Why
did Bradley Cooper and Jessica Alba fail to record a tip when they paid
their cabbies during New York City taxi rides back in 2013? Why was
Cooper near a Mediterranean restaurant in Greenwich Village? Why was
Alba at a ritzy hotel in Soho?
We don’t know the answers, but we
do know exactly when and where the movie stars were going, and we also
know there’s no record of them forking over any gratuity. What’s
worrisome, say privacy experts, is that we know all of this not from
some special government sting operation but from publicly available data
about millions of people’s movements throughout New York City.
That
information, released in an open records request, validates the
concerns of those who argue that while consumers’ digital metadata may
seem to be anonymous, it actually isn’t. It takes just one or two other
pieces of information to turn seemingly anonymous tranches of metadata
into specific information about individuals — and not just those who are
famous.
“The more computing power and publicly available data,
the easier it becomes to identify individuals in the data,” says Utrecht
University’s Stefan Kulk. “In a time when even government institutions
upload large online data sets for the sake of open-data policies, the
scale of the problem of de-anonymized data providing insights into
everyone’s day-to-day life will only increase.”
In the case of the
taxi info, data analyst Christopher Whong filed an open records request
in March 2014 for New York’s database of cab fare, tip and location
information after seeing a tweet from the city’s Taxi and Limousine
Commission. Though that database of 174 million cab rides in 2013
includes no passenger names, software engineer Vijay Pandurangan was
able to link the data to other publicly available information about
license plates, cab driver identities and taxi companies’ medallion
numbers.
Then, to show the individualized surveillance power of
the seemingly anonymous data, Anthony Tockar of Neustar Research
cross-referenced the information with publicly available photos of
celebrities getting into cabs with identifiable license plates. That
allowed Tockar to declare that Cooper’s “cab took him to Greenwich
Village, possibly to have dinner at Melibea, and that he paid $10.50,
with no recorded tip.” He also revealed that “Alba got into her taxi
outside her hotel, the Trump SoHo, and somewhat surprisingly also did
not add a tip to her $9 fare.” (If Cooper or Alba tipped with cash, then
that might not show up on the records.)
To
dispel any notions that such information could be used only to track
celebrities, Tockar showed how the same data could be employed to
pinpoint the home addresses — and possible identities — of frequent
visitors to Larry Flynt’s Hustler Club.
News of taxi metadata
being turned into individual-specific information follows similar
stories that emerged in the wake of Edward Snowden’s disclosures about
the National Security Agency vacuuming up metadata.
Last year, for
example, Stanford University researchers showed how medical, financial
and other personal information could be disclosed just by
cross-referencing phone metadata with publicly available databases.
Similarly, Susan Landau, former Sun Microsystems engineer and author of
the book “Surveillance or Security?” told the New Yorker that metadata
can reveal details about everything from upcoming corporate transactions
to journalists’ sources to political negotiations.
To illustrate
that, Duke University associate professor Kieran Healy published a
now-legendary essay, explaining how British forces could have come to
target Paul Revere — and potentially snuff out the American Revolution —
if they had access to the same kind of metadata the NSA collects.
But, then, it’s not just the NSA that’s vacuuming up data — it can also be local governments and corporations.
Of
course, they may not all have nefarious motives for collecting data.
The problem, though, is that the data itself can be used in nefarious
ways.
David Sirota is a senior writer for the International
Business Times and the best-selling author of the books "Hostile
Takeover," "The Uprising" and "Back to Our Future." E-mail him at ds@davidsirota.com, follow him on Twitter @davidsirota or visit his website at www.davidsirota.com.
Imagine that you could wander unseen through a city, sneaking into
houses and offices of your choosing at any time, day or night. Imagine
that, once inside, you could observe everything happening, unnoticed by
others—from the combinations used to secure bank safes to the
clandestine rendezvous of lovers. Imagine also that you have the ability
to silently record everybody's actions, whether they are at work or
play without leaving a trace. Such omniscience could, of course, make
you rich, but perhaps more important, it could make you very powerful.
That
scenario out of some futuristic sci-fi novel is, in fact, almost
reality right now. After all, globalization and the Internet have
connected all our lives in a single, seamless virtual city where
everything is accessible at the tap of a finger. We store our money in
online vaults; we conduct most of our conversations and often get from
place to place with the help of our mobile devices. Almost everything
that we do in the digital realm is recorded and lives on forever in a
computer memory that, with the right software and the correct passwords,
can be accessed by others, whether you want them to or not.
Now—one more moment of
imagining—what if every one of your transactions in that world was
infiltrated? What if the government had paid developers to put trapdoors
and secret passages into the structures that are being built in this
new digital world to connect all of us all the time? What if they had
locksmiths on call to help create master keys for all the rooms? And
what if they could pay bounty hunters to stalk us and build profiles of
our lives and secrets to use against us?
Well, check your imagination at the door, because this is indeed the
brave new dystopian world that the US government is building, according
to the latest revelations from the treasure trove of documents released
by National Security Agency whistleblower Edward Snowden.
Over the last eight months, journalists have dug deep into these
documents to reveal that the world of NSA mass surveillance involves
close partnerships with a series of companies most of us have never
heard of that design or probe the software we all take for granted to
help keep our digital lives humming along.
There are three broad ways that these software companies collaborate with the state: a National Security Agency program called "Bullrun"
through which that agency is alleged to pay off developers like RSA, a
software security firm, to build "backdoors" into our computers; the use
of "bounty hunters"
like Endgame and Vupen that find exploitable flaws in existing software
like Microsoft Office and our smartphones; and finally the use of data
brokers like Millennial Media
to harvest personal data on everybody on the Internet, especially when
they go shopping or play games like Angry Birds, Farmville, or Call of
Duty.
Of course, that's just a start when it comes to enumerating the ways
the government is trying to watch us all, as I explained in a previous
TomDispatch piece, "Big Bro is Watching You." For example, the FBI uses hackers
to break into individual computers and turn on computer cameras and
microphones, while the NSA collects bulk cell phone records and tries to
harvest all the data traveling over fiber-optic cables.
In December 2013, computer researcher and hacker Jacob Appelbaum
revealed that the NSA has also built hardware with names like Bulldozer,
Cottonmouth, Firewalk, Howlermonkey, and Godsurge that can be inserted
into computers to transmit data to US spooks even when they are not
connected to the Internet.
"Today, [the NSA is] conducting instant, total invasion of privacy
with limited effort," Paul Kocher, the chief scientist of Cryptography
Research, Inc., which designs security systems, told the New York Times. "This is the golden age of spying."
Building Backdoors
Back in the 1990s, the Clinton administration promoted a special
piece of NSA-designed hardware that it wanted installed in computers and
telecommunication devices. Called the Clipper Chip,
it was intended to help scramble data to protect it from unauthorized
access—but with a twist. It also transmitted a "Law Enforcement Access
Field" signal with a key that the government could use if it wanted to
access the same data.
Activists and even software companies fought against the Clipper Chip
in a series of political skirmishes that are often referred to as the Crypto Wars. One of the most active companies was RSA from California. It even printed posters with a call to "Sink Clipper."
By 1995, the proposal was dead in the water, defeated with the help of
such unlikely allies as broadcaster Rush Limbaugh and Senators John
Ashcroft and John Kerry.
But the NSA proved more tenacious
than its opponents imagined. It never gave up on the idea of embedding
secret decryption keys inside computer hardware—a point Snowden has
emphasized (with the documents to prove it).
A decade after the Crypto Wars, RSA, now a subsidiary of EMC, a
Massachusetts company, had changed sides. According to an investigative
report by Joseph Menn of Reuters, it allegedly took $10 million from the National Security Agency in exchange for embedding an NSA-designed mathematical formula called the Dual Elliptic Curve Deterministic Random Bit Generator inside its Bsafe software products as the default encryption method.
The Dual Elliptic Curve has a "flaw" that allows it to be hacked, as
even RSA now admits.
Unfortunately for the rest of us, Bsafe is built
into a number of popular personal computer products and most people
would have no way of figuring out how to turn it off.
According to the Snowden documents, the RSA deal was just one of
several struck under the NSA's Bullrun program that has cost taxpayers
over $800 million to date and opened every computer and mobile user around the world to the prying eyes of the surveillance state.
"The deeply pernicious nature
of this campaign—undermining national standards and sabotaging hardware
and software—as well as the amount of overt private sector cooperation
are both shocking," wrote Dan Auerbach and Kurt Opsahl of the Electronic
Frontier Foundation, a San Francisco-based activist group that has led
the fight against government surveillance. "Back doors fundamentally
undermine everybody's security, not just that of bad guys."
Bounty Hunters
For the bargain basement price of $5,000, hackers offered for sale a software flaw
in Adobe Acrobat that allows you to take over the computer of any
unsuspecting victim who downloads a document from you. At the opposite
end of the price range, Endgame Systems of Atlanta, Georgia, offered for
sale a package named Maui
for $2.5 million that can attack targets all over the world based on
flaws discovered in the computer software that they use. For example,
some years ago, Endgame offered for sale targets in Russia including an
oil refinery in Achinsk, the National Reserve Bank, and the Novovoronezh
nuclear power plant. (The list was revealed by Anonymous, the online
network of activist hackers.) While such "products," known in hacker circles as "zero day exploits,"
may sound like sales pitches from the sorts of crooks any government
would want to put behind bars, the hackers and companies who make it
their job to discover flaws in popular software are, in fact, courted
assiduously by spy agencies like the NSA who want to use them in
cyberwarfare against potential enemies.
Take Vupen, a French company that offers a regularly updated
catalogue of global computer vulnerabilities for an annual subscription
of $100,000. If you see something that you like, you pay extra to get
the details that would allow you to hack into it. A Vupen brochure
released by Wikileaks in 2011 assured potential clients that the
company aims "to deliver exclusive exploit codes for undisclosed
vulnerabilities" for "covertly attacking and gaining access to remote
computer systems."
At a Google sponsored event in Vancouver in 2012, Vupen hackers demonstrated
that they could hijack a computer via Google's Chrome web browser. But
they refused to hand over details to the company, mocking Google
publicly. "We wouldn't share this with Google for even $1 million,"
Chaouki Bekrar of Vupen boasted to Forbes magazine. "We don't
want to give them any knowledge that can help them in fixing this
exploit or other similar exploits. We want to keep this for our
customers."
In addition to Endgame and Vupen, other players in this field include
Exodus Intelligence in Texas, Netragard in Massachusetts, and ReVuln
in Malta.
Their best customer? The NSA, which spent at least $25 million in
2013 buying up dozens of such "exploits." In December, Appelbaum and his
colleagues reported in Der Spiegel that agency staff crowed about their ability to penetrate
any computer running Windows at the moment that machine sends messages
to Microsoft. So, for example, when your computer crashes and helpfully
offers to report the problem to the company, clicking yes could open you
up for attack.
The federal government is already alleged to have used such exploits (including one in Microsoft Windows)—most famously when the Stuxnet virus was deployed to destroy Iran's nuclear centrifuges.
"This is the militarization of the Internet,"
Appelbaum told the Chaos Computer Congress in Hamburg. "This strategy
is undermining the Internet in a direct attempt to keep it insecure. We
are under a kind of martial law."
Harvesting your Data
Among the Snowden documents was a 20-page 2012 report from the
Government Communications Headquarters—the British equivalent of the
NSA—that listed a Baltimore-based ad company, Millennial Media.
According to the spy agency, it can provide "intrusive" profiles of
users of smartphone applications and games. The New York Times has noted that the company offers data
like whether individuals are single, married, divorced, engaged, or
"swinger," as well as their sexual orientation ("straight, gay,
bisexual, and 'not sure'").
How does Millennial Media get this data? Simple. It happens to gather
data from some of the most popular video game manufacturers in the
world. That includes Activision in California which makes Call of Duty, a
military war game that has sold over 100 million copies; Rovio of
Finland, which has given away 1.7 billion copies of a game called Angry
Birds that allows users to fire birds from a catapult at laughing pigs;
and Zynga—also from California—which makes Farmville, a farming game
with 240 million active monthly users.
In other words, we're talking about what is undoubtedly a significant
percentage of the connected world unknowingly handing over personal
data, including their location and search interests, when they download
"free" apps after clicking on a licensing agreement that legally allows
the manufacturer to capture and resell their personal information. Few
bother to read the fine print or think twice about the actual purpose of
the agreement.
The apps pay for themselves via a new business model called "real-time bidding"
in which advertisers like Target and Walmart send you coupons and
special offers for whatever branch of their store is closest to you.
They do this by analyzing the personal data sent to them by the "free"
apps to discover both where you are and what you might be in the market
for.
When, for instance, you walk into a mall, your phone broadcasts your location and within a millisecond a data broker sets up a virtual auction
to sell your data to the highest bidder. This rich and detailed data
stream allows advertisers to tailor their ads to each individual
customer. As a result, based on their personal histories, two people
walking hand in hand down a street might get very different
advertisements, even if they live in the same house.
This also has immense value to any organization that can match up the
data from a device with an actual name and identity—such as the federal
government. Indeed, the Guardian has highlighted an NSA document from 2010 in which the agency boasts that it can "collect almost every key detail of a user's life:
including home country, current location (through geolocation), age,
gender, zip code, marital status…income, ethnicity, sexual orientation,
education level, and number of children."
In Denial
It's increasingly clear that the online world is, for both government
surveillance types and corporate sellers, a new Wild West where
anything goes. This is especially true when it comes to spying on you
and gathering every imaginable version of your "data."
Software companies, for their part, have denied helping the NSA and reacted with anger to the Snowden disclosures. "Our
fans' trust is the most important thing for us and we take privacy
extremely seriously," commented Mikael Hed, CEO of Rovio Entertainment,
in a public statement.
"We do not collaborate, collude, or share data with spy agencies anywhere in the world."
RSA has tried to deny
that there are any flaws in its products. "We have never entered into
any contract or engaged in any project with the intention of weakening
RSA's products, or introducing potential 'backdoors' into our products
for anyone's use," the company said in a statement on its website. "We
categorically deny this allegation." (Nonetheless RSA has recently
started advising clients to stop using the Dual Elliptic Curve.)
Other vendors like Endgame and Millennial Media have maintained a stoic silence. Vupen is one of the few that boasts about its ability to uncover software vulnerabilities.
And the NSA has issued a Pravda-like statement
that neither confirms nor denies the revelations.
"The communications
of people who are not valid foreign intelligence targets are not of
interest to the National Security Agency," an NSA spokeswoman told the Guardian.
"Any implication that NSA's foreign intelligence collection is focused
on the smartphone or social media communications of everyday Americans
is not true."
The NSA has not, however, denied the existence of its Office of Tailored Access Operations (TAO), which Der Spiegel describes as "a squad of [high-tech] plumbers that can be called in when normal access to a target is blocked."
The Snowden documents indicate that TAO has a sophisticated set of tools at its disposal—that the NSA calls "Quantum Theory"—made
up of backdoors and bugs that allow its software engineers to plant spy
software on a target computer. One powerful and hard to detect example
of this is TAO's ability to be notified when a target's computer visits
certain websites like LinkedIn and to redirect it to an NSA server named
"Foxacid" where the agency can upload spy software in a fraction of a second.
Which Way Out of the Walled Garden?
The simple truth of the matter is that most individuals are easy
targets for both the government and corporations. They either pay for
software products like Pages and Office from well known manufacturers
like Apple and Microsoft or download them for free from game companies
like Activision, Rovio, and Zynga for use inside "reputable" mobile
devices like Blackberries and iPhones.
These manufacturers jealously guard access to the software that they
make available, saying that they need to have quality control. Some go
even further with what is known as the "walled garden"
approach, only allowing pre-approved programs on their devices. Apple's
iTunes, Amazon's Kindle, and Nintendo's Wii are examples of this.
But as the Snowden revelations have helped make clear, such devices
and software are vulnerable both to manufacturer's mistakes, which open
exploitable backdoors into their products, and to secret deals with the
NSA.
So in a world where, increasingly, nothing is private, nothing is
simply yours, what is an Internet user to do? As a start, there is an
alternative to most major software programs for word processing,
spreadsheets, and layout and design—the use of free and open source software like Linux and Open Office,
where the underlying code is freely available to be examined for hacks
and flaws. (Think of it this way: if the NSA cut a deal with Apple to
copy everything on your iPhone, you would never know. If you bought an
open-source phone—not an easy thing to do—that sort of thing would be
quickly spotted.) You can also use encrypted browsers like Tor and search engines like Duck Duck Go that don't store your data.
Next, if you own and use a mobile device on a regular basis, you owe it to yourself to turn off as many of the location settings and data-sharing options
as you can. And last but hardly least, don't play Farmville, go out and
do the real thing. As for Angry Birds and Call of Duty, honestly,
instead of shooting pigs and people, it might be time to think about
finding better ways to entertain yourself.
Pick up a paintbrush,
perhaps? Or join an activist group like the Electronic Frontier Foundation and fight back against Big Brother.
Posted by Soulskill from the can-it-be-aliens-next-time-please dept.
chicksdaddy writes
"More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics,
whose equipment was compromised in the earlier attack.
In a blog post,
Mike Davis of the firm IOActive said patches issued by Monroe
Electronics, the Lyndonville, New York firm that is a leading supplier
of EAS hardware, do not adequately address problems raised earlier this
year, including the use of 'bad and predictable' log-in credentials.
Monroe’s R-189 CAP-EAS
product was the target of a hack in February during which EAS equipment
operated by broadcasters in Montana, Michigan and other states was
compromised and used to issue an alert claiming that the 'dead are
rising from their graves,' and advising residents not to attempt to
apprehend them.
CAP refers to the Common Alerting Protocol, a successor
to EAS. A recent search using the Shodan search engine by University of
Florida graduate student Shawn Merdinger found more than 200 Monroe
devices still accessible from the public Internet. 66% of those were
running vulnerable versions of the Monroe firmware."
Secret demands mark escalation in Internet surveillance by the federal
government through gaining access to user passwords, which are typically
stored in encrypted form.
The U.S. government has demanded that major Internet companies divulge
users' stored passwords, according to two industry sources familiar with
these orders, which represent an escalation in surveillance techniques
that has not previously been disclosed.
If the government is able to determine a person's password, which is
typically stored in encrypted form, the credential could be used to log
in to an account to peruse confidential correspondence or even
impersonate the user. Obtaining it also would aid in deciphering
encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry
source who spoke on condition of anonymity. "We push back."
A second person who has worked at a large Silicon Valley company
confirmed that it received legal requests from the federal government
for stored passwords. Companies "really heavily scrutinize" these
requests, the person said. "There's a lot of 'over my dead body.'"
Some of the government orders demand not only a user's password but also
the encryption algorithm and the so-called salt, according to a person
familiar with the requests. A salt is a random string of letters or
numbers used to make it more difficult to reverse the encryption process
and determine the original password. Other orders demand the secret
question codes often associated with user accounts.
A Microsoft spokesperson would not say whether the company has received
such requests from the government. But when asked whether Microsoft
would divulge passwords, salts, or algorithms, the spokesperson replied:
"No, we don't, and we can't see a circumstance in which we would
provide it."
Google also declined to disclose whether it had received requests for
those types of data. But a spokesperson said the company has "never"
turned over a user's encrypted password, and that it has a legal team
that frequently pushes back against requests that are fishing
expeditions or are otherwise problematic. "We take the privacy and
security of our users very seriously," the spokesperson said.
A Yahoo spokeswoman would not say whether the company had received such
requests. The spokeswoman said: "If we receive a request from law
enforcement for a user's password, we deny such requests on the grounds
that they would allow overly broad access to our users' private
information. If we are required to provide information, we do so only in
the strictest interpretation of what is required by law."
Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast
did not respond to queries about whether they have received requests for
users' passwords and how they would respond to them.
Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail,
said he doesn't recall receiving any such requests but that the company
still has a relatively small number of users compared with its larger
rivals. Because of that, he said, "we don't get a high volume" of U.S.
government demands.
The FBI declined to comment.
Some details remain unclear, including when the requests began and
whether the government demands are always targeted at individuals or
seek entire password database dumps. The Patriot Act has been used to demand entire database dumps
of phone call logs, and critics have suggested its use is broader. "The
authority of the government is essentially limitless" under that law,
Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence
committee, said at a Washington event this week.
Large Internet companies have resisted the government's requests by
arguing that "you don't have the right to operate the account as a
person," according to a person familiar with the issue. "I don't know
what happens when the government goes to smaller providers and demands
user passwords," the person said.
An attorney who represents Internet companies said he has not fielded
government password requests, but "we've certainly had reset requests --
if you have the device in your possession, then a password reset is the
easier way."
Photo: Source code to a C implementation of bcrypt, a popular algorithm used for password hashing. (Credit: Photo by Declan McCullagh)
Cracking the codes
Even if the National Security Agency or
the FBI successfully obtains an encrypted password, salt, and details
about the algorithm used, unearthing a user's original password is
hardly guaranteed. The odds of success depend in large part on two
factors: the type of algorithm and the complexity of the password.
Algorithms, known as hash functions, that are viewed as suitable for
scrambling stored passwords are designed to be difficult to reverse. One
popular hash function called MD5, for instance, transforms the phrase
"National Security Agency" into this string of seemingly random
characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists
believe that, if a hash function is well-designed, the original phrase
cannot be derived from the output.
But modern computers, especially ones equipped with high-performance
video cards, can test passwords scrambled with MD5 and other well-known
hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated
at a conference last December tested 348 billion hashes per second,
meaning it would crack a 14-character Windows XP password in six
minutes.
The best practice among Silicon Valley companies is to adopt far slower
hash algorithms -- designed to take a large fraction of a second to
scramble a password -- that have been intentionally crafted to make it
more difficult and expensive for the NSA and other attackers to test
every possible combination.
One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper by computer scientist Colin Percival
estimated that it would cost a mere $4 to crack, in an average of one
year, an 8-character bcrypt password composed only of letters. To do it
in an average of one day, the hardware cost would jump to approximately
$1,500.
But if a password of the same length included numbers, asterisks,
punctuation marks, and other special characters, the cost-per-year leaps
to $130,000. Increasing the length to any 10 characters, Percival
estimated in 2009, brings the estimated cracking cost to a staggering
$1.2 billion.
As computers have become more powerful, the cost of cracking bcrypt
passwords has decreased. "I'd say as a rough ballpark, the current cost
would be around 1/20th of the numbers I have in my paper," said
Percival, who founded a company called Tarsnap Backup,
which offers "online backups for the truly paranoid." Percival added
that a government agency would likely use ASICs -- application-specific
integrated circuits -- for password cracking because it's "the most
cost-efficient -- at large scale -- approach."
While developing Tarsnap, Percival devised an algorithm called scrypt,
which he estimates can make the "cost of a hardware brute-force attack"
against a hashed password as much as 4,000 times greater than bcrypt.
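Added example, not part of the original article: a sketch of the stored record the orders described above ask for (algorithm, salt, hash), built with a random per-user salt and the scrypt function from Python's standard library, next to unsalted MD5 for contrast. It also checks that the 2009 cost figures quoted above scale with keyspace size. The scrypt parameters, the sample passwords, and the alphabet sizes (26 letters, 95 printable ASCII characters) are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt cost parameters for this example (not taken from the article).
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # upper bound on memory scrypt may use


def md5_unsalted(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Return what a server stores: algorithm, parameters, random salt, hash."""
    salt = os.urandom(16)  # fresh salt for every stored password
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=N, r=R, p=P, maxmem=MAXMEM, dklen=DKLEN)
    return {"alg": "scrypt", "n": N, "r": R, "p": P,
            "salt": salt.hex(), "hash": derived.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    derived = hashlib.scrypt(password.encode("utf-8"),
                             salt=bytes.fromhex(record["salt"]),
                             n=record["n"], r=record["r"], p=record["p"],
                             maxmem=MAXMEM, dklen=len(record["hash"]) // 2)
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def seconds_per_call(func, rounds: int) -> float:
    """Average wall-clock time of one call to func."""
    start = time.perf_counter()
    for _ in range(rounds):
        func()
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more expensive one scrypt hash is than one MD5 hash here."""
    fast = seconds_per_call(lambda: md5_unsalted("constructed-sample"), 2000)
    slow = seconds_per_call(lambda: make_record("constructed-sample"), 3)
    return slow / fast


def scaled_cost(base_cost: float, base_alphabet: int, base_len: int,
                alphabet: int, length: int) -> float:
    """Scale a brute-force cost estimate by the ratio of the two keyspaces."""
    return base_cost * (alphabet ** length) / (base_alphabet ** base_len)


if __name__ == "__main__":
    # Constructed sample password, used for two different accounts.
    a = make_record("correct horse")
    b = make_record("correct horse")
    print("same password, unsalted MD5 equal:",
          md5_unsalted("correct horse") == md5_unsalted("correct horse"))
    print("same password, salted scrypt equal:", a["hash"] == b["hash"])
    print("verify good / bad:", verify("correct horse", a), verify("guess", a))
    print("scrypt vs MD5 cost per hash: about %.0fx" % slowdown_factor())
    # Article figures: $4 for 8 letters, $130,000 for 8 mixed, $1.2 billion for 10.
    print("8 letters -> 8 printable: $%.0f" % scaled_cost(4, 26, 8, 95, 8))
    print("8 printable -> 10 printable: $%.0f"
          % scaled_cost(130_000, 95, 8, 95, 10))
```

The salt makes two accounts with the same password store different hashes, so one guess cannot be checked against every user at once, and the per-hash slowdown is what multiplies the cost of each guess.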
Bcrypt was introduced at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.
With the computers available today, "bcrypt won't pipeline very well in
hardware," Mazières said, so it would "still be very expensive to do
widespread cracking."
Even if "the NSA is asking for access to hashed bcrypt passwords,"
Mazières said, "that doesn't necessarily mean they are cracking them."
Easier approaches, he said, include an order to extract them from the
server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.
Photo: Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision. (Credit: Getty Images)
Questions of law
Whether the National Security Agency or FBI
has the legal authority to demand that an Internet company divulge a
hashed password, salt, and algorithm remains murky.
"This is one of those unanswered legal questions: Is there any
circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."
Granick said she's not aware of any precedent for an Internet company
"to provide passwords, encrypted or otherwise, or password algorithms to
the government -- for the government to crack passwords and use them
unsupervised." If the password will be used to log in to the account,
she said, that's "prospective surveillance," which would require a
wiretap order or Foreign Intelligence Surveillance Act order.
If the government can subsequently determine the password, "there's a
concern that the provider is enabling unauthorized access to the user's
account if they do that," Granick said. That could, she said, raise
legal issues under the Stored Communications Act and the Computer Fraud
and Abuse Act.
The Justice Department has argued in court proceedings before that it
has broad legal authority to obtain passwords. In 2011, for instance,
federal prosecutors sent a grand jury subpoena demanding the password
that would unlock files encrypted with the TrueCrypt utility.
The Florida man who received the subpoena claimed the Fifth Amendment,
which protects his right to avoid self-incrimination, allowed him to
refuse the prosecutors' demand. In February 2012, the U.S. Court of
Appeals for the Eleventh Circuit agreed, saying that because prosecutors
could bring a criminal prosecution against him based on the contents of
the decrypted files, the man "could not be compelled to decrypt the
drives."
In January 2012, a federal district judge in Colorado reached the
opposite conclusion, ruling that a criminal defendant could be compelled
under the All Writs Act to type in the password that would unlock a
Toshiba Satellite laptop.
Both of those cases, however, deal with criminal proceedings when the
password holder is the target of an investigation -- and don't address
when a hashed password is stored on the servers of a company that's an
innocent third party.
"If you can figure out someone's password, you have the ability to reuse
the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.
Last updated at 8:00 p.m. PT with comment from Yahoo, which responded after this article was published.
Disclosure: McCullagh is married to a Google employee not involved with this issue.