As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.
James Clapper, Director of National Intelligence, is claiming that, according to NSA estimates the Snowden revelations sped up the adoption rate of encryption by 7 years. Apparently, that's based on NSA estimates of the adoption curve of encryption. As reported by Jenna McLaughlin at the Intercept:
“As a result of the Snowden revelations, the onset of commercial encryption has accelerated by seven years,” James Clapper said during a breakfast for journalists hosted by the Christian Science Monitor.
The shortened timeline has had “a profound effect on our ability to collect, particularly against terrorists,” he said.
When pressed by The Intercept to explain his figure, Clapper said it came from the National Security Agency. “The projected growth maturation and installation of commercially available encryption — what they had forecasted for seven years ahead, three years ago, was accelerated to now, because of the revelation of the leaks.”
Of course, it's worth noting that, in the past few months, it seemed as if the NSA and the intelligence community was moving away from its kneejerk hatred of encryption, pushing back against the FBI's argument that we need to backdoor encryption. But, apparently they're not willing to go quite this far. Basically, the NSA wants strong encryption out there, but it doesn't really want you to use it.
Asked if that was a good thing, leading to better protection for American consumers from the arms race of hackers constantly trying to penetrate software worldwide, Clapper answered no.
“From our standpoint, it’s not … it’s not a good thing,” he said.
Yup. James Clapper would prefer that the American public be less safe by not using encryption, rather than protecting their digital lives.
Of course, many other people do think it's a very, very good thing. Including Ed Snowden:
So, the guy in the US government is upset that the public is more safe, and the guy that people want to accuse of being a traitor is proud of helping Americans to better protect themselves. Maybe we ought to reverse their roles...
While so much of the attention had been focused on the case in San Bernardino, where the DOJ was looking to get into Syed Farook's iPhone, we've pointed out that perhaps the more interesting case was the parallel one in NY (which actually started last October), where the magistrate judge James Orenstein rejected the DOJ's use of the All Writs Act to try to force Apple to help unlock the iPhone of Jun Feng, a guy who had already pled guilty on drug charges, but who insisted he did not recall his passcode.
There were some oddities in the case. Feng had pled guilty and there was some issue over whether or not there was still a need to get into the iPhone. The DOJ insisted yes, because Feng's iPhone might provide necessary evidence to find others involved in the drug ring. The other oddity: Feng's iPhone was running iOS7. While the device itself was a newer model iPhone than the one in the Farook case, it still has an older operating system, where it was known that Apple (and others) could easily get in. So it made no sense that the FBI couldn't get into this phone. In fact, Apple's latest filing in the case, just over a week ago was basically along those lines, noting that the DOJ claimed Apple's assistance was "necessary," but that seemed unlikely.
And... late on Friday, the DOJ did the exact same "run away!" move it did in the Farook case, telling the judge that it had suddenly been given the passcode, so there was no need to move forward with the case at all.
The government respectfully submits this letter to update the Court and the
parties. Yesterday evening, an individual provided the passcode to the iPhone at issue in this
case. Late last night, the government used that passcode by hand and gained access to the
iPhone. Accordingly, the government no longer needs Apple’s assistance to unlock the
iPhone, and withdraws its application.
According to a (paywalled) WSJ article, Feng, who has been waiting for his sentencing, and thinking that his case was otherwise over, only just found out that there was this big fuss around his own case... and told the DOJ he miraculously remembered the passcode. Hallelujah. A miracle... and the DOJ was magically saved from a precedent it didn't want.
The Wall Street Journal reported last week that Mr. Feng only recently learned his phone had become an issue in a high-stakes legal fight between prosecutors and Apple. Mr. Feng, who has pleaded guilty and is due to be sentenced in the coming weeks, is the one who provided the passcode to investigators, according to people familiar with the matter.
Of course, it's worth noting, however that while this particular case may be effectively over, it's not that great for the DOJ, in that no one got to officially review magistrate judge James Orenstein's fairly epic smackdown of the DOJ earlier in the case. That, of course, has no value as a precedent, but that doesn't mean it won't be quoted or pointed to in other, similar cases.
On the flip side, of course, there's the argument that every time the case starts looking bad for the DOJ, they miraculously get into the phone in question. At the very least, this ought to raise questions about why the DOJ keeps insisting that it needs Apple's help... But the fact is these cases are going to keep coming.
It appears that more fully encrypting messaging and content is really catching on. Following Whatsapp's big move to roll out end-to-end encryption, the super popular communications app Viber has announced it intends to do the same for its 700 million (and growing) users. It's already testing encryption in a few markets, before rolling it out globally. The company claims that the encrypted system will also let you know if your content is encrypted based on color coding.
Unfortunately, Viber is not entirely clear on what encryption tools they're using. With Whatsapp, the company was upfront in saying that it was using the popular and tested open source encryption from Open Whisper Systems. Viber doesn't say what it's using, leading some to speculate that the company tried to roll its own (generally not a good idea -- and likely means there are serious security flaws). The company, however, says that they're doing "open source plus," but have not yet named what open source tools it's pulling from:
“We built [our end-to-end encryption] based on the concept of an established open-source solution with an extra level of security developed in-house,” a Viber spokesperson says, refusing to be more specific.
There are some that will argue that an opaque/unknown encryption system can, in some ways, be worse than no encryption, in that users may think their communications are private, when they really are not. So, the lack of an open, audited encryption solution is definitely a concern here.
However, what's encouraging is that we're seeing more and more apps embracing end-to-end encryption for communications, as well as strong disk encryption for data at rest. This is something that cryptographers and security experts pushed for for years without much actual support or adoption. However, it's finally starting to become a necessary piece of the puzzle for communications service providers, and that's a good thing.
Here comes the inevitable government backlash against WhatsApp rolling out end-to-end encryption for one billion users worldwide: if governments can no longer demand access to communications, the next best thing is to demand access to WhatsApp users.
According to India resident Prasanto K. Roy, local governments are demanding that administrators of WhatsApp groups (the latest beneficiaries of the encryption rollout) register with the local magistrate, and will apparently hold them accountable for any "irresponsible remarks" or "untoward actions" by members of the group.
The government's unsubtle man-in-the-middle approach to accessing WhatsApp communications also involves placing a literal government man in the middle, according to the Times of India.
The spokesperson also said that a government representative might also have to be added to the WhatsApp group as an admin. "If any government admin is present in a WhatsApp group, it will immediately prevent any sort of rumour-mongering," he said.
Whenever a government agency develops an overweening urge to curb "rumor-mongering," one can be sure that particular government is fucking something up somewhere. And, indeed, that is the case here.
The government had imposed a blackout on mobile internet in the troubled area after clashes between security forces and protestors claimed the lives of five people. The area had seen protests after the alleged molestation of a teenager by security personnel. The mobile internet blackout had been aimed at curbing the spread of potentially inflammatory messages that could spark further tension in the area.
It would seem to me the tension was created by the alleged molestation, the government's lack of interest in investigating/punishing the wrongdoer and the killing of five people. The government appears to be more interested in saving itself from its constituency, so the obvious move is to shut down any communication platform that it can't monitor or control. It can't kill WhatsApp, so it's demanding to be inserted into these conversations -- either directly or by lurking just offscreen whispering legal threats.
Not only that, but the quelling of dissent extends to the government itself. The flier also notes punishment awaits government employees who find the registration demand heavy-handed.
Govt. Employees serving in the district are directed to restrain from making any comments/remarks with regard to the policies and decisions of government on these WhatsApp groups running in the district and if anyone found involved in such activities, strict action will be initiated against them as required under rules.
Looking beyond this local dispute that has managed to drag in the world's most popular messaging service, one can see why it is essential that citizens have communication platforms that keep the government locked out. Encryption doesn't just "protect" criminals from law enforcement and innocent people from criminals. It also protects the innocent from their governments' self-serving overreach.
When you testify before Congress, it helps to actually have some knowledge of what you're talking about. On Tuesday, the House Energy & Commerce Committee held the latest congressional hearing on the whole silly encryption fight, entitled Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives. And, indeed, they did have witnesses presenting "industry" and "law enforcement" views, but for unclear reasons decided to separate them. First up were three "law enforcement" panelists, who were free to say whatever the hell they wanted with no one pointing out that they were spewing pure bullshit. You can watch the whole thing below (while it says it's 4 hours, it doesn't actually start until about 45 minutes in):
Lots of craziness was stated -- starting with the idea pushed by both chief of intelligence for the NYPD, Thomas Galati and the commander of the office of intelligence for the Indiana State Police, Charles Cohen -- that the way to deal with non-US or open source encryption was just to ban it from app stores. This is a real suggestion that was just made before Congress by two (?!?) separate law enforcement officials. Rep. Morgan Griffith rightly pointed out that so many encryption products couldn't possibly be regulated by US law, and asked the panelists what to do about it. You can watch the exchange here:
You see Cohen ridiculously claim that since Apple and Google are gatekeepers to apps, that the government could just ban foreign encryption apps from being in the app stores:
Right now Google and Apple act as the gatekeepers for most of those encrypted apps, meaning if the app is not available on the App Store for an iOS device, if the app is not available on Google Play for an Android device, a customer of the United States cannot install it. So while some of the encrypted apps, like Telegram, are based outside the United States, US companies act as gatekeepers as to whether those apps are accessible here in the United States to be used.
This is just wrong. It's ignorant and clueless and for a law enforcement official -- let alone one who is apparently the "commander of the office of intelligence" -- to not know that this is wrong is just astounding. Yes, on Apple phones it's more difficult to get apps onto a phone, but it's not impossible. On Android, however, it's easy. There are tons of alternative app stores, and part of the promise of the Android ecosystem is that you're not locked into Google's own app store. And, really, is Cohen literally saying that Apple and Google should be told they cannot allow Telegram -- one of the most popular apps in the world -- in their app stores? Really?
Galati then agreed with him and piled on with more ignorance:
I agree with what the Captain said. Certain apps are not available on all devices. So if the companies that are outside the United States can't comply with same rules and regulations of the ones that are in the United States, then they shouldn't be available on the app stores. For example, you can't get every app on a Blackberry that you can on an Android or a Google.
Leaving aside the fact he said "Android or a Google" (and just assuming he meant iPhone for one of those)... what?!? The reason you can't get every app on a BlackBerry that's on other devices has nothing to do with any of this at all. It's because the market for BlackBerry devices is tiny, so developers don't develop for the BlackBerry ecosystem (and, of course, some BlackBerries now use Android anyway, so...). That comment by Galati makes no sense at all. Using the fact that fewer developers develop for BlackBerry says nothing about blocking foreign encryption apps from Android or iOS ecosystems. It makes no sense.
Why are these people testifying before Congress when they don't appear to know what they're talking about?
Later in the hearing, when questioned by Rep. Paul Tonko about how other countries (especially authoritarian regimes) might view a US law demanding backdoors as an opportunity to demand the same levels of access, Cohen speculated ridiculously, wildly and falsely that he'd heard that Apple gave China its source code:
Here's what Cohen says:
In preparing for the testimony, I saw several news stories that said that Apple provided the source code for iOS to China, as an example. I don't know whether those stories are true or not.
Yeah, because they're not. He then goes on to say that Apple has never said under oath whether or not that's true -- except, just a little while later, on the second panel, Apple's General Counsel Bruce Sewell made it quite clear that they have never given China its source code. Either way, Cohen follows it up by saying that Apple won't give US law enforcement its source code, as if to imply that Apple is somehow more willing to help the Chinese government hack into phones than the US government. Again, this is just blatant false propaganda. And yet here is someone testifying before Congress and claiming that it might be true.
Thankfully, at the end of the hearing, Rep. Anna Eshoo -- who isn't even a member of the subcommittee holding the hearing (though she is a top member of the larger committee) joined in and quizzed Cohen about his bizarre claims:
She notes that it's a huge allegation to make without any factual evidence, and asks if he has anything to go on beyond just general "news reports." Not surprisingly, he does not.
Elsewhere in the hearing, Cohen also insists that a dual key solution would work. He says this with 100% confidence -- that if Apple and law enforcement had a shared key it would be "just like a safety deposit box." Of course, this is also just wrong. As has been shown for decades, when you set up a two key solution, you're introducing vulnerabilities into the system that almost certainly let in others as well.
And then, after that, Rep. Jerry McNerney raises the point -- highlighted by many others in the past -- that rather than "going dark," law enforcement is in the golden age of surveillance and investigation thanks to more and new information, including that provided by mobile phones (such as location data, metadata on contacts and more). Cohen, somewhat astoundingly, claims he can't think of any new information that's now available thanks to mobile phones:
Here's Cohen:
Sir, I'm having problems thinking of an example of information that's available now that was not before. From my perspective, thinking through investigations that we previously had information for, when you combine the encryption issue along with shorter and shorter retention periods, in a service provider, meaning they're keeping their records, for both data and metadata, for a shorter period of time, available to legal process. I'm having difficulty finding an example of an avenue that was not available before.
Huh?!? He can't think of things like location info from mobile phones? He can't think of things like metadata and data around unencrypted texts? He can't think of things like unencrypted and available information from apps? Then why is he on this panel? And the issue of data retention? Was he just told before the hearing to make a point to push for mandatory data retention and decided to throw in a nod to it here?
At least Galati, who went after him, was willing to admit that tech has provided a lot more information than in the past -- but then claimed that encryption was "eliminating those gains."
Cohen is really the clown at the show here. He also claims that Apple somehow decided to throw away its key and that it was "solving a problem that doesn't exist" in adding encryption:
There he's being asked by Rep. Yvette Clarke if he sees any technical solutions to the encryption issue, and he says:
The solution that we had in place previously, in which Apple did hold a key. And as Chief Galati mentioned, that was never compromised. So they could comply with a proper service of legal process. Essentially, what happened is that Apple solved a problem that does not exist.
Again, this is astoundingly ignorant. The problem before was that there was no key. It wasn't that Apple had the key, it's that the data was readily available to anyone who had access to the phone. That put everyone's information at risk. It's why there was so much concern about stolen phones and why stolen phones were so valuable. For a law enforcement official to not realize that and not think it was a real problem is... astounding. And, again, raises the question of why this guy is testifying before Congress.
It also raises the question of why Congress put him on a panel with no experts around to correct his many, many errors. At the very least, towards the beginning of the second panel, Apple GC Sewell explained how Cohen was just flat out wrong on these points:
If you can't see that, after his prepared remarks, Sewell directly addresses Cohen's claims:
That's where I was going to conclude my comments. But I think I owe it to this committee to add one additional thought. And I want to be very clear on this: We have not provided source code to the Chinese government. We did not have a key 19 months ago that we threw away. We have not announced that we are going to apply passcode encryption to the next generation iCloud. I just want to be very clear on that because we heard three allegations. Those allegations have no merit.
A few minutes later, he's asked directly about this and whether or not the Chinese had asked for the source code, and Sewell says that, yes, the Chinese have asked, and Apple has refused to give it to them:
Seems like they could have killed 3 hours of ignorant arguments presented to Congress, if they had just not allowed such ignorance to be spewed earlier on.
BlackBerry has finally responded to Motherboard's story on the Royal Canadian Mounted Police's apparent full access to encrypted communications -- something that hinted the RCMP may have been given BlackBerry messaging's "Golden Key." Sort of. It's mostly an indirect Glomar followed by a statement that confirms something people already know.
BlackBerry still has not commented directly to Motherboard or VICE News on the specifics of the investigation, but CEO John Chen published a blog post on Monday addressing the report in broad strokes… very broad strokes.
[...]
“Regarding BlackBerry’s assistance,” Chen wrote instead, “I can reaffirm that we stood by our lawful access principles. Furthermore, at no point was BlackBerry’s BES server involved.”
BES is BlackBerry Enterprise Server -- the only option available where customers can lock BlackBerry out of access to communications. With BES, encryption keys are set by users, which means BlackBerry can no longer decrypt messages using its global PIN encryption key. Notably, this option is only available to corporate or government customers. Everyone else gets vanilla encryption, which can be decrypted by BlackBerry for law enforcement. Or, as appears to be the case in Canada, the key can be handed out to law enforcement agencies, allowing them to decrypt at will… because there's only one encryption key for all non-BES users.
According to BlackBerry CEO John Chen, the ends justify the means he pointedly won't be discussing in detail.
We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access requests.
[...]
This very belief was put to the test in an old case that recently resurfaced in the news, which speculated on and challenged BlackBerry’s corporate and ethical principles. In the end, the case resulted in a major criminal organization being dismantled.
BlackBerry continues to play both sides of the equation, providing "regular" users with less secure communications while claiming to be the "gold standard" in encrypted communications -- a privilege it only extends to some of its customers, unlike Apple or Google, which provide encryption to all of their customers.
The company has nothing to offer customers in the way of assurances, but it does seem to be going out of its way to soothe the nerves of law enforcement officials frustrated by smartphone encryption. It may make a big deal about its fight against Pakistan and its demands for access (Chen highlights this in his blog post), but it seems less than likely to go to bat for a majority of its users when faced with overreach by more "acceptable" governments.
Yesterday morning, things kicked off with a ridiculous tweet from the NY Police Department, announcing that it "stood with" the Manhattan DA in calling for "encryption" legislation. Of course, that's inaccurate. What it was really calling for was anti-encryption legislation.
But, suddenly we discovered that not only was Manhattan District Attorney -- and proudly technologically ignorant -- Cyrus Vance continuing to push his dangerous anti-encryption views, but he had somehow created a hashtag and a logo for it (I've sent in a FOIA request to see how much tax payer dollars were spent on the logo, though I doubt I'll get a response). Vance held quite the grandstanding press conference over this, in which he repeated the same misleading claims as in the past about how horrible encryption is, and then trotted out some sob stories of cases where law enforcement failed to do their job, and then blamed it on encryption.
You can watch the half-hour press conference below if you have the stomach for it:
Of course, just about everything about this is ridiculous. It took place just a few days after Patrick O'Neill, over at the DailyDot, revealed some details of a FOIA request he'd made with Vance's office about all those cases he claimed he needed to get into phones for -- and found that, of the ones that were listed all had resulted in convictions anyway, even without getting into the phones. And most didn't appear to be for really serious crimes.
Meanwhile, as is often the case, an attempt by law enforcement to co-opt whatever "the kids these days" are doing by setting up a hashtag failed spectacularly. First off, Vance's office just happened to pick a hashtag that was already in use. Even worse, it was in use by the Quakers to push for criminal justice reform that would "start to reverse the failed 40-year 'war on drugs.' Ooops.
Then, of course, the folks who actually understand technology took the hashtag and ran with it, explaining why Vance's campaign was idiotic.
Remember: encryption protects the families of police too. If you break it, you put them at risk. #unlockJustice
After going through lots and lots of tweets, I have to admit that I couldn't find any -- outside of those from the DA's office and various law enforcement people that were actually supportive of the campaign. It really makes you wonder, just who does Cyrus Vance think he's protecting?
For the dozenth time, Comey once again asserted his belief that unicorns are not only real, but that smart people at tech companies can provide him with one.
“I think it’s a bit of a false premise to say that the only answer to the challenge we face is to introduce vulnerabilities into code,” Comey told the Daily Dot, before adding, “I’ll leave that to experts.”
This is Comey's backdoor: a backdoor for all intents and purposes, except that he refuses to call it a backdoor. It's a secret entrance, only known to law enforcement, intelligence agencies and any other government entity that might like access to encrypted devices. It's a bell that can't be unrung, but Comey thinks the FBI can ring it quietly enough, provided the smart tech people come up with a foolproof way to suppress the ringing noise.
Experts -- hundreds of them -- have already offered their opinion. What Comey wants is impossible without introducing abusable vulnerabilities. And while the FBI was seeking access to the infamous San Bernardino iPhone, dozens of experts offered their help, but the FBI wasn't interested. And yet, Comey soldiers on, secure in his delusion that the "experts" will fix his problem, on his terms, even after he and his agency have done all they can to alienate them. No one has made more out of their own ignorance than Comey, who seems to be willfully avoiding any actual discussions with experts -- experts who will very definitely disabuse him of his stupid, dangerous notions.
But that's not the dumbest statement made by Comey in this interview. He tops himself later while addressing the possible repercussions of forcing tech companies to glue horns on horses to sastify his unicorn requests.
Asked about the danger of pushing people to foreign platforms by limiting U.S. encryption, Comey seemed to suggest that the answer was to regulate encryption worldwide. “Every country that cares about the rule of law cares about this,” he said. “I think whatever we come up with—we as a people that care about these issues, in and out of government—it has to have some international component to it.”
Let me get this straight: the guy who couldn't even persuade Congress that it was a good idea to force one company to help unlock one phone believes he can talk the rest of the world into getting on board with his anti-encryption plans. If insanity is doing saying the same thing over and over and expecting different results responses, then his planned "we are the backdoored world" singalong is basically Comey assuring the general public that he is mentally unfit -- without having to urinate on himself or submit 244 pages of truther theories as Exhibit A to an unamused judge.
The audacity of that shrug ("no prob, we'll just get the rest of the world to bend to my will") is breathtaking. The best thing the FBI could do to protect its iPhone-cracking interests is chain Comey to a desk in a basement and go back to delivering a steady stream of "no comments" through DOJ lawyers.
As we've discussed at length, there are multiple cases going on right now in which the US Justice Department is looking to compel Apple to help access encrypted information on iPhones. There was lots of attention paid to the one in San Bernardino, around Syed Farook's work iPhone, but that case is now over. The one getting almost but not quite as much attention is the one happening across the country in NY, where magistrate judge James Orenstein ruled against the DOJ a little over a month ago, with a very detailed explanation for why the All Writs Act clearly did not apply. The DOJ, not surprisingly, appealed that ruling (technically made a "renewed application" rather than an appeal) to an Article III judge and the case was assigned to judge Margo Brodie.
Apple has now filed its argument against the DOJ, making a variety of points, but hitting hard on the idea that the DOJ is flat out lying in now claiming that Apple's assistance in unlocking this phone is "necessary." As we've noted, the end result of the San Bernardino case, where the FBI eventually "figured out" how to get into the phone, raises questions about whether it truly exhausted all possibilities in this case -- which involves a newer phone, but an older operating system.
... the record is devoid of evidence that Apple’s assistance is
necessary—and remains so even after a similar claim of necessity was proven untrue in a recent
proceeding in California. Indeed, in its original application to Judge Orenstein, the government
acknowledged that it sought Apple’s help to spare the government from having to expend
“significant resources.”...
[....]
The government has made no showing that it has
exhausted alternative means for extracting data from the iPhone at issue here, either by making a
serious attempt to obtain the passcode from the individual defendant who set it in the first
place—nor to obtain passcode hints or other helpful information from the defendant—or by
consulting other government agencies and third parties known to the government. Indeed, the
government has gone so far as to claim that it has no obligation to do so...
notwithstanding media reports that suggest that companies already offer commercial solutions
capable of accessing data from phones running iOS 7, which is nearly three years old.
And, of course, Apple suggests (as it has all along) that the DOJ is totally misreading and/or misrepresenting the All Writs Act:
The government would have this Court believe that the All Writs
Act, first enacted in 1789, is a boundless grant of authority that permits courts to enter any order
the government seeks—including orders conscripting private third parties into providing
whatever assistance law enforcement deems appropriate—as long as Congress has not expressly
prohibited its issuance. DE 30 at 18. But that characterization of the All Writs Act turns our
system of limited government on its head. It simply is not the case that federal courts can issue
any order the executive branch dreams up unless and until Congress expressly prohibits it. That
construction of the All Writs Act has it exactly backwards. If the government’s view is correct,
Congress would never need to pass permissive legislation in the law enforcement context
because everything would be on the table until explicitly prohibited. That may be what the
government prefers, but it is not the legal system in which it operates.
The company also questions whether or not it's really necessary for the government to get into this phone, given that the defendant in the case, Jun Feng, has already pled guilty and the phone hasn't been used in years. Also, the government didn't even seek a warrant to get into the phone for over a year after seizing it.
Apple also raises some procedural concerns. As noted above, the government just asked for a new judge to review, rather than doing an official appeal, and Apple points out that it's doing this to try to avoid certain standards:
In its papers, the government takes great pains to characterize its brief as a renewed
application rather than an appeal from Judge Orenstein’s order, presumably to bolster its
contention that Judge Orenstein’s order should be reviewed de novo.... In doing
so, the government attempts to obscure the fact that this matter was extensively briefed, a
hearing was held, supplemental briefing was provided, and Judge Orenstein issued a 50-page
order. Moreover, the government’s insistence that it is entitled to a do-over is belied by Federal
Rule of Criminal Procedure 59 and Section 636 of the Federal Magistrates Act.
One of the key points made by the DOJ in its filing in this case was that Apple had been fine with previous such All Writs Act orders on phones running iOS 7, where it does have more access to information. But Apple notes that the details of this case are different in important ways: this is the first case where the judge specifically brought Apple into court, rather than ruling without Apple being involved at all (i.e. "ex parte").
To be sure, courts have previously issued ex parte orders directing Apple to “assist in
extracting data from an Apple device through bypassing the passcode in order to execute a search warrant.” But the government’s cited orders were issued ex
parte, without Apple’s participation, without the benefit of adversarial briefing on the scope of
the All Writs Act, and with no supporting analysis. Apple also was not a party in United States
v. Blake, No. 13-CR-80054 (S.D. Fl. July 14, 2014), in which the court denied the defendant’s
motion to suppress evidence gathered from an iPhone that Apple helped unlock. Accordingly,
such cases are not even persuasive authority on the scope of the All Writs Act, let alone
precedential; certainly such ex parte orders issued with little analysis should carry less weight
than Judge Orenstein’s lengthy and reasoned opinion.
Most of the other arguments cover things discussed earlier, around why the All Writs Act doesn't apply and why CALEA covers this situation and does not require Apple to assist.
So, while the San Bernardino case may be over, the NY case is still raging. I imagine the DOJ's next filing will be... interesting as well.
Blackberry's CEO, John Chen, didn't care for the fact that Apple was "locking" law enforcement out of its devices by providing customers with default encryption. As he saw it, Apple was placing profits ahead of Mom, Apple pie and American-made motorcars.
For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world's most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would "substantially tarnish the brand" of the company. We are indeed in a dark place when companies put their reputations above the greater good.
Chen refused to "extend privacy to criminals." How he had any way of knowing who was or wasn't a criminal at the point of sale was not detailed in his rant.
Then news surfaced that Dutch law enforcement could bypass Blackberry encryption with seeming impunity. At that point, Blackberry became defensive about its new stature as the least secure smartphone option. It claimed in a blog post that its stock phones were not open books for the world's law enforcement agencies. Despite promising earlier that the company would not aid criminals in keeping their secrets from law enforcement, Blackberry heatedly claimed its devices were secure as ever -- even in the hands of criminals.
[T]here are no backdoors in any BlackBerry devices, and BlackBerry does not store and therefore cannot share BlackBerry device passwords with law enforcement or anyone else.
Imagine for a moment that everybody's front door has the same key. Now imagine that the police have a copy of that key, and can saunter into your living room to poke around your belongings while you're out, and without your knowledge.
By way of metaphor, this is exactly how the Royal Canadian Mounted Police, Canada's federal police force, intercepted and decrypted "over one million" BlackBerry messages during an investigation into a mafia slaying, called “Project Clemenza," that ran between 2010 and 2012.
In addition to routing and compressing data traffic, RIM's service offerings also include a measure of security in excess of the practices adopted by their competitors. BBM, as an example, is encrypted. However, it is encrypted using a global key. RIM has written that,
"The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives."
This means that RIM can decrypt consumers' messages that are encrypted with the global key. Consumer devices include all RIM offerings that are not integrated with a BlackBerry Enterprise Server (BES). The BES lets administrators change the encryption key, which prevents RIM from using the global decryption key to get at the plaintext of BES-secured communication.
Blackberry may be technically correct when it asserts it has no access to user passwords. But that hardly matters when it holds the key that can decrypt any BBM communications that pass through its service (with the exception of administrator-level business accounts). This single key's access to unencrypted communications is likely what allowed (and possibly still allows) the RCMP to obtain plaintext messages.
According to the documents obtained by Motherboard, the RCMP appears to be using some sort of Stingray-but-for-BBM technology to intercept and decrypt messages.
[The RCMP maintains a server in Ottawa that "simulates a mobile device that receives a message intended for [the rightful recipient]." In an affidavit, RCMP sergeant Patrick Boismenu states that the server "performs the decryption of the message using the appropriate decryption key." The RCMP calls this the "BlackBerry interception and processing system."
By inserting itself into the middle of communications, the RCMP can intercept the messages. Access to the Golden Key ensures they can be read. The conclusion reached by both the defense team and the judge presiding over the case? The RCMP has Blackberry's global encryption key.
The defence in the case surmised that the RCMP must have used the "correct global encryption key," since any attempt to apply a key other than BlackBerry's own global encryption key would have resulted in a garbled mess. According to the judge, "all parties"—including the Crown—agree that "the RCMP would have had the correct global key when it decrypted messages during its investigation."
Unfortunately, there aren't many more details. Many of the documents related to this case remain under seal and the RCMP certainly isn't going to discuss its interception/decryption secrets if it doesn't have to. It could very well be that it demanded (and obtained) the key from Blackberry, much in the way the FBI demanded Lavabit's SSL key. If so, Blackberry was far more cooperative than Lavabit, which chose to shut down the service rather than allow the government to have total access. (And it has been hinted by the DOJ that this sort of request may be headed Apple's way if it continues to fight its All Writs orders.)
Somewhat ironically, the RCMP acknowledged in court that outing a cellphone provider as Junior G-Men would probably tarnish Blackberry's reputation -- basically the same thing Blackberry CEO John Chen claimed was the height of Apple impudence
RCMP inspector Mark Flynn testified in a heavily redacted transcript that BlackBerry "facilitated the interception process," however, Flynn also stated that facilitation could mean mere information sharing or a physical action to aid interception.
Flynn further testified that revealing the key would jeopardize the RCMP's working relationship with BlackBerry, and harm BlackBerry itself, since "it is not a good marketing thing to say we work with the police."
The question now is whether the RCMP still has this level of access. To cut off the RCMP, Blackberry would have needed to alter the global decryption key -- something that would have required "a massive update... on [a] per-handset basis," according to Citizen Lab's Christopher Parsons. And if Canada's law enforcement has it (or had it), odds are law enforcement agencies in other countries had similar access. Investigators may not be keen to expose techniques in court or in released documents, but they're usually pretty good about sharing this info with like-minded law enforcement agencies.
