Manhattan DA's Office Serves Up Craptastic White Paper Asking For A Ban On Encryption

from the and-just-a-couple-of-backdoors,-maybe-FOR-SAFETY! dept

Manhattan DA Cyrus Vance may not know what the fuck he's talking about when he discusses encryption, the internet and other tech-related issues. But that's certainly not going to keep him from talking about them.

A just-published "white paper" from the Manhattan DA's office (h/t Matthew Green) offers up all sorts of stupidity in its attempt to justify anti-encryption legislation.

It starts with lofty ideals…

This Report is intended to:

1) Summarize the smartphone encryption debate for those unfamiliar with the issue;
2) Explain the importance of evidence stored on smartphones to public safety;
3) Dispel certain misconceptions that many privacy advocates hold about law enforcement’s position related to encryption, including the myth that we support a “backdoor” or government-held “key;”
4) Encourage an open discussion with technology companies, privacy advocates, and lawmakers; and
5) Propose a solution that protects privacy and safety.

… before throwing most of these out completely, starting with the "open discussion" with the affected stakeholders.

Vance's office doesn't want to burden the nation's tech companies with "golden keys" or "good guy-only" backdoors. The paper admits such a "solution" would be complicated and expensive. (But not impossible, notably.)

His solution? Something that doesn't burden tech companies, but simply leaves their customers unprotected. No backdoors will be needed because there will be nowhere to install one.

The federal legislation would provide in substance that any smartphone manufactured, leased, or sold in the U.S. must be able to be unlocked, or its data accessed, by the operating system designer. Compliance with such a statute would not require new technology or costly adjustments. It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.

That's the big idea: a ban on encryption, presented disingenously as "Not A Ban." For all the paper's supposed "discussion" of the issues and contemplation of concerns expressed by companies and their customers, this is the DA's office's brilliant cure-all: federal legislation that would prevent companies from deploying encryption -- at least not without holding onto a set of keys for government use.

Offered in support of these arguments are the horrendous laws being contemplated/passed in other countries like the UK and France. If they can do it, we can do it! Vance's office argues any resulting harm to human rights civil liberties will be minimal. Undiscussed is the resulting harm to innocent users whose phones' contents are no longer encrypted.

The paper also discusses various workarounds that have been suggested, like accessing the unencrypted contents of cloud storage services connected to users' phones. The DA's office says that just isn't good enough. For one thing, not every user utilizes the cloud services offered by Google and Apple. The office's argument against seeking other routes to communications and data is astoundingly terrible.

[S]martphone users are not required to set up a cloud account or back up to the cloud, and therefore, many device users will not have data stored in the cloud. Even minimally sophisticated wrongdoers who use their devices to perpetrate crimes and who have cloud accounts will likely take the relatively simple steps necessary to avoid backing up those devices, or data of interest, to the cloud. In most instances, only one or two selections must be made in the device’s settings to turn off the back-up function or to remove certain types of content from the back up.

There's a huge problem with this paragraph. It makes the assertion that criminals are more likely to avoid utilizing cloud backup services while simultaneously noting that this process is entirely optional and will not be used by most people. Using this logic, an average user may also be a "minimally sophisticated wrongdoer," at least as far as law enforcement can tell from what it finds stored in the cloud.

The underlying point is that lots of data and communications still reside within the phone itself and law enforcement will not be able to access this without Apple or Google leaving a door open for it.

The office does further damage to its own arguments for banning encryption by highlighting a string of successful prosecutions utilizing evidence recovered from cell phones. It uses this list to highlight the amount of "probative evidence" obtained from cell phones while simultaneously (and inadvertently) pointing out that law enforcement really hasn't been stymied by encryption, despite Vance's FUD-filled imaginations to the contrary.

And, finally, let's take a look at one more bogus analogy made by Vance's office, in which he tries to equate phones with houses.

The Fourth Amendment dictates that search warrants may be issued only when a judge finds probable cause to believe that a crime has been committed and that evidence or proceeds of the crime might be found on the device to be searched. The warrant requirement has been described by the Supreme Court as “[t]he bulwark of Fourth Amendment protection,” and there is no reason to believe that it cannot continue to serve in that role, whether the object that is to be searched is an iPhone or a home.

In fact, what makes full-disk encryption schemes remarkable is that they provide greater protection to one’s phone than one has in one’s home, which, of course, has always been afforded the highest level of privacy protection by courts. Apple and Google should not be able to alter this constitutional balance unilaterally. Every home can be entered with a search warrant. The same should be true of devices.

A more honest analogy would compare phones to computers, which is basically what they are. While a warrant may give cops access to someone's computer -- allowing them to seize it -- it does not guarantee they'll be able to access its contents. Vance wants to compare opening a phone to opening a door, but it's not a true comparison. If people could make their houses as impregnable as their phones and computers, some very likely would -- and not just the theoretical "minimally sophisticated criminals." A house that cops can't get into is a house criminals can't get into. But there's no way to encrypt a door or window.

The paper tries to portray this as somehow making phones more private than houses in terms of the Fourth Amendment. But encrypted phones have nothing to do with a heightened expectation of privacy. Encryption makes phones more secure than houses, not more private than houses. The Fourth Amendment considerations aren't being shifted. It's only the level of instant access that's being changed. Vance's office -- being part of the law enforcement community -- should welcome efforts that make citizens more secure. Instead, all it's doing is bitching loudly and disingenously about all the power it imagines encryption will strip away from it.

Filed Under: backdoors, cyrus vance, encryption, encryption backdoors, going dark, ny

Manhattan District Attorney Ratchets Up The 'Going Dark' FUD; Leaves Out Its Connection To Shady Hacking Team

from the because-those-little-details-aren't-important dept

After the FBI's James Comey, it seems that the biggest proponent of backdooring encryption for law enforcement has been Manhattan District Attorney Cyrus Vance, who has now penned a ridiculous fear-mongering opinion piece for the NY Times (along with City of London Police Commissioner Adrian Leppard, Paris Chief Prosecutor Francois Molins and Spanish chief prosecutor Javier Zaragoza). Vance has been whining about encryption for a while. And Leppard, you may recall, is the guy who recently claimed "the tor" is 90% of the internet and a "risk to society." He's not exactly credible on technology or encryption issues. But, still... he gets to team up on a NYT op-ed about encryption.

While Comey has been struggling to find a dead child to use as the literal poster child of his campaign to weaken encryption, these prosecutors are now parading out a few stories, starting with a murder in Evanston, Illinois (note: not anywhere near Manhattan, Paris, London or Madrid):

In June, a father of six was shot dead on a Monday afternoon in Evanston, Ill., a suburb 10 miles north of Chicago. The Evanston police believe that the victim, Ray C. Owens, had also been robbed. There were no witnesses to his killing, and no surveillance footage either.

With a killer on the loose and few leads at their disposal, investigators in Cook County, which includes Evanston, were encouraged when they found two smartphones alongside the body of the deceased: an iPhone 6 running on Apple’s iOS 8 operating system, and a Samsung Galaxy S6 Edge running on Google’s Android operating system. Both devices were passcode protected.

An Illinois state judge issued a warrant ordering Apple and Google to unlock the phones and share with authorities any data therein that could potentially solve the murder. Apple and Google replied, in essence, that they could not — because they did not know the user’s passcode.

The homicide remains unsolved. The killer remains at large.

Cool story. Totally bogus, but cool story. There are all sorts of problems with it starting with the fact that, as of last check Samsung is not requiring encryption by default, because of performance issues. Thus, if it's true that the phone was encrypted, that's not an issue with Google/Android, but the user setting up something himself -- something that anyone has been able to do for ages and has nothing to do with recent moves by Google (and it's not even entirely clear from the description by Vance if the phones were actually encrypted or just had a passcode/lockscreen).

More importantly, the idea that this is why the murder "remains unsolved" and "the killer remains at large" is ridiculous. It's not even clear why the smartphones are all that relevant in this case. But nothing in having a passcode on the phones would stop police from figuring out the phone numbers, contacting service providers for information or issuing perfectly working warrants for communications data (remember, the only issue with encryption would be stored data at rest on the phone). Indeed, the Evanston police did obtain call records related to the phone, but they didn't help the investigation. In fact, the Commander of the Evanston Police Department told The Intercept that while accessing the phones might provide some useful clues he's not sure if it would actually help solve the case -- just as the call records did not.

In other words, this is nothing but blatant factually challenged fear mongering.

And it goes on:

Between October and June, 74 iPhones running the iOS 8 operating system could not be accessed by investigators for the Manhattan district attorney’s office — despite judicial warrants to search the devices. The investigations that were disrupted include the attempted murder of three individuals, the repeated sexual abuse of a child, a continuing sex trafficking ring and numerous assaults and robberies.

This is the first time anyone has actually given numbers of the times law enforcement was "stymied," but notice that none of these cases, including the "attempted murder of three individuals, the repeated sexual abuse of a child or the continuing sex trafficking ring" were described in any more detail to explain how the encrypted phones were the real problem (again: remember there is nothing stopping the police from getting other data, including communications data or any of the data backed up in the cloud, as most data on iPhones is).

Oh, and then there's this: As Kade Crockford highlights, Muckrock recently noted that the leaked emails from the Hacking Team showed that the Manhattan DA's office was a potential client of the Hacking Team, meaning that it would have had access to plenty of tools on hand to break into phones -- even those that make use of encryption.

As recently as this past May, Hacking Team and an assistant district attorney with the Manhattan District Attorney’s Office emailed back and forth about a potential software “solution.” Hacking Team sales staff fielded questions about jailbreaking iPhones remotely, and discussed among themselves about how high a price to quote.

Hacking Team hosted a spyware demo in September 2013 for Manhattan district attorney staff, and again in February 2015. When the assistant DA requested a price estimate, a Hacking Team operations manager suggested a starting ask of $3 million.

"If it's totally out of budget, we can come up with a special 'deal' for them and the usual accommodations," wrote Hacking Team’s Daniele Milan on an internal email thread about discussions with the DA.

The DA’s office confirmed that it has met with Hacking Team to review their products.

"In order to keep pace with rapid developments in the private sector, we invite groups to demo various emerging technologies," wrote Joan Vollero, Manhattan DA spokeswoman, in an emailed statement.

The Vance op-ed also completely misrepresents things, arguing that because some criminals falsely believe that everything is now encrypted, it means they are:

Criminal defendants have caught on. Recently, a suspect in a Manhattan felony, speaking on a recorded jailhouse call, noted that “Apple and Google came out with these softwares” that the police cannot easily unlock.

Except, Google and Apple have long offered the software, and (again) it's not yet default on Android phones and it only protects stored data on the phones -- while most people will likely (falsely) assume that it also protects communications data or backed up data.

The op-ed also ignores the valid reasons for protecting your own privacy, or what happens when malicious actors use backdoors to get into your data. Or how foreign states, such as China and Russia will also demand backdoors. Instead, it pretends the only criticism of backdoors is because of worries about government surveillance. This is wrong. The article falsely argues that full disk encryption only provides "marginal" benefits to users, and shouldn't be allowed because what prosecutors want to do is different than the NSA's mass surveillance efforts. Once again, this misstates the reasons for full-disk encryption and completely ignores the dangers of backdoors.

We had hoped the ridiculousness over the whole "going dark" hysteria would start to die down by now, but apparently that was being optimistic. One wonders if Cyrus Vance, Francois Molins, Adrian Leppard and Javier Zaragoza also bemoan the act that criminals can speak to each other in person and no warrant will ever reveal what they said.

Filed Under: adrian leppard, cyrus vance, encryption, fud, going dark, mobile encryption

New York's Top Prosecutor Says We Need New Laws To Fight iPhone/Android Encryption

from the because-child-murdering-drug-dealers,-of-course dept

The greatest threat to law enforcement since the motocar continues to receive attention from entities aghast at the notion that peoples' communications and data might not be instantly accessible by law enforcement. Apple's decision (followed shortly thereafter by Google) to offer default encryption for phone users has kicked off an avalanche of paranoid hyperbole declaring this effort to be a boon for pedophiles, murders and drug dealers.

New laws have been called for and efforts are being made to modify existing laws to force Apple and Google into providing "law enforcement-only" backdoors, as if such a thing were actually possible. New York County's top prosecutor, Manhattan DA Cyrus Vance -- speaking at an FBI-hosted cybersecurity conference -- is the latest to offer up a version of "there ought to be a law."

Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Manhattan District Attorney Cyrus Vance said today in an interview at a cybersecurity conference in New York.

Sure. These entities could "consider" this. And then swiftly discard the idea. There's no good reason why millions of people's data and communications should be made less secure just to make capturing criminals -- a small minority of the population -- easier. There are only law enforcement reasons. And those reasons are specious, at best. Cops have been catching criminals since long before the rise of the cellphone and they'll continue to do so long after default encryption becomes standard operating procedure.

But to hear opponents of Apple's move tell it, encryption-by-default is an unfair impediment to investigative and law enforcement agencies.

“It’s developed into a sort of high-stakes game,” Vance said. “They’ve eliminated accessibility in order to market the product. Now that means we have to figure out how to solve a problem that we didn’t create.”

Vance's portrayal of this decision is dishonest and self-serving, but it's his last sentence that is the most skewed. Law enforcement (along with investigative and national security agencies) did create this problem. They abused their powers to obtain warrantless access to metadata, data, communications, and anything stored locally on the phone. Cops routinely searched phones of those they detained without a warrant, something that was finally curbed by a Supreme Court decison. The NSA, FBI and law enforcement agencies all use the Third Party Doctrine to access call records, cell site location data and anything else that can be easily had without ever approaching a judge. So, they did bring this on themselves. And that's why (as the oft-used quote goes) the "pendulum" has "swung the other way."

It's not marketing. It's a very specific reaction to years of unchecked government power. It's obvious the government can't restrain itself. So, these companies have made it "easier" for the government to refrain from abusing its power by making this decision for them. Sure, there's a limited market for more security, but making it default going forward gains these companies nothing in terms of new customers. It's not an option that's only available to people who buy certain phones or certain service contracts. It's for everyone who buys a phone. Vance echoes the statements of others in his attempt to portray this as a purely mercenary decision but the only thing this does is make him look stupider.

After ticking the mandatory "crimes against children/murderers" emotional-plea checkbox, Vance goes on to cross "public safety" off the list of talking points.

“This is an issue of public safety,” Vance said. “The companies made a conscious decision -- which they marketed -- to make these devices inaccessible. Now it’s our job to figure out how we can do our job in that environment.”

Incredibly, Vance portrays his deployment of every anti-encryption cliche as special and unique, claiming he's "going rogue" by speaking up on the subject. (Because everyone else has been oh so silent...) But there's nothing new being said here. Again, Vance pushes the "greed" angle, but it's his last sentence that's the most ridiculous.

Vance -- and others like him -- aren't "figuring out" how to do their jobs in "this environment." They have no desire to do that. What they want is to change the environment. The new environment doesn't cater to their instant access desires, but rather than deal with the limitations and approach them intelligently, they've chosen to portray encryption-by-default as Google and Apple's new plan to make a ton of money selling smartphones to child molesters and murderers.

They want the laws to change, rather than law enforcement. And all they've offered in support are panic-button-mashing "arguments" and heated hyperbole. The problem is that panic buttons and hyperbole are effective legislative mobilizers. As bad as Vance's ideas are, there's a good chance he'll be able to find a number of politicians that agree with him. In all likelihood, the environment will be forced to adapt to law enforcement, rather than the other way around.

Filed Under: cyrus vance, encryption, mobile encryption, privacy

If Most Crime Involves A 'Cyber' Element, Can't We Just Call It Crime Instead Of Cybercrime?

from the scary-scary-internet dept

It is a standing modern truth that you can take a scary word in the English language and turbocharge its terror factor by putting the word "cyber" in front of it. Don't believe me? Murder. Some guy stabs or shoots me. Cyber-murder. Holy crap! A dude can reach through the computer and electrocute my face! The problem, as we've discussed previously, is that many of the supposed facts used to hype cybercrime are massively overstated, and the unfortunately resulting hysteria breeds atrocities like The Patriot Act, because computers are terrifying and apparently the government is not. Of course, it doesn't end with crime. Cyberwar, cyber-terrorism, these words now permeate the bloodstream like terrifying nanobots, all while the use of technology and the internet marches forward at incredible rates.

But is the term "cybercrime" even useful anymore? When NYC district attorneys like Manhattan's Cyrus Vance suggest that pretty much all crime includes a cyber element, can't we just drop the scare words and go back to calling it "crime?"

According to Vance, cybercrime isn't just a growing trend—it's a fundamental shift in the way modern crime works. It has already reached a point where nearly every crime in the city involves a cyber component.

"It is rare that a case does not involve some kind of cyber or computer element that we prosecute in our office—whether it is homicide, whether it's a financial crime case, whether it's a gang case where the gang members are posting on Facebook where they're going to meet," said Vance.

It seems to me that just because there is a small element in a murder that involves a computer, that doesn't make it cybercrime, but that's apparently how it's being reported at the DA's office. This, of course, allows federal agencies like DHS and the CIA to get involved, where they, otherwise, would not.

The city is getting help from the Secret Service, Department of Homeland Security, local businesses, and others. This system of cooperation was actually set up in 2001 when President George W. Bush signed the PATRIOT Act into law. It established the Electronic Crimes Task Forces (ECTFs) under the Secret Service. According to the Secret Service website, "The concept of the ECTF network is to bring together not only federal, state and local law enforcement, but also prosecutors, private industry and academia."

I wouldn't want to necessarily suggest that having the alphabet agencies get involved at some level is always going to be a bad thing, but perhaps it is time we all had a conversation about how we, as citizens, want to be policed in America. That question is going to dovetail into whether or not we want scare-words like "cyber" to result in law enforcement evolving away from the local level to the federal level. For a country that bangs the "get government out of our lives" drum so frequently, often from the party that spawned The PATRIOT Act no less, we seem quite willing to let irrational fear dominate us.

Filed Under: computers, cybercrime, cyrus vance, district attorney, new york city