[hcs-d] Government wiretapping

Joshua Kroll kroll at cs.princeton.edu
Tue Sep 28 15:10:15 EDT 2010


On Tue, Sep 28, 2010 at 2:57 PM, Joe Zimmerman <joe at hcs.harvard.edu> wrote:
>
>> I have to disagree with you here.  The technical conversation is
>> essential -- the 'jobs' argument or 'innovation' argument is empty if
>> it isn't backed by the reality of what the impact would be on the
>> technology that drives that innovation and provides those jobs.  And
>> this is a technical forum, not the letters page of the NYT or a policy
>> brief for lawmakers' desks -- it's exactly the kind of place where
>> that kind of technical conversation has a home.  So I don't think
>> anyone should be shamed for carrying on that conversation.
>
> Correct me if I'm wrong, but I don't think Josh was intending to shame
> anyone; I interpreted "making the discussion about..." to mean "making the
> public discussion about...", not "making our discussion about...". I
> completely agree that we should discuss the technical aspects here, in depth
> and loudly.

Yes, sorry. I think I was trying to do two things:

1. Say "don't make the public discussion about esoteric parts of this
that ultimately have correct engineering answers. The public wants to
discuss tradeoffs, not be told that it's wrong."
2. Point out that the proposal isn't really Clipper all over again,
which the tech community seems to be viewing it as. If we do that, we
miss the importance of the other issues, technical and non. Instead,
we focus on an invented debate and push the entire issue into the
realm of "broken policymaking" instead of engaging usefully on the
really hard, really very technical issues that will likely come up as
lawmakers actually see and begin to review this proposal.

Specifically, we miss the (technical) issue you describe: that placing
a burden on service providers hurts the ability of anyone with no
capital but knowledge and an idea to start a company on the Internet.
There's a whole argument to be made there, for example, around the
costs of security just from the added complexity and added risk. As I
mentioned, there's a good literature of people breaking CALEA systems.
And those aren't generally connected to the Internet. There's also a
good literature about what to do with cell phone location information
(yes, even without a GPS, AT&T knows where you are every 6 seconds).

And we miss the equally important (also technical) issue that is
determining how and what law enforcement powers should be limited to
in a new version of ECPA. Since that's what the proposal is trying to
do, that's the (still technical) debate we should be having: given
that law enforcement has a reasonable interest in doing something like
wiretapping under the auspices of the courts, what are the technical
boundaries to what they can do, what should services be obligated to
provide and not provide, and when will they need what level of
oversight? Should they be able to get DNS queries without a warrant?
URLs? IP addresses? Might those be incriminating at the level that
grants them 4th Amendment protection? Why? Why not? The original
jurisprudence here goes back to the fact that letter carriers could
read the outside of an envelope but not what was on the inside. Thus,
as technology developed, so-called "envelope information" was never
protected.


More information about the hcs-discuss mailing list