“The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed,” Declan McCullagh reports for CNET. “If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.”
“Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts,” McCullagh reports.
Microsoft, Google, and Yahoo would not say whether they had received such requests, but broadly denied handing over passwords. McCullagh reports, “Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users’ passwords and how they would respond to them.”
McCullagh reports, “Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user’s original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password… Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky. ‘This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?’ said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. ‘I don’t know.’ …’If you can figure out someone’s password, you have the ability to reuse the account,’ which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.”
Read more in the full article here.
[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]
Related articles:
Obama administration scrambles to shut down imminent U.S. House vote to defund NSA spying – July 24, 2013
Obama administration demands master encryption keys from firms in order to conduct electronic surveillance against Internet users – July 24, 2013
Apple, Google, dozens of others push Obama administration to disclose U.S. surveillance requests – July 19, 2013
Secret court agrees to allow Yahoo to reveal its fight against U.S. government PRISM requests – July 16, 2013
How Microsoft handed U.S. NSA, FBI, CIA access to users’ encrypted video, audio, and text communications – July 11, 2013
DuckDuckGo search engine surges 33% in wake of PRISM scandal – June 20, 2013
Yahoo: Since December 2012, we have received up to 13,000 U.S. gov’t requests for customer data – June 18, 2013
Apple: Since December 2012, we have received U.S. gov’t requests for customer data for up to 10,000 accounts – June 17, 2013
Nine companies, including Apple, tied to PRISM, Obama to be smacked with class-action lawsuit – June 12, 2013
U.S. lawmakers urge review of ‘Prism’ domestic spying, Patriot Act – June 10, 2013
PRISM: Do Apple, Google, Facebook have an ethical obligation not to spy on users? – June 8, 2013
Plausible deniability: The strange and unbelievable similarities in the Apple, Google, and Facebook PRISM denials – June 7, 2013
Google’s Larry Page on government eavesdropping: ‘We had not heard of a program called PRISM until yesterday’ – June 7, 2013
Seecrypt app lets iPhone, Android users keep voice calls, text messages away from carriers, government eyes and ears – June 7, 2013
Obama administration defends PRISM data-collection as legal anti-terrorism tool – June 7, 2013
Facebook, Google, Yahoo join Apple in sort-of denying PRISM involvement – June 7, 2013
Report: Intelligence program gives U.S. government direct access to customer data on Apple servers; Apple denies – June 6, 2013