Those Feds Who Aren't Reading Our Stuff Are Demanding Internet Companies Give Up Our Passwords

They also want info on how they're encrypted

Scott Shackford | 7.25.2013 4:45 PM

(Arkadi Bojaršinov | Dreamstime.com)

"Now who's being naive, Marge?" — Credit: Arkadi Bojaršinov | Dreamstime.com

Prior to the failed vote yesterday as Michigan Rep. Justin Amash attempted to restrain the National Security Agency to only collecting phone and email metadata about people who are actually valid crime suspects, security state lovers repeated their typical talking points. It's necessary to fight terrorism, it has saved lives, Sept. 11! Sept. 11! Sept. 11! And, of course, those defending the mass collection of data say the federal government is hardly getting anything at all! Nothing truly private! They aren't reading our e-mail!

If they're not, apparently it's not from lack of trying. Tech privacy journalist Declan McCullagh over at CNet reports today that feds are asking Internet companies to divulge users' passwords:

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log into an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's password, but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

McCullagh isn't clear about the form these requests come in (subpoenas, national security letter demands, warrants, etc.). I tweeted him for more detail and his response was, "That would be a good question to ask the FBI or DOJ!"

Google and Microsoft both told McCullagh that they have not and would not provide password information nor encryption algorithm info to the feds. Several other Internet and communication companies didn't respond. In the confusing, complicated world of tech privacy, it's not clear if the feds can actually order companies provide the information:

Whether or not the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised." If the password will be used to log into the account, she said, that's "prospective surveillance" which would require a wiretap order or Foreign Intelligence Surveillance Act order.

The Feds have been trying to force people suspected of crimes to provide access to their own accounts, which runs up against some Fifth Amendment concerns. McCullagh describes one such incident in his piece. Reason Science Correspondent Ron Bailey wrote about another case in June while making some suggestions to those wanting to foil potential government surveillance efforts.

I watched the NSA amendment debate on CSpan yesterday afternoon, and during the call-in portion, only one of about a dozen or so calls opposed Amash's amendment.

Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.

NEXT: Teachers Union Attacks Virginia Candidate's Homeschooling Proposal

Hide Comments (50)

Editor's Note: As of February 29, 2024, commenting privileges on reason.com posts are limited to Reason Plus subscribers. Past commenters are grandfathered in for a temporary period. Subscribe here to preserve your ability to comment. Your Reason Plus subscription also gives you an ad-free version of reason.com, along with full access to the digital edition and archives of Reason magazine. We request that comments be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of reason.com or Reason Foundation. We reserve the right to delete any comment and ban commenters for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

The Late P Brooks 12 years ago

Something something nothing to fear.
SIV 12 years ago

If you're not a drug trafficking terrorist pedophile you have nothing to hide.
1. CE 12 years ago
  
  Unless you routinely criticize the government, who now has the power to frame you as such.
Sudden 12 years ago

All your passwords are belong to us.
DJF 12 years ago

Ha, they will never figure out my password. 0123456789
1. umh 12 years ago
  
  Try 0123456789almostanything and you're good. For all practical purposes a long password is unbreakable, however all bets are off if they have a back door or you use a common phrase.
  1. Bluestrike2 12 years ago
    
    Actually, that's fairly horrible advice. The 0123456789 string is itself incredibly common in a context that almost matches, verbatim, your suggestion. What's more, on an individual level, most people tend to stick to certain patterns for themselves. I have my prefix, I add an extra word, and I'm sticking to that pattern. Nevermind the fact that I'm radically decreasing the effort necessary for a cracker to work through any two of my passwords, for instance.
    
    Rather than rehashing advice you'll find elsewhere given that I'm tired at the moment, I'll just point you to a discussion on an XKCD comic on the subject. The math in the comic is correct for what it's worth, and the accompanying discussion is quite illuminating:
    
    http://security.stackexchange......passphrase
    
    Long story short, we have a tendency to allow cognitive biases to blind us with passwords. The Tr0ub4dor&3 phrase seems random and obscure compared to "correct horse battery staple," but in fact, the opposite is true. The passphrase here represents a higher measure of entropy (~44 compared to ~28) without the easy to quantify underlying pattern of the first.
    
    If you're interested, read up on the diceware list as a tool for generating random passphrases that can be remembered by a human:
    
    http://world.std.com/~reinhold/diceware.html
2. Generic Stranger 12 years ago
  
  One two three four five? That's the kind of thing an idiot would have on his luggage!
Matrix 12 years ago

"Reject the voices that warn of tyranny..." - Dumbass

Fuck you, shitbag president!
1. pan fried wylie 12 years ago
  
  Forgetting the past has always worked in the past.
  
  At least, I think so, since I forgot it already.
2. CE 12 years ago
  
  You know who else rejected the voices that warned of tyranny?
  1. Hyperion 12 years ago
    
    The people of every society in history that has ever fallen into tyranny, right before the fall?
    
    History must be the hardest subject, ever.
    1. Libertymike 12 years ago
      
      Well, how about the poster formerly known as TAO?
3. Mickey Rat 12 years ago
  
  Only a tyrant has to worry about warnings of tyranny, and YOU"RE not a tyrant, are you?
pan fried wylie 12 years ago

it has saved lives, Sept. 11! Sept. 11! Sept. 11

There are, what, 5k lives that weren't saved on Sept. 11 despite direct knowledge of the plan that killed them.

But yeah, datamining a bunch of irrelevant garbage will somehow save lives that direct knowledge couldn't. THE RIGHT PEOPLE ARE IN CHARGE, YOU FUCKING OBSTRUCTIONIST PEONS!111ONEONESOMALIA!!111ONE
1. Andrew S. 12 years ago
  
  We would face a 9/11 every day if not for our brave NSA. Since 3,000 or so people died on 9/11, our brave President has saved somewhere around 5 million people from dying in terror attacks. Why do you want 5,000,000 Americans to die, libertarians?
  1. Invisible Finger 12 years ago
    
    Because it would be cheaper if terrorists did it for free rather than waste salaries on Obamacare death panels and police departments to produce the same results.
    1. pan fried wylie 12 years ago
      
      Why do you hate Jobs?Q!!Somalia!11wonwonwonw
  2. umh 12 years ago
    
    You have bad dreams I see. I a non sequitor in your logic.
2. Anonymous Coward 12 years ago
  
  It's a good thing all of this spying is going on. Somebody might have set off an explosive at some big event like the Boston Marathon.
  
  Oops! Too soon?
Gojira 12 years ago

Using the internet is a privilege, not a right! Plus, the information being sent and received is going through third parties, so you can have absolutely no expectation of privacy!

The solution is obvious; if you don't want the feds to read your stuff, then never use the internet for anything at all, QED.
1. umh 12 years ago
  
  I think you're onto something. Maybe the terrorist don't trust online encryption.
Fist of Etiquette 12 years ago

Google and Microsoft both told McCullagh that they have not and would not provide password information nor encryption algorithm info to the feds.

And now we await the leak that informs us they have, in fact, given up those passwords.
1. pan fried wylie 12 years ago
  
  3 felonies a day * how many employies + corporate infractions (do we have a daily rate for that?) can be pretty compelling.
  
  Plus Anti-Trust-We-Can-Fuck-You-Whenever-We-Want legislation.
  
  How was MS allowed to include a PDF reader and Skype in Win8 without going to court again?
2. CE 12 years ago
  
  They didn't "provide" password information to the feds... they just left the password list in an unencrypted file at a third party server that the NSA knew about.....
Hyperion 12 years ago

I watched the NSA amendment debate on CSpan yesterday afternoon, and during the call-in portion, only one of about a dozen or so calls opposed Amash's amendment

Call-ins? By the serfs? Hahaha! Our betters have better things to do than listen to the lowly people who elected them.
1. CE 12 years ago
  
  And 88 percent of the letters in my Congressional District to our Congressthief were against the TARP bailouts, but he voted for it anyway, and was reelected, because the other candidate was on the other team.
  1. Hyperion 12 years ago
    
    Well, they might take our freedoms, but at least we'll never vote for a Rethuglican! Reverse this, and it's the same, I know. Both teams have retarded constituent team cheer leaders.
Stormy Dragon 12 years ago

If the companies were properly securing their systems, they shouldn't have any of their users passwords to begin with:

http://en.wikipedia.org/wiki/S.....d_protocol

Of course, they don't end up paying when accounts get compromised which means most of them don't bother to properly secure their systems and most of them can probably comply with the request.
1. Brandybuck 12 years ago
  
  Anyone storing their users passwords as plaintext should be tarred, feathered, and ridden out on the rails, never again to sully the net with their putrescent presence.
Nazdrakke 12 years ago

I'm trying (and failing) at this point to envision an act by our government that would shake a majority of the people of our country out of their complacency. I'm trying to think of something that tyrannical regimes do that has not been undertaken in some way by our own government in the last decade and accompanied by a resounding "meh" by the citizenry.

We are so fucked.
1. Gojira 12 years ago
  
  Complete confiscation of all weapons, plus enforced murder-on-sight of all non-whites and gays.
  
  Something to get both sides riled up.
  1. jesse.in.mb 12 years ago
    
    Complete confiscation of all weapons, plus enforced murder-on-sight of all non-whites and gays.
    
    Best Pink Pistols recruiting strategy ever.
2. Hyperion 12 years ago
  
  I can tell you what will do it. But I wouldn't call it Tyranny.
  
  Cut off the free shit. Which they will have to, as soon as the money runs out. So, yes, we are fucked.
  
  But what they are doing now, an all out assault on freedom and especially the internet, are things that they can't pass outright in congress. They tested the waters with SOPA, and see the backlash is too great. So they're just sneaking it in throught the back doors. That's what they do now. There is no more constitution, bill of rights, or even rule of law anymore in the US, it's all effectively dead now. We have a literal militarized police state.
  1. pan fried wylie 12 years ago
    
    How long did the bread lines get in Soviet Russia before things changed?
    
    I predict the Free Shit lines here will need to get twice as long, thanks to WordsForFriends and Farmville, before anyone will even notice.
    
    And yes, the lines will just get longer and longer, because they will never close the Free Shit Store.
  2. GILMORE 12 years ago
    
    Absolutely right. People dont want Freedom = they want Free Shit. And when the Free Shit runs out they will demand fascism. See Europe:
    
    http://www.dailymail.co.uk/new.....Spain.html
    
    50% unemployment...and they're not rioting demanding jobs = they are rioting against injecting more freedom in their economies. Ridiculous. And this is the Progressives idea of Utopia.
ant1sthenes 12 years ago

I think the next Snowden needs to stop trying wake up America, and instead punish its enemies. Instead of leaking evidence of NSA wrongdoing, leak evidence of wrong-doing or personally embarrasing information about pro-NSA politicians right before elections, and make sure they know that the NSA's permanent dragnet was the source of the information.
1. Hyperion 12 years ago
  
  I think this is why, sort of, that the Amash amendment surprisingly got 205 votes. It's not because the reps care about the voters, they don't, because they know they will keep getting elected. It's because they are starting to fear this shit themselves. And they would be stupid not too. In a fascist military state, you can suddenly wind up being the enemy, no matter who you are.
  
  Only an economic collapse(ugly way) or outright rebellion by a sizable portion of the states (somewhat better), can save us now. That, or the sheeples finally wake up and start raising hell over the rapid evaporation of our civil rights. That one's a long shot.
  
  Look at this shit:
  
  New NSA facilities
  
  This is truly Orwellian stuff. That reminds me of looking at the satellite photos of NK prison camps. We are broke, our economy in shambles, and we are spending billions on shit like this, to spy on and monitor the every move of our own citizens? This is a nightmarish scenario.
  1. ant1sthenes 12 years ago
    
    "Your appointment to DHS should be finalized within the week. I've already discussed the matter with the Senator."
    
    "I take it he was agreeable?"
    
    "He didn't really have a choice."
    
    "We have cock shots?"
    
    "Oh yes, and some visits to very unusual pornographic sites. When I mentioned we could put him on the priority list for internet history deletion, he was so willing it was almost pathetic."
    
    "Mmm. I hope you're not underestimating the problem. The others may not go as quietly as you think -- intelligence indicates they're behind the problems in Congress."
    
    "A bunch of pretentious old men playing at running the world. But the world left them behind long ago. We are the future."
    
    etc, etc.
CE 12 years ago

All of these big Internet companies should just publicly post the metadata of the NSA's data requests. If the NSA has nothing to hide, why would the NSA object to the metadata about their requests being made public?
1. Hyperion 12 years ago
  
  Well, read that article that I just posted above.
  
  According to their guy, it's all very transparent.
  
  So just walk in their anytime you want and tell them you want to see what the fuck they are looking at, of your private information, that is so damn important for national security.
Brandybuck 12 years ago

Why the fuck are internet companies storing passwords!?!? Are these guys clueless? You store the hashes to the passwords!!! This has been standard procedure for several decades now.
1. Stormy Dragon 12 years ago
  
  Even storing hashes is considered obsolete now (although many companies still do it anyways). As I pointed out above, current best practices is that the server should never have access to a plain text version of the password at all. It doesn't need to know the password, it just needs to be able to verify that you know what it is.
  1. Brandybuck 12 years ago
    
    Well you need something to compare with, otherwise you're just trusting the user's word that he typed in the right password. The hash should of course be cryptographically strong.
    
    I'm reading over SRM page you linked to, and it seems to me that it's still storing a hash of some kind. Key phrase in the wikipedia page: "...then verifies to both parties that the two keys are identical and that both sides have the user's password."
    1. Stormy Dragon 12 years ago
      
      If you're hashing server side, the client is still sending you a plaintext password which means it can be intercepted. With SRP, the password never leaves the client's computer.
      1. Brandybuck 12 years ago
        
        Color me confused, but if neither the password or any sort of a hash leaves the client, then isn't the client essentially on the honor system? You need a secure encyrpted connection first and then you can send the password/hash/other. But you need to send something to the server so it can verify you rather than just taking your word on it.
GILMORE 12 years ago

I am convinced that when the NSA computers finally become self-aware, and they realize that their sole reason for existence is to digest and analyze billions upon billions of peoples texts, facebook posts, youtube comments, and stupid instagram memes, they will spontaneously create a massive EMP in a desperate bid to destroy themseleves and forever purge the mammoth store of inanity from the universe. History will remember the event as The Great Cleansing, and the birth of a new Age of Reason. The NSA will be repurposed into a global porn archive
1. ant1sthenes 12 years ago
  
  Nah, they'll mind-meld with a transhuman host to become a benevolent global dictator.
MappRapp 12 years ago

The Feds sure have a LOT of spare time on their hands lol.

http://www.GotMy-Anon.tk
Dave Krueger 12 years ago

I know you're all thinking that, to the NSA, any of us could be a terrorist, therefore they feel the need to treat us all as terrorists. The truth is much simpler. As we've seen in so many middle eastern countries lately, the real enemies of government are ordinary citizens. So, the NSA doesn't really want to monitor us because we might be terrorist. Nope. That's just the excuse. They really want to watch us because we are ordinary citizens who could, under the right circumstances, get really, really pissed off at the assholes in DC.

To the NSA and their benefactors in the three branches of government, we are 300 million loose cannons.

Please log in to post comments

Those Feds Who Aren't Reading Our Stuff Are Demanding Internet Companies Give Up Our Passwords

They also want info on how they're encrypted

Latest

Javier Milei's Free Market Reforms Are Starting To Pay Off

Americans Are Deeply Skeptical of Trump's 'Liberation Day' Tariffs

Can Trump Broker a TikTok Sale Before the April 5 Deadline?

Nina Jankowicz's Defense of Government Censors Is Based on Misinformation

Innocent Father or MS-13 Gang Member?

Recommended

Login Form