US crypto plan aims to bug PCs

'Plumbers' to be legalised -- if it gets through Congress...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Crypto works the same horrifying voodoo on government control-freaks the world over, but cultural distinctions will colour their response. If the British Nanny State would become a cruel bully, its American companion aspires to become a twitchy, sweaty sneak thief. Or such is the impression we get from the Department of Justice's recent draft proposal for what it calls a "Cyberspace Electronic Security Act". Whereas Her Majesty's Government might rudely chuck you into the slammer for defying a warrant to decrypt files it chooses to examine and be done with you, Auntie Sam prefers to tiptoe into your house under cover of night and secretly install a device or an application to disable your crypto scripts and record your online communications and personal files in plain text. This would be made possible by expanding a little-used law enabling the Feds to obtain a warrant to sneak into private premises and install hidden listening devices. Only 50 such warrants were issued last year in the US, making it perhaps the least popular law-enforcement tactic known. It's a bit clumsy: the first warrant merely authorises installation of the device; a second warrant is required to examine the evidence it collects. For the proposed PC bug, a "recovery agent" would perform the dirty deed and maintain the data in a secure manner until such time as a judge empowers a law-enforcement agent or an officer of the court to view it. We weren't sure just what's meant by a "recovery agent". Is it some spymaster sysadmin working for our local ISP? A local police detective posing as an incontinent computer repairman cheerfully performing "free system upgrades"? A cat burglar who owes the DoJ a favour? The DoJ wasn't quite sure either. This is one of the bits of the proposal still being worked out. It would be fair to imagine that a recovery agent could be any of the above, but most likely a lab-coated technician examining a confiscated hard drive for potential evidence in a more-or-less IT workshop environment down at police HQ. American libertarians are alarmed, but we find the proposal more comical than sinister. We were much amused by Assistant Attorney General Jon Jennings' letter to House Speaker Dennis Hastert, entreating him to drum up congressional support for the scheme. Jennings appeals to the need for speedy action in such emergencies as "stopping a terrorist attack or seeking to recover a kidnapped child, [where] time is of the essence and may mean the difference between success and catastrophic failure." The Reno DoJ rarely fails to exploit the vast American cult of infant worship when paddling near the falls with due process, and there we have a classic example. Nice try, but in situations where a kidnapper's computer can be located and physically modified without his knowledge, finding the brat would be a no-brainer. Or does the DoJ expect kidnappers to communicate ransom demands to traumatised parents via ICQ? The most amusing flaw in this plan is not legal but rational. Auntie Sam may have got herself so worked up over innocent children in bondage that she fails to grasp the obvious: users sophisticated enough to employ IT in high-level crime are those least likely to be tripped up by an anti-crypto application, or the sudden materialisation within their computers of an unidentified black box. But what are the Feds to do? The Reno DoJ has been in fits over crypto for the past three years. Its preferred goal is to assemble a library of keys to be used as needed, but Congress has thus far been dragging its feet as only Congress can. This proposal may be something of a "Plan B" for Justice in case it fails to achieve the holy Grail. To be fair, the surreptitious installation of applications and devices would be a most unusual tactic under the proposal. The act, if it were passed, would be used chiefly to prevent any data not considered evidence from being made available to law enforcement agents. Sound paradoxical? Not at all: this is a pre-emptive strike at legal objections which might convince a judge that seizing a computer exposes too much of its owner's private data to law enforcement agents. Hence the clause, "recovery information shall be used to decrypt data and communications only as specified in the order, warrant, or other determination." These limitations are standard in US law, stretching back to the Constitution. Article IV of the Bill of Rights states in delightfully unambiguous language that, "no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." In other words, if the police serve a warrant to search your flat for a stolen piano, they've got no business mucking about in your medicine cupboard. The seizing of a computer and subsequent wholesale decrypting of its contents would amount to searching the medicine cupboard for a stolen piano, and no decent judge would authorise it. What Justice is aiming at here is not the authority to seek a warrant to seize or otherwise monitor a computer -- it already has that authority. The real aim here is to improve the odds that a judge would issue a warrant upon request, simply by limiting the amount and kinds of information to be revealed. It's an extremely clever tactic. When Congress returns from holiday in September, the DoJ will comb the Hill in search of a sponsor for this, its newest siege engine against the crypto bastion. Certainly there are members with simplistic enough law-and-order mentalities to bite the hook; but a bill such as this would be political poison to most, and the chance it would pass both houses is remote. The mainstream press have already stigmatised it as blanket authorisation for a plethora of black-bag jobs. A pity, really. If the alarmists would take a moment to think clearly, it would soon dawn on them that bureaucratic confusion, government incompetence, and jurisdictional disputes will render this amusing bit of legislation harmless, at least in comparison to the alternative. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
4chan outraged by Emma Watson nudie photo leak SCAM
In the immortal words of Shaggy, it wasn't me us ... amirite?
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.