Re: Did I misread the article?
The article read that way, and it would be nice if The Register could update it to describe the documents requested with more clarity and precision.
2187 publicly visible posts • joined 16 Jan 2011
"Asking for a back door is by definition asking for encryption to be weakened."
No, it is not necessarily doing that. Key escrow does not weaken encryption in the sense that it is more vulnerable to to cryptanalysis. It weakens the security of encrypted messages by sharing keys with a third party, requiring that the communicants trust that the escrow agent will keep the keys safe from exploitation by those from whom the messages are to be kept secret. That is a quite different matter.
An upstanding, trusting citizen might have no particular problem trusting the government to do that. Criminals surely would object for obvious reasons. The great majority of those livingunder democratic regimes probably will object, if asked, on the general principal that while the agents of the government usually do not misbehave, they have been known to do so, and also that the key escrow with any third party increases the probability that criminals will obtain and use them for ill.
Fewer than 2,500 intercept warrants in the UK for a year amounts to around 1 for each 20,000 adults. That may actually not be unreasonable provided the number of people targeted in each warrant is sensible, the duration of the warrant is not too long, and there are legal constraints on use of the collected data. I suspect those are generally true in the UK, which seems to have a decent government overall.
While it is not sensible to think the Home Secretary spends much personal time examining the warrants for appropriateness or legal compliance, that does not imply that the office does not have employees who do so as part of their jobs, as both legal and political matters.
On the other hand, in the US, with a population roughly five times that of the UK, 2014 saw a total of 3,554 intercept warrants (1,279 federal and 2,275 state or local), for an average of about 1 per 65,000 adults. The average duration appears to have been about 33 days each. It is not clear that these numbers are exactly comparable to those quoted for the UK, and they are for content interceptions only and do not include orders for delivery of metadata.
Thanks for the tip; it looks like an interesting book, and I look forward to reading more of it. A couple of quick samples suggest what I suspect others already have pointed out. If you are stopped by a police officer, politeness, a show of respect for the officer (whether or not honest), and compliance with requests and orders is prudent behavior, and likely to bring much better results than the alternatives, even for those who were driving/walking while black/hispanic. The time to protest police misconduct usually is not when it is occurring, and the person to whom the complaint should be given almost never is the officer involved.
That said, body cameras in use are likely to mitigate bad behavior on both sides of a police/citizen encounter. The downside is that a great many police visits are for domestic disagreements that both participants are likely to feel embarrassment over and think of as a privacy invasion. The solution might be for the cameras to run all the time unless all those involved in an encounter (including the police officer) agree that it can be turned off for privacy reasons. Storage for the camera to hold everything on a shift, and to retain a copy of it for a reasonable period, is cheap enough in relation to other police equipment and operations that it should not be an impediment.
It also is worth mentioning that the situations of most interest are those which include violence and perhaps a shooting or forcible arrest. In those, even with the body cameras running, the capture is likely to be ambiguous and incomplete, and outside observers with cell phones are likely to contribute to a better understanding than any one source would provide.
So $15 per month, or $300 for a lifetime subscription - for those at risk of forgetting to pay regular bills within the next year or year and a half.
I am suspicious of claims like Lumosity has been making, as it is unclear whether playing the games keeps one's brain from draining, or simply that those whose brains are more sound are able to keep playing them, and so look to Lumosity, and possibly themselves, like successes.
Yet Keepass does provide me the functions I think essential for password management:
- generation of non-memorable complex passwords
- password storage in an encrypted file
- easy password retrieval and use
as well as some I consider desirable:
- portability to all the operating systems I use (with required .net or mono)
- local-only database storage, optionally on removable/portable media
- open source and free license (GPL2 or later).
Not as convenient, maybe as LastPass (which I have not used), but better suited to my preferences.
Indeed. Pulse oximeters, probably incorporating light guides, have been around for a long time, as have integrated circuit motion detectors. Both have been in widespread use since well before February, 2009. Integrating them using a computer and software seems like something a programmer skilled in dealing with sensors would do with little inspiration based on a goal of, for example, calculating calories expended over time. It is quite plausible that Apple and Fitbit declined to pay royalties on these patents because their legal departments, after examining them, declared them rubbish.
The concomitant of this convenience, however, is to degrade, apparently quite a lot in the case of this equipment, the system's performance of its basic function.
Note also that the last two items cited mostly do not require external wireless control despite the fact that they can be implemented in that way.
That is my experience exactly, down to using xfinity rather than the unusable hotel service while travelling.
Comcast has done some wrong things, but where I live southeast of Salt Lake City it provides good service, albeit at a price higher than I expect after Google completes its scheduled build-out here.
"The FCC noted that high-latency satellite internet connections, used in more remote parts of the country, were still below optimal levels."
Good luck fixing that.
It would be interesting to see how we Usians located within metropolitan areas. My limited experience suggests it is fairly good, although not fully up to the likes of really densely populated or compact nations. I did not see such a breakout in a quick scan of the report's table of contents.
A patent application approved is a work unit completed.
A patent application denied is a work unit in limbo that can require additional work repeatedly, year after year as it is resubmitted with amendments, until it can be approved or finally denied.
The performance appraisal incentive for the examiner is quite obvious.
The category of patent requested probably is immaterial.
Even in class action lawsuits there has to be a plausible* claim of actual damage. If I understand correctly, someone in physical possession of the computer (or its storage device) who also obtained the key (no matter the source) would be able to obtain the data. In other words, would be able to do exactly the same thing that could be done based on physical access of a computer with unencrypted storage.
It's a bit hard to see the damage from Microsoft's possession of the key no matter how slack they might be about its security.
* "Plausible" because meritless lawsuits are likely to be dismissed and can, although with considerable difficulty, come back and bite attorneys who bring them.
The real problem with "nothing to hide, nothing to fear" relative to their domestic, and even foreign, TLAs is that for the overwhelming majority, nearly all the time, it is a factually correct statement. While this statement varies in accuracy depending on the government under which one lives, even the most oppressive regimes have resource limitations that require them to manage surveillance and focus on those who appear likely to cause trouble, and rely on much more pervasive means of surveillance than mere access to storage encryption keys will provide. At bottom, though, most people go about their lives following governmentally and socially approved paths and do not have to be particularly concerned, on a personal basis, about vulnerability to law enforcement activity.
That is not an argument against encrypting data to provide a degree of privacy and security, but surely it is unreasonable and simply incorrect to argue that Microsoft's storage of recovery keys reduces privacy security below what plain text storage provides.
A case in point is the Clipper Chip of Infamy. After considerable push back about possible government abuse or loss of the escrowed key information (and finding of implementation flaws) it was discarded along with the very real privacy and security benefits that it would have offered in well over 99% of all cases. Even if the entire escrow database had been published the result would not be inferior to what we have, which is that most telephony is done in the clear. The same is true of the related Capstone, intended for use with communications other than telephony, although much of the benefit was recovered through use of SSL and TLS.
As an earlier poster noted, there is no requirement to indicate a party affiliation or anything that suggests political preference as part of voter registration. The example in the article shows this clearly. At most, indicating a political party preference establishes entitlement to participate in selecting the election candidates of that party.
Propagandizing during working hours has nothing to do with the Citizens United decision. Most private sector employers of any size will not allow it, and it is illegal in federal and most, if not all, state and local government offices.
The list, which I suspect may be a list created by a state government consortium to identify potentially fraudulent registration and possible voting in several states, shows nothing at all about actual voting behavior, which is secret. Nothing in the data described can be used to reveal any voter's ballot choices.
It has been half a century since a law prevented African-American citizens from either registering to vote or voting. As always, the Civil Rights Act of 1964 and the Voting Rights Act of 1965 were not always followed, complaints made under the laws were not always prosecuted with vigor, and prosecution did not always result in conviction and punishment. Nonetheless, it has not been legal in any state to deny voter registration or voting based on race since 1965.
Getting registered in the US requires an affirmative act, most often, I think, checking a box on a driving license application or, for those who do not have or seek driving licenses, completion of a form to be filed with a local or state voting registrar. Twenty-three states also provide online registration applications and forty-seven accept the printable mail-in form available from www.usa.gov. In general, procedures here are not materially more difficult or greatly different from those in the UK.
Registration is nowhere controlled by major political parties as a matter of law and cases in which the major parties control it in practice are at most local and extremely rare.
Aside from the fact that "hanging chads" on punch card ballots has nothing at all to do with voter registration, it is a problem logically equivalent to mismarked paper ballots: almost entirely a matter of voter error and rarely a result of poor ballot quality or punch pin wear. It is possible, but extremely unlikely, for the punch used to be pushed completely through the card and leave the chad attached to the ballot. Most of the hanging chads would be dislodged before or during machine counting.
It is not entirely clear why these records should be thought private; they are, after all, records collected for a public purpose by a government agency, and are records that are important to the conduct of the very important election process. The example given shows, for the data items I recognized, what is available in many or most states to political parties able and willing to pony up the cash to buy a copy.
While the location information included might increase the risk to some people who require protection, the probability of that is low because either their location already is known to those who threaten them, or they have moved to a place of hiding and had the presence of mind to omit notifying the voting officials.
As we all know, or should, the NSA, and its predecessor, associated, and adversary SigInt agencies were in business for at least forty or fifty years before the onset of modern terrorism. They have a lot on their plates, all of them, beyond what may be going on amongst terrorists, whether in the Middle East or elsewhere. The transmission modes and protocols have changed a lot, and all of them have added the new ones as they came into use while continuing to capture and analyze communications on the older ones like radio, telegraph, and telephone.
A great deal of intelligence analysis is produced from public sources, but it needs to be supplemented by, and validated by comparison with, information that is believed to be private. In the present environment, one tool is penetration of networks guarded by routers, something Juniper claimed to provide security against.
Before I retired, I managed systems on which several Java versions were, in fact, required.
1. Some commercial products were written to a particular Java version. The vendor would not support operation on later versions. As this was a US DoD agency, we were not allowed to run unsupported software and nobody in the chain of command would even come close to authorizing us to support a vendor product (for which we had no source code or ability to develop fixes). Running unsupported software was a Category I finding that technically required removing the product from any DoD network. This was a common case, and I was acquainted with numerous workstations and servers that had three or more Java versions installed and in use.
I recall a case in which we tested of a non-Oracle product (not itself obsolete) that was said to depend on Java 6, then out of support. Java 7 was available and we tested the product against it thinking that in view of the frequency of Java vulnerabilities it might be better to run an unsupported combination of supported products than a flatly unsupported Java version. The question never arose, however, since our testing indicated that the dependency was quite real, and the final outcome was a much slower and more costly product upgrade to the newer version.
2. During software development it often was necessary to maintain both current and future versions of a product on the same server. They sometimes required different Java versions, since we tried to target new development to software environments that were not at or approaching obsolescence.
This might be a solution in matters of domestic criminal activity, provided the warrant was served on a party that possessed a copy of the key. In that case they might be able to persuade the key holder to provide access to the encrypted material by presenting it as the preferable alternative to various contempt of court punishments.
Otherwise, they are asking, in principle, for something they never have had in practice: a way to access messages encrypted using methods they do not know and keys that they do not have and which those who do will be reluctant to disclose and possibly unavailable for interrogation and possible punishment. Lack of that capability and its successful circumvention have been a consistent thread in political and military history for several thousand years, probably about since the invention of written communication. It is a "nice to have" but never has been, is not, and probably never will be, a "must have."
The subject of the article appears to be S.2410, for which text is not yet available, so we have only the postings of Senator Reed and news reports like this one that presumably are based upon it.
Whether a corporation director has any technical knowledge of computer and network security is of little relevance to the question of whether the corporate and customer information is properly secured, and a law requiring this type of disclosure is pretty much a waste. What counts at that level is that the directors as a group know that security is important to their customers and the corporation, and that they impress that upon the matter to the executives who manage the company and make their compensation and continued employment depend on that. And that is not something the law can do a great deal about except after an event, as the damage becomes clear and the need for blame arises.
A law criminalizing and punishing security failures, or requiring that the corporation make whole those actually damaged, might be a better approach. We really do not need another law that replaces substance with form and statements of compliance.
On the one hand, SELinux appears to be a fit for purpose mandatory access control system, with associated benefits and costs comparable to any such system. Unlike most, it is fully open source and those who wish to examine it for errors, vulnerabilities, and back doors are free to do so and have had about 15 years to find them. To reject it out of hand based only on its origin is roughly the same as rejecting all immigration of Syrian refugees because some of them might be Daesh plants.
On the other hand, it took the US and USSR under 25 years to be in position to land something on the moon, albeit with the known example of the WW II German rocket program and, for the US, a lot of useful pieces and engineers with hand on experience. The suggestion that the PRC required stolen design data to accomplish it in 40 years is rubbish. For the most part, it appears that their scientists and engineers are in most respects on a par with those of Europe and North America, and their primary advantage is that they can combine knowledge and techniques, some learned in the West, with known results to accelerate some aspects of development. Stolen details certainly would be useful, but just as certainly were not the primary driver.
What local taxes the USPS pays is a matter of law that the Congress can change.
Whether federal employees or postal employees (a slightly different category) pay state income taxes depends entirely on the state laws. As a federal employee I was subject to income taxation by the US, the state of Ohio, Cleveland city (work location) and Lakewood city (residence). Active duty military pay may be exempt or partly exempt from income tax in some states; that also is a state option.
The citizens of Oklahoma (for example) remain free, through their elected representatives, to tax themselves as they see fit. Additionally, like all other states, they participate in various federal tax revenue sharing programs.
The ability of states to raise revenue probably will not be affected seriously by this change. Sales taxes are not the only source of state revenues and the part due to internet (or mail order) sales is unlikely to be large.
The states (and cities) where they have a physical presence, in the form of corporate taxes, fuel taxes, vehicle taxes and the like. Many states also collect employee personal income and other taxes from their residents. There is no scarcity of taxes.
What taxes the USPS pays is a matter that states could raise with the federal government through their congressional delegations.
Good for them in the sales tax matter. While I have sympathy for the operators of brick and mortar stores, it seems unreasonable to tax a company that has no physical presence to provide an implicit subsidy for local businesses. The states can collect taxes, and do, from the delivery services, so are not entirely deprived of income from interstate sales, and they can collect taxes from those internet businesses based in state, like in Utah from Overstock.com).
While agencies dislike Congressionals, Representative Lofgren was quite right to ask DHS for information about this unfortunate incident. My objection was to what I think an unnecessarily accusatory tone and the implicit suggestion that DHS employment should limit fundamental civil rights. I hope she will publicize DHS's answer.
Tracking back beyond the Register articles to the FOIA document release and Julia Angwin's ProPublica report, I see that the issue indeed has the appearance of inappropriate DHS action. The tone of SA Squire's email is that of an informal personal message, but its origin from an official DHS email address would be likely to convey the impression of a DHS anti-TOR policy, and might have been intended to do so. That impression might be incorrect, but surely would have been amplified when Thomas Grella forwarded it with a mild endorsement to the Lebanon police who raised the issue with the library. The library board later met publicly, and after discussing the issues raised, decided to reopen the relay, as they should. There does not seem to have been any significant degree of pressure in the episode.
Should the library employee have shut down the node before the board meeting? Probably not, since the board had approved it at a previous meeting.
Were the police out of line to raise the issue? I do not think so; their range of official action certainly would extend to making officials of the library and other public organizations aware of risks associated with their operations.
Did Tom Grella act inappropriately? Maybe; in choosing to forward Squire's email to the Lebanon police he probably should have provided more information than "this could become an issue."
SA Squire, however, should be counselled and possibly disciplined for one of two things. If he acted as a private citizen, he should have made that clear in the text of the message and sent it from a personal email account rather than his official DHS account, to avoid giving an incorrect impression that he was acting in his official capacity. Done that way he would have been entirely within his rights as a citizen. Hillary Clinton was criticised for using a private server to conduct public buisness; using public servers for private action is equally inappropriate. Alternatively, if Mr. Squire was expressing DHS policy, he should have worded his message more formally and referenced the specific policy.
Absent prior history of similar behavior, either offense warrants supervisory counselling, a review of the applicable laws and DHS policies and procedures, and possibly a temporary flag in is personnel record, to be removed after a year or so with no further issues of the type. In view of Lofgren's letter, however, they might be tempted to do more: federal agencies really hate to receive Congressional letters, and this event also brought them a good deal of bad PR.
Is Lofgren's letter a bit over the top? I think so, for the reasons I stated earlier, as modified above. It is not clear that either the DHS employee or the Lebanon, NH police actions constitute "interference," and whether or not by design, SA Squire separated himself, and DHS, from the actual conversations. While counselling certainly is in order for SA Squire, and clarification of the boundaries between official duties and private actions a good idea for all DHS (and other government) employees, Squire's only error probably was failing to state that he was acting as a private citizen, not as a DHS employee. Lofgren's letter suggests that she wants DHS to direct, or at least advise, employees to limit exercise of their constitutional rights, something that would be quite illegal.
-
While I support, generally, what I take to be Representative Lofgren's position, her action is at least as overbearing as that of Special Agent Squire or any of the police officers. Her questions all are of the same pattern as "have you stopped beating your wife" and the second issues a demand that DHS develop and implement policies that deny employees basic and constitutionally guaranteed rights as citizens.
Nothing any of them is reported to have done is illegal or even unreasonable. The library system's provision of a TOR exit node certainly will facilitate criminal activity, just as it will facilitate legal activity that users want to keep private. Police officers, and even DHS special agents, are citizens with the rest of us and may be denied the rights that go with that only to a very limited degree, as exemplified by the federal Hatch Act and various state laws that limit partisan political activity.
Special Agent Squire's reported action is squarely within his rights as a citizen, and those of the police officials is within their rights as citizens as well as within the scope of their official duties. The officers made representations to library officers, who suspended node operation pending library board action. The library board, after hearing from both proponents and opponents, then reinstated the TOR node. Neither this article nor the Register's 22 September article on the same subject reports anything that constitutes unreasonable behaviour by anyone involved.
When I retired at the end of 2011, my agency had just started to deploy Windows 7 to a few developers for evaluation. I expect they, like the Navy and Marine Corps, still have a significant number of Windows XP workstations, along with a POA&M to replace them real soon.
Downvoted because of triteness and limited applicability, as well as implicit oversimplification of a lot of legally and technically complicated matters. Neither essential liberties nor safety is absolute or can be.
Encryption systems with back doors are inherently flawed. So are certificate systems when based on untrustworthy or compromised certificate authorities, a better analogy for various suggested key escrow systems. It is likely that a key escrow system could be devised that would be as secure from compromise as current CA private keys, that could be used legally only with, for example, a court ordered warrant (and be reasonably secure against use absent a warrant), and it might be that some could scale to the very large number of keys required to conduct commerce.
It is likely that such an escrow system would be of about the same utility as the NSA call details data, which is to say "not very much." It would be quite costly and viewed by many with considerable distrust. It would raise a great many foreign trade and relations issues, although many of those probably would be surmountable given the likely interest of other governments in doing much the same. I do not think the US Congress would authorize it, but have to agree they have done sillier things.
We are, at the moment, in a state of moral panic over what really is a very small threat (nationally, but not to those affected directly) and thrashing about looking for Something to Do. The moment will pass, as later events overtake it.
The police in nearly any jurisdiction can arrest pretty much whomever they want, whenever they want to do it. However, it is likely to take more than a discussion "with other people about the possibility of doing «something»" to make a conspiracy charge stick in the US, where a concrete action in furtherance of the <<something>> usually is required in addition to the discussion, hence the somewhat common cases in which an arrest is made for things like solicitation of a murder (from a police officer) or conspiracy to blow up a bridge (from a couple of FBI agents).
A most interesting discussion, one to which I shall return tomorrow and might make a comment or two. For now I will make two observations.
The first is that while a workable and scalable key escrow system might be possible, and would serve the needs of most people, it really would not be of great law enforcement use for most purposes because nearly all crimes have little to do with communication or data, whether or not it is encrypted. The very small fraction of criminals who plan complicated activities that require coordination of numerous actors who must communicate quickly over considerable distances are not at all likely to rely on encryption methods they know can be broken at the drop of a warrant. They will use one of the numerous cryptosystems that have been available for some time and are though by experts in the field to be free of weaknesses and back doors. Accordingly, they might be caught out by more old fashioned methods of surveillance or detection, and might be charged with violating encryption laws, but probably will be able to avoid electronic surveillance that is not aided by more traditional methods.
Second, the English language averages about 5.1 characters per word, and an average book has about 64,500 words. A 64 GB USB key that I can buy at Walmart for $15 and tax, can hold a one time key pad large enough to securely encrypt the entire British Library or Library of Congress collection, and very probably both.
I agree fully with this, but would add one additional observation: in some cases, TPB and similar services provide access to media that are otherwise unavailable. There are old TV shows, for instance, for which I would pay willingly (or hope for availability on Netflix/Amazon/Acorn etc.) but are not available legally. It would be widely beneficial, including to the copyright owners, if they made them available for download or streaming. It might be thought unreasonable by their legal departments and litigation agents, however.
Department of Defense rules (and NSA is a DoD agency) require that disk drives containing restricted data (i. e., PII, FOUO, or more controlled), be degaussed and physically destroyed. I think the others still may be overwritten multiply using different patterns and then excessed.
One thing the documentation Edward Snowden released illegally does not show is that the NSA deceived the President, the Departments of Defense and Justice, or the Foreign Intelligence Surveillance Court. Indeed, it is fairly clear that they also provided timely and relatively complete information to the intelligence committees of the Senate and House of Representatives, despite the fact that few members of either body took the trouble to read the documents provided. A presumption that NSA managers and employees operated programs in secret that were intended to generally subvert the rights or liberties of US citizens or those of other countries is unwarranted. Replacement of the program being ended, of course, was authorized by the Congress and directed by the President.
Reasonable people may differ about the appropriateness of various intelligence agency programs and whether they are consistent with the US Constitution and laws. In addition to citizens, federal judges and legislators, including members of the intelligence committees, did so often, and there is no clear reason to think any of them dishonest.
Stipulating that Wikipedia cannot be considered an authoritative source of information, particularly about matters that involve the complexities of international law and domestic law in various regions and countries, I referred to it for a quick summary of the "Charter," which I took to be the "Charter of Fundamental Rights of the European Union," drafted by the European Convention on Human Rights in 1999 and finally confirmed by the Treaty of Lisbon in 2009, signed and ultimately ratified (with reservations by the UK and Poland) by 27 EU countries. From what is there, it appears it applies to citizens of any EU country in any EU country. EU governments may have extended the protections to citizens of other countries, and probably are bound by treaty to do so in the case of foreigners legally present in EU countries, as the US does in the case of all foreigners legally present in the US. To the extent specified in treaties (and possibly other intergovernment agreements), they also would be constrained in their actions toward foreigners outside of EU territory. I saw nothing in the English language version of the Charter suggesting any general obligation to citizens of non-EU states who are not present in EU territory.
The subject is, of course highly technical and governed by numerous treaties and laws, and I might have missed something significant; if so, I would be happy for someone with more knowledge to point it out.
To press on with more or less irrelevant analogies, you also do not find a needle in a haystack if you do not look for it, and you are more likely to find a needle in a haystack if you look at all of it than if you look only at part.
It is worthwhile to keep in mind that SigInt agency capture and filtering of internet backbone data flows is pretty much the same thing they were (and are) doing with radio signals at places like Menwith Hill and Sugar Grove, and in numerous other listening stations before them. The internet changed the transmission means, but nothing else.
The fact that nearly all terrorist perpetrators were known (for some definition of known) may indicate no more than police/intelligence staffing insufficient to follow up on all of them. That seems to have been true in the Charlie Hebdo shootings and may have been a factor in the more recent ones in Paris. It is not clear whether increased data collection and analysis would make things better or worse, although I suspect the latter. Manpower and other resources used for collection and analysis might better be used for direct surveillance of those thought to be risks, and John Poindexter's notion that sorting and collating all the data by machine would replace human agents with algorithms always was pretty much a pipe dream, completely aside form the fact that it couldn't be sold even in the immediate post-9/11 panic.
I am minded to ask what the legal protections are under European national laws for non-citizens and residents outside their respective countries. Are there any? Stewart Baker (former NSA legal counsel) has argued in testimony to the US Congress that US citizens and residents have more legal protection against their government than citizens and residents in most of Europe, including the UK, France, and Germany, have against theirs. The US has a requirement for warrants or other court orders, ensuring that demands for data have been reviewed at least minimally by a nominally independent third party.
We know from the files Edward Snowden released, and those later declassified in response, that the NSA's data collection and analysis was done under laws passed by the US Congress, executive orders issued and updated by numerous Presidents, with review and (usually) approval by a properly authorized court consisting of federal judges nominated by a President, approved by the Senate, and appointed, as additional duty, by the Chief Justice of the Supreme Court. Nothing in what was released or declassified suggests frequent, intentional, or systematic NSA action outside that legal framework. Nearly all US citizens are much more at risk from criminals after their money than any government official. Among government officials, the risks, in roughly descending order, are local police; tax assessors; ambitious, overcharging prosecutors (local ahead of federal); and far behind, the FBI and intelligence agencies.
The President, indeed, occasionally goes beyond what the Constitution and laws allow, and the laws sometimes authorize unconstitutional actions. That has been true for over 200 years. The courts have made corrections in the past and will continue to do so in the future.
The President and executive branch generally are not required to protect those who are not US citizens or in the US from anything, any more than another government is obliged to protect non-citizens located outside of their jurisdiction. This can be, and often is, modified by treaties and other intergovernment agreements, but is the default rule.
I anticipate quite a few down votes for this post. I would prefer a clear description of the legal protections that apply to European citizens and legal residents instead, but would be quite satisfied with both.
This was an NCIS episode plot a few years ago, so it's all planned out for Daesh, including some of the things to avoid.
I can't say I fully believe the premise that taking out a few towers could wreak enough damage to bring the US to its knees, though. The last one I experienced was the Northeast US (and Canada) blackout of 14-15 August, 2003, apparently triggered by dodgy control software and sloppy tree pruning near Cleveland at a time of high demand. In Cleveland the lights went out about 1610, I shut down the whimpering servers, and caught a bus to my son's apartment (he had a gas stove). We watched the stars that night, and our power came back on about Noon the following day. That evening I went back and started the computers so the customer department could work their scheduled Saturday O/T. We had an extra paid day off that year, but no obvious long term damage.
Terrorists might be able to do worse, but I doubt it would not be recoverable in a week or so.
In the context at hand it is reasonably well documented that in addition to such things as IP headers the metadata also includes the "From:," "To:," "CC:," and "BCC:," and "Subj:" lines, but not the remainder unless the body is encrypted.
The notion that the processing involved would slow the internet is follty. They are taking a copy in real time, discarding much of it immediately and filtering the remainder more carefully off line. We know this from published materials for NSA and GCHQ, and it may be assumed without risk of error that the Russians, Chinese, and others are doing something a lot like it.
Jonathan Adler (a real live US attorney) speaks to this somewhat at:
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/11/20/the-metadata-collection-program-is-constitutional-at-least-according-to-judge-kavanaugh/
complete with a number of case law references for those interested in more detail.
As the OP said, it depends on the definition of "unreasonable."
I cannot think of a single reason that I, or anyone else not an owner of the equipment in question, should care what Apple charges for it. Money is generally understood as a measure of the economic concept of utility, but in actuality, two different people see that in exactly the same way. Among other things, that facilitates commerce. Purchasers of Apple products have a different view of their utility than I do, for reasons I do not know and do not wish to. They are free to act on their view of the products' utility, as I am not to act. It is their business, not mine. I am not entitled to an opinion in the matter and neither, in my opinion, is anyone else.