Senators Launch Full On Nuclear War Against Encryption: Bill Will Require Broken Encryption, Putting Everyone At Risk

from the stop-pushing-this-bullshit dept

Another day, another bad bill. Just as we're coming to terms with the EARN IT Act moving forward in Congress, three Senators -- Lindsey Graham, Tom Cotton, and Marsha Blackburn -- have announced a direct attack on encryption. The full bill is here. It's 51 pages of insanity that would effectively destroy privacy and security on the internet. This is five-alarm fire bad.

For what it's worth, Graham is also a co-sponsor of the EARN IT Act, which makes me wonder if he's going to agree to an amendment of EARN IT that keeps encryption out of it while pushing this bill instead. That's now the rumor making the rounds, and I even received a press release from an anti-porn activist group supporting this bill because they think it will help clarify that EARN IT won't end encryption (none of that makes sense to me either, but...)

The announcement of the bill includes all the usual "think of the children" nonsense, claiming that we can't have encryption because some bad people might use it for bad stuff. The press release summarizes what they claim the bill will do:

Highlights of the Lawful Access to Encrypted Data Act:

• Enables law enforcement to obtain lawful access to encrypted data.

• Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
• In addition, it allows the Attorney General to issue directives to service providers and device manufacturers to report on their ability to comply with court orders, including timelines for implementation.

• The Attorney General is prohibited from issuing a directive with specific technical steps for implementing the required capabilities.
• Anyone issued a directive may appeal in federal court to change or set aside the directive.
• The Government would be responsible for compensating the recipient of a directive for reasonable costs incurred in complying with the directive.

Incentivizes technical innovation.

• Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.

Promotes technical and lawful access training and provides real-time assistance.

• Funds a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.

In short, this basically says "break encryption, but we won't tell you how." We're right back to "nerd harder" except that this time it's "nerd harder, or you're breaking the law."

The problems with this should be evident from all the times we've discussed this before, so I'm really not interested in going over it all again. But the quick summary: installing a "backdoor" or "lawful access" to encrypted communications is not a simple technical problem. As cryptography expert Matt Blaze once said, it's like saying "well, if you can land a man on the moon, why can't you land a man on the sun." A backdoor to encryption literally breaks the encryption and opens up a huge host of other problems, none of which are readily solvable. Instead, you just find more and more problems, each of which makes everyone less secure.

The actual text of the bill is even worse than the summary. It's crazy long so I won't do a full breakdown here, but will call out a few scary, scary bits. The key part is that this basically requires the end of encryption. While there is some language early on about it not applying if "technically impossible," there is other language that more or less cancels that out. Specifically, it requires Apple and other large device sellers to backdoor encryption. It is not an option, but a requirement:

DEVICE MANUFACTURERS.—A device manufacturer that sold more than 1,000,000 consumer electronic devices in the United States in 2016 or any calendar year thereafter, or that has received an assistance capability directive under section 3513, shall ensure that the manufacturer has the ability to provide the assistance described in subsection (b)(2) for any consumer electronic device that the manufacturer—

‘‘(A) designs, manufactures, fabricates, or assembles; and ‘‘(B) intends for sale or distribution in the United States.

So, if you sell more than a million consumer electronic devices in the US, you are required to make sure they have backdoors. That's... going to be a LOT of backdoors. Every Alexa device. Every smart TV. And, of course, every phone. That's devices. How about apps and services? More of the same:

PROVIDERS OF REMOTE COMPUTING SERVICE; OPERATING SYSTEM PROVIDERS.—A provider of remote computing service or operating system provider that provided service to more than 1,000,000 subscribers or users in the United States in 2016 or any calendar year thereafter, or that has received an assistance capability directive under section 3513, shall ensure that the provider has the ability to provide the assistance described in subparagraphs (A) and (B) of subsection (b)(2) for any remotely stored data that the provider processes or stores.

That's... a lot of websites that will be barred from using real end-to-end encryption. The "shall ensure" part is what should scare everyone.

That's still talking about data stored on those servers though. As for "data in motion" again, services will have to provide backdoors under this bill. The reference to "technically impossible" only seems to apply to "independent actions of an unaffiliated entity that make it technically impossible to do". So, the only way to avoid having to break encryption on your own services is to... outsource it to an unaffiliated entity who can make it impossible for you to break the encryption?

As for messaging services: again, the bill "shall ensure" assistance:

A provider of wire or electronic communication service that had more than 1,000,000 monthly active users in the United States in January 2016 or any month thereafter, or has received an assistance capability directive under section 3513, shall ensure that the provider has the ability to provide the information, facilities, and technical assistance described in section 2518(4).

And it gets worse. The bill allows the Attorney General to order someone to break encryption:

If a person fails to comply with a directive issued under subsection (b), the Attorney General may file a petition for an order to compel the person to comply with the directive in the United States District Court for the District of Columbia, which shall have jurisdiction to review the petition.

There's also a giant "NERD HARDER" section, which explains Bill Barr's comments above. Basically it creates a contest, run by the Attorney General, to create a type of backdoored encryption where the Attorney General and his hand-picked judges will determine which technology wins. And by "wins" I mean loses, because that technology will be broken in no time at all, putting everyone at risk.

This whole thing is so incredibly dangerous, and it's not even clear that encryption is a real problem for law enforcement. The basic cost-benefit analysis here is that this law would put everyone, and all our communications, at risk of attack, for a possible benefit in a tiny number of cases, where there remains no evidence that a backdoor would have helped stop any crime. I can't see how the tradeoff is worth it, and any elected official pushing this nonsense should be asked to explain how they weigh these costs and benefits. And if they answer like Bill Barr by saying "smart techies can figure it out" they should have their views discounted for being idiots.

Meanwhile, the press release leads off with quotes from the three sponsors, all of which are head-bangingly wrong, but designed to do the usual tugging at the emotional strings rather than any actual recognition of what they're pushing here:

“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous terrorism cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks,” said Graham.

There remains little evidence that terrorists have been able to communicate without law enforcement being able to access the info. Remember, the FBI flat out lied about how many devices it had in its possession that it couldn't get into, and has since refused to give an updated number (despite multiple requests). At the same time, every time the FBI does come out and point to a situation where it can't get into a phone, a few months later, they seem to admit that, well, actually, there was a technology that let them get in.

On top of that, we've discussed how law enforcement and the FBI have access to so much other information thanks to social media, and various open source intelligence tools, that the idea that they need to attack encryption is just ridiculous.

And that leaves out something else too: if we put backdoors into encryption, guess what will become a huge target for "terrorists and criminals"? That's right: all of our communications.

“Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity. Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton.

This is just a joke. The internet is not "lawless" and there's no indication of increased criminal activity, nor any evidence that law enforcement cannot solve crimes because of encryption or the internet. This bill won't ensure anything other than opening up a new avenue for terrorists and criminals to terrorize.

“User privacy and public safety can and should work in tandem. What we have learned is that in the absence of a lawful warrant application process, terrorists, drug traffickers and child predators will exploit encrypted communications to run their operations,” said Blackburn.

Yes, user privacy and public safety do work in tandem. But you know would would ruin that? Breaking encryption and throwing both of those things into the gutter.

This bill should be trashed and these three Senators (and the Attorney General) deserve mockery for a technically ignorant, totally clueless and dangerous bill that would harm Americans and destroy both privacy and security, because some law enforcement agencies are too lazy to do their jobs. Frankly, the intelligence community should come out screaming about this bill as well, as they know full well how much more dangerous this will make their own work. This is a ridiculous attack on the internet.

Filed Under: backdoors, doj, earn it, encryption, fbi, going dark, laed, lindsey graham, marsha blackburn, tom cotton, william barr

Hell Hath No Fury Like A Federal Law Enforcement Agency That Keeps Finding Some Way To Break Into IPhones

from the flow-my-angry-tears dept

Nothing has made the FBI more irritated than its ability to break into phones it swears (often in court!) it cannot possibly get into without the device maker's assistance. The agency doesn't want third-party vendors to offer solutions and it doesn't seem to want its own technical staff to find ways to get stuff from encrypted devices. It wants the government to tell companies like Apple to do what they're told. It will accept any solution that involves a mandate, whether it's from a federal court or our nation's legislators. It will accept nothing else.

The FBI and DOJ's foul mood over its phone-cracking success and its courtroom failures came to a head recently. A joint press conference announcing not-so-breaking news about the contents of the Pensacola air base shooter's phones contained a whole lot of off-target griping about a company whose only crime was selling consumer products. Here's Rianna Pfefferkorn for TechCruch:

You’d think the FBI’s success at a tricky task (remember, one of the phones had been shot) would be good news for the Bureau. Yet an unmistakable note of bitterness tinged the laudatory remarks at the press conference for the technicians who made it happen. Despite the Bureau’s impressive achievement, and despite the gobs of data Apple had provided, Barr and Wray devoted much of their remarks to maligning Apple, with Wray going so far as to say the government “received effectively no help” from the company.

If the FBI's ultimate aim was to bury the lede -- that it could either break encryption or exfiltrate contents without cracking devices -- it succeeded. Everyone talked about Apple and how its unhelpfulness led to this petulant press conference where it was stated clearly and repeatedly that Apple was harming the nation's security by... um... temporarily delaying the discovery of evidence linking the shooter to the terrorist group that had already claimed responsibility for the attack months ago.

As Pfefferkorn points out, Bill Barr and Chris Wray's roughly concurrent tantrums allowed them to avoid discussing something that should have been much bigger news.

By reviving the old blame-Apple routine, the two officials managed to evade a number of questions that their press conference left unanswered. What exactly are the FBI’s capabilities when it comes to accessing locked, encrypted smartphones? Wray claimed the technique developed by FBI technicians is “of pretty limited application” beyond the Pensacola iPhones. How limited? What other phone-cracking techniques does the FBI have, and which handset models and which mobile OS versions do those techniques reliably work on? In what kinds of cases, for what kinds of crimes, are these tools being used?

After all of this, we don't know what the FBI is capable of and how often these previously unmentioned techniques are used to bypass or break device encryption. With the only suspect dead, it's obvious FBI agents didn't beat the passcode out of him. But that's all we really know.

The FBI can break into iPhones. But it won't celebrate that victory because -- without a federal government derived mandate -- it doesn't feel like a victory. This "sick of winning" attitude dates back to the FBI's efforts in the San Bernardino shooting where agency officials were upset a third party solved their access problem before they could talk a court into precedent compelling assistance from cell phone manufacturers.

By portraying this victory as a loss to a tech company, the FBI can avoid talking about its tools and techniques. It can bypass its oversight by glossing over this breakthrough as a very limited success that won't scale and possibly cannot be used against any other phones. It can also keep its secrets from our nation's courts, ensuring defendants are left in the dark about the true origin of evidence being used against them.

And that's if we're thinking positively. Here's where we're at if we bring to bear all the distrust and cynicism the government (at all levels) has earned:

The worst-case scenario would be that, between in-house and third-party tools, pretty much any law enforcement agency can now reliably crack into everybody’s phones, and yet nevertheless this turns out to be the year they finally get their legislative victory over encryption anyway. I can’t wait to see what else 2020 has in store.

USA! USA! USA!

We, the people, are going to get what's coming to us, even if we haven't earned it or asked for it. Encryption is public enemy number one, right behind device manufacturers and developers of encrypted communication services. If the first enemy is killed dead, the rest will be manageable. And the general public will be forced into sacrificing their personal security for jingoism-spouting opportunists who will never see the United States as safe enough to entrust citizens with their own decisions about the level of protection they want for their communications and data.

Filed Under: backdoors, doj, encryption, fbi, phone cracking
Companies: apple

After FBI Successfully Breaks Into IPhones, Bill Barr Says It's Time For Legislated Encryption Backdoors

from the drawing-exactly-the-wrong-conclusions-from-the-evidence-at-hand dept

FBI Director Chris Wray's potshots at Apple during the joint press conference about the Pensacola Air Base shooting weren't the only ones delivered by a federal employee. Famous anti-encryptionist/current DOJ boss Bill Barr made even more pointed comments during his remarks, mostly glossing over the FBI's brilliant discovery that the shooter was linked to al Qaeda -- something al Qaeda had claimed shortly after the shooting took place.

The DOJ never got the court battle it wanted. Its second attempt to talk a court into compelled decryption never gained momentum and FBI techs were eventually able to do the thing the DOJ couldn't make Apple do: access the phones' contents. Barr's comments had very little to do with the supposed matter at hand: the investigation of a shooting on a US military base. Instead, Barr gave perfunctory thanks to the hardworking men and women of the FBI before moving on to declaring Apple an enemy of the people, if not an actual enemy of the state.

Here's the first smear, which insinuates device encryption is a criminal co-conspirator.

Within one day of the shootings, the FBI sought and obtained court orders, supported by probable cause, authorizing the FBI to search the contents of both phones as part of its investigation. The problem was that the phones were locked and the FBI did not have the passwords, so they needed help to get in. We asked Apple for assistance and so did the President. Unfortunately, Apple would not help us unlock the phones. Apple had deliberately designed them so that only the user — in this case, the terrorist — could gain access to their contents.

Yes, this is a deliberate design decision by Apple. It secures all users' phones, not just users who engage in criminal acts. Barr wants insecure devices for everyone because it would make things easier for law enforcement. That it would make things easier for other criminals (phone thieves, stalkers, malicious hackers, etc.) never seems to cross his mind. Or if it does, he figures it's a sacrifice he's willing to force Americans to make.

That's not hyperbole. Later in Barr's remarks, he claims it's not even up to the public to vote with their phone-buying dollars on the subject of device encryption and the problems it poses for law enforcement. And despite this comment, Barr doesn't want it left up to citizens to vote with their actual votes.

Striking this balance should not be left to corporate boardrooms. It is a decision to be made by the American people through their representatives.

That sounds almost democratic. If you choose to stop reading here, it almost appears Barr will accept the will of the people even if they would prefer device security over encryption backdoors. But Barr doesn't stop there. He expands on this thought, dismissing the American people's momentary involvement in this issue.

The developments in this case demonstrate the need for a legislative solution. The truth is that we needed luck, in addition to ingenuity, to get into the phones this time. There is no guarantee that we will be successful again or that a delay of four months (or longer) will not have significant consequences for the safety of Americans. In addition, the costs in time and money of devising alternative methods of accessing encrypted information can be enormous. This is not a scalable solution.

There it is: a call for mandated encryption backdoors. If Apple and other device makers aren't willing to bend to Barr's will, perhaps the legislative branch can put its collective boot on tech companies' necks.

Barr's anti-encryption pitches are still as dishonest as ever. When not portraying encryption as almost solely beneficial to criminals, Barr deliberately misconstrues what's at stake. There's a reason he keeps discussing this in terms of privacy when it's actually about security. Privacy has wiggle room. Security doesn't. Encryption is secure. Backdoored encryption isn't. It's that simple. Barr's term-swap deceives listeners, many of whom are lawmakers.

Apple’s desire to provide privacy for its customers is understandable, but not at all costs. Under our nation’s long-established constitutional principles, where a court authorizes a search for evidence of a crime, an individual’s privacy interests must yield to the broader needs of public safety.  

It's not a privacy issue when the government demands all backdoors in the nation remain unlocked just in case law enforcement needs to enter them. It's a security issue. That's pretty much what Barr wants, using houses as an analogy for devices capable of holding far more sensitive info and data than any home possibly could. Barr wants encryption that can be bypassed at will. That's not a privacy issue. It's about securing devices users rely on to handle almost everything in their daily lives. Security helps protect their privacy, but the important thing here is the security -- not the government's lawful invasions of privacy when warrants are served.

If the FBI can break into a device without Apple's assistance -- as it has in at least two high-profile cases -- it can do it again. Weakening encryption shouldn't even be a discussion topic at this point. For all the talk about the problems encryption poses to securing the nation, arguing that a nation filled with insecure devices would be more secure than what we have now is ridiculous.

Filed Under: backdoors, bill barr, doj, encryption, fbi, iphones
Companies: apple

Filings In Facebook's Lawsuit Against NSO Show FBI Director Chris Wray Was For Encryption Before He Was Against It

from the just-a-little-awkward dept

I have opined that FBI Director Chris Wray needs to shut the fuck up about encryption. Wray has presented a completely skewed perspective on the issue, following in the footsteps of Jim Comey. Wray claims encryption is leading to a criminal apocalypse, even as crime rates remain at historic lows. He also claims encryption is making it impossible to follow through with investigations, but has presented no evidence to back this claim.

The best argument the FBI could present was its always-growing number of encrypted devices in its possession. In the space of a couple of years, the number jumped from less than 900 to nearly 8,000. This seemed to indicate encryption was a growing problem, but when the FBI tried to verify this number for Congress, it found out it had overstated the amount of locked devices in its possession. In reality, the number of locked devices is likely less than 2,000 -- hardly the apocalypse of impregnability Wray and Comey continuously presented. This was discovered in May 2018. The FBI has yet to hand over an accurate count of these devices.

Now, there's this bit of news, which surfaced during Facebook's lawsuit against malware developer, NSO Group. Chris Wray was for encryption before he was against encryption. Documents filed by Facebook detail Wray's defense of WhatsApp and its encryption in an earlier legal battle while Wray was working for the King & Spalding law firm. [paywall-free link here]

In the earlier case, which has never been made public, Mr. Wray, then a partner at King & Spalding, was hired to “analyze and protect” WhatsApp’s software from a Justice Department effort to weaken its encryption in order to conduct wiretap of a WhatsApp user’s data.

The arguments made by Mr. Wray’s firm in favor of WhatsApp’s encryption may undercut his recent calls to push tech firms — including his previous client WhatsApp — to roll back encryption, a move many security experts have likened to a government “backdoor.”

Facebook wants King & Spalding booted from the case, citing its previous involvement in defending WhatsApp against actions brought against it by the DOJ. Facebook raises a good point: someone with intimate knowledge of WhatsApp's inner workings shouldn't be allowed to use this inside information to defend itself against this lawsuit.

Facebook's redacted motion [PDF] names Chris Wray as one of the litigators with inside information, gleaned during a still-sealed legal proceeding that appears to have dealt with the DOJ seeking a court's permission to break (or block) WhatsApp's encryption to deploy wiretaps.

At the time, WhatsApp was in the process of implementing end-to-end encryption of communications sent on its platform.

[...]

WhatsApp was jointly represented by King & Spalding and ZwillGen PLLC. Specifically, Christopher Wray, Catherine O'Neil, Nick Oldham, and Paul Mezzina of King & Spalding…

Another filing [PDF] -- a letter sent from Facebook's legal reps to NSO Group after it became apparent it was seeking to retain King & Spalding -- names Chris Wray as well.

The man who declared Facebook's move to encrypt Messenger communications as a gift to the world's criminals once defended WhatsApp's encryption against the DOJ's attempt to have it broken or blocked. This apparently occurred around the same time the DOJ was trying to get Apple to break the encryption protecting the San Bernardino shooter's iPhone.

The New York Times learned of the 2015 matter through confidential sources. At the time, the Justice Department was also engaged in a court battle with Apple, pushing the company to unlock an iPhone belonging to one of the gunmen in a shooting in San Bernardino, Calif. The government ultimately dropped its case after security researchers helped them bypass Apple’s security.

The FBI sees no problem with Wray's shifting allegiance to encryption. Its statement to the New York Times says the agency supports Wray, no matter how inconsistent his stance. Apparently, it's fine that he's willing to change his views to match his employer's.

"Like all other lawyers, his duty of loyalty was to his client, and he did not put his personal views ahead of his clients’ interests or allow them to affect the legal work he did for clients. Today, as director of the FBI, his duty is to act in the best interests of the American people.”

If that's his new duty, he's falling short. He's acting in the best interest of the FBI and federal prosecutors -- the same FBI that also used to recommend people secure their devices with encryption. Strong encryption is in the best interests of the American people. Wray isn't serving the nation with nearly as much fervor as he apparently defended encryption back when he was getting paid to defend it. WhatsApp's encryption remains unbroken, despite the DOJ's efforts. If he didn't feel it was worth defending then, he probably shouldn't have defended it. This change of heart doesn't necessarily make him a hypocrite but it is just one more reason he needs to shut the fuck up about the subject.

Filed Under: backdoors, chris wray, encryption, fbi
Companies: facebook, nso, whatsapp

Michael Hayden Ran The NSA And CIA: Now Warns That Encryption Backdoors Will Harm American Security & Tech Leadership

from the good-for-him dept

There are very few things in life that former NSA and CIA director Michael Hayden and I agree on. For years, he was a leading government champion for trashing the 4th Amendment and conducting widespread surveillance on Americans. He supported the CIA's torture program and (ridiculously) complained that having the US government publicly reckon with that torture program would help terrorists.

But, there is one thing that he and I agree on: putting backdoors into encryption is a horrible, dreadful, terrible idea. He surprised many people by first saying this five years ago, and he's repeated it a bunch since then -- including in a recent Bloomberg piece, entitled: Encryption Backdoors Won't Stop Crime But Will Hurt U.S. Tech. In it, he makes two great points. First, backdooring encryption will make Americans much less safe:

We must also consider how foreign governments could master and exploit built-in encryption vulnerabilities. What would Chinese, Russian and Saudi authorities do with the encrypted-data access that U.S. authorities would compel technology companies to create? How might this affect activists and journalists in those countries? Would U.S. technology companies suffer the fate of some of their Australian counterparts, which saw foreign customers abandon them after Australia passed its own encryption-busting law?

Separately, he points out that backdooring encryption won't even help law enforcement do what it thinks it wants to do with backdoors:

Proposals that law-enforcement agencies be given backdoor access to encrypted data are unlikely to achieve their goals, because even if Congress compels tech firms to comply, it will have no impact on encryption technologies offered by foreign companies or the open-source community. Users will simply migrate to privacy offerings from providers who are not following U.S. mandates.

Indeed, this is the pattern we have seen in Hong Kong over the last six months, where pro-democracy protesters have moved from domestic services to encrypted messaging platforms such as Telegram and Bridgefy, beyond the reach of Chinese authorities. Unless Washington is willing to embrace authoritarian tactics, it is difficult to see how extraordinary-access policies will prevent motivated criminals (and security-minded citizens) from simply adopting uncompromised services from abroad.

None of this is new, but it's at least good to see the former head of various intelligence agencies highlighting these points. At this point, we've seen intelligence agencies highlight the value of encryption, Homeland Security highlight the importance of encryption, the Defense Department highlight the importance of encryption. The only ones still pushing for breaking encryption are a few law enforcement groups and their fans in Congress.

Filed Under: backdoors, encryption, michael hayden

Defense Department To Congress: 'No, Wait, Encryption Is Actually Good; Don't Break It'

from the seems-important dept

As Senate Judiciary Committee Chair Lindsey Graham has continued his latest quest to undermine encryption with a hearing whose sole purpose seemed to be to misleadingly argue that encryption represents a "risk to public safety." The Defense Department has weighed in to say that's ridiculous. As you may recall, the DOJ and the FBI have been working overtime to demonize encryption and pretend -- against nearly all evidence -- that widespread, strong encryption somehow undermines its ability to stop criminals.

However, it appears that other parts of the government are a bit more up to date on these things. Representative Ro Khanna has forwarded a letter to Senator Graham that he received earlier this year from the Defense Department's CIO Dana Deasy, explaining just how important encryption actually is. The letter highlights how DoD employees rely on the kind of strong encryption found on mobile devices and in VPN services to protect the data of their employees, both at rest (on the devices) and in transit (across the network).

All DoD issued unclassified mobile devices are required to be password protected using strong passwords. The Department also requires that data-in-transit, on DoD issued mobile devices, be encrypted (e.g. VPN) to protect DoD information and resources. The importance of strong encryption and VPNs for our mobile workforce is imperative. Last October, the Department outlined its layered cybersecurity approachto protect DoD information and resources, including service men and women, when using mobile communications capabilities.

[....]

As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.

So, there you have it. The Defense Department believes that strong, unbroken encryption is critical to national security, as opposed to the DOJ which appears to think (incorrectly) that it undermines national security. At the very least, this should mean that politicians should stop uncritically claiming that encryption is some sort of "debate" between privacy and national security. It is not. Encryption protects both of those things. Breaking encryption harms both privacy and national security... in the hopes that it might make law enforcement's job marginally easier.

Filed Under: backdoors, dana deasy, defense department, dod, encryption, lindsey graham, ro khanna

FBI's Top Lawyer From The Apple Encryption Fight Says Law Enforcement Needs To Suck It Up And Embrace Encryption

from the didn't-see-that-coming dept

Jim Baker was the FBI's General Counsel during its well-publicized attempt to use the San Bernardino shootings from 2016 as a wedge to force Apple to build a backdoor into its data encryption scheme. As we noted at the time, this seemed like a very clear, somewhat cynical attempt to use a high profile attack as an excuse to force Apple's hand in building back doors. When that battle happened, then FBI director Jim Comey took to the pages of Lawfare to insist that there were good reasons for the FBI to fight with Apple in court to force it to create a backdoor.

Now, Baker has taken to the pages of Lawfare as well to... apparently point out that he and the FBI were totally wrong about all of that and that his former colleagues at the FBI and DOJ need to get it over it and embrace encryption. It's quite a piece.

In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.

Baker defends his own work on the San Bernardino case, but is now recognizing how dangerous backdoors can be and how important encryption is. He takes current Attorney General William Barr to task for his new anti-encryption propaganda campaign:

The attorney general’s perspective on encryption is far from universal. A range of individuals and groups—including some tech companies, computer scientists, engineers, cybersecurity experts, and privacy and human rights organizations—think that encryption protects both our security and our privacy. See here and here for examples. Well-designed and well-implemented encryption makes it harder for malicious cyber actors to unlawfully hack and steal our communications, personal data and intellectual property. In their view, weakening encryption through the installation of “back doors” on smartphones or in communications systems, or providing law enforcement with “golden keys” to allow them access to encrypted data, jeopardizes all of us. Many would disagree strongly with the attorney general’s assessment that an acceptable technical solution to law enforcement’s problem—one that appropriately balances

all of the equities at issue—actually exists.

Baker even highlights a key point many of us have pointed out in the past. For all the talk of "going dark," law enforcement has more access to information than ever before in history:

Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data—especially metadata—than ever before is available for collection and analysis by law enforcement. Finally, critics charge that law enforcement agencies have not provided the public with comprehensive and reliable data to explain exactly how many encrypted devices or communications those agencies encounter as well as the number and type of investigations that encryption negatively impacts.

Indeed, Baker highlights how misleading Barr and others (including Baker's old boss, Comey's) arguments are when they say that encryption leads to a lawless digital space:

So, encryption has not, as the attorney general complained in his speech, really created a “law free zone.” It’s just that the law that applies in this area is not what Barr or the Justice Department want the law to be.

Baker also highlights how undermining encryption puts us all at risk in a wide variety of ways, from basically handing over security services to non-US companies, to putting all our data at risk, to also creating a great opening for countries who wish to do us harm. There are a lot of really great points in this post, way beyond what I'm highlighting here, so I highly recommend reading the whole thing. Indeed, towards the end, Baker (correctly) highlights that protecting our own digital security almost certainly is a better way of protecting Americans than being able to hack into the phones of a few people:

If I’m correct about the existential nature of cyber threats and about the risks that nation-states such as China, in particular, pose to the United States and its allies, then federal, state and local governments should be doing everything they can to enhance the cybersecurity status of the nation. All public safety officials should think of protecting the cybersecurity of the United States as an essential part of their core mission to protect the American people and uphold the Constitution. And they should be doing so even if there will be real and painful costs associated with such a cybersecurity-forward orientation. The stakes are too high and our current cybersecurity situation too grave to adopt a different approach.

A key theme throughout the whole piece is that it's time for law enforcement to accept reality and to stop pretending there's some fantasy "magic bullet" or "golden key" that will allow them to safely backdoor their way into encrypted devices. He admits that this may, sometimes, make law enforcement's job harder, but the benefits for everyone's safety so vastly outweigh that potential downside as to suggest this shouldn't even be much of a debate.

All of this is stuff that many of us who have fought against encryption backdoors have been saying for decades, but it's pretty surprising (to the level of almost shocking) that Baker is now expressing this view -- given his role in literally working to backdoor Apple's encryption. This is not a privacy activist. This is someone who was basically in charge of the FBI's last big effort to have the courts break encryption. Baker insists that his actual views haven't changed very much, though that does seem at least somewhat difficult to square with the FBI's position in the Apple legal fight. But, either way, it's great to see someone of his stature and experience now agreeing that undermining encryption would be very, very dangerous -- and that he's willing to tell his former colleagues, directly, that they, too, should embrace this position.

Filed Under: backdoors, encryption, fbi, going dark, jim baker, law enforcement, san bernardino, william barr

Trump Administration Demands An End To Strong Encryption While Being Exhibit A For Why We Need It

from the secrets-we-keep dept

In the 18th Century the Founding Fathers were worried about tyrants. They were worried about government officials abusing the powers of their office and the fate of the nation if there were no check on their power. In the 21st Century those concerns have hardly faded. Today we have a presidential administration that, if nothing else, has publicly (and privately) attempted to turn the ship of state against multiple political opponents, and with such an audacious expectation of impunity that it leaves no basis to believe it would not do the same to anyone else who stands against it.

It now it demands more tools to perpetuate these attacks. At a time when the survival of our democracy most critically depends on the people's ability to push back against these sorts of abuses of governmental power, the government seeks to hobble the public's ability to do it –- this time by destroying the ability to keep their communications secret. Because that's what encryption "backdoors" do: completely and utterly obliterate any technical ability to maintain the secrecy in one's data. You can't just backdoor them a little bit -– either communications are secure from all prying eyes, or none of them. And this administration is insisting that it should get to see them all.

This administration is not, of course, the first to have demanded the ability to get access to people's data. Both Democratic and Republican administrations have made similar demands (and even helped themselves to it). Each time they have articulated policy arguments for why the government should have the power to read people's private communications, and sometimes these arguments have even been compelling. But none have ever outweighed the critical liberty interest that depends on being able to prevent government access to all of everyone's private communications, and today we see exactly why.

The Constitution guarantees the personal freedom necessary to stand against a tyrannical state actor prone to misusing its power. We have been sloppy over the years in preserving that liberty legally, thanks to the implicit assumption that the government is inherently one of the Good Guys and the people seeking to keep their data private presumably are the Bad Guys. It is a view that has infected our understanding of the Fourth Amendment and allowed the government to invade people's privacy in ways the text of the Constitution never allowed. But today we see with painful clarity how it was also a view predicated on wholly unsound assumptions.

Today we regularly see our President, Chief Executive, and most senior official charged with enforcing our laws not only routinely flout these very same laws but also routinely threaten those whose sole "crime" is standing against him with vindictive, and meritless, ruinous prosecution. These are not the actions of a benevolent government eager to protect the public from wrongdoing. They are the actions of an autocrat all too happy to victimize people as willingly as the most hardened criminal.

Which leaves the public on its own to protect itself, and already significantly hampered. It is bad enough that Trump makes it so treacherous to speak out against him publicly. But when we can no longer speak publicly it becomes all the more important that we be able to speak privately – yet that is exactly what this administration is trying to prevent in demanding encryption backdoors. Should it get its wish, no one will be able to keep secrets from this administration, or challenge its power. It will be able to continue its abuses unchecked.

This untenable state of affairs is not what the Founders had in mind, what the Constitution permits, or what our continued democracy can tolerate. It is thus vital to resist this backdoor demand.

Filed Under: authoritarianism, backdoors, doj, encryption, free speech, going dark, privacy

Tech Companies Are Leading The Fight Against Child Porn While The FBI And DOJ Complain About Encryption Helping Child Abusers

from the get-a-clue-[cough]-gentlemen dept

We hear so much from law enforcement agencies about how much tech companies -- and their encryption offerings -- are turning America into a lawless frontier where the criminals always win and the cops are eternally hamstrung. We mainly hear this from two law enforcement agencies in particular: the FBI and the DOJ.

Local cops seem to be doing just fine, but outside of Manhattan blowhard/DA Cy Vance, everyone seems to feel a rising tech tide lifts all cop boats. But these agencies insist we're "going dark." And they insist tech companies are screwing both cops and the public by allowing users to protect their communications and devices from criminals and snoopers alike, even if it means things are ever-so-slightly more difficult for criminal investigators.

But these arguments are being made using facts not in evidence. Tech companies do care about crime, public safety, law enforcement's concerns, and the general insecurity of having devices filled with personal info being carried around by the vast majority of the American public. And tech companies are doing far more to address all of these concerns (rather than just the law enforcement concerns touted by the FBI, et al) than the federales are willing to admit.

First off, tech companies are engaging in the "adult conversation" about lawful access. They're just doing it in a way the government doesn't like. They're approaching this with caution and concern, while the FBI and DOJ dishonestly claim the only "real" solution is unfettered, on-demand access to devices and communications.

White papers have been written. Honest discussions have been had. But these are ignored because they don't offer the "absolutist" options federal agencies desire. It's the DOJ and FBI who are engaging in the equivalent of kicking and screaming while ignoring the real adults in the room.

More evidence that tech companies are doing more to help than to hurt is rolling in. Casey Newton reports for The Verge that the fight against child sexual abuse is being lead by tech companies, and that law enforcement agencies are the beneficiaries of their contributions.

An example from the National Center for Missing and Exploited Children drove the point home. The organization has long operated a tipline in which people can report coming across child pornography and other incidents of abuse. In the late 1990s, the tipline received 200 to 300 reports per week, said Michelle DeLaune, NCMEC’s chief operating officer. But as the internet gained adoption, and platforms began collaborating with the organization, reports to the tipline exploded. In 2018, NCMEC received more than 18 million reports of exploitative imagery.

Strikingly, 99 percent of those reports come directly from the tech platforms. Through the use of artificial intelligence, hashed images, and partnerships between companies, we’re now arguably much better informed about the scope and spread of these images — and are better equipped to catch abusers.

Notably, these reports originate from communications platforms the DOJ and FBI have complained about.

A Facebook executive says that the company bans a whopping 250,000 WhatsApp accounts a month for sharing child exploitation imagery.

The implication that tech companies are doing nothing to respond to and to prevent criminal activities are, to put it politely, horseshit. These federal agencies have a vested interest in portraying tech companies as villains presiding over an internet Wild West. They want favorable court precedent and legislation.

As tech companies appear villainous -- something not helped by their numerous appearances in front of Congressional committees -- all branches of the government are more likely to screw tech companies into behaving as extensions of the federal government. This screws users and customers as well as the companies they use, but no price is too high to pay… as long as it's paid by others.

Filed Under: backdoors, encryption, going dark, law enforcement

William Barr Turns Up The Heat On The DOJ's Anti-Encryption Rhetoric

from the 4000-words,-zero-concessions dept

The DOJ has now spent more than a year dodging an obligation it created itself. For years, FBI directors and DOJ officials have told anyone who'd listen -- conference attendees, Congressional reps, law enforcement officials -- the world was going dark. Device encryption was making it far more difficult for the FBI to collect evidence from seized devices and the problem was escalating exponentially.

It wasn't. Every new "going dark" speech contained a larger number of impenetrable devices the FBI was sure contained all sorts of juicy evidence. When the FBI was asked about these devices by members of Congress, it finally decided to take a look at its numbers. The numbers were wrong. The FBI said there were around 8,000 locked devices in its possession. In reality, the number is probably less than 2,500.

The problem is we don't actually know what the correct number is. The DOJ has been promising an update since May 2018, but it has yet to release this number. Instead, it has released the mouth of its top man -- William Barr, a longtime fan of domestic surveillance.

Barr's keynote address to the International Conference on Cyber Security didn't deal much with cybersecurity. Instead, it was 4,000-word anti-encryption rant. William Barr wants encryption backdoors. There's no use in the DOJ denying after his verbal assault on device encryption and device manufacturers. There is no subtlety and no hedging. The only concession Barr makes is that encryption shouldn't vanish entirely. But any form of encryption that remains should leave a key under the doormat for the G-men.

While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society’s ability to defend itself against other types of criminal threats. In other words, making our virtual world more secure should not come at the expense of making us more vulnerable in the real world. But, unfortunately, this is what we are seeing today.

Service providers, device manufacturers and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances. As a result, law enforcement agencies are increasingly prevented from accessing communications in transit or data stored on cell phones or computers, even with a warrant based on probable cause to believe that criminal activity is underway. Because, in the digital age, the bulk of evidence is becoming digital, this form of “warrant proof” encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy.

According to Barr, the government has a right to the contents of encrypted devices. He attempts to draw this conclusion by referring repeatedly to the Fourth Amendment. This safeguards citizens against unreasonable searches. Unreasonable searches can be performed as long as the government has a warrant. That's as far as Barr takes this line of thought. As he sees it, encryption shouldn't be able to nullify a search warrant. He believes encryption does this.

The Fourth Amendment strikes a balance between the individual citizen's interest in conducting certain affairs in private and the general public's interest in subjecting possible criminal activity to investigation. It does so, on the one hand, by securing for each individual a private enclave around his “person, house, papers, and effects” — a "zone" bounded by the individual's own reasonable expectations of privacy. So long as the individual acts within this "zone of privacy,” his activities are shielded from unreasonable Government investigation. On the other hand, the Fourth Amendment establishes that, under certain circumstances, the public has a legitimate need to gain access to an individual’s zone of privacy in pursuit of public safety, and it defines the terms under which the Government may obtain that access. When the Government has probable cause to believe that evidence of a crime is within an individual’s zone of privacy, the Government is entitled to search for or seize the evidence, and the search usually must be preceded by a judicial determination that "probable cause" exists and be authorized by a warrant.

Nothing is preventing the government from seizing devices. The warrant can still accomplish that. What Barr is arguing is that the Fourth Amendment guarantees government access to evidence, which it doesn't. It only gives it the right to search for it. A search warrant may result in a searched house or vehicle, but there's no guarantee any useful evidence will be recovered. The evidence it's looking for may not be on the premises. Or it may reside in a safe law enforcement isn't able to crack. Or it simply may not exist at all.

The "locked safe" is the closest equivalent to an encrypted device. The government is free to continue trying to open the safe, but the warrant only allows it to seize evidence or items likely to contain evidence. It doesn't obligate the safe manufacturer to build master keys for all safes and distribute them to law enforcement. Encryption backdoors make that demand. And they make that demand of any device manufacturer or software developer that secures customers' communications and data with encryption.

So, how does Barr think this will be accomplished? It appears he thinks everyone else should spend time figuring that out and let the DOJ get back to the difficult work of not answering questions about the FBI's encrypted device stash.

He thinks the courts should fix it, pointing to the Supreme Court's 1925(!!) decision creating the automobile exception to search warrant requirements. He feels this concession to law enforcement (one that's abused frequently by cops searching for seizable cash) should be followed by more concessions. Courts may not be able to order across-the-board backdoors, but they can create useful precedents for compelled access -- either for device owners or device manufacturers.

He thinks society in general should fix this, even if it can't contribute directly. What society can do is stop arguing about the deliberate weakening of encryption and just accept the fact that governments (and whoever else can find the backdoor) should have access to their communications and data. It's a sacrifice we, the people, should be willing to make for our government, which pretty much has only its own interests in mind.

And Barr thinks the tech community should fix it. He lists a bunch of bad proposals, one of which was proposed by none other than the UK's version of the NSA. He talks up Ray Ozzie's take on key escrow and (former GCHQ security specialist) Matt Tait's "layered envelopes" pitch he made for a blog that's headed by noted surveillance state apologist, Ben Wittes. Those are the "experts:" the GCHQ, a former GCHQ employee, and a software pioneer.

Barr says the real risk posed by compromised encryption is worth it. He doesn't explain how it's worth to the millions of people he'll put at risk in exchange for law enforcement access, but he seems to assume we'll all feel much better about it when criminals start disappearing from the streets.

[T]he argument is that a business is thwarted in its purpose of offering the best protection against bad actors unless it can also override society’s interest in retaining lawful access. Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability — a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.

In the end, Barr hopes we'll be hit with a tragedy so awful, Congress will decide to end the debate by outlawing un-backdoored encryption.

Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

This is much worse than the handful of spoken asides uttered by FBI directors and a handful of DOJ officials. This was the only focus of Barr's 4,000-word keynote address. He spent a few words at the opening to at least indicate to the crowd he knew where he was (a cybersecurity conference) before spending the rest of it arguing against effective encryption. This is Barr's DOJ and, by extension, his FBI. This is the issue the DOJ's going to run with as long as he's in charge.

Filed Under: backdoors, doj, encryption, security, william barr