Tools of the Sovereign Individual

From Jon Matonis:

Book Review: The Sovereign Individual

The International Society for Individual Liberty published James Elwood’s book review of the amazing and prescient The Sovereign Individual: Mastering the Transition to the Information Age.

Here is a brief excerpt from the full review:

It is the computer revolution that provides the promise of a real-world Galt’s Gulch. Still in its infancy, the cybereconomy will allow the successful practitioners of computer technology to escape the regular economy and the predations of governments. Widely available strong encryption tools like Pretty Good Privacy (PGP) are already allowing ordinary users to make it impossible for government to monitor their communications or decipher the contents of their hard drives or storage disks.

The Information Revolution will also bring us the death of politics as we know it. Participants in the cyber-economy will operate in the anarchic environment of the Internet, choosing who they will deal with, how and when. The authors think that the morality of the marketplace will dominate the Internet, and that private clubs with their own security procedures will arise to prevent theft by cybercriminals. Politicians will become increasingly irrelevant, as people bypass them and form new voluntary local institutions and virtual communities on the Internet.

The death blow to the nation-state will be digital cash, which has just become available. E-cash or even e-metal, using encrypted verifiable signals will allow individuals to make their transactions in secret on the Internet, and will destroy the ability of governments to exact wealth through the hidden tax of monetary inflation. Using financial institutions domiciled in tax havens, and using anonymous remailers, cybernauts will be able to largely avoid taxes and inflation, and thus amass wealth at a vastly accelerated rate.

Governments will starve. Their ability to exact large sums from the rich for transfer payments will disappear. If they are to survive, they will be forced to radically downsize, and treat their citizens like customers instead of livestock. And since their ability to police large territories will also decline due to weapons technology, there will be enormous pressures to break up nations into much smaller jurisdictions. The provision of protection will become a business service, and much more personalized, especially for the rich cyber-entrepreuners.

For further reading:
“The Sovereign Individual Book Review”, Peter Macfarlane, October 31, 2008
“Will Computer Technology Liberate Individuals from the Nation-State?”, Greg Kaza, The Freeman, February 1, 1998

Thomas Jefferson Used Encryption

From lfb.org:

The encryption of computer data is one of the most powerful tools individuals have to protect themselves against an intrusive state.

Encryption is the process of converting data into encoded text produced by an algorithm. To convert the encoded text back to its original form requires either a ‘key’ or tremendous effort. A key is a sequence of numbers that senders typically offer to those they wish to decrypt the protected data. All others must use the ‘tremendous effort’ option.

The state wants to be a universal key holder. Otherwise, people could transmit everything from love letters to financial data in a secure and private manner that escapes surveillance. The state argues that encryption offers new and unique protection for terrorists, tax evaders, drug dealers, pedophiles and other miscreants. And, so, new and unique measures must be taken to pull back the dangerous veil of cyber privacy.

Nonsense. Encryption is almost as old as communication itself. The root word “cryptography” comes from two ancient Greek words: “crypto” or “hidden”; and, “graphia” or “writing.” Encryption’s main purpose is to shield information from those who would use it in an unwanted manner.

Knowledge has always been power and those who seek power have always commanded or censored access to knowledge, depending on which action gave them advantage.

In America, the tug of war between privacy and forced access to encrypted data is as old as the nation’s formation. As always, forced access was executed by authorities against individuals.

In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing inspections caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it also led James Madison, Thomas Jefferson and James Monroe to correspond in code. That is, they encrypted their letters to preserve the privacy of their political discussions.

The need for Founding Fathers to encrypt their correspondence is high irony. The intrusive post office against which they rebelled had been established specifically to provide a free flow of political opinion. In the 1770′s, Sam Adams urged the 13 colonies to create an independent postal system because the existing post office, established by the British, acted as a barrier to the spread of rebellious sentiment. Dorothy Ganfield Fowler in her book Unmailable: Congress and the Post Office observed, “He [Adams] claimed the colonial post office was made use of for the purpose of stopping the ‘Channels of publick Intelligence and so in Effect of aiding the measures of Tyranny.’”

Alas, the more government changes, the more oppression remains the same. Soon the Continental Congress itself wanted to declare some types of matter ‘unmailable’ because their content were deemed dangerous. Anti-Federalist letters and periodicals became one of the first types of information to become de facto unmailable. (Anti-federalists resisted centralized government and rejected a Constitution without a Bill of Rights.) During the ratification debates on the Constitution, the Anti-Federalists were unable to circulate their material through the Federalist-controlled post office.

Throughout history, encryption and the control of information has been particularly important during times of war. Prior to and during the Civil War, for example, both the North and South banned just about everything deemed to be ‘seditious.’ Private communication in America has never recovered. Recent history is rife with purely political postal measures such as the “Cunningham Amendment” (1962) which restricted the circulation of communist literature that originated in a foreign country.

The American government has always realized the political importance of controlling the flow of information. In the 1770s, communication occurred primarily through postal routes maintained by horseback riders. Today, we communicate through packets of data beamed across phone lines; the internet is the modern equivalent of the Pony Express. The difference in the transmission mode is irrelevant to the political principles involved. The key questions are, “who owns your personal information?” and “who has the right to access it?”

On May 6, 1999, the Ninth Circuit Court of Appeals offered answers. The court ruled that federal restrictions on encryption violate the First Amendment: specifically, they constitute prior restraint and may limit the freedom of the press (Daniel J. Bernstein v. US Department of Justice).

In the decision, Judge Betty Fletcher stated, “The availability and use of secure encryption may…reclaim some portion of the privacy we have lost. Government efforts to control encryption thus may well implicate not only the First Amendment rights…but also the constitutional rights of each of us as potential recipients of encryption’s bounty.”

Since then, the government has sidestepped the ruling, sometimes quietly, sometimes under the aegis of other laws. For example, the Clinton Administration required a one-time technical review of encryption software as a precondition to its export.

Such maneuvers are not a new response to a new threat. They are the same tactics of which George Washington complained, the same ones that drove Thomas Jefferson to use code.

5 Essential Privacy Tools For The Next Crypto War

From Forbes:

by Jon Matonis

The first crypto war revolved around the hardware-based Clipper Chip and coercing companies to deploy broken encryption with backdoors to enable domestic State spying. Fortunately, the good guys won.

The next crypto war is still a war of the government against its own citizens but this time enlisting the corporations, including social networks, as direct agents of the State. What some have dubbed Crypto Wars 2.0 manifests itself in the current litany of legislative acronyms designed to confuse and befuddle.

Sometimes I think legislative bills are named with a Twitter hashtag in mind. Although it doesn’t always work out favorably for the  name deciders, hashtags do generally assist in the coalescing of Internet organizers around the world. Since passage of the Cyber Intelligence Sharing and Protection Act by the U.S. House of Representatives in April, #CISPA has been everywhere. Thankfully, twin legislative initiatives SOPA and PIPA were dropped in January. Also, let’s not forget the gradual expansion of CALEA and the Lieberman-Collins Cyber Security Act and the NSA-centric McCain Cybersecurity Act.

Even the seemingly unpatriotic USA PATRIOT Act of 2001 is a garbled backronym that would make George Orwell proud: Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act.

The Electronic Frontier Foundation recently posted an FAQ arguing that CISPA would allow companies to review and then to hand over customers’ personal information, logs, and email to the government. That is a fairly broad and comprehensive mandate.

What has gone largely unnoticed in this torrent of analysis, however, is that privacy tools for individuals already exist and they have so for many years! Quietly anticipating encroachment against basic Internet liberties, concerned cyber privacy advocates has been coding and releasing the tools that allow for private electronic communication and private web surfing. Proposed legislation like CISPA may or may not pass and become law, but if it does we have to understand the new landscape. Your privacy is up to you!

1. Email Privacy – Naked email is like a postcard for anyone to read. Pretty Good Privacy (PGP), an open source software program created by Phil Zimmermann in 1991, is the global standard for point-to-point encrypted and authenticated email. Hushmail is an OpenPGP-compatible web-based email platform that does not have access to your user password for decryption. Both products, when used correctly, offer subpoena-proof email communication.

2. File Privacy – Your files might be stored in the encrypted cloud but that doesn’t mean that they’re 100% safe for your eyes only. Free and open-source TrueCrypt allows you to encrypt folders or entire drives locally prior to syncing with Dropbox. BoxCryptor also facilitates local file encryption prior to cloud uploading and it comes with added compatibility for Android and iOS.

There is an alternative to the dual-application process described above. Although most cloud-based storage services transfer over an encrypted session and store data in an encrypted form, the files are still accessible to the service provider which makes the data vulnerable to court-ordered subpoena. In order to rectify this, two different zero-knowledge data storage companies provide secure online data backup and syncing – SpiderOak and Wuala. For obvious reasons, there is no password recovery and employees have zero access to your data.

3. Voice Privacy – Wiretapping will become more prevalent in the days and months ahead. From the creator of PGP, Zfone is a new secure VoIP phone software product utilizing a protocol called ZRTP which lets you make encrypted phone calls over the Internet. The project’s trademark is “whisper in someone’s ear from a thousand miles away.” You can listen to Zimmermann present Zfone at DEFCON 15.

Also utilizing ZRTP, open-source Jitsi provides secure video calls, conferencing, chat, and desktop sharing. Because of security issues and lawful interception, Tor Project’s Jacob Appelbaum recommends using Jitsi instead of Skype.

Designed specifically for mobile devices and utilizing ZRTP, open-source RedPhone from Whisper Systems is an application that enables encrypted voice communication between RedPhone users on Android.

4. Chat Privacy – Encrypting your chat or instant messaging sessions is just as important as encrypting your email. Cryptocat establishes a secure, encrypted chat session that is not subject to commercial or government surveillance. Similar to Cryptocat, the older and more durable Off-the-record Messaging (OTR) cryptographic protocol generates new key pairs for every chat implementing a form of perfect forward secrecy and deniable encryption. It is available via Pidgin plugin.

5. Traffic Privacy – The final step in the process is geo-privacy, which refers to the protection of ‘information privacy’ with regard to geographic information. Virtual Private Networks, or VPNs, have been used consistently for anonymous web browsing and IP address masking. Just make sure that your VPN provider does not log IP addresses and that they accept a form of payment that does not link you to the transaction.

Additionally, the Tor Project provides free software and an open network for privacy-oriented Internet usage. Intended to protect users’ personal freedom, privacy, and ability to conduct confidential business, Tor (The onion router) is a system that improves online anonymity by routing Internet traffic through a worldwide volunteer network of layering and encrypting servers which impedes network surveillance or traffic analysis.

I encourage everyone to become familiar with these basic tools for privacy. The important disclaimer is that in order to circumvent these privacy technologies, your password can be obtained in a variety of ways that are extremely intrusive and beyond the realm of casual day-to-day usage, such as hardware-based keyloggers or ceiling-mounted cameras. Furthermore, browser-based cryptography carries the added risk of spoofed applets being delivered to your desktop by court order or by malicious actors but this risk can be mitigated by maintaining trusted source code locally. The mission statement from Tor Project director Jacob Appelbaum still stands, “Make the metadata worthless essentially for people that are surveilling you.”

Follow author on Twitter.

First Surveillance Proof ISP Taking Shape

Source: http://govtslaves.info

By Ryan Gallagher

As government agencies in the United States, the United KingdomCanada, and Australia push for increased surveillance powers, one pioneering American is pushing back.

New York-based entrepreneur Nicholas Merrill is making progress on a project he revealed in April: an encryption-based telecommunications provider designed to be “untappable.” After crowd-funding almost $70,000 in donations, Merrill says that he has held talks with a host of interested venture capitalists and a few “really big companies” apparently interested in partnering up or helping with financial support. Now the “surveillance-proof” software is in development, and he is on track to begin operating a limited service by the end of the year.

Merrill’s ultimate aim is to create a telecommunications infrastructure that inhibits mass surveillance. First, he is building an Internet provider that will use end-to-end encryption for Web browsing and email. Then he plans to roll out a mobile phone service that will enable users to encrypt calls, making them difficult to intercept.

The key to decrypt the communications would be held by each individual customer, not Merrill’s company. Because the telecom firm would be unable to access the communications, law enforcement agencies that want to read or listen to communications would be forced to serve warrants or court orders on individuals directly. “This would make it impossible to do blanket, dragnet surveillance of all the customers of a telecommunications carrier,” Merrill says.First Surveillance Proof ISP Taking Shape

The idea for the project is not to help bad guys evade detection, though undoubtedly that’s how some critics will see it. Rather, Merrill is particularly keen to develop the technology to help journalists and human rights organizations—groups, he says, “whose right to confidentiality is more or less accepted under the law.”

Merrill has a strong record of defending user privacy. In 2004, he became the first ISP executive to successfully challenge a secret FBI “national security letter” demanding he hand over customer information. His willingness to question the constitutionality of the secret letter at the time put him at odds with most major telecoms providers, which have a poor track record when it comes to protecting customer privacy. In 2005 and 2006, a number of companies were revealed to have handed over troves of customer data and opened up wiretaps to the National Security Agency, sometimes without a warrant.

Today, Merrill admits prospective funders of his latest project have expressed concerns that it could lead to a confrontation with powerful actors (“It’s challenging to go up against some of the forces that are trying to open up all communications to wiretapping,” he says). But he is trying to address this by showing that government and law enforcement agencies could themselves benefit from his technology. Cybersecurity and privacy are part of the same problem but framed differently, he believes. Both could be addressed at once by ubiquitous encryption of communications and data transfer—protecting user privacy while also helping prevent malicious hackers from stealing information.

 

Some establishment figures have already been won over by Merrill’s argument. The advisory board of his nonprofit research institute, Calyx, which is developing the technology, includes a former NSA technical director and a former federal prosecutor who is also ex-CIA. Whether he can get the backing of current members of the U.S. law enforcement community, though, is another matter altogether. Merrill’s technology could be seen as creating extra barriers for law enforcement and the authorities would likely oppose it for that reason. Existing U.S. wiretapping law, called CALEA, states that telecom providers “shall not be responsible for decrypting” communications if they don’t possess “the information necessary to decrypt.” But that may change under reforms proposed by the FBI, which is actively seeking more surveillance powers.

As governments increasingly move toward expanding their power to conduct electronic surveillance, it is inevitable that innovative technologists, software developers, and cryptographers will work to help people protect the privacy of their personal communications. Earlier this week the NSA’s chief tried to quell concerns over allegationsthat it is building a huge domestic surveillance center in Utah, dismissing whistle-blowers’ claims as “baloney.” Given the NSA’s recent history, however, it is likely many Americans will remain skeptical about the spy agency’s reassurances—and some will turn to encryption.

Merrill aims to launch his telecommunications firm first in the United States before tackling the international market, where there are also mounting concerns about government surveillance schemes. “We’re not trying to force people to use our service,” Merrill says. “What we’re trying to do is re-envision how the telecommunications industry could work if privacy and encryption technology was built in from the beginning.”

In the UK, You Will Go Jail Not Just For Encryption, But For Astronomical Noise, Too

From Falkvinge,

There was some surprise in the comments of yesterday’s post over the fact that the United Kingdom has effectively outlawed encryption: the UK will send its citizens to jail for up to five years if they cannot produce the key to an encrypted data set.

First of all, references – the law is here. You will be sent to jail for refusing to give up encryption keys, regardless of whether you have them or not. Five years of jail if it’s a terrorism investigation (or child porn, apparently), two years otherwise. It’s fascinating – there are four excuses that keep coming back for every single dismantling of democracy. It’s terrorism, child porn, file sharing, and organized crime. You cannot fight these by dismantling civil liberties – they’re just used as convenient excuses.

We knew that this was the next step in the cat-and-mouse game over privacy, right? It starts with the government believing they have a right to interfere into any one of your seven privacies if they want to and find it practical. The next step, of course, is that the citizens protect themselves from snooping – at which point some bureaucrat will confuse the government’s ability to snoop on citizen’s lives for a right to snoop on citizen’s lives at any time, and create harsh punishments for any citizens who try to keep a shred of their privacy. This is not a remotely dystopic scenario; as we see, it has already happened in the UK.

But it’s worse than that. Much worse. You’re not going to be sent to jail for refusal to give up encryption keys. You’re going to be sent to jail for an inability to unlock something that the police think is encrypted. Yes, this is where the hairs rise on our arms: if you have a recorded file with radio noise from the local telescope that you use for generation of random numbers, and the police asks you to produce the decryption key to show them the three documents inside the encrypted container that your radio noise looks like, you will be sent to jail for up to five years for your inability to produce the imagined documents.

falkvinge@fraka:/home$ ls -la
drwxr-xr-x  5 root root        4096 2011-12-06 01:21 .
drwxr-xr-x 22 root root        4096 2012-04-23 12:22 ..
-rw----r--  1 root root 34359738368 2012-07-12 10:51 narrowbandnoise-32.raw

A 32-gigabyte noise file, or encrypted data? Can only be the latter.

But wait – it gets worse still.

The next step in the cat-and-mouse game over privacy is to use steganographic methods to hide the fact that something is encrypted at all. You can easily hide long messages in high-resolution photos today, just to take one example: they will not appear to contain an encrypted message in the first place, but will just look like a regular photo until decoded and decrypted with the proper key. But of course, the government and police are aware of steganographic methods, and know that pretty much any innocent-looking dataset can be used as a container for encrypted data.

So imagine your reaction when the police confiscate your entire collection of vacation photos, claim that your vacation photos contain hidden encrypted messages (which they don’t), and sends you off to jail for five years for being unable to supply the decryption key?

This is not some dystopic pipe dream. This law already exists in the United Kingdom – and the vacation photo scenario above, while on the far-fetched side of the scale, is possible. And the basic philosophical problem is greater than the described collateral damage: the government will send you to jail for safeguarding any confidences placed in you.

Wickr — an iPhone encryption app a 3-year-old can use

From CNET:

Free app encrypts text, voice, and video messages and leaves no trace on servers or even the device.

Encryption hasn’t made it to mainstream consumers because it isn’t always easy to use and because the person at the other end needs to be using it too. A new free iOS app called Wickr solves at least the first of those issues.

Wickr, which is available on the iTunes store beginning today, offers military-grade encryption for protecting text, photo, audio, and video messages.

All messages you send disappear within six days, unless you want them to self-destruct earlier than that. You can also set individual messages to autodestruct within a set period of time after the recipient opens them.

Wickr co-founder Nico Sell advises a number of security companies and handles public relations for the Defcon hacker convention, so she has a good handle on the privacy risks that can come from storing data on unencrypted smartphones. Encryption protects data from prying eyes in the case of theft or loss, or if the device gets hit by data-stealing malware or other remote attacks.

“Reporters always asked me how they can securely and anonymously communicate with sources, and there hasn’t been an easy answer. That was my first use case,” she said in an interview with CNET today. She also wanted her children to be able to freely express themselves in a safe space. “My 3-year-old can send encrypted messages” using Wickr, Sell said.

Once the app is downloaded, you create an account by providing a username and typing in a password. I found it was straightforward to send a test message to Sell and to send invites to friends from my contacts list via e-mail or text message. I set the app so alerts pop up when someone sends me a message via Wickr. The app also allows you to block certain users or allow only certain ones.

In addition to data on the device being encrypted, all data on the Wickr servers is encrypted too (the service uses AES and RSA encryption standards), so Wickr never sees the plaintext of messages. Users can remain completely anonymous; the service doesn’t require an e-mail address to create an account.

The app also offers advanced antiforensics features so deleted files are not recoverable, and it “sanitizes” the device by cleaning files that have been deleted by other apps such as the native camera program, said Wickr co-founder Robert Statica, director of the Center for Information Protection at the New Jersey Institute of Technology. “The security of the message stays with the message until it disappears,” he said.

A version of the app for Android will eventually be available, as well as a premium version that will give users enhanced capabilities, such as the ability to send messages to more than 10 people at once and to send video and voice messages that are longer than 15 seconds.

“Wickr is part of a new wave of security technologies that is about being user-friendly for the average person,” said security expert Dan Kaminsky, who is serving as an advisor to Wickr. “Wickr is an attempt to take a very rich communication experience with voice and video and text (messages) and provide it with some of the best-of-breed technologies for creating a safe space to communicate.”

Wickr does not encrypt voice calls. For that there is Whisper Systems for Android or Silent Circle for Android and iPhone from PGP creator Phil Zimmermann. A beta version is due out next month.

Some great privacy mobile apps for Android

From GuardianProject.info:

To achieve our goal of a comprehensive, privacy- and security-focused communications solution, Guardian is driven both by internal development and the open-source community at large. In cases where a viable, vetted, and usable product already fills the communications needs of our target audience, we will recommend apps that work.

Our Apps

Orbot: Anonymous Web Browsing
Orbot brings the capabilities of Tor to Android. Tor uses Onion Routing to provide access to network services that may be blocked, censored or monitored, while also protecting the identity of the user requesting those resources.
Download app. View source code.

Orweb: a browser with increased privacy (UPDATED 28-July-11)
Orweb is a privacy enhanced web browser that supports proxies. When used with Orbot, Orweb protects against network analysis, blocks cookies, keeps no local browsing history, and disables Flash to keep you safe.
Download app. View source code.

Gibberbot: Private and Secure Instant Messaging Gibberbot is a full featured instant messaging application integrated with the “Off the Record” encrypted chat protocol. Our app is built on Google’s open-source Talk app and modified to support the Jabber XMPP protocol.
Download app. View source code.

ObscuraCam: Secure Smart Camera A secure camera app that can obscure, encrypt or destroy pixels within an image. This project is in partnership with WITNESS.org, a human rights video advocacy and training organization.
Download app. View source code.

ProxyMob (Android 2.x/ARM7 Only)
Firefox for Android Add-on which exposes HTTP and SOCKS proxy settings through a new options menu. This enables the user to connect with Tor through Orbot, as well as any network proxy service.
Download app. View source code.

 


3rd party applications we recommend

 

K-9 and APG: Encrypted E-mail
K-9 Mail is an open-source app based on Android’s built-in Email app. The project is focused on making it easy to manage multiple accounts and large volumes of email, as well supporting OpenPGP encryption using Android Privacy Guard.
Download app. View source code.

CSipSimple: Encrypted Voice Over IP (VOIP)
CSipSimple is a free and open source SIP client for Android that provides end-to-end encryption using ZRTP. It’s compatibility with desktop SIP clients such as jitsi makes it an ideal solution for secure voice.
Download app. View source code.

TextSecure: Short Messaging Service (SMS)
TextSecure, developed by Whisper Systems, provides a robust encrypted text messaging solution, but it is only compatible with other TextSecure users.
Download app.

 

The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

“Sitting in a restaurant not far from NSA headquarters, the place where he spent nearly 40 years of his life, Binney held his thumb and forefinger close together. “We are, like, that far from a turnkey totalitarian state,” he says.”

The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

By

The spring air in the small, sand-dusted town has a soft haze to it, and clumps of green-gray sagebrush rustle in the breeze. Bluffdale sits in a bowl-shaped valley in the shadow of Utah’s Wasatch Range to the east and the Oquirrh Mountains to the west. It’s the heart of Mormon country, where religious pioneers first arrived more than 160 years ago. They came to escape the rest of the world, to understand the mysterious words sent down from their god as revealed on buried golden plates, and to practice what has become known as “the principle,” marriage to multiple wives.

Today Bluffdale is home to one of the nation’s largest sects of polygamists, the Apostolic United Brethren, with upwards of 9,000 members. The brethren’s complex includes a chapel, a school, a sports field, and an archive. Membership has doubled since 1978—and the number of plural marriages has tripled—so the sect has recently been looking for ways to purchase more land and expand throughout the town.

But new pioneers have quietly begun moving into the area, secretive outsiders who say little and keep to themselves. Like the pious polygamists, they are focused on deciphering cryptic messages that only they have the power to understand. Just off Beef Hollow Road, less than a mile from brethren headquarters, thousands of hard-hatted construction workers in sweat-soaked T-shirts are laying the groundwork for the newcomers’ own temple and archive, a massive complex so large that it necessitated expanding the town’s boundaries. Once built, it will be more than five times the size of the US Capitol.

Rather than Bibles, prophets, and worshippers, this temple will be filled with servers, computer intelligence experts, and armed guards. And instead of listening for words flowing down from heaven, these newcomers will be secretly capturing, storing, and analyzing vast quantities of words and images hurtling through the world’s telecommunications networks. In the little town of Bluffdale, Big Love and Big Brother have become uneasy neighbors.

The NSA has become the largest, most covert, and potentially most intrusive intelligence agency ever.

Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.

But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”

Continue reading…

Encryption and Self Incrimination

The Electronic Freedom Foundation put out an excellent article on how to respond when asked to give out your encryption password and I recommend reading it. Here is the takeaway:

If you find yourself in a situation where the government is forcing you to decrypt a computer or provide an encryption key, be sure to let us know. And remember that silence is golden. Boucher talked to law enforcement. Fricosu talked to her ex-husband and co-defendant in jail. It was this talking that defeated their Fifth Amendment privilege through the foregone conclusion doctrine. The less you say, the better.

Two Cases’ Lessons: If Cops Don’t Know What You Encrypted, They Can’t Make You Decrypt It

From Forbes:

The last 24 hours have produced two opposite rulings about whether suspects in legal cases have to cough up the password to potentially incriminating data that they’ve encrypted on a hard drive. The two cases add up to a lesson: If the cops don’t know what they don’t know, your secrets are safe. But if they know what they’re looking for, the world’s strongest cipher isn’t going to stop them from getting it from a suspect.

On Thursday, the 11th circuit court of appeals ruled in the child pornography case of an unnamed man called John Doe that he wasn’t legally required to give up the password to an encrypted hard drive that might contain incriminating information. (The PDF of the ruling is here.) Forcing him to decrypt his data, the judge in the case argued, would violate Doe’s fifth amendment rights to not offer any testimony that would incriminate himself. But the very same day, a federal appeals court rejected the appeal of a suspect for mortgage fraud named Ramona Fricosu, demanding that she give up the password to her encrypted laptop despite her plea that the computer–just like John Doe’s–contained incriminating data.

Those two cases may seem on the surface like mere judicial confusion and contradiction. But the real difference between them, says Electronic Frontier Foundation attorney Hanni Fakhoury, is what investigators expected to find on those scrambled hard drives. Fakhoury cautions that the details of every case are different, but that broadly speaking, “if the government knows what they’re going to find, they have no problem,” he says. “If they don’t, they can’t make you decrypt anything.”

In the case of John Doe, the suspect came to law enforcement’s attention when the IP address of his computer and his name in a hotel’s registry were tied to pornographic pictures of underage girls posted to YouTube. But when authorities seized his hard drives, parts of them were encrypted with the program TrueCrypt. Investigators were unable to decrypt them and–just as importantly–couldn’t begin to guess what might be stored in those encrypted partitions.

That ambiguity allowed Doe to plead the fifth, according to the court’s ruling. The court’s opinion makes clear that if investigators had known what they were looking for, Doe would have had to decrypt that file. That situation would be a situation the ruling calls a  ”foregone conclusion,” when the court knows that a piece of evidence is potentially incriminating, but the holder of that evidence won’t make it available. Without that knowledge, however, the password to Doe’s files is merely like any kind of testimony, and falls under Doe’s fifth amendment protections.

“We find no support in the record for the conclusion that the Government, at the time it sought to compel production, knew to any degree of particularity what, if anything, was hidden behind the encrypted wall.” it reads. “The Fifth Amendment protects Doe’s refusal to decrypt and produce the contents of the media devices because the act of decryption and production would be testimonial, and because the Government cannot show that the ‘foregone conclusion’ doctrine applies.”

In the Fricosu case, on the other hand, the authorities had a recording of the suspect talking to her co-defendant in which she mentions an incriminating file on her laptop. That’s enough, Fakhoury says, for the court to compel her to turn over the password. Given that she had already incriminated herself in the recorded conversation, refusing to decrypt the hard drive just becomes a case of withholding evidence for which she can be held in contempt.

Fakhoury compares the situation to a 2008 case in Vermont where a child pornography suspect, Sebastien Boucher, had a file on his computer clearly labelled as graphic child pornography–I’ll spare you the exact, disgusting phrase. In that case, the fact that the file was encrypted didn’t help him–the mere title of the file was enough to bypass his fifth amendment argument against handing over the password.

Fricosu’s case isn’t nearly as black and white. But the nature of the encrypted contents is clear enough that the court has ruled the fifth amendment doesn’t help her.

So what’s the lesson for those that value their hard drive’s privacy, even against legal intrusion? Fakhoury makes clear that the EFF isn’t trying to help child pornographers avoid prosecution. But he offers two pieces of advice for others who hope to avoid handing over their passwords to the cops. “Encrypt everything,” he says. “And don’t label your files ‘child porn.’”

Get your FREE Asset Protection & Privacy Guide here