Are the Feds Asking Tech Companies for User Passwords?

The secrecy surrounding the tactic, alleged by CNET sources, is as alarming as the potential abuses.

lock freddy the boy.png
Freddy the Boy/Flickr

Over at CNET, Declan McCullagh reports on yet another way that the surveillance state is threatening our privacy. "The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders," he reports. He goes on to explain, "if the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user." His sources say that their employers respond to these law-enforcement requests by vigorously challenging them.

Do some web companies just quietly cave instead?

What's striking, if you read through the rest of his story, is the difficulty of nailing down even basic facts about what the federal government is doing. Here's the result of McCullagh's reportorial diligence:

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

Apple, Yahoo, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

Also, McCullagh writes, "some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps."

Let me put it more bluntly. It's possible that the federal government is going to Google, Facebook, and Microsoft and saying, "hey, give us the passwords of thousands of your users." If so, the companies wouldn't tell us, most likely because they'd be legally forbidden from doing so, and the government certainly wouldn't tell us. It is unacceptable if massive password requests are now happening. But it is also unacceptable that it could happen, or be happening, without the public even knowing.

That's how it works now: The feds don't say a word even when they adopt new policies that are radical and aggressive.

Even as the Obama Administration avows that it welcomes a civic debate about the surveillance state, it preemptively short-circuits citizens' ability to assess and debate policy. It's disingenuous, illiberal, anti-democratic, and imprudent. The notion that self-government, secret policy, and secret law can coexist is Obama's folly, and the folly of his predecessors.

Let us not share in it.