Tim Cook defends encryption

The Intercept is reporting that Tim Cook lashed out at the Obama administration delegation that travelled to the west coast last week to open so-called “back doors” in the major tech companies.

Excerpt:

Apple CEO Tim Cook lashed out at the high-level delegation of Obama administration officials who came calling on tech leaders in San Jose last week, criticizing the White House for a lack of leadership and asking the administration to issue a strong public statement defending the use of unbreakable encryption.

The White House should come out and say “no backdoors,” Cook said. That would mean overruling repeated requests from FBI director James Comey and other administration officials that tech companies build some sort of special access for law enforcement into otherwise unbreakable encryption. Technologists agree that any such measure could be exploited by others.

But Attorney General Loretta Lynch responded to Cook by speaking of the “balance” necessary between privacy and national security – a balance that continues to be debated within the administration.

Good for Tim Cook. He seems to be determined to undermine the vast surveillance state that has been indiscriminately collecting private information of Americans.

Obama administration explores breaching encrypted smartphones

Portions of the Obama administration seemingly will not give up on their quest to continue mass surveillance of US citizens without warrants. According to the Washington Post, work continues to breach legal encryption.

An Obama administration working group has explored four possible approaches tech companies might use that would allow law enforcement to unlock encrypted communications — access that some tech firms say their systems are not set up to provide.

The group concluded that the solutions were “technically feasible,” but all had drawbacks as well.

The approaches were analyzed as part of a months-long government discussion about how to deal with the growing use of encryption in which no one but the user can see the information. Law enforcement officials have argued that armed with a warrant they should be able to obtain communications, such as e-mails and text messages, from companies in terrorism and criminal cases.

Senior officials do not intend to advance the solutions as “administration proposals” — or even want them shared outside the government, according to a draft memo obtained by The Washington Post.

Why?

They fear blowback.

The administration’s fears of blowback are real. The massive surveillance state apparatus that has been built is a direct threat to privacy and any breach technologies that may be created would certainly result in outrage not only in the US but around the world. Strong encryption should be treated as a human right. Perhaps they will come to their senses.

Quote of the day

A decade of fear-mongering has brought power and wealth to those who have been most skillful at hyping the terrorist threat. Fear sells. Fear has convinced the White House and Congress to pour hundreds of billions of dollars — more money than anyone knows what to do with — into counterterrorism and homeland security programs, often with little management or oversight, and often to the detriment of the Americans they are supposed to protect. Fear is hard to question. It is central to the financial well-being of countless federal bureaucrats, contractors, subcontractors, consultants, analysts, and pundits. Fear generates funds.

James Risen, journalist, in his 2014 book Pay Any Price: Greed, Power, and Endless War. (via Quotation of the Day Mailing List)

FCC challenges FBI and NSA over unbreakable encryption

FCC Commissioners have called for an expansion of strong data encryption, in a direct challenge to the demands of the FBI and NSA to require so-called “back door” encryption keys that would allow the government to breach encrypted communications. Most encryption experts believe that any insertion of such back doors would place at risk virtually all encrypted data. If the government uses the back doors, the bad guys can do the same.

From Extreme Tech:

According to FTC Commissioner Terrell McSweeny, encryption is absolutely necessary if the so-called Internet of Things is ever to become a reality. Writing for HuffPo, McSweeny praises the steps that companies like Apple have taken to provide end-to-end encryption and notes that encrypting devices is one of the only ways to secure smartphones, tablets, and laptops against the loss of potentially critical information if the device is physically stolen. In her Op/ed, McSweeny notes:

If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.

Compare that against Cyrus Vance’s comments from earlier this summer:

This defendant’s appreciation of the safety that the iOS 8 operating system afforded him is surely shared by criminal defendants in every jurisdiction in America charged with all manner of crimes, including rape, kidnapping, robbery, promotion of child pornography, larceny, and presumably by those interested in committing acts of terrorism. Criminal defendants across the nation are the principal beneficiaries of iOS 8, and the safety of all American communities is imperiled by it.

Former security executives endorse unbreakable encryption

The Washington Post has published an editorial written by three former governmental security officials who (now) fully support end-to-end encryption.

Mike McConnell is a former director of the National Security Agency and director of national intelligence. Michael Chertoff is a former homeland security secretary and is executive chairman of the Chertoff Group, a security and risk management advisory firm with clients in the technology sector. William Lynn is a former deputy defense secretary and is chief executive of Finmeccanica North America and DRS Technologies.

The three men, now firmly ensconced in the private sector, believe that an encryption “back-door” is not worth the risk to privacy rights.

We recognize the importance our officials attach to being able to decrypt a coded communication under a warrant or similar legal authority. But the issue that has not been addressed is the competing priorities that support the companies’ resistance to building in a back door or duplicated key for decryption. We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring.

First, such an encryption system would protect individual privacy and business information from exploitation at a much higher level than exists today. As a recent MIT paper explains, requiring duplicate keys introduces vulnerabilities in encryption that raise the risk of compromise and theft by bad actors. If third-party key holders have less than perfect security, they may be hacked and the duplicate key exposed. This is no theoretical possibility, as evidenced by major cyberintrusions into supposedly secure government databases and the successful compromise of security tokens held by a major information security firm. Furthermore, requiring a duplicate key rules out security techniques, such as one-time-only private keys.

Second, a requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption. The smart bad guys will find ways and technologies to avoid access, and we can be sure that the “dark Web” marketplace will offer myriad such capabilities. This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them.

Finally, and most significantly, if the United States can demand that companies make available a duplicate key, other nations such as China will insist on the same. There will be no principled basis to resist that legal demand. The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process.

It is well past time

While a lot can happen before the expiration of the Patriot Act on June 1, it looks like Congress (or at least the House) is prepared for major reductions in US domestic spying and surveillance.

From the New York Times:

After more than a decade of wrenching national debate over the intrusiveness of government intelligence agencies, a bipartisan wave of support has gathered to sharply limit the federal government’s sweeps of phone and Internet records.

On Thursday, a bill that would overhaul the Patriot Act and curtail the so-called metadata surveillance exposed by Edward J. Snowden was overwhelmingly passed by the House Judiciary Committee and was heading to almost certain passage in that chamber this month.

An identical bill in the Senate — introduced with the support of five Republicans — is gaining support over the objection of Senator Mitch McConnell, Republican of Kentucky, who is facing the prospect of his first policy defeat since ascending this year to majority leader.

The push for reform is the strongest demonstration yet of a decade-long shift from a singular focus on national security at the expense of civil liberties to a new balance in the post-Snowden era.

Under the bipartisan bills in the House and Senate, the Patriot Act would be changed to prohibit bulk collection, and sweeps that had operated under the guise of so-called National Security Letters issued by the F.B.I. would end. The data would instead be stored by the phone companies themselves, and could be accessed by intelligence agencies only after approval of the secret Foreign Intelligence Surveillance Act court.

The legislation would also create a panel of experts to advise the FISA court on privacy, civil liberties, and technology matters, while requiring the declassification of all significant FISA court opinions.

More details from the Times here.

Decades of surveillance (updated)

USA Today is reporting that the government started collecting data on citizens’ international telephone calls a decade prior to 9/11.

For more than two decades, the Justice Department and the Drug Enforcement Administration amassed logs of virtually all telephone calls from the USA to as many as 116 countries linked to drug trafficking, current and former officials involved with the operation said. The targeted countries changed over time but included Canada, Mexico and most of Central and South America.

Federal investigators used the call records to track drug cartels’ distribution networks in the USA, allowing agents to detect previously unknown trafficking rings and money handlers. They also used the records to help rule out foreign ties to the bombing in 1995 of a federal building in Oklahoma City and to identify U.S. suspects in a wide range of other investigations.

The Justice Department revealed in January that the DEA had collected data about calls to “designated foreign countries.” But the history and vast scale of that operation have not been disclosed until now.

How Americans can ever trust the government to protect their privacy, and comply with the Constitution, is a real puzzle. Secret data collection by the government is apparently unstoppable in the current political environment. Shameful.

Update: The EFF has agreed to represent Human Rights Watch, a civil liberties group, in a lawsuit challenging the legality of the DEA’s massive data collection program.

Human Rights Watch, a nonpartisan organization that fights human rights abuses across the globe, filed suit against the U.S. Drug Enforcement Administration late Tuesday for illegally collecting records of its telephone calls to certain foreign countries as part of yet another government bulk surveillance program. The group is represented by the Electronic Frontier Foundation (EFF), which has launched a series of legal challenges against unconstitutional government surveillance.

“The DEA’s program of untargeted and suspicionless surveillance of Americans’ international telephone call records—information about the numbers people call, and the time, date, and duration of those calls—affects millions of innocent people, yet the DEA operated the program in secret for years,” said EFF Staff Attorney Nate Cardozo. “Both the First and Fourth Amendment protect Americans from this kind of overreaching surveillance. This lawsuit aims to vindicate HRW’s rights, and the rights of all Americans, to make calls overseas without being subject to government surveillance.”