26 December 2013
On Security Architecture, The Panopticon, And "The Law"
Date: Thu, 26 Dec 2013 02:25:10 +0100
From: arxlight <arxlight[at]arx.li>
To: Cryptography <cryptography[at]metzdowd.com>
Subject: [Cryptography] On Security Architecture, The Panopticon, And "The
Obviously, I applaud the herculean efforts the list members have (even just
in the last few months) exerted in the service of reforming "the practice"
in light of the labyrinthine mess we have all been recently presented with.
That said, and at the risk of running afoul of the list's core charter on
Christmas Day, I would like to explore some of the higher level questions
of architecture and design as they relate to the legal schema that presently
underpins the intelligence apparatus of the West. (Mostly because I am an
awful coder and I like the way big words look in print).
For better or worse (and mostly for worse at this point) the legal schema
that drives almost 100% of the global threat model stems from the United
States. No, no... we shall brook no whining my dear EU and UK subjects...
this will not do at this stage. You get the worldwide governance you deserve
in the end, and by permitting a hegemonic, global panopticon to emerge
unchallenged over the last many years (is that an NSA facility on your soil?
What? Is that ANOTHER ONE?), even in the midst of a supposed "democracy"
you have effectively waived your standing to contest it now by legal means.
(What, Chancellor? They have been listening to your cellphone? You know what,
fuck you and your coalition for signing off on Teufelsberg's funding every
So what now? Well, from whence, we may ask, does the global panopticon derive
its surveillance power? We could likely fill several volumes in the course
of recording the discourse on this topic. Being that our time together is
short, shall we instead focus on a few key points?
Third Parties --
At least to my way of thinking one of the foremost issues that mucks the
entire schema up is the concept of "knowing exposure" of data that might
otherwise be shrouded in the "expectation of privacy." An exploration of
Katz v. United States and the esteemed cases that later purport to suss out
the bounds of the "expectation of privacy" in the jurisprudence of the United
States is probably beyond the scope of this discussion, but it probably bears
notice to observe that such data as you (oh, noble Citizen of the United
States) convey to "third parties" has long been branded as data for which
you have waved your "expectation of privacy." One does not, after all, brag
about liaisons with illicit lovers to third parties if one expects such details
to be kept "unter vier Augen."
This would be less daunting if it were possible to do more without conveying
critical data to third parties. But it isn't. The perverse rise of SaaS offerings
and the dependence on large carriers to convey data that should require none
such has created an environment where nearly everything is conveyed to a
third party. Everything. Ah, the client-server model of computing, may it
burn in hell.
May I just ask: How could an industry once so attached to redundancy and
distributed infrastructure become so taken with creating massive, single
points of failure and a critical reliance on trusted third parties? Was there
some massive Facebook founder's share give away? What happened to the old
manta "Trusted third parties aren't"? How did the remnants of the cypherpunk
movement (forgive me the sentimental nostalgia of youth) lay so utterly dormant
as large, centralized providers came to dominate the storage and transmission
of critical data? Where, at least, was the tool of end-to-end encryption
in this co-opted intermediary world? How, after a few compromises of root
certificate authorities (that we know of) did X.509 survive for more than
six more months?
And so now the panopticon has only to co-opt a couple dozen large enterprises,
many of which are deeply dependent on the largess of central government in
the burgeoning crony-capitalist West, to find itself in possession of the
vast majority of private communications without issue, notice, or objection.
We cannot, surely, blame the panopticon. With that juicy of a target concentrated
in a corporate surface area so small what else did we expect? And someone
does keep funding her, year in and year out, no?
And so I submit: The reliance on third parties must end. It is not enough
simply to mandate that your data reside on third parties you deem slightly
more trustworthy than others (we're looking at you, European Union, and
particularly at you, Germany). May we be so bold as to point out that trusted
third parties that are vulnerable to being co-opted by national sovereigns
cannot be trusted? May we, by extension, point out that it is rather difficult
to describe a trusted third party that is not vulnerable to being co-opted
by national sovereigns? Must we draw a diagram of the inevitable conclusion
that follows from these two observations?
Alright, if you insist: Stop trusting third parties, dammit.
Legal Protections --
At the risk of getting all cryptoanarchist (ah, again the sentimental nostalgia
of youth) how is it possible for an objective (even semi-objective) observer
to be of the view that the rule of law (let's for the moment limit the analysis
to domestic and foreign surveillance) has any meaning at all today? Perhaps
there was a time where, in light of the understanding that the surveillance
infrastructure of the United States intelligence community is both pervasive
and skilled, protections afforded Citizens of the United States against
collection efforts by foreign intelligence appendages meant something. But
this time has long since passed.
The barrier between intelligence and law enforcement collection has long
since been torn down and, more upsetting, those agencies that once (and still)
deign to call themselves "foreign intelligence agencies" have smashed the
firewall and morphed into foreign and domestic intelligence agencies.
Does it surprise anyone to know that evidence collected by such entities
and provided to domestic law enforcement entities warrants no 4th amendment
scrutiny whatsoever? (To butcher a complex legal concept suffice it to say
that in general U.S. courts have long held that evidence delivered to the
prosecution may be admitted regardless of the legality of the methods by
which it was obtained, so long as the prosecution took no part in the illegal
collection- torture cases, so far, seem to be the only major category that
may be exceptions to the rule). Well, so much, indeed, for fourth amendment
And so the panopticon is served again. First by the porous nature of "trusted
third parties." Second by the weakened set of legal "protections" afforded
by the jurisprudential environment in the United States, a circumstance that
would appear to permit unbridled collection for the purposes of criminal
prosecution. Or whatever.
At this point is it even worth discussing judicial review in these contexts?
And So? --
Face it. Digital liberty has lost the Lawfare fight. It must win the technical
1. Recognize that no design should ever permit unprotected data to touch
third party infrastructure anywhere, anytime, anyway, ever. Period.
Ok, I was young. I needed the money. But somehow I thought some of us were
working towards end-to-end encryption for nearly everything all the way back
in the 1990s? What happened? John Gilmore, aren't you on this list somewhere?
Did the world just eat S/WAN?
Here's the scary question: Does "third party infrastructure" include hardware
with unaudited, close source firmware? If it does (and I think that it does)
we have a rather serious problem.
This is an awful threat model. But guess what. This is the threat model.
2. Recognize that we now inhabit an environment in which there are effectively
no legal protections of any kind against the sort of pervasive, omnipresent
surveillance that Erich Mielke would find very difficult not to masturbate
to. There was perhaps a time when citizens of the United States could claim
to enjoy greater protections than the unenlightened barbarians beyond the
two seas. Hey, yanks, guess what: You're just as fucked as the rest of us
So? Now what?
A. Build robust, distributed channels. Make them end-user friendly.
B. Do not build systems that offer third parties deniability. Build systems
that MANDATE third party deniability.
C. Build systems that are (relatively) trivial to audit. Hardware architects,
where are you?
D. L'Etat, c'est toi.
Or, you know, maybe I'll just go drink a bottle of scotch instead.
The cryptography mailing