FBI Director Uses January 6 Insurrection To, Once Again, Ask For Encryption Backdoors

from the FBI-really-needs-to-write-some-new-material dept

FBI Director Chris Wray needs to shut the fuck up about encryption.

Let me explain sum up:

For years, consecutive FBI Directors have claimed encryption is preventing law enforcement from doing law enforcement. And for years, public records, efforts by researchers, and court documents have shown encryption isn't much of an impediment to investigations.

Most importantly -- in the FBI's case -- the agency overstated the amount of locked devices in its possession for years while agitating for encryption backdoors. It turns out the FBI's "locked device" spreadsheet performed some faulty math, greatly misstating the number of locked devices in its possession. While the FBI said it has over 8,000 impregnable electronics allegedly preventing law enforcement from investigating crimes, the correct amount is expected to be less than a quarter of that.

That discovery was made in May 2018. The FBI has yet to provide an accurate count of these devices.

So. Shut. The fuck. Up.

Wray is shameless and incapable of shutting the fuck up, even after the agency admitted to Congressional oversight it really didn't know how many locked devices it had or how often encryption actually prevented investigators from investigating.

And yet, here's Chris Wray, leveraging the January 6th insurrection to complain about encryption yet again.

There doesn't appear to be any lack of open source data capable of aiding the FBI in its investigation of this event. Hundreds have already been charged for their participation in the raid on the US Capitol building.

This event has forced US law enforcement to admit domestic terrorism is an actual threat -- a threat propelled mainly by white extremists and others aligned with the pathetic ideal that white makes right. This threat includes far too many law enforcement officers, who have also aligned themselves with the same ideals. That's why it's been ignored for so long and that's why it's a much bigger problem now than it should be.

But here's what Chris Wray has chosen to focus on with his allotted testimonial time before the Senate: encryption. Wray says it's a "lawful access" problem. And he begins with what can only be considered an overstatement of the threat, considering the FBI has done nothing but overstate the problem for years.

The problems caused by law enforcement agencies’ inability to access electronic evidence continue to grow. Increasingly, commercial device manufacturers have employed encryption in such a manner that only the device users can access the content of the devices. This is commonly referred to as “user-only-access” device encryption. Similarly, more and more communications service providers are designing their platforms and apps such that only the parties to the communication can access the content. This is generally known as “end-to-end” encryption. The proliferation of end-to-end and user-only-access encryption is a serious issue that increasingly limits law enforcement’s ability, even after obtaining a lawful warrant or court order, to access critical evidence and information needed to disrupt threats, protect the public, and bring perpetrators to justice.

Yes, encryption can prevent "easy" investigative efforts. But it doesn't prevent investigations. Lots of data and communications can be obtained from service providers and cloud services that store copies of their own. There are at least a couple of vendors providing law enforcement with forensic tools that appear capable of pulling vast amounts of data from "locked" devices. And while it may be accurate to say the "problem" continues to "grow" given the increased deployment of encryption, the FBI has yet to honestly depict the problem it's already facing, so there's no way of quantifying this "growth" to judge its impact on investigations.

And Wray continues to be dishonest about what he wants. He wants encryption backdoors. But when asked directly, he'll claim he doesn't want backdoors. Instead, he wants a mythical form of encryption that is capable of protecting users from malicious threats but not government entities armed with a warrant.

The FBI remains a strong advocate for the wide and consistent use of responsibly managed encryption, encryption that providers can decrypt and provide to law enforcement when served with a legal order.

This sure sounds like a backdoor, but Chris Wray is in permanent denial.

We are not asking for, and do not want, any “backdoor,” that is, for encryption to be weakened or compromised so that it can be defeated from the outside by law enforcement or anyone else.

It's the everyone else who is wrong.

Unfortunately, too much of the debate over lawful access has revolved around discussions of this “backdoor” straw man instead of what we really want and need.

LOL. Get fucked, Chris. The reason no serious security professional agrees this is possible is because it isn't. A hole for law enforcement is a hole for anyone. Once providers start storing encryption keys for law enforcement, those encryption keys are a target for malicious hackers. Criminals who find the keys will do the same thing Wray is asking companies to do, bypassing encryption to obtain communications and personal data.

The only person trotting out straw men is the FBI Director, who appears to believe any counterargument is made in bad faith. His straw men may be uncaptured terrorists or dead kids or whatever, but they're still straw men, especially considering the FBI still has yet to provide an accurate count of encrypted devices in its possession.

And those are his straw men. Wray cites both terrorist attacks and child sexual exploitation as reasons to eliminate actually secure encryption. This ignores the FBI's willingness to radicalize people solely for the purpose of arresting them on terrorist charges. And it ignores the fact the FBI has -- on more than one occasion -- seized and operated servers distributing child porn in order to catch other child porn distributors. Whether or not we agree with the FBI's actions in these cases, it illustrates breaking encryption isn't the only way to address these problems.

Wray also claims the rest of the law enforcement community is suffering from the proliferation of end-to-end encryption.

Our state and local law enforcement partners have been consistently advising the FBI that they, too, are experiencing similar end-to-end and user-only-access encryption challenges, which are now being felt across the full range of state and local crime. Many report that even relatively unsophisticated criminal groups, like street gangs, are frequently using user-only-access encrypted smartphones and end-to-end encrypted communications apps to shield their activities from detection or disruption.

But this really hasn't been observed by anyone else but Wray. (And we know Wray can't be trusted.) The FBI has made constant noise about encryption. Local agencies -- despite having far fewer resources -- haven't said much publicly about encryption or its challenges, outside of the outsized racket whipped up by Manhattan DA Cy Vance. And Vance is no more trustworthy or credible than Chris Wray.

Chris Wray will take any chance given to complain about encryption and a lack of "lawful access." But he doesn't have facts or history on his side.

Filed Under: backdoors, chris wray, encryption, fbi, going dark, january 6

Police Chief Demands Holes In Encryption Because Some Cops Decided To Participate In The DC Insurrection

from the sure,-make-this-all-about-us-when-it's-really-just-about-you dept

As more evidence comes to light showing a disturbing amount of law enforcement participation in the January 6th attack on the Capitol, police departments around the nation are finally being forced to face something they've ignored for far too long.

The law enforcement officers who participated in the insurrection attacked officers attempting to defend the building, or, at the very least, did nothing to discourage the lawless actions occurring all around them. The officers that went to DC and engaged in a riot aren't an anomaly. They've been part of law enforcement for as long as law enforcement has existed: bigots with a penchant for violence and a thirst for power.

These officers are finally beginning to be rooted out, but only because they did things no one can ignore. Hundreds of participants produced hundreds of recordings, turning their own celebration of their attempted election-thwarting into the evidence needed to identify them and charge them with federal crimes. Posts made to social media platforms provided more evidence, tying incriminating statements to location data to place off-duty cops on the scene.

Now that agencies are finally confronting their in-house white supremacist/militia problem, they're asking for everyone to be made less secure so they can handle the problem that's been hiding in plain sight for years.

Houston Police Chief Art Acevedo -- who presides over an agency with more than its share of bad cops -- was asked what officials like himself are doing to confront this problem. In response, Chief Acevedo asked for Congress to do him -- and other law enforcement agencies -- a favor:

Acevedo... said anonymous online platforms on the “dark web” are making such [internal] investigations impossible, even for departments with sufficient resources. He expects the move away from public platforms like Facebook and Twitter to grow rapidly in response to the FBI arrests of those who rioted at the Capitol.

This month, Acevedo was asked by the House Oversight and Reform Committee to explain what actions police chiefs are taking, and responded by asking for help. For years, law enforcement officials have asked for passage of a federal law that would require such platforms to have a “back door” that law enforcement can access if they have “a legitimate investigative need and a court order” to gain entry.

Then he blamed social media platforms for his own inability to police his police, calling them out as the real lawbreakers here:

“Congress’s failure to act has enabled industry giants to flaunt the law and operate with impunity,” Acevedo wrote in response.

First off, if the bad cops are shifting to "dark web" platforms in response to their own opsec failures during the January 6th riot, mandating backdoors that affect "industry giants" isn't going to make it any easier to track down cops who've moved on to "darker" web services.

Second, law enforcement agencies' continuous failure to hold officers accountable or to perform rigorous background checks should not be used as leverage to make services and devices less secure for millions of Americans. Citizens have already had to watch their tax dollars pay the salaries of brutal thugs whose loyalty to each other often supersedes their sworn duties as public servants. They don't need to be punished further just so it's a little easier for cops to perform the occasional internal investigation.

Finally, the encryption offered by device makers and communications platforms also protects cops -- not just from accountability, as Acevedo implies here -- but from malicious hackers and criminals who would love access to cops' devices, communications, and sensitive files. A backdoor for bad cops is a backdoor for good cops -- and a backdoor that strips a layer of security away from everyone who uses these devices and services.

The ugliness that permeates law enforcement needs to be rooted out. But the security of millions of Americans shouldn't be weakened just because those policing the police haven't done much of this policing for decades. They've had open access to evidence for years and rarely used it. Now that their sins are too big to ignore until the next news cycle hits shouldn't be the impetus for backdoor mandates.

Filed Under: art acevedo, backdoors, encryption, going dark, insurrection, washington dc

German Court Orders Encrypted Email Service Tutanota To Backdoor One Account

from the end-to-end-crypto-is-still-your-friend dept

A legal requirement to add backdoors to encrypted systems for "lawful access" has been discussed for many years. Last month, the EU became the latest to insist that tech companies should just nerd harder to reconcile the contradictory demands of access and security. That's still just a proposal, albeit a dangerous one, since it comes from the EU Council of Ministers, one of the region's more powerful bodies. However, a court in Germany has decided it doesn't need to wait for EU legislation, and has ordered the encrypted Web-email company Tutanota to insert a backdoor into its service (original in German). The order, from a court in Cologne, is surprising, because it contradicts an earlier decision by the court in Hanover, capital of the German state of Lower Saxony, and Tutanota's home town. The Hanover court based its ruling on a judgment by the Court of Justice of the European Union (CJEU), the EU's highest court. In 2019, the CJEU said that:

a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an 'electronic communications service'

Despite this, in the Tutanota case the Cologne court applied a German law for telecoms. Tutanota's co-founder Matthias Pfau explained to TechCrunch:

"The argumentation is as follows: Although we are no longer a provider of telecommunications services, we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection," he told TechCrunch.

"From our point of view -- and law German law experts agree with us -- this is absurd. Neither does the court state what telecommunications service we are involved in nor do they name the actual provider of the telecommunications service."

Given that ridiculous logic, it's no surprise that Tutanota will be appealing to Germany's Federal Court of Justice. But in the meantime the company must comply with the court order by developing a special surveillance capability. Importantly, it only concerns one account -- allegedly involved in an extortion attempt -- that seems to be no longer in use. Moreover, as the TechCrunch article explains, the monitoring function will apply to future emails that the account receives. And even then, it will only deliver any unencrypted emails that are present, because Tutanota is not able to decrypt users' emails that apply end-to-end encryption, which is entirely under the user's control, not Tutanota's.

That means the practical effect of this court order is extremely limited: to future unencrypted emails of just one quiescent account. But independently of its real-life usefulness, this order sets a terrible precedent of a court ordering an Internet company to insert what amounts to a backdoor in an account. That's why it is vital that Tutanota's appeal prevails -- for both the company, and for the EU Internet as a whole.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: backdoors, email, encrypted email, encryption, eu, germany, lawful access
Companies: tutanota

Japan-UK Trade Deal Shows How Controversial Digital Policies Can Be Slipped Through With Little Scrutiny Or Resistance

from the welcome-to-the-data-washing-hub dept

Techdirt has been writing about trade agreements for many years. The reason is simple: as digital technology permeates ever more aspects of modern life, so international trade deals reflect this by including sections that have an important impact on the online world. A new trade agreement between Japan and the UK (pdf) is a good example. It is essentially a copy of the earlier trade deal between the EU and Japan (pdf) -- because of Brexit, UK negotiators have not had the time or resources to draw up their own independent text, which typically requires years of drafting and negotiation. But significantly, the Japan-UK agreement adds several major sections purely about digital matters. All are terrible for the general public, as a briefing document from the UK-based Open Rights Group explains.

One issue concerns transfers of personal data between the UK and Japan. In the EU, this is governed by the well-known and relatively stringent GDPR. In fact, in order to achieve "adequacy" -- essentially, legal permission to receive EU personal data -- Japan has had to strengthen its data protection laws:

The EU required Japan to change its data protection regime, including supplementary rules on onwards transfers of EU data to other countries. The European Parliament has expressed further concerns and Japan is considering further changes.

However, the Japan-UK trade deal explicitly calls for personal data flows to be made easier, with a consequent watering-down of EU-level protections:

The UK deal includes measures which ban restrictions on the free flow of personal data, restrictions which could clash with the limits which European data protection laws place on international transfers. The EU could not adopt these measures in its treaty with Japan, and instead put in placeholder text committing both parties to review the situation in three years. The UK-Japan text heeds the wording of the USMCA [United States-Mexico-Canada Free Trade Agreement], with some extra clauses to exclude procurement and data kept on government orders.

The banning of restrictions on the free flow of personal data allows for public interest policies, following a standard formulation in trade agreements. This regime looks reasonable on paper, but in practice, it is very difficult to implement public interest policies which clash with trade liberalisation, as they are open to legal challenge, which rarely find in favour of restrictions.

Open Rights Group notes two important consequences of this decision not to follow the EU text here. First, it potentially allows personal data flowing to the UK from third countries to be passed to Japan and then on to other jurisdictions, for example the US, with almost no controls or restrictions. This would turn the UK into a "data washing hub" as the Open Rights Group puts it. In this respect, the UK-Japan deal contrasts with the EU-Japan deal, where:

The EU specifically excluded data flows from their trade agreement with Japan. Although Japan has an adequacy decision from the EU, it had to put specific arrangements in place for EU data to stay in Japan.

Given that risk, it is highly likely that the EU will refuse to grant adequacy to the UK, in order to prevent the personal data of EU citizens being sent via the UK to Japan or the US without adequate protections. The crucial role of personal data in modern business means a failure to gain adequacy will have a hugely negative impact on EU-UK trade. The other significant addition to the text in the digital sphere concerns "technical protection mechanisms" (TPMs) -- DRM and similar technologies -- and the criminalization of circumventing them. Open Rights Group points out:

Another concern for digital rights in the UK is the potential criminalisation of circumvention outside commercial endeavours, affecting ordinary people. Circumvention is not a niche activity. Millions of people used to make backup copies of DVDs and many today have to bypass technological protections in order to convert their protected ebooks to other formats. The provisions in the USMCA will require Mexico to beef up its anti- circumvention laws, including introducing criminal penalties for "commercial advantage or private gain".

Finally, there is an interesting section dealing with cryptography. The Japan-UK deal introduces provisions to shield cryptography from a range of government requirements, such as sharing or disclosing keys. However:

What is different here is that the UK also introduces a specific exception for law enforcement to demand access to encrypted communications and for financial regulation. This is not surprising given that the UK is at the forefront of government demands to access data from encrypted messaging systems such as WhatsApp or Telegram. There are no public interest policy exceptions in this area, however limited, only demands from courts, regulators or police.

Of course, the UK is not alone in wanting access to encrypted communications: a recent Techdirt article noted that the EU is also looking to require what is euphemistically termed "lawful access" -- that is, backdoors -- to end-to-end encrypted communications, as is the US and elsewhere. What is significant here is that the exception is being introduced in the context of trade, with no expert input or public debate about the details, as are the other measures discussed above. The danger is that this will become a common practice, where governments try to slip through contentious digital policies as short sections of obscure but far-reaching trade deals.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: backdoors, brexit, data protection, encryption, japan, privacy, trade deals, uk

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Nerd Harder To Backdoor Encryption

from the that's-now-how-any-of-this-works dept

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that's not how they put it. They say they just want "lawful access" to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new "Draft Council Resolution on Encryption" has come out as the EU Council of Ministers continues to drift dangerously towards this ridiculous position.

We've seen documents like this before. It starts out with a preamble insisting that they're not really trying to undermine encryption, even though they absolutely are.

The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline.

Uh huh. That's basically we fully support you having privacy in your own home, except when we need to spy on you at a moment's notice. It's not so comforting when put that way, but it's what they're saying. Then there's a lot of nonsense about how encryption is creating a "challenge" for public safety, even though there is no evidence at all to support this claim. The reality is that law enforcement has access to more data and more tools than ever before in history. That one small fragment of it might sometimes be encrypted, is not an issue. And it's certainly not an issue that requires the wholesale destruction of end-to-end encryption. But, of course, that's not where the EU is coming out on this.

Instead, it concludes with the inevitable "nerd harder" bullshit argument without ever explaining how this can be done (answer: because it cannot be done safely).

Moving forward, the European Union strives to establish an active discussion with the technology industry, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.

Since there is no single way of achieving the set goals, governments, industry, research and academia need to work together to strategically create this balance.

This is the same old garbage we've seen before. Technologically illiterate bureaucrats who have no clue at all, insisting that if they just "work together" with the tech industry, some magic golden key will be found. This is not how any of this works. Introducing a backdoor into encryption is introducing a massive, dangerous vulnerability that basically takes the secure walls of a house and rams a giant tank through the side. It's not adding a special key for law enforcement. It's breaking the very foundation of how end-to-end encryption works, and introducing a wide variety of shaky dangerous elements that they insist will never get exploited. But, with encryption, any vulnerability inevitably gets exploited.

Attacking end-to-end encryption in order to deal with the miniscule number of situations where law enforcement is stymied by encryption would, in actuality, put everyone at massive risk of having their data accessed by malicious parties. It's incredibly clueless and incredibly shortsighted.

And it's absolutely stunning that it's coming from the EU. After all, we keep hearing how the EU believes in "privacy" and "data protection" much more than the US. We hear stories about the lessons learned from World War II about how governments can abuse access to the private information on citizens. Indeed, the EU courts recently blew up the EU/US "Privacy Shield" agreement regarding transferring data from the EU to the US because of NSA surveillance efforts that cannot guarantee EU data remains protected.

And then they turn around and want to destroy encryption? Incredible.

At this point, this is nothing more than a draft policy paper from the Council. A lot more needs to happen before this becomes anything resembling a law in the EU. But just the fact that this continues to lurch forward, pushed by ridiculously ignorant bureaucrats is hugely problematic. People in the EU need to speak up loudly about what a mess this is.

Filed Under: backdoors, encryption, end-to-end encryption, eu, eu council, lawful access

Senator Wyden Wants To Know If The NSA Is Still Demanding Tech Companies Build Backdoors Into Their Products

from the build-them-or-we'll-just-build-our-own dept

It's been more than a half-decade since it made headlines, but the NSA's hardware manipulation programs never went away. These programs -- exposed by the Snowden leaks -- involved the NSA compromising network hardware, either through interception of physical shipments or by the injection of malicious code.

One major manufacturer -- Cisco -- was righteously angered when leaked documents showed some of its hardware being "interdicted" by NSA personnel. It went directly to Congress to complain. The complaint changed nothing. (Cisco, however, changed its shipping processes.) But even though the furor has died down, these programs continue pretty much unhindered by Congressional oversight or public outcry.

One legislator hasn't forgotten about the NSA's hardware-focused efforts. Senator Ron Wyden is still demanding the NSA answer questions about these programs and give him details about "backdoors" in private companies' computer equipment. The DOJ and FBI may be making a lot of noise about encryption backdoor mandates, but one federal agency is doing something about it. And it has been for years.

Not only has the NSA installed its own backdoors in intercepted devices, it has been working with tech companies to develop special access options in networking equipment. This allows the agency to more easily slurp up communications and internet traffic in bulk. Senator Wyden wants answers.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

“Secret encryption back doors are a threat to national security and the safety of our families – it’s only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security,” Wyden told Reuters. “The government shouldn’t have any role in planting secret back doors in encryption technology used by Americans.”

No one knows what's in the guidelines and whether they forbid the NSA from backdooring hardware or software sold to US buyers. All the NSA is willing to say is it's trying to patch things up with domestic tech vendors by, um, giving them more stuff to patch up.

The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.

This is a welcome change after years of exploit hoarding. But there's no reason to believe the NSA isn't holding useful flaws back until they've outlived their exploitability. As for the built-in backdoors, the NSA refuses to provide any details. It won't even answer to its oversight. And if it won't do that, it really needs to stop saying things about "robust oversight" every time more surveillance abuses by the agency are exposed.

There's more to this than potential domestic surveillance. Any flaw deliberately introduced in hardware and software can be exploited by anyone who discovers it, not just the agency that requested it. The threat isn't theoretical. It's already happened. In 2015, it was discovered that malicious hackers had exploited what appeared to be a built-in flaw to intercept and decrypt VPN traffic running through Juniper routers. This appeared to be a byproduct of the NSA's "Tailored Access Operations." While Juniper has never acknowledged building a backdoor for the NSA, the circumstantial evidence points in No Such Agency's direction.

[Juniper] acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC [Dual Elliptic Curve] as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

This is the danger of relying on deliberately introduced flaws to gather intelligence or obtain evidence. Broken is broken and broken tools are toys for malicious individuals, which includes state-sponsored hackers deployed by this nation's enemies. It's kind of shitty to claim you're in the national security business when you're out there asking companies to add more attack vectors to their products.

Filed Under: 4th amendment, backdoors, nsa, ron wyden, surveillance
Companies: cisco, juniper

Five Eyes Countries Band Together To Complain About Facebook And End-To-End Encryption

from the breaking-Messenger-will-leave-criminals-with-only-dozens-of-secure-options dept

The world's law enforcement agencies are back at it, advocating for the demise of end-to-end encryption. The last time they all got together like this, they were complaining to Facebook for thinking about adding encryption to its Messenger service.

Because Facebook does so well reporting child porn to the proper authorities, the proper authorities have gathered to decry its decision to encrypt this service, claiming it would result in a lot of unobserved child porn being passed between users. With Facebook unable to eavesdrop on messages, the images and videos can be shared unnoticed.

And, again, the international law enforcement community is asking for weaker encryption… and namechecking Facebook as the cause of and potential solution to all the world's child porn problems. The new "international statement" opens up with a united declaration that everyone loves encryption, before getting to the long list of "buts."

We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security. It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council. Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.

Of course, that last sentence is a lie. At best, it's completely disingenuous. Almost immediately following this assertion that the undersigned have no intention or pursuing counterproductive/dangerous approaches, the Five Eyes crew (along with India and Japan) lists the counterproductive/dangerous ways they'd like encryption to be broken.

Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content. We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:

• Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;

• Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and

• Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

I'm not sure what sort of "strong encryption" can handle all of these weak spots being introduced without turning into something easily misused, but these government reps are pretty sure people at these companies will come up with something. These governments have convinced themselves they're "stakeholders" in private conversations between citizens that are facilitated by services like Facebook's Messenger.

And that's what this is about. The statement cites Facebook's success in handling child porn while trying to use that against it.

In 2018, Facebook Messenger was responsible for nearly 12 million of the 18.4 million worldwide reports of CSAM [child sexual abuse material to the US National Center for Missing and Exploited Children (NCMEC)]. These reports risk disappearing if end-to-end encryption is implemented by default, since current tools used to detect CSAM [child sexual abuse material] do not work in end-to-end encrypted environments.”

If this is true, then there's nothing else that can be done. Weakened encryption that allows Facebook to intercept users' messages does nothing for the millions of Facebook users who've never trafficked in illegal content. The company can either give users security and privacy, or it can give these governments what they want. There's no middle ground that's going to accommodate both groups.

And this push against Facebook is working. These statements were converted into news articles claiming Facebook is "responsible" for 94% of all reported child porn. But that wording suggests Facebook is the problem, rather than its users. Facebook made 94% of the reports, showing once again it's been doing what it can to combat the problem.

Its decision to offer encryption to Messenger users isn't being made lightly. It's aware of the downside. But it's also aware of the threat posed to its users by a number of malicious entities, which include authoritarian governments and state-sponsored hackers. If it wants to protect its millions of innocent users, it has to offer the same shelter to criminals using the service. That's how it goes. The middle ground governments think the private sector should nerd towards simply doesn't exist.

Filed Under: australia, backdoors, canada, encryption, five eyes, india, japan, new zealand, security, uk, us
Companies: facebook

Bill Barr Applauds FOSTA Sponsor's Clone Of Senate's Encryption-Breaking 'Lawful Access' Bill

from the DO-NOT-CONGRATULATE dept

I guess those "rule of law" folks don't care if a law is any good or will do what it intends to do without causing significant collateral damage. All they care about is that it's a law and, as a law, everyone should just subject themselves to it with a minimum of complaining.

The Attorney General is one of those "rule of law" people. Sure, he works for an administration that doesn't seem to care much about laws, propriety, or basic competence, but he's the nation's top cop, so laws and rules it is.

Bill Barr wants holes in encryption. He wants them so badly he's making up new words. "Warrant-proof encryption" isn't any different than regular encryption. It only becomes "warrant-proof" when the DOJ and FBI are talking about it, as though it was some new algorithm that only scrambles communications and data when the presence of a warrant is detected.

Far too many people in Washington think encryption is only valuable to criminals. Bills are in the works to compel encryption-breaking/backdooring. Some even handcuff these demands to Section 230 immunity -- a 2-for-1 special on shoveled shit straight from the federal government to Americans' favorite platforms and services.

Given how much the AG loves broad, abusive laws, it's no surprise he's going on the record to congratulate the author of another terrible law on her newest terrible piece of legislation.

Today, Attorney General William P. Barr issued the following statement on the introduction of a bill in the U.S. House of Representatives that would give law enforcement access to encrypted data with court approval in order to protect user privacy. The legislation was introduced by Representative Ann Wagner.

“I applaud Representative Wagner for introducing this critical lawful access legislation. Although strong encryption is vital, we cannot allow the tech industry to use encryption that blinds law enforcement and prevents it from thwarting or investigating serious crimes and national security threats, including terrorist plots, cyberattacks, and sexual exploitation."

Yes, let's applaud Rep. Ann Wagner. (Let's not.) Wagner was the sponsor behind FOSTA, the anti-sex worker law (d/b/a anti-sex trafficking legislation) that has been instrumental in roughly zero prosecutions -- the same prosecutions bill sponsors like Wagner claimed would be impossible without this new law.

That wasn't Wagner's only bogus claim. She also claimed the passage of FOSTA resulted in the immediate disappearance of 90% of "sex trafficking ads." This claim was proven false by fact checkers. The vast majority of the ads that vanished did so when Backpage shut down its adult ads prior to FOSTA's passage and prior to the DOJ's prosecution of the site's owners.

So, when Barr applauds Wagner, he's applauding someone who'll say almost anything to justify harmful legislation. This is the kind of person Barr admires because Bill Barr does the same thing, even though he's not writing new bills personally.

Here's some more of the "anything" Barr will say to applaud bad bill-making. Wagner's new thing is a clone of the Senate's "Lawful Access to Encrypted Data" bill. As you can guess by reading the bill's clunky title, it's another attempt to sacrifice encryption on the altar of law enforcement convenience, ensuring cops don't have to work too hard to collect evidence.

As we all are painfully aware, law enforcement agencies -- despite being around for more than 150 years -- have yet to solve a single crime. So it's imperative we give them access to gigabytes of communications and data so they can finally get around to putting a few criminals behind bars. That being said, here's what's being said by Barr in support of this bill. I have no idea what most of this has to do with anything, but it's full of things that sound bad.

The danger is particularly great for children, especially during this time of coronavirus restrictions when children are spending more time online. Survivors of child sexual abuse and their families have pleaded with technology companies to do more to prevent predators from exploiting their platforms to harm children. Unfortunately, these companies have not done enough, which is why this legislation is needed.

Well then. And I thought this administration was going to save kids from child predators by sending them to COVID-infested schools ASAP. But somehow this is the tech companies' fault, since they offer security to all users, even though a small percentage of users engage in criminal acts.

Barr finishes up his applause for Wagner and her LAED knockoff with what can only be a deliberate misreading of the issues at stake.

Privacy and public safety are not mutually exclusive. I am confident that the tech industry can design strong encryption that allows for lawful access by law enforcement. Encryption should keep us safe, not provide a safe haven for predators and terrorists.

The issue isn't privacy. The Constitution may help ensure privacy by limiting the government's intrusion into our lives and homes, but what's really at stake here is security. And security -- of devices and files and communications -- is directly related to public safety. You can't claim to be a champion of public safety when you're willing to make it easier for malicious hackers to gain access to email accounts, personal messages, smartphones, hard drives, computers, social media accounts, and everything else encryption shields from outsiders.

An encryption hole handcrafted for cops is a hole anyone else can use once it's discovered. A backdoor built into hardware or software isn't only going to be exploited by law enforcement. If the assistance is compelled, companies won't be able to patch security issues -- not if the flaw exists to serve the government. Tech companies in Australia -- where compelled technical assistance is already law -- are seeing their customer bases shrink as people look for options that aren't deliberately broken. The same thing will happen here in the US if bills like this become law.

Bill Barr is willing to sacrifice your security. And he won't be giving you anything in return. We won't be safer. We'll be more vulnerable than we've ever been. And Rep. Wagner wants to help him screw you over, just like she did to countless Americans with FOSTA.

Filed Under: ann wagner, backdoors, doj, encryption, fbi, fosta, laed, section 230, william barr

Australian Tech Giant Says Country's Anti-Encryption Laws Are Harming Local Tech Companies

from the no-one-trusts-a-[compelled]-rat dept

The Australian government rang in 2019 by saddling the nation's tech companies with compelled decryption mandates. The new law gave the government the power to demand technical assistance to access any data or communications sought by law enforcement or security agencies. Sure, "case-by-case" solutions might work for awhile, but sooner or later, built-in backdoors would expedite things for both the government and their compellees.

The backdoors may not be in place yet, but it appears no one really trusts Australian tech companies now, thanks to the Australian government. An inquiry into the country's anti-encryption laws is underway and local tech giant Atlassian has expressed its displeasure with the new status quo.

Atlassian’s policy and government affairs head, Patrick Zhang, said the encryption laws had harmed Australia’s reputation in the sector.

Zhang said they had led to a reluctance among tech companies abroad to engage in Australia or with Australian companies, for fear that weaknesses would be built into their products.

Companies also fear that they could be compelled by the Australian government to do things that would constitute illegality in other countries where they operate, Zhang said.

The laws have also led to a reluctance among industry talent to work here.

You can't put a price tag on catching criminals, but presumably the new law will pay for itself (and the damage to local industry) once enough children are saved or terrorists are caught. This isn't to make light of either child exploitation or terrorism. Both should be taken seriously by law enforcement and security agencies. The problem in Australia is that legislators didn't bother to consider how much damage compelled assistance would do to lots of innocent people.

It isn't just the tech companies whose futures look a lot more murky. It's also their employees and any number of people who rely on them for income. It's anyone who uses their services and whose communications and data might be accessed inadvertently by government agencies or deliberately by malicious entities taking advantage of newly created security flaws.

In the end, Atlassian's comments are unlikely to matter. The government has already decided what the proper security/liberty exchange rate is and it appears local tech companies are just expected to serve and suffer. The outgoing independent national security law monitor claims the law is "necessary." So do the agencies that directly benefit from compelled assistance. And they've brought an unbelievable statistic with them to justify the collateral damage.

Australia’s domestic intelligence agency Asio and the Australian federal police support the law and say about 90% of priority cases involve encryption, which allows criminal suspects to communicate in a hidden manner.

Wow. 90%. This number appears to say that almost every case in which encryption is encountered is granted "priority" status. Encryption may be common but it's not that common. And even if it is, there are still a number of options available to agencies that don't include forcing companies to weaken or destroy features that secure the devices and communications of millions of innocent people.

Filed Under: australia, backdoors, competitiveness, encryption
Companies: atlassian

EU Plans To Use Supercomputers To Break Encryption, But Also Wants Platforms To 'Create Opportunities' To Snoop On End-To-End Communications

from the there-are-better-ways dept

They say that only two things are certain in life: death and taxes. But here on Techdirt, we have a third certainty: that governments around the world will always seek ways of gaining access to encrypted communications, because they claim that things are "going dark" for them. In the US and elsewhere, the most requested way of doing that is by inserting backdoors into encryption systems. As everyone except certain government officials know, that's a really bad idea. So it's interesting to read a detailed and fascinating report by Matthias Monroy on how the EU has been approaching this problem without asking for backdoors -- so far. The European Commission has been just as vocal as the authorities in other parts of the world in calling for law enforcement to have access to encrypted communications for the purpose of combating crime. But EU countries such as Germany, Finland and Croatia have said they are against prohibiting, limiting or weakening encrypted connections. Because of the way the EU works, that means the region as a whole needs to adopt other methods of gaining access. Monroy explains that the EU is pinning its hopes on its regional police organization:

At EU level, Europol is responsible for reading encrypted communications and storage media. The police agency has set up a "decryption platform" for that. According to Europol's annual report for 2018, a "decryption expert" works there, from whom the competent authorities of the Member States can obtain assistance. The unit is based at the European Centre for Cybercrime (EC3) at Europol in The Hague and received five million euros two years ago for the procurement of appropriate tools.

The Europol group uses the open source password recovery software Hashcat in order to guess passwords used for content and storage media. According to Monroy, the "decryption platform" has managed to obtain passwords for 32 cases out of 91 where it the authorities needed access to an encrypted device or file. A 39% success rate is not too shabby, depending on how strong the passwords were. But the EU wants to do better, and has decided one way to do that is to throw even more number-crunching power at the problem: in the future, supercomputers will be used. Europol is organizing training courses to help investigators gain access to encrypted materials using Hashcat. Another "decryption expert group" has been given the job of coming up with new technical and legal options. Unfortunately, the approaches under consideration are little more than plans to bully Internet companies into doing the dirty work:

Internet service providers such as Google, Facebook and Microsoft are to create opportunities to read end-to-end encrypted communications. If criminal content is found, it should be reported to the relevant law enforcement authorities. To this end, the Commission has initiated an "expert process" with the companies in the framework of the EU Internet Forum, which is to make proposals in a study.

This process could later result in a regulation or directive that would force companies to cooperate.

There's no way to "create opportunities" to read end-to-end encrypted communications without weakening the latter. If threats from the EU and elsewhere force major Internet services to take this step, people will just start using open source solutions that are not controlled by any company. As Techdirt has noted, there are far better ways to gain access to encrypted communications -- ones that don't involve undermining them.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: backdoors, encryption, eu, hacking