Whether it's called the encryption debate or the battle over "going dark," experts on both sides testified this...
week at a hearing titled "Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives" in Congress.
The law enforcement experts called first in a separate panel by the House Energy and Commerce Committee to testify included Amy Hess, executive assistant director for science and technology for the FBI; Thomas Galati, chief of the intelligence bureau of the New York City Police Department; and Captain Charles Cohen, commander of the office of intelligence and investigative technologies with the Indiana State Police.
"We are not asking to expand the Government's surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress provided to us to keep America safe," Hess said in her witness statement. Hess emphasized that the "going dark" debate is not about giving the government more powers, but rather to prevent criminals from hiding evidence from lawful search warrants.
"One of the bedrock principles upon which we rely to guide us is the principle of judicial authorization: that if an independent judge finds legally sufficient reason to believe that certain private communications contain evidence of a crime, then the Government can conduct a limited search for that evidence."
Hess said that over the past six months, 30% of the phones seized during investigations by the FBI were protected by passwords, and 13% of those devices yielded no information to investigators.
Talk of backdoors to resolve the going dark problem was limited, and Galati referred to the possibility of using a technical solution for accessing encrypted data under a court order as going through a "front door." He also noted that during the six months from October 2015 to March 2016, the NYPD had been locked out of 67 Apple devices as well as 35 non-Apple devices.
Galati said of the devices in custody: "In every case, we have the file cabinet, so to speak, and the legal authority to open it, but we lack the technical ability to do so because encryption protects its contents."
The second half of the hearing included panelists from the technology sector, including Bruce Sewell, Apple's senior vice president and general counsel; Matthew Blaze, associate professor of computer and information science, school of engineering and applied science at the University of Pennsylvania; Amit Yoran, president at RSA Security; and Daniel Weitzner, principal research scientist of MIT computer science and artificial intelligence lab and director of MIT Internet Policy Research Initiative.
Sewell stated: "The best way we, and the technology industry, know how to protect your information is through the use of strong encryption. Strong encryption is a good thing, a necessary thing. And the government agrees. Encryption today is the backbone of our cybersecurity infrastructure and provides the very best defense we have against increasingly hostile attacks.
"Keep in mind that the people subject to law enforcement inquiries represent far less than one tenth of one percent of our hundreds of millions of users. But all of those users -- 100% of our users would be made more vulnerable if we were forced to build a back door," Sewell said.
Blaze stated: "Any law enforcement access scheme of the kind apparently envisioned by the FBI would, necessarily, involve a mechanism for the transmission and storage of sensitive secret keys to a third party (whether the government or some other entity that holds it). This approach is sometimes called key escrow, key recovery or trusted-third party encryption; the secret is held "in escrow" by a third party. Key escrow was the widely criticized approach incorporated into the Clipper Chip in the early 1990's. It destroys the end-to-end design of robust encryption systems without any benefit to the application."
Blaze wrote the paper that sank the U.S. government's Clipper chip key escrow proposal in 1994, and he echoed similar points about encryption during this week's hearing. "The most basic problem with third-party access cryptography is simply that we do not fully understand how to design it securely," Blaze said. "Any key escrow or lawful access cryptography system, by its very nature, increases its number of points of failure. Unfortunately, we do not understand the problem well enough to even precisely quantify how this reduces security, let alone identify a safe level for this reduction."
EFF sues DoJ
The Electronic Frontier Foundation (EFF) this week filed a Freedom of Information Act (FOIA) lawsuit against the Department of Justice (DoJ) to discover "whether the government has ever used secret court orders to force technology companies to decrypt their customers' private communications."
The EFF argued that doing so undermines "the safety and security of devices used by millions of people," and that the DoJ must disclose whether it has "ever sought or obtained an order from the Foreign Intelligence Surveillance Court (FISC) requiring third parties -- like Apple or Google -- to provide technical assistance to carry out surveillance." The suit also charges that the DoJ has not made available FISC opinions that should have been declassified under the USA Freedom Act.
EFF Senior Staff Attorney Nate Cardozo said that breaking or weakening encryption, or creating backdoors to access personal information on laptops or smartphones, undermines the security and safety of the people who use those devices to store "deeply personal, private information."
"If the government is obtaining FISC orders to force a company to build backdoors or decrypt their users' communications, the public has a right to know about those secret demands to compromise people's phones and computers," Cardozo said. "The government should not be able to conscript private companies into weakening the security of these devices, particularly via secret court orders."
Further "going dark" and iPhone fallout
Sources in the FBI disclosed that data recovered from the San Bernardino shooter's work iPhone has helped them to confirm that that phone contained no evidence that it was used to contact ISIS, that it was not used to contact any of the killers' friends or family, and that no encrypted communications were sent using that phone, CNN reported.
According to FBI director James Comey, speaking at the Aspen Security Forum in London, the cost of the hack was "more than I will make in the remainder of this job." Comey's term has more than seven years to run, and at his current salary, that would be more than $1.3 million. Comey said "it was, in my view, worth it."
Polling shows government not winning hearts and minds over privacy, backdoors
U.S. voters of all stripes believe that their data should be secure and private, according to a survey conducted by Purple Insights on behalf of ACT | The App Association and released this week. And those same voters said they trust technology companies over the federal government when it comes to protecting personal data. According to the poll, which surveyed 1,250 registered voters, 54% trust technology companies more, while only 21% trust the federal government more -- and the results were consistent across political parties.
The results showed that 93% of voters believe "that it is important to keep information they store on their electronic devices and in mobile apps or share online secure and private."
ACT | The App Association also reported that 85% of those surveyed agreed with the statement: "Digital encryption and security features help prevent crime and terrorism -- they keep people from disrupting critical infrastructure like our financial system or our air traffic control system."
Meanwhile, Spiceworks, the online IT community based in Austin, Tex., this week asked its members: "Do you believe government and/or law enforcement backdoors (in encryption protocols, hardware, or software) put organizations more at risk of a data breach?" and (so far) over 600 IT professionals responded overwhelmingly: 87% said it did increase the risk of data breach; only 8% responded "no," while 4% didn't know.
Meanwhile, in Other News:
- Rep. Ted Lieu (D-Calif.) had his phone hacked on 60 Minutes using a flaw in the ancient Signaling System 7 (SS7) protocol, which allows attackers to track the phone's location and spy on all phone calls and texts. Lieu called for an investigation of the vulnerability on Monday.
- On the heels of WhatsApp's rollout of end-to-end encryption, the Viber messaging service, which claims over 700 million users worldwide, will provide "complete end-to-end encryption across all devices," the firm announced this week. Users need to get the latest version of the Viber app to get encryption on voice or video calling, messaging, video and photo sharing, both for group messaging and one-to-one communication. "As part of this update, Viber also launches "Hidden Chats" allowing users to hide specific chats from the main screen so no-one but the user knows they exist. These chats can only be accessed using a four-digit PIN, providing an optional additional layer of privacy to users' personal communications." Viber Media is owned by Japanese e-commerce company Rakuten.
- Google is updating its User Data Policy for the Chrome Web Store, the search giant announced late last week. "The new User Data Policy extends existing policies to ensure transparent use of the data in a way that is consistent with the wishes and expectations of users," the company said. Google's new rules included requirements that developers be transparent about how user data is handled and privacy practices are disclosed, post privacy policies, encrypt personal or sensitive data and get consent from users before collecting personal or sensitive data. The new policy also prohibits "the collection of Web browsing activity when it's not required for an item's main functionality."
- The NTT Group published its "2016 Global Threat Intelligence Report" this week, and one key finding was "a steady increase in Adobe Flash exploit usage in exploit kits from 2012 to 2014, followed by a dramatic increase in 2015." According to NTT, exploit researchers turned their attention to Flash after improvements were made to Java security in 2014. "The total number of Flash vulnerabilities identified in 2015 was the highest ever, with an almost 312% increase over 2014," the report stated. NTT also reported that almost 21% of vulnerabilities detected in client networks were more than three years old; 12% were more than five years old; and over 5% were more than 10 years old.
- Shortened URLs can be vulnerable to brute-force attacks that can reveal documents shared over the cloud as well as inference of "residential addresses, true identities, and extremely sensitive locations they visited that, if publicly revealed, would violate medical and financial privacy," researchers working at Cornell University reported last week. Vitaly Shmatikov, professor of computer science at Cornell Tech, and grad student Martin Georgiev of the University of Texas at Austin reported that cloud storage providers such as Microsoft OneDrive and mapping services like Google Maps used shortened URLs that were vulnerable. "Our scan discovered a large number of Microsoft OneDrive accounts with private documents," Shmatikov wrote. "Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users' devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments."
Learn more about the public safety costs of end-to-end encryption.