Ed Snowden: Governments Can't Make The Public 'Safer' By Undermining The Encryption Essential To The Public's Security

from the DOES-NOT-COMPUTE dept

With the DOJ uniting with the UK and Australian governments to decry the use of end-to-end encryption by messaging services, it's again time to remind people why encryption matters. The way these government entities see it, encryption mainly helps criminals. Apparently, it's simply not necessary for law-abiding citizens to have secure communications.

This is wrong on many levels, starting with the insistence there's a safe way to circumvent encryption. There isn't. But multiple government agencies claim tech companies are overstating the reality, when all they're actually doing is stating the obvious.

Someone who knows a thing or two about the importance of encrypted communications has written an op-ed for The Guardian. Ed Snowden's article points out why citizens should be alarmed governments are trying to make their personal communications less secure for the children or the greater good or whatever.

For more than half a decade, the vulnerability of our computers and computer networks has been ranked the number one risk in the US Intelligence Community’s Worldwide Threat Assessment – that’s higher than terrorism, higher than war. Your bank balance, the local hospital’s equipment, and the 2020 US presidential election, among many, many other things, all depend on computer safety.

And yet, in the midst of the greatest computer security crisis in history, the US government, along with the governments of the UK and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world’s information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe.

Encryption for communications encompasses far more than the idle chatter of social media users. Facebook is the target of the combined force of the US, UK, and Australian governments -- thanks to its plans to add end-to-end encryption to its Messenger service -- but other platforms and services providing encrypted communications will be next on the block if Facebook is deterred from offering this protection. Or worse, talked into creating a backdoor so either it -- or government agencies -- can spy on users' communications.

As Snowden points out, actual infrastructure is at stake. Encrypted communications are vital to the security of plenty of things even governments would like to see remain secure. And yet, they're willing to paint encryption as an accomplice to criminal acts, rather than the vital necessity it actually is.

If Facebook is willing to limit the amount of data it can harvest from its users by locking up Messenger so tight even it can't see the messages, providing encryption must not only be of value to users, but to Facebook itself. This cuts against the DOJ's ridiculous arguments that no one is demanding secure communications -- a statement that insinuates private companies are sticking it to the man just to stick it to the man.

These governments are claiming the introduction of encryption will make it impossible to investigate criminal acts. The one most frequently cited is the production and distribution of child porn. Recent cases make it clear encryption isn't preventing law enforcement agencies from tracking down criminals or shutting down their dark web services. The DOJ and others still have a wealth of investigative tools at their disposal. Private conversations that remain private doesn't change all that much. The history of criminal activity includes millions of conversations law enforcement agencies had no access to, and yet, they still managed to arrest and prosecute criminals.

This isn't about making anyone safer or preventing encrypted services from becoming ad hoc child porn servers. This is about what works easiest and best for governments.

The true explanation for why the US, UK and Australian governments want to do away with end-to-end encryption is less about public safety than it is about power: E2EE gives control to individuals and the devices they use to send, receive and encrypt communications, not to the companies and carriers that route them. This, then, would require government surveillance to become more targeted and methodical, rather than indiscriminate and universal.

The "public safety" argument doesn't make sense. The public doesn't achieve a net "safety" gain when its private communications are compromised. But it makes sense to these governments, which have often considered the rights they promised to respect as inconveniences to be routed around or removed completely.

Filed Under: chris wray, doj, ed snowden, encryption, fbi, going dark, william barr

The DOJ Is Conflating The Content Moderation Debate With The Encryption Debate: Don't Let Them

from the it's-not-the-same dept

As we've detailed a lot over the last week, the DOJ has decided that after years of failing to get backdoors mandated by warning about the "terrorism" bogeyman, it's decided to pick up the FOSTA playbook, and instead start focusing on child porn -- or what "serious people" now refer to as Child Sexual Abuse Material (CSAM). It did this last week with an assist from the NY Times, who published an article with (legitimately) scary stories, but somehow blaming the internet companies... because they actually report it when they find such content on their networks. I've seen more than a few people, even those who generally have been strong voices on the encryption debate and against backdoors, waver a bit on this particular subject, and note that maybe there shouldn't be encryption on social media networks, because it might (as the narrative says) help awful people hide their child porn.

Except... that's confusing a few different things. Mainly, it's mixing up the content moderation debate with the "lawful access" or "backdoors" debate. Yes, encryption makes it harder for the police to get in and see certain things, but that's by design. We live in a country with the 4th Amendment, in which we believe that it should be difficult for law enforcement to snoop deeply into our lives -- and that's always meant that some people will do and plot bad stuff out of the sight and hearing of law enforcement. Yet, if you were to look at law enforcement over the past 100 years, you can bet that they have many times more access to information about people today than they have in the past. The claim of "going dark" is laughable when you compare the information that law enforcement can get today even to what it could get 15 or 30 years ago.

But, importantly, bringing CSAM into the debate muddies the water by pretending -- incorrectly -- that in an end-to-end encrypted world you can't do any content moderation, and there's simply no way for platforms to block or report certain kinds of content. Yet, as Princeton professor Jonathan Mayer highlights in a new paper, content moderation is not impossible in an encrypted system. It may be different than it is today, but it's still very much possible:

Much of the public discussion about content moderation and end-to-end encryption over the past week has appeared to reflect two common technical assumptions:

1. Content moderation is fundamentally incompatible with end-to-end encrypted messaging.
   
2. Enabling content moderation for end-to-end encrypted messaging fundamentally poses the same challenges as enabling law enforcement access to message content.

In a new discussion paper, I provide a technical clarification for each of these points.

1. Forms of content moderation may be compatible with end-to-end encrypted messaging, without compromising important security principles or undermining policy values.
   
2. Enabling content moderation for end-to-end encrypted messaging is a different problem from enabling law enforcement access to message content. The problems involve different technical properties, different spaces of possible designs, and different information security and public policy implications.

You can read the whole thing, but as the paper notes, user reporting of such content still works in an end-to-end encrypted world, as does hash matching if done at the client end. There's a lot more in there as well, but what you realize in reading the paper is that while law enforcement has now latched onto the CSAM issue as its hook to break encryption (in part, I've been told by someone working with the DOJ, because they found it "polled well"), it's an entirely different problem. This is yet another "but think of the children" argument, which ignores the technical and societal realities.

Filed Under: chris wray, content moderation, doj, encryption, going dark, jonathan mayer, william barr
Companies: facebook

FBI Director Deploys Straw Men While Calling For The End Of Straw Men Arguments In The Encryption War

from the let-he-who-is-without-straw... dept

The DOJ's anti-encryption summit went off without a hitch. And why wouldn't it? No one who had anything good to say about encryption was invited. The only speaker without a history of criticizing encryption was John Walsh of "America's Most Wanted," who detailed the kidnapping of his son -- an event that took place long before encryption was viewed as an impediment to law enforcement.

Using a bit of the FOSTA playbook, but skewing it younger to facilitate appeals to emotion, the "summit" attempted to discuss the "creation" of "lawless spaces" resulting from end-to-end encryption. Facebook was front and center as the recent recipient of a letter from Attorney General William Barr, asking it to ditch its plans to encrypt Messenger communications.

Barr (who's already made his feelings about encryption clear) was joined by Deputy AG Jeffrey Rosen, FBI Director Chris Wray, UK Home Secretary Priti Patel, and Australia's Minister of Home Affairs Peter Dutton. No one representing the tech industry was included. Nor were any encryption experts. This was a preach-to-the-converted type of event and the speakers all made the most of it.

FBI Director Chris Wray offered his unsurprising take on encrypted communications: he's against it. Not that his opinion should be considered in any way an "expert" opinion. He runs an agency that can't even correctly count the number of encrypted devices it has in its possession. And it's the same agency where officials did everything they could to avoid unlocking a seized phone in a mass shooting case in hopes of securing favorable court precedent. Wray frequently presents the hardest skew on the issue (at least at the federal level), and his comments at the summit were no exception.

[I]f we don’t confront these real-life horrors happening to real people, if we don’t take action and do something soon to address the lawful access problem, it will be too late and we’ll lose the ability to find those kids who need to be rescued. We’re going to lose the ability to find the bad guys who need to be arrested and stopped. And we’re going to lose the ability to keep the most vulnerable people we serve safe from harm. We just cannot let that happen.

Technology has made life much easier for the good guy—there’s no doubt. But it’s also made life much easier for a wide range of bad guys—including international and domestic terrorists, hackers, opioid traffickers, and child predators. Like other criminals, child predators routinely rely on encrypted phones and laptops to store explicit photographs and exchange illegal media, contact victims, and coordinate with co-conspirators over encrypted messaging platforms.

These devices and platforms have become spaces where vital rules—against soliciting child abuse, against trading in and feeding that abuse, against threatening abuse victims struggling to make a normal life—can no longer effectively be applied.

The key word here is "effectively." Wray wants immediate access in exchange for a warrant. While end-to-end encryption may make it harder to obtain the content of communications from service providers, it does not make it impossible. There are vendors offering tools that can bypass phone encryption to access communication contents. Suspects have been known to volunteer passwords. More than one court has found that the application of biometric features to unlock devices does not violate the Fifth Amendment. Any number of third parties hold data that can give investigators clues about message content and link suspects with conspirators.

Going directly through Facebook -- and Facebook is the unspoken target of this "summit", thanks to its announcement of end-to-end encryption for Messenger -- is just not going to be a very useful option. Wray believes encryption shouldn't be able to defeat a warrant. But that short-sighted view ignores the fact that not every warrant results in the securing of evidence… or enough evidence to secure a guilty verdict.

The issue here is Facebook's plans for Messenger. According to stats mentioned in Barr's letter (and comments delivered by others), 70% of Facebook's 16 million child exploitation tips came from this service. Once the encryption is applied, even Facebook won't be able to see the contents of these communications. That's what the FBI, DOJ, and overseas government officials are hoping to prevent.

It's a legitimate concern, but it's being discussed with a lot of illegitimate arguments. Wray tries to pretend it's everyone else being disingenuous while he boldly speaks truth to tech power. But even this assertion is contradicted by Wray's statements.

I’m well aware that encryption is a provocative subject for some. Although I will tell you, I get more than a little frustrated when people suggest that we’re trying to weaken encryption—or weaken cybersecurity more broadly. We’re doing no such thing. And dispensing with straw men would be a big step forward in this discussion. Cybersecurity is a central part of the FBI’s mission. It’s one part of the broader safety net we try to provide the American people: not only safe data, safe personal information, but also safe communities, safe schools.

We also have no interest in any “back door,” another straw man. We—the FBI, our state and local partners—we go through the front door. With a warrant, from a neutral judge, only after we’ve met the requirements of the Fourth Amendment. We’ve got to look at the concerns here more broadly, taking into account the American public’s interest in the security and safety of our society, and our way of life. That’s important because this is an issue that’s getting worse and worse all the time.

Actually, no. It's still really safe and secure in the United States. Our "way of life" is under no greater threat in an era of increased encryption use than it was before this became the FBI's pet issue. In fact, we're safer today in terms of crime rates and terrorist activity than we've been in more than two decades.

Wray has built his anti-encryption side hustle on a pile of straw men. It's pretty rich to see him arguing no one else should have the privilege to argue their points as disingenuously as he has.

People want safety. People want security. These are inextricably intertwined, but Wray thinks it's possible to separate one from the other without a net loss in safety. And he can't even be honest about how he plans to do it. No one on this panel is willing to call the back doors they want "back doors." No, it's always something else. If the front door is the user's access to their communications, anyone coming in through another entrance is likely going to be viewed as using the back door. If the FBI prefers, we could just call it "using the bedroom window." It doesn't really matter what it's called when it's still access to encrypted communications that's achieved by going through anyone else but the end user.

Wray says everyone else -- everyone who doesn't immediately agree the security trade-off the FBI is pitching is worth it -- is wrong. We're allying ourselves with the most heinous criminals and actively thwarting law enforcement. We're all Wray's straw men now.

So to those out there who are resisting the need for lawful access, I would ask: What’s your solution? How do you propose to ensure that the hardworking men and women of law enforcement, sworn to protect you and your families, actually maintain lawful access to the information they need to do their jobs? What will you say to victims who are denied justice—or left unrescued—in the name of some incremental amount of additional data security?

Why limit your appeal to emotion when you can also appeal to authority? That's the rhetoric Wray is delivering to people who think he's right and will never push back against his oversimplifications, even as he decries the oversimplifications of others. What a train wreck.

It's not an "incremental amount." It's either secure or it isn't. It's not an incremental issue. I would say to the imagined crowd of "hardworking law enforcement" officers that demanding people relinquish their security just to make it easier for the government to access private communications is a bullshit deal. I'm sure Wray knows this. He just seems not to care.

Filed Under: chris wray, doj, encryption, fbi, going dark

DOJ Using The FOSTA Playbook To Attack Encryption

from the watch-out dept

For years now, the various DOJ folks pushing to break encryption have whined and complained that the tech industry won't even consider having an adult conversation about encryption. This, of course, has never been true. Indeed, in just the past few weeks we've highlighted two separate examples of attempts to bring together law enforcement folks and technology/cryptography experts to see if there are legitimate ways to move the conversation forward. That first one came up with an interesting and useful framework for judging any conversation about "lawful access" to encrypted communications, while the second demonstrated just how much various tech companies have been doing over the years -- in particular in helping law enforcement deal with the issue of child abuse.

And what do they get for all that? First, a horrific article in the NY Times that accurately highlights the awfulness of child sexual abuse online... but oddly frames the efforts that various tech companies have put into helping law enforcement as... evidence of not caring about the problem. And, of course, suggests that encryption is part of the problem:

After years of uneven monitoring of the material, several major tech companies, including Facebook and Google, stepped up surveillance of their platforms. In interviews, executives with some companies pointed to the voluntary monitoring and the spike in reports as indications of their commitment to addressing the problem.

But police records and emails, as well as interviews with nearly three dozen local, state and federal law enforcement officials, show that some tech companies still fall short. It can take weeks or months for them to respond to questions from the authorities, if they respond at all. Sometimes they respond only to say they have no records, even for reports they initiated.

And when tech companies cooperate fully, encryption and anonymization can create digital hiding places for perpetrators. Facebook announced in March plans to encrypt Messenger, which last year was responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, according to people familiar with the reports. Reports to the authorities typically contain more than one image, and last year encompassed the record 45 million photos and videos, according to the National Center for Missing and Exploited Children.

This is following the FOSTA/SESTA game plan. Highlight legitimately horrific examples of horrible things that people have done (in FOSTA's case, sex trafficking; here child porn). Then, follow it up by blaming the internet platforms and technology even if those platforms have actively helped law enforcement over and over again. Encryption is repeatedly suggested as truly evil.

Increasingly, criminals are using advanced technologies like encryption to stay ahead of the police.

"Advanced technologies"? And then:

Offenders can cover their tracks by connecting to virtual private networks, which mask their locations; deploying encryption techniques, which can hide their messages and make their hard drives impenetrable; and posting on the dark web, which is inaccessible to conventional browsers.

And again:

Tips included tutorials on how to encrypt and share material without being detected by the authorities.

Yes, encryption can be used to hide bad stuff. No doubt about it. However, it also protects the privacy and security of everyone else as well. There are real tradeoffs here to be discussed -- and we shouldn't forget that one element in that discussion is that law enforcement does have other tools to track down and find those involved in child porn. That encryption blocks some evidence does not mean there are not other ways for them to collect evidence -- as we've seen in many other cases.

But, given that Attorney General William Barr has been on an anti-encryption kick lately, as has FBI Director Chris Wray, it shouldn't be a huge surprise that they've teamed up for a DOJ "symposium" more or less building on the NY Times article (for which the DOJ appears to have been a major source), in which there appears to be an an entirely one-sided lineup of speakers to discuss the scary sounding:

Lawless Spaces: Warrant-Proof Encryption and Its Impact On Child Exploitation Cases

Barr is speaking, as is Wray. So is Deputy Attorney General Jeffrey Rosen, who also spent the summer trashing encryption. There are also two foreign speakers. There's Peter Dutton, the Home Affairs Minister from Australia, who lead that country's efforts to backdoor encryption with a bunch of ridiculously misleading claims about how companies that offer encryption should be blamed for anyone using it for illegal activity. Then there's the UK's Home Secretary, Priti Patel, who we had just mentioned earlier this week for her statements that encryption "empowers criminals."

There does not appear to be a single cryptographer on the program. There does not appear to be a single technologist on the program. There does not appear to be anyone who can provide even the slightest counterweight to the idea that encryption is just a tool for criminals. Contrast this to the sessions we talked about at the opening of this piece. The Carnegie Endowment and Stanford each actually invited people from a variety of different viewpoints and made sure to have actual experts involved. The DOJ is not doing that. This is pure theater as part of a public relations campaign to undermine the encryption that keeps us all safe.

Yes, you can point out very real and horrifying examples of people abusing just about any technology. But in a sane world, you then start looking at the actual size of the problem, the actual risks, the alternative approaches, and the costs and benefits associated with all of them. Not a single person on the DOJ's list of speakers seems equipped to do that. Given that we've quoted each and every one of them right here on Techdirt staking out an extreme anti-encryption standpoint over and over again, suggests that, unlike the tech industry, which has held and participated in various discussions, the DOJ just wants to set up scare mongering stories in the press before pushing for legislation that will destroy encryption and put us all at risk. For our safety.

As you'll recall, AG Barr himself had ominously warned that if the tech industry didn't "engage" then eventually there would be some sort of "incident" to "galvanize public opinion" against encryption:

Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

Well, the industry was willing to engage and explain the costs of undermining encryption. But rather than understand that, it now looks like Barr is working overtime to manufacture that "major incident" to galvanize public opinion against their own security. It's a shame the NY Times decided to help.

Filed Under: child porn, chris wray, doj, encryption, fosta, going dark, moral panic, peter dutton, priti patel, william barr
Companies: facebook, google, ny times

The FBI Can't Get Into The Dayton Shooter's Phone. So What?

from the time-to-exploit-some-deaths dept

A high-profile act of violence has brought FBI complaints about device encryption to the surface again. This has been a long-running theme with the agency, one amplified recently by domestic surveillance advocate/Attorney General William Barr. Barr claimed encryption was creating a more dangerous world for everyone. Barr's claims echoed those of successive FBI directors. Both Barr and Wray continue to talk about device encryption despite having (so far) refused to update the number of encrypted devices the FBI can't access.

As Barr warned in his rant against encryption, all it would take is one major attack to sway public opinion to the government's side.

I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

Well, the FBI is talking about encryption again with lawmakers. But with all due respect, Mr. Barr, this ain't it, chief.

Top FBI officials informed congressional lawmakers this week that they have been unable to access the smartphone of the suspected gunman in the Dayton, Ohio, mass shooting, two sources told The Hill.

In a briefing about the weekend shootings in Dayton and El Paso, Texas, FBI Deputy Director David Bowdich told House Democrats that the agency is in possession of what’s believed to be Connor Betts’s primary phone but can’t open it because it requires a passcode, according to the two sources who took part in Wednesday's briefing.

Two mass shootings in 24 hours could have provoked the public response Barr is looking for. But it didn't. These shootings had nothing to do with encrypted devices, even if the FBI felt it needed to inform lawmakers it couldn't get into a dead suspect's phone.

The question is why the FBI needs to do this. Like its previous skirmish with device makers over the encrypted contents of the San Bernardino shooter's iPhone, this complaint features a dead suspect and the highly-dubious implication that there's something of value contained in the locked device. There's no investigation being impeded by inaccessible data. The shooter is dead and the shooting is over.

The FBI -- and William Barr -- likely truly believe encryption backdoors will make investigations easier and prevent criminal acts. But there's nothing in the recent past that suggests their beliefs are well-founded. These are the speculations being used to undermine the security of millions of peoples' devices. The only thing the government has to offer is the fact that sometimes phones produce usable evidence. But criminal acts were prevented and/or prosecuted for years before a large majority of the public decided to start carrying tracking devices loaded with tons of personal info with them wherever they went.

Then there's the dishonesty: intellectual and otherwise. Most of what's offered as arguments for backdoors is intellectually dishonest. The FBI's failure to inform the American public about the true number of locked devices in its possession is the regular kind of dishonest. So is the assertion made by the FBI that it could be "months or years" before it can access the phone's contents. Multiple companies offer devices that can (supposedly) bypass any device's encryption, including the latest iPhones. The FBI and DOJ simply pretend these options don't exist when talking to Congress, law enforcement agencies, and the general public.

Every tragedy is an opportunity. The FBI isn't going to let these pass without attempting to capitalize on them. Unfortunately, it seems our country is capable of generating an endless amount of tragic opportunities. And it only takes one to give the government everything it wants.

Filed Under: chris wray, dayton, encryption, fbi, going dark, william barr

FBI Director Chris Wray Needs To Shut The Fuck Up About Encryption

from the SHOW-YOUR-WORK dept

FBI Director Chris Wray is still hoping to sell Americans on trading away their security for a little bit of law enforcement convenience. Wray believes the only way the FBI and other agencies will ever keep up with criminals is to do away with encryption. The "going dark" campaign may have started with Jim Comey, but Wray has proven to be every bit as obtusely tenacious as his predecessor.

Wray's latest anti-encryption pep talk occurred at the RSA Conference. CNET reports the FBI director delivered another misguided, but impassioned, speech in defense of making everything worse for everyone but the FBI.

Encryption should have limits. That's the message FBI Director Christopher Wray had for cybersecurity experts Tuesday. The technology that scrambles up information so only intended recipients can read it is useful, he said, but it shouldn't provide a playground for criminals where law enforcement can't reach them.

"It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said during a live interview at the RSA Conference, a major cybersecurity gathering in San Francisco.

Wray can't honestly define where encryption should stop and law enforcement access begin. All he can do is claim the status quo isn't working because sometimes the FBI can't get into a seized device. But how many times is encryption actually bringing an investigation to a halt? That's something Wray won't talk about, even though he has access to this information.

What CNET charitably calls a "back and forth" conversation between Chris Wray and tech companies is actually nothing more than Wray complaining about encryption and ignoring everything he hears back from the companies that would be affected.

Wray needs to take his anti-encryption ball and go home. Not because I disagree with him, but because the FBI has handled this "conversation" disingenuously since day one. The "going dark" narrative hasn't been backed by evidence or facts. The FBI misrepresented the number of uncrackable devices it had in its possession for more than three years. Once legislators started demanding proof, the FBI discovered it had no idea how many devices it had on hand.

No further details have been delivered by the FBI, but it's safe to assume the original estimate of 8-9,000 devices is actually less than a quarter of that. But we don't know what the actual count is because the FBI has yet to issue an updated number.

The FBI said it would recount the devices and get back to us. As of March 6th, it has been 281 days since the FBI started replacing statements of 8,000+ locked devices with asterisks and footnotes. This is why Wray needs to shut his mouth. Until his agency delivers the real number of locked devices, we don't need to entertain his anti-encryption dreams. If he and his agency are unwilling to have a real conversation about device encryption -- one containing actual facts about locked devices and their impact on investigations -- no one should grant him or his comments any credibility.

Filed Under: chris wray, doj, encryption, facts, fbi, going dark

FBI Boss Chris Wray: We Put A Man On The Moon So Why Not Encryption Backdoors?

from the yeah-ok-then dept

Despite the FBI finally admitting it had greatly exaggerated the number of encrypted devices it can't get into, FBI Director Chris Wray keeps pushing the "going dark" theory to whoever will listen. This time it was NBC's Lester Holt. In an interview during the Aspen Security Forum, Wray again hinted he was moving towards an anti-encryption legislative mandate if some sort of (impossible) "compromise" couldn't be reached with tech companies. (Transcription via Eric Geller.)

I think there should be [room for compromise]. I don't want to characterize private conversations we're having with people in the industry. We're not there yet for sure. And if we can't get there, there may be other remedies, like legislation, that would have to come to bear.

The "compromise" Wray wants is simple: if law enforcement has a warrant, it gets access. The solution isn't. To weaken or backdoor encryption to serve law enforcement's needs makes everyone -- not just criminal suspects -- less safe. If a hole can be used by good guys, it can be used by bad guys. And even the best guys can't prevent their tech tools from making their way into the public domain. Just ask the NSA and CIA. In the case of the NSA, leaked exploits resulted in worldwide ransomware attacks.

Wray pitches an impossibility by portraying it as a lack of effort by the tech industry. The tech industry -- the one with all the "brightest minds" -- have been consistent in their stance. A hole for one is a hole for all. There's no such thing as securely-compromised encryption. Wray's response has also been consistent: they're just not thinking hard enough. The only "compromise" pitched by members of the tech sector is basically re-skinned key escrow -- the thing that went out of fashion with the death of the Clipper Chip.

Wray's pitch now includes an appeal to the modern wonders of the world, as if these examples change the equation at all:

We're a country that has unbelievable innovation. We put a man on the moon. We have the power of flight. We have autonomous vehicles… [T]he idea that we can't solve this problem as a society -- I just don't buy it.

First off, bringing the space program into this is ridiculous. All it does is demonstrate the government has access to some of the best minds, but Wray expects the private sector to provide, maintain, and bear the expense of a law enforcement-friendly encryption "solution." (And if it fails to deliver, Wray's more than willing to ask the government to force the private sector to play ball.)

Second, putting a man on the moon was the side effect of a Cold War cock-measuring contest with the USSR. While the nation has derived many benefits over the years from the space program, the "man on the moon" mission was a way of expressing superiority and implying that our weaponry was similarly advanced. The US government showed the world how powerful it was. I don't think that's the analogy you want to make when discussing personal device encryption.

And third, the whole "putting a man on the moon" analogy was solidly mocked on John Oliver's program two years ago when he quoted cryptography expert Matt Blaze accurately saying, "When I hear 'if we can put a man on the moon, we can do this' I'm hearing an analogy almost saying "if we can put a man on the moon, surely we can put a man on the sun.'" Not every issue is the equivalent of putting a man on the moon.

While the others listed are private sector achievements, they're simply not good comparisons. Encryption methods continue to advance in complexity and ease-of-use. This is innovation, even if it's innovation Chris Wray doesn't like. Each of the innovations listed solved problems and created markets. In this case the problem is device security. Encryption solves it. Who wants secure devices? Everyone who buys one.

The rise of smartphones has seen users replace their houses with handheld devices as the primary storage for a life's-worth of documents, along with access to a great deal of financial and personal info. Device makers want to ensure a stolen phone doesn't mean a stolen life. Wray (and others) don't want to do anything more than obtain warrants to scrape the digital innards of devices they seize. In other words, when the FBI encounters a locked safe in someone's house, Wray would believe it's the manufacturer's fault for the safe failing to unlock immediately in the presence of a search warrant.

Still, Wray believes society as a whole would be better off with weaker encryption because sometimes terrorists and criminals use encryption.

Because to the extent that the bad guys have shifted more and more to living their whole lives through encrypted devices and encrypted messaging platforms, that if we don't find a way to access that information with lawful process, we're in a bad place as a country.

Default encryption has been around for a few years now and there's no evidence we're less safe as a nation. Very few prosecutions have been dead-ended because investigators couldn't get into a phone. The problem is presented as swiftly-growing and inevitable, but there's been nothing delivered as evidence of these claims. The FBI has continually pointed to its growing pile of locked devices as Exhibit A in the War on Encryption, but has never presented anything at all to give these claims of diminishing public safety any credence. All we know for sure at this point is the FBI can't count. It used a wrong number (~7,800) to push the narrative and still expects us to believe it after it admitted this count was nearly four times higher than the actual number of devices in its possession.

Wray needs to stop complaining about the tech sector until his own agency can demonstrate its ability to approach the issue with facts, verified numbers, and intellectual honesty.

Filed Under: backdoors, chris wray, encryption, fbi, going dark, man on the moon

DOJ, FBI Issuing Corrections To Statements, Testimony Containing Bogus Uncracked Device Numbers

from the cleanup-on-aisle-7800 dept

The FBI's push for encryption backdoors relied on ever-skyrocketing numbers of uncracked devices the agency's best and brightest just couldn't seem to access. "Look!" DOJ and FBI officials said, pointing lawmakers at charts showing an explosion in the number of locked devices over the last couple of years. Unsustainable, it seemed to say. But it was all a lie. Not a deliberate lie, maybe, but a lie nonetheless. A convenient misrepresentation of the problem caused by a software error.

How does an agency with the technical capabilities the FBI has miscount physical items? Apparently, you let software do the counting and hope for the best.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,’’ the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

This inflated the count from somewhere between 1,000-2,000 to nearly 8,000. That was the number used by Director Christopher Wray and AG Jeff Sessions in testimony to Congress and speeches to law enforcement. That was the center of the narrative: a number that kept growing exponentially with no end in sight.

You'd think the agency would track devices better, what with officials constantly claiming each and every phone was "tied to a threat to the American people." Something that important shouldn't be carelessly handled. But the phones "tied to threats" were overcounted, suggesting a severe problem in the FBI's tracking system that might make it difficult to figure out which "threats" each phone is "tied" to if and when it ever gets around to cracking the devices.

Now, the DOJ is in damage control mode. Robyn Greene was the first to notice the corrections made to officials' statements using the FBI's bullshit ~8,000 number. Edits to AG Sessions' recent comments at a law enforcement conference have replaced this:

Last year the FBI was unable to access investigation-related content on more than 7,700 devices…

With this:

Last year the FBI was unable to access investigation-related content on more than ** devices…

The footnote reads:

** Due to an error in the FBI's methodology, an earlier version of this speech incorrectly stated that the FBI had been unable to access 7,800 devices. The correct number will be substantially lower.

The FBI's been doing a bit of cleanup at its own site. Here's one from May 3, 2017 that has since been corrected.

In just the first half of this fiscal year, the FBI was unable to access the content of more than 3,000* mobile devices...

The FBI's footnote is far more concise and vague.

* Due to an error in methodology, this number is incorrect. A review is ongoing to determine an updated number.

It helpfully doesn't mention the FBI screwed up its own count. Nor does it state the new estimate will be "substantially lower." Cowards.

Here's another one, from September 27, 2017:

In the first 10 months of this fiscal year, the FBI was unable to access the content of more than 6,000* mobile devices…

How did this jump -- 3,000 phones in five months -- escape notice? As of November 2016, the number was only around 880 devices. Then it jumped to 3,000 six months later. Then it doubled to 6,000 in less than five months. By the end of that fiscal year four months later, the FBI had supposedly added another 1,775 uncrackable devices.

In fiscal year 2017, we were unable to access the content of 7,775* devices…

Even if the count had been accurate (which it wasn't), the numbers were delivered dishonestly. What appears to be a cumulative total of all devices the FBI had collected over the years is presented in testimony as being the total number of devices the FBI couldn't unlock during a single fiscal year. This vastly misconstrues the severity of the issue and while FBI officials may have been unaware the FBI's software was delivering bogus counts, it didn't stop them from overstating the problem by presenting historical cumulative numbers as a single year's total.

Whatever number the FBI finally delivers will be decidedly underwhelming. Considering it still hasn't provided Congress with details of its attempts to access supposedly uncrackable devices, the FBI has managed to decimate its own forces in the new War on Encryption. It overplayed its hand -- perhaps inadvertently -- and weakened its argument severely. Something this important to the FBI was handled carelessly -- not because the FBI doesn't really want weakened encryption, but because the FBI will not do anything to weaken its anti-encryption position. It never bothered to check the phone count because the number given to officials was sufficiently impressive. That mattered far more than accuracy or honesty. "Fidelity, Bravery, Integrity" my ass.

Filed Under: chris wray, corrections, doj, encrypted phones, errors, fbi, going dark, jeff sessions

EFF Asks FBI, DOJ To Turn Over Details On Thousands Of Locked Phones The FBI Seems Uninterested In Cracking

from the tearing-new-FOIA-holes-in-the-FBI's-narrative dept

The FBI's growing number of uncracked phones remains a mystery. The agency claims it has nearly 8,000 phones in its possession which it can't get into, despite multiple vendors offering services that can allegedly crack any iPhone and countless Android devices.

The push for mandated backdoors and/or weakened encryption continues, with successive FBI heads (James Comey, Chris Wray) declaring public safety is being threatened by the agency's locked phone stockpile. This push seems doubly insincere given a recent Inspector General's report, which revealed agency officials slow-walked the search for a third-party solution to unlock a phone belonging to the San Bernardino shooter.

Legislators have taken notice of the FBI's disingenuous push for a legislative mandate. Back in April, a group of lawmakers sent a letter to the FBI asking what it was actually doing to access the contents of its growing collection of locked phones and why it insisted there were no other options when it was apparent vendors were offering phone-cracking solutions.

The EFF has questions as well. It has sent a FOIA request [PDF] to the FBI and DOJ asking for details on the FBI's locked phone stash.

[W]e have submitted a FOIA request to the FBI, as well as the Offices of the Inspector General and Information Policy at DoJ. Among other things, we are asking the FBI to tell the public how they arrived at that 7,775 devices figure, when and how the FBI discovered that some outside entity was capable of hacking the San Bernardino iPhone, and what the FBI was telling Congress about its capabilities to hack into cellphones.

The FBI is in no hurry to make this information public, so it will probably take a lawsuit to get its response rolling. It still has yet to answer the questions posed to it by Congress, even as it continues to push its "going dark" narrative anywhere Director Chris Wray is given the opportunity to speak.

The ever-growing number of locked phones is a true mystery, considering the number saw exponential growth -- swelling from under 1,000 phones in 2016 to nearly 8,000 phones only two years later. This happened without exponential growth in deployed encryption, but also closely tracks with the rise of James Comey's "going dark" theory and the aftermath of the FBI's failed attempt to secure a favorable precedential decision in the San Bernardino shooter case.

Whatever is revealed should answer a few questions. Unfortunately, the answer may end up being that the FBI truly isn't interested in anything more than solutions mandated by the government.

Filed Under: chris wray, doj, encryption, fbi, going dark
Companies: eff

FBI Director Says It's 'Not Impossible' To Create Compromised Encryption That's Still Secure

from the saying-the-same-thing-over-and-over-doesn't-make-it-true dept

FBI Director Chris Wray was back on the "going dark" stump this week. In a speech [PDF] at Boston College, Wray again stated, without evidence, that it wasn't impossible to create weakened encryption that isn't weakened. (via Cyrus Farivar at Ars Technica)

We have a whole bunch of folks at FBI Headquarters devoted to explaining this challenge and working with stakeholders to find a way forward. But we need and want the private sector’s help. We need them to respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both. I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available. But I just don’t buy the claim that it’s impossible.

It really doesn't matter whether or not Wray "buys" this claim. If you deliberately weaken encryption -- either through key escrow or by making it easier to bypass -- the encryption no longer offers the protection it did before it was compromised. That's the thing about facts. They're not like cult leaders. They don't need a bunch of true believers hanging around to retain their strength.

Yet Wray continues to believe this can be done. He has yet to provide Senator Ron Wyden with a list of tech experts who feel the same way. The "going dark" part of his remarks is filled with incongruity and non sequiturs. Like this, in which Wray says he doesn't want backdoors, but rather instant access to encrypted data and communications… almost like a backdoor of some sort.

We’re not looking for a “back door” – which I understand to mean some type of secret, insecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.

If by "backdoor," he means insecure exploit, then he's technically correct. If by "not a backdoor," he means another door located on the front or side or connected to the basement or whatever, then what difference does the door's location really make? A door is door and it provides an opening where there wasn't one previously.

Solutions have been provided. There's no shortage of people suggesting workarounds. Metadata is valuable even if Wray continues to downplay it. It's a weird position for him to take considering the agency's long reliance on metadata swept up by the NSA. Devices can be hacked, but Wray continues to assert this isn't a solution either, even after Cellebrite made the stunning announcement it could crack any iPhone, including the latest models. There are a variety of third parties hosting communications in cloud services, all of which could be approached to gain access to at least some evidence. Even public enemy #1, Apple, stores encryption keys for its iCloud services, which would give law enforcement much of what can't be obtained from a locked device.

Wray doesn't want a solution that isn't forced subservience of tech companies. That's become plainly apparent as he continues his anti-encryption crusade. Tech experts are ignored. Hacking breakthroughs like Cellebrite's aren't even cited. Legislators, for the most part, have offered no support for anti-encryption legislation, and yet Wray continues to push for technical access he can't define and proclaim his rightness despite having no expertise in the subject matter.

He also mentioned the stack of cellphones the agency claims it can't access -- 7,800 devices or more than half of those the FBI tried to access last year. But the number is meaningless. Wray claims they're all tied to investigations in one way or another, but does not describe what efforts were made to access their contents. Were the phones owners approached and asked for passcodes? Were the phones owners presented with the option of unlocking the devices or facing contempt charges? Were phones sent to Cellebrite or its competitors? Or has the FBI simply shrugged its shoulders, thrown them in a big pile, and decided to let the problem go unaddressed until it has enough legislators on its side?

In this discussion of The 7,800 Phones That Couldn't Be Broken, Wray mentioned something that shows the FBI won't be happy until it has mandated access to all encrypted data -- not just data at rest on locked devices.

Being unable to access nearly 78-hundred devices is a major public safety issue. That’s more than half of all the devices we attempted to access in that timeframe. And that’s just at the FBI. That’s not even counting devices sought by other law enforcement agencies – our state, local, and foreign counterparts. It also doesn’t count important situations outside of accessing a specific device, like when terrorists, spies, and criminals use encrypted messaging apps to communicate, which is an increasingly widespread problem.

Wray ended his speech as he always does -- with emotional appeals meant to throw shade on the tech experts who've told him his safely-broken encryption dreams are impossible.

After all, America leads the world in innovation. We have the brightest minds doing and creating fantastic things. A responsible solution will incorporate the best of two great American traditions – the rule of law and innovation. But for this to work, the private sector needs to recognize that it’s part of the solution. Again, I’m open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens. I also can’t accept that anyone out there reasonably thinks the state of play as it exists now – much less the direction it’s going – is acceptable.

Broken down, his final thoughts on "going dark" run like this:

1. Smart people refuse to help us.

2. They are irresponsible.

3. They are part of the problem.

4. They are making America unsafe.

Christ, what an asshole. The private sector is doing far more to "protect innocent citizens" than the FBI is. Encryption makes communications and data transfer much, much safer. Wray wants this weakened for one reason: to give law enforcement immediate access. Will this make America safer? The answer is no. Default encryption has been available for years now and there's been no corresponding spike in criminal activity and no loud chorus of united law enforcement officials lamenting their inability to close cases or prosecute people. America's jails are as full as they've ever been and crime rates remain far lower than they were prior to the advent of smartphones and encryption-by-default. It's only a very small number of law enforcement officials that seem to have a problem with this, but they're by far the loudest and most visible.

Filed Under: backdoors, chris wray, encryption, fbi, going dark, responsible encryption