Trump's Pick For FBI Head Sounds A Lot Like The Guy He Fired When It Comes To Encryption

from the BACK-TO-WORK,-NERDS dept

Trump's pick to head the FBI -- former DOJ prosecutor Christopher Wray -- appeared before the Senate to answer several questions (and listen to several long-winded, self-serving statements). Wray's confirmation hearing went about as well as expected. Several senators wanted to make sure Wray's loyalty lay with the nation rather than the president and several others hoped to paint him into a Comey-bashing corner in order to belatedly justify Trump's firing of his (potential) predecessor.

Wray also spent a lot of time not talking about things he claimed he was unfamiliar with -- covering everything from presidential directives, to Donald Trump Jr.'s Russian emails, to questions about CIA human rights violations that went unnoticed/unprosecuted during his tenure in the DOJ.

Sen. Orrin Hatch -- as he did during a recent Comey hearing -- brought up the subject of encryption. Hatch claims he "agrees with Tim Cook," which places him in opposition to Sens. Feinstein and Burr. It also puts him in opposition of the possible new FBI boss, who had this to say about encryption. (h/t Politico's Eric Geller)

I think this is one of the most difficult issues facing the country. There's a balance that has to be struck between the importance of encryption, which I think we can all respect when there are so many threats to our systems, and the importance of giving law enforcement the tools that they need to keep us safe.

You can already tell where this is going. Encryption is great and all, but what's would be really great is some sort of backdoor-type thingy.

Wray continued by swiftly jumping to the other side of the argument -- at least in terms of team uniform. Certainly not in terms of how the "other side" feels about encryption and backdoors.

I don't know sitting here today as an outsider and a nominee before this committee what the solution is, but I do know that we have to find a solution. And my experience in trying to find solutions is that it's more productive for people to work together than to be pointing fingers blaming each other. And that's the approach I've tried to take to almost every problem I've tackled. And that's the approach I would want to take here in working with this committee and the private sector.

One advantage to having been in the private sector for a while is that I think I know how to talk to the private sector, and I would look for ways to try to see if I could get the private sector more on-board to understand why this issue is so important to keep us all safe.

So far, so Comey. New suit in the office, but it fits the same as the last one. Wray thinks both sides should work together but strongly hints the actual work will have to be done by the private sector. The problem, according to a guy who's worked "both sides," is the private sector needs to be more "on-board." And that indicates Wray feels the problem isn't the lack of both sides working together, but the other side not capitulating. That's a problem, and it sounds a whole lot like X more years of Comey.

Filed Under: chris wray, encryption, fbi, going dark, james comey

Aussie Prime Minister Says The Laws Of Math Don't Apply In Australia When It Comes To Encryption

from the good-luck-with-that,-mate dept

Oh boy. It's no secret that the Australian government -- led by George Brandis (who has made it abundantly clear he has no clue what a VPN is or what metadata is) -- is pushing strongly for mandated backdoors to encryption. At this point, it's beating a dead horse, but this is a very, very bad idea for a whole host of reasons -- mainly having to do with making absolutely everyone significantly less safe.

And it appears that Brandis' ignorance has moved up the chain of command. Australian Prime Minister Malcolm Turnbull has now put out what may be the single dumbest statement on encryption yet (and that's a pretty high bar). After being told yet again that safe encryption backdoors violate basic mathematics, Turnbull became super patriotic about the ability of Australian law to trump mathematics:

"The laws of Australia prevail in Australia, I can assure you of that," he said on Friday. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

And, then he pulled out the "nerd harder, nerds" argument:

"I'm not a cryptographer, but what we are seeking to do is to secure their assistance," Turnbull said. "They have to face up to their responsibility. They can't just, you know, wash their hands of it and say it's got nothing to do with them."

"I am sure they know morally they should. Morally they should."

So after admitting that he doesn't understand how this works, he's saying that the "moral" responsibility of cryptographers -- who have basically all told him his plan will make people less safe -- is to make people less safe.

Turnbull seems to think he can get around the whole problem by... semantics. You see, if we just redefine things and say we're not asking for "backdoors" then it's fine:

"A back door is typically a flaw in a software program that perhaps the -- you know, the developer of the software program is not aware of and that somebody who knows about it can exploit," he said. "And, you know, if there are flaws in software programs, obviously, that's why you get updates on your phone and your computer all the time."

"So we're not talking about that. We're talking about lawful access."

That bit of word salad suggests that at least a tiny smidgen of actual knowledge made it into his brain. A backdoor is an exploit. But "lawful access" is a backdoor. Pretending they are different suggests a fairly staggering level of ignorance.

Not to be outdone, but Brandis then took his own turn at the podium to spew more ignorance:

Asked how Australia's proposed regime would allow local authorities to read messages sent with either WhatsApp or Signal, Brandis said “Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible.”

Right. It's pretty well known that intelligence communities can frequently hack into things to get messages, but not because of backdoors to encryption but through other flaws. This includes things like keyloggers or other spyware that effective route around the encryption. But that's entirely different than demanding backdoors. And, of course, this all comes about a week after GCHQ's own former boss argued that attacking the end points was a better strategy than backdoors. It's almost certain that what GCHQ told Brandis is that they can be pretty successful in attacking those endpoints, without undermining encryption -- and that message got twisted in Brandis' mind to believe that it meant that there were already backdoors in Whatsapp and Signal (there are not).

This whole thing is a somewhat tragic comedy of errors with completely clueless politicians making policy badly, potentially putting everyone at risk... while astoundingly claiming that laws can trump basic mathematics. What a joke.

Filed Under: australia, encryption, gchq, george brandis, going dark, malcolm turnbull, math, nerd harder
Companies: signal, whatsapp

Former Head Of GCHQ Says Don't Backdoor End-To-End Encryption, Attack The End Points

from the putting-an-end-to-the-end-to-end-debate dept

When he was head of GCHQ, Robert Hannigan said some pretty clueless things about the Internet and encryption. For example, in 2014, he accused tech companies of 'facilitating murder', and joined in the general demonization of strong crypto. Last year, he called for technical experts to work more closely with governments to come up with some unspecified way around encryption. Nobody really knew what he meant when he said:

"I am not in favor of banning encryption. Nor am I asking for mandatory back doors. … Not everything is a back door, still less a door which can be exploited outside a legal framework."

Now, speaking to the BBC, he has clarified those remarks, and revealed how he thinks governments should be dealing with the issue of end-to-end encryption. As he admits:

"You can't uninvent end-to-end encryption, which is the thing that has particularly annoyed people, and rightly, in recent months. You can't just do away it, you can't legislate it away. The best that you can do with end-to-end encryption is work with the companies in a cooperative way, to find ways around it frankly."

He emphasized that backdoors are not the answer:

"I absolutely don't advocate that. Building in backdoors is a threat to everybody, and it's not a good idea to weaken security for everybody in order to tackle a minority."

So what is the solution? This:

"It's cooperation to target the people who are using it. So obviously the way around encryption is to get to the end point -- a smartphone, or a laptop -- that somebody who is abusing encryption is using. That's the way to do it."

As Techdirt reported earlier this year, this is very much the approach advocated by top security experts Bruce Schneier and Orin Kerr. They published a paper describing ways to circumvent even the strongest encryption. It seems that Hannigan has got the message that methods other than crypto backdoors exist, some of which require cooperation from tech companies, which may or may not be forthcoming. It's a pity that he's no longer head of GCHQ -- he left for "personal reasons" at the beginning of this year. But maybe that has given him a new freedom to speak out against stupid approaches. We just need to hope the UK government still listens to him.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: encryption, gchq, going dark, hacking, robert hannigan, security

The Great Firewall Of China Grows Stronger As China Forces App Stores To Remove VPNs

from the total-information-control dept

Like clockwork, governments eager to censor the internet inevitably shift their gaze toward tools like VPNs used to get around restrictions. We've documented rising efforts to ban the tools use in countries like Russia, where VPN providers are being forced out of business for refusing to aid internet censorship. Whether it's to protect VoIP revenue for state-run telecom monopolies, or to prevent users from tap-dancing around state-mandated filters or other restrictions, VPNs have become the bogeyman du jour for oppressive governments looking to crack down on pesky free speech and open communication.

China's great firewall is a sterling example of draconian censorship, and since 2012 or so China has been trying to curtail both encryption and VPN use. Earlier this year China's Ministry of Industry and Information Technology declared that all VPN providers now needed prior government approval to operate, a move generally seen as the opening salvo of an outright ban. These new restrictions will last until July 2021, impose fines up to $2000 on companies offering unsanctioned VPNs (read: all of them), and feature government warnings sent to users consistently caught using the tools.

But in some areas, the pretense has washed away and VPN usage has been simply banned entirely. And as of July, VPN services began disappearing from both the Android and iOS app stores, with popular VPN providers like Green informing their customers the government has forced them to shut down completely:

"Dear respected Green customers,

We have received notice from the higher authorities. We regret to inform you that Green will cease our service on July 1st, 2017. We apologize for any inconvenience caused.

We will start processing our users’ refund request after service stopped (the amount will be calculated based on the remaining days in your plan). If you need a refund, please make sure to submit your refund request by August 31, 2017. We won’t be able to process any refund request submitted after that date. Since the workload of processing the requests, information verification and money transfer would be huge, we won’t be able to set an exact date for the refund. We plan to process the refund soon after August 31, please wait patiently.

Originally, statements made by the Ministry of Industry and Information Technology seemed to suggest the country's VPN ban wouldn't be fully implemented until March 2018. But these recent reports indicate that the Chinese government has grown tired of the pretense and has expedited its VPN crackdown dramatically. Since around 1-3% of China's 731 million internet users use tools like VPNs to tap dance around internet filters, even with this crackdown this will be a long, difficult, expensive game of Whack-a-Mole for the Chinese government all the same.

While VPNs are not a panacea for our endlessly eroded privacy rights, they remain an incredibly useful tool for those living under repressive regimes. Most legislative VPN bans are of the "death by a thousand cuts" variety, where lawmakers go out of their way to pretend they're not trying to kill VPNs, even if the end goal always remains the same: the elimination of any tool that might let citizens peek through the curtain of draconian efforts at information control.

Filed Under: app stores, china, encryption, great firewall, mobile, privacy, security, surveillance, vpns

Moving Beyond Backdoors To Solve The FBI's 'Going Dark' Problem

from the though-it-seems-the-FBI-should-be-doing-more-to-solve-it... dept

Former FBI Director James Comey stated on more than one occasion that he'd like to have an "adult conversation" about device encryption. He wasn't sincere. What he actually meant was he'd like to have all the "smart people" in the tech world solve his problems for him, either by capitulating to his requests for encryption backdoors or by somehow crafting the impossible: a secure backdoor.

Comey is gone, but his legacy lives on. The FBI wants to keep the "going dark" narrative alive. Deputy Attorney General Rod Rosenstein has already asked Congress for $21 million in "going dark" money, supposedly to help the agency explore its options.

The problem is, the options could be explored for a much lower price. Kevin Bankston offers up a few solutions -- or at least a few improved adult conversational gambits -- for the low price of $free over at Lawfare. The starting point is Comey's "adult conversation" talking point. Bankston points out you can't hold an adult conversation if you refuse to act like one.

Recently in Slate I responded to Comey’s repeated calls for an “adult conversation” on this seemingly endless debate. I replied that an “adult conversation” means moving past any discussion of discouraging or undermining the deployment of unbreakable encryption, in light of the broad consensus outside of the FBI that such a move would be dangerously bad policy. Rather than continuing to argue about whether or how we might force encryption technology to adapt to law enforcement’s needs, our time would be better spent focusing on how we can help law enforcement adapt to the technology.

This is a point many have tried to make, but Comey refused to listen. Let's stop talking about crafting magical backdoors and accept the fact it just isn't possible. Once this is accepted, everyone can move on. Plenty of options remain for law enforcement and, with the exception of the usual post-terrorist attack calls for backdoors, no one is really pushing backdoor legislation. Legislators are well-aware of the fact that weakening encryption causes far more problems than it solves and asks citizens to sacrifice their safety and security for the good of the nation a single federal law enforcement agency.

Bankston moves the discussion forward by discussing three areas the FBI could explore. The first involves lawful device hacking, which uses exploits and/or external hardware/software to access the content of locked devices. This sounds more nefarious than it actually is (vulnerability disclosure concerns aside). Basically, this just means doing what the FBI did to open up the iPhone seized in the San Bernardino shooting case.

The main problem Comey had with this approach is that it wouldn't scale. But that's kind of the point.

[T]he objection that hacking will never give law enforcement as much access as would a backdoor into or a ban on user-controlled encryption misunderstands the problem we’re trying to solve. The societal goal here is not to ensure that law enforcement can access every piece of data it might ever seek, but that it can get enough information to do its job, and hacking is certainly a part of the solution.

This route also involves legislation, both to define the limits of lawful hacking as well as to act as oversight for these activities. Obviously, both of these are things Congress doesn't do all that well: oversight and writing computer laws. So, there will be concerns that need to be addressed, but hacking is a far better solution than legislated backdoors or judicial precedent that does the same thing by allowing a 1789 law to govern access to smartphones and other locked devices.

Another key area Bankston addresses is the tech curve itself. Law enforcement often laments it's losing the Tech War to the bad guys. It's not as though this needs to be a foregone conclusion. Criminal minds are rarely the brightest minds. Even though the same could be said for law enforcement minds, the good guys do have a distinct advantage: the ability to coordinate talent and expertise for the benefit of all agencies. That, and a mostly cooperative bunch of tech companies that still want to help the good guys beat the bad guys.

Another key aspect of upping government investigators’ tech game is making sure that they all know exactly what data they can lawfully obtain from internet companies today, without any new technical mandates. That means we need companies to step up and educate law enforcement and everyone else about the data they have—all of it, and not just the data they typically offer as matter or course in response to legal process.

It's not like there's only one path to data and communications stored on a suspect's phone. Almost everything is backed up somewhere else by service providers. Concerns about users' privacy will need to be addressed by everyone involved, starting with a revamping of the Third Party Doctrine. But tech companies will also need to be more honest with their customers, letting them know exactly what's being stored outside of their devices and what law enforcement needs to have (warrant, subpoena, etc.) before the company turns over information.

[C]omprehensive transparency to law enforcement and the public about what data the companies are creating and storing is the only way that policymakers or the market will ever be able to enforce any real accountability over those practices, and I think (or at least hope) that the overall benefit to consumers’ privacy from that accountability will balance out the harmful effects of giving the government a full menu of data.

The final aspect Bankston addresses is obtaining data and communications stored overseas. Much of this is academic now that jurisdiction limitations have been removed by the recent Rule 41 changes. Unfortunately, there's little positive to note here. Mutual assistance treaties take too long to be of much use (6-12 months for compliance) and there being little direct translation of civil liberties between participating countries makes this even more difficult.

Unfortunately, as Bankston points out, American exceptionalism doesn't seem to be working out in our favor. It appears President Trump is trying to work out an exclusive deal with the UK to make this process easier. But "easier" just means more collateral damage to civil liberties and privacy on both sides of the pond. This may work in law enforcement's favor, but it's hardly the best solution to "going dark," seeing as it ignores 99% of the stakeholders (citizens) to give each government what it wants.

The answers aren't easy and they will involve compromises not everyone will be happy with. But it's far better than taking the FBI's approach, which appears to be demanding concessions from every tech company it might have to deal with. The discussion does need to push forward, with or without the FBI's input. It can't stay hung up where it is now, due to Comey's stubborn refusal to ask for anything but the impossible.

Filed Under: backdoors, encryption, fbi, going dark

Australia To Push For Encryption Backdoors At Next 'Five Eyes' Meeting

from the yet-another-forever-war dept

There's been no unified push for encryption backdoors from world leaders, but the number of those suggesting it might be a good idea has increased in recent months. UK Prime Minister Theresa May recently said terrorists shouldn't be allowed to use Whatsapp to hide their conversations from law enforcement even as her own party members routinely use the app to engage in secure communications. Newly-elected French president Emmanuel Macron said basically the same thing while campaigning, stating a preference for compelled access to encrypted communications.

Shortly before he was shown the exit door, former FBI director James Comey floated the idea of an "international framework" for encryption backdoors. It appeared Comey realized he wasn't going to be able to sell this idea at home, so perhaps a little international peer pressure would push US legislators towards mandating lawful access.

Comey may get his wish, even if he won't be able to take advantage of it himself. Australian Attorney General George Brandis is stating he'll be pushing for backdoors at the next Five Eyes meetup.

The United States, United Kingdom, Canada, Australia, and New Zealand, will meet in the Canadian city of Ottawa next week, where they will discuss tactics to combat terrorism and border protection, two senior Australian ministers said.

Australia has made it clear it wants tech companies to do much more to give intelligence and law enforcement agencies access to encrypted communications.

“I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption,” Australian Attorney General Senator Brandis said in a joint statement.

“These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies.”

Brandis has already rationalized away potential objections to backdooring encryption, reasoning that people's tendency to overshare on social media indicates they won't care if the government (or several governments, actually) has access to their private messages.

So far, there's very little real evidence criminals and terrorists are using encrypted services at a higher rate than non-criminals/terrorists. There have been several statements made to that effect and backed by public displays of devices law enforcement officials claim can't be unlocked, but most post-attack investigations show terrorists are still mostly using unencrypted communications platforms. Available evidence also shows investigations of normal criminal activity is rarely thwarted by device encryption. At this point, backdoors are a "solution" in need of a problem.

All that's happening here is a push to compromise personal security in the name of national security. A hole is hole, no matter how it's pitched in secret spy meetings.

Filed Under: australia, encryption, five eyes, going dark, surveillance

Deputy Attorney General Asks Congress For $21 Million To Solve The FBI's 'Going Dark' Problem

from the 21-million-buys-a-lot-of-hysteria dept

James Comey may have been unceremoniously dumped by the Commander-in-Chief, but his device encryption legacy lives on.

The Justice Department is requesting more than $20 million in federal funding to bankroll efforts related to resolving the government’s continuing “Going Dark” problem, Deputy Attorney General Rod Rosenstein said Tuesday, signaling one of the Trump administration’s first attempts at tackling the issue of ubiquitous, hard-to-crack encryption amid growing concerns involving its impact on criminal investigations.

The request came during Rosenstein's testimony before the Appropriations Committee -- the place where all government officials perform their most sincere acts of begging. Not that the FBI was likely to be faced with budget cuts -- not with a "law and order" president running the country and overseen by an Attorney General who appears to believe we're currently engulfed in a massive drug-and-immigrant crimewave.

Here's Rosenstein's full "going dark" budget request:

Department of Justice must continue to take a leading role in enhancing the capabilities of the law enforcement and national security communities. This budget request will provide $21.6 million in funding to counter the “Going Dark” threat. The seriousness of this threat cannot be overstated. “Going Dark” refers to law enforcement’s increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies. This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools. The Department’s role has been to collect, house, analyze, and share critical data among our federal, state, local, and tribal partners.

Beg to differ, but the "seriousness of this threat" can be overstated. Comey did so on multiple occasions. Sometimes others -- mainly Manhattan DA Cyrus Vance -- followed suit. Both claimed to have a large number of phones in their possession that couldn't be cracked. Even if the underlying assumption that all of these phones contained valuable evidence directly related to investigations, one still had to wonder how hard investigators were trying to get into these phones. Or how many other options they'd explored before throwing their hands up in frustration and resigning the devices to a dismal future as press conference props.

Take, for instance, this quote from the Washington Times article:

Days before leaving office on May 9, Mr. Comey said federal investigators had legally seized more than 6,000 smartphones and electronic devices during a recent six-month span but found that 46 percent couldn’t be opened “with any technique.”

This stat is almost completely unbelievable. Documents obtained from local law enforcement agencies with much smaller budgets show investigators are finding multiple ways to obtain data and communications from locked phones. We're also not hearing these sentiments echoed by law enforcement officials at the local level. If it's this much of a problem for the FBI -- nearly half of all devices seized -- one would think smaller agencies would be seeing a much higher access failure rate, followed directly by public complaints about device encryption. But we're just not seeing that.

Hopefully whatever's handed to the FBI to solve its apparently singular "going dark" program is put to use wisely. But nothing about the "going dark" hype suggests this will be the case. It may just disappear into some sort of talking points war fund and used to promote the spread of "going dark" hysteria until enough legislators are on the hook. If the money is deployed intelligently, it could actually make a difference for the agency. But all evidence points to the agency angling for legislation and favorable court precedent that will make the rest of us pay the price for the agency's inability or unwillingness to see anything but darkness when confronted with technical hurdles.

Filed Under: doj, encryption, going dark, hacking, rod rosenstein

There Is No 'Going Dark' Problem

from the to-make-investigative-omelets,-you've-got-to-crack-a-few-phones dept

Former FBI Director James Comey made plenty of headlines with his insistence cellphone encryption would be the end of law enforcement as we know it. Comey's assertions made it seem as though regular police investigative work was no longer of any use and that any and all evidence pertinent to cases resided behind cellphone passcodes.

He insisted the problem would only get worse in the future. If not put to an end by legislated backdoors or smart tech guys coding up "safe" holes in device encryption, we may as well accept the fact that no criminal committing more than a moving violation would ever be brought to justice.

Default encryption does pose a problem for law enforcement, but it's nowhere near as insurmountable as Comey has portrayed it. Multiple FOIA requests handled through MuckRock have shown law enforcement still has several phone-cracking options at its disposal and doesn't seem to be having many problems recovering evidence.

This is superbly illustrated in documents obtained from the Tulsa and Tuscon (AZ) Police Departments by Curtis Waltman. Tuscon PD documents [PDF] show law enforcement officers are using tools crafted by the same company that provided the hack to the FBI in the San Bernardino case, among several other options. But the real motherlode is the Tulsa PD's log of cracked phones.

The kicker really is how often these are being used - it is simply really hard to believe that out of the 783 times Tulsa Police used their extraction devices, all were for crimes in which it was necessary to look at all of the phone’s data… There are some days where the devices were used multiple times - Tulsa used theirs eight times on February 28th of this year, eight again on April 3rd, and a whopping 14 times on May 10th 2016. That is a whole lot of data that Tulsa was able to tap into, and we aren’t even able to understand the why.

The document contains page after page of cracked phones, ranging from Samsungs to HTCs to LGs… even iPhones (5 and 6). "Going dark" remains a Comey fairy tale, for the most part, if these documents are anything to go by.

And there's apparently very few rules for deployment of cellphone-cracking devices. Only one PD in Arizona returned any guidelines in response to requests and those rules basically state there are no rules. The Mesa PD's Computer Forensic Unit makes the most of its limited resources by limiting its work to… any crime at all.

This is the list of criminal activity the unit provides forensic work for, listed in order of priority.

Homicide
Sexual Assault
Child Crimes (which I assume means "crimes against children," rather than crimes committed BY children)
Aggravated Assault/Robbery
Property Crimes
All other felonies
All misdemeanors

Everything. That would explain the number of cellphones accessed by these PDs. Presumably other PDs are also operating under very loose guidance or none at all.

This sort of intrusiveness should be limited to serious felonies and investigations where it's plainly apparent the best route to evidence runs through the suspect's cellphone. Otherwise, law enforcement agencies are just using these tools because they have them, not because they necessarily need them.

Filed Under: data extraction, encryption, fbi, going dark, jim comey, law enforcement

Man To Spend 180 Days In Jail For Turning Over Non-Working Password

from the inadvertently-building-up-time-served-credit dept

The protections of the Fifth Amendment are running up against technology and often coming out on the losing end. Court rulings have been anything but consistent to this point. So far it appears password protection beats fingerprints, but not by much.

It all comes down to the individual court. Some view passwords as possibly testimonial in and of themselves, and side with defendants. Others view passwords as something standing in the way of compelled evidence production and punish holdouts with contempt of court charges.

That's what's happening to a Florida man suspected of child abuse. He claims he's given law enforcement his phone's password already, but prosecutors claim the password failed to unlock his phone. They believe his phone holds evidence of the physical abuse alleged -- a claim that seems a bit less believable than those made about child porn viewers and drug dealers.

The court, however, has sided with prosecutors.

A Hollywood man must serve 180 days in jail for refusing to give up his iPhone password to police, a Broward judge ruled Tuesday — the latest salvo in intensifying legal battles over law-enforcement access to smart phones.

Christopher Wheeler, 41, was taken into custody in a Broward Circuit Court, insisting he had already provided the pass code to police investigating him for child abuse, although the number did not work.

All that can be said for certain is prosecutors still don't have an unlocked phone. As prosecutors and this judge see it, the only explanation is that Wheeler lied. That earns him six months of jail time. Maybe Wheeler should have said he couldn't remember.

As Wheeler was jailed Tuesday, the same issue was unfolding in Miami-Dade for a man accused of extorting a social-media celebrity over stolen sex videos.

That man, Wesley Victor, and his girlfriend had been ordered by a judge to produce a pass code to phones suspected of containing text messages showing their collusion in the extortion plot.

Victor claimed he didn't remember the number. He prevailed.

This would be the same judge who determined turning over a password had no Fifth Amendment implications. However, the court found it plausible the defendant might not be able to remember the password to a phone he'd last used over ten months ago. But the ruling doesn't necessarily say the defendant is telling the truth. It only goes so far as saying it's almost impossible to prove he's lying. Given the gap between the phone's seizure and the demand for a password, it's a plausible claim.

His co-defendant made no such claim. Like Wheeler above, Victor's girlfriend handed over a password but it didn't work. The court has asked her to explain why. Given the judge's earlier Fifth Amendment determination, it's safe to assume Hencha Voigt will be facing jail time if the explanation isn't to the judge's liking.

Filed Under: 4th amendment, 5th amendment, christopher wheeler, encryption, forced revelation, locked phones, password, wesley victor

Russia Stumbles Forth In Quest To Ban VPNs, Private Messenger Apps

from the feel-safer-yet? dept

Last year we noted how Russia had introduced a new surveillance bill promising to deliver greater security to the country. Of course, like in so many countries, the bill actually did the exact opposite -- not only mandating new encryption backdoors, but also imposing harsh new data-retention requirements on ISPs and VPN providers. As a result, some VPN providers like Private Internet Access wound up leaving the country after finding their entire function eroded and having some of their servers seized.

This year, Russia hopes to deliver the killing blow to the use of VPNs and other privacy-protection tools.

The Duma's (the lower house of the Russian parliament) Information and Technology Committee has approved controversial draft legislation that would ban anonymity on messenger apps entirely. It's part of a crackdown on anonymous journalists that have (stop us if this sounds familiar) been leaking details on many of the sordid occurrences inside the often-corrupt Russian political machinery. Expected to take effect in 2018, the new law would require messenger users to verify their identities using their phone numbers, with Russian mobile phone operators expected to assist the government with this effort.

In concert, a bill has been submitted attempting to effectively ban VPN use entirely. In Russia, broadband users have increasingly turned to VPNs to avoid the growing-list of censored websites. To help thwart such usage, the bill would not only impose steep fines on VPN providers that don't agree to block blacklisted websites, but would require that ISPs terminate these companies' connection to the internet should they not comply:

As it stands, the bill requires local telecoms watchdog Rozcomnadzor to keep a list of banned domains while identifying sites, services, and software that provide access to them. Once the bypassing services are identified, Rozcomnadzor will send a notice to their hosts, giving them a 72-hour deadline to reveal the identities of their operators.

After this stage is complete, the host will be given another three days to order the people running the circumvention-capable service to stop providing access to banned domains. If the service operator fails to comply within 30 days, all Internet service providers will be required to block access to the service and its web presence, if it has one.

In short: help us censor the internet or you won't be allowed to do business in Russia. 100 VPN providers are already blocked in Russia for one reason or another, and Opera scaled back its Russian operations last November after Russian telecom regulator Roskomnadzor pressured it to include website filtering in the integrated VPN (now included in its Opera browser for free). The bill would also levy additional penalties on Russian search engines, forcing them to remove all links to sites Rozcomnadzor determines to be ban-worthy.

Like countless similar efforts across numerous countries, this is all framed as an utterly necessary step to thwart piracy, combat extremism and ensure the safety and security of the Russian people. But as with comparable proposals in the States and elsewhere, these proposals undermine encryption and essential security and privacy tools, making the general public notably less secure. They're also an expensive game of Whack-a-Mole as users looking for privacy simply flee to services like Tor or Zeronet, ensuring these services will be the demonized bogeymen of tomorrow.

Filed Under: encryption, private messaging, russia, vpns