US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past

from the ask-(FISC_)-and-ye-shall-receive dept

Fri, Mar 18th 2016 1:48pm — Tim Cushing

From Zack Whittaker at ZDNet comes the alarming revelation that it's not just Apple looking at possibly having to turn over its source code and/or encryption keys to the government, much like what happened to Lavabit. Many other companies have done this previously as the result of orders granted by the nation's most opaque, non-adversarial court.

The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We're not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing "most of the time."

That's hardly heartening. The DOJ would only go so far as to confirm this has happened before, likely because there's no way to deny it. The documents from the Lavabit case have been made public -- with the DOJ using a formerly-sealed document to hint at what could be in store for Apple if it refuses to write FBiOS for it.

Unfortunately, because of the secrecy surrounding the government's requests for source code -- and the court where those requests have been made -- it's extremely difficult to obtain outside confirmation. Whittaker contacted more than a dozen Fortune 500 companies about the unnamed official's claims and received zero comments.

A few, however, flatly denied ever having handed over source code to the US government.

Cisco said in an emailed statement: "We have not and we will not hand over source code to any customers, especially governments."

IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data." A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.

Cisco is likely still stinging from leaked documents showing its unwitting participation in an NSA unboxing photo shoot and has undoubtedly decided to take a stronger stance against government meddling since that point. As for IBM, its statement is a couple of years old and contains a major qualifying statement.

Previously-leaked documents somewhat confirm the existence of court orders allowing the NSA to perform its own hardware/software surgery. Presumably, the introduction of backdoors and exploits is made much easier with access to source code. Whittaker points to a Kaspersky Lab's apparent discovery of evidence pointing to the NSA being in possession of "several hard drive manufacturers'" source code -- another indication that the government's history of demanding source code from manufacturers and software creators didn't begin (or end) with Lavabit.

The government may be able to talk the FISA court into granting these requests, given that its purview generally only covers foreign surveillance (except for all the domestic dragnets and "inadvertent" collections) and national security issues. The FBI's open air battle with Apple has already proceeded far past the point that any quasi-hearing in front of the FISC would have. That's the sort of thing an actually adversarial system -- unlike the mostly-closed loop of the FISA court -- tends to result in: a give-and-take played out (mostly) in public, rather than one party saying "we need this" and the other applying ink to the stamp.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, fbi, fisa, fisa court, fisc, privacy, security, signing keys, software, source code, tech companies

42 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 18 Mar 2016 @ 2:03pm

If they are willing to go this far they might as well nationalize the entire industry.
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 2:05pm

If only there where software designed from the get go, to remain secure while the source code is OPEN to view by anyone... oh wait...
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 2:18pm

Re:
Yes, open source has been having a wonderful time the past few years in the security sector.
There's nothing wrong with open source, but it's not a panacea that makes it automatically more secure than closed source. To the contrary, many people just assume that since anyone can look at it, that all the vulnerabilities must have been found and fixed by now.
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 2:26pm

Re: Re:
It does have one advantage, it is much harder for anyone to deliberately introduce a backdoor, and it is much much easier to use the likes of wireshark to look at what the software is doing on the network, absent all those servers that proprietary OS's want to talk to..
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 2:34pm

I'm pissed off at this. This is borderline deputizing the U.S. tech industry. This is unconscionable and utterly disgusting.
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 2:58pm

"We will not give source code to any government entity."

Legally and/or technically speaking such responses don't bsay anything about contractors working on behalf of the government, or commercial/nonprofit orgs created to front for the government.
[ link to this | view in thread ]
kenichi tanaka (profile), 18 Mar 2016 @ 2:58pm

Even if the FBI had gone to FISC, Apple could have just forced the issue and appealed the decision directly to the U.S. Supreme Court.
[ link to this | view in thread ]
Anonymous Anonymous Coward, 18 Mar 2016 @ 3:00pm

Two Choices for the rest of us...
...but where would we move to?
[ link to this | view in thread ]
Roger Strong (profile), 18 Mar 2016 @ 3:11pm

> US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past

I'm guessing that this happened in 1999 when the NSA banned Furbies from their premises in Maryland.
[ link to this | view in thread ]
David (profile), 18 Mar 2016 @ 3:23pm

source code given - or taken?
What I would wonder is whether that source code was given by the company or merely taken by the government agencies. The average tech related manufacturing firm is ill placed to hold off a government sponsored breach. Also, it is rather easy to blame the Chinese because they are constantly pissing in everyone's soup as it is.

Just because they have someone's source code doesn't mean the company [b]handed[/b] it to them.
[ link to this | view in thread ]
br3n (profile), 18 Mar 2016 @ 3:31pm

Re: open source
may not be the best answer but for some like me it is the only choice.i cannot read code but i do know others are looking at it and they may be looking at it more in the future as it might be our last choice.
br3n
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 4:00pm

DROPOUT JEEP
Via Schneier…
DROPOUTJEEP

(TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the Apple iPhone operating system and uses the CHIMNEYPOOL framework. DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture.

(TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

Unit Cost: $0

Status: (U) In development
Schneier links to this leaked page, which carries a “10/01/08” marking.

Question: Presuming we believe in the authenticity of this material— how desirable would Apple's source (iOS, and/or lower level down to VHDL/Verilog/etc) be to this reported development effort by NSA's Tailored Access Operations (TAO) group?
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 4:10pm

Re: DROPOUT JEEP
“The NSA Has a Backdoor Called 'DROPOUTJEEP' for Nearly Complete Access to the Apple iPhone”, iClarified, Dec 30, 2013
. . . The NSA claims in their QUANTUMTHEORY documents that every attempt to implant iOS will always succeed. This leads [Jacob "@ioerror"] Applebaum to question whether Apple assisted them in installing this backdoor:
“They literally claim that anytime they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I'd like to believe that since Apple didn't join the PRISM program until after Steve Jobs died, that maybe it's just that they write shitty software. We know that's true.”
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 4:28pm

Re: DROPOUT JEEP
NSA's Tailored Access Operations (TAO) group
Actually, Schneier indirectly links to a Dec 29, 2013 Spiegel Online story, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox”, by Jacob Appelbaum, Judith Horchert and Christian Stöcker, which describes the document as coming from the “ANT” group:
Master Carpenters

The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA's department for Tailored Access Operations (TAO).
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 4:29pm

Re:
Good idea, we can do with all sorts of other businesses too, to make sure everyone is doing their part..

O fucking wait? Is this Communist China? Looks like it!
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 5:03pm

Re: Re: DROPOUT JEEP
Oh, and for those who aren't necessarily diving in to follow all the links here—

From Zack Whittaker's ZDNet story (Mar 17, 2016) that Cushing linked in the article up above:
. . . Top secret NSA documents leaked by whistleblower Edward Snowden, reported in German magazine Der Spiegel in late-2013, have suggested some hardware and software makers were compelled to hand over source code to assist in government surveillance.&nbpsp;. . .
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 6:44pm

Re:
right there with you
[ link to this | view in thread ]
Anonymous Coward, 18 Mar 2016 @ 6:54pm

If I were an enemy of the US, how would I try to hurt it in the Information Age? I can think of no better way than to sow doubt as to the security of the software coming out of country isn't worth buying. In doing that pretty much all companies writing software would become untrusted sourced there. Once that is known, globally, businesses, governments, and individual users would probably go hunting other companies to provide those desired softwares or start creating their own.

No wonder so many corporations are moving out of the US and using the tax dodge as the publicly faced reason if they can't say the real reason.
[ link to this | view in thread ]
That One Guy (profile), 18 Mar 2016 @ 9:42pm

Mistaken terminology
FISA court... FISA court...

Yeah, people really need to stop calling it a 'court', as it has as much to do with a typical court as the cheapest fast-food has with fancy cuisine. In the same way that both of the latter have food, and that's about the only thing they have in common, the former both has people in judge outfits, and that's about it.

The FISA 'court' isn't adversarial, knows only what they are told and have no real interest in finding out more before ruling, works with secret interpretations of the law to create secret rulings... to call it a 'court' is to do a great disservice to actual courts.
[ link to this | view in thread ]
gezzerx, 18 Mar 2016 @ 10:30pm

Give it to them.
Give them the source code, encrypted of course,printed in the smallest font possible, just like Lavabit did. If the Government doesn't like it just give them the 1 finger salute
& tell them to sit on it & rotate !
[ link to this | view in thread ]
Rekrul, 19 Mar 2016 @ 12:32am

Re:
Even if the FBI had gone to FISC, Apple could have just forced the issue and appealed the decision directly to the U.S. Supreme Court.

Who would probably side with the FBI.
[ link to this | view in thread ]
Anonymous Coward, 19 Mar 2016 @ 1:47am

Re: Give it to them.
Much better, give it to them printed in 96 point type, on heavyweight paper, and literally bury them in paper.
[ link to this | view in thread ]
Lisboeta, 19 Mar 2016 @ 6:14am

Re: Re: Give it to them.
Even better if the pages are _accidentally_ not numbered.
[ link to this | view in thread ]
jim, 19 Mar 2016 @ 6:32am

so whats the news?
Oh, hum. How is that news? Let's put this info into context, remember the opening statement, some thing about lavabit being required to give the source code, to the US government? And relating this to Apple? So that bit has been fought and won by the gummit. So why does Apple still fight? After all, if one perused the news, from the mid November, of last year, one would find, if looking for black Friday adds, not much, but giveaway of the Apple source code to the Chinese government. Hmm, interesting! And a related article about, Hawaii producing a new Apple clone. Double interesting. So, are we supporting the Apple customers, or a foreign competitor? Oh, the reasons cited were a crackdown on muslem terrorists in southern and eastern China. Interesting? Compounded interesting.
[ link to this | view in thread ]
Rick Caird, 19 Mar 2016 @ 12:11pm

Re:
It is just another reason for companies like Apple to move both their headquarters and their Engineering overseas.
[ link to this | view in thread ]
Anonymous Coward, 19 Mar 2016 @ 12:29pm

Re: so whats the news?
… news, from the mid November, of last year, one would find … giveaway of the Apple source code to the Chinese government.
Supporting links for that, please?

From the Apple SrVPSwEng Craig Federighi's Mar 15, 2016 declaration at paragraph 6 (p.2: ln.25-6):
Apple has also not provided any government with its proprietary iOS source code.
Meanwhile I have familiarized myself with this Jan 23, 2015 Quartz story by Heather Timmons, “Apple is reportedly giving the Chinese government access to its devices for ‘security checks’ ”.
While there was no other information available on the paper’s website, the tweet echoes a report in the Beijing News (link in Chinese) that Apple chief executive Tim Cook informed Lu last month that Apple would let China’s State Internet Information Office conduct “security checks” on all products that it sells on the mainland.
Google Translate link for Beijing News Jan 21, 2015 story “Apple is willing to accept China's position network security review”.
[ link to this | view in thread ]
Anonymous Coward, 19 Mar 2016 @ 2:06pm

Global industry practices
“IBM Allows Chinese Government to Review Source Code”, by Eva Dou, Wall Street Journal, Oct. 16, 2015
. . . Chinese media reported that IBM Senior Vice President Steve Mills disclosed the source-code sharing in a speech in Beijing Thursday, saying that IBM needed government support to continue its growth in China. Mr. Mills’ remarks couldn’t be immediately confirmed. . . .

In 2010, years before Mr. Snowden’s disclosures intensified Beijing’s efforts, Microsoft said it would share source code for Windows 7 and other products with the Chinese government. . . .

But U.S. companies have largely resisted pressure from Beijing to share source code. . . .
“IBM allows Chinese Government to review source code: WSJ”, Reuters, Oct 16, 2015
International Business Machines Corp has agreed to let China review some product source code in a secure room, the Wall Street Journal reported, citing two people briefed on the practice.
[ link to this | view in thread ]
Michael W. Perry, 20 Mar 2016 @ 6:32am

Best case scenario.
Join with me for a moment is extreme cynicism. What is the best possible outcome for widespread NSA/FBI surveillance?

No, it's not the NSA/FBI succeeding in forcing Apple to insert backdoors and discover pass codes for law enforcement. It's for Apple to give every appearance of having won this dispute, while secretly cooperating with those agencies, actively or passively, for any of a number of reasons.

Why? Because a NSA/FBI win sends a message to terrorists and other wrongdoers (including corrupt corporations) that Apple platform is unsafe and requires that they take additional measures. A seeming win by Apple, accompanied by enormous publicity, would make them slack off in their precautions, thus making the work of NSA/FBI easier.

Indeed the very publicity given to this dispute and Apple's seemingly hard stand could just as easily be taken as an indication that the company's public opposition to NSA/FBI spying is accompanied by private cooperation. It is, after all, just the behavior one would expect if that were the case.

How might the NSA/FBI best reward Apple? By giving the company's executives a stack of "get out of jail free" cards for corporate wrongdoing. Nothing could be more valuable not even money.
[ link to this | view in thread ]
Anonymous Coward, 20 Mar 2016 @ 7:36am

Re: Best case scenario.
… sends a message…
Anyone who believes that a 4-digit pin can protect their secrets when the physical hardware has been captured by a major nation-state adversary who has time and determination……… ……… ……… well, anyone who believes that is not really thinking rationally.

In this case, the FBI/DoJ has been misstating material facts. It remains something of an open question for me whether particular individuals from those agencies have been intentionally misstating specific material facts.

Apple, in seeming conflict with the government in this case, manufactures the iPhone. If Apple implies that the device is fit for a particular purpose, don't they have some sort of obligation to avoid concealing known defects which render it unfit for that purpose? One might perhaps argue that an intrinsically unlawful purpose cannot create liability in a manufacturer for concealing known defects.
[ link to this | view in thread ]
Anonymous Coward, 20 Mar 2016 @ 8:36am

Re: Re: Re: Give it to them.
Playing games like that was Ladar Levison's major mistake in the Lavabit case.

I can see why Levison hesitated before he shut down his company. It was what— ten years? personal investment. Anyone would hesitate before that step.

But Levison's better move at the point where he had to turn over the private key, rather than printing out the key in minuscule, would have been to hand it over by openly publishing it on his website.
[ link to this | view in thread ]
Anonymous Coward, 20 Mar 2016 @ 10:10am

Re: Re: Re: Re: Give it to them.
But Levison's better move at the point where he had to turn over the private key, rather than printing out the key in minuscule, would have been to hand it over by openly publishing it on his website.

Doing as you suggest would have destroyed his reputation, as every Government in the world could then read all those messages that they had cached in case there was a breakthrough in decryption. Doing as he did warned everybody who used his service that the NSA had a way in.
[ link to this | view in thread ]
Anonymous Coward, 20 Mar 2016 @ 10:16am

Re: Re: Re: Re: Re: Give it to them.
every Government in the world could then read all those messages that they had cached
He turned the private key over in electronic form two days after he turned it over on paper.

So what difference did the two days make—other than costing him $10,000 for contempt?
[ link to this | view in thread ]
Anonymous Coward, 20 Mar 2016 @ 10:49am

Re: Re: Re: Re: Re: Give it to them.
destroyed his reputation
Perhaps it's time to repeat Moxie Marlinspike's criticism of the Lavabit architecture: “Op-ed: Lavabit’s primary security claim wasn’t actually true” (Ars Technica, Nov 5, 2013):
It's not clear whether the Lavabit crew consciously understood the system's shortcomings and chose to misrepresent them, or if it really believed it built something based on can't rather than won't. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.
In fairness, Levinson's response: “Op-ed: Lavabit’s founder responds to cryptographer’s criticism” (Ars Technica, Nov 7, 2013):
It never occurred to me that the feds might demand Lavabit’s SSL key. It simply wasn’t part of my threat model. If I were to highlight one of my personal failings in this ordeal, it would be that oversight.
[ link to this | view in thread ]
John Fenderson (profile), 20 Mar 2016 @ 11:14am

Re: Re: Re: Re: Re: Re: Give it to them.
"It never occurred to me that the feds might demand Lavabit’s SSL key. It simply wasn’t part of my threat model."

Wow, that's a huge admission of failure. Kudos to Levinson for having the fortitude to give a mea culpa. Boos to Levinson for being so blind to one of the first threats he should have been considering (loss of keys to attackers).
[ link to this | view in thread ]
Anonymous Coward, 20 Mar 2016 @ 12:04pm

Re: Re: Re: Re: Re: Re: Re: Give it to them.
The problem at the core of exchanging encrypted messages is exchanging base keys in a fashion that both ends can be sure that the keys are from who they purport to be. The same problem lies at the core of secure boot systems, can anybody be sure that one the certificates in the certificate does not belong to the NSA or other government agency.
Effectively, secure communications require people to manage the keys that they use, and gain keys via routes that they personally trust. Failing that, they could be exchanging messages via a third party who is reading all the traffic, and impersonating each end to the other end. It does not matter how secure the encryption is if a third party can insert themselves into the message exchange.
[ link to this | view in thread ]
Whatever (profile), 20 Mar 2016 @ 4:58pm

Cisco's denial
I find Cisco's denial here to be a little TOO specific for it's own good:

"We have not and we will not hand over source code to any customers, especially governments"

I didn't know that a court order was a "customer". It rather looks like they are trying to be a little too clever about the wording. They don't give the source code to customers - but for a court order, well...

You gotta wonder why they worded it that way!
[ link to this | view in thread ]
John Fenderson (profile), 20 Mar 2016 @ 8:58pm

Re: Cisco's denial
Cisco is a defense contractor, as well as a major supplier to the rest of the government. That's pretty much all the leverage against them that's needed.
[ link to this | view in thread ]
Anonymous Coward, 21 Mar 2016 @ 8:09am

Re: Re: so whats the news?
Apple would let China’s State Internet Information Office conduct “security checks” on all products that it sells on the mainland.
“The Behind-the-Scenes Fight Between Apple and the FBI”, by Adam Satariano and Chris Strohm, Bloomberg, Mar 20, 2016
. . . Apple gave the Federal Bureau of Investigation early access to iOS 8 so it could study how the new system would change evidence-gathering techniques, according to people familiar with the software's development.
[ link to this | view in thread ]
Wendy Cockcroft, 29 Mar 2016 @ 5:50am

Re: Re:
All totalitarian authoritarian dystopias start to look the same after a while, don't they?
[ link to this | view in thread ]
Anonymous Coward, 7 Aug 2018 @ 7:17am

Re:
How many such appeals do you know of?

Yeah, that's what I thought.
[ link to this | view in thread ]
Anonymous Coward, 7 Aug 2018 @ 7:18am

Re: Two Choices for the rest of us...

...but where would we move to?

We seem to be fresh out of new world continents.
[ link to this | view in thread ]
Anonymous Coward, 7 Aug 2018 @ 7:22am

Re: source code given - or taken?

Just because they have someone's source code doesn't mean the company [b]handed[/b] it to them.

We might have accidentally dropped a copy in their headquarters while visiting there, but we didn't "hand" it to them.
[ link to this | view in thread ]