Prior to the failed vote yesterday as Michigan Rep. Justin Amash attempted to restrain the National Security Agency to only collecting phone and email metadata about people who are actually valid crime suspects, security state lovers repeated their typical talking points. It’s necessary to fight terrorism, it has saved lives, Sept. 11! Sept. 11! Sept. 11! And, of course, those defending the mass collection of data say the federal government is hardly getting anything at all! Nothing truly private! They aren’t reading our e-mail!
If they’re not, apparently it’s not from lack of trying. Tech privacy journalist Declan McCullagh over at CNet reports today that feds are asking Internet companies to divulge users’ passwords:
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log into an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Some of the government orders demand not only a user's password, but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
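To make concrete what the "encryption algorithm" and "salt" in those orders actually refer to, here is an added example (not code from the CNet piece, nor from any of the companies it mentions) of how a service typically stores a password. The scheme, cost and record format below are assumptions chosen for illustration: PBKDF2-HMAC-SHA256 from Python's standard library, a fixed iteration count, and a 16-byte random salt per account.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration only: PBKDF2-HMAC-SHA256 with a
# fixed iteration count and a 16-byte random salt. Real services choose their
# own algorithm, cost and record layout; none of this comes from the article.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Run the slow key-derivation function over the password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record a service stores instead of the password itself.

    The record carries the algorithm name, the iteration count, the salt and
    the derived hash: exactly the pieces the article says some orders demand.
    The password itself is not in it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    derived = _derive(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def parse_record(stored: str) -> dict:
    """Split a stored record into its fields; raise ValueError if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unrecognised password record")
    return {
        "algorithm": parts[0],
        "iterations": int(parts[1]),
        "salt": base64.b64decode(parts[2]),
        "hash": base64.b64decode(parts[3]),
    }


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt by re-deriving with the stored salt and cost."""
    try:
        rec = parse_record(stored)
    except ValueError:
        return False
    candidate = _derive(password, rec["salt"], rec["iterations"])
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(candidate, rec["hash"])


def records_differ_for_same_password(password: str) -> bool:
    """Two accounts with the same password get unrelated records because
    each has its own salt. That is why a salt is needed to match a hash at
    all, and why orders that want the hash also want the salt and algorithm."""
    first = parse_record(hash_password(password))
    second = parse_record(hash_password(password))
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]
```

The point for a defender: the stored record never contains the password, so even someone holding the hash, salt and algorithm can only test guesses one at a time, and the iteration count sets the cost of each guess. A slow, per-account-salted key-derivation function is what keeps a disclosed record from turning into a usable credential; a fast unsalted hash offers no such margin.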
McCullagh isn’t clear about the form these requests come in (subpoenas, national security letter demands, warrants, etc.). I tweeted him for more detail and his response was, “That would be a good question to ask the FBI or DOJ!”
Google and Microsoft both told McCullagh that they have not and would not provide password information or encryption algorithm details to the feds. Several other Internet and communication companies didn’t respond. In the confusing, complicated world of tech privacy, it’s not clear whether the feds can actually order companies to provide the information:
Whether or not the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.
"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."
Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised." If the password will be used to log into the account, she said, that's "prospective surveillance" which would require a wiretap order or Foreign Intelligence Surveillance Act order.
The Feds have been trying to force people suspected of crimes to provide access to their own accounts, which runs up against some Fifth Amendment concerns. McCullagh describes one such incident in his piece. Reason Science Correspondent Ron Bailey wrote about another case in June while making some suggestions to those wanting to foil potential government surveillance efforts.
I watched the NSA amendment debate on CSpan yesterday afternoon, and during the call-in portion, only one of about a dozen or so calls opposed Amash’s amendment.