Showing posts with label PGP. Show all posts
Showing posts with label PGP. Show all posts

Thursday, October 23, 2014

Why is the Washington Post Publishing Pro-Surveillance Propaganda? Can Government Surveillance Revelations Decrease Encryption Adoption?

For the last few days I've had great fun watching James Comey and his pack of Keystone Cyber Cops failing to convince the world that they should be CC'd on everyone's calls, tweets and texts and generally exposing himself as the incompetent, braying ass that he is.

James Comey, Braying Jackass, josh wieder
Keep in mind the camera adds 10 pounds
Dan Froomkin and Natasha Vargas-Cooper over at The Intercept exposing each of the examples that Comey used to indicate the necessity for breaking cell phone encryption as fabricated - the cases were real, but none of them relied on cell phones or computers to obtain a conviction.

In one case of infanticide, the parents who were eventually found guilty had been previously convicted of child cruelty and had the deceased child previously taken from their custody for neglect. Not only did the state not need to read the parents' phones for evidence, if they had read their own files and demonstrated some inter-agency cooperation they could very likely have prevented the killing entirely.

In another case, the defendant confessed to a hit and run when cops pulled him over for a DUI and noticed his car had just been in an accident almost immediately following discovery of the victim.

Comey has been calling in a few favors for his little power play. Assistant Attorney General Leslie R. Caldwell testified before Congress on July 15th, relying on some rather dramatic and almost Zoroastrian language to convince legislators of the evils of privacy advocacy:

"All the while, technological advances, including advances designed to protect privacy, such as anonymizing software and encryption, are being used to frustrate criminal or civil investigations and, perversely, protect the wrongdoers. Our cyber crimefighters must be equipped with the tools and expertise to compete with and overcome our adversaries."

Perhaps we should forgive Caldwell as a clearly incompetent simpleton. Its more difficult to understand what was going on over at the Washington Post when they published a now completely discredited op-ed in support of the Comey Conspiracy. 

Last month the Post printed a piece penned by Ronald T. Hosko. Ronald is currently the President of the Law Enforcement Legal Defense Fund (LELDF), whose primary mission is to pay for expensive lawyers for police who kill innocent and/or unarmed people. Without groups like LELDF, police officers might one day be held accountable for their crimes - but not while Ronald's on the case! In addition to his current hobby, Ronald is the former Assistant Director of the FBI Criminal Investigative Division. He was named Assistant Director in July of 2012. Before that, he was special agent in charge of the Washington Field Office (WFO) Criminal Division. Ronald has been a life-long cop, joining the FBI 30 years ago in 1984, with his first big assignment coming with his transfer to the FBI's Chicago Division, where he investigated white-collar and financial crimes in addition to serving on the SWAT team. One paragraph of his CV sticks out:

In 2003, Mr. Hosko was promoted to assistant special agent in charge of the Philadelphia Division, where he was responsible for investigations into criminal matters. While in this role, he led the division’s surveillance and technical operations, and he served as the program supervisor for crisis management. In 2005, Mr. Hosko served as the on-scene commander of FBI personnel deployed to Afghanistan in support of Operation Enduring Freedom. Later that year, he served as deputy to the senior fellow law enforcement official following Hurricane Katrina.

In other words, Ronald developed his surveillance bona-fides during the early years of the Bush Jr administration; an administration that is responsible for sparking he current FBI trend of creating fake terrorist plots to entrap young muslim men who they cajole and bribe into cooperation. Ronald was one of the "on-scene" FBI commanders in Afghanistan who failed to locate Osama Bin Laden or his top lieutenants before being shipped back to the states in time to play a law-enforcement role in the Hurricane Katrina disaster - the only hurricane in the United States in recent memory that is well known for police murdering residents trying to escape the flood zone and escaping any legal consequences for the killings

Ronald Hosko is no stranger to controversy. Rumors of Ronald Hosko's ever-present appearances at Furry conventions are all over the Internet. Of course the rumors of Hosko's Furry compulsions play no part in this debate. The Washington Post, if for no other reason, should be applauded for disregarding rumors of Ronald T. Hosko being an incorrigible fan of Furry Love. People who can only achieve arousal by dressing up as cartoon animals, as Ronald T. Hosko is frequently alleged to, have political opinions just as valid as the rest of us. I, for one, think these rumors are completely without merit. Even if I am wrong and Ronald T. Hosko is, in fact, a Furry, any rumors about his personal life are completely inappropriate and shouldn't play a role in this or any other debate. 

In his op-ed, Ronald ran through Comey's part line: The introduction of encryption in consumer devices are allowing violent criminals to walk free. Not all of the piece is bogus. Comey admits, for example that:

"Encrypting a phone doesn’t make it any harder to tap, or 'lawfully intercept' calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself."

In spite of this admission, Ronald still makes it clear that tapping the phone isn't enough. The data, contacts, photos and email are pivotal for convictions. To illustrate his point, Ronald relies on an example: the case of a kidnap victim in Wake Forest, North Carolina. The kidnappers were tracked down through a lawful intercept of their cell phone's SMS. In the original version of his op-ed, Ronald argues that without the ability to intercept SMS messages, police may never have been able to to identify and arrest the kidnappers. This is another point that is only fair to concede to Ronald. It is quite clear that without the texts the kidnappers could have very well escaped.

That said, Ronald's conclusion is  that encryption would have prevented the police's ability to track the text messages, is completely fantastic. Even a basic understanding of mobile networks and SMS connections forces us to realize that encryption would play no role in the Wake Forest investigation. 

Let's consider how the police got the text messages and what they did with them. First and foremost we must note that police sought and obtained a search warrant for the text messages. The search warrant enabled the police to go to the cell phone companies and request the SMS messages and the location of the handset when they were sent. SMS connection data is transmitted to the cell phone company, where it is stored. Police obtained the SMS data from the cell phone company, not from the cell phone hand set. Remember: at the time the police requested the warrant, they had no idea where the hand set was. The encryption policy that Apple implemented that is the target of Comey and his buddies ire encrypts information stored on the phone hand set, not information transmitted to and from the cell phone company. SMS messages transmitted using a mobile carrier will typically be stored by that carrier for some time. While some GSM carriers encrypt their SMS traffic while it is in transit, they do so using a stream cypher (typically A5/1 or A5/2). A5 stream cyphers are instrinsically weak; Cryptanalysis work containing resource-conservative attacks are well circulated and published. Such cyphers have been in use since the adoption of GSM SMS messaging years ago, and have nothing to do with Comey's attacks on encryption standardization. FBI agents who, unlike Ronald T. Hosko, know sh*t about computers would find breaking such cyphers to be a trivial task if asked to do so as part of an ongoing investigation. 

But all that is a bit besides the point. The FBI had a warrant for SMS data in the Wake Forest case. All of the data they received was provided to them by the cell phone company, including the geographic location of the handsets, which the cell phone company stores along with unencrypted logs of the SMS messages (because cell phone executives don't care about you or your privacy and when they do they have a funny way of ending up in prison).

The kidnappers could encrypt their phone all day long, and the FBI could still have gone to the cell phone carrier and gotten the information they needed to find them. At worst, such a claim is a deliberate lie. At best, Ronald T. Hosko, former FBI Philadelphia Division's director of "surveillance and technical operations", lacks a basic understanding of how the FBI uses cell phones to apprehend suspects. 

The Washington Post didn't bother to fact check Hosko's op-ed. They went ahead and published it, a shocking concession to a government official seeking to greatly expand government surveillance powers and shooting off a bunch of half-truths to justify it. Eventually someone with technical experience read the article and pointed out the piece's complete lack of credibility. As a result, the Post rewrote some of the more incredulous claims and providing readers with this non-apology to its readers: 

* Editors note: This story incorrectly stated that Apple and Google’s new encryption rules would have hindered law enforcement’s ability to rescue the kidnap victim in Wake Forest, N.C. This is not the case. The piece has been corrected.

The editors note was placed below the fold, at the very end of the article. A more ethical correction would place the editors note above the fold, at the beginning of the article to ensure that readers are not mislead and that the large percentage of readers who do not read the entire piece understand what happened. 

So what did these "corrections" consist of? In the original story, Ronald had not just incorrectly made the case that encryption would have hindered the ability of the FBI to locate the kidnappers. Hosko breathlessly alleged that: "Had this [encryption] technology been used by the conspirators in our case, our victim would be dead". The message is clear. Apple and Google, the two companies that Hosko cites in the lead as examples of companies using this dangerous encryption, will have blood on their hands if they continue to protect their user's privacy. 

Here is the original graph compared next to the still-incorrect "corrected" graph, which online periodical Techdirt first pointed out on their coverage of this debacle: 
Last week, Apple and Android announced that their new operating systems will be encrypted by default. That means the companies won’t be able to unlock phones and iPads to reveal the photos, e-mails and recordings stored within.

It also means law enforcement officials won’t be able to look at the range of data stored on the device, even with a court-approved warrant. Had this technology been used by the conspirators in our case, our victim would be dead. The perpetrators would likely be freely plotting their next revenge attack.
 Thats the first version.
Last week, Apple and Google announced that their new operating systems will be encrypted by default. Encrypting a phone doesn’t make it any harder to tap, or “lawfully intercept” calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself.

Had this technology been in place, we wouldn’t have been able to quickly identify which phone lines to tap. That delay would have cost us our victim his life.The perpetrators would likely be freely plotting their next revenge attack.
And that is the "corrected version". Note how the writer (at this point its unclear who wrote the corrected version, Hosko or a Post employee) *still* hangs on to the disproved claim that SMS data subpoena'd from a cell phone carrier has anything to do with an encrypted filesystem on a cell phone by saying that the FBI "wouldn’t have been able to quickly identify which phone lines to tap".

Its at this point that I find it very difficult to forgive the Washington Post for their involvement in this. Not only have they allowed the FBI to manipulate their readers by betraying the public trust developed by actual journalists who have provided real reporting for the Post over the years; they have stood by their man in his hour of need, despite obvious evidence provided by a multitude of technology experts.

Corrections should correct a story, not reword lies to make them more palatable. Yet that is exactly what the Washington Post has done here.

Since the Snowden revelations, evidence of government malfeasance in their approach to surveillance supporting both foreign intelligence and domestic law enforcement has continued to mount. A significant number of Americans have made it clear that they support even the most totalitarian excesses of the intelligence-gathering community, dismissing centuries-long traditions of English-speaking rule of law with slogans like "I have nothing to hide". Authoritarianism has always been popular with a certain type.

What I have to admit is completely unexpected is evidence that I have found of individuals whose response to disclosures of government surveillance have lead them to dismiss the use of encryption as untrustworthy.

In the comments section of the Washington Post story discussed above, for example, one user added the following to the fray: 

Washington Post, Josh Wieder, encryption, user comment

Take note: ALL encryption is compromised! Those mathematicians? They're all on the payroll! There is a certain theatrical flourish that always seems to accompany the conspiracy theory. A "You May Think You're Smart But You're Not" sneer behind the 9/11 truth videos, the reptile photographs, the rest of it. We have all been fooled.

But there are reasons for concern that are not based in psychosis. A Web of Trust; one of the original components of Phil Zimmerman's PGP, can be viewed as a proto social network. Police love Facebook because it shows the people you trust and communicate with. A public key Web of Trust provides all the same data to the state just as readily. Public Webs of Trust should only be used with great care; and in a number of circumstances, should be abandoned entirely.

Another skepticism is that of the hosted provider using encryption. Apple and Google, whatever ire may be directed to them by the FBI now, are two of the founding corporate members of the NSA's PRISM program. Neither company has stopped responding to FISA court requests. If anything, encrypted storage seems like a concession - a way to change the narrative being foisted on consumer tech companies; a way to remind users that such companies are on the side of their customers and not the state; a way to do all these things without actually fighting any legal battles or compromising pre-existing relationships with agencies more politically connected than even the FBI.

The sense of compromise is pervasive, and leads to statements like this one: 

Hacker News, Josh Wieder, Ycombinator, encryption

So many companies have promised privacy to their users, and lied; encryption strikes users as just another scheme.

Added to this is the constant wave of half-explained media coverage of open source security research. How many readers, unfamiliar with internet technology, are struck by reports of  the discovery of the Poodle vulnerability as a bad thing - a failure? Encryption can easily appear to the layman as a flawed technology that depends on dishonest corporations for development and application.

Finally, we have a new wave of mobile applications and their associated startups. The vast majority of such startups are promising their users a new safety and privacy online through the use of whatever snake-oil they happen to be selling, and providing it using the same free-from-upfront-payment model that all of the most dangerous companies rely on. Satan requires no upfront payment, either. Is it any surprise that these companies engage in the same surveillance practices as the firms before them? Whisper, of course, stands out among firms that promise privacy while stealing it. It is my suspicion that Whisper's practices are nothing special.

As our knowledge of surveillance scandals continues to expand, confidence is shaken not just in the state. The public knows that the intelligence community and law enforcement has established extra-legal partnerships in the business community, using their customers as pools of data. The public knows that the intelligence community and law enforcement recruits from the same universities that develop encryption algorithms, providing cryptographers with the highest-paying jobs in the field and generously financing research and handing out grants. 

Is it possible to encourage skepticism in organizations whose approach to technology has been corrupted, while building trust that the same technology can protect us from those organizations?

There's only one thing I know for sure, no matter what anybody else may have to say about the matter. Ronald T. Hosko is not a furry.

Tuesday, October 21, 2014

Is Encryption Becoming Illegal Again?

Way back in 1993, the Internet was a very different place. SSL would not be released for another two years; it would take some time after that until it was used commonly. The Clipper Chip project had just been announced, threatening to offer an explicit, physical back door to all electronic communications devices for the US Justice Department and anyone with a basic understanding of computer science.

In 1993, Encryption was a weapon.

Washington viewed encryption's only function as a wartime tool to protect military and intelligence communications. The notion that encryption could or should be used as a foundation of protecting online commerce and banking simply did not occur to Big Brother.

Into this situation came Phil Zimmerman. Phil had designed and programmed an encryption application called Pretty Good Privacy in 1991. Before that time, cryptography tools were almost entirely the purview of those with the biggest of Smarty Pants: mathematicians, logicians, researchers, hackers. Things had started to change a little bit. The internet was taking networking technology out of the university and placing it in peoples homes. Some computer enthusiasts were becoming aware of encryption, but tended to use tools relying on outdated algorithms that were easily broken. After all, who was watching?

Phil Zimmerman, Josh Wieder, 1990, 90's
Phil Zimmerman
The Clipper Chip made the public aware that the United States was watching; they wanted to see everything, monitor everyone. As one military official would later describe this totalitarian data lust: "Let’s collect the whole haystack. Collect it all, tag it, store it. . . . And whatever it is you want, you go searching for it." Lots of people were uncomfortable with this idea. A domestic market for encryption was born. But to meet demand, the encryption used would have to not suck. It didn't necessarily have to use the absolute best, military-grade algorithms available, but it did have to be tough enough to confound government decryption efforts enough to make it unattractive for snooping. The encryption would have to be Pretty Good.

Phil's program became widely popular; it quickly dominated this new domestic encryption market. However, there were already encryption companies in the US. Unlike Phil's company, these companies sold encryption only to the US government and government contractors. Because of this business model, their interests were closely aligned with the government. They really didn't like the idea of some average Joe giving encryption that was as strong or stronger then their own to anybody who asked for it. One company that really didn't like Phil was RSA.

To fast forward for just a minute, RSA was in the news very recently. RSA is still around today. Things have changed, of course. Today encryption is widely used throughout the internet, by everyone. Just by doing a Google search you use encryption. RSA has adapted to this new world; they now sell encryption products to companies in addition to the US government. They even sell encryption to people outside of the United States (a particularly eye-rolling development, as we will understand in a minute). Despite these changes RSA has never forgotten where they came from. They still do business with the US government. And when the government asks them nicely, RSA will do things for the government that endangers all of their commercial relationships. A recent expose uncovered that RSA had received a secret payment from the US intelligence community of $10 million. In return, RSA used a flawed random number generator in the encryption software that they sell to companies. Its a clever flaw - you would have to look very closely at RSA's software, and know a lot about programming and encryption, in order to catch the flaw. None of RSA's customers caught the backdoor. It hadn't occurred to anyone to look. People trusted RSA. Using the flaw, the US intelligence community, and RSA, could decrypt things that had been encrypted with the product. RSA and the US government are very close.

Let's go back in time again and pick up where we left off. We are back in 1995. RSA knows about Phil Zimmerman and his PGP program, and they don't like Phil. In its early versions, PGP used an RSA has algorithm to protect session keys and create digital signatures. RSA was horrified that their technology would help lead to the distribution of military grade encryption "for the masses" (Phil liked to use that phrase in his press releases and marketing). RSA quickly claimed that Zimmerman was breaking RSA licensing rules.

But a licensing dispute wasn't enough to make PGP go away. And it wasn't just RSA that didn't like Phil - the US government was increasingly distressed by Phil's popularity. The entire executive branch was plugging the Clipper Chip, explaining diligently how police investigators were at a disadvantage. Technology had rapidly outpaced the law - there were processes in place to deal with phone wiretaps, rules forcing phone companies to help, case law. But what if crooks were using email? What if they used PGP? Terrorists could be using PGP to hide their plots. They could be selling PGP technology to Saddam Hussein or the Ayatollah. And don't even get them started about the pornography. Phil was interfering with this full court press lobbying effort by telling people that the government's proposed rules would let them read everybody's messages and that they could protect their privacy using cheap and simple encryption tools.

RSA increasingly began to panic. Would the White House blame RSA if Phil killed the Clipper Chip? Losing a few contracts to a competitor was one thing - Phil was threatening the whole business model, and he was using RSA to do it.

He had to be stopped.

Remember at the beginning of this article, how I said that in 1993, encryption was a weapon? Like the war on drugs and the war on terrorism, this metaphor was treated literally in legislation. Washington claimed that encryption technology was protected under the United States Arms Export Control Act. Encryption had long been at the center of armed conflict - the cracking of the German Enigma Code by Alan Turing during World War II is widely believed to have been pivotal to winning the war - as if not more important than any specific gun. Throughout the Cold War, Warsaw Pact and NATO intelligence services assigned some of their brightest minds to code breaking to get a glimpse into the other empire's government. Now, in the 90's, there was the middle east to think about. Saddam Hussein could have been using encryption to hide his attempts at building weapons of mass destruction; Russians could be using encryption to sell off military assets to third world countries. In the post-Soviet world, the US was the last super-power left standing, and to find its next enemy it neaded to be able to sniff through the mails.

To get rid of Zimmerman, RSA and the government would have to portray him not as a privacy advocate for US citizens, but as a shadowy double-agent, looking to take valuable American military secrets and sell them to the highest, Foreign bidder.

RSA had been watching Phil closely, and they believed they had evidence that the Department of Justice could use to indict him. The PGP website allowed visitors to download their PGP software from anywhere. There were warnings and promises on the page making downloaders understand they would be breaking the law by downloading PGP from outside of the United States, but that was it. An Iraqi spy only had to click a box to get the 128-bit goods? This was too dangerous to continue. Zimmerman was a terrorist. 

RSA took their findings to the Department of Justice (DOJ), who promptly began an investigation, looking to indict Phil under the Arms Export Control Act (AECA).

To outsiders, it looked like a fairly open-and-shut case. Privacy advocates, security experts and constitutional lawyers might have viewed the investigation as the opening aria to a miscarriage of justice, but it appeared unstoppable.

People outside of the US had in fact downloaded PGP. At the time, the AECA mandated that encryption had to be limited to the use of flimsy 40 bit keys in order to allow international transfer. PGP's weakest keys were 128 bits. At times, Zimmerman appeared to thumb his nose at prosecutors. He wrote a book about PGP, and his publisher distributed the book internationally. The book contained the entire source code to PGP. By tearing off the covers, typing the text on the pages int on a computer and compiling the resulting file, anyone with the book could have a working copy of PGP. The book sold for $60: a lot to ask for a book, but a bargain for cutting-edge encryption software.

The press loved Phil. Zimmerman and PGP was featured prominently in publications ranging from technical journals, to consumer electronic porn like Wired, to the Washington Post. The investigation of Zimmerman continued for years. Washington clearly hated the idea of taking on Phil with his profile this high. No one was buying the Phil-as-spy narrative. The public saw Phil as an idealistic computer nerd; a story they had become used to during the Dot Com boom. People like Phil were enabling the public to do amazing things and enriching the economy to heights unheard of for generations. The nation had a budget surplus for the first time that anyone could remember. It became increasingly clear: imprisoning Phil would risk transforming him from idealistic nerd to a human rights martyr. Clearly, Washington didn't want to play de Klerk to Phil's Mandela. And that was the best-case scenario. What if they lost their case? The investigation had dragged on for three years. It was now 1996: an election year. Phil had bipartisan support. Liberals wanted to use encryption to protect dissidents in third world countries. Conservatives wanted the government to stop trying to bankrupt profitable tech companies with decades'-old regulation. After a three year investigation, DOJ walked away from Zimmerman without filing any charges.

That didn't stop Washington from going after others working with encryption that were not media darlings. In 1995 Daniel J. Berstein was criminally charged for publishing an academic paper related to his encryption program Snuffle while studying at Berkeley. The next year charges were brought against Peter Junger, a professor at Case Western Reserve University, for his university course on computer law, which included class materials on encryption regulation. Five years before the Patriot Act, mere discussion of the law had become a crime.

Junger was initially found guilty in Northern District of Ohio (Junger v. Daley, 8 F. Supp. 2d 708). The case's Judge Gwin ruled that software is not expression because software is "inherently functional" and a "device". Fortunately, Junger successfully sought relief from Appellate Court in the Sixth Circuit, who agreed with Junger that his class was speech protected by the First Amendment, and not a weapon (Junger v. Daley, 209 F.3d 481). This case is vitally important to the recent developments we will discuss shortly, because the regulations that were used against Junger was not part of the Arms Export Control Act that was the basis for the complaint against Zimmerman. With Junger, the complaint was filed by the Department of Commerce. Junger's accusers said that he had to apply for permission from the Department of Commerce in order to discuss the law with his students over the Internet. An "International Traffic in Arms Regulations" (ITAR) license was required, as part of the Department of Commerce's "Export Administration Regulations" (EAR). As Peter Junger and his attorneys explained the rules in a 1997 press release: "Under the EAR [...] one is permitted to export such software in books and other ``hard copy'', but is still required to obtain a license before publishing the same software on the Internet or the World Wide Web or in other electronic form." Write a book about the law, and it is protected speech. Take that book and post it on a website, and the book becomes a weapon.

This brings us to today. Over the last 17 years (1997-2014), encryption has changed from weapon of mass destruction to a fundamental internet protocol. Netscape's SSL RFC was updated to version 3, then deprecated by TLS. Hash functions are now a basic component of operating systems distributed to every individual with a computer. Encrypted storage is a cross-industry recommended best practice when dealing with customer information as simple as a name, phone number and address.

Today, the controversy is when a company does not use encryption. Even more surprisingly, government regulations for a variety of industries, such as HIPAA and Sarbanes/Oxley, now compels companies to use encryption as part of their operations. Every reputable E-Commerce transaction uses encryption. Without encryption, its doubtful there would even be such a thing as "E-Commerce".

These regulations apply to large multi-national corporations doing business in the United States. For example, it is taken for granted that a large bank will have foreign customers. And yet, the government requires that large bank to protect all of their customers using encryption.

Such customers must have a basic understanding of encryption technology in order to rely on encrypted services; alternatively, they must purchase products from people with such an understanding to assist them with these tasks. So for example, lets consider a Canadian citizen who works in upstate New York. She commutes while living right across the border in Canada. In order to get paid, this Canadian citizen has an American bank account. When she is at home, she checks her bank account balance using the bank's website.

Our Canadian friend is not very technical, but like most folks today she is familiar with life online. She has a social media page, uses search engines and email. When she checks her bank account online, she barely notices the little green lock icon appear in the top left hand corner of her browser, which she downloaded from the website of an American company based in Silicon Valley.

If we consider this for a moment, what has happened here is that two American companies has exported encryption technology to our Candian friend. Her bank and her browser. If she used a search engine to remember the URL of her bank, and if like most search engines that search engine uses a TLS connection by default, a third company enters the conspiracy. Each of these companies exported to a foreigner encryption software that is exponentially more powerful than the PGP of 1993 - todays keys are usually between 1024 and 4096 bits. When Zimmerman was investigated the limit was 40 bits, and PGP's default was 128 bits - 512 bits was the really strong stuff. Today, 1024 bits is considered weak.

The regulations have changed to accommodate the new reality. The Department of Commerce (DoC) now maintains a black list - a list of individuals, corporations, governments and entities that no technology company can provide encryption tools to without facing consequences. DoC refers to its ominous blacklist as the "BIS List" - BIS being the department within DoC that handles the list, the Bureau of Industry and Security.

Within the BIS List are a number of more specific lists. There is the Entity List, the Denied Persons List and the Unverified List. And thats just the DoC. Different Federal Bureaucracies like the Department of State and the Department of Treasury have their own separate black lists with which American firms may not provide encryption tools. Helpfully, Washington posts this "Consolidated Screening List" on a website where you can download the whole business in a CSV. I have my own copies of these documents for anyone who would like to review them.

It is unclear what lands someone on one these lists. DoC states the following on their website:

"[...]the Entity List in February 1997 as part of its efforts to inform the public of entities who have engaged in activities that could result in an increased risk of the diversion of exported, reexported and transferred (in-country) items to weapons of mass destruction (WMD) programs. Since its initial publication, grounds for inclusion on the Entity List have expanded to activities sanctioned by the State Department and activities contrary to U.S. national security and/or foreign policy interests."

So originally this was explained as a WMD anti-proliferation measure. The BIS List kept companies from selling aluminum tubes and suspiciously-colored cakes; sounds quite prim and proper, frankly. And yet, in the very next sentence DoC dismisses the WMD mandate - expanding its mandate to hassle anyone involved in "activities contrary to U.S. national security and/or foreign policy interests." Does this mean Pizza Hut needs to apply for a license to deliver to Michael Moore's house?

Its been unclear what these rule means to firms dealing in encryption, because these rules have remained firmly outside of the public eye, until this month (October, 2014). This month the Department of Commerce's Bureau of Industry and Security sent out a Press Release. In the release, DoC bragged of how they shook down Intel for $750K. Intel has been a pillar of US IT infrastructure and development for decades; the Federal Government does billions of dollars in business with both Intel and Intel's partners. The specific allegations were stranger than the target of the shake-down. DoC claimed that between 2008 and 2011 Intel had provided encryption tools to "governments and various end users" in China, Hong Kong, Russia, Israel, South Africa, and South Korea. Its a bizaare list of countries with which to form a basis of export allegations. China, though consistently unpopular politically, is on the short list of top US trade partners. Russia, while spending less than China in US markets, perhaps, is still an official US ally and trade partner. Israel and South Korea are two the closest allies of the US in their respective regions. Hong Kong, while the odd man out in a few ways, is certainly not an enemy of the US and US firms spend huge amounts in Hong Kong markets. There is no official embargo for any of these countries. The United States government sold nuclear weapons to China during the Clinton administration, around the same time that they were crucifying mathematics professors and students for violating weapons export laws. The US has been trying for ages their own nuclear weapons in South Korea. The National Security Agency has given Israel raw, uncensored data from its massive domestic spying program. Washington huffs and puffs at Russia over its cruel adventures in Ukraine, and snipes behind the back of the Chinese for human rights abuses. Never in my lifetime has armed conflict between these nations and the US ever been even a remote possibility.

It remains unclear why the government pursued Intel for behavior that is practiced so widely by so many US firms, but the similarities between the DoC's approach this month has obvious parallels to its behavior in the 90's during its initial campaign to limit the distribution of encryption technology. Following the Snowden leaks, the reality of pervasive domestic spying has changed from tin-foil-hat conspiracy theory to an unassailable fact. Like with the Clipper chip, demand for privacy is increasing. There are calls to push back against domestic surveillance, using legislation and through more direct action using more advanced and easy to use encryption. The latter scenario - a world where domestic surveillance is rendered useless through the widespread use of encryption - is much more terrifying to Washington than Phil Zimmerman ever was. FBI Director and confirmed bachelor James Comey has gone on a bit of a press junket, claiming that companies as servile in their relationship with Washington as Apple and Google have "gone too far" by setting basic encryption measures as default for even their least savvy of users. Federal law enforcement is once again pushing a Clipper Chip to monitor digital communication before they are encrypted in transit. This time, the regulation is being pushed under a framework called CALEA - a requirement that internet service providers install so-called "lawful intercept" capabilities that allow cops to snoop on their customers. Encryption must be bypassed in order to meet CALEA's lawful intercept requirement, argues Comey and his White House allies.

The situation remains in flux; it remains unclear how far the US government is willing to go in its desire to "collect it all". The domestic spying infrastructure they have constructed up to this point is indeed massive - much larger than any measures the Stasi or KGP had ever dreamed of - yet was constructed in absolute secret. Though network industry insiders were aware of what was happening as early as Total Information Awareness (TIA) and AT&T's secret room 641A, those outside of the industry dismissed claims of domestic spying as paranoid conspiracy theories. What did AT&T core network engineers like Mark Klein know about communications, anyway? The public has seen Law & Order - the system works when the Good Guys (Police) whack the Bad Guy Who Obviously Did It (Detainee) with a phone book and he confesses. If anything, the system is broken because too many Bad Guys Who Obviously Did It "get off" because of "activist judges" and their "technicalities". The system isn't broken because of a top-secret surveillance industry of some 2 million people monitors every electronic communication on the planet, using their snooping as justification to torture people for being born in the wrong country or to assassinate an American child for having the wrong father or as a reason to bomb a wedding (or eight weddings) or maybe just to shoot a couple of pregnant women and then cut the bullets out of their bodies with a knife while their family watched so that we could tell reporters that the Taliban did it.

Secrecy and disinformation allowed the construction of a global infrastructure to support pervasive surveillance, torture and assassination. Much will depend on Washington's desire and ability to continue building that system in the light of day.

UPDATE: Comey isn't the only top executive branch official calling for the expansion of lawful intercept interpretation. White House cybersecurity czar Michael Daniel, an official whose asinine and self-contradictory job title calls for a sacking, told the Christian Science Monitor that he also wants to peek a little further into your laptop, tablet and cell phone: "We don't want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances." By 'appropriate circumstances', presumably Daniel means when information exists on a computer.

NSA Leak Bust Points to State Surveillance Deal with Printing Firms

Earlier this week a young government contractor named Reality Winner was accused by police of leaking an internal NSA document to news outle...