DailyDirt: Trust In Math

from the urls-we-dig-up dept

We'll know things are really going wrong when government authorities are trying to innovate their way around math. (And maybe we're already headed that way with backdoors to encryption.) Hopefully, though, we'll be able to trust in math for the foreseeable future, and nevermind about the Banach-Tarski paradox. Math is hard.

• If you thought that quantum cryptography would someday solve all the problems of unauthorized eavesdroppers, some researchers have shown that we'll have to be a bit more careful. Using the Bell inequality to check for attackers isn't necessarily sufficient to certify a quantum key distribution (QKD) as secure, as an eavesdropper could use some quantum hacking to compromise a system with fake detectors. Fortunately, some additional tests can reestablish security and protect against current and future attacks of a specific type. [url]
• Keeping anonymous communications networks anonymous is a bit harder if you can't guarantee there isn't an adversary with the resources to compromise a significant fraction of the network. One solution to this problem might be to include some obfuscation and noise to the network -- and as long as one out of three nodes isn't compromised, messages will be anonymous and untraceable. [url]
• The math challenge of 'graph isomorphism' is supposed to be tough, but if it's downgraded to a less difficult problem, then we might have to move away from number factoring for securing encryption. An algorithmic breakthrough for factoring could allow powerful computers to break into encrypted messages. This wouldn't be the first time we've had to change encryption methods, but this would be a significant development now, given the widespread use of encryption technology that relies on factoring. [url]

If you've been thinking about learning how to code, take a look at our Daily Deals for a collection of online courses to help you program and/or master some professional skills.

Filed Under: backdoors, banach-tarski paradox, cryptography, encryption, graph isomorphism, math, qkd, quantum cryptography, quantum hacking, quantum key distribution, security

Pioneer In Internet Anonymity Hands FBI A Huge Gift In Building Dangerous Backdoored Encryption System

from the not-a-good-idea dept

I first came across cryptography pioneer David Chaum about a decade ago, during the debates about online voting. Many in the technology world were insisting that such things were impossible to do safely, but Chaum insisted he had come up with a way to do online voting safely (he'd also tried to do electronic money, DigiCash... unsuccessfully). Many people disagreed with Chaum and it led to some fairly epic discussions. It appears that Chaum is again making moves that are making many of his colleagues angry: specifically creating a backdoored encryption system.

Few doubt Chaum's cryptography skills or pedigree. He was instrumental in the early days of computer cryptography and what anonymity we have online today owes a lot to Chaum. But his latest plan is... troubling:

At the Real World Crypto conference at Stanford University today, Chaum plans to present for the first time a new encryption scheme he calls PrivaTegrity. Like other tools Chaum has spent his long career developing, PrivaTegrity is designed to allow fully secret, anonymous communications that no eavesdropper can crack, whether a hacker or an intelligence agency.

That part sounds good, right? But then there's this:

That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether.

Whoever controls that backdoor within PrivaTegrity would have the power to decide who counts as “evil”—too much power, Chaum recognizes, for any single company or government. So he’s given the task to a sort of council system. When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications. The result, Chaum argues, is a new approach that “breaks the crypto wars,” satisfying both the law enforcement agencies who argue that encryption offers a haven for criminals, and also those who argue that it’s necessary to hobble mass spying.

Unfortunately, Chaum is both totally missing the point and playing right into the FBI's hands. The argument of basically every other cryptographer is that building any encryption system is incredibly difficult -- and introducing any sort of backdoor opens up massive and dangerous vulnerabilities -- whether the original creators recognize it or not. The second you introduce a backdoor -- even using Chaum's weird "nine people in nine countries" system -- you have introduced a vulnerability. A vulnerability that can and will be abused by others. You are introducing a security flaw. And that's a massive security problem.

Chaum's bragging about this system totally misses this point:

“If you want a way to solve this apparent logjam, here it is,” says Chaum. “We don’t have to give up on privacy. We don’t have to allow terrorists and drug dealers to use it. We can have a civil society electronically without the possibility of covert mass surveillance.”

That assumes that his system can't be hacked. That's a dangerous claim. Yes, the "key" is split into 9 pieces, but it's still introducing a vulnerability and undermining the integrity of the system.

And, worst of all, as ACLU security expert Chris Soghoian points out, this is little more than a huge political gift to the FBI, who can go back to their stupid claims that if technologists just work harder they can come up with a "solution" to the false problem of "going dark." Similarly, you have politicians like Hillary Clinton insisting that if only techies come together with government they can "solve" the encryption/"going dark" issue.

And now you can bet, without a doubt, that law enforcement and clueless politicians will start pointing to Chaum's offering as an example of a "solution."

Security experts: Backdoors weaken security. They're a bad idea. Chaum: I've built a new system with a backdoor. FBI: See? It is possible.

— Christopher Soghoian (@csoghoian) January 6, 2016

But, as Soghoian points out, that misses the point. Chaum is creating a technology that is, by default, less secure and comes with vulnerabilities built in. It's no secret that it's possible to build backdoored encryption. Hell, just about anyone could do that. The "impossible" part that people are warning about is building such a system that is actually secure. Chaum's is not. By default, it has vulnerabilities built in, and they will get exploited. And, even before the technology is exploited, the existence of this will be exploited by politicians and law enforcement to undermine arguments for strong encryption.

And, of course, none of PrivaTegrity's security claims have been checked or audited publicly at this point. Chaum admits that while the eventual plan will involve routing messages (multiple times) though nine servers in nine different countries, the prototype runs entirely on Amazon's cloud computing infrastructure. Either way, at the very least, the system makes it clear that decrypting all such traffic requires attacking and compromising just nine servers. If you don't think the NSA can do that, you haven't been paying attention.

Filed Under: backdoors, david chaum, encryption, going dark, hillary clinton, james comey, security
Companies: privategrity

Dutch Government Supports Encryption, Opposes Backdoors

from the living-in-fear-isn't-for-us,-thanks dept

Running somewhat against the grain of the current political climate, the Netherlands government has issued a statement strongly supporting encryption (for everyone, not just the government) and against the idea of intelligence/law enforcement backdoors. Patrick Howell O'Neill of the Daily Dot has the details:

The Dutch executive cabinet endorsed “the importance of strong encryption for Internet security to support the protection of privacy for citizens, companies, the government, and the entire Dutch economy,” Ard van der Steur, the Dutch minister of security and justice, wrote in the statement. “Therefore, the government believes that it is currently not desirable to take legal measures against the development, availability and use of encryption within the Netherlands.”

This statement of support contrasts with recent efforts by European countries to institute encryption bans or backdoors. This is also somewhat at odds with recent efforts by this same government to grant greater surveillance and hacking powers to its intelligence/law enforcement agencies.

The statement also hedges its pro-encryption stance slightly. While generally opposed to mandatory backdoors, it does suggest service providers with the power to decrypt communications may be required to do so at the request of the government. The concluding paragraphs of the statement hint that investigatory/national security "needs" may occasionally outweigh the greater good of secured communications.

But overall, the pro-encryption statement shows this government understands the net positive of strong encryption. Sure, it may occasionally hinder investigators or intelligence operations, but it also defends against foreign surveillance efforts, state-sponsored attacks and criminals.

As O'Neill points out, the Netherlands may become something of a "safe harbor" for tech companies looking to protect their customers from neighboring governments who have opted to fight the War on Terror by engaging in a War on Encryption.

If strong end-to-end encryption is banned in major Western nations, countries like the Netherlands may become important islands of legal cryptography that stymie anti-encryption efforts.

The debate over encryption has gotten to the point where encryption-friendly countries are viewed as pockets of resistance by their neighbors -- which is truly perverse, considering the efforts will do more to keep bad guys out than provide shelter for wrongdoers.

Filed Under: backdoors, dutch government, encryption, going dark, netherlands, privacy

Senator Richard Burr: Confused And Wrong On Encryption

from the this-is-ridiculous dept

Senator Richard Burr, head of the Senate Intelligence Committee and long time friend to the intelligence community, has now penned a ridiculous, misleading, fear-mongering opinion piece for the Wall Street Journal, entitled: Stopping Terrorists From "Going Dark." It's pretty much exactly what you'd expect if you've paid any attention to the ridiculous "going dark" debate in the US. But, let's dig in and show just how bad this one is:

While the terrorist attacks in Paris, San Bernardino, Calif., and Garland, Texas, have brought discussions about encryption to the front pages, criminals in the U.S. have been using this technology for years to cover their tracks. The time has come for Congress and technology companies to discuss how encryption—encoding messages to protect their content—is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.

Right, except so far officials haven't been able to show evidence of any of those cases actually using encryption. Similarly, law enforcement has failed to show that criminals using encryption have really been that much of a problem either. And that's because it's not a problem. Even in the (still mostly rare) cases where encryption is being used, criminals still reveal plenty of information that would allow law enforcement to track them down. It's called doing basic detective work.

Consumer information should be protected, and the development of stronger and more robust levels of encryption is necessary. Unfortunately, the protection that encryption provides law-abiding citizens is also available to criminals and terrorists. Today’s messaging systems are often designed so that companies’ own developers cannot gain access to encrypted content—and, alarmingly, not even when compelled by a court order. This allows criminals and terrorists, as the law enforcement community says, to “go dark” and plot with abandon.

Yes, criminals and terrorists can use encryption just like law-abiding citizens. But that's true of any technology. There's no way to build technology that "only the good people can use." Criminals use cars and computers and guns. And they eat food and drink too. Some of them talk to each other in person. Yet we don't freak out about any of that other stuff. And, again, it's simply incorrect to say they can "plot with abandon." They cannot. Even when using encryption, many people either mess it up or still leave other clues. Most encrypted communication still reveals metadata about who was contacted, for example.

Leaving aside the terrorism challenges, encryption is affecting the investigations of kidnapping, child pornography, gang activity and other crimes. Federal, state, local and tribal law-enforcement officers can obtain legal authority to conduct electronic communications surveillance on terrorists and criminals. But encrypted devices and applications sometimes block access to the data. This means that even when the government has shown probable cause under the Fourth Amendment, it cannot acquire the evidence it seeks.

Yes, yes, the FBI and folks like the Manhattan DA's office keep making this claim, but every time they're asked to provide actual evidence of investigations stymied because of encryption, they come up empty. Official stats on lawful interception orders show that encryption is almost never a problem. They just don't run into it.

Technology has outpaced the law. The core statute, the Communications Assistance for Law Enforcement Act, was enacted in 1994, more than a decade before the iPhone existed. The law requires telecommunications carriers—for instance, phone companies—to build into their equipment the capability for law enforcement to intercept communications in real time. The problem is that it doesn’t apply to other providers of electronic communications, including those supporting encrypted applications.

This is wrong. Technology has not outpaced the law -- quite the opposite. Thanks to technology, law enforcement has more access to more information about every person alive than ever before in history. Technology now allows police to know where basically everyone has been at any moment in the day, who they spoke with, who they called or who they contacted via email. The fact that one small bit of data might be encrypted is hardly the case that technology has somehow outpaced the law.

Separately, yes, it's true that CALEA (the wiretapping statute) requires that phone calls can be tapped, but that's entirely different than undermining encryption. In fact, as we noted last week law already makes clear that phone companies are not required to backdoor encryption.

Federal Bureau of Investigation Director James Comey has said that one of the two Garland, Texas, shooters who died carrying out an attack on a Muhammad art exhibit in May exchanged 109 messages with an operative overseas. “We have no idea what he said,” Mr. Comey told the Senate this month, “because those messages were encrypted.” He described this as a “big problem”—and I couldn’t agree more.

Yes, yes, this is the example it took Comey over a year to finally come up with, but again it's an incredibly weak one. Note: the encryption did not stop them from knowing who the shooter was communicating with, because the encryption does not impact the metadata. Yes, it may limit the ability to read the exact content of the messages, but the same would be true if they had just communicated via a phone call on an untapped line. Or if they had simply communicated with a simple code that those two knew and the FBI did not. This is really no different than any other criminal investigation situation, and it's not the encryption that's the problem.

Last month Manhattan District Attorney Cyrus R. Vance Jr. released an in-depth report specifically on “smartphone encryption and public safety.” Many cellphones, including those designed by Apple and Google, now encrypt by default all the data they store, which is accessible only with a passcode.

Yeah, and we talked about how ridiculously wrong that report was at the time. And, again, the default mobile encryption only applies to data stored on those phones, not metadata. Apple would still have the keys to most data backed up in the cloud. Same with information shared with others where encryption may not be used. The amount of data that is truly "unobtainable" is minimal -- which is why no one has any really good examples of it being a problem.

The challenges presented by encryption extend to financial transactions. In August Sen. Elizabeth Warren wrote letters to six federal agencies voicing concerns that banks were using Symphony, an encrypted messaging system that could prevent regulators from detecting illegal activities. The letter came shortly after New York’s top banking regulator, the New York State Department of Financial Services, raised the same concern with several major banks and Symphony’s developer.

In response, the banks agreed to store decryption keys with independent custodians, and Symphony agreed to retain electronic communications for seven years. All parties also agreed to a periodic review process to make sure that oversight keeps in sync with new technologies.

It would seem to me that daily financial flows shouldn’t command more attention than terrorist or criminal communications, yet here we are. Although the agreement described above may not be the solution for all encrypted communications, it does show that cooperative solutions are possible.

That is not an apples to apples comparison by any stretch of the imagination. The reason for the concern with the banks is that banks are a highly regulated industry in which they are legally required to keep records of certain communications. That's not true of the general public, and unless Senator Burr is looking to wipe out the 4th Amendment, he shouldn't even pretend these things have anything in common.

Second, what a cheap politician's trick to pull out the "daily financial flows shouldn’t command more attention than terrorist or criminal communications" line. This is blatant fear mongering, because the issue is not about terrorists or criminals, but you, me, and everyone reading this who has an expectation of privacy. The only way to break encryption for "terrorists and criminals" is to make everyone less safe by putting in dangerous backdoors.

And, every time we put backdoors into encryption we see how it's abused -- such as with the recent Juniper vulnerability.

Finally, the "cooperative solution" in the case of the financial industry is an entirely different animal as well. Again, that's a limited use case in a specific, highly regulated industry. To even suggest that because of that specific use case, there must be some sort of "cooperative solution" once again highlights a near total ignorance of how encryption works.

I and other lawmakers in Washington would like to work with America’s leading tech companies to solve this problem, but we fear they may balk. When Apple objected to a recent court order in a New York criminal case requiring it to unlock an iPhone running iOS 7—an operating system that Apple can unlock—the company refused, arguing: “This is a matter for Congress to decide.” On that point, Apple and I agree. It’s time to update the law.

You fear they may balk? You want to know why? Perhaps because your friends in the intelligence community spent the last fifteen years breaking into their systems at every opportunity, undermining the trust and security of all of their users. You think that might have something to do with it? Maybe?

Senator Burr is doing something incredibly dangerous here. He's misleading the American public in a totally ignorant way, that will put our security at risk. He is making the world a more dangerous place, on purpose, because of a misunderstanding of how technology works. He has no place regulating technology issues at all.

Filed Under: backdoors, congress, encryption, going dark, richard burr, senate intelligence committee

China Using US Encryption Fight To Defend Its New Encryption Backdoor Mandate

from the because,-of-course dept

It's not like this wasn't easy to predict (because we did exactly that), but as China is pushing forward with its new "anti-terrorism" law, it's using the US's fight over encryption as a reason for why the law shouldn't be a problem. Part of the law would require that companies backdoor any encryption for the Chinese government:

The initial draft, published by parliament late last year, requires companies to keep servers and user data within China, supply law enforcement authorities with communications records and censor terrorism-related Internet content.

China has said many Western governments, including the United States, have made similar requests for encryption keys, and Chinese companies operating in the United States had been subject to intense security checks.

Again, this is hardly surprising, but with all of these politicians demanding backdoors, or other surveillance techniques, have any of them stopped to consider the message being sent to other governments around the globe? Either way, the bill has now been approved by the Chinese Parliament. And, again, the Chinese government is pointing to other countries as to why it's no big deal:

Speaking after China's largely rubber-stamp parliament passed the law, Li Shouwei, deputy head of the parliament's criminal law division under the legislative affairs committee, said China was simply doing what other Western nations already do in asking technology firms to help fight terror.

"This rule accords with the actual work need of fighting terrorism and is basically the same as what other major countries in the world do," Li told reporters.

So, again, to all the politicians and lawmakers supporting backdooring encryption, what's your response when China uses it to say that's why they're doing it as well?

Filed Under: anti-terrorism, backdoors, china, encryption, going dark, privacy, surveillance, us

US Gov't Agencies Freak Out Over Juniper Backdoor; Perhaps They'll Now Realize Why Backdoors Are A Mistake

from the wishful-thinking dept

Last week, we wrote about how Juniper Networks had uncovered some unauthorized code in its firewall operating system, allowing knowledgeable attackers to get in and decrypt VPN traffic. While the leading suspect still remains the NSA, it's been interesting to watch various US government agencies totally freak out over their own networks now being exposed:

The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems "with the highest priority."

The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.

One U.S. official described it as akin to "stealing a master key to get into any government building."

And, yes, this equipment is used all throughout the US government:

Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that "US intelligence agencies require."

Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.

And, of course, US officials are insisting that it couldn't possibly be the NSA, but absolutely must be the Russians or the Chinese:

The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn't reached conclusions.

Yeah, sure. Anything's possible, but the NSA still has to be the leading suspect here, and the insistence that it's the Chinese or the Russians without more proof seems like a pretty clear attempt at keeping attention off the NSA.

And, of course, all of this is happening at the very same time that the very same US government that is now freaking out about this is trying to force every tech company to install just this kind of backdoor. Because, as always, these technically illiterate bureaucrats still seem to think that you can create backdoors that only "good" people can use.

But that's not how technology works.

Indeed, now that it's been revealed that there was a backdoor in this Juniper equipment, it took one security firm all of six hours to figure out the details:

Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. By reverse-engineering the firmware on a Juniper firewall, analysts at his company found the password in just six hours.

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”

Putting backdoors into technology is a bad idea. Security experts and technologists keep saying this over and over and over and over again -- and politicians and law enforcement still don't seem to get it. And, you can pretty much bet that even though they now have a very real world example of it -- in a way that's impacting their own computer systems -- they'll continue to ignore it. Instead, watch as they blame the Chinese and the Russians and still pretend that somehow, when they mandate backdoors, those backdoors won't get exploited by those very same Chinese and Russian hackers they're now claiming were crafty enough to slip code directly into Juniper's source code without anyone noticing.

Filed Under: backdoors, china, cybersecurity, privacy, russia, security
Companies: juniper networks

WaPo's Excellent Explainer On Encryption Debunks WaPo's Stupid Editorial In Favor Of Encryption Backdoors

from the hey,-you-guys-should-talk! dept

Washington Post reporter Andrea Peterson has put together a really excellent explainer piece on what you should know about encryption. Considering the source, it's a good "general knowledge" explainer piece for people who really aren't that aware of encryption or technically savvy. That's important and useful, given how important this debate is and how many participants in it don't seem to understand the first thing about encryption. But what struck me is this little tidbit:

Can the government stop terrorists from using encryption?

Well, no. The most the government can probably do is bar companies from offering the most secure forms of encryption to their users. But encryption isn't just one product. Just like the math it's based on, it's really more of a concept or an idea rather than a specific technical tool.

And it's pretty impossible to outlaw ideas.

It goes on, in some depth, to explain just what a stupid idea it would be to outlaw end-to-end encryption, noting that there are lots of non-US companies and plenty of open source offerings for encryption that would still be widely available and used.

Now, compare that to the ridiculous editorial that the Washington Post put out a year ago, advocating for just such a solution:

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

Hey, Washington Post editorial board, I hope you read your own newspaper.

Filed Under: andrea peterson, backdoors, encryption, going dark, golden key
Companies: washington post

James Comey, Dianne Feinstein Team Up To Mislead About Encryption; Promise Legislation To Undermine National Security

from the ugh dept

This is hardly a surprise, but after Congress had more or less realized that passing a law to undermine encryption wasn't a good idea, the clueless surveillance state hawks have used the Paris and San Bernardino attacks as a chance to go for it again. In a hearing this morning, FBI Director James Comey -- who has long been leading the charge -- explained that he thought tech companies ought to change their business model to drop end-to-end encryption. Ridiculously, he argued that there's no "technical issue" in undermining encryption, just a business decision:

Now, Comey said at a Senate Judiciary Committee hearing Wednesday morning, extensive conversations with tech companies have persuaded him that “it’s not a technical issue.”

“It is a business model question,” he said. “The question we have to ask is: Should they change their business model?”

Comey is being misleading to disingenuous here. Yes, anyone can undermine encryption. And, yes, I guess you could argue that undermining encryption and weakening security for all your users is a "business model" issue in that they won't trust you any more and might look for alternative providers. But that's not the real issue. Comey's trying to shift the debate, because he knows that what he's really asked for is impossible. He's asked for backdoors that only law enforcement can use. And basically every computer security expert has explained that the only way to do that would be to expose everyone to more threats. And Comey seems to think that's okay.

Let me repeat that. The head of the FBI, who is supposed to be protecting American citizens, thinks it's okay to make everyone less safe, based on the unproven theory that it'll make his own job a little easier.

And, not surprisingly, Senator Dianne Feinstein, was right there ready to assist. She cited the Paris attacks as evidence for why "the world is really changing"

“I suspect what happened was in the aftermath of Snowden, particularly Europe got very conservative with respect to encryption. The companies back away. Now, that’s changing with Paris and God forbid what might happen in the future. So what I’m trying to say is, I think this world is really changing in terms of people wanting the protection and wanting law enforcement, if there is conspiracy going on over the Internet, that that encryption ought to be able to be pierced.”

Again, this is the same Senator who just a month ago was practically screaming about how important cybersecurity is, and now she says that the single biggest factor in protecting information online -- encryption -- should be done away with.

And, indeed, while others have held back, Feinstein has said she's working with Senator Burr on legislation to effectively break encryption:

Sen. Dianne Feinstein (D-Calif.) told the Senate Judiciary Committee on Wednesday that she would seek a bill that would give police armed with a warrant based on probable cause the ability “to look into an encrypted Web."

"I have concern about a PlayStation that my grandchildren might use," she said, "and a predator getting on the other end, and talking to them, and it's all encrypted. I think there really is reason to have the ability, with a court order, to be able to get into that."

A spokesman for Feinstein's office told the Daily Dot in an email that the senator has been working with Judiciary Committee Chairman Richard Burr (R-N.C.) the issue of encryption and that Burr's office is taking the lead on potential legislation.

None of that makes any sense. First of all, the Playstation is not encrypted end-to-end, and if she's concerned about who her grandchildren are talking to on the Playstation maybe she should look into that, rather than having the government undermine the very foundations of basic computer security on the internet?

Hopefully cooler heads prevail in Congress, but we've seen Feinstein and Burr team up to do tremendous damage through fearmongering before, and apparently it's not going to stop any time soon.

Filed Under: backdoors, business mod, congress, dianne feinstein, encryption, going dark, james comey, legislation, richard burr

Manhattan DA's Office Serves Up Craptastic White Paper Asking For A Ban On Encryption

from the and-just-a-couple-of-backdoors,-maybe-FOR-SAFETY! dept

Manhattan DA Cyrus Vance may not know what the fuck he's talking about when he discusses encryption, the internet and other tech-related issues. But that's certainly not going to keep him from talking about them.

A just-published "white paper" from the Manhattan DA's office (h/t Matthew Green) offers up all sorts of stupidity in its attempt to justify anti-encryption legislation.

It starts with lofty ideals…

This Report is intended to:

1) Summarize the smartphone encryption debate for those unfamiliar with the issue;
2) Explain the importance of evidence stored on smartphones to public safety;
3) Dispel certain misconceptions that many privacy advocates hold about law enforcement’s position related to encryption, including the myth that we support a “backdoor” or government-held “key;”
4) Encourage an open discussion with technology companies, privacy advocates, and lawmakers; and
5) Propose a solution that protects privacy and safety.

… before throwing most of these out completely, starting with the "open discussion" with the affected stakeholders.

Vance's office doesn't want to burden the nation's tech companies with "golden keys" or "good guy-only" backdoors. The paper admits such a "solution" would be complicated and expensive. (But not impossible, notably.)

His solution? Something that doesn't burden tech companies, but simply leaves their customers unprotected. No backdoors will be needed because there will be nowhere to install one.

The federal legislation would provide in substance that any smartphone manufactured, leased, or sold in the U.S. must be able to be unlocked, or its data accessed, by the operating system designer. Compliance with such a statute would not require new technology or costly adjustments. It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.

That's the big idea: a ban on encryption, presented disingenously as "Not A Ban." For all the paper's supposed "discussion" of the issues and contemplation of concerns expressed by companies and their customers, this is the DA's office's brilliant cure-all: federal legislation that would prevent companies from deploying encryption -- at least not without holding onto a set of keys for government use.

Offered in support of these arguments are the horrendous laws being contemplated/passed in other countries like the UK and France. If they can do it, we can do it! Vance's office argues any resulting harm to human rights civil liberties will be minimal. Undiscussed is the resulting harm to innocent users whose phones' contents are no longer encrypted.

The paper also discusses various workarounds that have been suggested, like accessing the unencrypted contents of cloud storage services connected to users' phones. The DA's office says that just isn't good enough. For one thing, not every user utilizes the cloud services offered by Google and Apple. The office's argument against seeking other routes to communications and data is astoundingly terrible.

[S]martphone users are not required to set up a cloud account or back up to the cloud, and therefore, many device users will not have data stored in the cloud. Even minimally sophisticated wrongdoers who use their devices to perpetrate crimes and who have cloud accounts will likely take the relatively simple steps necessary to avoid backing up those devices, or data of interest, to the cloud. In most instances, only one or two selections must be made in the device’s settings to turn off the back-up function or to remove certain types of content from the back up.

There's a huge problem with this paragraph. It makes the assertion that criminals are more likely to avoid utilizing cloud backup services while simultaneously noting that this process is entirely optional and will not be used by most people. Using this logic, an average user may also be a "minimally sophisticated wrongdoer," at least as far as law enforcement can tell from what it finds stored in the cloud.

The underlying point is that lots of data and communications still reside within the phone itself and law enforcement will not be able to access this without Apple or Google leaving a door open for it.

The office does further damage to its own arguments for banning encryption by highlighting a string of successful prosecutions utilizing evidence recovered from cell phones. It uses this list to highlight the amount of "probative evidence" obtained from cell phones while simultaneously (and inadvertently) pointing out that law enforcement really hasn't been stymied by encryption, despite Vance's FUD-filled imaginations to the contrary.

And, finally, let's take a look at one more bogus analogy made by Vance's office, in which he tries to equate phones with houses.

The Fourth Amendment dictates that search warrants may be issued only when a judge finds probable cause to believe that a crime has been committed and that evidence or proceeds of the crime might be found on the device to be searched. The warrant requirement has been described by the Supreme Court as “[t]he bulwark of Fourth Amendment protection,” and there is no reason to believe that it cannot continue to serve in that role, whether the object that is to be searched is an iPhone or a home.

In fact, what makes full-disk encryption schemes remarkable is that they provide greater protection to one’s phone than one has in one’s home, which, of course, has always been afforded the highest level of privacy protection by courts. Apple and Google should not be able to alter this constitutional balance unilaterally. Every home can be entered with a search warrant. The same should be true of devices.

A more honest analogy would compare phones to computers, which is basically what they are. While a warrant may give cops access to someone's computer -- allowing them to seize it -- it does not guarantee they'll be able to access its contents. Vance wants to compare opening a phone to opening a door, but it's not a true comparison. If people could make their houses as impregnable as their phones and computers, some very likely would -- and not just the theoretical "minimally sophisticated criminals." A house that cops can't get into is a house criminals can't get into. But there's no way to encrypt a door or window.

The paper tries to portray this as somehow making phones more private than houses in terms of the Fourth Amendment. But encrypted phones have nothing to do with a heightened expectation of privacy. Encryption makes phones more secure than houses, not more private than houses. The Fourth Amendment considerations aren't being shifted. It's only the level of instant access that's being changed. Vance's office -- being part of the law enforcement community -- should welcome efforts that make citizens more secure. Instead, all it's doing is bitching loudly and disingenously about all the power it imagines encryption will strip away from it.

Filed Under: backdoors, cyrus vance, encryption, encryption backdoors, going dark, ny