Manhattan District Attorney Ratchets Up The 'Going Dark' FUD; Leaves Out Its Connection To Shady Hacking Team

from the because-those-little-details-aren't-important dept

After the FBI's James Comey, it seems that the biggest proponent of backdooring encryption for law enforcement has been Manhattan District Attorney Cyrus Vance, who has now penned a ridiculous fear-mongering opinion piece for the NY Times (along with City of London Police Commissioner Adrian Leppard, Paris Chief Prosecutor Francois Molins and Spanish chief prosecutor Javier Zaragoza). Vance has been whining about encryption for a while. And Leppard, you may recall, is the guy who recently claimed "the tor" is 90% of the internet and a "risk to society." He's not exactly credible on technology or encryption issues. But, still... he gets to team up on a NYT op-ed about encryption.

While Comey has been struggling to find a dead child to use as the literal poster child of his campaign to weaken encryption, these prosecutors are now parading out a few stories, starting with a murder in Evanston, Illinois (note: not anywhere near Manhattan, Paris, London or Madrid):

In June, a father of six was shot dead on a Monday afternoon in Evanston, Ill., a suburb 10 miles north of Chicago. The Evanston police believe that the victim, Ray C. Owens, had also been robbed. There were no witnesses to his killing, and no surveillance footage either.

With a killer on the loose and few leads at their disposal, investigators in Cook County, which includes Evanston, were encouraged when they found two smartphones alongside the body of the deceased: an iPhone 6 running on Apple’s iOS 8 operating system, and a Samsung Galaxy S6 Edge running on Google’s Android operating system. Both devices were passcode protected.

An Illinois state judge issued a warrant ordering Apple and Google to unlock the phones and share with authorities any data therein that could potentially solve the murder. Apple and Google replied, in essence, that they could not — because they did not know the user’s passcode.

The homicide remains unsolved. The killer remains at large.

Cool story. Totally bogus, but cool story. There are all sorts of problems with it starting with the fact that, as of last check Samsung is not requiring encryption by default, because of performance issues. Thus, if it's true that the phone was encrypted, that's not an issue with Google/Android, but the user setting up something himself -- something that anyone has been able to do for ages and has nothing to do with recent moves by Google (and it's not even entirely clear from the description by Vance if the phones were actually encrypted or just had a passcode/lockscreen).

More importantly, the idea that this is why the murder "remains unsolved" and "the killer remains at large" is ridiculous. It's not even clear why the smartphones are all that relevant in this case. But nothing in having a passcode on the phones would stop police from figuring out the phone numbers, contacting service providers for information or issuing perfectly working warrants for communications data (remember, the only issue with encryption would be stored data at rest on the phone). Indeed, the Evanston police did obtain call records related to the phone, but they didn't help the investigation. In fact, the Commander of the Evanston Police Department told The Intercept that while accessing the phones might provide some useful clues he's not sure if it would actually help solve the case -- just as the call records did not.

In other words, this is nothing but blatant factually challenged fear mongering.

And it goes on:

Between October and June, 74 iPhones running the iOS 8 operating system could not be accessed by investigators for the Manhattan district attorney’s office — despite judicial warrants to search the devices. The investigations that were disrupted include the attempted murder of three individuals, the repeated sexual abuse of a child, a continuing sex trafficking ring and numerous assaults and robberies.

This is the first time anyone has actually given numbers of the times law enforcement was "stymied," but notice that none of these cases, including the "attempted murder of three individuals, the repeated sexual abuse of a child or the continuing sex trafficking ring" were described in any more detail to explain how the encrypted phones were the real problem (again: remember there is nothing stopping the police from getting other data, including communications data or any of the data backed up in the cloud, as most data on iPhones is).

Oh, and then there's this: As Kade Crockford highlights, Muckrock recently noted that the leaked emails from the Hacking Team showed that the Manhattan DA's office was a potential client of the Hacking Team, meaning that it would have had access to plenty of tools on hand to break into phones -- even those that make use of encryption.

As recently as this past May, Hacking Team and an assistant district attorney with the Manhattan District Attorney’s Office emailed back and forth about a potential software “solution.” Hacking Team sales staff fielded questions about jailbreaking iPhones remotely, and discussed among themselves about how high a price to quote.

Hacking Team hosted a spyware demo in September 2013 for Manhattan district attorney staff, and again in February 2015. When the assistant DA requested a price estimate, a Hacking Team operations manager suggested a starting ask of $3 million.

"If it's totally out of budget, we can come up with a special 'deal' for them and the usual accommodations," wrote Hacking Team’s Daniele Milan on an internal email thread about discussions with the DA.

The DA’s office confirmed that it has met with Hacking Team to review their products.

"In order to keep pace with rapid developments in the private sector, we invite groups to demo various emerging technologies," wrote Joan Vollero, Manhattan DA spokeswoman, in an emailed statement.

The Vance op-ed also completely misrepresents things, arguing that because some criminals falsely believe that everything is now encrypted, it means they are:

Criminal defendants have caught on. Recently, a suspect in a Manhattan felony, speaking on a recorded jailhouse call, noted that “Apple and Google came out with these softwares” that the police cannot easily unlock.

Except, Google and Apple have long offered the software, and (again) it's not yet default on Android phones and it only protects stored data on the phones -- while most people will likely (falsely) assume that it also protects communications data or backed up data.

The op-ed also ignores the valid reasons for protecting your own privacy, or what happens when malicious actors use backdoors to get into your data. Or how foreign states, such as China and Russia will also demand backdoors. Instead, it pretends the only criticism of backdoors is because of worries about government surveillance. This is wrong. The article falsely argues that full disk encryption only provides "marginal" benefits to users, and shouldn't be allowed because what prosecutors want to do is different than the NSA's mass surveillance efforts. Once again, this misstates the reasons for full-disk encryption and completely ignores the dangers of backdoors.

We had hoped the ridiculousness over the whole "going dark" hysteria would start to die down by now, but apparently that was being optimistic. One wonders if Cyrus Vance, Francois Molins, Adrian Leppard and Javier Zaragoza also bemoan the act that criminals can speak to each other in person and no warrant will ever reveal what they said.

Filed Under: adrian leppard, cyrus vance, encryption, fud, going dark, mobile encryption

City Of London Police Issue Vague, Idiotic Warning To Registrars That They're Engaged In Criminal Behavior Because It Says So

from the say-what? dept

This was mentioned briefly in our recent post about EasyDNS changing how it deals with online pharmacies, but it's still dealing with bizarre requests from the City of London Police. As we've been detailing, the City of London Police seem to think that (1) their job is to protect the business model of the legacy entertainment industry and (2) that they can do this globally, despite actually just representing one-square mile and (3) that they can do this entirely based on their own say so, rather than any actual court ruling. It started last year when the City of London Police started ordering registrars to transfer domains to the police based entirely on their say so, rather than any sort of due process/trial that found the sites guilty of violating a law. The police wanted the domains to point to sites that the legacy entertainment industry approved of, which makes you wonder why the police are working on behalf of one particular industry and acting as an ad campaign for them.

Speaking of advertising, the City of London Police's more recent tactic is inserting ridiculous and misleading banner ads on websites based on a secret blacklist that has no oversight and no due process or way to appeal. Such lists often include perfectly legitimate sites. But, I'm sure we can trust the City of London Police to get this right, given that the guy in charge of the City of London Police's Intellectual Property Crime Unit (PIPCU), Adrian Leppard, believes that "the Tor" is 90% of the internet and that "Bitnet" is a "huge risk and threat to our society."

The latest move, as detailed in a post by Mark Jeftovic from EasyDNS, is sending registrars like EasyDNS a "notice of criminality" that doesn't directly tell the company to do anything, other than to think long and hard about who they do business with.

Classification: NOT PROTECTIVELY MARKED
Dear Sir or Madam,

Notice of Criminality

[domain name redacted by easyDNS]

EASYDNS TECHNOLOGIES, INC.

Receipt of this email serves as notice that the aforementioned domain, managed by EASYDNS TECHNOLOGIES, INC. 28/03/2014 is being used to facilitate criminal activity, including offences under:

Fraud Act 2006
Copyright, Designs and Patents Act 1988
Serious Crime Act 2007

We respectfully request that EASYDNS TECHNOLOGIES, INC. give consideration to your ongoing business relationship with the owners/purchasers of the domain to avoid any future accusations of knowingly facilitating the movement of criminal funds.

Should you require any clarification please do not hesitate to make contact.

Kind regards,

PIPCU Anti-Piracy | Operations | Police Intellectual Property Crime Unit | PIPCUantipiracy@cityoflondon.police.uk<PIPCUantipiracy@cityoflondon.police.uk > | Address: City of London Police Economic Crime Directorate, 21 New Street, London, EC2M 4TP | ü www.cityoflondon.police.uk<http://www.cityoflondon.police.uk/>

As Jeftovic notes, the implication here is pretty clear. The City of London Police wants to "build a case" that EasyDNS is somehow responsible for aiding and abetting criminal activity.

Once again, we are being asked to do (something, we're actually not sure what this time) based entirely on an allegation which has never been tested in a court of law and has been afforded absolutely zero "due process". (The domain in question is a search engine that hosts no content).

[....]

We think this time the intent is not to actually get the domain name taken down, but rather to build some sort of "case" (I won't call it legal, perhaps the better word would be "kafka-esque") that we, easyDNS by mere "Receipt of this email" are now knowingly allowing domains under management to be "used to facilitate criminal activity".

Thus, if we don't takedown the domains PIPCU want us to, when they want us to, then we may face accusations in the future (in their own words) "of knowingly facilitating the movement of criminal funds."

Which of course, we don't know at all because there has never even been a court case anywhere to test the PIPCU allegations. I know I never went to law school or anything, but in my mind, until that happens, that is all they are – allegations.

And, of course, it's tough to see how the City of London Police have any jurisdiction at all over EasyDNS, a Canadian company. Jeftovic goes on to wonder if the City of London Police are actually defaming the websites they accuse in these notices. Of course, the problem is that these sites tend to be small and powerless. As we've seen with sites like Dajaz1 and Rojadirecta, even after they were taken down and businesses were destroyed for over a year before the Justice Department in the US simply dropped the cases and handed back the domain names, there was little those sites could do in response. Sure, they could have filed a lawsuit, but lawsuits are expensive, and a lawsuit for a tiny struggling website against the US government? That's just not likely to get anywhere productive.

What's extra troubling is how this tactic of targeting registrars for non-judicial censorship like this is becoming increasingly common -- and it's happening in countries like the US and the UK which claim to support basic principles of due process and are (supposedly) against prior restraint. When it comes to the City of London Police, they seem to be operating without any sort of controls or oversight, just making it up as they go along. Unfortunately, because they're "the police," it doesn't seem likely that anyone will get them to cut out this censorious and harassing activity.

Filed Under: adrian leppard, city of london police, copyright, facilitation, jurisdiction, notice of criminality, pipcu, registrars
Companies: easydns

City Of London Police Claim That 'The Tor' Is 90% Of The Internet, And Is A Risk To Society

from the say-what-now? dept

We've written a bunch about the City of London Police* and their extrajudicial campaign against "piracy" by trying to scare web hosting and domain registrar firms into taking down websites based on nothing more than the City of London Police's say so. However, Adrian Leppard, the guy in charge of the City of London Police's Intellectual Property Crime Unit (funded both by taxpayers and legacy entertainment companies) spoke at an IP Enforcement Summit in London and his comments, relayed by Torrentfreak, should raise questions about whether or not this is the right person to have anything to do with stopping "crime" on the internet:

“Whether it’s Bitnet, The Tor – which is 90% of the Internet – peer-to-peer sharing, or the streaming capability worldwide. At what point does civil society say that as well as the benefits that brings, this enables huge risk and threat to our society that we need to take action against?”

Yeah, try to parse that one. Beyond not being true, it's almost entirely nonsensical. And this guy is ordering websites completely shut down based on nothing more than his say so?

This sounds kind of like the idiotic debates that were had a decade or so ago, when clueless folks from the entertainment industry were first getting online.

"The Internet pushes through every border control legislation we have and it is carrying a huge amount of harm to our society, as well as offering creative opportunity for business. At some point there has to be a debate and a challenge about the harm the Internet brings."

Yeah, that debate happened long ago, and people realized (1) the claims of harm are completely overblown by folks like yourself and (2) the benefits are massive. Debate closed.

But, really, what Leppard is doing is trying to declare war on the internet, because it's upset the business model of a few businesses that are funding this effort (which would suggest a less-than-unbiased view of the issue):

"The new legislation that’s necessary is not just about prosecuting people and protecting people, we’ve got to think about some of the enabling functions that allow this to happen that we just take for granted."

"Enabling functions"? He's talking about regulating the internet to add deeper layers of secondary liability, thereby effectively destroying one of the most important ingredients to the internet's success. All because his friends in the obsolete legacy parts of the entertainment industry haven't figured out how to adapt.

It would appear that the City of London Police are the legacy entertainment industry's dream law enforcement group: completely clueless about technology and innovation, and not all that concerned about basic legal concepts like due process and protections against third party liability. That lets them rampage through the internet like bullies trying to shut down anything their friends in the industry don't like, oblivious to any collateral damage it might cause. That's a very dangerous tool, and it's going to cause serious problems before too long.

* I don't know what it is about the City of London Police that always seems to make people want to clarify stuff in the comments, but just to cut all this off: (1) Yes, I know that the City of London Police covers just "the City of London" which is about a 1-square mile area within London, rather than the wider London police force and (2) I also know that many of the big banks and big London businesses are in City of London, so the City of London Police have some amount of powerful connections with businesses. There is no reason to clarify any of that in the comments. We know already.

Filed Under: adrian leppard, city of london, city of london police, copyright, enforcement, infringement, secondary liability, tor