32 comments

[ 3.8 ms ] story [ 76.8 ms ] thread
EFF Deeplinks overstates as usual, harming their credibility.

EARN IT doesn't let the government scan every message (just like right now your non e2e encrypted data says isn't subject to mass scanning by government, but guarded by a warrant or your hosting provider's government bootlickiness), but merely (as the article admits) doesn't prevent the government from passing such a law in the future.

> right now your non e2e encrypted data says isn't subject to mass scanning

That's not consistent with my understanding of XKeyscore.

You see, that’s why xkeyscore is illegal.
Ummm, "illegal" does not equal "not used". It just means "not disclosed, and obfuscated through parallel construction".

I mean, do you really think that a military intelligence agency operates under domestic law? And from what I've read, need to know structure within the NSA doesn't map to command/reporting structure. So there may be components that operate ~independently as deep backup.

As far as the legal situation is concerned XKeyScore was a foreign intelligence tool, domestic surveillance does still require a Fisa warrant and I don't think there was ever evidence that XKeyScore or similar NSA tools were used as tools of mass surveillance against American citizens.
It's been a while since I've read up on this, but my understanding is that the NSA vacuums up everything it can and operates under the rather creative legal theory that this doesn't count as "collection" until it's returned by the search engine, which they pinky-promise won't return it unless their prediction model is at least 51% sure that it's a foreign communication.
Just out of curiosity, if the EFF overstates "as usual" in your view, how much credibility did you perceive them to have in the first place (before readingthis article)?
I’d say somewhere between huffpo and buzzfeed.
A Pulitzer prize winner and a Pulitzer prize finalist. Not really sure what conclusion to draw from your comment.
I'm not sure this logic is sound.

For starters, it feels like an appeal to authority. I don't think Pulitzer gets to decide who is credible, as they possibly (likely?) have an agenda like anyone else.

Second, I'm not sure how many hundreds of Pulitzer prizes have been given out over the years, but I surely don't blindly trust every source that has every been awarded one.

Third, receiving a Pulitzer price for one story/investigation, doesn't mean that all the stories written by your dozens of other reporters also become credible.

Well it's pretty simple. I treat news from EFF the same as I treat news from huffpo and buzzfeed. Pretty easy to draw a conclusion, I think.
EFF is always dramatic, but it’s a pretty classic legislative move to form a committee to do some dirty work that the legislators don’t want pinned to them.

It’s legit to be worried about the legislation, particularly considering the sponsor.

I think you may be overstating how much they're overstating.

The bill creates a group of anti-E2E-encryption folks with the power to smack down an online company when it suits them, who won't need congressional approval when deciding what the rules are. We know the rules they want are incompatible with E2E encryption.

It is possible they surprise us with E2E-encryption-friendly rules. Was that your point? Possible, sure.

Exactly! The body in charge of setting the rules is made up primarily of law enforcement and holds no accountability to the public. I have no doubt that if they are handed this opportunity to make encryption uneconomical for companies, they will take it.

Expert opinions about the effect of adding backdoors/ending encryptiin on safety won't matter to them.

You mean the same government that fly's sting rays around? Gets illegal pings on cell phones from service providers? The government that put warrant-less tracking devices on cars? Nah - that government is cool bro. They definitely have our best interest in mind.
TFA says this:

> The so-called EARN IT bill, sponsored by Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message.

If that's accurate, I don't believe that EFF is overstating at all.

However, none of this particularly frightens me. That's because I assume that any communication where I don't manually encrypt stuff locally, using well-vetted open-source software, is vulnerable. And I also assume that any entity that operates openly, and is vulnerable to legal, criminal or financial pressure, cannot be trusted at all.

So if all this authoritarian bullshit comes to pass, everyone who uses vulnerable tools will be pwned. That's sad, and perhaps it'll be worse than now, but there's arguably no reliable way to know if so, and by how much.

More importantly, there'll be an opportunity to move more online activity and communications to truly secure channels, which are far less vulnerable to compromise. You could consider that an expansion of criminal enterprise, but that's how things work.

There are some signs that the Tor Project is getting with the program. And there is actually a new onion-routing network, Loki, which looks promising. I've been using their messaging app, Session, and it's quite usable on Linux and (I gather) Android. Perhaps I2P will attract more users too.

> However, none of this particularly frightens me. That's because I assume that any communication where I don't manually encrypt stuff locally, using well-vetted open-source software, is vulnerable. And I also assume that any entity that operates openly, and is vulnerable to legal, criminal or financial pressure, cannot be trusted at all.

I can bet they'll also have rules along the lines of "services will scan their own non-encrypted messages to make sure no encryption is being done by the user", so you'd likely be legally liable, or at least liable to being banned by the service.

Well, there's steganography.

And as I said, I'd just avoid services that were vulnerable to coercion.

If it gets to the point that all ISPs block anything that's encrypted, then most everyone will be screwed. However, that'd be hard to implement without creating opportunities for private pwnage.

And as a deep backup, there's always encryption via covert channels. You can only hide maybe 0.1%-1% of throughput, but that's enough for text hidden in video or whatever.

And re banning, I can create as many new personas as I need.

If you're in the US please take the time to email your federal representatives and let them know you care about protecting encryption. It only takes a few clicks though the EFF article linked above.
Thanks. It was pretty easy.
Encryption isn't mentioned in this bill at all-- it's worse than that. This bill let's a small group of people vote on practices that you may be bound to by law, using an emotionally sensitive subject.

The draft of this bill is currently lacking decent limits.

Done, and added a bit to the beginning of the message (wonder if that helps). Here's to hoping that something will be done (about this and many other things), before I lose all faith I have left in this country.
I often wonder (given the privacy violations and law breaking that goes on) do you some how get a black mark from the powers that be if you participate in these types of petitions.
probably, but it is still worth the potential trouble (unless you plan on being the next Snowden,then it might be better to stay under the radar)
This reminds me of a very similar initiative[0] adopted by Russia in 2016. It was heavily backed by the highest ranks, but ultimately failed due to lack of technical knowledge by everyone involved.

[0] - https://en.wikipedia.org/wiki/Yarovaya_law

Except that "lack of technical knowledge" will have no effect on the outcome here, nor would an abundance. These thugs are terminally lacking anything of any kind of value, and it hinders them no more than their pallid saggy jowls, which jiggle and wiggle tirelessly with the effluent of eternal nonsense.
They have no concept of a limit. In a world order as unbalanced as today's, granting themselves this kind power with no proportional responsibility risks forfeiting their authority.