Obama administration explores breaching encrypted smartphones

Portions of the Obama administration seemingly will not give up on their quest to continue mass surveillance of US citizens without warrants. According to the Washington Post, work continues to breach legal encryption.

An Obama administration working group has explored four possible approaches tech companies might use that would allow law enforcement to unlock encrypted communications — access that some tech firms say their systems are not set up to provide.

The group concluded that the solutions were “technically feasible,” but all had drawbacks as well.

The approaches were analyzed as part of a months-long government discussion about how to deal with the growing use of encryption in which no one but the user can see the information. Law enforcement officials have argued that armed with a warrant they should be able to obtain communications, such as e-mails and text messages, from companies in terrorism and criminal cases.

Senior officials do not intend to advance the solutions as “administration proposals” — or even want them shared outside the government, according to a draft memo obtained by The Washington Post.


They fear blowback.

The administration’s fears of blowback are real. The massive surveillance state apparatus that has been built is a direct threat to privacy and any breach technologies that may be created would certainly result in outrage not only in the US but around the world. Strong encryption should be treated as a human right. Perhaps they will come to their senses.

Quote of the day

A decade of fear-mongering has brought power and wealth to those who have been most skillful at hyping the terrorist threat. Fear sells. Fear has convinced the White House and Congress to pour hundreds of billions of dollars — more money than anyone knows what to do with — into counterterrorism and homeland security programs, often with little management or oversight, and often to the detriment of the Americans they are supposed to protect. Fear is hard to question. It is central to the financial well-being of countless federal bureaucrats, contractors, subcontractors, consultants, analysts, and pundits. Fear generates funds.

James Risen, journalist, in his 2014 book Pay Any Price: Greed, Power, and Endless War. (via Quotation of the Day Mailing List)

FCC challenges FBI and NSA over unbreakable encryption

FCC Commissioners have called for an expansion of strong data encryption, in a direct challenge to the demands of the FBI and NSA to require so-called “back door” encryption keys that would allow the government to breach encrypted communications. Most encryption experts believe that any insertion of such back doors would place at risk virtually all encrypted data. If the government uses the back doors, the bad guys can do the same.

From Extreme Tech:

According to FTC Commissioner Terrell McSweeny, encryption is absolutely necessary if the so-called Internet of Things is ever to become a reality. Writing for HuffPo, McSweeny praises the steps that companies like Apple have taken to provide end-to-end encryption and notes that encrypting devices is one of the only ways to secure smartphones, tablets, and laptops against the loss of potentially critical information if the device is physically stolen. In her Op/ed, McSweeny notes:

If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.

Compare that against Cyrus Vance’s comments from earlier this summer:

This defendant’s appreciation of the safety that the iOS 8 operating system afforded him is surely shared by criminal defendants in every jurisdiction in America charged with all manner of crimes, including rape, kidnapping, robbery, promotion of child pornography, larceny, and presumably by those interested in committing acts of terrorism. Criminal defendants across the nation are the principal beneficiaries of iOS 8, and the safety of all American communities is imperiled by it.

Former security executives endorse unbreakable encryption

The Washington Post has published an editorial written by three former governmental security officials who (now) fully support end-to-end encryption.

Mike McConnell is a former director of the National Security Agency and director of national intelligence. Michael Chertoff is a former homeland security secretary and is executive chairman of the Chertoff Group, a security and risk management advisory firm with clients in the technology sector. William Lynn is a former deputy defense secretary and is chief executive of Finmeccanica North America and DRS Technologies.

The three men, now firmly ensconced in the private sector, believe that an encryption “back-door” is not worth the risk to privacy rights.

We recognize the importance our officials attach to being able to decrypt a coded communication under a warrant or similar legal authority. But the issue that has not been addressed is the competing priorities that support the companies’ resistance to building in a back door or duplicated key for decryption. We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring.

First, such an encryption system would protect individual privacy and business information from exploitation at a much higher level than exists today. As a recent MIT paper explains, requiring duplicate keys introduces vulnerabilities in encryption that raise the risk of compromise and theft by bad actors. If third-party key holders have less than perfect security, they may be hacked and the duplicate key exposed. This is no theoretical possibility, as evidenced by major cyberintrusions into supposedly secure government databases and the successful compromise of security tokens held by a major information security firm. Furthermore, requiring a duplicate key rules out security techniques, such as one-time-only private keys.

Second, a requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption. The smart bad guys will find ways and technologies to avoid access, and we can be sure that the “dark Web” marketplace will offer myriad such capabilities. This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them.

Finally, and most significantly, if the United States can demand that companies make available a duplicate key, other nations such as China will insist on the same. There will be no principled basis to resist that legal demand. The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process.

It is well past time

While a lot can happen before the expiration of the Patriot Act on June 1, it looks like Congress (or at least the House) is prepared for major reductions in US domestic spying and surveillance.

From the New York Times:

After more than a decade of wrenching national debate over the intrusiveness of government intelligence agencies, a bipartisan wave of support has gathered to sharply limit the federal government’s sweeps of phone and Internet records.

On Thursday, a bill that would overhaul the Patriot Act and curtail the so-called metadata surveillance exposed by Edward J. Snowden was overwhelmingly passed by the House Judiciary Committee and was heading to almost certain passage in that chamber this month.

An identical bill in the Senate — introduced with the support of five Republicans — is gaining support over the objection of Senator Mitch McConnell, Republican of Kentucky, who is facing the prospect of his first policy defeat since ascending this year to majority leader.

The push for reform is the strongest demonstration yet of a decade-long shift from a singular focus on national security at the expense of civil liberties to a new balance in the post-Snowden era.

Under the bipartisan bills in the House and Senate, the Patriot Act would be changed to prohibit bulk collection, and sweeps that had operated under the guise of so-called National Security Letters issued by the F.B.I. would end. The data would instead be stored by the phone companies themselves, and could be accessed by intelligence agencies only after approval of the secret Foreign Intelligence Surveillance Act court.

The legislation would also create a panel of experts to advise the FISA court on privacy, civil liberties, and technology matters, while requiring the declassification of all significant FISA court opinions.

More details from the Times here.

Decades of surveillance (updated)

USA Today is reporting that the government started collecting data on citizens’ international telephone calls a decade prior to 9/11.

For more than two decades, the Justice Department and the Drug Enforcement Administration amassed logs of virtually all telephone calls from the USA to as many as 116 countries linked to drug trafficking, current and former officials involved with the operation said. The targeted countries changed over time but included Canada, Mexico and most of Central and South America.

Federal investigators used the call records to track drug cartels’ distribution networks in the USA, allowing agents to detect previously unknown trafficking rings and money handlers. They also used the records to help rule out foreign ties to the bombing in 1995 of a federal building in Oklahoma City and to identify U.S. suspects in a wide range of other investigations.

The Justice Department revealed in January that the DEA had collected data about calls to “designated foreign countries.” But the history and vast scale of that operation have not been disclosed until now.

How Americans can ever trust the government to protect their privacy, and comply with the Constitution, is a real puzzle. Secret data collection by the government is apparently unstoppable in the current political environment. Shameful.

Update: The EFF has agreed to represent Human Rights Watch, a civil liberties group, in a lawsuit challenging the legality of the DEA’s massive data collection program.

Human Rights Watch, a nonpartisan organization that fights human rights abuses across the globe, filed suit against the U.S. Drug Enforcement Administration late Tuesday for illegally collecting records of its telephone calls to certain foreign countries as part of yet another government bulk surveillance program. The group is represented by the Electronic Frontier Foundation (EFF), which has launched a series of legal challenges against unconstitutional government surveillance.

“The DEA’s program of untargeted and suspicionless surveillance of Americans’ international telephone call records—information about the numbers people call, and the time, date, and duration of those calls—affects millions of innocent people, yet the DEA operated the program in secret for years,” said EFF Staff Attorney Nate Cardozo. “Both the First and Fourth Amendment protect Americans from this kind of overreaching surveillance. This lawsuit aims to vindicate HRW’s rights, and the rights of all Americans, to make calls overseas without being subject to government surveillance.”

The CIA seeks to break security of Apple devices

The Intercept is reporting that the CIA has conducted a multi-year campaign to break the security of Apple iPhones and iPads.

By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.

* * *

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “key logger.”

* * *

“Spies gonna spy,” says Steven Bellovin, a former chief technologist for the U.S. Federal Trade Commission and current professor at Columbia University. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”

Bellovin says he generally supports efforts by U.S. intelligence to “hack” devices — including Apple’s — used by terrorists and criminals, but expressed concern that such capabilities could be abused. “There are bad people out there, and it’s reasonable to seek information on them,” he says, cautioning that “inappropriate use — mass surveillance, targeting Americans without a warrant, probably spying on allies — is another matter entirely.”

Documents provided by Edward Snowden revealed the CIA attacks on Apple software and hardware. The documents also reveal that other tech companies were attacked. Tim Cook has repeatedly attacked the efforts of the CIA and the NSA and he has called for privacy protection for all Apple customers.

“If I were Tim Cook, I’d be furious,” says the ACLU’s Soghoian. “If Apple is mad at the intelligence community, and they should be, they should put their lawyers to work. Lawsuits speak louder than words.”

* * *

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will,” Cook said last September in announcing Apple’s new privacy policy. More recently, Cook said, “None of us should accept that the government or a company or anybody should have access to all of our private information. This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering.”

* * *

As corporations increasingly integrate default encryption methods and companies like Apple incorporate their own indigenous encryption technologies into easy-to-use text, voice and video communication platforms, the U.S. and British governments are panicking. “Encryption threatens to lead all of us to a very dark place,” declared FBI Director James Comey in an October 2014 lecture at the Brookings Institution. Citing the recent moves by Apple to strengthen default encryption on its operating systems, and commitments by Google to incorporate such tools, Comey said, “This means the companies themselves won’t be able to unlock phones, laptops, and tablets to reveal photos, documents, e-mail, and recordings stored within.”

Under current U.S. regulations, law enforcement agencies can get a court order to access communications channeled through major tech companies and wireless providers. But if those communications are encrypted through a process not accessible by any involved company, the data is essentially meaningless, garbled gibberish. “In a world in which data is encrypted, and the providers don’t have the keys, suddenly, there is no one to go to when they have a warrant,” says Soghoian. “That is, even if they get a court order, it doesn’t help them. That is what is freaking them out.”

You can read the full, detailed and shocking article here.

Wikipedia sues NSA over mass surveillance

Wikipedia is suing the NSA over the spy agency’s so-called “upstream” surveillance, which collects information around the world by tapping into Internet cables.

The notion that the N.S.A. is monitoring Wikipedia’s users is not, unfortunately, a stretch of the imagination. One of the documents revealed by the whistle-blower Edward J. Snowden specifically identified Wikipedia as a target for surveillance, alongside several other major websites like CNN.com, Gmail and Facebook. The leaked slide from a classified PowerPoint presentation declared that monitoring these sites could allow N.S.A. analysts to learn “nearly everything a typical user does on the Internet.”

The harm to Wikimedia and the hundreds of millions of people who visit our websites is clear: Pervasive surveillance has a chilling effect. It stifles freedom of expression and the free exchange of knowledge that Wikimedia was designed to enable.

* * *

In the lawsuit we’re filing with the help of the American Civil Liberties Union, we’re joining as a fellow plaintiff a broad coalition of human rights, civil society, legal, media and information organizations. Their work, like ours, requires them to engage in sensitive Internet communications with people outside the United States.

That is why we’re asking the court to order an end to the N.S.A.’s dragnet surveillance of Internet traffic.

Privacy is an essential right. It makes freedom of expression possible, and sustains freedom of inquiry and association. It empowers us to read, write and communicate in confidence, without fear of persecution. Knowledge flourishes where privacy is protected.

This is an excellent, well-funded effort that might have a decent chance of limiting at least some of the “collect it all” operations of the NSA.