers and not any managers are the ones who decide whether or not something makes into the release.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 May 2016 @ 9:09pm

        Re: Re: Techies are selective about crippling things.

        I think you are confusing code monkeys with dedicated hackers.

        And code monkeys aren't exactly the one's leading innovation.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 May 2016 @ 6:39pm

      Re: Techies are selective about crippling things.

      So you found the switch to turn off javascript, and that constitutes an international conspiracy?

      In your particular case, there is a solution. Download and put up a crawler, and then write a patch that detects and ejects sites with development practices you disagree with. Then post a couple of years later, IF you've finished. I'd love to see YOUR solution. Hell, kickstart it and I'll help fund it for christ's sake. Note that all the software required to complete such a task, is FREE, and was written by the same kind of people that you are bitching about.

      Please stop being a minion for an aristocracy that is trying to focus fear and bigotry on technicians and scientists. They spread this meme to maintain control. You, by bitching instead of contributing, are helping create the leverage that results in the shit code you are talking about.

      BTW if you put up with the shit we put up with, you would have already gone postal. The people your complaining about are on your side.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 May 2016 @ 8:25pm

      Re: Techies are selective about crippling things.

      I'm a techie who works for a company that builds a framework for building web applications. I don't disagree with the underlying point you are making, but JavaScript (specifically) is actually essential for certain approaches - static HTML plus links to navigate simply can't provide certain user experiences. Think of things like providing a list of records which automatically loads more data as the user scrolls down, or sorts instantaneously when the user clicks on a header rather than having to reload the entire web page.

      There are plenty of sites that deliberately make their pages non navigable when you have ad-blocking software, etc, but the requirement for JS is real for many scenarios.
      (Of course a company could write a less capable version of the site in static HTML in addition to the more interactive version, but it's twice as much work for something which will only impact a tiny fraction of users who are disabling JS in their browser).

      Having said this - I personally recommend using privacy tools to minimize third-party tracking across sites, and ad blocking software. There are lots of options out there. I use Privacy Badger myself, and AdBlock Plus.

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 26 May 2016 @ 7:34am

        Re: Re: Techies are selective about crippling things.

        "but JavaScript (specifically) is actually essential for certain approaches"

        This is true, but in practice (in my experience), 90% of the time that those approaches are used are in situations where they are not necessary.

        I will continue with my current practice: disable Javascript by default. If a site doesn't work that way, and the site is not in some way critical to me, then I just won't go there anymore. If the site is critical to me, I'll take the time to determine which pieces of Javascript I will allow to run and which I won't. Usually, there's only one or two really critical bits.

        reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 25 May 2016 @ 9:44pm

      Last I checked, especially regarding telecoms...

      The G-men usually offer companies monetary incentives to cooperate in the first place. AT&T and Verizon are notorious for taking huge payoffs from the United States for cooperating with the NSA mass surveillance program.

      So yeah, some companies will sabotage the integrity of their product for sake of the government when the price is right.

      Really, it's a short term gain for a long term loss.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 May 2016 @ 3:59am

        Re: Last I checked, especially regarding telecoms...

        Really, it's a short term gain for a long term loss.

        Unfortunately, the "long term loss" is for society, not the companies involved.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 May 2016 @ 8:20am

      Re: Techies are selective about crippling things.

      There's a world of difference between "purposely crippling functionality" and "just can't be assed enough to fix a bug".

      And yes, page's being unreadable when JS is turned off is just that - a bug. There are plenty of fallback strategies for everything you can do in JS, however they take time and effort to code. Doing that coding for the quite small number of users that this applies to is not sound business practice.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 May 2016 @ 10:42am

      Re: Techies are selective about crippling things.

      I want to introduce you to a program called NoScript. Selectively disable javascript to stop the insecurity.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 May 2016 @ 2:52pm

        Re: Re: Techies are selective about crippling things.

        Already use it. Even then:

        1. There's a slight security risk in activating scripts, even just for the domain serving the page you're viewing. If they get hacked and a script that loads an exploit kit gets added to their pages, boom.

        2. The typical case doesn't work if you just enable the site's own scripts. There will be dozens of other domains with scripts listed in the unblock menu, and a lot of them will have *really* dodgy names, and one of the dodgier ones will often turn out to be the one that's needed to unlock the functionality of DISPLAYING SOME FREAKING STATIC TEXT.

        For example, "d9f23ab948c01f3b.cloudfront.net". What the fuck is that? Malware domains often have large amounts of nonsense gobbledygook in them, just like that. At best it's a legitimate cloud hoster, in which case allowing scripts from it means allowing not just the scripts for example.com whose site I'm trying to browse but every *other* script hosted at that cloud hoster as well, including, in all likelihoods, some malicious ones.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 4:36pm

    forced retention

    are erasers still ok on #2 pencils? or does govt want to see our work?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 May 2016 @ 5:34pm

    X

    reply to this | link to this | view in chronology ]

  • icon
    Supserb (profile), 25 May 2016 @ 10:09pm

    Right on! When the government makes laws that completely change the constitution in secret, which is what they have done prior, that snowden revealed. It is illegal. It is beyond the scope of their power. Those legislators should be brought up on charges. Companies that stand up to this corrupt government, will be remembered as heroes, just as snowden will be remembered.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2016 @ 3:38am

    Of course only domestic terrorists refuse top let corrupt government agencies look through their data unencrypted

    /s

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2016 @ 8:01am

    pula

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2016 @ 8:58am

    "A key thing that I heard over and over again was "well, our own data privacy protections... aren't that great, and we'd hate to call attention to that."

    I suspected as much, the silence is deafining

    I seriously doubt that very MANY companies in ALL fields take it as seriously as they should be, yet their quite willing to stipulate that a service or good only be purchased/exchanged for the ever growing list of our personal private data

    Data protection laws are obsolete, outdated, and pitifully weak, and im sure there are those who want to keep it that way

    reply to this | link to this | view in chronology ]

  • identicon
    infoexpert, 28 May 2016 @ 9:51am

    Encryption is a must

    I am surprised that after so many news about data breaches etc. most of businesses are still not focusing on adding encryption to their apps. Now there are tools like www.qredo.com that enable people without any cryptography knowledge to add high level of security/protection to their apps. I recommend all to checkout www.qredo.com as it seems that it might be game changer.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.