US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past
from the ask-(FISC_)-and-ye-shall-receive dept
From Zack Whittaker at ZDNet comes the alarming revelation that it's not just Apple looking at possibly having to turn over its source code and/or encryption keys to the government, much like what happened to Lavabit. Many other companies have done this previously as the result of orders granted by the nation's most opaque, non-adversarial court.
The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.That's hardly heartening. The DOJ would only go so far as to confirm this has happened before, likely because there's no way to deny it. The documents from the Lavabit case have been made public -- with the DOJ using a formerly-sealed document to hint at what could be in store for Apple if it refuses to write FBiOS for it.
The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We're not naming the person as they relayed information that is likely classified.
With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing "most of the time."
Unfortunately, because of the secrecy surrounding the government's requests for source code -- and the court where those requests have been made -- it's extremely difficult to obtain outside confirmation. Whittaker contacted more than a dozen Fortune 500 companies about the unnamed official's claims and received zero comments.
A few, however, flatly denied ever having handed over source code to the US government.
Cisco said in an emailed statement: "We have not and we will not hand over source code to any customers, especially governments."Cisco is likely still stinging from leaked documents showing its unwitting participation in an NSA unboxing photo shoot and has undoubtedly decided to take a stronger stance against government meddling since that point. As for IBM, its statement is a couple of years old and contains a major qualifying statement.
IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data." A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.
Previously-leaked documents somewhat confirm the existence of court orders allowing the NSA to perform its own hardware/software surgery. Presumably, the introduction of backdoors and exploits is made much easier with access to source code. Whittaker points to a Kaspersky Lab's apparent discovery of evidence pointing to the NSA being in possession of "several hard drive manufacturers'" source code -- another indication that the government's history of demanding source code from manufacturers and software creators didn't begin (or end) with Lavabit.
The government may be able to talk the FISA court into granting these requests, given that its purview generally only covers foreign surveillance (except for all the domestic dragnets and "inadvertent" collections) and national security issues. The FBI's open air battle with Apple has already proceeded far past the point that any quasi-hearing in front of the FISC would have. That's the sort of thing an actually adversarial system -- unlike the mostly-closed loop of the FISA court -- tends to result in: a give-and-take played out (mostly) in public, rather than one party saying "we need this" and the other applying ink to the stamp.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, fbi, fisa, fisa court, fisc, privacy, security, signing keys, software, source code, tech companies
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
O fucking wait? Is this Communist China? Looks like it!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
There's nothing wrong with open source, but it's not a panacea that makes it automatically more secure than closed source. To the contrary, many people just assume that since anyone can look at it, that all the vulnerabilities must have been found and fixed by now.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: open source
br3n
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Legally and/or technically speaking such responses don't bsay anything about contractors working on behalf of the government, or commercial/nonprofit orgs created to front for the government.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Who would probably side with the FBI.
[ link to this | view in chronology ]
Re:
Yeah, that's what I thought.
[ link to this | view in chronology ]
Two Choices for the rest of us...
[ link to this | view in chronology ]
Re: Two Choices for the rest of us...
We seem to be fresh out of new world continents.
[ link to this | view in chronology ]
I'm guessing that this happened in 1999 when the NSA banned Furbies from their premises in Maryland.
[ link to this | view in chronology ]
source code given - or taken?
Just because they have someone's source code doesn't mean the company [b]handed[/b] it to them.
[ link to this | view in chronology ]
Re: source code given - or taken?
We might have accidentally dropped a copy in their headquarters while visiting there, but we didn't "hand" it to them.
[ link to this | view in chronology ]
DROPOUT JEEP
Question: Presuming we believe in the authenticity of this material— how desirable would Apple's source (iOS, and/or lower level down to VHDL/Verilog/etc) be to this reported development effort by NSA's Tailored Access Operations (TAO) group?
[ link to this | view in chronology ]
Re: DROPOUT JEEP
[ link to this | view in chronology ]
Re: DROPOUT JEEP
[ link to this | view in chronology ]
Re: Re: DROPOUT JEEP
From Zack Whittaker's ZDNet story (Mar 17, 2016) that Cushing linked in the article up above:
[ link to this | view in chronology ]
No wonder so many corporations are moving out of the US and using the tax dodge as the publicly faced reason if they can't say the real reason.
[ link to this | view in chronology ]
Mistaken terminology
Yeah, people really need to stop calling it a 'court', as it has as much to do with a typical court as the cheapest fast-food has with fancy cuisine. In the same way that both of the latter have food, and that's about the only thing they have in common, the former both has people in judge outfits, and that's about it.
The FISA 'court' isn't adversarial, knows only what they are told and have no real interest in finding out more before ruling, works with secret interpretations of the law to create secret rulings... to call it a 'court' is to do a great disservice to actual courts.
[ link to this | view in chronology ]
Give it to them.
& tell them to sit on it & rotate !
[ link to this | view in chronology ]
Re: Give it to them.
[ link to this | view in chronology ]
Re: Re: Give it to them.
[ link to this | view in chronology ]
Re: Re: Re: Give it to them.
I can see why Levison hesitated before he shut down his company. It was what— ten years? personal investment. Anyone would hesitate before that step.
But Levison's better move at the point where he had to turn over the private key, rather than printing out the key in minuscule, would have been to hand it over by openly publishing it on his website.
[ link to this | view in chronology ]
Re: Re: Re: Re: Give it to them.
Doing as you suggest would have destroyed his reputation, as every Government in the world could then read all those messages that they had cached in case there was a breakthrough in decryption. Doing as he did warned everybody who used his service that the NSA had a way in.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Give it to them.
So what difference did the two days make—other than costing him $10,000 for contempt?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Give it to them.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Give it to them.
Wow, that's a huge admission of failure. Kudos to Levinson for having the fortitude to give a mea culpa. Boos to Levinson for being so blind to one of the first threats he should have been considering (loss of keys to attackers).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Give it to them.
Effectively, secure communications require people to manage the keys that they use, and gain keys via routes that they personally trust. Failing that, they could be exchanging messages via a third party who is reading all the traffic, and impersonating each end to the other end. It does not matter how secure the encryption is if a third party can insert themselves into the message exchange.
[ link to this | view in chronology ]
so whats the news?
[ link to this | view in chronology ]
Re: so whats the news?
From the Apple SrVPSwEng Craig Federighi's Mar 15, 2016 declaration at paragraph 6 (p.2: ln.25-6): Meanwhile I have familiarized myself with this Jan 23, 2015 Quartz story by Heather Timmons, “Apple is reportedly giving the Chinese government access to its devices for ‘security checks’ ”. Google Translate link for Beijing News Jan 21, 2015 story “Apple is willing to accept China's position network security review”.
[ link to this | view in chronology ]
Re: Re: so whats the news?
[ link to this | view in chronology ]
Global industry practices
[ link to this | view in chronology ]
Best case scenario.
No, it's not the NSA/FBI succeeding in forcing Apple to insert backdoors and discover pass codes for law enforcement. It's for Apple to give every appearance of having won this dispute, while secretly cooperating with those agencies, actively or passively, for any of a number of reasons.
Why? Because a NSA/FBI win sends a message to terrorists and other wrongdoers (including corrupt corporations) that Apple platform is unsafe and requires that they take additional measures. A seeming win by Apple, accompanied by enormous publicity, would make them slack off in their precautions, thus making the work of NSA/FBI easier.
Indeed the very publicity given to this dispute and Apple's seemingly hard stand could just as easily be taken as an indication that the company's public opposition to NSA/FBI spying is accompanied by private cooperation. It is, after all, just the behavior one would expect if that were the case.
How might the NSA/FBI best reward Apple? By giving the company's executives a stack of "get out of jail free" cards for corporate wrongdoing. Nothing could be more valuable not even money.
[ link to this | view in chronology ]
Re: Best case scenario.
In this case, the FBI/DoJ has been misstating material facts. It remains something of an open question for me whether particular individuals from those agencies have been intentionally misstating specific material facts.
Apple, in seeming conflict with the government in this case, manufactures the iPhone. If Apple implies that the device is fit for a particular purpose, don't they have some sort of obligation to avoid concealing known defects which render it unfit for that purpose? One might perhaps argue that an intrinsically unlawful purpose cannot create liability in a manufacturer for concealing known defects.
[ link to this | view in chronology ]
Cisco's denial
"We have not and we will not hand over source code to any customers, especially governments"
I didn't know that a court order was a "customer". It rather looks like they are trying to be a little too clever about the wording. They don't give the source code to customers - but for a court order, well...
You gotta wonder why they worded it that way!
[ link to this | view in chronology ]
Re: Cisco's denial
[ link to this | view in chronology ]