1. Any malicious person savvy enough to pull off a crime of interest to the Feds is smart enough to provide a wiped or burner phone to DHS/ICE, and they have to know this. So, what is the point in doing this if not to target law abiding citizens.
2. USGOV has a spotty track record of keeping this information secure. A foreign actor is likely to access this info eventually. As one former government official once joked many years ago - concerning Chinese hacking - "Well, it's probably more secure in the CCP's data center, so I wouldn't worry."
This is the problem when a non-technical generation makes the rules and regs. Luddites ought not be permitted to ascend the GS ranks.
> 1. Any malicious person savvy enough to pull off a crime of interest to the Feds is smart enough to provide a wiped or burner phone to DHS/ICE, and they have to know this. So, what is the point in doing this if not to target law abiding citizens.
This isn't even remotely true. See for example the recent Anom honeypot[1]. Criminals do more or less the same things that ordinary citizens do, and often have strictly worse security practices because they believe "ordinary" things are weaker. This makes them great targets for snake oil.
That being said, I agree with (2). It's simply an unnecessary risk to keep this much data around for this long.
Although grandparent's logic is faulty, I think it does go to an important point. They don't need 15 years warrantless storage of phone data. On anyone, including foreigners. If it takes them 15 years to realise they shouldn't have let someone over the border it is around 14 to 14.995 years too late.
The powers these agencies have are far in excess of what they need to do their jobs, and it is going to be abused. These aren't particularly upstanding people, they're the sort who think DHS/ICE represents an ideal that they are OK with.
There are a few reasons why government would want to keep data for that long. Educated guess: playing the odds that currently encrypted data could be broken in the near future.
My primary argument isn’t security theater, although I do agree it applies. My argument is that no democracy / republic should assume that every resident/citizen is a potential criminal without some probable cause / particularized suspicion / significant evidence. The larger the percentage of citizens who experience unjustified searches, the lower the institutional trust level falls. Eventually citizens stop trusting elections, courts, police, etc. Then people start massive social panics on the assumption that everything government is corrupt.
This isn't security theater. Security theater has to be in your face. Security theater is pageantry, but no substance. Security theater has no impact on your safety, but makes people feel safer by providing the illusion of security.
This is substantial, has been being done without most Americans being aware of it, and it doesn't make anyone feel safer, but it still has a huge impact on your safety. It makes you less safe.
This is just a gross violation of our constitutional rights.
If a group had infinite budgets to actually act on this data effectively and if you could actually ever prove that this data was used for said purpose, you're still violating the privacy of 99.999999 of the people who don't commit crimes. I'm all for collecting legitimate warranted wide access information about people with legitimate patterns of criminal behaviour. I'm all about collecting information about financial transactions as one form or another the proceeds of crime are traded into legitimacy in regulated channels (at least for now). I'm not ok collecting "whatever I feel like" for the reason "well because we legally can".
If there is data suggesting it, it would be classified. The Government isn't in an equal information relationship with the population, nor can it be, to effectively use intel domestically and abroad.
Just a counter-argument. I am not in favor of this obvious overreach. But I don't need data to tell me that.
Criminals who get caught do more or less the same things that ordinary citizens do, because the systems set up to catch them assume they'll act like a normal person, because you catch the greatest number of criminals that way. By definition, we have no information about what criminals who don't get caught do, because they're never identified as criminals. That's the point.
Selection bias is the most powerful force in the universe.
Reminds me of the Stainless Steel Rat, where he is intentionally caught and sent to prison, hoping to further his criminal education. Only to find out he is now incarcerated with all the criminals that weren't smart enough to evade capture...
This is essentially Pareto resource efficiency for crime. Spending 20% of resources catches 80% of criminals. To catch the other 20% you have to spend exponentially more with exponentially diminishing returns. (This model is too simple though as the environment isn't static and criminals are able to learn and adopt strategies that make your efficiency decay over time)
Ah, so criminals that get busted follow poor practices that lead to them getting busted. Not sure what this has to do with criminals at large, you know, the ones that do stuff like use a safe phone when traveling abroad.
This is unfalsifiable: are you saying that there's some unquantifiable number of perfectly competent criminals? How would we go about verifying that?
On an individual level, I am positive that there are criminals that escape the (not particularly competent) techniques of DHS/CBP. But the GP's claim (that Federal criminals are, as a category, completely above and beyond this kind of enforcement) is just not true.
I'm just going off of talking with people during 5 years in the Feds. You know, the guys that can get whatever they want in prison because 'connections'. The guys that can reach out and touch someone for you if you need it. But sure, there isn't some larger more competent network of people that arrange all this for them. It's probably their grandmothers.
Of course there are. I said that in the last comment.
There are two points here:
* Estimates of "darknet" economies (and "criminal" economies in general) strongly express preferences for the mostly unfalsifiable LEO hypothesis that there's lots of crime just floating around out there, and they could do so much more about it if we just put up with a little more surveillance, etc.
* There's no particular evidence that there's a bimodal distribution between incompetent criminals who get caught and competent criminals who don't. There are probably lots of competent criminals who don't get caught, but there are also probably lots of incompetent ones who don't (and vice versa). The strongest predictor for successful interdiction (especially at borders) isn't competence, but sheer numbers: criminals have to succeed every time, cops only have to succeed once.
There is without a doubt a correlation between the significance of criminal enterprise and the rate of getting caught.
They may be catching some low level movers with these practices, but not much else above that. The evidence is that there are functioning enterprises in the first place. If captures at the border were a normal distribution of all criminal competency, that would be destabilizing to a trillion dollar industry.
> there is without a doubt a correlation between the significance of criminal enterprise and the rate of getting caught.
This is the problem with unfalsifiable claims. Why is that "without a doubt"?
I can formulate a just as intuitive (and just as baseless) claim: less significant criminal enterprises get caught less, since they fail the "significance" test.
You are right, organized crime has never existed in this country. Hasn't required complex new statutes be created to go up against their sophistication. The government doesn't shout from the rooftops with their limited victories. You got me.
If you exclude the history of crime in this country and go only from the context of this specific conversation, you have a valid argument.
There are no Mexican cartels. They definitely don't operate in the USA (because they could never operate in a covert way in the USA and a public way in Mexico, being smart and adjusting to fit situational needs). The cartel just sits on the other side of the border and 'hopes' their product makes it to market and hopes they can find random repeat drug smugglers for their BILLION dollar operations.
The mafia was wiped out by the Feds. Vegas is totally clean of corruption.
MCs are just guys that enjoy riding together and having chapters spread throughout the country.
I can't buy illegal drugs in every town in America (which would require a sophisticated multistate/international logistics network). I can't launder money (yet the government continues to impose complex money laundering rules on banks at significant cost to the industry for some reason?). There aren't massage parlors in every city with women from China/Korea, with those women routinely changing out.
And if anything illegal is happening, it's just random individuals, acting on their own, who HAPPEN to not get caught. A multi billion dollar international network, that has an uninterrupted supply of drugs/gambling/sex in most every town in the country, all done by random people that somehow make it come together.
I didn't say any of that. Of course there's organized crime in the US.
My point is simple: LEOs rely on the fear and paranoia of invisible, unquantified crime to maintain public support for things that we'd otherwise never accept (domestic surveillance, civil asset forfeiture, a generally bloated and inefficient funding structure for police forces, etc.).
All I want is numbers: the money we put in should be a function of need, not of persistent handwringing by paranoiacs (or, worse, someone with a power trip taking advantage of the paranoiac). To that end, it simply isn't enough to say "we don't know what's really going on." Find out (that's what the existing ample funding is for!) and come back for more.
> Criminals do more or less the same things that ordinary citizens do, and often have strictly worse security practices because they believe "ordinary" things are weaker
The null hypothesis is that criminals are humans like us, except that they make money through crime instead of legal employment. Fallacious reasoning here would require us to treat criminals as uniquely invisible or otherwise unlike other humans, which isn't really borne out.
>>So, what is the point in doing this if not to target law abiding citizens.
It's the old rule known to governments all over the world - there is no such thing as an innocent citizen, there is only a citizen who you haven't investigated enough. Call me cynical but storing ALL of your digital data allows the agencies to basically find something, anything, that will allow them to further blackmail you into complying. Even the most innocent person will have something that can be misconstrued as criminal, from jokes about tax evasion to pictures of your toddler in a pool - threaten going to trial if the person doesn't do X, and most people will comply, not because they aren't innocent, but because the might of the American justice system is such that you really don't want to fuck with it on the receiving end.
To add to your point, our laws are so overly broad that it is impossible to exist without breaking some law. (your point talks of 'digital data' my comment refers to real-life)
From driving 1mph over the speed limit, to skipping FBI warnings on DVDs, to countless other "innocent" infractions. If they look hard enough they will find SOMETHING. And that's all they need.
Three Felonies a Day by Silverglate (ISBN 1594035229) and even https://twitter.com/CrimeADay make it obvious. Every citizen escapes prosecution only by the grace of Federal law enforcement.
For people renting it is routine to receive mail for several previous tenants. Every time you throw away a credit card sign-up offer for someone else, you are committing a felony.
I did this with mail from the tax service addressed to the previous tenant. The result? A few days later I received the same mail in my inbox again, plus another one. Returned both of them, a few weeks later I received 4 mails.
When I started receiving more than 20 mails in one day, all from the tax service to that previous tenant, I bought a shredder and shredded the entire stack of mails. Some years later, I was still shredding mails. My magnanimity to correct for government failures only goes so far.
I've been routinely receiving junk mail for a person that I know for a fact has been dead for about a decade. I used to do this with that mail, but stopped a couple of years ago. Now I just toss it directly in the recycling bin.
It's not that dangerous. They'll talk to you about what your intent was. On the other hand it could be the companies mailing you junk with no reply for decades have the ill intent because they're trying to get people into committing felonies (entrapment) with dogshit offers nobody would ever take that are littering the mail system. So if they accuse you, tell them that accusation must be redirected--like mail is--to like a middle-manager in the company doing mass-mailings.
They didn't pay you anything to wade through their junk. You aren't their slave unless you sign.
And I don't open the mail -- that's a crime the postal service would take very seriously indeed. Sure, perhaps my practice is technically illegal, but I don't think it's the sort of illegal that the USPS would spend a lot of time and money on.
I'm not opening someone else's mail, I'm not preventing it from being delivered to the address on it, and I'm not preventing the recipient from receiving it. His death does that.
Why is this specific to renting? What about previous owners? And yes, I do get stuff for people not here for more than 12 years now, and I toss it, and I dare them to do anything about that.
These systems are perpetuated on the backs of the naive or sanctimonious enough to believe, and loudly proclaim, that they have nothing to hide; they haven't been targeted and haven't ever been in trouble; why are you breaking the law, you criminal scum?
Generations pass and everything remains the same. We're all on the same boat, so why are people so quick to judge against those targeted for violations of a contrived status quo?
No in the USA. We have rights on paper, but the threat of the trial tax convinced most to waive all of their rights in a plea agreement. That takes away things like their right to appeal their sentence, challenge illegal police behavior, etc. What would you pick? Keep your rights but face the entire weight of the US Government with unlimited budget and risk 20-40 years, or a plea for 3-5? All you have to do is give up all your rights. 95% pick to give up their rights.
Plea agreements were illegal up until the 70s for a reason.
>Any malicious person savvy enough to pull off a crime of interest...and they have to know this.
You'd be amazed at how many dumb things smart criminals/people can do. Maintaining proper OpSec is hard. It only takes one mistake to give the LEOs a string to pull to unravel the whole sweater.
Everything else, I tend to feel the same way as you. Just wanted to mention the OpSec part
I was just reading this Bloomberg story about a Chinese spy who was busted. It’s mind boggling how sloppy even state backed malicious agents are at information security.
It's hard to keep up security. You get tired, lonely, bored, exhausted. Everyone screws up at some point, you hope that those you're hiding from don't notice.
It's similar to torture training in the US Military: they teach you that everyone breaks eventually, the trick is to hold out long enough the information you provide isn't that useful anymore.
Haha, just 5 minutes ago I read a story about Iranian 'hacker' who wrote a ransomware note in Microsoft Word, so the file metadata contained his full name :)
Similar SecOps problems happened to both John McAfee and the Silk Road founder.
As far as I remember, McAfee shared an iPhone photo with location metadata when he was in Belize, so American authorities were able to track him down.
The Silk Road founder had some sort of PHP coding error which led police to his San Francisco location. That is, you could simply visit the Silk Road home page and his location leaked.
So yeah criminals aren't better at SecOps. They're just more reckless than most people...
(where 80 is a random number between 75 and 85 I choose at the time and 91.1 is a random (real) number between 91.0 and 91.9)
You cannot exiftool purge a HEIC because it breaks it - you need to exiftool purge the resulting jpeg ... also, weirdly, -attenuate needs to come before the +noise switch in the command line.
I think I know what you mean when you say Luddites, but the Luddites were actually very knowledgeable about technology. They rebelled against technology being used against them without any benefit to them. If you understand that history, you might agree with me that we want Luddites such as Wyden in government.
I do think it's a shame that nobody seems to understand what the Luddites were actually about. They weren't ignorant of or against technology at all. Their beef was about economics.
> A foreign actor is likely to access this info eventually.
This is one thing that has always confused me about the data collection in democratic countries. I understand the appeal from an authoritarian perspective, but it seems that people don't recognize that this same data can be used as a weapon against their own citizens.
So you're left with three real options: 1) Minimize data collection, 2) Spend massive amounts of money on encryption, research, and constant audits to minimize the risk of data leakage (which will eventually get leaked in some form), 3) leave your population (and your political positions) vulnerable to manipulation by foreign and domestic entities that do not have the public's (or your) interest in mind. It seems like we're going with #3 but it even seems like a bad strategy for authoritarians. #2 seems better for that one. But #1 seems best for democracies and people in positions of power where power is not highly centralized. (Can we at least get homomorphic encryption and learning algorithms?) But I guess these same people are still under an impression that a backdoor doesn't work like any other door: that anyone can use a door as long as you can figure out how to break or crack the lock (which always happens).
> This is the problem when a non-technical generation makes the rules and regs.
The millennials hold the power these days. If you consider them non-technical, I'm not sure there will ever be a technical generation...
Which may be a fair assertion as I work with a lot of people in the tech industry who wouldn't even consider the issues you raise unless it was handed to them on a silver platter. If actual tech people aren't considering it, those who have other focuses in life certainly won't be.
Millennials have less money than the generations before them, they do not make up the majority of voters and they aren't executives at large.
The only power most of them have boils down to passive or active rebellion, and they are too busy managing excess grey pressure in most places while said grey pressure is actively voting against them.
Additionally, even millennials aren't technical at large. They certainly aren't technology proactive enough. Not even most developers are.
The intelligence community only exists because those in power grant it so. The millennials hold the power. Certainly they delegate – there is only so much time in the day – but the outcome still rests on what lies at the top.
The reality is that millennials, as a generation, don't see a problem with this. Select individuals may, but individuals don't hold power.
I'm not sure what definition you are using; the executive is nearly 80, the average age of congress is 60, average age of CEOs is 58. You know, the people with actual power.
The civil servant representatives may be older, but they don’t hold the power. They are hired by the power to serve the power. Again, we are talking about the power, not those who the power has delegated some work to.
Again? No, you obviously have a different definition of power, one that is abstract and in practicality useless. I'm trying not to be disparaging, but your comment is so absurd that I can't think of any situation where it would be appropriate outside of a college freshman poly sci class.
Please, let your disparagement run free. It allows us to understand that your motivation is to protect your emotional state, not to simply convey information as has been the nature of discussion up to this point. As I have no emotional attachment to the subject, I'm not bothered by it and am able to learn that you are not here in good faith.
Contradictory information is welcome, encouraged even, but I am not sure your criticism, no matter how constructive, is on-topic information. The subject here is pretty well defined. Worrying about what I may have done wrong does not add value to the thread of information here.
Bringing this back to the topic at hand to not derail it further, millennials hold the power. They are largely not concerned with it. Technical understanding to some degree doesn't mean one is an expert in all matters of tech. Security is actually not well understood by most, even those who are involved with tech professionally. As an example, "don't implement your own encryption" is common advice given because we realize that security and related matters is actually really hard to understand and really easy to get wrong.
Sure, let's start with what I can only assume is your premise, that since millennials are very recently the largest adult demographic, that somehow translates into any current issue being implicit agreement by the millennials?
1. Millennials are very very marginally above boomers in % of population, when separating each demographic.
https://www.statista.com/statistics/797321/us-population-by-...
- This doesn't give millennials majority rule, i.e. (boomers + gen x) is larger.
2. It is not the case that population numbers are directly proportional to power. Even on paper, this has never been true in the US. It is a democratic republic. A million arguments could be made why this ideal is even barely true.
3. Political power in the US is so far removed from I'm guessing your libertarian? view of politicians. They are not servants of a populace power. It is also not a failing of millennials if politicians are in contradiction with "millennial" belief.
4. The US is not a vacuum. One trillionaire would have more power than 99.99% of millennials combined. This isn't the French Revolution.
I feel like your reply to politicians not being representative of the marginally larger populace of millennials is a moral failing of millennials for not starting a revolution. Which is absurd.
Indeed, it would be quite illogical to experience feelings over consuming information. There is no inherent emotional experience found within information. The fact that security is hard to understand, even for tech professionals, equating to feeling like there is a moral failing of millennials being implied does not compute. If your feelings won't let you participate in good faith, so be it, but ultimately there is no value in those emotions.
You are saying millennials hold the power, like it's an axiom. There is no on topic when you build your premise on that. They do not hold the power by any reasonable definition.
Were it an axiom what purpose would stating it serve? There is no value proposition found in conveying information that is already established.
Millennials hold the power, but do not understand technology well enough to realize the implications of their actions. Many tech professionals do not even understand the implications. It is a hard topic to understand.
Certainly. Every manager understands that when you hire an employee there will be situations where, in the heat of the moment, they have to make decisions without consulting a higher rank and sometimes you won't like those decisions. That's the nature of being an employer. If you weren't willing to take that risk you wouldn't hire someone.
However, when an employee doesn't do what you like you can tell them to stop going forward. There isn't much will to have the employees stop in this case because nobody is thinking about the security implications outside of HN where you have professional security researchers able to provide their unique perspective. Security is a fairly hard to understand topic if you're not deeply engrossed in it and is not something people casually think about.
Venture out into the world where you find millennials in construction, food service, retail, childcare, etc. and listen to what they are talking about. I can almost guarantee it is not this.
Upper ranks, sure, but at the very top you find millennials. They are the largest and strongest force.
Of course, they also don't really consider the implications. Step away from HN, where the perspective is biased by people who study security for a living, for a minute and you won't find much of anyone who is stopping to think why this may be a problem.