Mozilla Security

Decrypting The Internet

Bruce Schneier on the new wiretapping proposal:

Any surveillance system invites both criminal appropriation and government abuse. Function creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different.

Official misuses are bad enough, but the unofficial uses are far more worrisome. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and the people you don’t. Any surveillance and control system must itself be secured, and we’re not very good at that. Why does anyone think that only authorized law enforcement will mine collected internet data or eavesdrop on Skype and IM conversations?

I 100% agree here. A security vulnerability, intentional or not is a vulnerability. Even systems with no known security holes are eventually broken. Look at the recent reverse engineering of HDCP, which was theorized as vulnerable in 2001 but not broken for several years, a pretty good run. Eventually all security mechanisms will be broken. Starting with something broken just increases the window of opportunity for abuse and misuse.

In theory this proposal could (I’m no lawyer, I don’t even play one on TV) even impact things like Firefox Sync (Formerly Weave) which employs the best security mechanism I’ve seen in a service. To summarize, it works by encrypting your data before transmission to the server. However the key is never sent. That means even if the Gestapo took the servers with your data, they would still need to get the key from you, or do battle with the encryption which isn’t easy. Even Mozilla can’t read your data, unless a flaw were found in the encryption algorithm. The question is if sync were considered to fall under “services that enable communications”. That seems broad enough to leave room to argue that sync facilitates communication since the browser is the ultimate communication client. The browser is also valuable since it potentially has passwords, bookmarks, and history giving a good motivator to make that argument. Argue that to a 75-year-old judge who never used a computer and it might work.

Meanwhile just weeks ago UAE ironically gets criticized by the US for proposing a Blackberry ban for the same reasons.

2 replies on “Decrypting The Internet”

Do they actually know anything about technology and human beings? How on earth do they think this is going to achieve what they want?

It would be one thing if this proposal were effective and dangerous. But this is mainly just stupid — and dangerous (in its potential for corruption) and harmful (a big waste of everyone’s resources and, quite frankly, patience and good will).

@voracity: This is a growing problem in general as society becomes more advanced. Politicians often make decisions on things they don’t even understand. Ted Stevens talking about being “sent an internet” was a recent famous example, but it goes way beyond him. Think every politician studied military strategy before voting about the war efforts? How about nuclear physics before deciding on energy policy or safety of nuclear power plants? Sometimes it becomes obvious when they say something that sounds silly (like Ted Stevens), but I bet half the room didn’t know more than him, they just kept their mouths shut and he took the heat.

Leave a Reply

Your email address will not be published. Required fields are marked *