Thursday, July 25, 2013
Breaking: The Feds Want Your E-Mail Passwords
Major internet providers are going public - they're receiving increased requests from the federal government to turn over massive numbers of private e-mail passwords.
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
While some of the major internet providers say they've successfully resisted government orders for passwords and encryption codes, a number of others simply refused to answer. And even the ones that claim they haven't could be lying simply to avoid a massive flood of people dropping their e-mail accounts and use of their search engines and web facilities.
The actual legal rationale is, as the article puts it, 'murky'. My first impulse is to say that this is a clear violation of the Fourth Amendment's provisions against unreasonable search and seizure, particularly when it comes to massive scooping up of data from people who are under no suspicion of doing anything to warrant it.
And while the surveillance is troublesome, we've had this kind of surveillance before during wartime. The difference now is that for the first time we have a president and an administration willing to use it as a weapon against their political opponents rather than just for national security purposes:
The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.
The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."
In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.
Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.
"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.
If you don't already use two step authentication, it is a good idea to enable it.