According to two industry sources, the federal government has demanded that major Internet companies hand over users’ stored passwords and, in some cases, the encryption algorithm and the so-called salt used to keep the passwords secret, CNET reported Thursday.
If the government can determine a person’s password, which is typically stored in encrypted form, it could be used to log in to an account to peruse confidential correspondence or even impersonate the user, Declan McCullagh said.
“I’ve certainly seen them ask for passwords,” one anonymous source said. “We push back.”
Another person working for a large Silicon Valley company reportedly told CNET it had also received requests for stored passwords.
According to the source, companies “really heavily scrutinize” these requests. “There’s a lot of ‘over my dead body,’” the source said.
Microsoft, Google and Yahoo would not say if they have received requests for passwords but said they do not divulge that information.
“We take the privacy and security of our users very seriously,” a Google spokesperson said.
“If we receive a request from law enforcement for a user’s password, we deny such requests on the grounds that they would allow overly broad access to our users’ private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law,” a Yahoo spokesperson added.
Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to CNET’s inquiry, and, McCullagh said, the FBI declined to comment.
McCullagh offered some hope for those concerned about increased government surveillance, however, saying it’s not guaranteed the government can crack an encrypted password even with the encryption algorithm and the salt — a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password.
“Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user’s original password is hardly guaranteed,” he wrote. “The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.”
At this point, the Daily Caller said, it’s unknown whether the orders were targeted at specific individuals or were mass database requests. It’s also unclear how long the government has made the demands.
But does the federal government have the authority to demand this information?
“This is one of those unanswered legal questions,” said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. “Is there any circumstance under which they could get password information?”
“I don’t know,” she said.
Granick said if the feds intend to log into an online account with one of the acquired passwords, they would be required to obtain a targeted wiretap warrant or a Foreign Intelligence Surveillance Act order.
If the government does acquire the password, she added, “there’s a concern that the provider is enabling unauthorized access to the user’s account if they do that.”
Eric Holder’s Justice Department has argued it has the authority to obtain user passwords.
In February 2012, a federal judge upheld a man’s Fifth Amendment right to withhold the password for his encrypted external hard drive.
A month earlier, a federal district judge in Colorado reached the opposite conclusion, citing the All Writs Act. In that case, the judge said a criminal defendant could be compelled to type in the password unlocking a Toshiba Satellite laptop.
But, McCullagh observed, those were specific criminal cases that “don’t address when a hashed password is stored on the servers of a company that’s an innocent third party.”
In the past, the Daily Caller said, federal investigators have been far more brazen, even going so far as to break into a suspect’s home or office, implanting keystroke-logging software in order to spy on what happens from afar. That happened in a drug case reported by McCullagh in 2007:
An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives’ contents and inject a keystroke logger into the computers.
“This may not (yet) be George Orwell’s ‘1984,’ but Big Brother would surely be proud of the ‘progress’ being made,” the Independent Journal Review said.
If you like this article, you can follow Joe on Twitter @jnewby1956, subscribe to receive email updates when a new article is published, or check out his Facebook page.