[Cryptography] On Security Architecture, The Panopticon, And "The Law"

[arxlight]

Obviously, I applaud the herculean efforts the list members have (even
just in the last few months) exerted in the service of reforming "the
practice" in light of the labyrinthine mess we have all been recently
presented with.  That said, and at the risk of running afoul of the
list's core charter on Christmas Day, I would like to explore some of
the higher level questions of architecture and design as they relate to
the legal schema that presently underpins the intelligence apparatus of
the West.  (Mostly because I am an awful coder and I like the way big
words look in print).

For better or worse (and mostly for worse at this point) the legal
schema that drives almost 100% of the global threat model stems from the
United States. No, no... we shall brook no whining my dear EU and UK
subjects... this will not do at this stage.  You get the worldwide
governance you deserve in the end, and by permitting a hegemonic, global
panopticon to emerge unchallenged over the last many years (is that an
NSA facility on your soil?  What?  Is that ANOTHER ONE?), even in the
midst of a supposed "democracy" you have effectively waived your
standing to contest it now by legal means. (What, Chancellor?  They have
been listening to your cellphone?  You know what, fuck you and your
coalition for signing off on Teufelsberg's funding every year).

So what now?  Well, from whence, we may ask, does the global panopticon
derive its surveillance power? We could likely fill several volumes in
the course of recording the discourse on this topic.  Being that our
time together is short, shall we instead focus on a few key points?
Yes?  Good.


Third Parties --

At least to my way of thinking one of the foremost issues that mucks the
entire schema up is the concept of "knowing exposure" of data that might
otherwise be shrouded in the "expectation of privacy."  An exploration
of Katz v. United States and the esteemed cases that later purport to
suss out the bounds of the "expectation of privacy" in the jurisprudence
of the United States is probably beyond the scope of this discussion,
but it probably bears notice to observe that such data as you (oh, noble
Citizen of the United States) convey to "third parties" has long been
branded as data for which you have waved your "expectation of privacy."
 One does not, after all, brag about liaisons with illicit lovers to
third parties if one expects such details to be kept "unter vier Augen."

This would be less daunting if it were possible to do more without
conveying critical data to third parties.  But it isn't.  The perverse
rise of SaaS offerings and the dependence on large carriers to convey
data that should require none such has created an environment where
nearly everything is conveyed to a third party.  Everything.  Ah, the
client-server model of computing, may it burn in hell.

May I just ask: How could an industry once so attached to redundancy and
distributed infrastructure become so taken with creating massive, single
points of failure and a critical reliance on trusted third parties?  Was
there some massive Facebook founder's share give away?  What happened to
the old manta "Trusted third parties aren't"?  How did the remnants of
the cypherpunk movement (forgive me the sentimental nostalgia of youth)
lay so utterly dormant as large, centralized providers came to dominate
the storage and transmission of critical data?  Where, at least, was the
tool of end-to-end encryption in this co-opted intermediary world?  How,
after a few compromises of root certificate authorities (that we know
of) did X.509 survive for more than six more months?

And so now the panopticon has only to co-opt a couple dozen large
enterprises, many of which are deeply dependent on the largess of
central government in the burgeoning crony-capitalist West, to find
itself in possession of the vast majority of private communications
without issue, notice, or objection.

We cannot, surely, blame the panopticon.  With that juicy of a target
concentrated in a corporate surface area so small what else did we
expect?  And someone does keep funding her, year in and year out, no?

And so I submit: The reliance on third parties must end.  It is not
enough simply to mandate that your data reside on third parties you deem
slightly more trustworthy than others (we're looking at you, European
Union, and particularly at you, Germany).  May we be so bold as to point
out that trusted third parties that are vulnerable to being co-opted by
national sovereigns cannot be trusted?  May we, by extension, point out
that it is rather difficult to describe a trusted third party that is
not vulnerable to being co-opted by national sovereigns?  Must we draw a
diagram of the inevitable conclusion that follows from these two
observations?

Alright, if you insist: Stop trusting third parties, dammit.


Legal Protections --

At the risk of getting all cryptoanarchist (ah, again the sentimental
nostalgia of youth) how is it possible for an objective (even
semi-objective) observer to be of the view that the rule of law (let's
for the moment limit the analysis to domestic and foreign surveillance)
has any meaning at all today?  Perhaps there was a time where, in light
of the understanding that the surveillance infrastructure of the United
States intelligence community is both pervasive and skilled, protections
afforded Citizens of the United States against collection efforts by
foreign intelligence appendages meant something. But this time has long
since passed.

The barrier between intelligence and law enforcement collection has long
since been torn down and, more upsetting, those agencies that once (and
still) deign to call themselves "foreign intelligence agencies" have
smashed the firewall and morphed into foreign and domestic intelligence
agencies.

Does it surprise anyone to know that evidence collected by such entities
and provided to domestic law enforcement entities warrants no 4th
amendment scrutiny whatsoever?  (To butcher a complex legal concept
suffice it to say that in general U.S. courts have long held that
evidence delivered to the prosecution may be admitted regardless of the
legality of the methods by which it was obtained, so long as the
prosecution took no part in the illegal collection- torture cases, so
far, seem to be the only major category that may be exceptions to the
rule).  Well, so much, indeed, for fourth amendment protections.

And so the panopticon is served again.  First by the porous nature of
"trusted third parties."  Second by the weakened set of legal
"protections" afforded by the jurisprudential environment in the United
States, a circumstance that would appear to permit unbridled collection
for the purposes of criminal prosecution.  Or whatever.

At this point is it even worth discussing judicial review in these contexts?


And So? --

Face it.  Digital liberty has lost the Lawfare fight.  It must win the
technical fight.

How?

1.  Recognize that no design should ever permit unprotected data to
touch third party infrastructure anywhere, anytime, anyway, ever.  Period.

Ok, I was young.  I needed the money.  But somehow I thought some of us
were working towards end-to-end encryption for nearly everything all the
way back in the 1990s?  What happened?  John Gilmore, aren't you on this
list somewhere?  Did the world just eat S/WAN?

Here's the scary question:  Does "third party infrastructure" include
hardware with unaudited, close source firmware?  If it does (and I think
that it does) we have a rather serious problem.

This is an awful threat model.  But guess what.  This is the threat model.

2.  Recognize that we now inhabit an environment in which there are
effectively no legal protections of any kind against the sort of
pervasive, omnipresent surveillance that Erich Mielke would find very
difficult not to masturbate to.  There was perhaps a time when citizens
of the United States could claim to enjoy greater protections than the
unenlightened barbarians beyond the two seas.  Hey, yanks, guess what:
You're just as fucked as the rest of us now.

So?  Now what?

A. Build robust, distributed channels.  Make them end-user friendly.

B. Do not build systems that offer third parties deniability.  Build
systems that MANDATE third party deniability.

C. Build systems that are (relatively) trivial to audit.  Hardware
architects, where are you?

D. L'Etat, c'est toi.

Or, you know, maybe I'll just go drink a bottle of scotch instead.

-uni