Saturday, March 26, 2016

You Can Not Have Freedom Without Security

I recently watched a 60 Minutes piece from Lesley Stahl where she discussed the terror attack in Paris with a French prosecutor. The prosecutor bemoaned ISIS using the popular app "Telegram", which has the capacity to provide end-to-end encryption for messaging on the Internet. He used several of the same arguments law enforcement in the United States uses when discussing encryption, such as law enforcement is going dark, there needs to be a balance, terror communication is a black hole, etc. Pretty standard "the sky is falling" type of arguments.

As a former Special Agent from the pre popular encryption apps era, I was amazed at the amount of information law enforcement was able to access in this new digital world. People think very little before putting something online and it is often there for all to see for an indefinite time. The advent of computers and smart phones has given law enforcement far more information and investigative leads than ever could have been imagined even just 10 years ago. While encryption limits some of this, overall it is still a huge net gain of visibility by law enforcement. After the Snowden leaks it should be surprising to no one that private citizens are increasingly concerned about their own privacy.

I served many search warrants in my law enforcement capacity. Something that most people do not think about is just how private the nature of photographs is. For instance, I have gone through dozens of people's houses during the execution of warrants and while it is certainly an invasion of privacy for the affected individual, it pales in comparison to going through someone's private pictures found on the same search warrant. I will never forget going through a man's house from top to bottom, including all of his and his wife's underwear drawers, with several other agents and not finding what we were looking for. However, we did come across a stash of private pictures he had of himself and his wife in many different sexual positions. Mind you these photos had nothing to do with the execution of the warrant. Yes, looking at someone's personal pictures on a search warrant where I was authorized to also go through their underwear drawers was the most I ever invaded someone's privacy. To make matters worse in this case, other agents left a particular picture they found of the man's wife engaging in fellatio with him on his table so the wife would know that we had looked at them. This was meant to embarrass her and to put her on notice that her privacy had been severely violated.

This always pissed me off. A lot of folks I worked with in law enforcement behaved in a manner such as this, very short on respect for many of the people they were investigating. Not all law enforcement officers were like this but there was no shortage of them either. When some want to pretend that law enforcement will act responsibly with the most sensitive private data belonging to someone I hope they will think of this story. Cops are people too and people do stupid shit. Encryption is a way to keep assholes out of your stuff. Think about the pictures, banking information, texts, email, etc you have on your own cell phone. It would be a phenomenal intrusion of your privacy should it be breached. I would argue, even a bigger invasion than merely serving a search warrant on a house because of the nature of the data being stored on phones nowadays. A cell phone and the data in it really gives someone a window into your innermost thoughts and beliefs.

People should want to keep this sensitive data protected. Encryption by its mathematical nature is binary. It is secure or it is not. A backdoor cannot be provided only to law enforcement that does not seriously undermine the security of the device. There is no magic golden key or any other means to make your device secure from everyone except law enforcement. I didn't agree with all of Justice Antonin Scalia's legal decisions but there is something he got exactly right. In Arizona v. Hicks in 1987 he said,

"There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all." 

I can think of nothing more appropriate in this recent debate over encryption. Ironically, at the end of the Stahl segment in which she and the French prosecutor were clearly on the side of magically getting law enforcement more access to encrypted communication they closed with, "You Can Not Have Freedom Without Security". This was to suggest that police need to have access to our smart phones in order for us to live in a free and functioning society. What they missed is that those of us on my side of the argument would say the same thing. We can not enjoy the great things the Internet has to offer without security. The only way that security is currently possible is with strong encryption. Encryption either works or it doesn't. It is the classic Yoda, do or do not. You can not have freedom without security. Indeed.

Thursday, March 24, 2016

An Open Letter to Cryptophobes


Before beginning, I should point out a couple of things. One, I am a computer security professional. This can mean a lot of things as it's a very broad domain. So I will revise that to say I received my MS in Computer Science because of my thesis work on breaking a fingerprint crypto-system. It is fair to say that I know more than the average security bear about encryption. Frankly, it is what I find to be the most interesting of all security topics so I am passionate about it as well. Additionally, I will add that I was a Special Agent for the Department of Homeland Security in what seems like another lifetime now. What this means is that I had oodles of more training in Constitutional law than your average security pro or crypto fiend. Constitutional law is also something I get excited about. Now that you know these things about me you can imagine how quickly my blood pressure rises when I get going about the FBI v. Apple shenanigans. It is with this in mind that I am posting a recent email I received from someone that I think is representative of what a lot of folks think and my response to it. The person that sent me the initial email has needled me for years over computer security so my response isn't one to just any random person on the street. It should be viewed as a frustrated response to someone that I have tried to educate on the subject on previous tries. Enjoy.

Patrick,

I am going to open myself up to a lot of grief here but this Apple thing has been driving me crazy.

I am not an Apple fan. To me Steve Jobs played games with his product line very much like IBM did in the ‘60’s, ‘70’s, ‘80’s and even into the ‘90’s, namely trying to keep all competition off their product line. Whether it was software or hardware. Yes, they had a fine product but to me open access brings about a healthy competition which makes the overall product better for the consumer and for the industry in general. One problem with open access is it can be more vulnerable to hacking. Due to its control methods and its smaller user base, Apple wasn’t getting hacked as much as Microsoft and PC’s.

If Apple wanted to remain low on the hacker radar, they should have quietly had the FBI hand over the phone and given it back to them with a new password. By blowing this whole thing up in the press, they basically threw out a challenge to the hacking community saying “we dare you to find a way into our device”. How arrogant and foolish of them to think it could not be done. Next time I bet they will be a lot more cooperative with the Feds when they come knocking.


Sincerely,

John


John,

Your naivety on this topic is jarring. First, open access almost always leads to more secure products. Security by obscurity is a myth. Open source code is more secure over time and always will be. It's the nature of the beast. When people can see what's going on under the technical covers it results in better and more secure solutions being implemented. Apple products have not historically gotten hacked as much primarily because of economics. Windows systems are far more insecure and it's what the majority use so that's where intrusion effort goes. But to say this is the only reason is silly.

"If Apple wanted to remain low on the hacker radar, they should have quietly had the FBI hand over the phone and given it back to them with a new password."  This is beyond absurd. I think you have been watching too much Fox News or CNN to get this argument. Apple would have gladly accepted this scenario. The FBI wouldn't let them because they always wanted this case to set a precedent. As such, if the FBI had won in court (they wouldn't have by the way) they would have a back door into any Apple product running that version of iOS. If the FBI had that capability then so would every scum bag hacker as well as every repressive government in the world. A couple of other points here. One, if the FBI didn't have technical morons working for them they had all of the tools needed to get into the phone at the onset of the investigation. Those idiots screwed it up so that they needed someone else to get into the phone because of how they mishandled the device in its original state.

This is not the same as picking a lock. This is creating a key that unlocks every door in the world. Further, to suggest that Apple wanted to blow this up in the media is equally asinine. Again, the US government chose to have this fight to set precedent. This phone, which will yield 0 evidence, was not requested to be back-doored by the FBI for more than 50 days after San Bernardino (must have been a real emergency). The powers that be were trying to capitalize on a terror attack to further their power. Nothing more. Apple, as every security person with half a brain, knows that there is no infallible security technology. Measures are designed to merely buy time. We are always just weeks or months from the newest exploit subverting our privacy and digital security. The US government took up a losing fight and just got embarrassed by their own ineptitude.

As Apple and people like myself said since day 1, someone would find a way in and the government shouldn't be compelling a software company to write code. Do you know that the Supreme Court has already ruled that software code is protected free speech? How do you feel about the US government compelling someone to make a certain kind of speech they don't want to make? I am sure that would be very popular in North Korea but I, for one, support the 1st and 4th amendments. At the end of the day the US government and sadly most Americans do not understand computer security, especially encryption. It is my hope that changes over time but in the meantime it should be terrifying to everyone that only a company with the resources of Apple could stand up to an unconstitutional and moronic request from the government. Frankly, there are not many, if any, serious computer security experts that support the FBI in this. As you probably wouldn't read any papers from experts as they can be exceedingly dull, why don't you take a look at this from John Oliver. It is only about 15 minutes and really explains rather elegantly the problem with what the FBI is trying to do here.


Patrick