Attorney General Jeff sessions gave a speech on Monday to the Association of State Criminal Investigative Agencies, in which he outlined how the Department of Justice was going to be helping them out. As you’d expect, it was the usual law-and-order-rah-rah stuff, and there was plenty to argue with. I’d like to focus on this bit:

It is also critical that we deal with the growing encryption or the “going dark” problem.

And the stakes are high. Last year the FBI was unable to access investigation-related content on more than 7,700 devices—even though they had the legal authority to do so. Each of those devices was tied to a threat to the American people.

This is a large number, but it is small compared to the number that your agencies are unable to access because of encryption.

Many years ago, some conservative pundit (it might have been William F. Buckley, I can’t find the quote) grew tired of liberal complaints that that millions of poor Americans were “starving,” and he responded with a blunt question: If poor Americans are starving, he asked, then why aren’t they dying? That sounds cold-hearted, but I think it’s a fair point about the rhetoric of poverty: If nobody is dying from lack of nutrition, then “starving” is a gross exaggeration. Or less politely, it’s a lie.

Which brings me to Sessions’ assertion that each of the 7700 inaccessible devices was tied to a threat to the American people: If encryption prevented the FBI from investigating 7700 threats to the Amrican people, where are all the dead Americans?

When people talk about taking away some government investigative power — FISA warrants, say — folks like Sessions are always quick to claim that they need that power to protect America, and if we only knew of the terrible threats they confront to protect America, we would agree with them. This is a hard argument to counter, because without seeing their evidence — which must of course remain secret for national security reasons — the only way to find out if they really need the power is to take it away and see if something bad happens. Needless to say, there is some reluctance to conduct such an experiment, so we end up taking their word for it.

But the situation with encryption is the opposite case: Sessions wants the DOJ to have a power it doesn’t currently have. So if he’s right about the consequences of not having that power, then our country should now be littered with the bodies of people who could have been saved, but for the DOJ’s inability to break into those phones. You’d think he could easily offer a few hundred examples.

Unless of course strong encryption in the hands of Americans isn’t the problem he’s trying to convince us it is.

I don’t know anything else about Representative Ted Lieu, but I do like what he said after hearing law enforcement types testify that the American people not be allowed to use strong encryption:

It’s a fundamental misunderstanding of the problem. Why do you think Apple and Google are doing this? It’s because the public is demanding it. People like me: privacy advocates. A public does not want a an out of surveillance state. It is the public that is asking for this. Apple and Google didn’t do this because they thought they would make less money. This is a private sector response to government overreach.

I’ve made a similar point myself.

Then you make another statement that somehow these companies are not credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive power. District attorneys do, the FBI does, the NSA does, and to me it’s very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution.

And because the NSA didn’t do that and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated the Fourth Amendment rights of every American citizen for years by seizing all of our phone records, by collecting our Internet traffic, that is now spilling over to other aspects of law enforcement. And if you want to get this fixed, I suggest you write to NSA: the FBI should tell the NSA, stop violating our rights. And then maybe you might have much more of the public on the side of supporting what law enforcement is asking for.

More than that, you need to create an accountable process, and you need to create a credible deterrent to the misuse of surveillance powers. It has to be something more transparent and believable than the usual promises of internal safeguards that we have no way to evaluate. Monitor the process, report violations to Congress, send violators to Leavenworth. If you’re not willing to punish law enforcement officers for violating our privacy, then your claim to respect our privacy isn’t for real.

Then let me just conclude by saying I do agree with law enforcement that we live in a dangerous world. And that’s why our founders put in the Constitution of the United States—that’s why they put in the Fourth Amendment. Because they understand that an Orwellian overreaching federal government is one of the most dangerous things that this world can have.

Yup.

Ever since Edward Snowden told us all about the NSA’s rampant spying on Americans, I’ve been meaning to convert Windypundit to an encrypted site, and I think I finally did it. If all is working, you should be seeing “https:” in front of “windypundit.com” up there in the address bar.

(You might not see the little lock symbol, however, depending on your browser. That’s because the images in my Amazon ads widget are being served unencrypted by Amazon. In theory, those images could be intercepted and altered in transit, so your browser is letting you know that you’re looking at mixed content, some of which is not strictly secure. Apparently Amazon ads are infamous for ruining secure pages this way.)

It’s not that I need the security. The whole point of a blog like this is to share everything on the site with literally anyone who wants to see it. In fact, I’ve gone through rather a lot of trouble to make sure that happens. Ask the server for a page, and ye shall receive it.

My reason for adding encryption is really just to make a small contribution toward gumming up the workings of the surveillance state. This page traveled to your browser as one more secure data stream on the net — random bits for all practical purposes, except to you and me. There’s nothing worth spying on here, but only you and I can be sure of that. It’s one more thing that intelligence and law enforcement agencies can’t read, one more thing to waste their time, one more thing to discourage them from trying.

Encryption disguises the internet’s valuable data in the hiss of (pseudo-) random noise. Spying on the internet takes work, and that work pays off because the data is there to find. But it doesn’t have to be that way. We can make it harder for them to spy on us, and that will make it less worthwhile for them to try.

Be the noise.

Illinois recently passed an anti-bullying law that some school districts are interpreting as granting some disturbing powers, according to a story at Motherboard by Jason Koebler:

School districts in Illinois are telling parents that a new law may require school officials to demand the social media passwords of students if they are suspected in cyberbullying cases or are otherwise suspected of breaking school rules.

The law, passed as HB 5707, apparently does not specifically say schools can demand student social media passwords, but school districts appear to be acting under the belief that it interacts with a bill from the previous year.

That law states that elementary and secondary schools must notify parents if they plan to ask for a password, and that it can be asked for if a student violates policy. The cyberbullying law codifies the idea that Facebook harassment is a violation of code policy, which is why you see these letters popping up.

I only glanced at the legalese briefly, but it seems to me that most of the violence to student privacy is done by the earlier law, with the more recent bill only adding the bullying element.

Edwin C. Yohnka, Director of Communications and Public Policy for the Illinois ACLU, tells me the anti-bullying bill (which his organization supported) doesn’t actually give schools this power:

The story about the single downstate school district was, of course, disturbing. That said, that school district badly misread their authority under the new Illinois law. As the sponsor of the measure made clear in several public statements this week, the intent of the law was never to permit school districts to gather social media passwords for students. Those social media accounts would, as one might expect, include lots of personal information that the school district should not be accessing.

That hasn’t stopped Triad Community Schools Unit District #2 from putting on the jackboots:

Leigh Lewis, superintendent of the Triad district, told me that if a student refuses to cooperate, the district could presumably press criminal charges.

“If we’re investigating any discipline having to do with social media, then we have the right to ask for those passwords,” she said.

“I would imagine that turning it over to the police would certainly be one way to go. If they didn’t turn over the password, we would call our district attorneys because they would be in violation of the law,” she added. “That would only be in some cases—we’d certainly look at the facts and see what we’re dealing with before we make the decision.”

This is wrong on so many levels.

If a student is using social media to send bullying messages, investigators can read the messages from the victim’s account. And if they’re private messages that aren’t part of the harassment of the victim, then officious meddlers like Leigh Lewis have no business reading them without a warrant.

I don’t know why they think they can treat social media differently from other communication methods. If students used the U.S. Mail to send letters (as your grandparents did in olden times) schools wouldn’t be allowed to read them. Nor would they be allowed to tap students’ phones without a warrant. But somehow they think social media is different. Somehow they think digital communication is less protected. (And legally speaking, it probably is. Which is something we ought to change.)

I’ve been living life in the digital world for over thirty years, and the idea that someone could be forced to give their password to a total stranger feels like an incredible violation. The gall of these bastards. They say they’re just interested in bullying, but they want to see everything.

To a heavy user of a social media site like Facebook, letting a stranger use your account is like letting a stranger into your home. It’s like letting a stranger rifle through your wallet, dump out the contents of your purse, and paw through your underwear drawer. They’ll be able to read every message your child sent to everyone they know. In addition, they’ll also get to read every private thing that your child’s family and friends shared with them in confidence, thus violating the privacy of innocent bystanders.

With the password, school district officials could gain access to anything any of you might share over the social network — private thoughts your children shared with friends, information about medical or psychological problems of family members, titillating details of your child’s sexual experimentation, what you really think of some of your kid’s teachers, your off-the-cuff comments about your boss, a photo of that time you let them drink a beer with you, passwords to other computer systems that someone sent in a message — the list goes on and on.

And once they have the password, they will be able to assume your child’s virtual identity. (It’s probably not legal, but who would stop them?) They can delete stuff they don’t like, they can interrogate your child’s friends in the guise of your child, they can ask family members for sensitive information. Furthermore, major social media credentials often serve to control access to other web sites (e.g. “Login with your Facebook account”), giving them God-only-knows how much access into your child’s life.

I’m seething with anger over the depth of this violation of privacy. I don’t have kids, but my gut reaction is that you should respond to a school’s password demand as if they were demanding to see nude pictures of your child. If that means you punch them hard in the face again and again until they go down, and then kick them in the ribs until they cough up blood, all while reciting Jules’s “Lay my vengeance upon thee!” speech from Pulp Fiction…that would be wrong. Don’t do that. It’s a very bad idea. (But have I mentioned that this makes me angry?)

My gut also says you should tell your kid to borrow a legal strategy from Saul Goodman and repeat this key phrase: “That’s not my social media account.” Or say they can’t remember the password. Or give up the password and then change it a minute later “for security reasons.” Or give control of the account to someone outside the jurisdiction. Or…

Sadly, those are also bad ideas. Technical hacks of the law don’t work very well in the real world legal system. They may sound clever, but judges don’t have much appreciation for clever. They tend to see it as contempt or obstruction. Don’t do anything clever.

But if you have the resources, and some school authorities try to pull this shit, don’t let them get away with it. If some school employee tries this crap on you, call a lawyer. There are serious Constitutional issues here, so you might be able to get a public interest law firm to take it on for free.

But…if this makes you as angry as it does me, and you’ve just got to do something…I think there’s a pretty good argument that people with no respect for your privacy have no grounds to complain about theirs. If some school official forces your child to give up their privacy, don’t keep it a secret. Call them out on that shit. Name names. Give out contact information. To get you started, the contact page for the Triad school district is here.

(Hat tip: Robby Soave.)

So a couple of days ago I was explaining why Orin Kerr was wrong about Apple’s new policy of rendering themselves unable to encrypt customers’ iPhones, and in passing I linked with some disdain to a piece by former FBI Assistant Director Ronald T. Hosko, who was claiming, of course, that the new policy would help the bad guys.

Yesterday, however, Hosko did something that none of the anti-privacy alarmists at the NSA have ever been able to do: He gave an actual example of someone who would have been harmed by Apple’s policy. He did this in a post for the Washington Post‘s blog PostEverything titled something like “I helped save a kidnapped man from getting killed. With apple’s new encryption rules, we never would have found him.”

It was a dramatic way to make his point. It’s one thing for people like me to go on about abstract concepts like privacy rights, but I don’t have the burden of helping save the life of actual kidnap victims. In the face of Hosko’s story, the privacy argument becomes a lot harder to make. I suppose if I wrote a full response to Hosko’s piece, I would have to reiterate the dangers of a brittle security system, I would talk about the horrors of living in an all-seeing totalitarian police state, and I would point out that law enforcement officers are not free of trustworthiness issues.

The trustworthiness problem is especially relevant. You may notice I didn’t give you a link to Hoska’s article. That’s because in the time since it was originally posted, the title has been changed to “Apple and Google’s new encryption rules would make law enforcement’s job much harder,” and this note has been added at the bottom:

Editor’s note: This story incorrectly stated that Apple and Google’s new encryption rules would have hindered law enforcement’s ability to rescue the kidnap victim in Wake Forest, N.C. This is not the case. The piece has been corrected.

As near as I can tell from the rewrite, Hosko was a little confused, and it turns out the FBI got all the information they needed from the carrier, not the phone itself.

So, maybe I’ll write that longer response some day. But for now, I think I’ll just take this as an illustration of why I’m not really ready to trust these people when they say they need access to my personal data.