Feds to web firms: Hand over encryption keys and user passwords
The US government and its intelligence and law-enforcement agencies have apparently been trying to get Internet firms to hand over both their users’ account passwords and their master encryption keys.
According to Declan McCullagh and his sources inside some of these companies, the agencies obviously subscribe to the notion that “If you don’t ask, the answer is always no,” but it’s unknown whether this approach has been successful.
When contacted, Microsoft has declined to say whether their company received such requests from the government, but adamantly stated that they can’t see a circumstance in which they would provide them either with encrypted user passwords, the algorithms and the salt used in their encryption process, or the company’s master encryption keys.
Google has also declined to confirm whether such requests were made, but has confirmed that they have never shared a user’s encrypted password with the government, or handed them encryption keys.
A Facebook spokesperson has said that they have not received requests for encryption keys from the any government, and that they would fight aggressively against any such request if they ever receive it.
FastMail director Richard Lovejoy was more concrete with his answers, claiming a request for their SSL key would be denied as it would be “clearly illegal” and unethical to comply.
But is he right in saying that? Can US government agencies legally demand encryption keys or user passwords from these firms?
According to Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society, it’s difficult to tell. “Is there any circumstance under which they could get password information? I don’t know,” she says, and her answer is the same when it comes to requests for encryption keys.
An unnamed lawyer that occasionally represents Web companies says that subpoenas and regular court wiretap orders, even in a criminal case, would probably not be enough for the companies to comply. On the other hand, a FISA order might just do the trick.
As far as we know, there haven’t been legal precedents that would answer these question, either. In two separate cases, criminal defendant have been subpoenaed to share their own passwords to their computers / encrypted files, and the rulings in those cases went in diametrically opposed directions, but that’s a completely different matter.
Another thing that is unknown is whether requests for user passwords are targeted at specific users or do the agencies ask for the dump of the entire password database. In both cases, it’s likely that bigger companies would fight that kind of request in court, but there’s no telling what smaller companies that perhaps can’t financially afford to start such proceedings would do.
Privacy activist and ACLU technologist and analyst Christopher Soghoian commented the revelations by saying that the federal agencies want the passwords because they often get reused by the users. “A Hotmail password might unlock another service or device,” he pointed out.