As US Turns Away From Idea Of Backdooring Crypto, David Cameron Has A Problem

from the saber-rattling dept

Last week, Mike wrote about what seems an important shift in US government policy on encryption, as the White House finally recognizes that adding backdoors isn't a sensible option. That leaves a big question mark over what the UK will do, since David Cameron and intelligence officials have been hinting repeatedly that they wanted to undermine encryption in some unspecified way. Just last week, the new head of MI5, the UK's domestic intelligence service, gave the first-ever live media interview by a senior British intelligence official. Asked about the alleged danger of parts of the Internet "going dark", he said:

"It requires the cooperation of the companies who run and provide services over the internet that we all use. It is in no one's interest that terrorists would be able to plot and communicate out of the reach of any authorities with the proper legal power."

That's from The Guardian, and another article there points out that the UK government's strategy of trying to get the big US online services to co-operate now looks in trouble:

If the White House does drop the battle [over backdoors] it will leave Britain with little option but to accept the widespread use of encryption. The UK's ability to directly lobby the big American technology firms is limited, and in a report leaked in June the former British diplomat Sir Nigel Sheinwald said that a new international treaty was the only way to get the co-operation of the companies. Without the support of the White House such a treaty seems unlikely.

Without the co-operation of the tech firms what the UK government can do when facing widespread encryption is limited. In June the Home Office confirmed that, for extreme cases, it was considering inserting "black box" probes into the transatlantic cables, to collect data leaving and entering the UK. But if the communications were encrypted on their way to the US, such collection would have little value.

Of course, a lot depends on the detailed policy adopted by the US government, and whether the US intelligence community manages to exploit any future terrorist attacks to get backdoors on the agenda again. But for the moment, it seems that David Cameron's anti-encryption saber-rattling will remain just that.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: backdoors, david cameron, encryption, going dark, mandates, uk

Twitter Makes All Its Shortlinks HTTPS By Default

from the good-move dept

The push to encrypt more and more of the web's traffic will get a nice little boost on October 1st, when Twitter will change its t.co link wrapper/shortner service to go to HTTPS by default:

On October 1 all new links wrapped with Twitter's t.co wrapper will use the https URL scheme. The https scheme helps Twitter securely deliver readers to the intended destination.

We have discussed for years, of course, the value of encrypting more of the web, and especially increasing use of HTTPS-by-default. Kudos to Twitter for making this move and encouraging widespread use of HTTPS to better protect people's surfing. It's worth noting that Twitter is also warning sites that they may see a drop in referrals from Twitter, because browsers drop the referrer from the header when an HTTPS link goes to an HTTP destination -- but it notes that it will be using referrer policy instead, which is good. Most modern browsers support referrer policy, and thus this isn't really that big a deal. However, it's one of the random complaints that some anti-HTTPS campaigners have argued over the years (that the lack of referrer is a big loss under HTTPS).

Filed Under: encryption, https, shortlinks, social media
Companies: twitter

India's Government Looking At Mandating Backdoors In Encryption

from the selling-out-the-people-for-the-good-of-the-people dept

Here in the US, the FBI really really really wants to be able to let itself in your backdoor if it feels the urge to paw through your personal communications. (Perhaps the FBI's lack of respect for encryption is due to its own unwillingness to encrypt its communications...) Congress isn't pushing this forward and the administration has indicated it won't back an encryption backdoor mandate. Over in Europe, a mixed bag of terrorism-related legislation is going the other way, pushing for "good guys only" holes in encryption, with any negative use by criminals and foreign governments apparently being the price that must be paid to secure whatever liberty still remains once the "securing" is completed.

India's government -- never one to shy away from overreach, censorship or other bad ideas -- similarly sees encryption backdoors as A Good Thing. A draft proposal from India Department of Electronics and Technology, posted by essential government doc stash Public Intelligence, indicates that the government may be looking to mandate a variety of encryption backdoors in the near future.

It starts out with some positive thinking…

The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.

...before cutting the floor away entirely.

This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).

The "policy" is mandated backdoors -- not for "sensitive" and "strategic" government agencies, but for everyone else, from other government agencies to "all citizens."

The suggested policy splits up the country's population in three groups, with businesses and citizens designated as "B" and "C." The government says, yes, use encryption for better privacy and security... but don't lock us out.

B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.

And any ISP looking to provide service in India -- including those not actually located in India -- is expected to give the government access to encrypted transmissions.

Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G,B or C taking such services from Service Providers . are also responsible to provide plain text when demanded.

On top of that, creators of encryption products would be required to register with the government and submit to a "security evaluation." Presumably, the evaluation will include discussion of where to best place backdoors and/or involve a handover of Golden Keys.

The proposal also suggests the government take a more active role in the development of "indigenous" encryption products. While not specifically detailed in the draft, one assumes any government-produced, pre-compromised encryption products will make their debut accompanied by mandates requiring use going forward, if not retroactively as well.

For what it's worth, the Indian government is accepting comments on the proposed policy until October 16th. Presumably, the draft will move forward despite any negative feedback, given the country's track record on internet freedom and human rights. Factor in the threat of terrorism, and there's very little chance the government won't find some way to push this through mostly unaltered.

Filed Under: backdoors, encryption, going dark, india, mandates

CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email

from the are-they-that-clueless? dept

It's no secret that FBI Director James Comey is somewhat clueless about encryption -- to the point that he doesn't even realize that stronger encryption will actually better protect Americans. But it seems to go beyond that. Apparently he's so clueless about encryption that he doesn't realize that it will help protect FBI agents. Lorenzo Franceschi-Bicchierai has a great story over at Vice Motherboard concerning key parts of our government that should understand the importance of keeping emails secret, that have failed to take the most basic steps in securing email communications. And the FBI is one of the agencies that has not done so. Ditto with the CIA. Or most branches of the military (the Air Force -- which used to run the US cybersecurity efforts -- is the one exception).

Specifically, the article focuses on the use of STARTTLS, which is used to encrypt emails in transit between service providers (it's not nearly as secure as doing full end-to-end encryption of the messages like PGP -- in which case the email providers can't read your email -- but it's a key tool for at least protecting your messages in transit between those providers). Most email systems use STARTTLS these days. Gmail has offered it since it launched over a decade ago. And for STARTTLS to work, both sides of the email provider chain need to be using it. Google has published stats on how much of the emails sent via Gmail are able to be sent with STARTTLS for a little while now and it keeps going up, such that these days, it's pretty rare for email providers not to offer STARTTLS -- with 80% of outbound mail and 61% of inbound mail using it. Yet the US military, the CIA and the FBI don't use it (the NSA does, because they're no dummies about encryption). Google and others in the tech industry have been begging email providers to use STARTTLS for a while, but apparently the US government, including agencies that you'd figure would want to protect secrets, apparently still hasn't figured this out.

When Franceschi-Bicchierai asked the Defense Department why most of the military doesn't support it, he got a nonsensical answer:

In a statement emailed to Motherboard, a spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said the DISA's DOD Enterprise Email (DEE) does not support STARTTLS.

“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” the spokesperson wrote. “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”

The spokesperson did not respond to several follow-ups, asking to clarify the statement. Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, said that DISA’s explanation is “an unacceptable and technically inept answer,” and criticized the Pentagon for not taking security seriously and implementing STARTTLS.

“I can’t think of a single technical reason why they wouldn’t use it,” he told Motherboard in a phone interview. “It’s absurd.”

That opening sentence of the statement from the DOD reads like someone who is just discovering the technical details of email. It's stating something that is (1) meaningless to the question and (2) stated in a manner different than any knowledgeable person would say things. Someone who deals with this stuff would just say POP3 and IMAP rather than spell them out -- and again, that's totally unrelated to the question of STARTTLS. So is the use of PKI (public key infrastructure) for emails.

In the past, I'd mainly assumed that when the FBI spoke out against encryption, it was mainly a smokescreen to try to get more backdoors to make its own life easier. But could it actually be that the FBI (and the CIA and the DOD) don't even realize how important encryption is to protect their own information?

Filed Under: cia, cybersecurity, dod, email, encryption, fbi, security, starttls

China Makes Big Push To Get American Tech Companies To Agree To Its Rules

from the this-is-getting-interesting dept

China is a big -- and quite appealing -- market. I think just about everyone recognizes that. But it's also a troubling market for a variety of reasons, and American tech companies have struggled with how to handle China. Beyond the fact that China often requires American firms to "partner" with a local Chinese firm, China often helps local firms get a leg up on American firms. And, then, of course, there's the whole "Great Firewall" censorship issue, and concerns about the Chinese government's desire for greater surveillance powers. Google famously left China about five years ago after it got tired of pressure to change its search results. However, just recently it was reported that Google has (at least somewhat) caved to China with a plan to bring a censored version of the Android Play store to China.

On the flipside, however, after years of appearing somewhat hostile to American tech firms, China is now making a big push to "open" its doors to those companies -- but with a few conditions baked in. It appears that China recognizes that it's in the power position with American tech companies, and it's going to use that to its advantage. China's President Xi Jinping is making his first state visit to the US shortly, and the Chinese government surprised (and annoyed) a bunch of folks by announcing that it is hosting its own tech/internet forum in Seattle, inviting basically all the big US tech firms: Apple, Microsoft, Facebook, Google, Uber, IBM and more. Apple's Tim Cook is likely to appear.

Apparently the White House isn't at all happy about this, as it was planning to use the visit to put pressure on China over its online spying and its anti-competitive practices against US companies. Having those very same US companies slobbering all over Chinese politicians that same week sort of takes away from the White House's talking points.

The meeting is rankling the Obama administration by veering off the script agreed to for Mr. Xi’s carefully stage-managed visit, two American officials said. There are also concerns the meeting could undercut President Obama’s stern line on China by portraying its leadership as constructively engaging American companies about doing business in China, even as the administration suggests American companies are hurt by anticompetitive Chinese practices.

And then there's... "the pledge." China is pushing US tech firms to sign this pledge to commit to certain data practices if they're to operate in China. It's believed that China is hoping to highlight companies signing the pledge at that forum. And if you look at the basic text of the pledge, much of it looks and sounds like really good things. The kinds of things companies should be proud to do and users should be happy to see companies commit to. It includes things like making sure users have control over their own data, that companies are clear and transparent in how that data is used, and that they can stop allowing companies to use their data. It also requires companies not to "install hidden functionalities" that users are unaware of inside products.

But it's really the last two items that everyone knows are the key here, and where China is really trying to flex its power. They're both worded somewhat innocuously, such that they might sound fine after a quick read, but it's the details that concern people.

Guarantee the security of user information. To employ effective measures to guarantee that any user information that is collected or processed isn't illegally altered, leaked, or used; to not transfer, store or process any sensitive user information collected within the China market outside China's borders without express permission of the user or approval from relevant authorities.

Accept the supervision of all parts of society. To promise to accept supervision from all parts of society, to cooperate with third-party institutions for assessment and verification that products are secure and controllable and that user information is protected etc. to prove actual compliance with these commitments.

The first one is a big concern because it's saying all data has to be kept within China. While it's likely that some companies would want to keep data within China, there are also good reasons to keep the data elsewhere -- including to protect users from the prying eyes of the Chinese government. And, of course, many other countries have been pushing for these kinds of "localization" requirements that actually take away many of the advantages of a global internet.

The second point above is the really concerning one, and all of the concern is focused on the single word: "controllable." Many are taking this to mean you're agreeing to backdoor encryption for the Chinese government. In the past few months, China has been much more aggressive in pushing for backdoors to encryption, and this is the next step in that process.

This is why it's actually more important than ever for the Obama administration to stop twiddling its thumbs over the issue of backdoors, and to come out with a clear and strong position that it is absolutely against backdoors, because that harms the public and puts them at risk. Anything less than that will clearly give the Chinese extra cover in pushing US tech companies to give them backdoors.

Either way, how American tech companies deal with China over the next few years is going to be an increasingly important issue, and so far, it seems like China has the upper hand, while the US is still struggling to come up with a coherent policy.

Filed Under: china, encryption, markets, privacy, tech companies

Having Lost The Debate On Backdooring Encryption, Intelligence Community Plans To Wait Until Next Terrorist Attack

from the this-is-ridiculous dept

We already wrote about the Obama administration considering its options on how to handle the whole "going dark" debate concerning backdooring encryption. The key point in all of that is that there is no chance in hell that backdoors will be mandated by law. The administration recgonizes that's a lost cause. However, within the Washington Post's article that revealed this, there was also a somewhat disturbing argument from the losing side of this battle. The intelligence community seems to be gleefully awaiting the next terrorist event, knowing that it can then reintroduce its push for backdoors:

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

In other words, Litt admits that his side has lost this battle, but he doesn't want the administration to come out totally against legislation, because, you know, if there's an attack, then maybe the idiots in the public will finally accept the intelligence community shoving backdoors down their throat. After all, such a plan worked out pretty well with the PATRIOT Act, which took a bunch of bad and rejected ideas and rushed them into law. In fact, it's almost amazing that the law enforcement community didn't get backdooring encryption into the PATRIOT Act back in 2001 in the first place...

Either way, given this, it really looks like Litt is hoping for another attack to get through, just so he can better spy on people. Why are these people in positions of power again?

Filed Under: backdoors, encryption, going dark, mandates, nsa, robert litt, surveillance, white house

White House Realizes Mandating Backdoors To Encryption Isn't Going To Happen

from the option-1-please dept

Over the last few months, I've heard rumblings and conversations from multiple people within the Obama administration suggesting that they don't support the FBI's crazy push to back door all encryption. From Congress, I heard that there was nowhere near enough support for any sort of legislative backdoor mandate. Both were good things to hear, but I worried that I was still only hearing from one side, so that there could still be serious efforts saying the opposite as well. However, the Washington Post has been leaked quite a document that outlines three options that the Obama administration can take in response to the whole "going dark" question. And the good news? None of them involve mandating encryption. Basically, the key message in this document is that no one believes legislation is a realistic option right now (more on that in another post coming shortly).

That's big!

The document's three options can be summarized as follows:

1. Option 1: Do the right thing, admit that backdooring encryption is a bad idea and dumb, and stand up for real cybersecurity by saying that more encryption is generally good for society. This will make lots of people happy -- including civil liberties folks and the tech industry, and it will also do more to protect the public. It will also help the most with many foreign countries in showing that the US isn't just trying to spy on everyone -- though it may piss off a few countries (mainly the UK) who have doubled down on backdooring encryption. Also, it will undermine China's plan to backdoor encryption as well. Let's call this the right option.
2. Option 2: Yeah, we know what the right thing to do is, but we'll take a half-assed approach to it to try to appease the FBI/law enforcement folks and not come out nearly as strongly against legislation. We'll say there's no legislation, but we'll at least leave the door open to it. In private, we may still push tech companies to backdoor stuff. This will anger lots of folks, but maybe (the administration believes) some civil liberties types will think it's enough of a win to celebrate. Then we pretend that we can hold some sort of "discussion" between people who disagree.
3. Option 3: We totally punt on the issue and don't really say anything. If we do say something, we say that this issue needs a lot more discussion and study (just like people have been saying for the last year). In other words, endless cryptowars with no end in sight.

Clearly, Option 1 is the only sensible option, and the report lays out some pretty strong arguments for why coming out against backdooring encryption would be good. It would actually make the tech industry much more willing to work with the government in productive ways, rather than stupid, privacy and security-destroying ways. It would actually better protect the public and it would stop authoritarian regimes from using our own language against us to break encryption. The cons are basically that law enforcement might whine about it. Well, the administration actually says that it "provides no immediate solution to the challenges that the expanding use of encryption poses to law enforcement and national security" but given that law enforcement still hasn't done a good job showing this is a real problem, that's not really a big deal.

In fact, law enforcement is still relying on made up ghost stories rather than any real evidence that encryption is a problem.

So, now the big question is which option the administration will choose. Will it stand up and take leadership on this issue (Option 1), thereby actually protecting Americans? Or will it do a variety of half-assed measures believing that it has to support "both sides" or some crap like that? From the leaked report, it appears that if it chooses either Option 1 or 2, the White House will make a public statement on the matter within the next few weeks.

Filed Under: backdoors, cybersecurity, encryption, going dark, james comey, obama administration, white house

Apple Refused Court Order To Decrypt iMessages For DOJ; DOJ Debates What To Do

from the warning-shot dept

For many months now, there's been a war of words over the whole "going dark" issue, with the two loudest participants being the DOJ demanding backdoors to encryption, and Apple standing up and speaking out loudly about the importance of encryption. Sooner or later you knew the two would meet in a legal situation -- and now it's happened, with Apple clearly winning round one. The NY Times is reporting that the DOJ obtained a court order earlier this summer, demanding that Apple hand over decrypted iMessage messages (in real time) for an investigation. Apple, apparently, told the DOJ that those messages are encrypted, and it has no way to comply with the order. This is exactly the scenario that everyone's been chattering about for the past year. And apparently, people inside the DOJ are debating what to do about it:

The case, coming after several others in which similar requests were rebuffed, prompted some senior Justice Department and F.B.I. officials to advocate taking Apple to court, several current and former law enforcement officials said.

However, the article notes that any plans to take Apple to court have "been shelved for now." The rest of the article focuses on a somewhat related situation that we've discussed in the past, involving Microsoft refusing to comply with a DOJ subpoena to hand over emails that are stored on an Irish server. The issue in that case is not about encryption, so much as jurisdiction and the differences between a warrant and a subpoena. That case heads back to court this week. However, the issue about encryption and demands to decrypt communications or stored data will continue for quite some time.

The article notes that Apple did turn over some information, which the DOJ took as a sign of good faith:

In the drug and gun investigation this summer, Apple eventually turned over some stored iCloud messages. While they were not the real-time texts the government most wanted, officials said they saw it as a sign of cooperation.

Of course, the major difference here is that the iMessages are encrypted end-to-end, while data stored in iCloud is not, meaning that Apple actually has access to that content. Many have pointed out that in most cases, the important information that the DOJ will want is probably backed up in iCloud anyway, so perhaps that keeps the DOJ from actually going after Apple for the time being. But, still, it is noteworthy that a clash has already happened. Sooner or later, assuming Apple doesn't give in to the backdoor demands, the DOJ is likely to take someone to court over this... Perhaps it's just waiting for a company with pockets not quite as deep as Apple's.

Filed Under: doj, encryption, fbi, going dark, imessages
Companies: apple, microsoft

FTC Commissioner Says The Public Needs Strong Encryption, Not Backdoors

from the good-move dept

It would appear that the FTC is quickly emerging as the counterforce to the FBI/NSA's push to backdoor encryption. We recently wrote about how the FTC's CTO, Ashkan Soltani, put up a blog post extolling the virtues of full disk encryption for devices, noting that it can even help to prevent or solve crimes (contrary to the scare stories you hear from the FBI and other law enforcement officials). And now, pretty quickly after that, FTC Commissioner Terrell McSweeny, has written a post for the Huffington Post arguing in favor of strong encryption as well. After discussing the range of threats, as well as the rise of personal data being collected by services, she notes that strong encryption is now being used to better protect consumers:

Encouragingly, many companies are taking meaningful steps to improve their security practices including greater use of encryption technology for data in transit and at rest, whether it be stored in the cloud or on devices. Encryption has helped protect the information of millions of consumers -- for example, protecting credit card information when a merchant is breached or protecting passwords when a popular website is hacked. The impact of major breaches may also be reduced the more that users' data and communications are encrypted end-to-end.

Moreover, there are more products on the market providing consumers with better security and privacy tools -- including encryption as the default for information stored on smartphones, apps that use end-to-end encryption, and services that encrypt data on devices and then back them up in the cloud. Competition in the marketplace of security and privacy technology holds considerable promise for consumers.

She also discusses how any attempt to backdoor encryption could create serious harm for future innovation and our economy:

This debate, sometimes called the crypto wars, is hardly new -- it has been going on in some form or another for decades. But what is changing is the extent to which we are using connected technology in every facet of our daily lives. If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.

It's great to see the FTC coming out so publicly on this issue. I hope that others in other parts of the government will do the same as well. Unfortunately, thanks to the overly vocal FBI and NSA, many believe that the entire federal government believes that we should backdoor encryption, and that sets up a very unfortunate "us v. them" attitude between technologists and the government. Instead, it's clear that many, many people in government support strong encryption and are against backdoors. It's good to see more of them speaking up and making their voices heard.

Filed Under: encryption, fbi, ftc, going dark, james comey, mobile encryption, nsa, security, terrell mcsweeny

Vice News Employees Charged With Terrorism In Turkey... Because They Used Encryption

from the insanity-rules dept

If you thought US law enforcement's freakout about "going dark" due to encryption was insane, leave it to Turkey to take the insanity to new levels. Two journalists and a "fixer" working for Vice News in Turkey were arrested and charged with "engaging in terrorist activity" because they used the same encryption tools that ISIS uses. Really.

Three staff members from Vice News were charged with "engaging in terrorist activity" because one of the men was using an encryption system on his personal computer which is often used by the Islamic State of Iraq and the Levant (ISIL), a senior press official in the Turkish government has told Al Jazeera.

[....]

The Turkish official, who spoke on condition of anonymity, told Al Jazeera: "The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications."

In the article, some point out that this may really just be about scaring journalists away from the area, though it may also serve a double purpose of scaring more people away from using encryption. Just the idea that using encryption is seen as "suspicious" is already ridiculous, but to be charged with terrorism solely because you encrypt your messages is utter insanity.

Filed Under: encryption, isis, journalism, reporting, terrorism, turkey
Companies: vice