Can someone describe to me the important work they are doing maybe in 5 bullet points? Im cool with donating, but I would love to see why... I don't want my cash going towards something that is just another political scheme to raise cash.
#1 investigates breaches of Internet civil liberties.
#2 Provide legal support to people who's civil liberties has been violated. Mostly related to free speech.
#3 Protects security researchers from government harassment, particularly those who produce encryption software.
#4 Develops software security tools, like https everywhere.
#5 Uses legal tools to get government to admit and publicly release documents related to surveillance, incorrect search and seizures, anti-file sharing laws, patents and free speech. see more at https://en.wikipedia.org/wiki/List_of_litigation_involving_t...
I'd also like to add that you can just call them up and ask about stuff. Try that at a regular law firm. A few years back I was threatened with a cease and desist because commenters on my site were talking about someone. I called the EFF and they put me right through to a lawyer who explained that the DMCA, of all things, protected me as a service provider, and that I could essentially tell the other party to go fuck themselves.
I mean, they didn't say it like that.... But still, very valuable. Likely saved me thousands of dollars with a 5 minute phone call.
And, my god, I never would have expected to have to hide behind the DMCA (Digital Millennium Copyright Act)! I used to protest against that thing like a maniac before it was passed!
Come on, you didn't know what was in the bill but were against it because someone on the internet said "it's bad"?
Seriously, 5 minutes on wikipedia is all it takes.
He didn't say he didn't know what was in the bill, just that he needed a lawyer's advice on the bill's interpretation. That's what lawyers are for. Wikipedia does not provide legal advice.
There's plenty bad with the DMCA and how companies use and abuse it to be against it, but it can also be used for good.
>There's plenty bad with the DMCA and how companies use and abuse it to be against it, but it can also be used for good.
yeah, we protested back in the day because the DMCA made it illegal to decrypt DVD's with DeCSS, which, to this day, is why you cannot watch DVD's legally in Linux without paying someone. For our protest, we actually printed out the code to DeCSS and handed it out to people saying "This piece of paper is illegal, you cannot read this piece of paper." http://en.wikipedia.org/wiki/DeCSS
The DMCA did a lot of stuff like this. It essentially laid the groundwork for future Internet and IP laws. It was the first law to address the content of the Internet, so it was a bit of a landmark.
The clause that's in there that ended up protecting me was where the DMCA states that service providers cannot be held accountable for the things their users say. Huge, awesome bit, that. Definitely a serious 20/20 hindsight thing. I can play DVD's on my Linux machine now, too... Though not legally, really.
If you want to fund security tool development, consider contributing directly to that. For instance, the effort to audit Truecrypt is still raising funds:
The security of Truecrypt is incredibly important to privacy efforts.
If you're looking to provide legal support to people, consider donating to ACLU. By the numbers, ACLU appears to be a much more effective way of converting donations to legal support for civil liberties cases. I have some reservations about EFF but unreservedly support ACLU.
As a security researcher working in encryption, I'm not sure what #3 is about. I'm more likely to have the government offer me money (I won't work for the government, haven't in the past, or even accept DARPA grants) than harass me.
EFF is indeed not alone in needing support. For development, The Truecrypt audit is a good example, as well is the tor project. Freedom box is a good third.
ACLU and EFF has joined their forces on several issues. EFF legal support is about Internet civil liberties cases, while ACLU has the broader scope of "the Constitution and laws of the United States". For example, ACLU domain covers anti-war protesters. When one is considering where to send donation money, a larger or small scope has both benefits and drawbacks.
One could argue that that was the past and do not reflect today. Hotz might disagree a bit on that subject, as well as each time someone has had "anti-drm circumvention laws" being thrown at them for doing security research. I personally have not forgotten ACTA as a recent example where today's government still want to create laws that hinders security researcher in their job.
Likewise. I have some reservations about the ACLU (but nonetheless support many areas of their work) but wholeheartedly support the ACLU.
Because I know folks will ask me, I think that antidiscrimination law and things like first amendment rights so frequently conflict that I think there is a real conflict of interest when an organization takes on both. The ACLU does take on both, or they claim to, but this usually means pushing antidiscrimination law over first amendment issues, which I think is a real problem.
The ACLU's position in a lot of issues like Hosana Tabor v. EEOC was wrong (so wrong that all 9 justices disagreed with the ACLU and stood up instead for civil liberties), and they are for corporate free speech on political issues (Citizens United) unless that is discriminatory (Willock Photography). And so forth.
> If you're looking to provide legal support to people, consider donating to ACLU.
The ACLU is doing some important work, particularly in the areas of drones and areas outside the EFF's focus.
I am not that enthusiastic about the ACLU because I think their defence of first amendment issues is rather tepid and has been for decades. In the 1950s they kicked my mother's uncle out for defending the rights of the Communist Party USA to peaceably assemble, and today I am really not happy with the way they look at religious liberty.
The problem with religious liberty and the ACLU is that they seem to look at it entirely as if it is just a piece of anti-discrimination law and nothing more. For this reason they came down 100% on the wrong side of Hosana Tabor v. EEOC, and have generally opposed religious liberty when it conflicts with other anti-discrimination agendas they push. But the First Amendment is not just another piece of anti-discrimination law, and it must have more force than the Americans with Disabilities Act or the Civil Rights Act. The unwillingness to really defend religious freedom outside of the antidiscrimination context is one reason I can't back the ACLU over the EFF.
I COMPLETELY agree that in the realm of timely causes that the TrueCrypt audit is a very crucial short-term need. Even if you don't use it (and I can't think of may reasons not to!) someone or some project that you like or use probably depends on it. And not being able to say with certainty that it has not been corrupted this needs to be answered.
As far as the EFF and ACLU meh...neither particularly excite me there are distinct differences to be sure. But it is the similarities that make me feel nonplussed about support. The way I think of these orgs if there is something specific you think they do well and more importantly if it makes you "feel good", then give. As for practical results there are other places your money could be better spent.
Don't forget that when they provide legal support it doesn't just help that person: often cases they take are setting legal precedents that will help future cases. Because new technology is new, a lot of its interactions with the law haven't come to courts (or haven't come to federal appeal courts) before.
In effect, they're contributing to making present and future US law. And they're on the side of civil liberties.
Why is that when the government says "But, but computer!" judges abandon common sense and case law. Even when the tables are turned there is still an amazing amount of techno-ignorance in the process. Consider the long ago (tech time anyway) prosecution of Microsoft. The idiots in charge completely ignored their success with IBM and attacked via the browser vector. Andrew Schulman at the time of pre-trial investigation had three books entitled Undocumented this that and the other thing. Each should have been a successful blueprint in terms of anti competitive behavior. Had this and the browser been part of their war chest I think the result would have been considerably stronger (i.e. the bust them apart goal would have been reached) with a appropriately more useful public result. <end_of_slightly_off_topic_rant/>
> Why is that when the government says "But, but computer!" judges abandon common sense and case law.
It's exactly the opposite. It's technologists that say "but, but computer!" and demand special treatment for computers are involved.[1] Judges generally treat computers in terms of real-world analogies to concrete things, and these analogies often clash with idealistic notions held by technologists.
This case is actually an excellent example of that phenomenon. I've heard people say that their laptop/phone/etc is an "extension of their mind" or something to that effect. Because the 5th amendment only applies to testimonial incrimination (because of the use of the word "witness" in the text of the 5th), you need that nexus to the mind in order to justify concluding that forcing someone to give up an encryption key is equivalent to forcing them to testify against themselves.
The more obvious (to me, anyway) analogy is that a laptop/phone is like a backpack or briefcase. I keep documents, photos, notes, etc, in my laptop just as I would keep them in a briefcase. Well, under the case law it is not prohibited under the 5th amendment to force someone to unlock a briefcase! That act has no nexus with a person's internal thoughts and is thus not testimonial.
[1] Other examples include various CFAA-related things. Nobody would defend just walking into peoples' houses and saying "hey, your locks suck!" but defend analogous behavior with regard to computer security all the time. You also see it in the e-mail context. E.g. most people who complain about the government possibly subpoenaing e-mails they store on Google's servers would not see the problem with the government subpoenaing Enron's records they stored at their accounts' premises. Technologists generally want to ignore the obvious physical analogies in favor of ones based on how they perceive the electronic world (i.e. it's "my personal documents" even though it's stored on a cloud and dozens of engineers and sysadmins have access to them).
An unencrypted hard drive may be akin to a briefcase, but what about an encrypted one? Wouldn't that be more like a safe with a combination lock? IIRC, courts still cannot compel one to disclose the combination to unlock a safe, only to provide a key to a lock, exactly because safe combinations exist solely within the defendant's mind--just like most encryption keys. Disclosing the key implies that one has access to the data, which may be incriminating in and of itself with certain data. Even if the key is not provided, and the defendant is allowed to enter their password privately so that prosecutors may inspect the unencrypted data, the act of entering the password in and of itself provides evidence that one is aware of the contents, and thus may be used as evidence against oneself.
One can imagine the possibility that you are required to decrypt the documents, but that fact is itself not admissible in court. The prosecutor would have to demonstrate some other link to prove the files are yours. For instance, if they want to introduce an email found on your encrypted disk, they would claim it belongs to you because your name appears in the To/From field.
What if there is no evidence that the file belongs to the user other than the user knew the key to decrypt it? Would prosecution not be possible? I mean, what if you provide the combination to a safe that contains contraband--drugs or guns or undisclosed cash, but no ledger saying "this is the property of X"--wouldn't the combined facts of discovering of the safe in the possession of the defendant and their disclosure of the combination incriminate them?
I suppose. Even if you don't disclose the combination, I imagine the jury would be quite curious how you came to be in possession of a safe but not its combination.
"Why is that when the government says "But, but computer!" judges abandon common sense and case law"
I can think of a few reasons:
(1) My understanding of the legal theory is that computers are considered to increase the capabilities of the population; hence, the government's power to enforce the law must also be increased. Consider a car analogy: you must display visible license plates to identify your vehicle whenever it is on the road, yet that was never required for horses, carriages, bicycles, or any previous mode of transportation. Likewise with computers: where previously you might have been able to whisper a secret to someone a foot away from you, now you can secretly communicate with someone across thousands of miles.
(2) It is assumed that the spirit of the law must be upheld. If the police are legally allowed to wiretap a suspect as part of an investigation, then encryption must not be allowed to get in the way of that. In other words, technology must not defeat the law, even in spirit.
(3) Conservative views of technology: quite a few judges are still of the opinion that personal computers are just fancy cable boxes, and so doing anything that violates the will of service providers or governments is "abuse." Entering a URL manually is considered to be vastly different from writing a script to generate and fetch URLs automatically, even if there is no technical difference. If you discover that your phone lets you make a free long distance call when you whistle into it, you are a criminal; if you discover that a web server will give you anyone's account number when you enter the right URL, well, you're an even worse criminal.
(4) Ignorance of what is actually possible with computers. See e.g. how Kevin Mitnick was treated when prosecutors claimed he could whistle into a phone line and thus launch a nuclear strike.
Re (2), the idea that LE is entitled to have comms decrypted has never been "the spirit of the law" until very recent legislation. In the days of "alligator clip on the wire", the law allowed the police only to intercept whatever the content was, in the form it was in - it did not compel the people speaking to explain their "code words", or to speak in a language the officers could understand.
It is precisely this fact which makes the current "going dark" argument an example of overreaching and mendacious, bad-faith deceptive rhetoric: encryption does not take away any powers the police formerly had; to the contrary, the demand for decryption goes far beyond traditional wiretapping principles.
I am not saying that I agree with the idea, but one could make an argument that modern cryptography is different from speaking with code words, and that the spirit of wiretapping laws extends to forced decryption. Using code words only barely qualifies as "encryption" at all -- it is certainly not going to meet basic semantic security definitions. Further, codewords are not something is built into any communications equipment, not automated, and computed in one's head -- quite different from TLS or OTR.
One could argue (as the DoJ does) that the spirit of wiretapping law is that the police can, with the approval of a court, temporarily violate a specific suspect's privacy in an electronic communication system. Hence if the system automatically encrypt's the suspect's messages, the police should be able to obtain plaintexts. Phone companies are not exempted from wiretapping requirements when they multiplex phone calls, despite the fact that that is a technical measure that (as a side effect) impedes wiretapping.
Again, this is not an argument I agree with. For one, wiretapping laws do not, as you pointed out, require a suspect to participate in any way in the wiretapping. For another, there is a component of modern encryption that does (or should) occur in a suspect's mind, much like the computation of code words. It is also true that in general, wiretapping laws have expanded far more rapidly than communications technologies have hampered police investigations; the ability of the citizens to have a private conversation is still "catching up."
Actually you are right and I overstated. This has been the distinction in the recent laws, if the provider as opposed to the interlocutors can decrypt it is required.
It is a challenge to build a system that encrypts as part of a service (rather than users encrypting at the endpoints), yet prevents the service operater being able to provide plaintext. In this situation the 5th amendment does not avail, but I think there is a strong argument for the service provider having an option to shut down (like Leveson/Lavabit) rather than cooperate - not on the grounds Leveson argued, but rather by a right to avoid being used as an instrument of fraud. But we digress from the main topic here.
>My understanding of the legal theory is that computers are considered to increase the capabilities of the population; hence, the government's power to enforce the law must also be increased.
The obvious counterargument is that it would have to be a two way street or you would have endlessly expanding government powers. Thus, if computers increase the capability of law enforcement (e.g. to wiretap at scale or search recorded communications without individual law enforcement officials having to listen to them) then the individual's rights against government surveillance must also be increased.
Moreover, if the argument is that we need to maintain the historical balance between privacy and law enforcement interests then even the existing powers of law enforcement go too far, because the technology available to law enforcement officials when the amendments in the Bill of Rights were adopted didn't allow real-time communication between individuals to be recorded whatsoever.
And I have to imagine a lawyer would ask what case establishes this legal theory of government automatically gaining new powers as a result of technological advances, because I'm not aware of any such precedent.
> Consider a car analogy: you must display visible license plates to identify your vehicle whenever it is on the road, yet that was never required for horses, carriages, bicycles, or any previous mode of transportation.
It is easy to draw a distinction between cars and computers because the reason we require identification for cars is not that they are more powerful than bicycles etc., it is that they are more dangerous. Computers, by contrast, are for the most part not dangerous at all. No innocent bystanders are killed when someone uses the internet while intoxicated. Moreover, we can see how the distinction plays out with automobiles, because anyone can use mass transit anonymously, which is clearly much more powerful than a bicycle in rapidly getting you from here to there, but also not very dangerous.
> It is assumed that the spirit of the law must be upheld. If the police are legally allowed to wiretap a suspect as part of an investigation, then encryption must not be allowed to get in the way of that. In other words, technology must not defeat the law, even in spirit.
I'm not seeing any coherent principle in this argument. If the police are legally allowed to stand in the street and look at you through the window when you are standing in your living room, then a curtain "must not be allowed to get in the way of that"?
It seems obvious that just because the use of a technology makes the jobs of law enforcement more difficult doesn't mean that people have no right to use the technology.
And it is also quite beside the point, because I don't think anyone is making the argument that no one can use the specific technology (e.g. encryption), the question is rather whether someone who has already used it can be compelled to reveal the secrets against his will.
> Thus, if computers increase the capability of law enforcement (e.g. to wiretap at scale or search recorded communications without individual law enforcement officials having to listen to them) then the individual's rights against government surveillance must also be increased.
But that's just it. The people have far more ability now to keep their communications secret than they have ever had before. It makes no sense to say that the individual has either less or the same ability to keep their communications secret. PGP has been around how long?
The fact is that people don't care. Maybe they will in the future, but I doubt it given the rise of mobile and its corresponding dependence on the cloud.
Does the Fifth Amendment only apply to US citizens? The reason I ask is this: if I am traveling to the US and the TSA asks me to decrypt my laptop or unlock my phone, am I protected under the Fifth Amendment? Well, are US citizens protected under it at the airport?
2) Does the Fifth Amendment prohibit certain things?
The Fifth Amendment, like the others, generally applies to not just citizens, but legal residents and others who are on U.S. soil.
The second issue is what's interesting here. The literal text of the Fifth Amendment is:
"No person... shall be compelled in any criminal case to be a witness against himself."
Literally, it prohibits people from being forced to testify against themselves in a criminal trial. The Supreme Court has ready it very broadly to prohibit all sorts of other things, but one limit it has recognized is that it still only applies to "testimonial" incrimination. Think: testifying on a witness stand. Non-testimonial acts, like forcing someone to unlock a box, are not covered.
Some courts have held, and the EFF argues, that providing an encryption key is unlike providing the key for a box because it requires you to recount things that are in your memory, and is therefore testimonial.
> Non-testimonial acts, like forcing someone to unlock a box, are not covered.
(IANAL) The example is not 100% applicable. You can only be legally compelled to open a lockbox if doing so provides no testimonial information. If there is uncertainty around whether you had control over the contents of the lockbox, then opening it would definitely provide that information. This action is therefore considered to have a testimonial component, and covered by the 5th Amendment.
You can still be compelled to open the lockbox, if doing so will not run afoul of the 5th Amendment. There are generally two ways to do so. One is that the action does not have a (non-trivial) testimonial component: If there is no doubt that you had control over the contents of the lockbox, then there is effectively no information being provided. The second way is that the testimonial component is not used against you: the prosecution cannot say that you opened it, but is otherwise allowed to use the contents as evidence (with caveats).
A close analogy is: Even if you can be compelled to open a lock box, if it is filled with papers that are in an unknown language, can you then be compelled to translate those documents? That, to me, is the equivalent to providing a decryption key.
I don't think it's a great analogy, because translating documents requires a wholly different level of mental involvement than simply recounting an encryption key. Note that even fishing out and providing a regular key requires some degree of mental involvement.
What about providing information such as what language the document is written in? Of course, the real equiv. is if the document is written in code, then can you be required to reveal the secrets of the code?
> Some courts have held, and the EFF argues, that providing an encryption key is unlike providing the key for a box because it requires you to recount things that are in your memory, and is therefore testimonial.
I am not aware of any court in the US which has held otherwise to be honest.
There are a few cases where individuals were ordered to decrypt contents but in all those cases, it was content that the law enforcement officials had already seen on the computer.
For a parallel, there's a case before the Supreme Court which was just argued over whether the 5th Amendment protects an individual from testifying against himself in the context of a court-ordered psychological evaluation. The likely outcome is that it does unless the defendant raises an insanity defence, and then, as long as the defendant can offer evidence that he was not sane, the state gets to compel him to have an evaluation.
What I am getting at is that the 5th Amendment almost certainly both applies and prohibits, generally, forced decryption at least in the US. There may be cases, however, where the 5th Amendment does not apply because nothing new is revealed to the government that the individual has not already presented.
>The Fifth Amendment, like the others, generally applies to not just citizens, but legal residents and others who are on U.S. soil.
This true only once you are on the soil, not at the entry points. If you are not a US citizen, or at least granted some form of acknowledgement by the government i.e. a visa, the protections of the Constitution and the Bill of Rights do not apply to you. Again, this is true at the entry point to the US[1].
So to come back to the original example: if I enter the US as a non-citizen, can TSA or border security force me to decrypt my hard drive? The answer, with no doubt, is 'absolutely, yes they can'. In the eyes of Homeland security, if you are not a US citizen, you have no rights at the border and they will not hesitate to detain you or send you right back if you are uncooperative.
Literally, it prohibits people from being forced to testify against themselves in a criminal trial.
The 5th Amendment and other parts of the constitution are taken to imply other rights. The Presumption of Innocence is one of these. (Taken to be implied by the 5th, 6th, and 14th amendment.) However in U.S. law, it is fine for jurisdictions to compromise this for certain kinds of crime. Prosecutors may not need to prove motive or intent, for example.
> Prosecutors may not need to prove motive or intent, for example.
This is true but even for strict liability crimes there may be vagueness problems unless you can show some degree of at least a very general intent.
For example consider rape. You can't imprison someone because of a totally reasonable misunderstanding of this sort, so typically you are going to have to construct consent from the view of the accused. This leads to all sorts of things like (in many/most/all? states) the nature of the relationship is relevant. If you wake a woman up with sex and she's your wife and you normally share a bed, no prosecutor anywhere is going to consider that rape, but if you move into the bed of a friend-of-a-friend you let sleep in your guest room and wake her up with sex, that will be.
These things get really complicated. My reading of the cases in the US which have ordered compelled encryption have held that there was already full testimony that the documents existed and were of a certain nature, and were decryptable by the defendant that it was solely a matter of demonstrating what was already testified to.
This is true but even for strict liability crimes there may be vagueness problems unless you can show some degree of at least a very general intent.
The problem here is that the prosecutors hold a lot of sway over how much Presumption of Innocence should be relaxed in each case, as they are the ones who advise the governments of local jurisdictions about these matters. That would be like the umpires always being on the payroll of the home team. I'm not so sure this situation is conducive to a level playing field.
It won't work on Customs and Immigration. When you're talking to them you're not "in the US" yet. After that, yes, the privilege against self-incrimination is granted to everyone in the United States, citizen or not.
Caveat: The "border search exception" has some other pretty enormous holes.
Hopefully a lawyer will chime in, but I searched this a while ago. As a US citizen, CBP cannot require you to answer any questions beyond your customs declaration. They can detain you, but you don't have to say anything; they cannot deny you entry.
As a non-citizen, I don't believe you need to answer any questions, but they may decide to just deny you entry at that point, and it could cause problems if you ever wish to return. Best idea I've heard of is to have your company encrypt the laptop before you travel and do not provide you the key until you're done travelling.
The one case I am aware of was when a CBP agent stated they saw child porn on the laptop, which the person subsequently locked. In that case a court ordered him to provide the key.
Better idea: Buy a laptop when you get here, or have it shipped to you, and load it by downloading from the VPN. Upload your data before you return, and then Wipe/Destroy/Donate before crossing borders.
One of the things I like about my W500 Thinkpad (and my Dell D830 and ilk before that) is that it is insanely easy to swap the hard drive.
If I were concerned about traveling with certain data I would use a travel drive. Swap it in before going, and, as suggested, download what I needed once safely at my destination.
Now I'm wondering if there are other ways to carry that data with me in a format that would resist inspection. For example, on an SD card inside a camera. Or on a DVD. Break up the data into smaller files and named them variations on foo.jog or bar.avi or something, and reassemble things later.
For something like that the question might be whether I could be compelled to install or copy files to the active machine for inspection or evaluation if anyone got wise.
Yes in theory everyone.. not just nationals/citizens are protected by the constitution/bill of rights. But the reality is that no, there are too many exceptions to what was supposed to be a source of truth in our laws to do much more than 'pretend' we are protected by the constitution; citizens or otherwise.
Russians being protected by the 5th Amendment is not an example of Russians being subject to American laws, but an example of the American government being subject to American laws.
In general, the US constitution only specifies "citizens" and not "people" when it's talking about things like voting and holding office, etc. Rights (such as the bill of rights) are generally expressed as belonging to "people", not just the citizens of the US. It's also in the spirit of the declaration of independence that "all men are created equal", which would lead one to believe that they all have certain inalienable rights, citizen or otherwise. Just because the current xenophobic culture that is popular today doesn't jive with that doesn't change it. It also doesn't mean that Russians are subject to American law (at least not while in Russia), but that for things such as rights, they apply to everyone. So, for instance, some would maintain that warrantless searches, "close" to the border or otherwise, are unconstitutional no matter who they are performed on.
That's a wild distortion of the use of the word "people" in the Constitution. Uses of the word "people" in the Bill of Rights must be interpreted consistently with the uses of that word in the Constitution proper. The word "people" is used only twice in the Constitution proper. Once in the Preamble:
"We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."
Once in Article I, Section 2:
"The House of Representatives shall be composed of Members chosen every second Year by the People of the several States."
In both cases, it is clear that "people" refers to the body politic--the people who, by their consent, are governed by the United States.
I would interpret it a different way. Since the other two uses of "people" saw it necessary to clarify, then the word "people" without those clarifications must refer to people in general.
I know this is a bit offtopic but why is the obsession with the semantics and the literal text of the Constitution?
It is just words on paper created by mortal men that certainly were unable to see 200 years into the future. And with the advance of technology some parts will begin to show their age. Both the government and the citizens can do a lot of things right now that they could not foresee.
And yet the idea of the changing, expanding and clarifying it seems to be a taboo in modern US politics. People are only allowed to interpret it, but not allowed to talk about changing it.
It is as close to theology as I could not imagine. I don't know of any other country that treats its founding laws that way.
> I know this is a bit offtopic but why is the obsession with the semantics and the literal text of the Constitution?
The literal text of the Constitution is the current law of the land. That's why its interpretation continues to be relevant. I'm perfectly fine with amending the fuck out of it in theory, but I can agree with most people that such amendments need to be carefully reasoned about before being enacted.
I, for one, don't consider the Constitution to even be correct. I consider it to be real. It's not really different from a man saying, "The sun comes out at night." I feel obliged to correct him, but to do that, I have to acknowledge that he said it.
> It is as close to theology as I could not imagine.
Your mistake is mostly in imagining that it is not theology. It is. [1]
Many people, most notably libertarians, have been co-opted by the refrain of "what the Founders originally meant" and "what the Constitution originally said" as a way to justify their policies.
This is made more confusing by the presence of "originalist" jurisprudential theory. [2] But this originalism is also an outgrowth of dominionism.
Libertarians would normally be expected to oppose this kind of trend, but their label was part of the co-opting. The result is that there are libertarians and Real True Libertarians, just as there are Christians and Real True Christians and Republicans and Real True Republicans (read: not a RINO).
All of this is dominionism. It's arguable that a lot of this is just a wave of echoes from the Reconstruction after the Civil War, which was unprecedented in a lot of ways (the rise of the central executive using what was unquestionably force to suppress rebellion and secession; the breaking of the institution of slavery on a national scale; the deliberate and callous humbling of the losers in the war), and merely delayed until the 1980s because of the two World Wars and Vietnam.
>It's arguable that a lot of this is just a wave of echoes from the Reconstruction after the Civil War, which was unprecedented in a lot of ways (the rise of the central executive using what was unquestionably force to suppress rebellion and secession; the breaking of the institution of slavery on a national scale; the deliberate and callous humbling of the losers in the war), and merely delayed until the 1980s because of the two World Wars and Vietnam.
It wasn't so much "delayed" so much as faded over time without completely subsiding until, as the post-WWII realignment of the major parties progressed, it eventually became political useful for one of them to deliberately expend resources and propaganda efforts to fan it, starting with Nixon's "Southern Strategy".
You have to put the EFF's action in procedural context. They're at "Plan B." They've lost "Plan A," which was the political debate. Voters, broadly, are mistrustful of "hackers" and don't see a problem with searching computers at the border. Certainly, my mom doesn't see a problem with such searches. Now, the EFF is coming along and asking a federal judge to tell my mom and all the voters like her that they can't do what they want to do, all because of some "words on paper created by mortal men" 200 years ago. This is "Plan B." At this stage, the rules are different and more restrictive. To overcome the democratic will, you not only have to show that your point of view is better, but you have to show that this 200 year old document requires people now, 200 years later, to act a certain way. That procedural posture leads to "the obsession with the semantics and the literal text of the Constitution."
As for why this spectacle doesn't happen in other countries, it's largely because in those countries there is no "Plan B." If you lose at "Plan A" you're done. In the U.S. you have a "Plan B" because we have a judiciary that is a co-equal branch of government. Other countries have constitutional courts, but those courts have very limited jurisdiction and do not function as a co-equal branch of government. In the U.S., you have 94 federal district courts, 13 courts of appeal, and 1 Supreme Court, any one of which can declare a state or federal law unconstitutional. Moreover, unlike judges of constitutional courts in other western countries, American federal judges have the extensive powers of common law judges. They can not just declare laws unconstitutional, but force public officials to take affirmative actions to remedy violations.
The U.S. federal judiciary is, as an institution, extremely anti-democratic. It can not only defeat the democratic will of a state or even the national legislature, but do so in a way that binds all future legislatures. The power to bind legislation in the future is one that no legislature in the U.S. possesses. The obsession with "the semantics and the literal text of the Constitution" is the flip side of this anti-democratic power. The judiciary derives its legitimacy from its role interpreting the text of the Constitution. To the extent that it strays from that text, it loses legitimacy.
Thanks for the reply, but I think you slightly misunderstood what I was asking. It was not a criticism over the way judiciary are doing their work.
What I was wandering is why there is no scrutiny over the constitution itself - are parts of it relevant still, could they be bettered and so on. Quick checking of the years of the enactment of the various amendments shows that after the initial flurry of activity there is some calm period for the country to settle down - but then with the changing society various amendments are enacted and we have roughly one amendment every 5-10 years after WWI until the seventies.
And then suddenly that stops for 42 (so far) years. So in times of unprecedented technological and social change there is no perception that the document itself must change.
Is the text about well regulated militia needed for security still relevant when you have professional huge standing army ?
Do we need new constitutional right in the digital era and not have to rely on the pity of SCOTUS to extend the current we have?
So basically my question is why the constitution is considered sacrosanct and perfect, and not something with flaws and shortcomings that should be fixed?
> we have roughly one amendment every 5-10 years after WWI until the seventies.
> And then suddenly that stops for 42 (so far) years.
I missed this earlier, but you've got your facts wrong. The last ratified amendment was the 27th in 1992, or 21 years ago. The 26th was 21 years before that in 1971.
> Is the text about well regulated militia needed for security still relevant when you have professional huge standing army ?
The Wikipedia page has a lovely summary of Judge Scalia (and originalist) contorting himself to pieces over it. It would be entertaining if it weren't law.
What I'm saying is that the most obvious way to change the Constitution, judicial interpretation, is circumscribed by the considerations I mentioned.
Outside of that, you'd need a Constitutional convention or a series of amendments. But nobody wants to open that can of worms. You'd be as likely to see an amendment banning abortion as one guaranteeing privacy. The equal protection clause of the 14th would be on the chopping block. People would seriously propose repealing the 13th amendment.
> Rights (such as the bill of rights) are generally expressed as belonging to "people", not just the citizens of the US.
Erm. Are we reading the same Constitution? There's only one instance of the word in there and it's talking about IP ("To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;"). The understanding of IP law that I've seen is that American patents don't apply internationally: they have to be converted over to the other governments' systems.
> It's also in the spirit of the declaration of independence that "all men are created equal", which would lead one to believe that they all have certain inalienable rights, citizen or otherwise.
This is the same Declaration of Independence that didn't bother including slaves and women as "men", yes? Just to be clear on what the "it" you're referring to isn't being changed by modern times.
> It also doesn't mean that Russians are subject to American law (at least not while in Russia), but that for things such as rights, they apply to everyone.
The essential claim here is that rights granted by American law apply to Russians.
What you're not saying, but perhaps are meaning to say, is that there ought to be legal structures that transcend national boundaries to apply to the entire human race and that we can in turn derive American law from such a structure such that there are situational effects at a national level. The UN, and the UNDHR, come closest to this but American law does not recognize the UNDHR as anything but a set of suggestions. Judges do not use it as a guideline. Legislators do not use it as a blueprint. (And further, the UN does not have in its membership the entire human species.)
That would make sense. It would reduce Americans' sense of sovereignty, and thus would be fought tooth and nail by the xenophobic culture you reference, but it would then make sense to talk about universal human rights.
It's funny. I've been of the mind for the past decade and a half that we need a species-level government precisely in order to achieve effects like this, but it's also specifically the people who want these effects who are most horrified at the prospect.
So perhaps that's not what you're meaning to say. Maybe you're suggesting that there's a moral Lawgiver who hands down rights and everyone should listen to Him for a change? That's what the Founders largely thought, after all.
> The understanding of IP law that I've seen is that American patents don't apply internationally
Of course they don't apply to other governments, they apply to the US government. The constitution, and American law, tells the American government what rights it ought to enforce or protect, within it's jurisdiction.
> This is the same Declaration of Independence that didn't bother including slaves and women as "men", yes?
It makes no such distinction. Didn't the US have a civil war over this? Which side won?
> The essential claim here is that rights granted by American law apply to Russians.
In places where American law applies, yes. Do you think they shouldn't?
> The constitution, and American law, tells the American government what rights it ought to enforce or protect, within it's jurisdiction.
No, it doesn't. You can keep asserting this, but making up claims from thin air is not actually enforced law.
> It makes no such distinction. Didn't the US have a civil war over this? Which side won?
Are you proposing that we should have a feminist versus anti-feminist war? Because I'm pretty sure the anti-feminists would win that one right now.
> In places where American law applies, yes. Do you think they shouldn't?
My opinion isn't material. My questions have, aside from the philosophical digression, been about the factual ground we're upon.
Because if American law applies to foreign nationals, then Guantanamo becomes a lot less illegal. Quote passages of US Code, or other relevant law. Not your philosophical opinion, which isn't the point here. If you want to discuss what should be, then let me say that I don't even want America to exist. That's how far afield we're going if you want to know what my opinions are.
I have no idea where this argument is supposed to be going. In general, Constitutional rights apply to non-citizens within the US, and this has been held since at least 1886, see e.g. http://www.salon.com/2010/02/01/collins_5/. There have been various Supreme Court cases over the last decade about whether they apply to people under the jurisdiction of but not inside the US, namely Guantanamo detainees. Outside of US jurisdiction, there are circumstances in which residents of foreign countries can violate US law (criminal or civil matters), which involve interacting with the US, such as (for better or worse) "cybercrime", in which case the US can attempt to extradite them or take other measures. These are separate issues, but only the one about Guantanamo detainees is at all controversial.
> Um. Which theory is this? Last I checked, as an American citizen, I'm not subject to Russian law. Why are Russians subject to American law?
You are on Russian soil (unless you have diplomatic immunity). It would be reasonable (but perhaps not true) to assume that if you're subject to limits of law in a jurisdiction you're also privy to its protection (presumption of innocence etc).
That page is very misleading. Not only does it wildly distort the original policy of CBP that included the "100 miles" thing, but it ignores the fact that the "100 miles" aspect has since been retracted.
All the original policy stated is that the "border search exception" to the 4th amendment did not have to be at the literal border. This was to accommodate border checkpoints in the southwestern U.S. which are for practical reasons not right at the border but a few miles inland along major highway routes.
I'd expect that if CBP is asking for your encrytion key and you are not a U.S. citizen and you refuse to provide it you're probably going to be refused entry. Being refused entry isn't to be taken lightly. It may very well mean you will never be allowed entry again.
As others have pointed out it's probably better to simply not know the encryption key or to download your data after arriving. Which are covered in the guide I linked.
Your post mentioned the TSA but I'm not aware of the TSA asking for encryption keys. I'd be surprised if they ever do or have since their mandate is aircraft safety. Searching data would not likely be allowable under the search exceptions they operate under. Your concern should be towards CBP doing the search while clearing passport control/customs.
This might just be a thought exercise, but I remember reading somewhere that 100 miles from the borders and 50mile radius at all port of entries the Amendments do not apply. Also, these explicitly state 'persons' not citizens or residents so in that sense you're safe.
If you can be compelled to provide a physical key, I don't see why a digital key should be different. It's not "being a witness".
That said, I'm nonetheless happy the EFF is pushing at this - it's that kind of pressure that makes sure reasonable calls are made in the corner cases.
For one thing, there's the argument in the article: giving the key is an admission that you know the key in the first place, which is self-incrimination.
Just like possessing a key means you were associated with the safe and its contents, though. Again, there's still a real-world analogy so I suspect the courts will treat it as they do in the real world and try to determine on a case-by-case basis whether simply being able to decrypt the data could be considered incriminating or not.
For instance, it's not self-incriminating if the government can show that they already know you're associated with the key/lock. Likewise with an encryption key...
Because you can't stick a digital key into random data and expect the result to make any sense?
They believe the random looking data is actually encrypted data, data they believe is relevant, and they believe it can be decrypted by what they believe is a keyphrase they believe you still remember or had in the first place.
That is quite a big wager to throw someone in jail over, for a potentially unlimited time.
(Now of course TrueCrypt containers and the like still have somewhat of a recognizable header format - but theres no guarantee they contain anything)
That's why a court becomes involved and a judge makes a decision based on reasonable belief. For instance, if you have a laptop that has a password on boot, and there's evidence that you've been using the laptop, you'd need a pretty great excuse to suddenly not know the boot password.
Also, I don't think "block of random looking bits" should be considered prima-facie evidence that it is encrypted data (by any particular key or even at all). But if there is strong evidence that key A was used to encrypt some bits, and if there is strong evidence that person B has access to key A, then compelling production of that key is not absurd if done correctly.
If they truly take this serious and as far as they can go, it will come down to revealing the key which is different than producing a decrypted copy or making available access to the encrypted data.
I like this argument and agree with it, but it seems like the only real way to truly protect yourself from being compelled to incriminate yourself is to use deniable encryption. There will always be cases where a specific jurisdiction makes an incorrect call that forces someone to give up their key or go to jail. There needs to be a solution for that other than suing to put the toothpaste back in the tube.
Deniable encryption only works if either (a) everyone is using it or (b) there is no way to tell if you are using it. I doubt you will ever see the former, and that latter is pretty difficult -- even if such a scheme exists, you have to also hide the deniable encryption software you are using i.e. it is the classic warden problem.
To put it another way, let's say you are using Truecrypt, and the prosecution can prove that you have incriminating documents on your laptop. You enter your "innocent" passphrase and behold! No incriminating documents. I think the next obvious move will be for the court to demand that you enter your other passphrase, leaving you trying to prove that you really were not using the distinguishing feature of Truecrypt.
A better solution, where applicable, is to destroy keys as quickly as you can. Keep your keys on a smartcard, and self-destruct the card if you think you will be arrested. You will deny yourself access to your files, but you will also deny your adversary such access. The police might try to prove that you destroyed evidence, but that is much harder to prove if your own procedure is to periodically destroy your keys (and such a procedure can be done individually without raising suspicion). Basically it all comes down to opsec -- something the military has known for centuries.
I'm talking about a deniable encryption scheme such as rubberhose, where the fact that you're using it is known, but it's impossible to tell whether you've revealed all the hidden aspects or not. "Here's my key." "Well, you're using deniable encryption; we need your other key." "Ok, here are my other two keys."
But your hypothetical is also strange: "let's say ... the prosecution can prove that you have incriminating documents on your laptop." If the prosecution can prove that you have incriminating documents before you ever provide the keys, you're already screwed.
The thing is, if you are using deniable encryption and keep producing keys that reveal innocent data, the government will just keep demanding keys from you. Basically, you have to be able to last until they give up -- but the odds are already against you on that.
As for the hypothetical scenario, that is actually something that happened in real life:
In real life it is somewhat unusual for the government to grab random people off the street and demand plaintexts. There is going to already be some kind of evidence against you, something to make the government suspicious. Maybe you attended an antiwar protest. Maybe you published a book about how to molest children. Maybe you are connected to some kind of fraud. Maybe a cop saw what appeared to be child pornography on your monitor. If the government is asking for your passphrase, it is because they already expect to find incriminating files; they will not just shrug and say, "We goofed!" when they see a deniable encryption system producing innocent files.
While there is a sort of a "when do you stop asking for keys" problem, that doesn't mean they will necessarily be able to compel you to provide that final key you don't want them to have. The fact that they haven't gotten what they're after yet is not evidence that you have more keys, because it's indistinguishable from the case where you've simply already deleted the files.
I'm not expecting them to shrug and say "we goofed", I'm expecting them to realize that with a well-designed deniable system, they can't tell the difference between you being uncooperative and there being nothing incriminating to find. If they can prove the files exist and you're refusing to give them up, then that's something they can charge you with, but as I indicated earlier, that's a different kettle of fish.
The big risk with deniable encryption, of course, is that the courts don't really understand it well and you end up in a situation where they are compelling you to provide information that actually does not exist (they think it's on a hidden aspect but they're wrong), and are willing to throw you in jail for not producing it. This risk is what leads me to the conclusion that the law must acknowledge that compelling complete decryption of all data is impossible.
"The fact that they haven't gotten what they're after yet is not evidence that you have more keys, because it's indistinguishable from the case where you've simply already deleted the files."
Perhaps, but then why not just provide no key at all and rely on the semantic security of the cryptosystem? If you need to give the court a reason why you are not producing the secret key, you can always claim to have forgotten it. How does deniable encryption improve over that, if in the end it comes down to indistinguishability?
"I'm expecting them to realize that with a well-designed deniable system, they can't tell the difference between you being uncooperative and there being nothing incriminating to find."
OK, but the same is true of non-deniable encryption when you say, "I forgot the key!" Anything that might lead them to believe otherwise would be equally applicable to deniable encryption.
To put it another way, what is the difference between saying, "I only have this key," and saying, "I cannot remember the key at all?" In either case, you need to convince the police that there is no incriminating key they can demand from you.
This is a good question, and the differences are pretty small. One difference, although I'm not sure what the impact is of this difference, is that if you say you've forgotten the key, that's an acknowledgement that there is data there to be discovered, just that you can't provide access to it. Does this leave a door open to other efforts to decrypt it? I don't know.
I think the typical solution is to have something embarrassing but not incriminating (or incriminating, but for a lesser charge) for the last password you give up.
I doubt that would cut it. If the police are expecting you to reveal spreadsheets detailing your real estate fraud, and your deniable encryption system outputs some embarrassing fetish porn, the police are going to ignore the porn and demand your other key. Why should they believe you about the embarrassing files being the real or only reason you are using deniable encryption? Why would they not simply assume that you put those files there as part of an attempt to develop a plausible excuse?
The real problem here is that, in a way, using deniable encryption is itself incriminating unless everyone uses it -- and we do not live in such a world. Unlike other cryptosystems, it is hard to develop a "legitimate" reason for using deniable encryption, as it has no particular advantage in protecting data from criminals over non-deniable encryption.
The purpose and usage of deniable encryption is not for police to stop demanding the other key.
They may or may not stop, you can't control that. However, if you simply refuse to provide any more keys (regardless if such keys exists); then their only recourse is to try and convict you for not providing the key - and there, on a trial by a layman jury, the plausibility of whatever excuse you [didn't] provide would matter a great deal.
It's all about reducing the likelihood. Keeping my fetish porn hidden behind legitimate looking encrypted whatever is not an absurd story, so a chunk of the probability moves that way, leaving it correspondingly less likely that the deniable-encryption-supporting encrypted file here also contains the thing they were looking for. Whether it's less likely enough depends on a whole ton of things.
> nor shall be compelled in any criminal case to be a witness against himself,
I could see compelled decryption being congruent with the constitution if the decrypter is guaranteed immunity--ie, you can be compelled to be a witness against someone else.
Oh but the courts can find convenient interpretations of the wording. Like, the act of entering a passphrase only proves that you know the passphrase, so unless that knowledge is entered as evidence against you you have not actually witnessed against yourself.
Really though, there is a deeper issue here. What if I legitimately forget my passphrase? There is no real way to know whether or not I forgot it; will I be held in contempt of court over my forgetfulness? Will I be accused of perjury? Will I be imprisoned? Might the government accuse me of a crime, point to an encrypted hard drive that I have not used in a year, and then throw me in prison for failing to decrypt it?
There's a great deal of difference 'is there a real way to know X for 100% sure' and 'can a jury&judge be convinced that X is true beyond reasonable doubt'.
Depending on all kinds of criteria, most likely including factors such as what is your known relation to that hard drive, your attitudem, how you look and how good is your lawyer, the argument 'I forgot that passphrase' may turn out both ways.
I am not convinced that they could within any foreseeable future. They may be able to prove that the knowledge is in there, or they may be able to prove that you think you are lying, but proving that you are truly able merely unwilling to actually vocalize that data is another matter entirely. Hell, there are disorders that render you unable to vocalize your own name, despite knowing full well what it is and wanting to vocalize it.
Who is to say that "It is on the tip of my tongue/fingers, but I can't seem to say/type what it is." does not, under an MRI, appear to be "He knows what it is, but won't say/type it."?
I'm sure you could find expert witnesses willing to be paid to argue either way exactly what the MRI is or could be indicating.
I am not convinced that they could within any foreseeable future...there are disorders that render you unable to vocalize your own name
Seems terribly shortsighted, given the points you are arguing from. If there is a disorder, it seems quite likely that we would eventually be able to detect the disorder.
Psychology today is still struggling with classifying disorders by observable symptoms. We are a long way off from being able to make a wide range of conclusive and specific diagnoses, particularly of subtle phenomenon. Hell, it isn't even clear how many different phenomenon we are currently calling "schizophrenia". We don't know the categories to put people into yet!
Regardless, I did say "foreseeable future". There may be developments that catch me by surprise, but going at the current rate and direction we are right now, there is no way in hell MRIs will be able to satisfactorily contradict "I am unable to recall" in a courtroom anytime soon.
It seems out disagreement is just stems from different shades of "foreseeable." To me, it's a foregone conclusion that scanning technology will one day be able to verify claims that one is "unable to recall," though we can't foresee exactly how and when this will happen.
That would make a dramatic difference to all kinds of criminal trial. Will it be legal for the police to question you while you're under an MRI? I don't think the answer for the special case of a decryption key will be any different from the general case (did you kill X, or whatever).
Hmm a case of the EFF wanting something to be true I feel
To use an analogy if you can be compelled to give up the keys to a physical safe how can electronic keys be considered differently? To quote Spock "a difference that makes no difference is no difference "
This is what the "man on the clapham omnibus" would think
If I built an encryption system, where entering a specific key initiated a function that systematically destroyed all data on the drive.... could I be accused of tampering with evidence?
What you really want is a cryptosystem that provides a "clean" image when given one passphrase, and the "real" image when given another passphrase. Then when you're compelled to give up the passphrase, you do. Since it's mathematically impossible to tell the encrypted data from random data you wrote to the disk before using it for real, it would be very difficult to prove (through analysis of the disk image alone) that you knew 1 or more additional passphrases that would reveal other encrypted data.
Of course, this all depends on very careful implementation: the "clean" image must not overwrite "real" data, but also must not leak the existence of a possible area of more data. You'd also better have realistic timestamps in the "clean" area, etc.
That is not how things will work. Your drive will be copied before you are even asked for a passphrase. Whatever cryptosystem you have will be modified to be non-destructive.
Now, smartcards are another story. Smartcards can be designed to self-destruct after too many bad passphrases are entered. I suspect, though, that a forensic lab could back up the secret before you are allowed to enter anything.
If I built a safe in which combination A would open the door, but combination B would activate a system to incinerate the contents and upon presentation of a valid warrant for the contents of the safe I entered, or directed another to enter, combination B...could I be accused of tampering with evidence? Does that re-phrasing clear up the question?
Or how about a sort of dead-man's switch? Is that tampering? Everything you did was put into place before you got into trouble. Can you be charged with "pre-tampering" of evidence? Or how about "not untampering" of evidence?
Couldn't I encrypt my private key with a TPM, give them the encrypted private key and have them say insert a smart card that clears the TPM, (or clear it myself) putting the private key beyond reach? Does the TPM manufacturer keep the burned in TPM private key used to encrypt other things (like my key) on record? I have an older TPM not built into my chipset so am not worried about not trusting say Intel
iOS devices (and Android?) can already be configured to wipe their data after so many incorrect PINs are entered. I suspect the creation of a "self-destruct" PIN would be no worse a crime than an "I'm under attack" detection scheme.
https://supporters.eff.org/donate