Monday, August 06, 2007

What The FISA Vote Really Means...

Most people think the kind of wiretapping the Democrats allowed FISA to be amended to permit without requiring a warrant is international telephone calls with a foreign participant. Most people are wrong.

What's really going on is the eavesdropping on electronic group communications, like email and web forums, where U.S. citizenship is not required for membership, i.e. pretty much all of them. For example, the comment threads here at MojoWire are subject to unwarranted search. If you posted a comment in our threads, then the U.S. government has been empowered to seize the information necessary to identify you, despite any attempts you may have made to keep your identity from being disclosed to your family, friends, employers, etcetera. It doesn't matter that you're a U.S. citizen. It doesn't matter that the editors at MojoWire are all U.S. citizens, and that the blog and the comments forums are all hosted in data centers in the U.S. All your base belong to them.

Why is that? Because at least one of the people who comments semi-regularly at MojoWire does so from an IPv4 address assigned by RIPE, the European Internet registry. We have strong reason to believe he or she might be located outside the United States. Even if that person were to stop posting, it wouldn't matter. Other bloggers use Blogger from outside the U.S. Foreigners use Haloscan to comment on other blog posts. All it takes is one foreign user and the whole system is available for unwarranted search. Legally, thanks to the Democrats in Congress.

Everything Blogger or Haloscan or anyone else has on file about who any of us might be is subject to secret, unwarranted eavesdropping without even the fig leaf of FISA oversight. And that's just an example. It shouldn't be too hard to see how just about everything you say and do on the Internet is subject to unwarranted eavesdropping, and you have no legal protection from abuse or even any recourse to prevent it from happening. Haloscan and Blogger (or Google, or Microsoft or Apple) can be charged with espionage if they disclose to us or you that they've complied with demands for your private information. The private companies that collect and handle the information produced under the so-called Terrorist Surveillance Program are not policed in any meaningful way, and they can share their databases secretly or even publicly rent out derivatives with complete impunity.

Put simply, unless you're already using strong cryptography for all your communications, your personal messages are not secure against network attacks on their confidentiality, integrity or authenticity. Furthermore, if you are using strong cryptography, then you'd better already have a plausible reason, or you'll match the profile of a terrorist. Maybe you don't mind having no personal privacy in the face of government nosiness. Maybe you don't mind that government eavesdropping operations have been outsourced to corporations run for profit by criminals and thugs. Maybe it doesn't bother you that nobody is empowered to keep the secret police from abusing their surveillance power, and that the people most likely to have their privacy invaded and to be subject to extortion and blackmail are your elected representatives, your union leaders, the political activists who work to expose wrongdoing and corruption, the list goes on and on.

Maybe the abstract concept of personal privacy is frightening and alien to you. If so, then you should be happy. Otherwise... you ought to be pissed off.

Ten years ago, when Internet communications professionals like me were telling you that not using crypto would put you at risk of not having any expectation of electronic privacy in the future, the situation we were warning you about is the one you are now experiencing. Nothing you send on the Internet is private anymore, and if you insist on encrypting it to protect your privacy anyway, then you must be a terrorist. We've been telling you this would happen. It's happened.

Would you like to know what we're warning you about now, so as to avoid a situation in another ten years that you might not like? Maybe you would.

That's too bad.

I'm not posting it in the clear. If you want to know, then ask me verbally the next time you see me someplace where there aren't likely to be any listening devices.

Maybe you'll figure it out on your own.
