French Law Enforcement 'Wishlist' Includes Banning Open WiFi, Tor Connections And Encrypted Communications

from the the-War-on-Citizens dept

More bad news for French citizens. Not only were they recently attacked by terrorists, but now their government is using these attacks against them to strip away civil liberties and shift more power to police and intelligence agencies.

A document viewed by Le Monde contains several very concerning suggestions from government agencies on how to better combat terrorism -- starting with blacklisting suspicious people and detaining them with administrative police orders. (via Galou Gentil and Numerama)

That's only the beginning of the wishlist. The document is not, by any means, a formal presentation of future legislative issues, but rather the equivalent of an open "suggestion" box, which has now been filled with terrible ideas by law enforcement agencies. How seriously French legislators take these suggestions won't be seen until early next year when the legislature reconvenes.

Other suggestions from "local police and gendarmes":

• Nonconsensual searches of vehicles and luggage (apparently without proper legal justification)
• "Papers please" identity checks, again with minimal legal justification
• Forcing those on the receiving end of administrative searches to give up DNA samples

From that point, law enforcement starts asking for more ways to control communications.

• Banning open WiFi connections during a state of emergency.

It's unclear whether they're looking for a preemptive ban or simply a kill switch. Either way, the state of emergency in France has been extended, and may never truly go away. If so, the ban/kill would be as permanent as the state of emergency itself. Open or shared connections would be subject to criminal sanctions.

• Blocking TOR connections in France
• Identifying communication sources (including VOIP) in France and forcing purveyors to hand over encryption keys

Back in the physical realm, police also want the power to shut down roads to search for vehicles -- again with little to no legal justification. They also want a centralized database containing information on anyone renting hotel rooms or vehicles.

As Le Monde notes, some of the requests fall outside of the realm of possibility and several fall outside the constraints of France's constitution. But the latter is definitely malleable. The government can't do anything about the impossible but it can use the current state of emergency to carve more holes in the rights of its citizens.

How seriously these requests will be taken remains to be seen. The post-terrorist attack spitballing by law enforcement agencies almost reaches the point of self-parody. Le Monde snarkily notes that it's not sure if this wishlist was meant for legislators or for "Santa." But it also notes that the expanded-government-power Santa may actually be presiding over this wishlist, unfortunately.

Santa has a new name: State of Emergency.

Whether or not any of this makes its way into actual law, it still clearly documents the law enforcement mindset -- one that never stops looking for ways to expand its own power at the expense of the citizens it's supposed to serve.

Filed Under: bans, encryption, france, going dark, law enforcement, open wifi, over reaction, paris attacks, state of emergency, tor

President Obama Hints At Asking Silicon Valley To Magically Block Terrorists From Using Tech Products

from the not-good dept

As you probably know, last night President Obama gave a big address from the Oval Office about what he plans to do about ISIS, along with dealing with the threat of lone wolf and other attacks at home. Buried deep within (in fact, I missed it the first time through) was a nod towards the idea of pushing Silicon Valley to magically undermine encryption. Here's the entirety of what he said on the subject:

I will urge high tech and law enforcement leaders to make it harder to use technology to escape from justice.

That seems like a simple sentence, but it's loaded with meaning, and most of it's not good. As we've noted over and over again, the last refuge of those looking to undermine encryption is to bring up the idea of "if only Silicon Valley techies and law enforcement could get together, surely they could come up with some magic golden key. But that's clueless, because what they're asking for is impossible. This isn't something that's "difficult" -- it's impossible. You can't make a backdoored encryption system that doesn't make everyone vulnerable and less safe.

And, yes, while you can say he doesn't specifically say "encryption" here, the use of the phrase "technology to escape from justice" clearly implies encryption. Of course, as we've noted time and time again, the hand-wringing over encryption is totally overblown. Every time we look at terrorist attacks, they seem to do plenty of planning out in the open. And, even when encryption is used, law enforcement and the intelligence community have admitted that either the people often mess up, making them trackable, or they leave other trails.

Besides, what changes does President Obama think technology needs to stop a husband and wife from plotting at home to shoot up an office holiday party?

The whole thing is ridiculous -- and perhaps the only redeeming thing is that he didn't say he was going to ask Congress for a law on this, but rather just put pressure on US tech companies. Unfortunately, as we've seen in the past, sometimes that pressure can be intense and almost impossible to refuse. The President's statement today just undermined a whole bunch of the US tech industry's claims towards keeping information private. He just handed a gift to foreign companies.

Filed Under: encryption, going dark, gun control, isis, president obama, terrorists

A Month Ago, Dianne Feinstein Said Cybersecurity Was Super Important... Now She Says We Should Undermine Encryption

from the which-side-is-she-on? dept

Look, everyone has known for quite some time that Senator Dianne Feinstein's big push for so-called "cybersecurity" legislation in the form of CISA had absolutely nothing to do with cybersecurity. It was always about giving another surveillance tool to her friends at the NSA. However, given that she was one of the most vocal in selling it as a "cybersecurity" bill (despite the fact that no cybersecurity experts actually thought the bill would help) it seems worth comparing her statements from just a month ago, with her new attacks on actual cybersecurity in the form of encryption.

Here is Feinstein just a month ago, claiming to worry about "cyberattacks" on Americans:

"Millions of personal records and hundreds of billions of dollars fall victim to cyber-attacks every year, and we’ve done little to stem the tide."

Of course, CISA does nothing to protect any of that. You know what does protect against that -- better use of encryption to keep that information from getting hacked in any useful manner.

Okay, fast forward. Following the Paris attacks, Feinstein has been among the most vocal in claiming that we need to undermine encryption, which is pretty amazing given that she represents California (and is from San Francisco), home to tons of tech companies that actually get this and think she's completely crazy for undermining actual cybersecurity.

Never mind that, though. Here she is this past weekend, on CBS's Face the Nation totally attacking encryption itself and mocking the tech companies that just a month ago she was insisting needed special government help to protect against cyberattacks. She was asked if the intelligence community has the tools it needs, and she decides to attack encryption -- even choosing to cite as a source CIA director John Brennan -- the same John Brennan who illegally spied on her staffers and then lied about it repeatedly.

"I can say this. [FBI] Director [James Comey] and, I think John Brennan, would agree, that the Achilles Heel in the internet is encryption. Because there are now... it's a black web! And there's no way of piercing it. And this is even in commercial products! PlayStation, John! Which our kids use. If the two ends communicate, that's encrypted. So terrorists can use PlayStation to be able to communication and there's nothing that can be done about it."

The host, John Dickerson, then points out that the tech industry (again, mostly based in or near Feinstein's hometown, and that she's supposed to be representing) says that backdooring encryption makes us less safe and opens us up to more attack, and Feinstein brushes it off, relying on her apparent years of computer security training...

No. I don't think so. I think with a court order, with good justification, all of that can be prevented. It can be prevented in Europe, because Europe has been a major driver for more encryption. And I think that they are now seeing the results. I have visited with all of the General Counsels of the tech companies, just to try to get them to take bomb building recipes off the internet. Recipes that have been tested and we know can explode a plane. Directions. Where to sit on the plane to blow it up. We know that there are bombs that can go through magnetometers. And to put that information out on the internet, is terrible. And I sorta got 'well, pass a law.' So, we may just have to do that. But I am hopeful that the companies, most of whom are my constituents -- not most, but many -- will understand what we're facing. And we're not crying wolf. There's good reason for this. And people are dying all over the world. And I think the Sinai-Russian airliner is a classic example of a bomb that got on a plane, that blew up that plane.

Where to start with this nonsense? First, note that she doesn't actually respond to the question concerning how undermining encryption will make us all less safe and make all that information Feinstein herself claimed was under attack just a month ago more vulnerable, other than to say that she, personally, doesn't think that what every computer security expert has been saying is true. Yikes.

Second, rather than focus on encryption, she pivots to her other pet projects, claiming that the government should force internet companies to censor The Anarchist's Cookbook. She keeps on this despite the fact that all the way back in 1997, the DOJ directly told Feinstein that this would violate the First Amendment. From the DOJ to Feinstein:

The First Amendment would impose substantial constraints on any attempt to proscribe indiscriminately the dissemination of bombmaking information. The government generally may not, except in rare circumstances, punish persons either for advocating lawless action or for disseminating truthful information -- including information that would be dangerous if used -- that such persons have obtained lawfully.

Third, this weird infatuation with The Anarchist's Cookbook, despite the fact that it's generally recognized as a joke for fools, where the likelihood of being able to build an actual bomb from it are minimal at best. And, while she pretends that the GCs of tech companies just sort of shrugged their shoulders about this, it's much more likely that it's because they thought she was being ridiculous trying to censor the internet in violation of the First Amendment. Whoever told her "well, pass a law" was almost certainly trying to get rid of her, knowing that any such law would be unconstitutional.

Fourth, this tangent about "bomb making instructions" online still has absolutely nothing to do with encryption or the question about how encryption makes us all much more vulnerable to attack and actually makes us all less safe.

Fifth, the comment about Europe is insane. Again, while the attackers may have used some encryption, it's been revealed (since long before Feinstein did this interview) that they did an awful lot of communicating in the clear, including unencrypted SMS and Facebook messenger. On top of that, what the hell does "Europe has been a major driver for more encryption" even mean? Perhaps it's true that they've been adopting more encryption to hide from the NSA's spying that Feinstein herself helped hide from everyone.

Sixth: the whole PlayStation thing has been debunked as a way that the Paris attackers communicated. They did not. Furthermore, she's just wrong that the PlayStation has end-to-end encryption. It does not.

Seventh, does she honestly believe that whoever blew up that Russian airplane downloaded bomb-making instructions from the internet? Also, if it were really so easy to get such instructions and get them through security, don't you think we'd have seen a lot more airplanes blown up by now?

In summary, Feinstein (a month ago) said we should all be deathly afraid of cyberattacks, and the only way to solve it was to give the government much greater access to companies' computer systems, via CISA. And, now, she insists that encryption is an "Achilles's heel" and that actual cybersecurity experts are lying when they say undermining encryption will put everyone at risk. Why? Because The Anarchist's Cookbook is online and Google won't take it down.

Is it really so much to ask for politicians to actually understand technology before they go off on ridiculous, ignorant, uninformed rants about it -- often leading to even more ridiculous and dangerous legislation?

Filed Under: cisa, cybersecurity, dianne feinstein, encryption, going dark, surveillance, terrorists

Telegraph Publishes The Dumbest Article On Encryption You'll Ever Read... Written By David Cameron's Former Speechwriter

from the no dept

Over the weekend, the Telegraph (which, really, is probably only the second or third worst UK tabloid), published perhaps the dumbest article ever on encryption, written by Clare Foges, who until recently, was a top speech writer for UK Prime Minister David Cameron (something left unmentioned in the article). The title of the article should give you a sense of its ridiculousness: Why is Silicon Valley helping the tech-savvy jihadists? I imagine her followups will including things like "Why is Detroit helping driving-savvy jihadists?" and "Why are farmers feeding food-savvy jihadists?"

The article is perhaps even dumber than the headline, but let's dig in.

What will it take? 129 dead on American soil? 129 killed in California? What level of atrocity, what location will it take for the Gods of Silicon Valley to wake up to the dangerous game they are playing by plunging their apps and emails ever deeper into encryption, so allowing jihadists to plot behind an impenetrable wall?

"Plunging their apps even deeper into encryption"? I don't even know what that means, but let's flip it around: How many hacked credit cards, medical information and email accounts will it take for the Gods of Silicon Valley to wake up and recognize they need to better protect user data. Because that's what's actually happening. Encryption is not about "allowing jihadists to plot behind an impenetrable wall" it's about protecting your data -- even that of Clare Foges -- from malicious attackers who want access to it. Or does Foges and her former boss David Cameron communicate out in the open where any passerby can snoop on their messages?

Does this mean some bad people can use encryption? Yes. But it's not as "impenetrable" as she seems to think (we'll get to her knowledge of technology and encryption in a moment). Even if you're using encryption, there is still plenty of metadata revealed. Furthermore, there have always been ways to communicate in less-than-understandable or less-than-trackable way -- and the terrorist community has used them forever. They don't need to rely on "Silicon Valley" giants.

But, more to the point, undermining encryption makes everyone significantly less safe. The whole idea that weakening encryption makes people more safe is profoundly ignorant. Even more ridiculously, Foges blames Ed Snowden for this:

Why? It goes back to Edward Snowden, the weaselly inadequate whose grasp for posterity has proved a boon for Isil. They should be gratefully chanting his name in Raqqa, for it was Snowden’s revelations about government surveillance methods that triggered this extraordinary race towards deeper encryption.

This, of course, is wrong. Stupidly, ignorantly, wrong. Again, studies have shown that post-Snowden, terrorists didn't change anything in how they communicate. They were already using encryption and reports suggest that they'd been using encryption going back more than a decade. Snowden's revelations only pointed out how governments were doing mass surveillance on ordinary citizens. Everyone -- including various terrorist organizations -- already assumed (correctly) that they were spying on terrorist organizations and sympathizers. So it's not clear what Foges is claiming here, other than that she's pulling a Dana Perino and shielding her ex-boss from criticism by blaming the whistleblower.

All this is making the job of the security services infinitely harder. FBI Director James Comey calls the challenge “going dark”. Leads are followed until they hit the brick wall of indecipherable data. A few years ago law enforcement agencies could approach Hotmail or Google with a warrant and get vital information to stop horrors unfolding. Now the data they salvage is often gobbledegook – a load of encrypted numbers that are impossible to read. They are trying to save lives but are being frustrated by encrypted technology.

This is also astoundingly ignorant and wrong. To date, the FBI and others have failed to present a single example of where encryption has actually been a problem in deciphering this information. Also, naming Hotmail and Google is wrong as well, as neither Hotmail nor Gmail currently offer end-to-end encryption in a manner that anyone really uses. Google does have a test version available, but the number of people using it is barely notable. So, yes, if law enforcement goes to Google with a valid warrant, it's going to turn over your emails.

This isn’t about privacy, it’s about profit

This may be the most ignorant statement of all. Encryption also means that these same companies cannot scan the contents of your email, for example to place ads against them. In fact, most people have noted that the reason Google hasn't really embraced end-to-end encryption in Gmail is that it would undermine the business model of that product. But, Foges is on a roll of ignorant bullshit and she can't let little things like facts get in the way.

And, of course she concludes with the usual ridiculousness about how she's just so sure that if they put their minds and money to it, they can figure out how to fix this "problem."

The global tech industry made around $3.7 trillion last year. They employ some of the brightest people on the planet. Apple et al could, if they wanted, employ a fraction of these resources to work out how we can simultaneously keep the good guys’ data secure and keep the bad guys in plain sight. The geniuses of Silicon Valley would be more than a match for the dunderheads in the desert.

Except, overestimating your side and underestimating the enemy seems like a pretty stupid idea -- especially when you're pushing for the impossible. And the idea that you can magically "keep the good guys’ data secure and keep the bad guys in plain sight" is pretty laughable. You don't need to be an expert to recognize the ridiculousness of that statement. Who do you determine are "the good guys" and who are "the bad guys"? Is that something you can code? Because, based on this, I'd argue that Foges is "a bad guy." Is she okay with her information being passed in plain sight? And, of course, the reality is even more ridiculous because, as has been explained in great detail in the past, encryption where "the good guys" have access is encryption that doesn't work -- and thus it's encryption that makes us all less safe.

Asking for encryption that only protects "the good guys" is publicly asking for the impossible. It's an astoundingly ignorant question, that anyone with any amount of expertise would tell you is not a good question to ask.

On Twitter, some people have been pushing back on Foges, and her response has been... well, less than inspiring. When people have pointed out that she seems ignorant of the facts, she not only misses the point, but seems proud of her ignorance. It's fairly stunning, but Foges article gets almost everything wrong. It doesn't understand encryption. It doesn't understand what tech companies are doing. It doesn't understand how security works. It's just... wrong. When someone on Twitter confronted her about this, she insisted that she interviewed people who felt that it was possible to create such encryption, but then went silent when lots and lots of tech experts asked her to name a single technology professional who agreed with her.

Similarly, it's somewhat bizarre that the Telegraph doesn't note that Foges spent the past few years as UK Prime Minister David Cameron's chief speech writer, and still lists herself as an advisor to Cameron. Seems like something that should have been disclosed. The newspaper isn't exactly known for its accuracy, but this is an embarrassment for both Foges and the Telegraph.

Filed Under: clare foges, encryption, going dark, privacy, security

Hillary Clinton Joins The 'Make Silicon Valley Break Encryption' Bandwagon

from the are-there-any-good-presidential-candidates? dept

Presidential candidate Hillary Clinton gave a speech yesterday all about the fight against ISIS in the wake of the Paris attacks. While most of the attention (quite reasonably so) on the speech was about her plan to deal with ISIS, as well as her comments on the ridiculous political hot potato of how to deal with Syrian refugees, she still used the opportunity to align herself with the idiotic side of the encryption debate, suggesting that Silicon Valley has to somehow "fix" the issue of law enforcement wanting to see everything. Here's what she said:

Another challenge is how to strike the right balance of protecting privacy and security. Encryption of mobile communications presents a particularly tough problem. We should take the concerns of law enforcement and counterterrorism professionals seriously. They have warned that impenetrable encryption may prevent them from accessing terrorist communications and preventing a future attack. On the other hand, we know there are legitimate concerns about government intrusion, network security, and creating new vulnerabilities that bad actors can and would exploit. So we need Silicon Valley not to view government as its adversary. We need to challenge our best minds in the private sector to work with our best minds in the public sector to develop solutions that will both keep us safe and protect our privacy.

Now is the time to solve this problem, not after the next attack.

It does not. Weakening encryption undermines both security and privacy. There's no "balance" to be had here. You want to maximize both security and privacy and the way you do that is with strong encryption.

Also, the bit about "Silicon Valley" has to "not view government as its adversary" is another bullshit line that has been favored by James Comey and others, who keep insisting that when technologists explain to him that backdooring encryption in a manner that only "the good guys" can use it is impossible that they really mean they haven't tried hard enough. Once again, that's not it. What pretty much the entire tech community has been saying is that it's impossible to create such a thing without undermining the whole thing and making everyone less safe. Hell, here's security expert Steve Bellovin explaining this pretty clearly. He goes step by step through why it won't work, why it makes things more dangerous, why it will be abused, and why it will put us all at risk.

And the reason that Silicon Valley views the government as adversaries is because speeches like Clinton's sets them up that way. Her speech, like Comeys' past speeches are directly setting up the government as an adversary to good computer security, asking technologists to undermine their own creations and make everyone less safe for some unclear amorphous belief that it might make a few people more safe at some point in the future. So, the answer isn't scolding Silicon Valley as Hillary has chosen to do, but rather understanding reality, and recognizing that what she is directly advocating for is to harm the safety of Americans and others around the globe.

This raise serious questions about who is advising Clinton on tech policy. When she was at the State Department, it actually did a lot of really good things on encryption and protecting communications of people around the globe. It's pretty ridiculous for Clinton to undermine her own efforts with such a dumb statement in this speech.

Filed Under: encryption, going dark, hillary clinton, security, silicon valley

The Paris Attacks And The Encryption/Surveillance Bogeyman: The Story So Far

from the let's-review dept

Okay, let's review. On Friday, a horrific and tragic series of attacks took place in Paris. And then:

1. Surveillance state apologists blame Ed Snowden, insisting that he has "blood on his hands" because the terrorists must have learned how to avoid surveillance from his releases.
2. Hysterical politicians blame encryption for the attacks, insisting that tech companies and basic math are clearly to blame.
3. The Manhattan DA and others call for end-to-end encryption to be banned (while amusingly insisting they're not calling for a ban).
4. Senator John McCain promises to outlaw end-to-end encryption despite the fact that there is still no actual evidence that encryption was the issue at all.

All of this is no surprise, as just a couple of months ago the intelligence community's top lawyer flat-out admitted that he and his friends planned to wait for the next terrorist attack to push their agenda.

Of course, over the past few days, the following has happened:

1. It turns out the attackers used unencrypted SMS to communicate. All the hand-wringing over encryption and "learning from Snowden" appears to have been exaggerated.
2. There is no evidence that mass surveillance has ever stopped an attack which seems to raise some important questions about why it's such a focus.
3. It turns out some of the attackers were already known to the intelligence community and law enforcement, and yet they failed to make use of existing powers and authorities to prevent the attacks.
4. And, for good measure, there still remains little actual evidence that terrorists have changed anything in how they communicate post-Snowden. That last one is from a study from a year ago, but does seem relevant.

So that seems to be the story so far, despite what you may have seen with hand-wringing and all sorts of freakouts in the press about encryption.

Yes, preventing terrorism is important. And it would be great if the intelligence community were actually able to do that. But it seems pretty clear that mass surveillance techniques aren't doing much to help at all, though it is diminishing the privacy of everyday citizens. Perhaps before rushing to expand the surveillance state and undermine the encryption that actually does keep us all safe, we should recognize reality, rather than the fantasy-land pronouncements of FBI Director James Comey, CIA Director John Brennan and their friends.

Filed Under: encryption, going dark, intelligence community, paris attacks, surveillance

The Paris Attacks Were An Intelligence Community Failure, Not An 'Encryption' Problem

from the let's-put-the-blame-where-it-belongs dept

Over the past few days, we've been highlighting the fever pitch with which the surveillance state apologists and their friends have been trampling over themselves to blame Ed Snowden, blame encryption and demand (and probably get) new legislation to try to mandate backdoors to encryption.

And yet, as we noted yesterday, it now appears that the attackers communicated via unencrypted SMS and did little to hide their tracks. On top of that, as Ryan Gallagher at the Intercept notes, some of the attackers were already known to law enforcement and the intelligence community as possible problems. But they were still able to plan and carry out the attacks. Even more to the point, Gallagher points out that after looking at the 10 most recent high profile terrorist attacks, the same can be said for each of them:

The Intercept has reviewed 10 high-profile jihadi attacks carried out in Western countries between 2013 and 2015..., and in each case some or all of the perpetrators were already known to the authorities before they executed their plot. In other words, most of the terrorists involved were not ghost operatives who sprang from nowhere to commit their crimes; they were already viewed as a potential threat, yet were not subjected to sufficient scrutiny by authorities under existing counterterrorism powers. Some of those involved in last week’s Paris massacre, for instance, were already known to authorities; at least three of the men appear to have been flagged at different times as having been radicalized, but warning signs were ignored.

Nicholas Weaver, writing over at Lawfare, has a really fantastic article over "the limits of the panopticon" that basically puts all of this into perspective, noting (1) with so many "known radicals" to follow, there is no way for the intelligence community/law enforcement to actually get the information to predict these attacks and (2) there are plenty of ways for people who know each other to communicate, even without encryption, that won't increase suspicion.

First, the sheer volume of “known radicals” –at least 5000—makes prospective monitoring impossible. How does one effectively monitor 5000 individuals and identify who among them will pose an actual threat? After all, most never will. It didn’t matter that Salah Abdeslam used his own name and credit card when booking his hotel room. Abdeslam was simply one of thousands identified as maybe or maybe not posing a threat.

Even reducing the volume of targets may be insufficient. Assuming the authorities were able to focus on 500 or 50 individuals instead of 5000, the communication patterns of a terrorist cell are remarkably similar to those of any family or group. Unless authorities are aware that an individual is actively (rather than potentially) dangerous, electronic monitoring may provide little prospective benefit, unless they can intercept the contents of a communication that makes a threat clear.

But the communication content of an even minimally proficient terrorist provides little value. Human codes are often employed. We now know that final coordination took place using unencrypted SMS, but unless one already has already identified the terrorist cell and at least some basic details of a plot, tracking an SMS that says "On est parti on commence" (which roughly translates to “Let’s go, we’re starting”) provides little actionable intelligence.

In other words, all the calls for increased surveillance and less encryption really seem like a smoke screen by an intelligence community that failed. It's entirely possible that their job is an impossible one, but at the very least we should be dealing in that reality. Instead, the intelligence community that failed is doing everything possible to shift the blame to encryption and Snowden, rather than admitting the fact that they knew who these people were, that encryption wasn't the issue and that maybe doubling down on those policies won't help at all. Of course, it might take some of the pressure off of them for failing to prevent the attack.

Still, as we've noted, almost every case of a "prevented" attack hasn't involved actual plotters, but rather the fake cooked-up plots by the FBI itself. So, we seem to have a law enforcement and intelligence community that is terrible at stopping real plots, but really good at putting unrelated people in jail for made-up plots. And now they want more power for surveillance and to undermine the encryption that keeps us all safe?

Filed Under: encryption, going dark, intelligence community, mass surveillance, paris attacks, surveillance

Manhattan DA's Office Serves Up Craptastic White Paper Asking For A Ban On Encryption

from the and-just-a-couple-of-backdoors,-maybe-FOR-SAFETY! dept

Manhattan DA Cyrus Vance may not know what the fuck he's talking about when he discusses encryption, the internet and other tech-related issues. But that's certainly not going to keep him from talking about them.

A just-published "white paper" from the Manhattan DA's office (h/t Matthew Green) offers up all sorts of stupidity in its attempt to justify anti-encryption legislation.

It starts with lofty ideals…

This Report is intended to:

1) Summarize the smartphone encryption debate for those unfamiliar with the issue;
2) Explain the importance of evidence stored on smartphones to public safety;
3) Dispel certain misconceptions that many privacy advocates hold about law enforcement’s position related to encryption, including the myth that we support a “backdoor” or government-held “key;”
4) Encourage an open discussion with technology companies, privacy advocates, and lawmakers; and
5) Propose a solution that protects privacy and safety.

… before throwing most of these out completely, starting with the "open discussion" with the affected stakeholders.

Vance's office doesn't want to burden the nation's tech companies with "golden keys" or "good guy-only" backdoors. The paper admits such a "solution" would be complicated and expensive. (But not impossible, notably.)

His solution? Something that doesn't burden tech companies, but simply leaves their customers unprotected. No backdoors will be needed because there will be nowhere to install one.

The federal legislation would provide in substance that any smartphone manufactured, leased, or sold in the U.S. must be able to be unlocked, or its data accessed, by the operating system designer. Compliance with such a statute would not require new technology or costly adjustments. It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.

That's the big idea: a ban on encryption, presented disingenously as "Not A Ban." For all the paper's supposed "discussion" of the issues and contemplation of concerns expressed by companies and their customers, this is the DA's office's brilliant cure-all: federal legislation that would prevent companies from deploying encryption -- at least not without holding onto a set of keys for government use.

Offered in support of these arguments are the horrendous laws being contemplated/passed in other countries like the UK and France. If they can do it, we can do it! Vance's office argues any resulting harm to human rights civil liberties will be minimal. Undiscussed is the resulting harm to innocent users whose phones' contents are no longer encrypted.

The paper also discusses various workarounds that have been suggested, like accessing the unencrypted contents of cloud storage services connected to users' phones. The DA's office says that just isn't good enough. For one thing, not every user utilizes the cloud services offered by Google and Apple. The office's argument against seeking other routes to communications and data is astoundingly terrible.

[S]martphone users are not required to set up a cloud account or back up to the cloud, and therefore, many device users will not have data stored in the cloud. Even minimally sophisticated wrongdoers who use their devices to perpetrate crimes and who have cloud accounts will likely take the relatively simple steps necessary to avoid backing up those devices, or data of interest, to the cloud. In most instances, only one or two selections must be made in the device’s settings to turn off the back-up function or to remove certain types of content from the back up.

There's a huge problem with this paragraph. It makes the assertion that criminals are more likely to avoid utilizing cloud backup services while simultaneously noting that this process is entirely optional and will not be used by most people. Using this logic, an average user may also be a "minimally sophisticated wrongdoer," at least as far as law enforcement can tell from what it finds stored in the cloud.

The underlying point is that lots of data and communications still reside within the phone itself and law enforcement will not be able to access this without Apple or Google leaving a door open for it.

The office does further damage to its own arguments for banning encryption by highlighting a string of successful prosecutions utilizing evidence recovered from cell phones. It uses this list to highlight the amount of "probative evidence" obtained from cell phones while simultaneously (and inadvertently) pointing out that law enforcement really hasn't been stymied by encryption, despite Vance's FUD-filled imaginations to the contrary.

And, finally, let's take a look at one more bogus analogy made by Vance's office, in which he tries to equate phones with houses.

The Fourth Amendment dictates that search warrants may be issued only when a judge finds probable cause to believe that a crime has been committed and that evidence or proceeds of the crime might be found on the device to be searched. The warrant requirement has been described by the Supreme Court as “[t]he bulwark of Fourth Amendment protection,” and there is no reason to believe that it cannot continue to serve in that role, whether the object that is to be searched is an iPhone or a home.

In fact, what makes full-disk encryption schemes remarkable is that they provide greater protection to one’s phone than one has in one’s home, which, of course, has always been afforded the highest level of privacy protection by courts. Apple and Google should not be able to alter this constitutional balance unilaterally. Every home can be entered with a search warrant. The same should be true of devices.

A more honest analogy would compare phones to computers, which is basically what they are. While a warrant may give cops access to someone's computer -- allowing them to seize it -- it does not guarantee they'll be able to access its contents. Vance wants to compare opening a phone to opening a door, but it's not a true comparison. If people could make their houses as impregnable as their phones and computers, some very likely would -- and not just the theoretical "minimally sophisticated criminals." A house that cops can't get into is a house criminals can't get into. But there's no way to encrypt a door or window.

The paper tries to portray this as somehow making phones more private than houses in terms of the Fourth Amendment. But encrypted phones have nothing to do with a heightened expectation of privacy. Encryption makes phones more secure than houses, not more private than houses. The Fourth Amendment considerations aren't being shifted. It's only the level of instant access that's being changed. Vance's office -- being part of the law enforcement community -- should welcome efforts that make citizens more secure. Instead, all it's doing is bitching loudly and disingenously about all the power it imagines encryption will strip away from it.

Filed Under: backdoors, cyrus vance, encryption, encryption backdoors, going dark, ny

After Endless Demonization Of Encryption, Police Find Paris Attackers Coordinated Via Unencrypted SMS

from the anonymous-sources-say dept

In the wake of the tragic events in Paris last week encryption has continued to be a useful bogeyman for those with a voracious appetite for surveillance expansion. Like clockwork, numerous reports were quickly circulated suggesting that the terrorists used incredibly sophisticated encryption techniques, despite no evidence by investigators that this was the case. These reports varied in the amount of hallucination involved, the New York Times even having to pull one such report offline. Other claims the attackers had used encrypted Playstation 4 communications also wound up being bunk.

Yet, pushed by their sources in the government, the media quickly became a sound wall of noise suggesting that encryption was hampering the government's ability to stop these kinds of attacks. NBC was particularly breathless this week over the idea that ISIS was now running a 24 hour help desk aimed at helping its less technically proficient members understand encryption (even cults help each other use technology, who knew?). All of the reports had one central, underlying drum beat implication: Edward Snowden and encryption have made us less safe, and if you disagree the blood is on your hands.

Yet, amazingly enough, as actual investigative details emerge, it appears that most of the communications between the attackers was conducted via unencrypted vanilla SMS:

"...News emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall massacre. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS messaging saying “we’re off; we’re starting.” Police were also able to trace the phone’s movements.

The reports note that Abdelhamid Abaaoud, the "mastermind" of both the Paris attacks and a thwarted Belgium attack ten months ago, failed to use any encryption whatsoever (read: existing capabilities stopped the Belgium attacks and could have stopped the Paris attacks, but didn't). That's of course not to say batshit religious cults like ISIS don't use encryption, and won't do so going forward. Everybody uses encryption. But the point remains that to use a tragedy to vilify encryption, push for surveillance expansion, and pass backdoor laws that will make everybody less safe -- is nearly as gruesome as the attacks themselves.

Filed Under: clear text, encryption, going dark, isis, overreaction, paris attacks, sms, surveillance, terrorism

Senator McCain Promises To Introduce Legislation To Backdoor Encryption, Make Everyone Less Safe

from the bad-ideas dept

Two months ago, the Obama administration came to the conclusion that mandating backdoors to encryption through legislation was a non-starter. They seemed to recognize that it was mostly a bad idea and (more importantly) that Congress would not approve such legislation. Almost immediately, we noted that intelligence officials (almost gleefully) noted that they really just needed to wait for the next terrorist attack to restart the campaign. Here was Robert Litt, the top lawyer in the intelligence community:

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Given all that, it was disappointing that the Obama administration then took the cowardly way out, and refused to take an official public stance against backdooring encryption.

Either way, with the attacks in Paris last week, it almost seems like the anti-encryption crowd was somewhat gleeful in their response. Why, here was the exact terrorist attack they needed to push their agenda.

And, of course, the idea of mandated backdoors is back on the table, with Senator John McCain announcing plans to introduce just such legislation:

“In the Senate Armed Services we're going to have hearings on it and we're going to have legislation,” Sen. John McCain (R-Ariz.), who chairs the committee, told reporters Tuesday, calling the status quo “unacceptable.”

Of course, that legislation was ready to go, sitting in a top drawer just waiting for this kind of situation. And now we have to waste all sorts of time responding to this idiocy even though just months ago we went through this whole debate all over again, during which it was pretty clear that backdooring encryption makes us all much less safe. It puts everyone at greater risk, not less.

So the question remains: why do officials and politicians like Senator McCain want to undermine our safety and security? And, even more bizarrely, how is this the same John McCain who was on the other side during the last crypto wars?

Filed Under: backdoors, encryption, going dark, john mccain