Are the Feds Asking Tech Companies for User Passwords?

http://www.theatlantic.com/politics/archive/2013/07/are-the-feds-asking-tech-companies-for-user-passwords/278126/

The secrecy surrounding the tactic, alleged by CNET sources, is as alarming as the potential abuses.


Over at CNET, Declan McCullagh reports on yet another way that the surveillance state is threatening our privacy. "The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders," he reports. He goes on to explain, "if the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user." His sources say that their employers respond to these law-enforcement requests by vigorously challenging them.

Do some web companies just quietly cave instead?

What's striking, if you read through the rest of his story, is the difficulty of nailing down even basic facts about what the federal government is doing. Here's the result of McCullagh's reportorial diligence:

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.