HTTPS everywhere and H.R.4681 - Intelligence Authorization Act

The House quietly passed H.R. 4681. Section 309 of the act contains a gem:

SEC. 309. PROCEDURES FOR THE RETENTION OF INCIDENTALLY ACQUIRED COMMUNICATIONS. (a) Definitions.–In this section:

  1. Covered communication.–The term “covered communication” means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage.

  1. Limitation on retention.–A covered communication shall not be retained in excess of 5 years, unless–

(iii) the communication is enciphered or reasonably believed to have a secret meaning;

This section empowers government agencies to retain communications they have captured, without a court order, for five years.

If the communication is encrypted (the “reasonably believed to have a secret meaning” language is so ambiguous as not to constitute any kind of constraint on government), there is no limit on how long the metadata and contents of communications of U.S. citizens obtained without a warrant can be retained.

It made sense to me to move to HTTPS everywhere. Like many others, I have taken baby steps toward that end, and hope to make more progress early next year.

However, in light of the language of this statute, it is entirely possible that moving to HTTPS everywhere is going to give the U.S. government and assorted agencies the right to retain all communications they capture until such time as the encryption can be broken, or, more significantly, until a situation arises where a case needs to be made against you.

While perfect forward secrecy may protect the content of the communication from being revealed, it is a double-edged sword, because it also prevents an accused from voluntarily revealing such communication to show that its contents exonerate her from national security related offenses.

Therefore, if a government agency decides to target an individual, the mere existence of encrypted traffic between the browser of the accused and a “bad” web site can seal her fate. Since encrypted communications can be kept indefinitely, accusations can be made any number of years in the future, in a very different environment.

Alice: “But, but, I was only doing web searches about women’s rights in Muslim countries when I clicked on that link to the al-Qaida recruitment web site.”

Guvmnt: “Well, we captured 37,538,499 bytes of communication between you and that web site. All of it is encrypted with perfect forward secrecy, and we can’t tell what information you exchanged with the al-Qaida recruitment web site. But, if you were innocent, why would you engage in secret communications with the al-Qaida recruitment web site?!”

Your computer’s IP address and the IP addresses of the sites it communicates with are “meta information”, which we know government agencies presume they have a right to collect without a court order. So, that is not new.

What seems to me to be new is the legal authority granted to government agencies to retain information and communications indefinitely when that communication is encrypted.