As The DOJ Continues To Complain About Encryption, Cellebrite (Again) Announces It Can Crack Any IPhone

from the do-y'all-not-get-the-internet? dept

On Monday, June 17, Deputy Attorney General Jeffrey Rosen said this during his speech to the National Sheriffs' Association:

In recent years, criminals have become more and more adept at using technology to avoid law enforcement in what we call “going dark.” While “going dark” has many manifestations, some of its greatest impacts are in the areas of encryption, in assuring the security of information. But, as you well know, encryption also allows criminals to frustrate law enforcement's access to evidence — even where a neutral judge has found probable cause and ordered that we have access to that evidence.

I guess the "going dark" crowd doesn't get out much.

On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago. Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9. No other law enforcement contractor has made such broad claims about a single product, at least not publicly.

It was announced very publicly. This wasn't a press release sent only to government agencies or the byproduct of leaked internal documents. It was announced on the company's Twitter account, letting everyone know Cellebrite is apparently beating almost every device maker at their own encryption game. Like GrayKey's offering, Cellebrite's updated encryption-breaker is hardware that can be used on site by purchasers, allowing law enforcement agencies to perform their own cracking and extraction.

Sure, the flaws used to bypass device security will be patched, and Cellebrite and its competitors will keep digging around in device hardware/software to find holes to exploit. The security vs. insecurity war will continue. But for all the weak arguments made by the head of the FBI -- especially the ones about Apple, etc. "profiting" from locking out law enforcement -- it would seem companies like Cellebrite are more likely to directly profit from device encryption. Encryption on phones is a standard offering, not a selling point. Tools that break encryption? Now, that's where the real money is.

Cellebrite, along with companies like GrayKey, are providing the solutions the FBI and DOJ think device manufacturers should be creating for them. We don't hear much from FBI officials about third party offerings because this agency would prefer a permanent fix delivered by Congress and the courts, rather than spend any of their own money and time trying to find a solution. The FBI has been misleading and dishonest for the entirety of its "going dark" campaign, all the while claiming tech companies would willingly give the FBI what it wants -- encryption backdoors -- if they would just engage in an "honest" conversation about the issue.

Filed Under: doj, encryption, fbi, going dark, ios, iphone
Companies: apple, cellebrite

James Comey Offers Up Half-Assed Apology For Being Such An Asshole About Encryption

from the still-mostly-an-asshole dept

Former FBI director James Comey's move to the private sector has been… well… annoying, if we're honest. After being booted by President Trump for allegedly failing to pledge his fealty to the Oval Office throne, Comey has become a hero of the so-called Resistance. Those lionizing Comey as some sort of truth-to-power speaker seem to have forgotten he ignored everything ever about pre-election propriety to announce his reopening of the investigation into Hillary Clinton's private email server, and his years spent trying to undermine encryption.

You can take a man out of the FBI, but you can't take the g-man out of the man. Comey may be as unimpressed as many of us are with the current White House leadership, but that only makes him somewhat relatable, not some hero molded from the fires of the long tradition of reshuffling agency leadership with every peaceful transfer of power.

Comey will speak to whoever will listen and/or publish his thoughts. He recently spoke at a conference and offered up his limited apologies for the War on Encryption he waged following the San Bernardino shooting.

As apologies go, it isn't one. Comey says the only error he made was being a bit too aggressive when seeking to undermine the security of millions of device users. (h/t Riana Pfefferkorn)

Comey said it was "dumb" to launch the encryption debate by loudly criticizing companies for seeking encryption that would prevent law enforcement access even with a warrant. "I would do that differently if I had the chance," he said at a conference hosted by the Hewlett Foundation last week.

Beyond that, Comey wouldn't have changed much. And his stance is still firmly anti-encryption. Sure, it sounds like he thinks encryption is important, but the only version he'd be willing to live with if he were still running the FBI would be a version no one would trust.

Comey says, "you could build a key that sits with the U.S. government, a key that sits with the maker of that device and a key that sits with a non governmental agency" and a judge could order these keys to be combined to grant access to the data. He argued such a model could still be built despite widespread criticism from technologists who think such a solution would be impossible or insecure.

This proves Comey still unwilling to be the adult in the room, even as he repeated his assertion that it's all he really wants: an "adult conversation." Plenty of adults have spoken, contradicting Comey's fervent, but unfounded, beliefs that compromised encryption is still secure encryption.

Comey says it's time for the U.S. to have an "adult conversation" about what's at stake as more and more devices and services are encrypted. He warns that "broad swaths" of American life are now occurring out of the reach of law enforcement, and he's worried that the public isn't talking enough about the implications that could have for society.

Whatever. As far as I can tell, law enforcement is doing just fine. The stuff that's encrypted doesn't appear to be much of a problem. The FBI is having no problem radicalizing troubled youths into DOJ prosecution fodder. The ATF is still running stash house stings, turning poor people into federal inmates for thinking about robbing a fake drug stash house of its nonexistent drugs. The DEA is still spending a great deal of time looking for cash, rather than drugs. And local law enforcement is doing the same thing, concentrating on asset forfeiture, SWAT team raids, and talking people into having sex with officers pretending to be 14-year-old girls. Not really seeing the problem encryption poses for the law enforcement in any of these endeavors.

Comey isn't here to speak truth to power or expound on the virtues of the rule of law. He isn't even truly apologetic for his heavy-handed anti-encryption rhetoric over the past few years. He wants people to believe he's a paragon of virtue, thanks to his unceremonious ouster. But he's still the same guy who used to run the FBI and he still has the same goals. Getting fired hasn't made him a better person and it sure as shit hasn't made him a hero.

Filed Under: computer security, doj, encryption, fbi, going dark, james comey

FBI Director Chris Wray Needs To Shut The Fuck Up About Encryption

from the SHOW-YOUR-WORK dept

FBI Director Chris Wray is still hoping to sell Americans on trading away their security for a little bit of law enforcement convenience. Wray believes the only way the FBI and other agencies will ever keep up with criminals is to do away with encryption. The "going dark" campaign may have started with Jim Comey, but Wray has proven to be every bit as obtusely tenacious as his predecessor.

Wray's latest anti-encryption pep talk occurred at the RSA Conference. CNET reports the FBI director delivered another misguided, but impassioned, speech in defense of making everything worse for everyone but the FBI.

Encryption should have limits. That's the message FBI Director Christopher Wray had for cybersecurity experts Tuesday. The technology that scrambles up information so only intended recipients can read it is useful, he said, but it shouldn't provide a playground for criminals where law enforcement can't reach them.

"It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said during a live interview at the RSA Conference, a major cybersecurity gathering in San Francisco.

Wray can't honestly define where encryption should stop and law enforcement access begin. All he can do is claim the status quo isn't working because sometimes the FBI can't get into a seized device. But how many times is encryption actually bringing an investigation to a halt? That's something Wray won't talk about, even though he has access to this information.

What CNET charitably calls a "back and forth" conversation between Chris Wray and tech companies is actually nothing more than Wray complaining about encryption and ignoring everything he hears back from the companies that would be affected.

Wray needs to take his anti-encryption ball and go home. Not because I disagree with him, but because the FBI has handled this "conversation" disingenuously since day one. The "going dark" narrative hasn't been backed by evidence or facts. The FBI misrepresented the number of uncrackable devices it had in its possession for more than three years. Once legislators started demanding proof, the FBI discovered it had no idea how many devices it had on hand.

No further details have been delivered by the FBI, but it's safe to assume the original estimate of 8-9,000 devices is actually less than a quarter of that. But we don't know what the actual count is because the FBI has yet to issue an updated number.

The FBI said it would recount the devices and get back to us. As of March 6th, it has been 281 days since the FBI started replacing statements of 8,000+ locked devices with asterisks and footnotes. This is why Wray needs to shut his mouth. Until his agency delivers the real number of locked devices, we don't need to entertain his anti-encryption dreams. If he and his agency are unwilling to have a real conversation about device encryption -- one containing actual facts about locked devices and their impact on investigations -- no one should grant him or his comments any credibility.

Filed Under: chris wray, doj, encryption, facts, fbi, going dark

Indian Government Wants Tech Companies To Give Law Enforcement 24-Hour Access To User Data And Broken Encryption

from the it's-going-to-get-a-whole-lot-worse-before-it-gets-even-worse dept

India's government is joining the rest of the world in seeking more direct control of the internet. We in the US used to be able to point at Section 230 immunity and the First Amendment as evidence of our hands-off approach, but with the passage of FOSTA and multiple legislators demanding tech companies engage in more moderation and less moderation simultaneously, we've ceded a lot of the high ground.

The Indian government, however, is seeking to expand its control of the internet far past what should be considered reasonable in a nation whose government pays occasional lip service to protecting free speech. In addition to its already-abused laws covering certain forms of speech -- which, in practice, tends to mean criticism of government officials -- the Indian government is demanding speedy takedowns of content and direct access for law enforcement to user info, posts, and comments around the clock.

The proposals would… require any platform with more than 5 million users in India to appoint a “person of contact” for “24x7 coordination with law enforcement agencies and officers”, keep a record of all “unlawful activity” for 180 days (or indefinitely if mandated by a court), and send monthly notifications to every user informing them that the platform can “remove non-compliant information” immediately and kick the user off.

This is the result of discussions with representatives from companies including Google, Facebook, Whatsapp, and Twitter. There's no word yet on how compliant these companies will be. The only news that's surfaced so far is the Indian government's long list of demands. And those demands include something becoming distressingly popular in world governments: broken encryption.

“[On] the face of it, [the government seems] to be contemplating pro-active censorship and breaking encryption with traceability,” Apar Gupta, an Indian Supreme Court lawyer and cofounder of the Internet Freedom Foundation, told the Indian Express. “They will make the internet a corporal environment, damaging the fundamental rights of users.”

This will more closely align India's control of the internet with the Chinese model (or the Australian model!) -- something no nation should be in any hurry to adopt. That tech companies may be willing to comply with these demands rather than lose millions of users is worse news for everyone who uses their platforms. One just needs to look at Turkey's stranglehold on Twitter to see where this will be headed: tech companies will be complying with laws not valid in their home countries, allowing authoritarian rulers to silence critics and stifle dissent by proxy.

From what's been observed so far, Whatsapp seems to be the only company publicly resisting the Indian government's advances. Buzzfeed reached out to the other companies involved in these talks but has not received any comments or statements in response. Whatsapp's refusal to cooperate with India's demands for broken encryption dates back several months, but it's unlikely to have changed its views on undermining the protections it offers its users.

It's more bad news for internet users around the world, some of whom are going to be caught up in the Indian government's new net rules, even though they don't reside in that nation. Agreeing to help the government directly police users and/or break encryption will create ripple effects felt far outside the borders of India.

Filed Under: encryption, going dark, india, law enforcement

GCHQ Propose A 'Going Dark' Workaround That Creates The Same User Trust Problem Encryption Backdoors Do

from the wiretaps-but-for-Whatsapp dept

Are we "going dark?" The FBI certainly seems to believe so, although its estimation of the size of the problem was based on extremely inflated numbers. Other government agencies haven't expressed nearly as much concern, even as default encryption has spread to cover devices and communications platforms.

There are solutions out there, if it is as much of a problem as certain people believe. (It really isn't… at least not yet.) But most of these solutions ignore workarounds like accessing cloud storage or consensual searches in favor of demanding across-the-board weakening/breaking of encryption.

A few more suggestions have surfaced over at Lawfare. The caveat is that both authors, Ian Levy and Crispin Robinson, work for GCHQ. So that should give you some idea of which shareholders are being represented in this addition to the encryption debate.

The idea (there's really only one presented here) isn't as horrible as others suggested by law enforcement and intelligence officials. But that doesn't mean it's a good one. And there's simply no way to plunge into this without addressing an assertion made without supporting evidence towards the beginning of this Lawfare piece.

Any functioning democracy will ensure that its law enforcement and intelligence methods are overseen independently, and that the public can be assured that any intrusions into people’s lives are necessary and proportionate.

By that definition, the authors' home country is excluded from the list of "functioning democracies." Multiple rulings have found GCHQ's surveillance efforts in violation of UK law. And a number of leaks over the past half-decade have shown its oversight is mostly ornamental.

The same can be said for the "functioning democracy" on this side of the pond. Leaked documents and court orders have shown the NSA frequently ignores its oversight when not actively hiding information from Congress, the Inspector General, and the FISA court. Oversight of our nation's law enforcement agencies is a patchwork of dysfunction, starting with friendly magistrates who care little about warrant affidavit contents and ending with various police oversight groups that are either filled with cops or cut out of the process by the agencies they nominally oversee. We can't even get a grip on routine misconduct, much less ensure "necessary and proportionate intrusions into people's lives."

According to the two GCHQ reps, there's a simple solution to eavesdropping on encrypted communications. All tech companies have to do is keep targets from knowing their communications are no longer secure.

In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication. This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have.

We’re not talking about weakening encryption or defeating the end-to-end nature of the service. In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with. That’s a very different proposition to discuss and you don’t even have to touch the encryption.

Suppressing notifications might be less harmful than key escrow or backdoors. It wouldn't require a restructuring of the underlying platform or its encryption. If everything is in place -- warrants, probable cause, exhaustion of less intrusive methods -- it could give law enforcement a chance to play man-in-the-middle with targeted communications.

But there's a downside -- one that isn't referenced in the Lawfare post. If both ends of a conversation are targeted, this may be workable. But what if one of the participants isn't a target? This leaves them unprotected because the suppressed messages wouldn't inform other non-target parties the conversation isn't protected. Obviously it wouldn't do the let anyone targets converse with know things are no longer normal on the target's end, as it's likely one of those participants will let the target know they've encountered a security warning while talking to them.

In that respect, it is analogous to a wiretap on someone's phones. It will capture innocent conversations irrelevant to the investigation. In those cases, investigators are told to stop eavesdropping. It's unclear how the same practice will work when the communications are being harvested digitally via unseen government additions to private conversations.

This proposal seems at odds with the authors' suggested limitations, especially this one:

Any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users.

When a service provider starts suppressing warning messages, the trust relationship is going to be fundamentally altered. Even if users are made aware this is only happening in rare instances involving targets of investigations, the fact that their platform provider has chosen to mute these messages means they really can't trust a lack of warnings to mean everything is still secure.

On the whole, it's a more restrained solution than others have proposed -- but it still has the built-in exploitation avenue key escrow does. It's better than a backdoor but not by much. And the authors of this proposal shouldn't pretend the solution lives up to the expectations they set for it. Their own proposal falls short of their listed ideals… and the whole thing is delivered under the false pretense law enforcement/intelligence agencies are subject to robust oversight.

Filed Under: backdoors, encryption, gchq, going dark, third parties, vulnerabilities

Deputy AG Claims There's No Market For Better Security While Complaining About Encryption At A Cybercrime Conference

from the an-actual-thing-that-happened dept

The FBI still hasn't updated its bogus "uncrackable phones" total yet, but that isn't stopping the DOJ from continuing its push for holes in encryption. Deputy AG Rod Rosenstein visited Georgetown University to give a keynote speech at its Cybercrime 2020 Conference. In it, Rosenstein again expressed his belief that tech companies are to blame for the exaggerated woes of law enforcement.

Pedophiles teach each other how to evade detection on darknet message boards. Gangs plan murders using social media apps. And extortionists deliver their demands via email. So, it is important for those of us in law enforcement to raise the alarm and put the public on notice about technological barriers to obtaining electronic evidence.

One example of such a barrier is “warrant-proof” encryption, where tech companies design their products or services in such a way that they claim it is impossible for them to assist in the execution of a court-authorized warrant. These barriers are having a dramatic impact on our cases, to the significant detriment of public safety. Technology makers share a duty to comply with the law and to support public safety, not just user privacy.

Rosenstein says this has resulted in a "significant detriment [to] public safety," but can't point to any data or evidence to back that claim up. The FBI's count of devices it can't access is off by at least a few thousand devices, by most people's estimates. In terms of this number alone, the "public safety" problem is, at best, only half as bad as the DOJ has led us to believe.

Going beyond that, crime rates remain at historic lows in most places in the country, strongly suggesting no crime wave has been touched off by the advent of default encryption. Law enforcement agencies aren't complaining about cases they haven't cleared -- if you exclude encryption alarmist/Manhattan DA Cyrus Vance. (Anyone hoping to have an honest conversation about encryption certainly should.)

Somehow, Rosenstein believes the public would experience a net safety gain by making their devices and personal info more easily accessed by criminals. Holes in encryption can be marked "law enforcement only," much like private property owners can hang "no trespassing" signs. But neither is actually a deterrent to determined criminals.

Rosenstein goes on to tout "responsible encryption" -- a fairy tale he created that revolves around the premise tech companies can break/unbreak encryption at the drop of a warrant. But broken encryption can't be unbroken, not even with some form of key escrow. The attack vector may change, but it still exists.

That Rosenstein is advocating inferior encryption during a cybercrime conference speaks volumes about what the DOJ actually considers to be worth protecting. It's not businesses and their customers. It's law enforcement's access. He spends half the run time talking about security breaches involving tech companies and follows it up by suggesting they take less care securing all this info they collect.

He even goes so far as to claim better security is something customers don't want and is bad for tech companies' bottom lines.

Building secure devices requires additional testing and validation—which slows production times — and costs more money. Moreover, enhanced security can sometimes result in less user-friendly products. It is inconvenient to type your zip code when you use a credit card at the gas station, or type a password into your smartphone.

Creating more secure devices risks building a product that will be later to market, costlier, and harder to use. That is a fundamental misalignment of economic incentives and security.

The implicit statement Rosenstein's making is that ramped-up security -- including default encryption -- is nothing more than companies screwing shareholders just so they can stick it to The Man. Following this bizarre line of thought is to buy into Rosenstein's conspiracy theory: one that views tech companies as a powerful cabal capable of rendering US law enforcement impotent.

And as much as Rosenstein hammers tech companies for security breaches that have exposed the wealth of personal data they collect, he ignores the question his encryption backdoor/side door advocacy raises. This question was posed in an excellent post by Cathy Gellis at the beginning of this year:

"What is a company to do if it suffers a data breach and the only thing compromised is the encryption key it was holding onto?"

We're headed into 2019 and no one in the DOJ or FBI is willing to honestly discuss the side effects of their proposals. Rosenstein clings to his "responsible encryption" myth and the director of the FBI wants to do nothing more than make it the problem of "smart people" at tech companies he's seeking to bend to his will. No one in the government wants to take responsibility for the adverse outcomes of weakened encryption, but they're more than willing to blame everyone else any time their access to evidence seems threatened.

Rosenstein's unwavering stance on the issue makes this statement, made at the closing of his remarks, ring super-hollow.

We should not let ideology or dogma stand in the way of constructive academic engagement.

Fair enough, Rod. You go first.

Filed Under: backdoors, blame, doj, encryption, fbi, going dark, responsible encryption, rod rosenstein

EFF, ACLU Petition Court To Unseal Documents From DOJ's Latest Anti-Encryption Efforts

from the talk-to-us,-DOJ dept

Back in August, the DOJ headed to court, hoping to obtain some of that sweet sweet anti-encryption precedent. Waving around papers declaring an MS-13 gang conspiracy, the DOJ demanded Facebook break encryption on private Messenger messages and phone calls so the government could eavesdrop. Facebook responded by saying it couldn't do that without altering -- i.e., breaking -- Messenger's underlying structure.

Not that breaking a communications platform would give the FBI any sleepless nights. Worthless encryption is better than good encryption when it comes to demanding the content of communications or, as in this case, operating as the unseen man-in-middle when suspected gang members chatted with each other.

Unfortunately (for the FBI), this ended in a demurral by the federal court. The details of the court's decision are, just as unfortunately, unknown. Reuters was able to obtain comments from "insiders familiar with the case," but the public at large is still in the dark as to how all of this turned out.

The EFF and ACLU are hoping to change that.

In our petition filed today in the United States District Court for the Eastern District of California, EFF, the ACLU, and Riana Pfefferkorn of Stanford Law School’s Center for Internet and Society seek to shed light on this important issue. We’re asking the court to release all court orders and related materials in the sealed Messenger case.

Given the importance of encryption in widely used consumer products, it is a matter of public interest any time law enforcement tries to compel a company to circumvent its own security features.

The petition [PDF] points out the First Amendment guarantees access to courtroom proceedings and the courts are supposed to adhere to this by operating with a presumption of openness. Only in rare, rare cases should they side with the government and allow the public to be cut out of the loop by sealing documents.

This is doubly true in cases of significant public interest. Any time the DOJ is in court agitating for broken encryption, it's safe the say the public will be affected by the case's outcome. At this point, we don't know anything more than the DOJ didn't get what it wanted. What we don't know is why, or what impact the ruling here will have on similar cases in the future. And we should know these details because, if nothing else, the FBI has proven it cannot be trusted to deal with device encryption honestly.

Filed Under: breaking encryption, compelled access, doj, encryption, facebook messenger, fbi, going dark, ms-13, public records, sealed court documents, transparency
Companies: facebook

Manhattan DA Cy Vance Says The Only Solution To Device Encryption Is Federally-Mandated Backdoors

from the picking-up-the-torch-the-FBI-accidentally-dropped dept

Because no one has passed legislation (federal or state) mandating encryption backdoors, Manhattan DA Cy Vance has to publish another anti-encryption report. An annual tradition dating back to 2014 -- the year Apple announced default encryption for devices -- the DA's "Smartphone Encryption and Public Safety" report [PDF] is full of the same old arguments about "lawful access" and evidence-free assertions about criminals winning the tech arms race. (h/t Riana Pfefferkorn)

You'd think there would be some scaling back on the alarmism, what with the FBI finally admitting its locked device count had been the victim of software-based hyperinflation. (Five months later, we're still waiting for the FBI to update its number of locked devices.) But there isn't. Vance still presents encryption as an insurmountable problem, using mainly Apple's multiple patches of security holes cops also found useful as the leading indicator.

The report is a little shorter this year but it does contain just enough stuff to be persuasive to those easily-persuaded by emotional appeals. Vance runs through a short list of awful crime solved by device access (child porn, assault) and another list of crimes unsolved (molestation, murder) designed to make people's hearts do all their thinking. While it's certainly true some horrible criminal acts will directly implicate device encryption, the fact of the matter is a majority of the locked phone-centric criminal acts are the type that won't make headlines or motivate lawmakers.

More than a third of these cases involve minor crimes like theft and check kiting. Another 20% is comprised of "sex crimes," which encompasses prostitution -- a crime where law enforcement sometimes chooses to believe the device itself is an "instrument of crime," never mind what other evidence might be hidden inside it.

So, more than half the crime involving locked phones isn't the sort of stuff that suggests encryption backdoors are the key to making New York City a safer place to reside. The stuff Vance throws in about unlocked devices producing exonerating evidence is a dodge. It's meant to show how granting law enforcement carte blanche access would be a net benefit for the public. But the examples given use stuff like cell site location info and social media app data -- things that could be obtained from third parties without having to go through the locked phone.

Then there's the other part of this argument Vance leaves completely undiscussed: if someone's phone contains exonerating evidence, it's very likely they'll provide officers with this evidence voluntarily, either by unlocking the device or handing over the relevant info/files. Using the very small percentage of cases where exonerating evidence may be recovered from locked phones as an argument for mandated backdoors is incredibly disingenuous.

And that's all this "report" is: a petition for federally-legislated encryption backdoors.

III. Federal Legislation Remains the Only Answer

[...]

For the reasons advanced in each of our prior Reports, national legislation of the sort we have proposed remains the most rational and least intrusive means to require device manufacturers to comply with lawful court orders in serious criminal cases upon a finding of probable cause.

"Most rational and least intrusive." I guess creating new security holes in millions of personal devices isn't "intrusive." And if this wasn't enough of a laugher, Vance ends his report with this sentence:

[O]ur Office stands willing to assist Congress and all relevant stakeholders in the effort to find a more rational balance among the interests of device makers, consumers and law enforcement in the regulation of smartphone encryption.

When your conclusion is that the only solution is federally-mandated encryption backdoors, you cannot honestly assert you're seeking to "balance" the interests of everyone involved. The only interest served by mandated backdoors is law enforcement's. Portraying device encryption as a threat to public safety is intellectually dishonest. Vance's own numbers undercut his threat level claims and his repeated failure to even generate serious discussion among federal legislators shows it's probably time for the Manhattan DA to retire his annual alarmism.

Filed Under: backdoors, cy vance, encryption, going dark, law enforcement, moral panic, privacy, security

Australian Gov't Floats New Batch Of Compelled Access Legislation With An Eye On Encryption

from the hello-darkness-my-old-friend dept

The Australian government is looking to revamp its compelled access laws to fight encryption and other assorted technological advances apparently only capable of being used for evil. It's getting pretty damn dark Down Under, according to the Department of Home Affairs' announcement of the pending legislation.

Encryption conceals the content of communications and data held on devices, as well as the identity of users. Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption. The problem is widespread, for example:

• Encryption impacts at least nine out of every ten of ASIO’s priority cases.

• Over 90 per cent of data being lawfully intercepted by the AFP now use some form of encryption.

• Effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020.

An example of harmful encryption is provided for readers at home, so they can weigh their own security and privacy against an anecdote about a registered sex offender who may or may not have escaped prosecution (the outcome of the case isn't provided) by using encrypted messaging apps. And it includes an inadvertently helpful lesson about the stupidity of targeting encryption with legislation, even if the DHA likely doesn't realize it.

The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode.

There's the limitation of lawmaking. Lawbreakers break laws and they're not going to stop just because you've told them not to with a government mandate. Legislation [PDF] like this does little more than make life more difficult for service providers and device makers while undermining the privacy and security of millions of law-abiding citizens.

The explanation sheet [PDF] notes the government is not seeking to mandate encryption backdoors. That being said, it would like providers of encrypted services/devices to leave the door cracked open so the government can step inside whenever it feels the need to look around.

The type of assistance that may be requested or required under the above powers include (amongst other things):

• Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection.

• Providing technical information like the design specifications of a device or the characteristics of a service.

• Installing, maintaining, testing or using software or equipment given to a provider by an agency.

• Formatting information obtained under a warrant.

• Facilitating access to devices or services.

• Helping agencies test or develop their own systems and capabilities.

• Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation.

• Modifying or substituting a target service.

• Concealing the fact that agencies have undertaken a covert operation.

The law can't retroactively force companies to produce crackable devices and messaging systems. But the first bullet point could see the Australian government demanding they do so in the future if they want to provide goods and services to the Australian public. Fortunately, the bill includes a clause making future demands along these lines impossible for the time being.

The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications. The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities.

Without further discussion by the legislature, it's tough to tell whether creating an escrow system would be considered a "system weakness" or make "encryption less effective." I mean, it obviously is and does, but does the DHA see it that way? And will this clause survive the final markup? Compelling decryption using "existing" methods seems especially useless if most services and devices cannot currently be decrypted by providers. The government is better off seeking outside help from contractors who do nothing else but find ways to crack or bypass encryption, rather than dropping language into the law that suggests backdoors the government won't call "backdoors" will be mandated in the future.

It also gives the government a considerable expansion of power, allowing it to peruse private companies' design specs and a heads up if any redesigns are in the works. It also forces companies to be compliant partners in government surveillance by mandating their assistance in man-in-the-middle attacks ("modifying or substituting a target service") and ordering them to withhold information from affected customers.

There is a public comment period, which is a nice touch. There also appears to be some respect for the good encryption does, rather than simply viewing it as an escape route for criminals and terrorists. But there's also a good deal of power expansion tied to rickety wording that suggests backdoors might be mandated if the government can talk itself into viewing proposals as something other than backdoors. And there's no guarantee this vague promise will make the final cut.

Filed Under: australia, backdoors, encryption, going dark, law enforcement, surveillance

New Report Says The Feds' Focus On Device Encryption Is Holding Local Law Enforcement Back

from the get-what-you-can-instead-of-dreaming-about-an-all-access-pass dept

CSIS (Center for Strategic and International Studies) has just released another report [PDF] on device encryption. But there's a difference: this one isn't so much about encryption but what law enforcement isn't doing to access the wealth of digital data available to it. (h/t Robyn Greene)

What CSIS found is there are plenty of powerful tools and options available. The problem -- especially at the local level -- is law enforcement appears to be unsure of how to proceed when seeking digital data. This results in a couple of problems, the latter of which has definite civil liberties implications.

Our survey of federal, state, and local law enforcement officials suggests that challenges in accessing data from service providers—much of which is not encrypted—is the biggest problem that they currently face in terms of their ability to use digital evidence in their cases. Specifically, the inability to effectively identify which service providers have access to relevant data was ranked as the number-one obstacle in being able to effectively use digital evidence in particular cases.

Following closely after that is the difficulty of obtaining data and evidence from service providers if agencies do manage to narrow down where it's located. While there are a variety of federal resources available to train and educate law enforcement investigators about seeking digital evidence, they're underfunded and underutilized.

This lack of education and overall uncertainty is leading to unfortunate results -- both in terms of targeted citizens and the law enforcement agencies hoping to hold onto whatever evidence they may obtain. Overbroad warrants are routine and it's not always the result of a "collect it all" philosophy.

Law enforcement claims... they often lack enough information to know what data is and is not available and make the kind of relevancy determination needed. Put simply, unless law enforcement officials are adequately informed about what kind of data providers have available, they are not in a position to know what there is to ask for—let alone determine if it is relevant. Law enforcement officials also point out that in many cases it is appropriate to ask for “any and all data,” particularly when the universe of available data is sufficiently limited—for example, if the request is directed toward “any and all data” about a particular account and during a specific time horizon.

These broad requests result in pushback from tech company recipients (who, unfortunately, likely understand the law better), which further strains the relationship between service providers and law enforcement agencies. The problem with the law enforcement side is the numbers don't support this perception.

The number of law enforcement requests, at least as directed at the major U.S.-based tech and telecom companies, has significantly increased over time. Yet, the response rates have been remarkably consistent.

The increase in requests has led to an increase in rejected requests as a whole -- which fuels the perception service providers are giving lawmen the figurative finger -- but the percentage of rejected requests (around 20%) has remained constant.

It's not just law enforcement personnel needing more training and info. The lack of training leads to broad warrant requests and subpoenas from law enforcement. These requests should be receiving pushback before they're delivered to service providers. But far too often, they're not receiving enough scrutiny at the judicial level. This is also an education/information problem.

[R]esources should be invested in training judges, in addition to law enforcement officials engaged in the investigative and prosecutorial functions. Judges serve as crucial intermediaries in the request process, ensuring that data requests are lawful and appropriately tailored. Resources should also be expended to train defense attorneys, who also need the ability to access and interpret digital evidence in order to mount an adequate defense.

The broad requests that do make it through post additional issues that are rarely discussed. While FISA court orders authorizing surveillance (including domestic surveillance) stress minimization of non-target info, demands for data from service providers aren't subject to these restrictions. Data/communication dumps can expose a lot of info about non-targets and there's almost zero recourse for non-targets whose privacy has been violated. "Incidental" collection isn't just something the NSA does. It's the inevitable byproduct of overbroad requests and few, if any, rules governing the collection and use of this info.

The report details a large number of deficiencies in the process which has made law enforcement's job far more difficult than it needs to be. Tech advances don't solely benefit crafty criminals. They also aid law enforcement, but there's been no cohesive effort made by the federal government to ensure local agencies can make the most of the tools available. Until this is nailed down, worrying about defeating or bypassing encryption is a waste of time.

That the FBI's director has decided that's how he's going to use his time and energy, suggests the agency -- the most frequent contact for local agencies seeking tech help -- isn't going to prioritize sharing knowledge over seeking legislative mandates. The FBI is hurting itself and others by limiting their ability to do everything they can right now in hopes of getting a law enforcement-sized hole drilled in encryption at some point in the next few decades.

Filed Under: doj, encryption, fbi, going dark, law enforcement
Companies: csis