And who knows what else is still secret. A good rule of thumb is that if something's in the "cloud" or hosted on someone's computer that you don't directly control, you should assume that LEOs have access to it.
When all the data is centralized, you don't care about the end-point encryption. All you care about is having access to all the databases.
None of these are the reason. The reason is that HTTPS traffic is generally between a service provider (i.e., company) and an end user, and the former can be easily subpoenaed and compelled to disclose data during an ongoing investigation into the latter.
The USG doesn't need to (and doesn't bother to) break HTTPS for domestic LEO, because existing mechanisms are easier and approved by the courts.
I don't think it is. The person I'm responding to seems to be implying that the USG doesn't worry about HTTPS because they've broken it or otherwise extralegally subverted it. I'm saying that the USG doesn't worry about HTTPS because they have effective legal mechanisms for domestic investigations, and using extralegal means domestically is more of a headache than it's worth.
No, read my comment again. Every one of the links shows a completely legal way to grab someone's data from any company. The whole point of my initial comment was to point out that legal system is so well primed against any privacy pushback that it's irrelevant what data is encrypted in transit. All the repositories and databases are just one NSL away. And NSLs are so easy to get that you don't even need to convince a judge to approve one.
>By using NSLs, the FBI can directly order companies to turn over information about their customers and then gag the companies from telling anyone that they did so. Because the process is secret, and because even the companies can’t tell if specific NSLs violate the law, the process is ripe for abuse.
>A judge does not have to approve the NSL or an accompanying gag order.
>Over 300,000 NSLs have been issued in the past 10 years alone. The most NSLs issued in a single year was 56,507 in 2004. In 2013, President Obama’s Intelligence Review Group reported; that the government continues to issue an average of nearly 60 NSLs every day. By contrast, in 2000 (the year before the passage of the USA PATRIOT Act that loosened NSL standards), 8,500 NSLs were issued.
NSLs can't get access to encrypted content, only metadata. Metadata can also reveal way too much, but we also need to be realistic about this conversation. Law enforcement will abuse every avenue they have (including NSLs), but the GP is also largely right, by and large they'll just go get a rubber stamped subpoena.
> 1. HTTPS relies heavily on DNS. It’s as secure as DNS is. Nuff said.
I don't think this is true: HTTPS (and TLS >= 1.3) provide a suite of protections that mostly address perceived weaknesses in DNS (ECH, ESNI, CT logging, HSTS, etc.).
As for DNS itself: DoH and DoT is widely available, and my understanding is that all major browsers currently support one or the other. I've been using outbound DoH for at least two years at this point via Pi-hole.
I interpreted "law enforcement doesn't seem to care [...]" as a claim that domestic LEO has meaningfully broken HTTPS on general traffic, which I don't believe is the case. But if you meant that they don't care because they have legal access mechanisms that already suit their purposes, then I agree.
It's a catch-all term for all the law enforcement people. There's now so many organizations that can get your data through warrants, and some even without warrants, so that's a convenient term to use. And especially if you're not a citizen/resident of the US since the Fourth Amendment does not apply to you. But it's not like the 4A has stopped them or slowed them down anyway.
NSLs: https://www.eff.org/issues/national-security-letters/faq
Dragnet/Geofence warrants: https://www.nbcnews.com/news/us-news/google-tracked-his-bike... and https://www.logically.ai/articles/geofence-warrants-on-the-r...
Dragnet/Mass-surveillance keyword warrants: https://www.forbes.com/sites/thomasbrewster/2021/10/04/googl...
Dragnet/mass-scanning of online storage: https://www.forbes.com/sites/thomasbrewster/2021/12/20/googl...
PRISM: https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
RAMPART-A: https://en.wikipedia.org/wiki/RAMPART-A
Forced backdoors into "encrypted" email: https://www.theregister.com/2020/12/08/tutanota_backdoor_cou...
And who knows what else is still secret. A good rule of thumb is that if something's in the "cloud" or hosted on someone's computer that you don't directly control, you should assume that LEOs have access to it.
When all the data is centralized, you don't care about the end-point encryption. All you care about is having access to all the databases.