USA PATRIOT Act Survives Amendment Attempt (fwd from brian-slashdotnews@hyperreal.org)
----- Forwarded message from brian-slashdotnews@hyperreal.org -----
At 06:27 AM 7/9/2004, Eugen Leitl wrote:
*** PGP Signature Status: good *** Signer: Eugen Leitl (makes other keys obsolete) <eugen@leitl.org> (Invalid) *** Signed: 7/9/2004 6:27:50 AM *** Verified: 7/9/2004 11:27:24 AM *** BEGIN PGP VERIFIED MESSAGE ***
----- Forwarded message from brian-slashdotnews@hyperreal.org -----
From: brian-slashdotnews@hyperreal.org
Date: 9 Jul 2004 13:26:01 -0000
To: slashdotnews@hyperreal.org
Subject: USA PATRIOT Act Survives Amendment Attempt
User-Agent: SlashdotNewsScooper/0.0.3
Link: http://slashdot.org/article.pl?sid=04/07/09/1145225
Posted by: michael, on 2004-07-09 12:49:00
Topic: us, 90 comments
from the i-feel-safer-already dept.
crem_d_genes writes "A bill to modify the USA PATRIOT Act that would have blocked part of the legislation's provisions that allow for the investigation of people's reading habits [1] was defeated by a 210-210 vote in the U.S. House of Representatives. The House leaders kept the roll call open for 23 minutes past the 15 minute deadline to persuade 10 Representatives to change votes. According to the article 'Rep. Zach Wamp, R-Tenn., said he switched his initial "yes" vote to "no" after being shown Justice Department documents asserting that terrorists have communicated over the Internet via public library computers.' On the other hand, 'Critics of the Patriot Act argued that even without it, investigators can get book store and other records simply by obtaining subpoenas or search warrants.'"
Quite a few book stores (including the local Half-Priced Books) now keep no records not required and some do not even automate and encourage their patron to pay cash. In California book sellers to such used/remaindered stores must identify themselves for tax purposes.
steve
On Fri, 9 Jul 2004, Steve Schear wrote:
Quite a few book stores (including the local Half-Priced Books) now keep no records not required and some do not even automate and encourage their patron to pay cash. In California book sellers to such used/remaindered stores must identify themselves for tax purposes.
The Patriot gag orders lead me to a thought.
Is it possible to write a database access protocol, that would in some mathematically bulletproof way ensure that the fact a database record is accessed is made known to at least n people? A way that would ensure that either nobody can see the data, or at least n people reliably know the record was accessed and by whom?
When somebody comes with a paper and asks for the data, the one currently in charge of the database has to give them out, and may be gag-ordered. However, when way too many people know about a secret, which the protocol should ensure, it's better chance it leaks out, and less likely to identify the one person responsible for the leak, who could be jailed then. Especially when at least one of n is outside of the reach of the paws of the given jurisdiction.
The question is this: How to allow access to a specific file/db record in a way that it can't be achieved without a specified list of parties (or, for added system reliability, at least m of n parties) reliably knowing about who and when accessed what record? With any attempt to prevent the parties from knowing about the access leading to access failure?
Note a peculiarity here; we don't ask for consent of the parties (that would be a different threat-response model), we only make sure they know about it. (We can deny the access, when at least (n-m)+1 parties refuse to participate, though.)
On Fri, 9 Jul 2004, Thomas Shaddack wrote:
On Fri, 9 Jul 2004, Steve Schear wrote:
Quite a few book stores (including the local Half-Priced Books) now keep no records not required and some do not even automate and encourage their patron to pay cash. In California book sellers to such used/remaindered stores must identify themselves for tax purposes.
The Patriot gag orders lead me to a thought.
Is it possible to write a database access protocol, that would in some mathematically bulletproof way ensure that the fact a database record is accessed is made known to at least n people? A way that would ensure that either nobody can see the data, or at least n people reliably know the record was accessed and by whom?
When somebody comes with a paper and asks for the data, the one currently in charge of the database has to give them out, and may be gag-ordered. However, when way too many people know about a secret, which the protocol should ensure, it's better chance it leaks out, and less likely to identify the one person responsible for the leak, who could be jailed then. Especially when at least one of n is outside of the reach of the paws of the given jurisdiction.
The question is this: How to allow access to a specific file/db record in a way that it can't be achieved without a specified list of parties (or, for added system reliability, at least m of n parties) reliably knowing about who and when accessed what record? With any attempt to prevent the parties from knowing about the access leading to access failure?
Note a peculiarity here; we don't ask for consent of the parties (that would be a different threat-response model), we only make sure they know about it. (We can deny the access, when at least (n-m)+1 parties refuse to participate, though.)
That would crash the system.
At 01:44 PM 7/9/2004, you wrote:
On Fri, 9 Jul 2004, Steve Schear wrote:
Quite a few book stores (including the local Half-Priced Books) now keep no records not required and some do not even automate and encourage their patron to pay cash. In California book sellers to such used/remaindered stores must identify themselves for tax purposes.
The Patriot gag orders lead me to a thought.
Is it possible to write a database access protocol, that would in some mathematically bulletproof way ensure that the fact a database record is accessed is made known to at least n people? A way that would ensure that either nobody can see the data, or at least n people reliably know the record was accessed and by whom?
This may best be accomplished by placing the data offshore and empowering the db operators with some non-repudiatable right of disclosure (especially under duress of a warrant).
Some months back I discussed a procedural methodology where patrons could find out if their records had been accessed in a way that circumvented court orders. I was told that it might work but that frustrated prosecutors might press charges of conspiracy before the fact to evade lawful orders that 'might' be issued, even if the defendant had no reasonable expectation that this might occur.
steve
"The law is an ass." -- Charles Dickens
On Fri, 9 Jul 2004, Steve Schear wrote:
This may best be accomplished by placing the data offshore and empowering the db operators with some non-repudiatable right of disclosure (especially under duress of a warrant).
This may be impractical in some cases.
Some months back I discussed a procedural methodology where patrons could find out if their records had been accessed in a way that circumvented court orders. I was told that it might work but that frustrated prosecutors might press charges of conspiracy before the fact to evade lawful orders that 'might' be issued, even if the defendant had no reasonable expectation that this might occur.
But we have a psychological mechanism here; many people tend to be "tough" when not under direct threat. Then they implement the mechanism. Then years flow by. Then the prosecutors come. But by then it is too late to cooperate. They are doomed (though that depends largely on the available lawyers), but it can save the ones they were protecting.
It seems that, by the prosecutor logic, just about any comsec improvement you implemented may be viewed as a conspiracy, including but not limited to secure email.
I am not happy to say this, but can we ever hope for designing any kind of secure infrastructure without some nodes having to win the martyr lottery?
....speaking about martyrs... I am just watching a TV document about cults. Maybe we could piggyback on religion and use some kinks within Christian doctrine, selected for having wide user base within Western civilization? Eg, finding a believable and theologically coherent explanation how operating a Darknet node helps undermining the reign of Satan (a voice suggests me that the Book of Prophecies, or how that horsemen thing is called, could contain enough of material to build on)? That could provide a decent amount of node ops using existing infrastructure of likely-minded religious organizations. Faith is a big motivation for undertaking risk, and while Westerners currently tend to be less radical than Middle-Easterners, this kind of mission is far from suicidal.
But one of the voices in my head just told me that shared MP3s would bring in more people with less effort...
"The law is an ass." -- Charles Dickens
Maybe because most of it comes out of ass-holes?
At 01:44 PM 7/9/2004, Thomas Shaddack wrote:
Is it possible to write a database access protocol, that would in some mathematically bulletproof way ensure that the fact a database record is accessed is made known to at least n people? A way that would ensure that either nobody can see the data, or at least n people reliably know the record was accessed and by whom? .... Note a peculiarity here; we don't ask for consent of the parties (that would be a different threat-response model), we only make sure they know about it.
The obvious method for the first half of your problem is Shamir secret-sharing - n out of m people need to provide their information in order to access the data item (or its key.) That isn't necessarily an _efficient_ protocol for databases, of course, but where you have something where it works, it works. And obviously you'd want some jurisdictional arbitrage.
I'm not convinced that the second half of your problem makes sense. The only ways to make sure that somebody knows something are either to tell them or else to get them to tell you some piece of information you need. Since it's the secret police that would be running the algorithm, they're not going to be polite about telling them if they don't need to, so you're dependent on some algorithm that requires their assistance, which is in some sense consent. I suppose you could differentiate assistance and consent contractually, by telling them it's ok to release the data when given papers from some appropriate court, and you could probably even require them to notify you, e.g. by having them charge a per-event fee for their service, and maybe that'll hold up in jurisdictions where their secret police don't cooperate well with your secret police.
Of course, even to use this requires that the application be designed in some manner where there's some kind of key that's needed to access the data, such as a mailbox that encrypts incoming mail with your public key. That doesn't prevent the secret police from forcing your mailbox company to reveal the information before encrypting it to you, but it does at least protect _old_ mail, unless n out of the m key escrow agents all cooperate.
I don't know why you'd design a system like this when you could do it without the key escrow feature - am I missing something?
Bill Stewart bill.stewart@pobox.com
On Fri, 9 Jul 2004, Bill Stewart wrote:
At 01:44 PM 7/9/2004, Thomas Shaddack wrote:
Is it possible to write a database access protocol, that would in some mathematically bulletproof way ensure that the fact a database record is accessed is made known to at least n people? A way that would ensure that either nobody can see the data, or at least n people reliably know the record was accessed and by whom?
..
The obvious method for the first half of your problem is Shamir secret-sharing - n out of m people need to provide their information in order to access the data item (or its key.) That isn't necessarily an _efficient_ protocol for databases,
Better yet, you have the n sources provide pieces of a key which auto-expires after X days, that key is used to access the database rather than getting the data from n sources. Authenticating at random with n sources, each with a different key is also required. Store the data on some persistent, distributed stores... Bit Torrent comes to mind here.
I'm not convinced that the second half of your problem makes sense.
See above method and add some sort of log to it that automatically and anonymously publishes logs of access to it. So long as n>m/2 and at least n people are trustworthy it should work, right? Then, you also need a watcher app to reveal that access occurred. This app downloads the logs of the hashes you're interested in, plus other random ones to prevent logging from revealing who is interested in what. Would also be nice if the hash for the data you're trying to watch/access changes with the date. That way if one user of the system is compromised, the compromisers can't figure out who the other parties accessing the same data are. But I'm not sure how you'd make it happen without tweaking the Bit Torrent client a lot, or writing a new one from scratch (invoking Not-Invented Here Syndrome).
Of course, even to use this requires that the application be designed in some manner where there's some kind of key that's needed to access the data, such as a mailbox that encrypts incoming mail with your public key. That doesn't prevent the secret police from forcing your mailbox company to reveal the information before encrypting it to you, but it does at least protect _old_ mail, unless n out of the m key escrow agents all cooperate.
A-Yup.
I don't know why you'd design a system like this when you could do it without the key escrow feature - am I missing something?
How else would you do it and still be able to know when something was read?
----------------------Kaos-Keraunos-Kybernetos---------------------------
"I find it ironic that, on an amendment designed to protect American democracy and our constitutional rights, the Republican leadership in the House had to rig the vote and subvert the democratic process in order to prevail" -- Rep. Sanders re vote to amend the US PATRIOT ACT.
-------------------------------------- http://www.sunder.net ------------
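An added illustration, not code from any poster in this thread: a Python sketch of the threshold idea discussed above, using Shamir secret sharing where each custodian logs the requester and record before releasing its share, so the record key can be rebuilt only after at least k custodians have seen the request. The names `Custodian`, `protect` and `access`, the field prime, and the sample record and requester ids are assumptions made for the example; it also assumes the record is stored encrypted and nobody holds the whole key.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed parameter for this example)

def split(secret, k, n):
    """Shamir split: any k of the n shares recover `secret`."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class Custodian:
    """Hypothetical share holder: releasing a share logs who asked for what."""
    def __init__(self, name):
        self.name, self.shares, self.log = name, {}, []
    def release(self, requester, record_id):
        self.log.append((requester, record_id))  # the notification
        return self.shares[record_id]

def protect(record_id, key, custodians, k):
    """Give each custodian one share of the record's key."""
    for c, share in zip(custodians, split(key, k, len(custodians))):
        c.shares[record_id] = share

def access(requester, record_id, willing, k):
    """Ask every willing custodian; the key exists only if k or more answer."""
    shares = [c.release(requester, record_id) for c in willing]
    return combine(shares[:k]) if len(shares) >= k else None

def demo():
    custodians = [Custodian(f"custodian-{i}") for i in range(5)]  # constructed
    key = secrets.randbits(120)                # constructed record key
    protect("record-42", key, custodians, k=3)
    denied = access("agency-x", "record-42", custodians[:2], k=3)
    granted = access("agency-x", "record-42", custodians[1:4], k=3)
    return key, denied, granted, [c.name for c in custodians if c.log]
```

In this model a custodian's participation is its notification, which is the assistance-versus-consent distinction raised in the thread; publishing each custodian's log would correspond to the public access log suggested in the last reply.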
participants (6)
- alan
- Bill Stewart
- Eugen Leitl
- Steve Schear
- Sunder
- Thomas Shaddack