Since the leak of PRISM by Edward Snowden, there has been a continual stream of information and leaks regarding the activities of the US government. Yesterday we shared with you a story about how US agencies such as the FBI and NSA want access to the master encryption keys used for HTTPS connections by various websites and companies. Today we have another development to share, and it is just as nasty as all the previous news.
The U.S. government is actively increasing its surveillance of citizens by requesting (“demanding”, as CNET puts it) that major tech companies and websites hand over user account passwords. This means the U.S. government, and related agencies, could log into user accounts without user consent to gain access to confidential data or any other important user information… or even masquerade as the users in question.
Usually user passwords are stored in an encrypted form that keeps the passwords from being known even if the password database were to be hacked. In these situations, even the companies don’t know what the user passwords are; they only have access to the passwords’ encrypted forms, so a company couldn’t tell the government user passwords even if it wanted to. To combat this problem, sources are claiming the government will request the associated encryption algorithm so that it can reverse engineer passwords from their encrypted form.
A source close to the situation has told CNET that they have personal experience with the government requesting the handover of user passwords. The person went on to state that companies scrutinize these requests from the government and many times refuse them, if legally possible, to protect user information from the government’s prying eyes.
Spokespersons from tech giants such as Google, Microsoft, and Yahoo came out with statements denying their respective companies have ever walked hand-in-hand with the government with regard to giving up user passwords.
According to a Yahoo spokeswoman:
“If we receive a request from law enforcement for a user’s password, we deny such requests on the grounds that they would allow overly broad access to our users’ private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law.”
Interestingly, all three spokespersons failed to disclose whether or not their respective companies had ever received requests for user passwords from the government.
In my opinion, companies will attempt to come off as trustworthy, but if there’s one thing the recent Snowden leaks have proven, you should always use a healthy amount of skepticism before believing what companies and the government tell you.
[Thanks WildCat, via CNET, image via TopTenReviews]