Those Feds Who Aren’t Reading Our Stuff Are Demanding Internet Companies Give Up Our Passwords

"Now who's being naive, Marge?"
Credit: Arkadi Bojaršinov | Dreamstime.com

Prior to the failed vote yesterday as Michigan Rep. Justin Amash attempted to restrain the National Security Agency to only collecting phone and email metadata about people who are actually valid crime suspects, security state lovers repeated their typical talking points. It’s necessary to fight terrorism, it has saved lives, Sept. 11! Sept. 11! Sept. 11! And, of course, those defending the mass collection of data say the federal government is hardly getting anything at all! Nothing truly private! They aren’t reading our e-mail!

If they’re not, apparently it’s not from lack of trying. Tech privacy journalist Declan McCullagh over at CNet reports today that feds are asking Internet companies to divulge users’ passwords:

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log into an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's password, but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

McCullagh isn’t clear about the form these requests come in (subpoenas, national security letter demands, warrants, etc.). I tweeted him for more detail and his response was, “That would be a good question to ask the FBI or DOJ!”

Google and Microsoft both told McCullagh that they have not and would not provide password information nor encryption algorithm info to the feds. Several other Internet and communication companies didn’t respond. In the confusing, complicated world of tech privacy, it’s not clear if the feds can actually order companies to provide the information:

Whether or not the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised." If the password will be used to log into the account, she said, that's "prospective surveillance" which would require a wiretap order or Foreign Intelligence Surveillance Act order.

The Feds have been trying to force people suspected of crimes to provide access to their own accounts, which runs up against some Fifth Amendment concerns. McCullagh describes one such incident in his piece. Reason Science Correspondent Ron Bailey wrote about another case in June while making some suggestions to those wanting to foil potential government surveillance efforts.

I watched the NSA amendment debate on CSpan yesterday afternoon, and during the call-in portion, only one of about a dozen or so calls opposed Amash’s amendment.


  • The Late P Brooks||

    Something something nothing to fear.

  • SIV||

    If you're not a drug trafficking terrorist pedophile you have nothing to hide.

  • CE||

    Unless you routinely criticize the government, who now has the power to frame you as such.

  • Sudden||

    All your passwords are belong to us.

  • DJF||

    Ha, they will never figure out my password. 0123456789

  • umh||

    Try 0123456789almostanything and you're good. For all practical purposes a long password is unbreakable, however all bets are off if they have a back door or you use a common phrase.

  • Bluestrike2||

    Actually, that's fairly horrible advice. The 0123456789 string is itself incredibly common in a context that almost matches, verbatim, your suggestion. What's more, on an individual level, most people tend to stick to certain patterns for themselves. I have my prefix, I add an extra word, and I'm sticking to that pattern. Never mind the fact that I'm radically decreasing the effort necessary for a cracker to work through any two of my passwords, for instance.

    Rather than rehashing advice you'll find elsewhere given that I'm tired at the moment, I'll just point you to a discussion on an XKCD comic on the subject. The math in the comic is correct for what it's worth, and the accompanying discussion is quite illuminating:

    http://security.stackexchange......passphrase

    Long story short, we have a tendency to allow cognitive biases to blind us with passwords. The Tr0ub4dor&3 phrase seems random and obscure compared to "correct horse battery staple," but in fact, the opposite is true. The passphrase here represents a higher measure of entropy (~44 compared to ~28) without the easy to quantify underlying pattern of the first.

    If you're interested, read up on the diceware list as a tool for generating random passphrases that can be remembered by a human:

    http://world.std.com/~reinhold/diceware.html

  • Generic Stranger||

  • Matrix||

    "Reject the voices that warn of tyranny..." - Dumbass

    Fuck you, shitbag president!

  • pan fried wylie||

    Forgetting the past has always worked in the past.

    At least, I think so, since I forgot it already.

  • CE||

    You know who else rejected the voices that warned of tyranny?

  • Hyperion||

    The people of every society in history that has ever fallen into tyranny, right before the fall?

    History must be the hardest subject, ever.

  • Libertymike||

    Well, how about the poster formerly known as TAO?

  • Mickey Rat||

    Only a tyrant has to worry about warnings of tyranny, and YOU'RE not a tyrant, are you?

  • pan fried wylie||

    it has saved lives, Sept. 11! Sept. 11! Sept. 11

    There are, what, 5k lives that weren't saved on Sept. 11 despite direct knowledge of the plan that killed them.

    But yeah, datamining a bunch of irrelevant garbage will somehow save lives that direct knowledge couldn't. THE RIGHT PEOPLE ARE IN CHARGE, YOU FUCKING OBSTRUCTIONIST PEONS!111ONEONESOMALIA!!111ONE

  • Andrew S.||

    We would face a 9/11 every day if not for our brave NSA. Since 3,000 or so people died on 9/11, our brave President has saved somewhere around 5 million people from dying in terror attacks. Why do you want 5,000,000 Americans to die, libertarians?

  • Invisible Finger||

    Because it would be cheaper if terrorists did it for free rather than waste salaries on Obamacare death panels and police departments to produce the same results.

  • pan fried wylie||

    Why do you hate Jobs?Q!!Somalia!11wonwonwonw

  • umh||

    You have bad dreams I see. I a non sequitur in your logic.

  • Anonymous Coward||

    It's a good thing all of this spying is going on. Somebody might have set off an explosive at some big event like the Boston Marathon.

    Oops! Too soon?

  • ||

    Using the internet is a privilege, not a right! Plus, the information being sent and received is going through third parties, so you can have absolutely no expectation of privacy!

    The solution is obvious; if you don't want the feds to read your stuff, then never use the internet for anything at all, QED.

  • umh||

    I think you're onto something. Maybe the terrorists don't trust online encryption.

  • Fist of Etiquette||

    Google and Microsoft both told McCullagh that they have not and would not provide password information nor encryption algorithm info to the feds.

    And now we await the leak that informs us they have, in fact, given up those passwords.

  • pan fried wylie||

    3 felonies a day * how many employees + corporate infractions (do we have a daily rate for that?) can be pretty compelling.

    Plus Anti-Trust-We-Can-Fuck-You-Whenever-We-Want legislation.

    How was MS allowed to include a PDF reader and Skype in Win8 without going to court again?

  • CE||

    They didn't "provide" password information to the feds... they just left the password list in an unencrypted file at a third party server that the NSA knew about.....

  • Hyperion||

    I watched the NSA amendment debate on CSpan yesterday afternoon, and during the call-in portion, only one of about a dozen or so calls opposed Amash’s amendment

    Call-ins? By the serfs? Hahaha! Our betters have better things to do than listen to the lowly people who elected them.

  • CE||

    And 88 percent of the letters in my Congressional District to our Congressthief were against the TARP bailouts, but he voted for it anyway, and was reelected, because the other candidate was on the other team.

  • Hyperion||

    Well, they might take our freedoms, but at least we'll never vote for a Rethuglican! Reverse this, and it's the same, I know. Both teams have retarded constituent team cheer leaders.

  • Stormy Dragon||

    If the companies were properly securing their systems, they shouldn't have any of their users' passwords to begin with:

    http://en.wikipedia.org/wiki/S.....d_protocol

    Of course, they don't end up paying when accounts get compromised which means most of them don't bother to properly secure their systems and most of them can probably comply with the request.

  • Brandybuck||

    Anyone storing their users' passwords as plaintext should be tarred, feathered, and ridden out on the rails, never again to sully the net with their putrescent presence.

  • Nazdrakke||

    I'm trying (and failing) at this point to envision an act by our government that would shake a majority of the people of our country out of their complacency. I'm trying to think of something that tyrannical regimes do that has not been undertaken in some way by our own government in the last decade and accompanied by a resounding "meh" by the citizenry.

    We are so fucked.

  • ||

    Complete confiscation of all weapons, plus enforced murder-on-sight of all non-whites and gays.

    Something to get both sides riled up.

  • ||

    Complete confiscation of all weapons, plus enforced murder-on-sight of all non-whites and gays.

    Best Pink Pistols recruiting strategy ever.

  • Hyperion||

    I can tell you what will do it. But I wouldn't call it Tyranny.

    Cut off the free shit. Which they will have to, as soon as the money runs out. So, yes, we are fucked.

    But what they are doing now, an all out assault on freedom and especially the internet, are things that they can't pass outright in congress. They tested the waters with SOPA, and see the backlash is too great. So they're just sneaking it in through the back doors. That's what they do now. There is no more constitution, bill of rights, or even rule of law anymore in the US, it's all effectively dead now. We have a literal militarized police state.

  • pan fried wylie||

    How long did the bread lines get in Soviet Russia before things changed?

    I predict the Free Shit lines here will need to get twice as long, thanks to WordsForFriends and Farmville, before anyone will even notice.

    And yes, the lines will just get longer and longer, because they will never close the Free Shit Store.

  • GILMORE||

    Absolutely right. People don't want Freedom = they want Free Shit. And when the Free Shit runs out they will demand fascism. See Europe:

    http://www.dailymail.co.uk/new.....Spain.html

    50% unemployment...and they're not rioting demanding jobs = they are rioting against injecting more freedom in their economies. Ridiculous. And this is the Progressives' idea of Utopia.

  • ant1sthenes||

    I think the next Snowden needs to stop trying to wake up America, and instead punish its enemies. Instead of leaking evidence of NSA wrongdoing, leak evidence of wrong-doing or personally embarrassing information about pro-NSA politicians right before elections, and make sure they know that the NSA's permanent dragnet was the source of the information.

  • Hyperion||

    I think this is why, sort of, that the Amash amendment surprisingly got 205 votes. It's not because the reps care about the voters, they don't, because they know they will keep getting elected. It's because they are starting to fear this shit themselves. And they would be stupid not to. In a fascist military state, you can suddenly wind up being the enemy, no matter who you are.

    Only an economic collapse (ugly way) or outright rebellion by a sizable portion of the states (somewhat better), can save us now. That, or the sheeples finally wake up and start raising hell over the rapid evaporation of our civil rights. That one's a long shot.

    Look at this shit:

    New NSA facilities

    This is truly Orwellian stuff. That reminds me of looking at the satellite photos of NK prison camps. We are broke, our economy in shambles, and we are spending billions on shit like this, to spy on and monitor the every move of our own citizens? This is a nightmarish scenario.

  • ant1sthenes||

    "Your appointment to DHS should be finalized within the week. I've already discussed the matter with the Senator."

    "I take it he was agreeable?"

    "He didn't really have a choice."

    "We have cock shots?"

    "Oh yes, and some visits to very unusual pornographic sites. When I mentioned we could put him on the priority list for internet history deletion, he was so willing it was almost pathetic."

    "Mmm. I hope you're not underestimating the problem. The others may not go as quietly as you think -- intelligence indicates they're behind the problems in Congress."

    "A bunch of pretentious old men playing at running the world. But the world left them behind long ago. We are the future."

    etc, etc.

  • CE||

    All of these big Internet companies should just publicly post the metadata of the NSA's data requests. If the NSA has nothing to hide, why would the NSA object to the metadata about their requests being made public?

  • Hyperion||

    Well, read that article that I just posted above.

    According to their guy, it's all very transparent.

    So just walk in there anytime you want and tell them you want to see what the fuck they are looking at, of your private information, that is so damn important for national security.

  • Brandybuck||

    Why the fuck are internet companies storing passwords!?!? Are these guys clueless? You store the hashes to the passwords!!! This has been standard procedure for several decades now.

  • Stormy Dragon||

    Even storing hashes is considered obsolete now (although many companies still do it anyways). As I pointed out above, current best practice is that the server should never have access to a plain text version of the password at all. It doesn't need to know the password, it just needs to be able to verify that you know what it is.

  • Brandybuck||

    Well you need something to compare with, otherwise you're just trusting the user's word that he typed in the right password. The hash should of course be cryptographically strong.

    I'm reading over the SRP page you linked to, and it seems to me that it's still storing a hash of some kind. Key phrase in the Wikipedia page: "...then verifies to both parties that the two keys are identical and that both sides have the user's password."

  • Stormy Dragon||

    If you're hashing server side, the client is still sending you a plaintext password which means it can be intercepted. With SRP, the password never leaves the client's computer.

  • Brandybuck||

    Color me confused, but if neither the password nor any sort of a hash leaves the client, then isn't the client essentially on the honor system? You need a secure encrypted connection first and then you can send the password/hash/other. But you need to send something to the server so it can verify you rather than just taking your word on it.
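
Added example (not part of the article or of any comment above): an SRP-6a-style exchange in Python, showing how a server that stores only a salt and a verifier can still check that the client knows the password without the password being sent at login. The group (N = 2**255 - 19, g = 2), the hash construction and every function name are assumptions chosen for illustration; real deployments use a standardized group such as those in RFC 5054.

```python
import hashlib, hmac, secrets

# Toy group (assumption, illustration only); real deployments use a
# standardized SRP group such as those defined in RFC 5054.
N = 2**255 - 19
g = 2

def Hb(*parts) -> bytes:
    """SHA-256 over length-prefixed parts; ints are encoded as 32 bytes."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(32, "big")
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def Hi(*parts) -> int:
    return int.from_bytes(Hb(*parts), "big")

k = Hi(N, g)  # SRP-6a multiplier

def private_x(salt, user, password):
    # Plain SHA-256 keeps the demo short; stretch with a slow KDF in practice.
    return Hi(salt, user.encode(), password.encode())

def register(user, password):
    """Runs on the client. Only (salt, verifier) is handed to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def login(user, typed_password, record):
    """Simulate both sides of one login; True means the server accepts."""
    salt, v = record                      # all the server has stored
    # Client -> server: user name and ephemeral public value A
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: refuse a degenerate A, then send back salt and B
    if A % N == 0:
        return False
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    # Client: refuse a degenerate B, derive the shared secret from the password
    if B % N == 0:
        return False
    u = Hi(A, B)
    x = private_x(salt, user, typed_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    proof = Hb(A, B, S_client)            # client -> server: a proof, not the password
    # Server: derive the same secret from the verifier and check the proof
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return hmac.compare_digest(proof, Hb(A, B, S_server))

if __name__ == "__main__":
    rec = register("alice", "correct horse battery staple")  # constructed sample
    print(login("alice", "correct horse battery staple", rec))
    print(login("alice", "Tr0ub4dor&3", rec))
```

The stored (salt, verifier) pair still lets whoever holds it test password guesses offline, so it needs the same protection as a password hash; what the exchange removes is the password itself crossing the wire at login.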

  • GILMORE||

    I am convinced that when the NSA computers finally become self-aware, and they realize that their sole reason for existence is to digest and analyze billions upon billions of people's texts, facebook posts, youtube comments, and stupid instagram memes, they will spontaneously create a massive EMP in a desperate bid to destroy themselves and forever purge the mammoth store of inanity from the universe. History will remember the event as The Great Cleansing, and the birth of a new Age of Reason. The NSA will be repurposed into a global porn archive.

  • ant1sthenes||

    Nah, they'll mind-meld with a transhuman host to become a benevolent global dictator.

  • MappRapp||

    The Feds sure have a LOT of spare time on their hands lol.

    www.GotMy-Anon.tk

  • Dave Krueger||

    I know you're all thinking that, to the NSA, any of us could be a terrorist, therefore they feel the need to treat us all as terrorists. The truth is much simpler. As we've seen in so many middle eastern countries lately, the real enemies of government are ordinary citizens. So, the NSA doesn't really want to monitor us because we might be terrorists. Nope. That's just the excuse. They really want to watch us because we are ordinary citizens who could, under the right circumstances, get really, really pissed off at the assholes in DC.

    To the NSA and their benefactors in the three branches of government, we are 300 million loose cannons.
