On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>> >
>> >
>> > On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>>> >> Joseph Lorenzo Hall:
>>>> >>> Two things seem particularly interesting: apparently zero requests for
>>>> >>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>>>> >>> (the US law that mandates intercept capability) does not apply to
>>>> >>> Skype.
>>>> >>> That seems particularly encouraging to me.
>>>> >>>
>>>> >>> The FAQ is also interesting in that the non-content question mentions
>>>> >>> "location" but then only lists state, country and ZIP code as fields
>>>> >>> provided (I don't know how MSFT would have access to precise
>>>> >>> geolocation, but that doesn't appear to be something they provide).
>>>> >>> Also
>>>> >>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>>> >>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>>>> >>> (hard to tell if that was just one more NSL or a bunch).
>>>> >>>
>>> >>
>>> >> I don't agree with that reading of the report. There is likely a lot of
>>> >> word-smithing here - for example, Does Skype include SkypeIn and
>>> >> SkypeOut or just Peer to Peer video, text and storage of (other)
>>> >> meta-data? Does CALEA happen on the Skype side of things or on the
>>> >> PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
>>> >> than the former.
>> >
>> > Ok, I certainly agree there is probably a lot of wordsmithing here.
>> > CALEA certainly applies to PSTN interconnection but then presumably law
>> > enforcement would just go to the phone company which has
>> > CALEA-compliant switching hardware there. (I think.)
>> >
>>> >> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
>>> >> when they say they didn't provide content, did they provide the
>>> >> credentials? If so, the guidance could have allowed the "Law
>>> >> Enforcement" to simply login and restore the account data. Or perhaps
>>> >> merely disclosing a key?
>> >
>> > They certainly don't describe what that means, which is strange because
>> > for a transparency report with quantitative data, one would want to
>> > bound what the categories of quantitative data are! I would hope that
>> > MSFT would consider providing ciphertext and session keys as "providing
>> > content" and increment the zeros in that column, but there's no
>> > definitive statement in all of this that I can see which would support
>> > that.
> I wrote to them and asked these questions, as well as a few others.
>
> What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information
about US FISA court orders, so that might be something to ask them
about. I am concerned about the possibility that FISA is being abused to
access large swaths of user data (esp given FAA provisions and secret
interpretation of section 215 of Patriot Act). You could suggest general
rounded numbers for FISA like for NSLs. Doubt you'll get any info, though.
That said, kudos to MS for releasing this info and to people for pushing
them on Skype!
--
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
