Cy Vance Still Arguing For Mandated Encryption Backdoors; Believes Third Party Doctrine Supports His Theory
from the a-bunch-of-bad-ideas,-all-wrapped-up-in-self-righteousness dept
The United States Senate Committee on Armed Services held a hearing about the coming darkness cellphone encryption Friday morning. There was almost no attempt made to address both sides of the issue, most likely because Senator John McCain -- who headed up the "discussion" -- has already made up his mind on how this problem should be handled.
Testimony -- all from government officials -- was presented, with Manhattan DA Cyrus Vance leading off. Vance's tune hasn't changed. Encryption is still (apparently) an insurmountable problem and the only "answer" runs directly through Congress. Vance spent most of his speaking time [PDF] criticizing Apple and suggesting its decision to provide encryption by default on its phones was done purely to spite him and the government.
Given Apple’s own statements about the security of iOS 7, shortly after Apple’s reengineering of its phones to prevent search warrant access by law enforcement, I asked it in a letter dated March 2015, whether there was a bona fide security reason to make its new operating system, iOS 8, warrant-proof. Apple chose not to answer me, but in March of this year, the House Judiciary Committee compelled Apple to answer the same question. That Committee asked Apple the following question, in writing, “Was the technology you possessed to decrypt these phones”—and the clear reference is iOS7 phones and their predecessors—“ever compromised?” Apple’s written response was: “The process Apple used to extract data from locked iPhones running iOS 7 or earlier operating systems was not, to our knowledge, compromised.” (Emphasis added.)
Apple’s answer to this crucial question shows what we have long suspected: That Apple’s method of data extraction under iOS 7 posed no documented security problems. That being so, then there should be no unreasonable security risk going forward if we return to the procedure where court-ordered warrants can be honored by extracting responsive data off of smartphones.
In Vance's view, encryption protocols should not be altered until they've been compromised -- a view that aligns nicely with his presumption that the government should always have access to phone contents but runs counter to good security practices. Vance wants Apple to go back to holding the encryption keys and be on hand to unlock the door whenever the government asks.
Vance is still pushing his "encryption is a godsend to criminals" narrative -- based on little more than same single recorded prison phone call he referenced months ago. Vance may have a pile of cellphones law enforcement can't break into, but that hardly suggests a majority of criminals are gravitating towards encrypted services. The rise in the number of encrypted communications methods will benefit some criminals, but even high-profile terrorist attacks have been coordinated and planned using methods still open to interception and investigation.
The solution is legislation, according to the DA. Vance provides a list of prior legislation crafted to aid law enforcement as support for his theory the government should be allowed access to phone contents. However, his list covers only records collected and stored by third parties -- not the content and communications he's seeking access to.
Federal regulation is already important in the communications industry. When telephone companies went from using copper wires to using fiber optics and digital signals, the police could no longer use their old techniques of executing wiretap orders, and so Congress passed the Communications Assistance for Law Enforcement Act (CALEA), mandating that telecom providers build into their systems mechanisms for law enforcement to install court-ordered wiretaps. CALEA has worked. It has saved lives, and it has withstood Constitutional challenge. It has not stifled innovation, as its opponents feared…
[...]
Here are a few other examples: DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled. FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft. State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse. I could go on.
The point is that companies in nearly every industry are required by law to maintain voluminous customer records and produce criminal evidence when they receive a court order. When your introduction of goods and services into the stream of commerce overlaps with public safety, this is the price of doing business in the United States.
In other words: the government should have access to iPhone contents because it has access to other stuff. It's a clumsy comparison at best. At worst, it's a blueprint for unprecedented government intrusion. Vance may be trying to demonstrate that the government has historically had access to a wealth of information thanks to regulators and the Third Party Doctrine and should continue to be granted access, but this inept analogy is worse than apples-to-oranges. Connecting Vance's dots suggests he views personal data and communications as just another set of records "collected" by cellphone providers. He may not openly suggest these are nothing more than "third party" records, but he obviously believes private corporations "owe" this sort of access to the government.
Vance says he doesn't want a legislated encryption backdoor, but his solution is basically a legislated encryption backdoor.
My Office’s proposed solution is to enact a federal statute providing that data on any smartphone made or sold in the United States must be accessible—not by law enforcement, but by the maker of the smartphone’s operating system—when the company is served with a valid search warrant. And if a person or entity such as Apple offers encryption software, it has to have the ability to provide data in response to a judicial order.
The backdoor may be located at the company's headquarters, but it's a backdoor all the same.
His testimony also suggests more legislation might be needed to further subvert encryption. Like James Comey, Vance suggests harder nerding will make the impossible possible.
This solution is limited to data at rest on smartphones. It would not affect encryption of data in motion. I cannot at this time offer a technical fix to address data in motion. I am confident, however, that engineers from industry and government, working together in good faith, can find one.
"Good faith." That's hilarous. The only time law enforcement is interested in a "good faith" discussion is when it's trying to salvage an illegal search.
Vance -- like Comey -- believes all concessions must come from the private sector. That's how he defines "working together." He's also concerned a 12-month study from a Congressional committee won't address the issue fast enough.
Twelve months of taking testimony resulting in non-binding recommendations in a report will not adequately address the urgency of the problem that local law enforcement faces. Time is not a luxury that local law enforcement, crime victims, or communities can afford.
With a nod to civil liberties:
Our laws require speedy trials. Victims require justice. And criminals must be held accountable before they can reoffend.
I would think that if you don't have the evidence -- if it's on phones that can't be broken into -- you just don't have the evidence. I sincerely hope people aren't being locked up until Congress creates the backdoor Vance is looking for. Of course, we know that is happening, but hopefully not on the scale Vance suggests with his list of police-resistant devices still being held by law enforcement agencies (who assume they contain evidence of criminal activity).
The end result of the encryption study can't be determined at this point. But given the nature of this committee -- and its decision to only present one side of the issue -- it appears its greatest purpose may be nothing more than buying time until backdoor/ban legislation is reintroduced.
Vance's side hasn't budged an inch. While deference is continually paid to the "smart people" at tech companies, it's only done so under the assumption that they're just holding out on the government. The solution Vance, et al want is supposedly possible, even if it isn't. Any arguments to the contrary are continually treated as deliberate antagonism, rather than basic facts. Backdoored encryption -- no matter who holds the keys -- is a security problem. And it's not going to go away, no matter how many times the same arguments are repeated.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cy vance, cyrus vance, encryption, going dark, john mccain, manhattan da
Companies: apple
Reader Comments
Subscribe: RSS
View by: Time | Thread
It worked so well for Russia...
Why do you want to turn us into Russia? They have already created these laws in the ham-fisted way you are proposing (just ban it and figure it out later).
Just wait and see how well it works out for Russia and its tech sector. I swear, you guys won't be happy until every civilian has to have a body cam strapped to them at all times and it is a felony to turn it off even in the most intimate and private of settings...because... children!
You never have had a full picture of every bad thing a person does... why do you think you are entitled to it now?
Sincerely,
All Tech Professionals
[ link to this | view in chronology ]
Re: It worked so well for Russia...
Even if everyone had a chip implanted into the brain at birth as in the film "The Final Cut" that automatically records everything the person sees and hears those guys in the FBI/NSA etc were still demand even more tougher action to be taken because of terrorism etc.
[ link to this | view in chronology ]
It worked so well for Russia...
Why do you want to turn us into Russia? They have already created these laws in the ham-fisted way you are proposing (just ban it and figure it out later).
Just wait and see how well it works out for Russia and its tech sector. I swear, you guys won't be happy until every civilian has to have a body cam strapped to them at all times and it is a felony to turn it off even in the most intimate and private of settings...because... children!
You never have had a full picture of every bad thing a person does... why do you think you are entitled to it now?
Sincerely,
All Tech Professionals
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
"DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled."
...Because drugs are regulated substances that could kill people if abused. Aside from talking to my aunt about her neighbor for three hours, what phone calls are likely to kill people?
"FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft."
This is about protecting the customers from crime, not breaking into their personal communications, you 4th amendment-hating idiot.
"State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse."
Again, this is for the protection of the students. Do you not understand the difference between keeping records to keep people safe and getting access to information that violates their privacy and constitutional rights? No? Then you shouldn't have your job.
I could go on.
[ link to this | view in chronology ]
Re:
But smartphone encryption, one of the great public safety
challenges of our time, remains almost entirely self-regulated.
Encryption is the safety-measure here, it protects billions of people from identity theft, stalking, fraud and other crimes.
If you want to increase security and safety, you need to outlaw non-encrypted phones and any kind of law-enforcement access or other backdoor.
[ link to this | view in chronology ]
Third Party Doctrine and required Data Collecting
Quite the convenient gig and a point I'm surprised isn't raised more often on the problems with the third party doctrine.
"I'd like this data and like to get it without a warrant" So rather than outright saying it must be provided (although they're going for that as best they can) it's require the data to be collected, then assert 3rd party to get it without a warrant.
[ link to this | view in chronology ]
How quickly Blackberry is forgotten
[ link to this | view in chronology ]
And on the other side...
https://www.digicert.com/TimeTravel
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"We can't bend down far enough, so HOP HIGHER!"
[ link to this | view in chronology ]
Privacy, it's a thing
Notably missing to the best of my knowledge:
Lockmakers are not required to provide a master key to any government agency.
Companies that make and/or sell webcams are not required to include and provide the password for the device such that any government agency/agent can access the camera at their whim.
Companies that make and/or sell computers are not(yet) required to install and provide the password for a keylogger to any government agency in case they want to know what someone types.
Beyond the above there's also the fact that the examples he provides are intended to be to protect the public, whereas undermining encryption will cause vastly more harm than it could ever possibly prevent, meaning you've essentially got someone arguing directly against public safety and security, simply to make his own job easier.
[ link to this | view in chronology ]
So basically he's saying that until a theoretical vulnerability is realized and exploited, there's no problem and we shouldn't make any changes. By that logic, all bugs with security implications should not be patched when discovered, they should be left in place until the theoretical vulnerabilities are turned into actual exploits used by criminals and hostile foreign powers.
[ link to this | view in chronology ]
Re:
When my government wants warrantless access to the google searches I do for the location of the nearest Starbucks or instructions on how to install the hardware I just bought at the store, that government seems pretty damn hostile and foreign to me.
[ link to this | view in chronology ]
Re:
No house that hasn't been broken into previously should have locks on the doors, because clearly the fact that it hasn't been broken into means it won't be, ever.
No bank that hasn't been robbed in the past should have any locks or other security features, because if it hasn't happened before then it won't happen in the future.
No car that hasn't been in an accident should have seat-belts or any other safety features as obviously they're unnecessary costs.
[ link to this | view in chronology ]
Re: Re:
All letters addressed to houses occupied by residents who have not been crime victims must be opened by the USPS, contents scanned and retained, and then nailed to public noticeboards. An open postcard will be mailed to the addressee ordering them to report to the noticeboard to collect their credit card bills, healthcare bills, bank statements etc. Since they have never been the victim of a mail delivery or USPS employee there is obviously no risk. The postcards are to be thrown onto the addressee's front yard or street, under no circumstances should they be concealed in a mailbox (all of which will be confiscated so that no criminal evidence may be concealed therein).
[ link to this | view in chronology ]
Foregone conclusions, eh?
In case you wondered what the findings would be, he explains it all pretty clearly.
[ link to this | view in chronology ]
CALEA
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Response to: Anonymous Coward on Jul 18th, 2016 @ 11:54am
[ link to this | view in chronology ]
Vance's phone
[ link to this | view in chronology ]
Re: Vance's phone
[ link to this | view in chronology ]
About time
[ link to this | view in chronology ]
[ link to this | view in chronology ]