Senators Burr & Feinstein Write Ridiculous Ignorant Op-Ed To Go With Their Ridiculous Ignorant Bill

from the learn-something-people dept

Senators Richard Burr and Dianne Feinstein are not giving up that quickly on their ridiculous and technically ignorant plan to outlaw real encryption. The two have now penned an op-ed in the WSJ that lays out all the same talking points they've laid out before, without adding anything new. Instead, it just continues to make statements that show how incredibly ignorant they are. The piece is called Encryption Without Tears (and may be paywalled, though by now everyone knows how to get around that), which already doesn't make any sense. What they're pushing for is ending basic encryption, which will lead to many, many tears.

It starts out with their standard ridiculous line, pretending that because a company builds end-to-end encryption, it's acting "above the law."

In an increasingly digital world, strong encryption of devices is needed to prevent criminal misuse of data. But technological innovation must not mean placing individuals or companies above the law.

People have gone over this time and time again: this is not about anyone being "above the law." It's about whether or not companies can be forced to directly undermine the safety and security of their products (and the public). A paper shredder can destroy evidence. A paper shredder maker is not "above the law" when it decides not to build a system for piecing back together the shreds.

And speaking of "above the law" I still don't see Feinstein or Burr commenting on the FBI/DOJ announcing that it will ignore a court order to reveal how it hacked into computers over Tor. That is being above the law. That involves a situation where a court has asked for information that the FBI absolutely has. The FBI is just saying "nope." If Burr and Feinstein are really worried about being "above the law," shouldn't they worry about this situation?

Over the past year the two of us have explored the challenges associated with criminal and terrorist use of encrypted communications. Two examples illustrate why the status quo is unacceptable.

I love this. They give two examples that have been rolled out a bunch in the last few weeks. The attack in Garland, Texas, where the attackers supposedly exchanged some messages with potential ISIS people, and the case of Brittney Mills, who was tragically murdered, and whose case hasn't been solved. Mills had her smartphone, but no one can get into it. Of course, it took nearly two years of fretting before law enforcement could dig up these two cases, and neither make a very strong argument for why we need to undermine all encryption.

It's a simple fact that law enforcement never gets to have all of the evidence. In many, many, many criminal scenarios, that's just the reality. People destroy evidence, or law enforcement doesn't find it or law enforcement just doesn't understand it. That's not the end of the world. This is why we have police detectives, who are supposed to piece together whatever evidence they do have and build a picture for a case. Burr and Feinstein are acting like in the past, law enforcement immediately was handed all evidence. That's never been the way it works. Yes, law enforcement doesn't get access to some information. That's how it works.

You don't go and undermine the very basis of computer security just because law enforcement can't find a few pieces of evidence.

Our draft bill wouldn’t impose a one-size-fits-all solution on all covered entities, which include device manufacturers, software developers and electronic-communications services. The proposal doesn’t define the technological solutions or tell businesses how to solve the problem.

This is also misleading. The bill requires an end to real encryption. That's it. Real encryption means that only one person has the key. This is what Burr and Feinstein don't seem to get. They seem to think it's trivial to leave a key with Apple or whoever. But as basically every crypto expert has explained, it is not. Doing so creates a vulnerability... and worse, it's a vulnerability that cannot be patched. That's hellishly dangerous. Sure, the bill doesn't tell them exactly how to do this, but it does make it clear: you cannot offer real encryption, you can only offer something that can be hacked. That's a problem.

We want to provide businesses with full discretion to decide how best to design and build systems that maintain data security while at the same time complying with court orders.

We want to provide businesses with full discretion to decide how best to travel back in time, in order to prevent crimes.

Seriously: this is basically the same thing that Burr and Feinstein are saying here. They're asking for something that's impossible, and acting like it's a routine suggestion. If they need to comply with these All Writs Act style orders, they cannot build systems that maintain data security. That's a fact. It's mind-boggling that Burr and Feinstein still can't understand this.

Critics in the industry suggest that providing access to encrypted data will weaken their systems. But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories.

Argh. This paragraph shows that whatever poor staffer Burr and Feinstein assigned to write this drivel doesn't understand even the first thing about what he or she is talking about. Storing encrypted passwords, credit card info, bank account info, etc. is a totally different thing. Those are encrypted to keep them safe, and part of the reason they're encrypted is so that even those companies cannot reveal them. This point is making the opposite point of what Burr and Feinstein think. Companies encrypt passwords and credit card info and the like so that they're not storing the plaintext info, and there's no easy way for anyone to get that info. This protects user data, and the companies cannot actually provide the plaintext. They're comparing hashes. That's what keeps it safe.

If we received a court order demanding our users' passwords, we couldn't provide them. Because they're encrypted. We don't know our users' passwords and can't give them to you. When someone logs in to our website, we can compare a hash of their password to our hashed version and then if they match, we let them in. But we don't know what their password is. So this is a terrible example that actually goes against what Burr and Feinstein are saying. Those encrypted stores of information would be illegal under this bill!

We are not asking companies to provide law enforcement with unfettered access to encrypted data. We aren’t even asking companies to tell the government how they gain access to this encrypted data. All we are doing is asking companies to find a way to keep their data secure while also cooperating with law enforcement in terrorism and criminal investigations.

Again, that last line is impossible. They're asking the impossible -- and in the process, making everyone less safe. The only way to provide such info to law enforcement is to no longer keep the data truly secure. And the big concern is not unfettered access for law enforcement, but rather whatever this backdoor means for those with malicious intent, who will be very, very, very focused on finding these vulnerabilities and exploiting them.

President Obama said earlier this year, “You cannot take an absolutist view on this.” We agree—and believe that strong data security and compliance with the justice system don’t have to be mutually exclusive.

Because you don't know what you're talking about.

American technology companies have done some amazing things that are the envy of the world. We think that finding a way to achieve both goals simultaneously is not beyond their capabilities.

So, in the end, despite basically every cryptography expert telling them this is impossible, Burr and Feinstein come back with "NERD HARDER, NERDS!"

Filed Under: above the law, dianne feinstein, doj, encryption, fbi, going dark, richard burr
Companies: apple

Burr & Feinstein Officially Release Anti-Encryption Bill, As Wyden Promises To Filibuster It

from the and-off-we-go dept

Last week, we wrote about a "discussion draft" of Senators Richard Burr and Dianne Feinstein's new anti-encryption bill that would effectively require any company doing anything with encryption to make sure that encryption was flat out broken, putting everyone at risk. Feinstein and Burr's offices refused to comment on the criticism of the draft, insisting that they were still working on the bill. Well, late Wednesday Burr officially released a copy of the bill and it's basically the same insane bill we saw last week. As far as I can tell, the only real change is further defining what is meant by a "court order." It used to just say any court order, but now says only court orders for specific issues, but it's a pretty broad list: crimes involving serious bodily harm, foreign intelligence, espionage, terrorism, sexual exploitation of a minor, a "serious violent felony," or a serious drug crime. So, I guess we should feel relieved that it won't be used for cases where someone's caught trespassing or something? It's still a ridiculous bill (and it still doesn't explain what the penalties are).

Meanwhile, Senator Ron Wyden has renewed his opposition to the bill by going a step further and promising to filibuster if the bill is brought to the floor:

“The encryption debate is about having more security or having less security. This legislation would effectively outlaw Americans from protecting themselves. It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans. This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas. Furthermore, this bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world,” Wyden said.

“Americans who value their security and liberty must join together to oppose this dangerous proposal. I intend to oppose this bill in committee and if it reaches the Senate floor, I will filibuster it.”

Stay tuned, because this fight is just beginning...

Filed Under: all writs act, backdoors, dianne feinstein, encryption, richard burr, ron wyden

Why Doesn't The Anti-Encryption Bill List Any Penalties?

from the they'll-be-added-in-later dept

We've already written a bit about the technologically ignorant bill from Senators Richard Burr and Dianne Feinstein that basically outlaws any encryption system that doesn't include backdoors for law enforcement. However, there are still some points in the bill that have left some folks scratching their heads. In particular, the lack of any penalty at all has some commenters wondering what the bill actually does. The bill both says that it doesn't "require or prohibit any specific design or operating system," but at the same time does require that anyone offering or supporting any kind of encryption be able to pass along unencrypted versions of the communication to law enforcement when presented with a legitimate court order or warrant (so not just a warrant...). As Orin Kerr noted, the bill mandates assistance, rather than using the more typical requirement of "reasonable" assistance.

Instead, the bill is explicit that if you receive an order, you have to hand over the unencrypted data. The law specifically reads: "a covered entity that receives a court order from a government for information or data shall provide such information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order." No best efforts. No reasonable assistance in the face of situations where that can't be done. The bill requires that you provide unencrypted data. Or else.

Or else... what? The bill includes absolutely nothing on the penalties for failing to comply. This has led some on Twitter (including a guy I've been discussing it with who deletes all his tweets after tweeting them or I'd post them here...) to argue that the bill actually promotes encryption, since if a company can't provide unencrypted data, then the law has no impact. That's not true however. First of all, both Burr and Feinstein have been going on and on about demanding backdoors and whining about encryption for a long time. There's no way they wrote a bill that would support stronger encryption. Second, all of the rest of the language in the bill includes various statements like "shall provide" and other items that leave no wiggle room at all. Providing any kind of encryption without providing a backdoor for law enforcement would violate this law.

So... why the lack of penalties? There are a few theories floating around. (1) This is still a draft of the bill. Those penalties will be added in later, after everyone's fought over the rest of the bill. Leaving out the penalties at this stage lets Feinstein and Burr focus the fight. (2) The bill will allow courts to claim that any company not providing such unencrypted text is in contempt and issue increasingly large fines that make it practically impossible to be a business in the US without providing backdoors to encryption and basically demolishing everyone's security. Neither option is appealing.

This bill is bad in so many ways and no one's focusing on the punishment part because it's not even in the bill yet -- but make no mistake -- if this bill passes, there will be punishment (potentially severe punishment) for any company that wants to use actual encryption.

Filed Under: dianne feinstein, encryption, going dark, penalties, richard burr

Burr And Feinstein Plan One Sided Briefing For Law Enforcement To Bitch About 'Going Dark'

from the because-that-side-hasn't-been-heard-from-yet dept

With the world mocking the sheer ignorance of their anti-encryption bill, Senators Richard Burr and Dianne Feinstein are doubling down by planning a staff "briefing" on the issue of "going dark" with a panel that is made up entirely of law enforcement folks. As far as we can tell, it hasn't been announced publicly, but an emailed announcement was forwarded to us, in which they announce the "briefing" (notably not a "hearing") on "barriers to law enforcement’s ability to lawfully access the electronic evidence they need to identify suspects, solve crimes, exonerate the innocent and protect communities from further crime." The idea here is to convince others in Congress to support their ridiculous bill by gathering a bunch of staffers and scaring them with bogeyman stories of "encryption caused a crime wave!" As such, it's no surprise that the panelists aren't just weighted heavily in one direction, they're practically flipping the boat. Everyone on the panel comes from the same perspective, and will lay out of the argument for "encryption bad!"

PANELISTS

Chief Terrence M. Cunningham
President, International Association of Chiefs of Police
Wellesley, MA, Police Department

Hillar C. Moore, III
District Attorney, 19th Judicial District Attorney's Office
Baton Rouge, LA

Sheriff James Alton Cannon, Jr.
Charleston County, SC, Sheriff's Office

Chief Commissioner Patrick Stevens
Chief Commissioner, Liaison Officer for the Belgian Federal Police
to the United States, Canada, Mexico, and the Bahamas

Colonel Joseph R. Fuentes
Superintendent, New Jersey State Police

As Marcy Wheeler points out, it does seem odd that these two Senators who are on the Senate Intelligence Committee are pushing so strongly on this issue, when the focus on law enforcement should put it squarely in the Senate Judiciary Committee. In fact, it's not even clear that this briefing is officially Intelligence Committee business at all, but rather just a chance for Burr and Feinsten to push their story from the one side that's already been the most vocal in trying to turn something that isn't actually a problem into something that they insist must be a problem.

The briefing is scheduled to be held this coming Wednesday morning in the Capitol Visitor Center and will be the Senators latest effort to scare the logic out of their colleagues.

Filed Under: dianne feinstein, encryption, fud, going dark, law enforcement, richard burr

Burr And Feinstein Release Their Anti-Encryption Bill... And It's More Ridiculous Than Expected

from the are-they-serious? dept

They've been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a "discussion draft" of their legislation to require backdoors in any encryption... and it's even more ridiculous than originally expected. Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill, raising at least some questions about whether or not it would actually be released. Previously, Feinstein had said she was waiting for the White House's approval -- but apparently she and Burr decided that a lack of opposition was enough.

The basics of the bill are exactly what you'd expect. It says that any "device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data" must respond to legal orders demanding access to said information. First off, this actually covers a hell of a lot more than was originally expected. By my reading, anyone providing PGP email is breaking the law -- because it's not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.

But, let's dig into a few other bits of insanity in the bill. It starts out with an insane assertion, right upfront:

It is the sense of Congress that--

1. no person or entity is above the law;
2. economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;

What an absurd way to start the bill. As we've discussed over and over again, despite FBI director James Comey's statements, no one is claiming to be "above the law" here. When they offer end-to-end encryption they're not "above the law," they're just building a system to which they don't have the key. That's like saying that the safe maker who doesn't keep copies of the keys to every safe they sell is above the law. But no one requires safemakers to keep copies of every key.

Next, the claim that economic growth, prosperity, security, stability and liberty somehow depend on all of this is ridiculous. The second this bill becomes law, the US loses a massive economic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves off shore. It will devastate American businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.

all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders;

And they do... when they can. But what this bill requires is for tech companies to undermine the basics of encryption to make everyone less safe. This is not about disrespecting the rule of law, but about building systems as secure as possible to protect people from malicious attacks. You know, the very kinds of attacks that Senators Burr and Feinstein kept screaming about just months ago when they were demanding a bogus cybersecurity (really: surveillance) bill get passed by Congress. And yet now they want to undermine the very core concept of cybersecurity in the US.

to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data;

And if that's literally impossible, as is the case with strong encryption or end-to-end encryption?

Let's be clear, here. This bill makes effective cybersecurity illegal. Think about that for a second. This is insane.

Then there's this kicker:

Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.

Yeah, except for the entire bill which absolutely prohibits the kind of design that basically all security experts say you need to adequately protect data and communications.

There are lots of other issues as well. As Jonathan Zdziarski notes, the bill is so ridiculously drafted that it doesn't distinguish between encrypted data and deleted data. Thus, if someone deletes all their data, companies are still on the hook to magically get it back. It also requires that any information that is requested be delivered "in an intelligible format." But what if the information itself is not intelligible? What if, prior to encrypting the data through technological means, the people doing the communications used some sort of cypher or code themselves to further obfuscate the information?

The whole thing is a mess and provides much more evidence for the fact that Feinstein and Burr have absolutely no clue what they're talking about on this particular issue. Of course, there are lots of clueless people, but it's pretty disturbing that these two particularly clueless people happen to be the highest ranking members on the Senate Intelligence Committee. Perhaps, like some others, they should talk to actual intelligence community professionals, who have also been arguing that backdooring encryption is a bad idea and puts Americans at much greater risk of being victims of computer attacks.

Filed Under: backdoors, dianne feinstein, encryption, richard burr

Back Door Legislation Won't Have The White House's Support (Nor Its Opposition, Most Likely)

from the punting dept

Senators Dianne Feinstein and Richard Burr have been talking about legislation that forces tech companies to help law enforcement break into encrypted devices for quite a while now. Nearly a month ago, they suggested it was almost ready to be formally introduced, but indicated that the White House's response would determine when exactly that happened.

Now, Reuters is reporting that sources in the administration told them backdooring encryption will not have the President's support, adding another question mark to when we'll actually see this bill (though there's a chance it will show up this week).

Although the White House has reviewed the text and offered feedback, it is expected to provide minimal public input, if any, the sources said.

Its stance is partly a reflection of a political calculus that any encryption bill would be controversial and is unlikely to go far in a gridlocked Congress during an election year, sources said.

A White House spokesman declined to comment on the pending legislation, but referred to White House press secretary Josh Earnest's statements on encryption legislation. Last month, Earnest said the administration is "skeptical" of lawmakers' ability to resolve the encryption debate given their difficulty in tackling "simple things."

This isn't entirely surprising, as the administration has suggested it won't support such legislation since as far back as September when a leaked document outlined their options for responding to the debate. That document, too, seemed primarily concerned with "political calculus" and what the reaction would be in the public and congress to different versions of "not supporting" the bill, ranging from standing up for the actual truth to punting on the whole issue. In October, they decided to stay silent, though the President has since trotted out the same problematic arguments about compromise and absolutism that we've heard from many politicians.

Now, with the issue refusing to die and Burr and Feinstein's bill perpetually on the horizon, it looks like the White House is going to stick to its silence with "minimal public input" and see what happens. Given the current political climate, and the fact that any such bill almost certainly doesn't stand a chance of passing, this isn't exactly shocking — but it's still disappointing. As we noted last year, when your options include "take a clear stance on the right side of the issue", you shouldn't really need to consider alternatives. The President's open disapproval may not be necessary to prevent the bill from moving forward, but it would go a long way to convincing technology companies and the privacy-aware public that the administration genuinely understands the issue and will fight for what's right.

Filed Under: dianne feinstein, encryption, obama, privacy, white house

Before We Even Know The Details, Politicians Rush To Blame Encryption For Brussels Attacks

from the it's-almost-like-you-have-an-agenda... dept

Support our crowdfunding campaign to help us keep covering stories like these!

You may remember that, right after the Paris attacks late last year, politicians rushed in to demonize encryption as the culprit, and to demand backdooring encryption before the blood was even dry. Of course, it later turned out that there was no evidence that they used encryption at all, but rather it appears that they communicated by unencrypted means. Just yesterday, we noted that the press was still insisting encryption was used, and using the lack of any evidence as evidence for the fact they must have used encryption (hint: that's not how encryption works...).

So, it should hardly be a surprise that following this morning's tragic attacks in Brussels that have left dozens dead and many more injured, that encryption haters, based on absolutely nothing, have rushed in to attack encryption again. The first up was Rep. Adam Schiff, who quickly insisted that he had no actual facts on the matter, but we should be concerned about encryption:

“We do not know yet what role, if any, encrypted communications played in these attacks,” Rep. Adam Schiff (D-Calif.) said in a statement.

“But we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks,” he added.

Schiff, of course, is the same guy who just a few months ago was loudly promoting CISA, saying we needed it to protect our privacy from hackers. Of course CISA doesn't do that. You know what does? Encryption. The very encryption Schiff now wants to blame.

Not one to be left out, Senator Dianne Feinstein jumped in with a thinly veiled statement in support of her supposedly soon to be released bill, mandating backdoors in encryption:

“We must use all the tools at our disposal to fight back,” Sen. Dianne Feinstein, California Democrat and vice chairwoman of the Senate Intelligence Committee, said in a statement on Tuesday. “The way to prevent attacks like this is to develop good intelligence and always be vigilant.”

"All the tools" likely means including her plans to break encryption.

And, of course, the many in the press are no help at all. There have been reports that a talking head on NPR blamed encryption this morning, while a NY Times reporter, Rukmini Callimachi -- who was the lead reporter on that ridiculous article yesterday insisting that the lack of encryption was evidence of encryption -- is tweeting up a storm claiming that ISIS is now encouraging the use of encryption, even though the questionably-sourced document she links to (which is written in English?!?) isn't actually recommending encryption, but things like Tor and VPNs, which are designed to merely mask your IP address.

26. ISIS is now advising its "brothers" in Belgium to only go online with encryption. (Thanks @MichaelSSmithII) pic.twitter.com/eWb4SD3INi

— Rukmini Callimachi (@rcallimachi) March 22, 2016

It's like she sees encryption in absolutely anything. Meanwhile, as a number of other commenters have pointed out, if "ISIS brothers" actually follow the advice in that document, it will only likely help them get caught, as a sudden and abrupt change in behavior is a pretty good way for law enforcement to make you a suspect. And, really, encouraging people to jump onto tools like Tor that they don't understand, but which they think will keep them safe, almost certainly will lead to ridiculously bad implementations that make it easier to spot what they're doing.

Either way, in the wake of yet another attack we're left with people who don't understand and dislike encryption, rushing to demonize it for no good reason at all.

Support our crowdfunding campaign to help us keep covering stories like these!

Filed Under: adam schiff, attacks, blame, brussels, dianne feinstein, encryption, isis, rukmini callimachi

Senators Burr And Feinstein, Once Again, Threatening New Bill To Backdoor Encryption

from the yeah-that's-not-going-to-go-over-well dept

They've been promising it for months now, without ever actually doing anything, but Senators Dianne Feinstein and Richard Burr (the two top members of the Senate Intelligence Committee) now insist that they're finally ready to release their anti-encryption bill.

Feinstein told The Hill she passed the text along earlier this week to White House chief of staff Denis McDonough.

“My hope is since I was the one that gave it to Denis McDonough, they will take a look at it and let us know what they think,” she said.

The Obama administration’s response will determine the bill’s timing, Burr added.

The introduction “depends on how fast the White House gets back to us,” he said.

Since, to date, the administration has actually indicated that it does not support such a bill, one hopes that means the introduction will continue to be "sometime around never." Even if it is introduced, it sounds like the bill may actually have a tough time getting anywhere. As we've noted, recent hearings suggest that many in Congress are quite skeptical of the FBI/DOJ's claim that it needs backdoors into encryption. Indeed, even many in the intelligence community (which you'd think would have indicated this to Burr and Feinstein) don't seem particularly enthusiastic about this. Reliable Feinstein/Burr allies like former NSA and CIA director Michael Hayden, former Homeland Security director Michael Chertoff and former NSA director Mike McConnell have spoken out strongly against such plans.

Given all that, it's bizarre and ridiculous that Feinstein and Burr are continuing to move forward with this plan. Hopefully, the White House educates them on the issue and tells them to toss this bill into the garbage where it belongs.

Filed Under: backdoors, dianne feinstein, encryption, going dark, richard burr

Senator Feinstein Revives Stupid Idea That Internet Companies Are 'Materially Supporting Terrorism' If ISIS Members Use Their Sites

from the not-how-it-works dept

Last year, FBI Director James Comey floated a ridiculous idea that retweeting ISIS tweets could be seen as "material support" for terrorism. Indeed, an American teenager got sentenced to 11 years in jail for pro-ISIS tweets, with the "material support" being that some of those tweets linked to pages that taught people how to use Bitcoin. Some have taken this idea even further, and argued that internet companies can be slapped with "material support for terrorism" claims or charges if they let ISIS members or other terrorists make use of their services.

This is ridiculous for many, many reasons, not the least of which is that (like in the encryption debate) it seems to presume that there's some algorithm to magically determine who is good (not a terrorist) and who is bad (terrorist!). And just like ridiculous and impossible arguments for "kicking ISIS off the open web" -- it would be ridiculously counterproductive. Not only would it be ridiculously costly to internet companies, but it would actually take away a major source of intelligence about terrorist groups, since they often reveal useful things on social media.

But guess who's seriously thinking about looking to see if it's possible to slap "material support of terrorism" charges on internet companies? Why, it's a Senator who actually is supposed to be representing many of their interests as California companies, Senator Dianne Feinstein. Jenna McLaughlin, a national security reporter for The Intercept, noted that Feinstein floated the idea this week, as if Feinstein had just thought of it:

DiFi: have we tried slapping material support charges on companies for letting terrorists use their services?

— Jenna McLaughlin (@JennaMC_Laugh) March 9, 2016

We've already discussed how dumb an idea this is (even more so that it comes from a California Senator), but ACLU deputy legal director Jameel Jaffer had an excellent response as well, highlighting the sheer stupidity of Feinstein's suggestion:

I heard that terrorists use hotels, credit cards, and phones, too. We're going to need a lot of indictments. https://t.co/N6HsYIz2Tb

— Jameel Jaffer (@JameelJaffer) March 9, 2016

Filed Under: dianne feinstein, first amendment, intermediary liability, internet companies, isis, material s upport, material support for terrorism, terrorism

Lawmakers Speak Out On Apple Being Forced To Create Backdoors; Some Wisely, Some Ignorantly

from the some-good,-some-bad dept

Everyone's talking about the big legal fight that magistrate judge Sheri Pym has kicked off by ordering Apple to build a backdoor into an iPhone to get around security tools that would block attempts to decrypt the contents of the phone. As some are noting, if the ruling is not overturned it could force Congress to change the law. Over the last year or so, it had become clear that Congress did not support laws that mandate backdoors. Yes, some in Congress -- including Senators Richard Burr, Dianne Feinstein and John McCain -- have been pushing for such legislation, but most have admitted that there aren't nearly enough votes in support of that, and there are many in Congress who recognize the ridiculousness of such a law. A year ago, a congressional hearing made it clear that there was a ton of skepticism in Congress about ordering backdoors.

And now we see Congress speaking out about the court order as well. Rep. Ted Lieu -- who, people always point out, has a computer science degree, and who a year ago noted that backoors were "technologically stupid" -- has told the DailyDot that this order creates a very dangerous slippery slope:

"Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"

Rep. Zoe Lofgren put out a detailed statement saying that the order was "an astonishing overreach of authority by the Federal government," and warned that it appeared to go against the wishes of Congress and that even if the order is upheld, it will only result in stronger encryption that can't be backdoored:

Apple, as do other technology companies, complies with lawful orders and warrants. But they are unable to deliver to the government what they do not have – in this case, a key to break into their operating system in the manner the FBI desires. It is astonishing that a court would consider it lawful to order a private American company be commandeered for the creation of a new operating system in response.

The issue of mandating back doors in encryption has been a topic of vigorous discussion in the Congress. The emerging consensus has been that creating back doors for the use of law enforcement, important as law enforcement is, would endanger Americans by generally weakening security. These weaknesses will inevitably be exploited by criminal hackers or foreign opponents. That a single magistrate should substitute her judgment for that of the duly elected President and Congress – that was already thoroughly engaged in the subject – is wrong as a matter of policy and of law.

Finally, should this order not be overturned, technology companies will have no choice but to further deploy robust encryption that would prevent their engineers from creating any system that would effectively open up previously deployed security measures.

I urge the judicial branch to swiftly overturn this misguided ruling and further urge the Director of the FBI to refrain from seeking public policy decisions from the courts that are more properly decided by the Legislative branch of government.”

Senator Ron Wyden put out a statement as well, noting how this ruling will be interpreted around the globe:

I don't take a backseat to anyone when it comes to hunting down terrorists and protecting Americans from harm. However, this unprecedented reading of a nearly 230-year-old law would create a dangerous precedent that would put at risk the foundations of strong security for our people and privacy in the digital age. If upheld, this decision could force U.S. technology companies to actually build hacking tools for government against their will, while weakening cybersecurity for millions of Americans in the process.

Furthermore, this move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor? Companies should comply with warrants to the extent they are able to do so, but no company should be forced to deliberately weaken its products. In the long run, the real loses will be Americans' online safety and security.

Of course, not all our lawmakers are so enlightened. Senator Feinstein, despite technically representing Apple, has shown for a long time now that she has no interest at all in representing the true interests of anyone in California if it goes against the desire of the surveillance state. She basically told Apple to shut up and do what the court says. After pretending it's about protecting Californians (because San Bernardino is in California) she warns that if Apple doesn't obey it will force her and Senator Burr to push for the legislation they've already been pushing for:

I would hope that bill would not be necessary. I would hope Apple understand the seriousness of this request. I have no doubt that to deny the request would likely bring on law to change law, so that this can be done. We're in jeopardy if you cannot -- through proper evidence submitted by a probable cause warrant -- be able to open these systems.

The PBS interviewer who asked Feinstein about this also asked (twice!) about Apple's statement that creating backdoors will create opportunities for those with malicious intent to break into the phones as well, and Feinstein displays her technological ignorance by stating:

Oh I don't believe that's necessarily true.

She's wrong about that. She's literally advocating for everyone to be made less safe just so we can get a little more information on some people who we already know committed a crime. That's crazy.

And, of course, Senator Burr made a similar statement -- first by lying and pretending that the order is not about creating a backdoor:

There are no decryption demands in this case, and Apple is in no way required to provide a so-called backdoor. The FBI needs access to the phone so the agency can better piece together information about the terrorists and whom they contacted.

This is technologically ignorant as well. This is exactly what a backdoor is. Apple is being told to create a bit of software that disables security measures in order to decrypt encrypted material. That's the very definition of a backdoor. Burr goes on, pretending that weakening the safety and security of basically everyone is somehow making them more secure:

The iPhone precedent in San Bernardino is important for our courts and our ability to protect innocent Americans and enforce the rule of law. While the national security implications of this situation are significant, the outcome of this dispute will also have a drastic effect on criminal cases across the country. The newest Apple operating systems allow device access only to users — even Apple itself can’t get in. Murderers, pedophiles, drug dealers and the others are already using this technology to cover their tracks.

Yup, always bring up the holy trinity of "murderers, pedophiles and drug dealers." I'm amazed he didn't say terrorists as well. Of course, as people keep pointing out, there have always been ways for people with ill-intent to hide their communications. There's nothing in the law that says we have to be able to track every communication ever made by everyone. That's a dystopian vision -- but one that apparently Senator Burr likes.

Even worse, Burr insists that because the law "protects" Apple in other cases, it should roll over for this. And also, ridiculously, he argues that this is more about Apple's business model than protecting the safety of Americans.

Apple’s position in the San Bernardino case affirms that it has wrongly chosen to prioritize its business model above compliance with a lawfully issued court order. While the company may have routinely complied with such court orders in the past, it now claims that it cannot comply as a result of security features it has built into its newest products. Apple exists as a corporate entity with the protections provided by U.S. laws, but it cannot be allowed to pick and choose when to abide by those laws as it sees fit. We are a country of laws, and this charade has gone on long enough. Apple needs to comply with the court’s order.

Hilariously, this is the very same Senator Burr who, just months ago, was going on and on in Congress about the importance of cybersecurity, and fearmongering about "cyberattacks." What he doesn't seem to recognize is that the only real way to protect against those attacks is encryption. The very encryption he now seeks to undermine.

Others in the Senate are making similarly ignorant statements, including Senator Tom Cotton, whose statement is so over-the-top ridiculous and wrong as to almost not be worth mentioning:

"Apple chose to protect a dead ISIS terrorist's p‎rivacy over the security of the American people. The Executive and Legislative Branches have been working with the private sector with the hope of resolving the 'Going Dark' problem. Regrettably, the position Tim Cook and Apple have taken shows that they are unwilling to compromise and that legislation is likely the only way to resolve this issue. The problem of end-to-end encryption isn't just a terrorism issue. It is also a drug-trafficking, kidnapping, and child pornography issue that impacts every state of the Union. It's unfortunate that the great company Apple is becoming the company of choice for terrorists, drug dealers, and sexual predators of all sorts."

I mean, come on. Apple is not "protecting a dead ISIS terrorists' privacy," it's talking about the very real issue of whether or not courts have the power to order companies to hack their customers on behalf of the government. That's a big deal that you would think would matter to politicians.

These statements are not unsurprising, but they continue to show a level of profound ignorance about basic technology issues. The fact that Feinstein and Burr, at least, are working on legislation around an issue they so clearly have no clue about is downright scary. One hopes that the others who actually understand the technical and legal issues -- such as those at the top of this article -- will prevail in Congress.

Filed Under: all writs act, dianne feinstein, encryption, going dark, precedent, richard burr, ron wyden, ted lieu, tom cotton, zoe lofgren
Companies: apple