Documents Shows Just How Much The FBI Can Obtain From Encrypted Communication Services

from the plenty-of-data-but-content-not-so-much dept

There is no "going dark." Consecutive FBI heads may insist there is, but a document created by their own agency contradicts their dire claims that end-to-end encryption lets the criminals and terrorists win.

Andy Kroll has the document and the details for Rolling Stone:

[I]n a previously unreported FBI document obtained by Rolling Stone, the bureau claims that it’s particularly easy to harvest data from Facebook’s WhatsApp and Apple’s iMessage services, as long as the FBI has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.

The document [PDF] shows what can be obtained from which messaging service, with the FBI noting WhatsApp has plenty of information investigators can obtain, including almost real time collection of communications metadata.

WhatsApp will produce certain user metadata, though not actual message content, every 15 minutes in response to a pen register, the FBI says. The FBI guide explains that most messaging services do not or cannot do this and instead provide data with a lag and not in anything close to real time: “Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.”

The FBI can obtain this info with a pen register order -- the legal request used for years to obtain ongoing call data on targeted numbers, including numbers called and length of conversations. With a warrant, the FBI can get even more information. A surprising amount, actually. According to the document, WhatsApp turns over address book contacts for targeted users as well as other WhatsApp users who happen to have the targeted person in their address books.

Combine this form of contact chaining with a few pen register orders, and the FBI can basically eavesdrop on hundreds of conversations in near-real time. The caveat, of course, is that the FBI has no access to the content of the conversations. That remains locked up by WhatsApp's encryption. Communications remain "warrant-proof," to use a phrase bandied about by FBI directors. But is it really?

If investigators are able to access the contents of a phone (by seizing the phone or receiving permission from someone to view their end of conversations), encryption is no longer a problem. That's one way to get past the going darkness. Then there's stuff stored in the cloud, which can give law enforcement access to communications despite the presence of end-to-end encryption. Backups of messages might not be encrypted and -- as the document points out -- a warrant will put those in the hands of law enforcement.

If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.

This is a feature of cloud backups -- a way to retrieve messages if something goes wrong with someone's phone or their WhatsApp account. It's also a bug that makes encryption irrelevant. The same goes for Apple's iMessage service. Encryption or no, backups are not encrypted by service providers. In the case of Apple's iMessage, warrants for iCloud backups will give law enforcement the encryption key needed to decrypt the stashed messages.

On the other side, there are truly secure options that the FBI considers dead ends, starting with Signal. Signal retains no user info, which means there's nothing to be had no matter what paperwork the feds produce. But, for the most part, even encrypted messaging and email services generate metadata that can be obtained without a warrant. If investigators want more, warrants can actually result in investigators obtaining a great deal of information about users, their interactions, and their communications. And, as is noted directly above, it can also grant access to communications users mistakenly believed were beyond the reach of law enforcement.

But not everyone using encrypted services is a criminal, no matter what FBI directors say in public. Communications metadata being only a subpoena or pen register order away is concerning, especially for those who use encrypted services not only to maintain their own privacy, but to protect those they communicate with.

“WhatsApp offering all of this information is devastating to a reporter communicating with a confidential source,” says Daniel Kahn Gillmor, a senior staff technologist at the ACLU.

Those who truly understand the protocols and platforms they use for communications will understand the tradeoffs. For everyone else, there's this handy tip sheet, compiled by none other than the FBI, which explains exactly what each service retains and what each service will hand over in response to government paperwork.

It also shows that encryption isn't keeping law enforcement from pursuing investigations. In rare cases, investigators may have zero access to communications. But every communications platform or service creates a digital paper trail investigators can follow until they find something that breaks the case open. "Going dark" -- the idea that law enforcement is helpless in the face of increased use of encryption -- is a lie. And the FBI knows it.

Filed Under: 4th amendment, encryption, fbi, going dark, lawful access, subpoena, warrant
Companies: apple, facebook, meta, whatsapp

German Court Orders Encrypted Email Service Tutanota To Backdoor One Account

from the end-to-end-crypto-is-still-your-friend dept

A legal requirement to add backdoors to encrypted systems for "lawful access" has been discussed for many years. Last month, the EU became the latest to insist that tech companies should just nerd harder to reconcile the contradictory demands of access and security. That's still just a proposal, albeit a dangerous one, since it comes from the EU Council of Ministers, one of the region's more powerful bodies. However, a court in Germany has decided it doesn't need to wait for EU legislation, and has ordered the encrypted Web-email company Tutanota to insert a backdoor into its service (original in German). The order, from a court in Cologne, is surprising, because it contradicts an earlier decision by the court in Hanover, capital of the German state of Lower Saxony, and Tutanota's home town. The Hanover court based its ruling on a judgment by the Court of Justice of the European Union (CJEU), the EU's highest court. In 2019, the CJEU said that:

a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an 'electronic communications service'

Despite this, in the Tutanota case the Cologne court applied a German law for telecoms. Tutanota's co-founder Matthias Pfau explained to TechCrunch:

"The argumentation is as follows: Although we are no longer a provider of telecommunications services, we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection," he told TechCrunch.

"From our point of view -- and law German law experts agree with us -- this is absurd. Neither does the court state what telecommunications service we are involved in nor do they name the actual provider of the telecommunications service."

Given that ridiculous logic, it's no surprise that Tutanota will be appealing to Germany's Federal Court of Justice. But in the meantime the company must comply with the court order by developing a special surveillance capability. Importantly, it only concerns one account -- allegedly involved in an extortion attempt -- that seems to be no longer in use. Moreover, as the TechCrunch article explains, the monitoring function will apply to future emails that the account receives. And even then, it will only deliver any unencrypted emails that are present, because Tutanota is not able to decrypt users' emails that apply end-to-end encryption, which is entirely under the user's control, not Tutanota's.

That means the practical effect of this court order is extremely limited: to future unencrypted emails of just one quiescent account. But independently of its real-life usefulness, this order sets a terrible precedent of a court ordering an Internet company to insert what amounts to a backdoor in an account. That's why it is vital that Tutanota's appeal prevails -- for both the company, and for the EU Internet as a whole.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: backdoors, email, encrypted email, encryption, eu, germany, lawful access
Companies: tutanota

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Nerd Harder To Backdoor Encryption

from the that's-now-how-any-of-this-works dept

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that's not how they put it. They say they just want "lawful access" to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new "Draft Council Resolution on Encryption" has come out as the EU Council of Ministers continues to drift dangerously towards this ridiculous position.

We've seen documents like this before. It starts out with a preamble insisting that they're not really trying to undermine encryption, even though they absolutely are.

The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline.

Uh huh. That's basically we fully support you having privacy in your own home, except when we need to spy on you at a moment's notice. It's not so comforting when put that way, but it's what they're saying. Then there's a lot of nonsense about how encryption is creating a "challenge" for public safety, even though there is no evidence at all to support this claim. The reality is that law enforcement has access to more data and more tools than ever before in history. That one small fragment of it might sometimes be encrypted, is not an issue. And it's certainly not an issue that requires the wholesale destruction of end-to-end encryption. But, of course, that's not where the EU is coming out on this.

Instead, it concludes with the inevitable "nerd harder" bullshit argument without ever explaining how this can be done (answer: because it cannot be done safely).

Moving forward, the European Union strives to establish an active discussion with the technology industry, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.

Since there is no single way of achieving the set goals, governments, industry, research and academia need to work together to strategically create this balance.

This is the same old garbage we've seen before. Technologically illiterate bureaucrats who have no clue at all, insisting that if they just "work together" with the tech industry, some magic golden key will be found. This is not how any of this works. Introducing a backdoor into encryption is introducing a massive, dangerous vulnerability that basically takes the secure walls of a house and rams a giant tank through the side. It's not adding a special key for law enforcement. It's breaking the very foundation of how end-to-end encryption works, and introducing a wide variety of shaky dangerous elements that they insist will never get exploited. But, with encryption, any vulnerability inevitably gets exploited.

Attacking end-to-end encryption in order to deal with the miniscule number of situations where law enforcement is stymied by encryption would, in actuality, put everyone at massive risk of having their data accessed by malicious parties. It's incredibly clueless and incredibly shortsighted.

And it's absolutely stunning that it's coming from the EU. After all, we keep hearing how the EU believes in "privacy" and "data protection" much more than the US. We hear stories about the lessons learned from World War II about how governments can abuse access to the private information on citizens. Indeed, the EU courts recently blew up the EU/US "Privacy Shield" agreement regarding transferring data from the EU to the US because of NSA surveillance efforts that cannot guarantee EU data remains protected.

And then they turn around and want to destroy encryption? Incredible.

At this point, this is nothing more than a draft policy paper from the Council. A lot more needs to happen before this becomes anything resembling a law in the EU. But just the fact that this continues to lurch forward, pushed by ridiculously ignorant bureaucrats is hugely problematic. People in the EU need to speak up loudly about what a mess this is.

Filed Under: backdoors, encryption, end-to-end encryption, eu, eu council, lawful access

EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption

from the security-through-encryption-and-security-despite-encryption dept

A few months ago, Techdirt wrote about a terrible bill in the US that would effectively destroy privacy and security on the Internet by undermining encryption. Sadly, that's nothing new: the authorities have been whining about things "going dark" for years now. Moreover, this latest proposal is not just some US development. In an official document obtained by Statewatch (pdf), the current German Presidency of the Council of the European Union (one of the key organizations in the EU) has announced that it wants to move in the same direction (found via Netzpolitik). It aims to prepare:

an EU statement consolidating a common line on encryption at EU level in the area of internal security to support further developments and the dialogue with service providers. It should seek to find a proper balance between the protection of privacy, intellectual property protection and lawful law enforcement and judicial access, thereby stressing security through encryption as well as security despite encryption

In other words, the EU is still chasing the unicorn of "lawful access" to encrypted material without somehow breaking encryption. An accompanying unofficial "note" from the European Commission services lists some of what it calls "key considerations", but these are still chasing that unicorn without explaining how that can be done (pdf):

Technical solutions constituting a weakening or directly or indirectly banning of encryption will not be supported.

Technical solutions to access encrypted information should be used only where necessary, i.e. where they are effective and where other, less intrusive measures are not available. They must be proportionate, used in a targeted and in the least intrusive way.

Slightly more detail about the options is found in another unofficial note exploring "Technical solutions to detect child sexual abuse in end-to-end encrypted communications" (pdf). Most of the solutions involve installing detection tools on the user's device. That can be circumvented by using devices without the detection software, or using a service that does not install them. Perhaps the most interesting technical approach involves on-device homomorphic encryption with server-side hashing and matching:

In this solution, images are encrypted using a carefully chosen partially homomorphic encryption scheme (this enables an encrypted version of the hash to be computed from the encrypted image). The encrypted images are sent to the [online service provider] server for hashing and matching against an encrypted version of the hash list (the server does not have the homomorphic encryption keys).

But this only works for services that implement such a scheme, and it only applies to existing images, not general messages or even videos. Moreover, the technology to implement such an approach is still under development.

Essentially, the EU, like the US, is telling people to "nerd harder", and come up with a solution that allows lawful access, but does not break encryption. Since hard nerding for many decades has failed to produce a way of doing that, maybe it's time for the authorities to accept that it just can't be done. The good news is that doesn't matter. Techdirt has been explaining why for years: there are encryption workarounds that mean law enforcement and others can get what they need in other ways. Indeed, one of the EU papers mentioned above provides perhaps the best example of this approach (pdf):

The recent dismantling of the EncroChat network in a joint investigation coordinated by Eurojust and Europol shows the degree to which those involved in criminal activity utilise all available technology, such as crypto telephones, which go well beyond publicly available end-to-end encrypted services.

Although it cites the case of EncroChat -- a Europe-based encrypted mobile network widely used by organized crime there -- in an attempt to prove how serious the problem is, it actually does the opposite. As the detailed explanation of how EU police managed to hack into the network and place malware on handsets explains, breaking the encryption proved irrelevant, because the authorities found a workaround.

The EncroChat bust demonstrates something else that is generally overlooked. It is already clear that far from going dark, the authorities today have access to unprecedented quantities of useful information that can be used to track down suspects and prevent crimes. That's from things like social media and e-commerce sites. But as the EncroChat materials show, when criminals use closed, encrypted channels to communicate, they paradoxically open up, speaking freely about their past, present and future crimes, naming names, and giving detailed information about their activities. That means it's actually in the interest of the authorities to allow criminals and terrorists to use encrypted services. When workarounds are found, these hitherto secret channels provide greater quantities of high-quality intelligence than would ever be obtained if people knew their communications had backdoors and were therefore not safe.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: encryption, eu, going dark, law enforcement, lawful access

BlackBerry: We're Here To Kick Ass And Sell Out Users To Law Enforcement. And We're (Almost) All Out Of Users.

from the thank-you,-sir!-may-I-get-you-another?-and-another? dept

Back in mid-April, it was discovered that Canadian law enforcement (along with Dutch authorities) had the ability to intercept and decrypt BlackBerry messages. This level of access suggested the company had turned over its encryption key to the Royal Canadian Mounted Police. BlackBerry has only one encryption key for most customers -- which it maintains control of. Enterprise users, however, can set their own key, which cuts BlackBerry out of the loop completely.

BlackBerry CEO John Chen -- despite publicly criticizing Apple for locking law enforcement out of its phone with default encryption -- refused to provide specifics on this apparent breach of his customers' trust. Instead, he offered a non-denial denial, stating that BlackBerry stood by its "lawful access principles."

The matter was left unsettled… until now.

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals.

This unit, which cracks open BlackBerries for nearly anyone who comes asking, is very proud of its work.

One document obtained by CBC News reveals how the Waterloo, Ont.-based company handles requests for information and co-operates with foreign law enforcement and government agencies, in stark contrast with many other tech companies.

"We were helping law enforcement kick ass," said one of a number of sources who told CBC News that the company is swamped by requests that come directly from police in dozens of countries.

Go team! While these sources remain generally upbeat about throwing customer privacy and security to the wind, the official word from the company is less enthused. In fact, it's nonexistent.

In response to questions from CBC News, a BlackBerry spokesperson said it "will not address the questions given the extremely sensitive nature of this process."

This unadvertised service is apparently so popular BlackBerry has streamlined the process. It offers government agencies a list of boxes to check for what kind of information they'd like retrieved from a phone (including the ominously vague "other"), as well as the option to declare any request "exigent."

It also asks that the requesting party sign off on some boilerplate saying the request is legal in the requester's country and that it is not being done to "control, suppress or punish… political or religious opinion."

Of course, BlackBerry is not a government agency so it really can't do anything if someone "perjures" themselves by signing the form and moving directly towards suppression, punishment, etc. The best it can do is not allow that entity to make any more requests. I'm guessing this almost never happens because the quoted sources seem like a bunch of overly-cheery do-gooders. Policing the police would require BlackBerry to second-guess the government entities it seemingly can't wait to assist.

"Narco trafficking, human trafficking, money laundering, kidnapping, crime against children, knowing you are stopping those things … how do you not love doing something like that?" said the insider.

Yup. [Insert whatever the Canadian equivalent of "'Murica!" here.]

In its hurry to help supposed good guys track down alleged bad guys, the Canadian branch of BlackBerry's "full give" operations is skirting around statutes meant to protect locals from inappropriate demands made by foreign countries.

Christopher Parsons, a research associate at the University of Toronto's Citizen Lab, who has studied the privacy practices of tech companies, is worried by the secrecy of BlackBerry's process and its potential for abuse.

[...]

He said BlackBerry is allowing foreign police to bypass the Mutual Legal Assistance Treaty, a diplomatic agreement that allows Canadian officials to review requests from foreign police and consider whether they are legal under Canadian law.

But, as Parsons points out, law enforcement agencies are probably thrilled to have someone on the inside willing to violate treaties with the drop of pre-printed form. Adhering to MLAT may result in significant delays, whereas approaching BlackBerry directly sets its team of super-secret gofers in motion immediately.

Of course, the major downside here is that very few criminals are likely still using BlackBerries. Most of the company's customers are enterprise users and they have the ability to lock down their phones so tight not even BlackBerry can get into them. But for all the panicked talk about going dark, BlackBerry's special ops unit says it's still surprised at how many criminals are unaware the company is basically the local PD at this point.

The nails were already in the coffin for BlackBerry. Each new exposure of its highly-proactive law enforcement assistance is only going to hasten the dwindling of its user base.

Filed Under: blackberry, encryption, law enforcement, lawful access
Companies: blackberry

Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes

from the lawful-access-opens-a-door-that's-difficult-to-close dept

You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.

We keep hearing from people who think that just "giving law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.

Filed Under: backdoors, celebgate, celebrity nudes, hacking, icloud, law enforcement, lawful access, nudes
Companies: apple, elcomsoft

Another Victory For The Public Speaking Up: Canada Drops Digital Spying Bill (For Now)

from the a-good-step dept

A year ago, we had a series of posts concerning attempts in Canada to pass a "lawful access" bill, which is a nice way of saying "a bill to let Canadian law enforcement spy on your digital information." Politicians who supported this, like Public Safety Minister Vic Toews, kicked things off in the most ridiculous of ways, saying that anyone who was against such a bill supported child pornographers. In response, tons of Canadians spoke up, even creating a whole meme in which they revealed random info to Toews. And, of course, when people shared some of Toews' own info, he went ballistic.

Earlier this week, it was announced that the Canadian government has agreed not to move forward with the bill, claiming that they "listened" to the concerns of the public:

We will not be proceeding with Bill C-30 and any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30, including the warrantless mandatory disclosure of basic subscriber information or the requirement for telecommunications service providers to build intercept capability within their systems. We've listened to the concerns of Canadians who have been very clear on this and responding to that.

This is, undoubtedly, another big win for consumers speaking out when their government tries to put in place something ridiculous. As always, Michael Geist has an excellent analysis of what this all means, including that we should add this to the still small, but rapidly growing list of internet advocacy success stories. But, of course, as with any of these success stories, the story is not actually over. He notes that there are still problems and challenges concerning privacy of info:

Third, even with Bill C-30 dead, there is a problem with the current system of voluntary disclosure of customer information by ISPs. The lawful access debate placed the spotlight on the fact that ISPs disclose customer information tens of thousands of times every year without court oversight. The law permits these disclosures, but there are no reporting requirements or accountability mechanisms built into the process. Those are needed and the government should move swiftly to add this to the law, either within Bill C-12 (the PIPEDA reform bill) or Bill C-55, which was introduced yesterday.

Fourth, Bill C-30 may be dead, but lawful access surely is not.  On the same day the government put the bill out its misery, it introduced Bill C-55 on warrantless wiretapping. Although the bill is ostensibly a response to last year's R v. Tse decision from the Supreme Court of Canada, much of the bill is lifted directly from Bill C-30.  Moreover, there will be other ways to revive the more troublesome Internet surveillance provisions. Christopher Parsons points to lawful intercept requirements in the forthcoming spectrum auction, while many others have discussed Bill C-12, which includes provisions that encourage personal information disclosure without court oversight.  Of course, cynics might also point to the 2007 pledge from then-Public Safety Minister Stockwell Day to not introduce mandatory disclosure of personal information without a warrant. That position was dropped soon after Peter Van Loan took over the portfolio. 

This is a key point that many people keep trying to drive home. There have been a few very important internet advocacy success stories recently, but these fights don't end when a single bill is killed. Supporters of bad policies are playing the long game -- pushing for these changes in a variety of different places in a variety of different ways over a long period of time. Killing one part is absolutely a victory, but it still requires significant and continued vigilance.

Filed Under: canada, digital spying, lawful access, surveillance

How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists

from the not-as-simple-as-you-might-think dept

There's proposed legislation in the US (sponsored by Lamar Smith) and in Canada (sponsored by Vic Toews) and in the UK that uses various flimsy justifications for the mass collection of data on telecommunications users. The data covered by these proposals varies, but includes things like URLs, phone calls, text/instant/email messages, and other forms of communication. Some of this proposed legislation deals with communication metadata, e.g., sender, recipient, time, etc.; some of it deals with communication content, e.g., the full text of messages.

I'm going to gloss over the specifics for two reasons: first, they've been covered exhaustively elsewhere, and second, I think it's an absolute certainty that whatever these proposals contain, the next ones will contain more.

The putative reasons given for these proposals are the usual Four Horseman of the Infocalypse: terrorists, pedophiles, drug dealers, and money launderers. One would think, given the hysteria being whipped up by the proponents of these bills, that one could hardly walk down the street without being offered raw heroin by a grenade-throwing child pornographer carrying currency from 19 different countries.

Of course, everyone who's actually studied terrorists, pedophiles, drug dealers and money launderers in the context of telecommunications knows full well that nothing in these bills will actually help deal with them. The very bad people who are seriously into these pursuits are not stupid, and they're not naive: they use firewalls, encryption, and tunneling. They use strong operating systems and robust application software. They use rigorous procedures guided by a strong sense of self-preservation and appropriate paranoia. They're not very likely to be caught by any of the measures in these bills because they'll (a) read the text and (b) evade the enumerated measures.

Yes, there are occasional exceptions: every now and then, a clueless newbie or a careless dilettante turns up when they're caught. And of course when that happens, there's always a press conference announcing the event, and many claims that it's a "major blow against crime" and a flood of self-congratulatory press releases. But it doesn't mean anything, except that someone was either stupid...or careless...or was set up.

The unpleasant reality that these bills are trying to avoid is that catching very bad people requires diligence, patience, expertise and intelligence, aka "competent police work." There's no substitute and there are no shortcuts. This means that these bills will achieve very few of their stated goals; that is, the benefit to society from them will be minimal, if any.

But what about the cost?

I don't mean the financial cost, although that will be high -- much higher than those proposing such legislation are prepared to admit; I mean the cost to society as a whole.

If such legislation passes, then everyone will know that every ISP is building a database -- a highly useful database for very bad people. It's the sort of thing that some very bad people have been trying to construct for years, often at considerable expense and effort. How very nice of someone else to build it for them, saving them the cost and trouble -- because they, and/or their agents, will of course target it for acquisition. And given the parade of security breaches and dataloss incidents we see on a daily basis, it's certain they'll get it. (My bet is that they'll get it before it's even finished. Any takers?)

There's an old military saying -- a bit of inter-service trash talk: "The Air Force builds weapons; the Navy builds targets".

Politicians who propose such measures appear to be thinking that they're building a weapon -- a weapon that law enforcement agencies can use to pursue people who've committed, or are suspected of committing, crimes. But they're not. They're building a target. They're building the mother lode for stalkers, pedophiles, spammers, identity thieves, child pornographers, blackmailers, extortionists, and yes -- terrorists. A Techdirt story just a few days ago gave some rather creepy examples of what Target's data mining can do...and they're just trying to sell you stuff. Imagine what very bad people are capable of, given far richer data and the rather obvious inclination to break the law at will.

What's worse than building a target? Telling everyone you're building a target. What's worse than telling everyone you're building a target? Telling everyone where it is. What's worse than telling everyone where it is? Telling them what's in it. Yet that's exactly what these bills would do: force the construction of a target, inform everyone that it exists, where it is, and what's in it.

I'm sure that the very bad people these bills allegedly target are delighted. I'll bet they're having a hard time not expressing their enthusiastic support. But my guess is that most of them will heed Napoleon's sage advice: "Never interrupt your enemy when he is making a mistake."

I'm not the only one who's observed that these databases are targets, not weapons. So has Ontario Information and Privacy Commissioner Ann Cavoukian:

"This is going to be like the Fort Knox of information that the hackers and the real bad guys will want to go after. This is going to be a gold mine. [...] The government will say that they can protect the data, and they can encrypt it. Are you kidding me? The bad guys are always one step ahead."

But this is not the worst of it -- that is, the certainty that very bad people will find ways to acquire these databases and to correlate them with each other and with still more databases isn't the endgame.

Particularly talented intruders will not only get it, they'll monitor it in real time. How do you feel about someone knowing where you bank, that you've made three phone calls to stores today, and that you have a Visa card with the following number that you just used from a hotel room 300 miles from home? How do you feel about the web browsing of your teenage daughter being observed by someone who's also reading her instant messages and listening to her VOIP calls, and has the IP address she's using in her college dorm room?

And even this is STILL not the worst of it. Given the rampant Internet and computer illiteracy that we see every day out of law enforcement, private investigators, journalists, and others around the world -- such as the clueless people behind these bills -- it's only going to be a short time until "the logs say X" becomes semantically equivalent in the vernacular to "X is true". And it is at that point that some of the more talented very bad people won't just acquire this data: they'll modify it.

Filed Under: canada, data retention, lamar smith, lawful access, uk, us, vic toews

'Lawful Access' Rhetoric Rings Hollow When The Facts Are Wrong

from the muddled-analogies dept

Ever since our Public Safety Minister made the infamous claim that his opponents were standing "with the child pornographers", support for Canada's proposed "lawful access" legislation—which would force ISPs to turn customer information over to police without a warrant, and install network surveillance equipment—has been characterized by two things: sensationalism and a lack of clarity. This is hardly surprising in a debate that opened with accusations of supporting child porn (a seeming corollary of Godwin's Law) and nowhere is it better exemplified than Lorna Dueck's tragically confused column in Friday's Globe and Mail.

[Full disclosure: I work for one of the Globe's main competitors, but not in an editorial capacity.]

Dueck makes the bizarre claim that what should be a discussion about protecting children was "transformed" into a debate about privacy, as though there is no room to consider both. She then attempts to brush off all concerns about the bill, claiming it is akin to driving your car:

The car is your private property and you know how to use it, but some people keep making the road dangerous. You appreciate the radar gun or spot checks at the side of the road, and you take down a licence-plate number when a driver needs to be reported. It's a public service that keeps us safe. That's how police see access to your IP address – it will help them to identify lawbreakers.

The metaphor fits for why Bill C-30 is applauded by those on the front lines of child protection. Like using a radar gun, hackers employed by the police have developed software that catches images of child sexual exploitation. It's illegal images that are being tracked. Police will take that digital evidence to ask who's trading this, and that leads to an IP address – the licence plate of your car, if you will.

Unfortunately, Dueck has things backwards. C-30 is not about making IP addresses more accessible. Although the text of the bill does include them as one of the pieces of information that ISPs must hand over without a warrant, that is rarely, if ever, how online investigations proceed. Rather, police monitor networks to collect IP addresses that are exchanging child pornography, then investigate those addresses. In a way, IP addresses already do work like license plates (including the fact that they are not enough to positively identify an individual user/driver).

Currently, only a warrant can compel an ISP to hand over information, but they can also choose to cooperate with police. There are conflicting accounts as to how this plays out: supporters of the bill (including some police) claim that criminals are going uncaught thanks to the difficulty of obtaining warrants, while opponents, like Ontario's Privacy Commissioner, claim that ISPs already comply with the vast majority of warrantless requests when child pornography is involved. The truth is probably somewhere in the middle.

Bill C-30 would force ISPs to hand over customer information without the warrant. Amusingly, Dueck's car analogy could have been more appropriate if she used it correctly, since the police do not need a warrant to trace a license plate back to its owner. But even this misses the key point that vehicles are publicly licensed by the government, while ISPs are private companies offering a service to private citizens. It's well-established that there is no right to drive anonymously, but C-30 legislates the end of anonymity online, and sets a disturbing precedent against the right to privacy when using any form of communication. Should the police be able to obtain customer information from printing shops without a warrant, just because some people distribute obscene or libelous flyers? That is a far more analogous question, and one that underlines the fundamental concept of privacy that C-30 violates.

We all want to prevent the exploitation of children, but the proposed methods for doing so would have unintended consequences, and that conversation can't be hidden behind emotionally charged rhetoric. An urgent goal does not justify a reckless solution—nor a reckless column that confuses the facts. Dueck calls the conflict over C-30 a "sideshow" and hopes to "elevate the debate", but in fact all she has done is join one of the existing sides—those who let the emotional resonance of child pornography override their sobriety, and believe that laudable motives excuse them from examining their methods or even understanding the details of the problem.

Filed Under: canada, child porn, internet, lawful access, spying, surveillance, vic toews

Vic Toews Apparently Not A Fan Of Others Seeing His Personal Data

from the is-he-for-child-porn? dept

You may recall that Canadian Minister of Public Safety Vic Toews announced Canada's "lawful access" (read: government monitoring of the internet) bill by saying that if you weren't in favor of the bill, you supported child porn. Over the weekend, he also seemed to admit that he didn't even understand the bill he was supporting.

That was pretty ridiculous, and a Twitter meme was developed in which lots of people shared info with Toews about things that were going on in their lives. Of course, it was only a matter of time until someone did the opposite... and started revealing info about Toews. Indeed, late last week, a Twitter account calling itself Vikileaks showed up on the scene... leaking info about things like Toews' divorce. After that created a lot of press attention and controversy, the anonymous person behind the account shut it down. However, Brendan noted that for a while it appeared to be blocked in Canada, but not elsewhere. He provided a screenshot from Canada where it says no such account exists, as well as one via a proxy which shows the account. If the user deleted the account, it's possible that it was a caching issue...

Either way, it appears that Toews is not at all happy that his own personal info is being shared. There were some claims that the account holder was accessing the account from within the Canadian House of Commons (something the user denied), leading Toews to demand an investigation into who was behind the account. Of course, as the report notes, it may be difficult to impossible to get any useful info, since all House of Commons traffic shows up as coming from one of just four IPs, so zeroing in on the particular user may not be possible.

But, no matter, Toews wants an investigation (at taxpayer expense). And who gets to investigate those who abuse Toews' lawful access proposal to access private info of citizens? Perhaps, rather than chasing down a ghost, Toews would be better served to think a little more seriously about the complaints people have raised about government over-surveillance.

Filed Under: canada, internet, lawful access, spying, surveillance, vic toews