Trump Administration Demands An End To Strong Encryption While Being Exhibit A For Why We Need It

from the secrets-we-keep dept

In the 18th Century the Founding Fathers were worried about tyrants. They were worried about government officials abusing the powers of their office and the fate of the nation if there were no check on their power. In the 21st Century those concerns have hardly faded. Today we have a presidential administration that, if nothing else, has publicly (and privately) attempted to turn the ship of state against multiple political opponents, and with such an audacious expectation of impunity that it leaves no basis to believe it would not do the same to anyone else who stands against it.

It now it demands more tools to perpetuate these attacks. At a time when the survival of our democracy most critically depends on the people's ability to push back against these sorts of abuses of governmental power, the government seeks to hobble the public's ability to do it –- this time by destroying the ability to keep their communications secret. Because that's what encryption "backdoors" do: completely and utterly obliterate any technical ability to maintain the secrecy in one's data. You can't just backdoor them a little bit -– either communications are secure from all prying eyes, or none of them. And this administration is insisting that it should get to see them all.

This administration is not, of course, the first to have demanded the ability to get access to people's data. Both Democratic and Republican administrations have made similar demands (and even helped themselves to it). Each time they have articulated policy arguments for why the government should have the power to read people's private communications, and sometimes these arguments have even been compelling. But none have ever outweighed the critical liberty interest that depends on being able to prevent government access to all of everyone's private communications, and today we see exactly why.

The Constitution guarantees the personal freedom necessary to stand against a tyrannical state actor prone to misusing its power. We have been sloppy over the years in preserving that liberty legally, thanks to the implicit assumption that the government is inherently one of the Good Guys and the people seeking to keep their data private presumably are the Bad Guys. It is a view that has infected our understanding of the Fourth Amendment and allowed the government to invade people's privacy in ways the text of the Constitution never allowed. But today we see with painful clarity how it was also a view predicated on wholly unsound assumptions.

Today we regularly see our President, Chief Executive, and most senior official charged with enforcing our laws not only routinely flout these very same laws but also routinely threaten those whose sole "crime" is standing against him with vindictive, and meritless, ruinous prosecution. These are not the actions of a benevolent government eager to protect the public from wrongdoing. They are the actions of an autocrat all too happy to victimize people as willingly as the most hardened criminal.

Which leaves the public on its own to protect itself, and already significantly hampered. It is bad enough that Trump makes it so treacherous to speak out against him publicly. But when we can no longer speak publicly it becomes all the more important that we be able to speak privately – yet that is exactly what this administration is trying to prevent in demanding encryption backdoors. Should it get its wish, no one will be able to keep secrets from this administration, or challenge its power. It will be able to continue its abuses unchecked.

This untenable state of affairs is not what the Founders had in mind, what the Constitution permits, or what our continued democracy can tolerate. It is thus vital to resist this backdoor demand.

Filed Under: authoritarianism, backdoors, doj, encryption, free speech, going dark, privacy

The DOJ Is Conflating The Content Moderation Debate With The Encryption Debate: Don't Let Them

from the it's-not-the-same dept

As we've detailed a lot over the last week, the DOJ has decided that after years of failing to get backdoors mandated by warning about the "terrorism" bogeyman, it's decided to pick up the FOSTA playbook, and instead start focusing on child porn -- or what "serious people" now refer to as Child Sexual Abuse Material (CSAM). It did this last week with an assist from the NY Times, who published an article with (legitimately) scary stories, but somehow blaming the internet companies... because they actually report it when they find such content on their networks. I've seen more than a few people, even those who generally have been strong voices on the encryption debate and against backdoors, waver a bit on this particular subject, and note that maybe there shouldn't be encryption on social media networks, because it might (as the narrative says) help awful people hide their child porn.

Except... that's confusing a few different things. Mainly, it's mixing up the content moderation debate with the "lawful access" or "backdoors" debate. Yes, encryption makes it harder for the police to get in and see certain things, but that's by design. We live in a country with the 4th Amendment, in which we believe that it should be difficult for law enforcement to snoop deeply into our lives -- and that's always meant that some people will do and plot bad stuff out of the sight and hearing of law enforcement. Yet, if you were to look at law enforcement over the past 100 years, you can bet that they have many times more access to information about people today than they have in the past. The claim of "going dark" is laughable when you compare the information that law enforcement can get today even to what it could get 15 or 30 years ago.

But, importantly, bringing CSAM into the debate muddies the water by pretending -- incorrectly -- that in an end-to-end encrypted world you can't do any content moderation, and there's simply no way for platforms to block or report certain kinds of content. Yet, as Princeton professor Jonathan Mayer highlights in a new paper, content moderation is not impossible in an encrypted system. It may be different than it is today, but it's still very much possible:

Much of the public discussion about content moderation and end-to-end encryption over the past week has appeared to reflect two common technical assumptions:

1. Content moderation is fundamentally incompatible with end-to-end encrypted messaging.
   
2. Enabling content moderation for end-to-end encrypted messaging fundamentally poses the same challenges as enabling law enforcement access to message content.

In a new discussion paper, I provide a technical clarification for each of these points.

1. Forms of content moderation may be compatible with end-to-end encrypted messaging, without compromising important security principles or undermining policy values.
   
2. Enabling content moderation for end-to-end encrypted messaging is a different problem from enabling law enforcement access to message content. The problems involve different technical properties, different spaces of possible designs, and different information security and public policy implications.

You can read the whole thing, but as the paper notes, user reporting of such content still works in an end-to-end encrypted world, as does hash matching if done at the client end. There's a lot more in there as well, but what you realize in reading the paper is that while law enforcement has now latched onto the CSAM issue as its hook to break encryption (in part, I've been told by someone working with the DOJ, because they found it "polled well"), it's an entirely different problem. This is yet another "but think of the children" argument, which ignores the technical and societal realities.

Filed Under: chris wray, content moderation, doj, encryption, going dark, jonathan mayer, william barr
Companies: facebook

FBI Director Deploys Straw Men While Calling For The End Of Straw Men Arguments In The Encryption War

from the let-he-who-is-without-straw... dept

The DOJ's anti-encryption summit went off without a hitch. And why wouldn't it? No one who had anything good to say about encryption was invited. The only speaker without a history of criticizing encryption was John Walsh of "America's Most Wanted," who detailed the kidnapping of his son -- an event that took place long before encryption was viewed as an impediment to law enforcement.

Using a bit of the FOSTA playbook, but skewing it younger to facilitate appeals to emotion, the "summit" attempted to discuss the "creation" of "lawless spaces" resulting from end-to-end encryption. Facebook was front and center as the recent recipient of a letter from Attorney General William Barr, asking it to ditch its plans to encrypt Messenger communications.

Barr (who's already made his feelings about encryption clear) was joined by Deputy AG Jeffrey Rosen, FBI Director Chris Wray, UK Home Secretary Priti Patel, and Australia's Minister of Home Affairs Peter Dutton. No one representing the tech industry was included. Nor were any encryption experts. This was a preach-to-the-converted type of event and the speakers all made the most of it.

FBI Director Chris Wray offered his unsurprising take on encrypted communications: he's against it. Not that his opinion should be considered in any way an "expert" opinion. He runs an agency that can't even correctly count the number of encrypted devices it has in its possession. And it's the same agency where officials did everything they could to avoid unlocking a seized phone in a mass shooting case in hopes of securing favorable court precedent. Wray frequently presents the hardest skew on the issue (at least at the federal level), and his comments at the summit were no exception.

[I]f we don’t confront these real-life horrors happening to real people, if we don’t take action and do something soon to address the lawful access problem, it will be too late and we’ll lose the ability to find those kids who need to be rescued. We’re going to lose the ability to find the bad guys who need to be arrested and stopped. And we’re going to lose the ability to keep the most vulnerable people we serve safe from harm. We just cannot let that happen.

Technology has made life much easier for the good guy—there’s no doubt. But it’s also made life much easier for a wide range of bad guys—including international and domestic terrorists, hackers, opioid traffickers, and child predators. Like other criminals, child predators routinely rely on encrypted phones and laptops to store explicit photographs and exchange illegal media, contact victims, and coordinate with co-conspirators over encrypted messaging platforms.

These devices and platforms have become spaces where vital rules—against soliciting child abuse, against trading in and feeding that abuse, against threatening abuse victims struggling to make a normal life—can no longer effectively be applied.

The key word here is "effectively." Wray wants immediate access in exchange for a warrant. While end-to-end encryption may make it harder to obtain the content of communications from service providers, it does not make it impossible. There are vendors offering tools that can bypass phone encryption to access communication contents. Suspects have been known to volunteer passwords. More than one court has found that the application of biometric features to unlock devices does not violate the Fifth Amendment. Any number of third parties hold data that can give investigators clues about message content and link suspects with conspirators.

Going directly through Facebook -- and Facebook is the unspoken target of this "summit", thanks to its announcement of end-to-end encryption for Messenger -- is just not going to be a very useful option. Wray believes encryption shouldn't be able to defeat a warrant. But that short-sighted view ignores the fact that not every warrant results in the securing of evidence… or enough evidence to secure a guilty verdict.

The issue here is Facebook's plans for Messenger. According to stats mentioned in Barr's letter (and comments delivered by others), 70% of Facebook's 16 million child exploitation tips came from this service. Once the encryption is applied, even Facebook won't be able to see the contents of these communications. That's what the FBI, DOJ, and overseas government officials are hoping to prevent.

It's a legitimate concern, but it's being discussed with a lot of illegitimate arguments. Wray tries to pretend it's everyone else being disingenuous while he boldly speaks truth to tech power. But even this assertion is contradicted by Wray's statements.

I’m well aware that encryption is a provocative subject for some. Although I will tell you, I get more than a little frustrated when people suggest that we’re trying to weaken encryption—or weaken cybersecurity more broadly. We’re doing no such thing. And dispensing with straw men would be a big step forward in this discussion. Cybersecurity is a central part of the FBI’s mission. It’s one part of the broader safety net we try to provide the American people: not only safe data, safe personal information, but also safe communities, safe schools.

We also have no interest in any “back door,” another straw man. We—the FBI, our state and local partners—we go through the front door. With a warrant, from a neutral judge, only after we’ve met the requirements of the Fourth Amendment. We’ve got to look at the concerns here more broadly, taking into account the American public’s interest in the security and safety of our society, and our way of life. That’s important because this is an issue that’s getting worse and worse all the time.

Actually, no. It's still really safe and secure in the United States. Our "way of life" is under no greater threat in an era of increased encryption use than it was before this became the FBI's pet issue. In fact, we're safer today in terms of crime rates and terrorist activity than we've been in more than two decades.

Wray has built his anti-encryption side hustle on a pile of straw men. It's pretty rich to see him arguing no one else should have the privilege to argue their points as disingenuously as he has.

People want safety. People want security. These are inextricably intertwined, but Wray thinks it's possible to separate one from the other without a net loss in safety. And he can't even be honest about how he plans to do it. No one on this panel is willing to call the back doors they want "back doors." No, it's always something else. If the front door is the user's access to their communications, anyone coming in through another entrance is likely going to be viewed as using the back door. If the FBI prefers, we could just call it "using the bedroom window." It doesn't really matter what it's called when it's still access to encrypted communications that's achieved by going through anyone else but the end user.

Wray says everyone else -- everyone who doesn't immediately agree the security trade-off the FBI is pitching is worth it -- is wrong. We're allying ourselves with the most heinous criminals and actively thwarting law enforcement. We're all Wray's straw men now.

So to those out there who are resisting the need for lawful access, I would ask: What’s your solution? How do you propose to ensure that the hardworking men and women of law enforcement, sworn to protect you and your families, actually maintain lawful access to the information they need to do their jobs? What will you say to victims who are denied justice—or left unrescued—in the name of some incremental amount of additional data security?

Why limit your appeal to emotion when you can also appeal to authority? That's the rhetoric Wray is delivering to people who think he's right and will never push back against his oversimplifications, even as he decries the oversimplifications of others. What a train wreck.

It's not an "incremental amount." It's either secure or it isn't. It's not an incremental issue. I would say to the imagined crowd of "hardworking law enforcement" officers that demanding people relinquish their security just to make it easier for the government to access private communications is a bullshit deal. I'm sure Wray knows this. He just seems not to care.

Filed Under: chris wray, doj, encryption, fbi, going dark

Deputy Attorney General Rosen: Companies Like Facebook Are Making Everyone Less Safe By Offering Encryption

from the 'for-the-children'-beats-out-'because-terrorism' dept

The federal government's anti-encryption push is starting to turn into a really weird movement. Yanking pages from the FOSTA playbook, Attorney General William Barr threw an anti-encryption party featuring him, FBI Director Chris Wray, Deputy AG Jeffrey Rosen, and some overseas critics of secure communications.

It was full of loaded language, beginning with the conference's name:

Lawless Spaces: Warrant-Proof Encryption and Its Impact On Child Exploitation Cases

This is how the DOJ and FBI are going to play this game: the specter of exploited children vs. secure communications for millions of Facebook users. Facebook is definitely the target. This conference -- which featured zero tech experts or encryption advocates -- was preceded by the announcement of a data-sharing agreement between the US and UK government that namechecked Facebook's Messenger and WhatsApp.

It was also preceded by Attorney General William Barr's letter to Facebook, asking it to drop its plans to add end-to-end encryption to Messenger. The letter, signed by the participants in this one-sided conference, said the addition of encryption -- without some form of "lawful access" -- would result in massive amounts of undetectable child exploitation.

Now that William Barr has said his piece, the floor has been opened up to DOJ Deputy Attorney General Jeffrey Rosen. Rosen's pitch isn't all that different from the one Barr laid out in his open letter to Facebook. But Rosen does add a bit more color to his in the form of questionable analogies.

Outside the digital world, none of us would accept the proposition that grown-ups should be permitted to mingle in closed rooms with children they don’t know in order to groom them for sexual exploitation. Neither would we ever accept the idea that a person should be allowed to keep a hoard of child sexual abuse material from the scrutiny of the justice system when all of society’s traditional procedures for protecting the person’s privacy, like the Fourth Amendment’s warrant requirement, have been satisfied. But in the digital world, that is increasingly the situation in which we find ourselves.

First off, no one finds the propositions Rosen offers acceptable -- not the digital variety nor the real-world version. However, both versions still happen, with or without "lawful access." It's not that the DOJ and FBI shouldn't go after child exploiters. It's that pretending that undermining encryption will cause "lawless spaces" to cease to exist isn't an honest approach.

To be fair, Rosen isn't saying exactly that. But what he's pitching is encryption backdoors that will result in millions of insecure communications for millions of people. The potential for harm is immeasurable. But we -- and our service providers -- should apparently be willing to take that risk so law enforcement has easier access to these communications. That's the trade-off being demanded, even if Rosen, Barr, etc. aren't intellectually honest enough to use those exact words.

The intellectual dishonesty continues with Rosen's refusal to call backdoors "backdoors."

I am not for a moment suggesting that we should “weaken” encryption. As we confront the problem of “warrant-proof” encryption, nobody is calling for secret “back doors” to communications systems, even though that is often how the issue is misreported. As FBI Director Wray said this morning, law enforcement seeks a front door — that is, access through a transparent and publicly acknowledged system, and only once we have secured the authorization of a court. And we don’t want the keys to that door. The companies that develop these platforms should keep the keys, maintaining their users’ trust by providing access to content only when a judge has ordered it.

If you put an entrance anywhere, the building is compromised. A hole in a wall, floor, roof, wherever, is still a hole. It doesn't matter who holds the keys. The keys exist and can be copied or misplaced. Law enforcement may need a warrant, but criminals and state actors only need access to the key. Dressing it up as an escrow system doesn't magically make this problem go away.

Rosen is calling for more than backdoors. Using another emotional argument, Rosen appears to saying the government should be allowed to eavesdrop on encrypted communications.

Every day, companies like AT&T, Verizon, and Sprint provide law enforcement with targeted lawful access to the content of phone communications in ways that promote public safety — but only after the government has complied with the rigorous requirements of the law, and a judge has authorized access. Why should internet technology companies operate under different rules? For a young girl who is being trafficked for sex, it makes no difference whether her tormenters are communicating via traditional voice calls over a cell phone, or via an encrypted internet app. But it makes a huge difference to the investigators trying to find her, as they can gather the first category of electronic evidence, but not the second. From a policy point of view, it doesn’t make any sense.

The example Rosen uses is wiretaps. The FBI would definitely like to be the unseen party to any number of conversations, especially now that most of them don't take place over the phone. With this, Rosen is asking for more than unencrypted access to data at rest. He's asking for a "non-backdoor" that allows investigators to intercept communications. This increases the complexity of the government's demands and the insecurity of the targeted app's users.

Rosen says 70% of 16 million child sexual abuse reports Facebook made last year originated from its Messenger service. Once end-to-end encryption is applied, these messages will no longer be visible to Facebook, in addition to being less accessible to law enforcement. He compares the millions of Facebook reports to the very limited number produced by Apple, which has provided end-to-end encryption for a few years now. Apple has forwarded a little over 200 tips over the last three years. As Rosen conjectures, it can't simply be because no child abusers use iPhones.

Rosen isn't wrong. Encryption will result in far fewer reports, if Facebook can't scan messages for child porn. But he's completely wrong in his portrayal of the trade-offs being made.

Some companies have completely favored the privacy of their users over the safety of their users.

This isn't about privacy, even though there is definitely a net privacy gain. It's about security, something even the government realizes is essential for electronic communications. But the government wants less security for everyone, in exchange for an unknown quantity of law enforcement "wins." Rosen actually says users are "safer" when their communications providers scan communications for illicit content -- an argument few outside the FBI and DOJ would make. Rosen is spinning this from the viewpoint of law enforcement riding to the rescue of victimized children. But it won't just be the FBI making use of backdoors or intercepted communications. It will also be governments who treat criticism and dissent as crimes, which definitely makes things less safe for millions of people around the world.

Rosen closes with this last bit of intellectual dishonesty:

If we are to move to a world where even judge-approved search warrants become useless to the protection of exploited children, and to public safety more broadly, our country needs an open discussion of the costs some such technology platforms will be imposing on all of us. If our efforts to make the virtual world more secure leave us more vulnerable in the physical world, that decision should be an informed one.

But Rosen and the agencies he's speaking for don't want an "informed" decision. They've spent years blowing off experts who say what they want will result in less security and safety for users, as well as pointing out the impossibility of creating a "secure" backdoor. You only need to look at the speaker list for this event to see the DOJ and FBI aren't interested in being informed. When the only people being asked for opinions are those who think undermining encryption is a necessity, you're going to come to the conclusion that undermining encryption is a necessity.

Filed Under: doj, encryption, going dark, jeffrey rosen, security
Companies: facebook

DOJ Using The FOSTA Playbook To Attack Encryption

from the watch-out dept

For years now, the various DOJ folks pushing to break encryption have whined and complained that the tech industry won't even consider having an adult conversation about encryption. This, of course, has never been true. Indeed, in just the past few weeks we've highlighted two separate examples of attempts to bring together law enforcement folks and technology/cryptography experts to see if there are legitimate ways to move the conversation forward. That first one came up with an interesting and useful framework for judging any conversation about "lawful access" to encrypted communications, while the second demonstrated just how much various tech companies have been doing over the years -- in particular in helping law enforcement deal with the issue of child abuse.

And what do they get for all that? First, a horrific article in the NY Times that accurately highlights the awfulness of child sexual abuse online... but oddly frames the efforts that various tech companies have put into helping law enforcement as... evidence of not caring about the problem. And, of course, suggests that encryption is part of the problem:

After years of uneven monitoring of the material, several major tech companies, including Facebook and Google, stepped up surveillance of their platforms. In interviews, executives with some companies pointed to the voluntary monitoring and the spike in reports as indications of their commitment to addressing the problem.

But police records and emails, as well as interviews with nearly three dozen local, state and federal law enforcement officials, show that some tech companies still fall short. It can take weeks or months for them to respond to questions from the authorities, if they respond at all. Sometimes they respond only to say they have no records, even for reports they initiated.

And when tech companies cooperate fully, encryption and anonymization can create digital hiding places for perpetrators. Facebook announced in March plans to encrypt Messenger, which last year was responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, according to people familiar with the reports. Reports to the authorities typically contain more than one image, and last year encompassed the record 45 million photos and videos, according to the National Center for Missing and Exploited Children.

This is following the FOSTA/SESTA game plan. Highlight legitimately horrific examples of horrible things that people have done (in FOSTA's case, sex trafficking; here child porn). Then, follow it up by blaming the internet platforms and technology even if those platforms have actively helped law enforcement over and over again. Encryption is repeatedly suggested as truly evil.

Increasingly, criminals are using advanced technologies like encryption to stay ahead of the police.

"Advanced technologies"? And then:

Offenders can cover their tracks by connecting to virtual private networks, which mask their locations; deploying encryption techniques, which can hide their messages and make their hard drives impenetrable; and posting on the dark web, which is inaccessible to conventional browsers.

And again:

Tips included tutorials on how to encrypt and share material without being detected by the authorities.

Yes, encryption can be used to hide bad stuff. No doubt about it. However, it also protects the privacy and security of everyone else as well. There are real tradeoffs here to be discussed -- and we shouldn't forget that one element in that discussion is that law enforcement does have other tools to track down and find those involved in child porn. That encryption blocks some evidence does not mean there are not other ways for them to collect evidence -- as we've seen in many other cases.

But, given that Attorney General William Barr has been on an anti-encryption kick lately, as has FBI Director Chris Wray, it shouldn't be a huge surprise that they've teamed up for a DOJ "symposium" more or less building on the NY Times article (for which the DOJ appears to have been a major source), in which there appears to be an an entirely one-sided lineup of speakers to discuss the scary sounding:

Lawless Spaces: Warrant-Proof Encryption and Its Impact On Child Exploitation Cases

Barr is speaking, as is Wray. So is Deputy Attorney General Jeffrey Rosen, who also spent the summer trashing encryption. There are also two foreign speakers. There's Peter Dutton, the Home Affairs Minister from Australia, who lead that country's efforts to backdoor encryption with a bunch of ridiculously misleading claims about how companies that offer encryption should be blamed for anyone using it for illegal activity. Then there's the UK's Home Secretary, Priti Patel, who we had just mentioned earlier this week for her statements that encryption "empowers criminals."

There does not appear to be a single cryptographer on the program. There does not appear to be a single technologist on the program. There does not appear to be anyone who can provide even the slightest counterweight to the idea that encryption is just a tool for criminals. Contrast this to the sessions we talked about at the opening of this piece. The Carnegie Endowment and Stanford each actually invited people from a variety of different viewpoints and made sure to have actual experts involved. The DOJ is not doing that. This is pure theater as part of a public relations campaign to undermine the encryption that keeps us all safe.

Yes, you can point out very real and horrifying examples of people abusing just about any technology. But in a sane world, you then start looking at the actual size of the problem, the actual risks, the alternative approaches, and the costs and benefits associated with all of them. Not a single person on the DOJ's list of speakers seems equipped to do that. Given that we've quoted each and every one of them right here on Techdirt staking out an extreme anti-encryption standpoint over and over again, suggests that, unlike the tech industry, which has held and participated in various discussions, the DOJ just wants to set up scare mongering stories in the press before pushing for legislation that will destroy encryption and put us all at risk. For our safety.

As you'll recall, AG Barr himself had ominously warned that if the tech industry didn't "engage" then eventually there would be some sort of "incident" to "galvanize public opinion" against encryption:

Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

Well, the industry was willing to engage and explain the costs of undermining encryption. But rather than understand that, it now looks like Barr is working overtime to manufacture that "major incident" to galvanize public opinion against their own security. It's a shame the NY Times decided to help.

Filed Under: child porn, chris wray, doj, encryption, fosta, going dark, moral panic, peter dutton, priti patel, william barr
Companies: facebook, google, ny times

Tech Companies Are Leading The Fight Against Child Porn While The FBI And DOJ Complain About Encryption Helping Child Abusers

from the get-a-clue-[cough]-gentlemen dept

We hear so much from law enforcement agencies about how much tech companies -- and their encryption offerings -- are turning America into a lawless frontier where the criminals always win and the cops are eternally hamstrung. We mainly hear this from two law enforcement agencies in particular: the FBI and the DOJ.

Local cops seem to be doing just fine, but outside of Manhattan blowhard/DA Cy Vance, everyone seems to feel a rising tech tide lifts all cop boats. But these agencies insist we're "going dark." And they insist tech companies are screwing both cops and the public by allowing users to protect their communications and devices from criminals and snoopers alike, even if it means things are ever-so-slightly more difficult for criminal investigators.

But these arguments are being made using facts not in evidence. Tech companies do care about crime, public safety, law enforcement's concerns, and the general insecurity of having devices filled with personal info being carried around by the vast majority of the American public. And tech companies are doing far more to address all of these concerns (rather than just the law enforcement concerns touted by the FBI, et al) than the federales are willing to admit.

First off, tech companies are engaging in the "adult conversation" about lawful access. They're just doing it in a way the government doesn't like. They're approaching this with caution and concern, while the FBI and DOJ dishonestly claim the only "real" solution is unfettered, on-demand access to devices and communications.

White papers have been written. Honest discussions have been had. But these are ignored because they don't offer the "absolutist" options federal agencies desire. It's the DOJ and FBI who are engaging in the equivalent of kicking and screaming while ignoring the real adults in the room.

More evidence that tech companies are doing more to help than to hurt is rolling in. Casey Newton reports for The Verge that the fight against child sexual abuse is being lead by tech companies, and that law enforcement agencies are the beneficiaries of their contributions.

An example from the National Center for Missing and Exploited Children drove the point home. The organization has long operated a tipline in which people can report coming across child pornography and other incidents of abuse. In the late 1990s, the tipline received 200 to 300 reports per week, said Michelle DeLaune, NCMEC’s chief operating officer. But as the internet gained adoption, and platforms began collaborating with the organization, reports to the tipline exploded. In 2018, NCMEC received more than 18 million reports of exploitative imagery.

Strikingly, 99 percent of those reports come directly from the tech platforms. Through the use of artificial intelligence, hashed images, and partnerships between companies, we’re now arguably much better informed about the scope and spread of these images — and are better equipped to catch abusers.

Notably, these reports originate from communications platforms the DOJ and FBI have complained about.

A Facebook executive says that the company bans a whopping 250,000 WhatsApp accounts a month for sharing child exploitation imagery.

The implication that tech companies are doing nothing to respond to and to prevent criminal activities are, to put it politely, horseshit. These federal agencies have a vested interest in portraying tech companies as villains presiding over an internet Wild West. They want favorable court precedent and legislation.

As tech companies appear villainous -- something not helped by their numerous appearances in front of Congressional committees -- all branches of the government are more likely to screw tech companies into behaving as extensions of the federal government. This screws users and customers as well as the companies they use, but no price is too high to pay… as long as it's paid by others.

Filed Under: backdoors, encryption, going dark, law enforcement

You'd Think The FBI Would Be More Sensitive To Protecting Encrypted Communications Now That We Know The Russians Cracked The FBI's Comms

from the guys,-encryption-matters dept

On Monday, Yahoo News had a bit of a new bombshell in revealing that the closures of various Russian compounds in the US, along with the expulsion of a bunch of Russian diplomats -- which many assumed had to do with alleged election interference -- may have actually been a lot more about the Russians breaching a key FBI encrypted communications system.

American officials discovered that the Russians had dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams. Officials also feared that the Russians may have devised other ways to monitor U.S. intelligence communications, including hacking into computers not connected to the internet. Senior FBI and CIA officials briefed congressional leaders on these issues as part of a wide-ranging examination on Capitol Hill of U.S. counterintelligence vulnerabilities.

These compromises, the full gravity of which became clear to U.S. officials in 2012, gave Russian spies in American cities including Washington, New York and San Francisco key insights into the location of undercover FBI surveillance teams, and likely the actual substance of FBI communications, according to former officials. They provided the Russians opportunities to potentially shake off FBI surveillance and communicate with sensitive human sources, check on remote recording devices and even gather intelligence on their FBI pursuers, the former officials said.

That all seems like a fairly big deal. And, it specifically targeted the FBI's encrypted communications phone system:

That effort compromised the encrypted radio systems used by the FBI’s mobile surveillance teams, which track the movements of Russian spies on American soil, according to more than half a dozen former senior intelligence and national security officials. Around the same time, Russian spies also compromised the FBI teams’ backup communications systems — cellphones outfitted with “push-to-talk” walkie-talkie capabilities. “This was something we took extremely seriously,” said a former senior counterintelligence official.

The Russian operation went beyond tracking the communications devices used by FBI surveillance teams, according to four former senior officials. Working out of secret “listening posts” housed in Russian diplomatic and other government-controlled facilities, the Russians were able to intercept, record and eventually crack the codes to FBI radio communications.

While this is all interesting in the "understanding what the latest spy v. spy fight is about," it's even more incredible in the context of the FBI still fighting to this day to weaken encryption for everyone else. The FBI, under both James Comey and Christopher Wray, have spent years trashing the idea that encrypted communications was important and repeatedly asking the tech industry to insert deliberate vulnerabilities in order to allow US officials to have easier access to encrypted communications. The pushback on this, over and over, is that any such system for "lawful access" will inevitably lead to much greater risk of others being able to hack in as well.

Given that, you'd think that the FBI would be especially sensitive to this risk, now that we know the Russians appear to have cracked at least two of the FBI's encrypted communications systems. Indeed, back in 2015, we highlighted how the FBI used to recommend that citizens use encryption to protect their mobile phones, but they had quietly removed that recommendation right around the time Comey started playing up the "going dark" nonsense.

Of course, it's possible that the folks dealing with the Russians cracking FBI encrypted comms are separate from the people freaking out about consumer use of encryption, but the leadership (i.e., Comey and Wray) certainly had to understand both sides of this. This leaves me all a bit perplexed. Were Comey and Wray so completely clueless that they didn't think these two situations had anything to do with one another? Or does it mean that they thought "hey, if we had our comms exposed, so should everyone else?" Or do they just not care?

Filed Under: communications, doj, encryption, fbi, going dark, protected communications, russia, russians

Encryption Working Group Releases Paper To 'Move The Conversation Forward'

from the what-conversation? dept

One of the frustrating aspects of the "debate" (if you can call it that) over encryption and whether or not law enforcement should be able to have any kind of "access" is that it's been no debate at all. You have people who understand encryption who keep pointing out that what is being asked of them is impossible to do without jeopardizing some fairly fundamental security principles, and then a bunch of folks who respond with "well, just nerd harder." There have been a few people who have suggested, at the very least, that "a conversation" was necessary between the different viewpoints, but mostly when that's brought up it has meant non-technical law enforcement folks lecturing tech folks on why "lawful access" to encryption is necessary.

However, it appears that the folks at the Carnegie Endowment put together an actual working group of experts with very varying viewpoints to see if there was any sort of consensus or any way to move an actual conversation forward. I know or have met nearly everyone on the working group, and it's an impressive group of very smart, and thoughtful people -- even those I frequently disagree with. It's a really good group and the paper they've now come out with is well worth reading. I don't know that it actually moves the conversation "forward" because, again, I'm not sure there is any conversation to move forward. But I do appreciate that it got past the usual talking points. The paper kicks off by saying that it's going to "reject two straw men," which are basically the two positions frequently stated regarding law enforcement access to encrypted communication:

First of all, we reject two straw men—absolutist positions not actually held by serious participants, but sometimes used as caricatures of opponents—(1) that we should stop seeking approaches to enable access to encrypted information; or (2) that law enforcement will be unable to protect the public unless it can obtain access to all encrypted data through lawful process. We believe it is time to abandon these and other such straw men.

And... that's fine, in that the first of those statements is not actually the position those who support strong encryption actually hold. I mean, there have been multiple reports detailing how we're actually in the "golden age of surveillance", and that law enforcement has so much greater access to basically every bit of communications possible, and that there are plenty of tools and ways to get information that is otherwise encrypted. Yes, it's true that some information might remain encrypted, but no one has said that law enforcement shouldn't do their basic detective work in trying to access information. The argument is just that they shouldn't undermine the basic encryption that protects us all to do so.

Where the paper gets perhaps more interesting is that it suggests that any debate about access to encrypted data should focus on "data at rest" (i.e., data that is encrypted on a device) rather than "data in motion" which is the data that is being transferred across a network or between devices in some form. The paper does not say that we should poke holes in encryption that protects data at rest, and says, explicitly:

We have not concluded that any existing proposal in this area is viable, that any future such proposals will ultimately prove viable, or that policy changes are advisable at this time

However, it does note that if there is a fruitful conversation on this topic, it's likely to be around data at rest, rather than elsewhere. And, from there it notes that any discussion of proposals for accessing such data at rest must take into account both the costs and the benefits of such access to determine if it is viable. While some of us strongly believe that there is unlikely to ever be a proposal where the costs don't massively outweigh the benefits, this is the correct framework for analyzing theses things. And it should be noted that, too often, these debates involve one group only talking about the benefits and another only talking about the costs. Having a fruitful discussion requires being willing to measure both.

From there, the group sets up a framework for how to weigh those costs and benefits -- including setting up a bunch of use cases against which any proposal should be tested. Again, this seems like the right approach to systematically exploring and stress testing any idea brought forth that claims it will "solve" the "problem" that some in law enforcement insist encryption has created for them. I am extremely skeptical that any such proposal can pass such a stress test in a manner that suggests that the benefits outweigh the costs -- but if those pushing to undermine encryption require a "conversation" and want people to explore the few proposals that have been brought up, this is the proper, and rigorous, way to do so.

The question, though, remains as to whether or not this will actually "move the conversation forward." I have my doubts on that, in part because those who keep pressing for undermining encryption have never appeared to have much interest in actually having this type of conversation. They have mostly only seemed interested in the "nerd harder, nerds" approach to this, that assumes smart techies will give them their magic key without undermining everything else that keeps us secure. I fully expect that it won't be long before a Willam Barr or Chris Wray or a Richard Burr or a Cy Vance starts talking nonsense again about "going dark" or "responsible encryption" and ignores the framework set out by this working group.

That's not so say this wasn't a useful exercise. It likely was, if only to be able to point to it the next time one of the folks listed above spout off again as if there are no tradeoffs and as if it's somehow easy to solve the "encryption problem" as they see it.

Filed Under: data at rest, encryption, going dark, law enforcement, nerd harder, responsible encryption

The FBI Can't Get Into The Dayton Shooter's Phone. So What?

from the time-to-exploit-some-deaths dept

A high-profile act of violence has brought FBI complaints about device encryption to the surface again. This has been a long-running theme with the agency, one amplified recently by domestic surveillance advocate/Attorney General William Barr. Barr claimed encryption was creating a more dangerous world for everyone. Barr's claims echoed those of successive FBI directors. Both Barr and Wray continue to talk about device encryption despite having (so far) refused to update the number of encrypted devices the FBI can't access.

As Barr warned in his rant against encryption, all it would take is one major attack to sway public opinion to the government's side.

I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

Well, the FBI is talking about encryption again with lawmakers. But with all due respect, Mr. Barr, this ain't it, chief.

Top FBI officials informed congressional lawmakers this week that they have been unable to access the smartphone of the suspected gunman in the Dayton, Ohio, mass shooting, two sources told The Hill.

In a briefing about the weekend shootings in Dayton and El Paso, Texas, FBI Deputy Director David Bowdich told House Democrats that the agency is in possession of what’s believed to be Connor Betts’s primary phone but can’t open it because it requires a passcode, according to the two sources who took part in Wednesday's briefing.

Two mass shootings in 24 hours could have provoked the public response Barr is looking for. But it didn't. These shootings had nothing to do with encrypted devices, even if the FBI felt it needed to inform lawmakers it couldn't get into a dead suspect's phone.

The question is why the FBI needs to do this. Like its previous skirmish with device makers over the encrypted contents of the San Bernardino shooter's iPhone, this complaint features a dead suspect and the highly-dubious implication that there's something of value contained in the locked device. There's no investigation being impeded by inaccessible data. The shooter is dead and the shooting is over.

The FBI -- and William Barr -- likely truly believe encryption backdoors will make investigations easier and prevent criminal acts. But there's nothing in the recent past that suggests their beliefs are well-founded. These are the speculations being used to undermine the security of millions of peoples' devices. The only thing the government has to offer is the fact that sometimes phones produce usable evidence. But criminal acts were prevented and/or prosecuted for years before a large majority of the public decided to start carrying tracking devices loaded with tons of personal info with them wherever they went.

Then there's the dishonesty: intellectual and otherwise. Most of what's offered as arguments for backdoors is intellectually dishonest. The FBI's failure to inform the American public about the true number of locked devices in its possession is the regular kind of dishonest. So is the assertion made by the FBI that it could be "months or years" before it can access the phone's contents. Multiple companies offer devices that can (supposedly) bypass any device's encryption, including the latest iPhones. The FBI and DOJ simply pretend these options don't exist when talking to Congress, law enforcement agencies, and the general public.

Every tragedy is an opportunity. The FBI isn't going to let these pass without attempting to capitalize on them. Unfortunately, it seems our country is capable of generating an endless amount of tragic opportunities. And it only takes one to give the government everything it wants.

Filed Under: chris wray, dayton, encryption, fbi, going dark, william barr

Here We Go Again: Trump Administration Considers Outlawing Encryption

from the not-this-bullshit-again dept

Well, here we go again. According to Politico, on Wednesday, at Trump's National Security Council meeting, a proposal was floated that the administration should back legislation that would outlaw encryption. Of course, that's not how it'll be framed should they actually decide to go down this path. Instead, they'll be nonsense about "responsible encryption" and "lawful access." But, make no mistake, what's being proposed is outlawing encryption.

Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it, these people told POLITICO. Tech companies like Apple, Google and Facebook have increasingly built end-to-end encryption into their products and software in recent years — billing it as a privacy and security feature but frustrating authorities investigating terrorism, drug trafficking and child pornography.

“The two paths were to either put out a statement or a general position on encryption, and [say] that they would continue to work on a solution, or to ask Congress for legislation,” said one of the people.

It's unclear what the final decision was, but if it was to back such a law, we'll know about it soon enough. There are some sensible folks on this issue -- including some from the intelligence communities who actually understand the security value of encryption. The State Department and Commerce Departments are both also said to support keeping encryption legal. It's mostly the law enforcement folks who are against encryption: including parts of the DOJ and FBI, ICE and the Secret Service. As if any of those need any more power. Homeland Security (of which ICE is a part) is apparently "internally divided."

It's been said before, but this is not a debate. There is no debate. There is no "on the one hand, on the other hand." There is no "privacy v. security." This is "no privacy and weakened security v. actual privacy and actual security." There's literally no debate to be had here. If you understand the issues, encryption is essential, and any effort to take away end-to-end encryption is outlawing technology that keeps everyone safe. While Senators Feinstein and Burr released a truly dangerous bill a few years back to outlaw encryption, who knows what sort of nonsense would come out of this and whether or not it could actually get enough support in Congress. Hopefully not.

But just the fact that security folks now need to waste a ton of time and energy on this shit all over again is immensely frustrating and wasteful. This debate was over decades ago. There is no reason to do it again.

Filed Under: backdoors, doj, donald trump, encryption, end to end encryption, fbi, going dark, national security council