Friday, 26 July 2013 15:21

Are the NSA and FBI Asking For Encryption Keys and Passwords?

Written by

Reading time is around minutes.
animal farm-pigs

There is a rumor going around (from “sources wishing to remain anonymous”) that claims that US Law Enforcement and the NSA have been asking internet companies for user passwords. The article originally posted by cNet has made the rounds this morning across a few sites; all of them pointing back at the single cNet source. Now on top of everything else that is going on many people are ready to jump on board with this and further denounce the NSA, the FBI, DHS, IRS, and anyone else in the US government with initials. But outside of the claims from a single blogger at cNet are there any other indications that this is a common practice?

 

To give you some background (very small amount of background) the claim actually stems from the only person that ever fought a National Security Letter (NSL) and won. In 2004 Nicholas Merrill was served with a National Security Letter which demanded a certain amount of user data. Merrill decided to fight this as he felt the request was not legal or in any way justified. For 6 years he was under a gag order not to discuss the case or the existence of the letter with anyone. However in 2010 he won his fight and also won the right to talk about it. In his disclosure on the incident he also talked about building a network that was hardened against NSA and FBI requests. This would be a network protected by point to point encryption, encrypted data repositories and much more. However at the core of this network was something very unusual; the users would control their own encryption keys. Merrill said that by doing this the government could not gain access to encrypted data without producing a search warrant and delivering it to the individual. This new type of network would not have the ability to gain access to user data as they would not own or control the keys or the locks that guard it.

No considering that this was coming from someone that fought an NSL and won the revelation that to protect user data a company must not own the encryption keys is quite an eye opener. It would seem to validate, at least on some level, the claims being presented at cNet. So one point for cNet zero for the NSA and their group of spies. However, we would not want to just take this one piece of evidence and leave it as read. We need to give the opposition their time too.

As we and many other sites have stated, companies like Google, Microsoft, Yahoo, Facebook etc. all claim they do not give out any more information than they are legally obliged to. They also have claimed they have not made any “back doors” which would allow entry by any government agency without a valid request. On the subject of user passwords and encryption information they have remained unusually silent either declining to say if they have had this sort of request or not even bothering to respond. It sort of does not bode well for them or the NSA that they did not make any type of rebuttal to refute these claims. Well looks like it is now two to zero…

Although these two items appear to make a very good case to show the NSA and FBI might be asking for encryption keys and user passwords there is an even bigger bit of evidence to bring to bear here. In the case of Megaupload we saw the FBI and US DoJ follow a very disturbing pattern. In addition to seizing assets with almost no presented evidence in the matter we saw them coerce authorities in New Zealand to set up surveillance on a citizen. This is something that New Zealand laws prohibit so the request and the surveillance was very much illegal. On top of this the FBI used a blanket warrant when they raided Kim Dotcom’s house. Again this type of warrant is not legal in New Zealand and yet it was executed and the FBI made off with a ton of un-reviewed data without permission. They showed back then that they are willing to break the law to get what they want. So it is not surprising, or out of the realm of possibility that they would demand this level of access now.

Of course even if a company says no to giving access to encryption keys or direct access to user information there are still ways that the NSA and others can get the information. They can ask for a dump of data from the server, get a real warrant to install a key logger on a computer, and simply apply the compute power the NSA has at its disposal to brute force their way in. Getting the keys to the castle ahead of time is simply an easier way to get what they want. The level of surveillance that is being brought to bear on US citizens is quite frightening and it is not as simple as looking for bad guys and terrorists. For the most part these people operate in their own world and have fairly secure means of communication they use. It means that this level of monitoring is only good against ordinary people (or very inept criminals). Many seem to feel that the knowledge of government activities will prevent people from participating in the normal Democratic Process for fear that if they do not agree with the current administration they will be targeted for further investigation.

Although we may never know for certain if the NSA and others are asking for (and getting) encryption keys and passwords we are fairly certain they are. There is quite a bit of information that points to this being true (outside of “anonymous sources”). We have a bad feeling that this is not going to stop here. Now that we have woken up to find out digital lives subjected to unwarranted and unwanted scrutiny there are going to be more leaks about it. We said last year that 2013 would be a bumpy ride for privacy and internet rights and sadly we were right.

Tell us what you think in our Forum

 

Read 3971 times Last modified on Friday, 26 July 2013 15:24

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.