The Apple-FBI legal battle has concluded with the government unlocking the San Bernardino shooter's iPhone with the help of an unnamed outside third party, but the crypto wars have continued as Google finds itself under similar pressure.
This week the American Civil Liberties Union reported it has uncovered 63 confirmed cases "in which the government applied for an order under the All Writs Act to compel Apple or Google to provide assistance in accessing data stored on a mobile device."
"Even though the FBI no longer needs Apple's help in that case, the FBI's request was part of a sustained government effort to exercise novel law enforcement power," wrote Eliza Sweren-Becker, attorney for the ACLU Speech, Privacy, and Technology Project. "We've found that the government has been using the law to force tech companies to help unlock their customers' devices in dozens of cases since 2008. To the extent we know about the underlying facts, these cases predominantly arise out of investigations into drug crimes."
It was possible to determine the specific crime involved for 41 of those cases, and the only one involving terrorism was the San Bernardino, Calif., shootings, Wired reported. Of the rest of the cases, 17 were drug-related, 10 involved financial crimes, eight were child pornography cases and three involved counterfeiting. Another 13 likely cases were uncovered but not confirmed.
Not on the ACLU's list is a case in Faulkner County, Arkansas, in which a prosecutor is seeking to access data on an iPhone and an iPod linked to the murder of a couple last year -- devices from which the FBI has agreed to attempt to recover data, the Associated Press reported this week.
White House: Privacy not at risk in U.S.
Meanwhile, the White House this week reassured Americans that they should still be confident in their privacy "because there are laws on the books that are assiduously followed by our law enforcement and national security officials that protect the privacy of the American people," said White House spokesman Josh Earnest at a press briefing this week.
However, Earnest was unable to say whether the government would provide Apple with more information about the vulnerability used to access the San Bernardino shooter's phone.
Robert Knake, Whitney Shepardson senior fellow at the New York-based Council on Foreign Relations, wrote that while "any vulnerability used to access the data must be subject to the Vulnerabilities Equities Process (VEP), the process by which the U.S. government decides whether to disclose a computer vulnerability," such a disclosure seemed unlikely because the FBI may not even know what the vulnerability is.
"The vendor probably demonstrated they could access data off of a phone but refused to share the details on how they did it to protect their future market," Knake wrote. "All the FBI can likely tell Apple is what they have already made public: there's a vulnerability in iOS. Good luck finding it."
Encryption gets a new crypto wars hero
Even though the Apple-FBI suit was dropped, the crypto wars continue, and Sen. Ron Wyden (D-Ore.) took a strong stand against efforts to break strong encryption in a speech at the RightsCon Summit event held in San Francisco this week.
"I am here to tell you why I will use every power I have as a senator to block plans to weaken strong encryption," Wyden said. "I am here to tell you why FBI Director Comey's plans and expected legislation will be a lose-lose -- they would lead to less security and less liberty."
Wyden called for what he termed a "New Compact for Security and Liberty," saying that he wants to "refocus the debate on how to have policies that are win-win: that produce more security and more liberty." Wyden's "new compact" calls for ending the campaign against strong encryption and for strengthening privacy protections, while also calling on Congress to hold more "open hearings to examine the privacy impacts of surveillance laws, authorities and practices."
Wyden also called on "defenders of digital rights" to be aware of "attempts to undermine those rights without anybody noticing," noting that the Justice Department is attempting to change the Federal Rule of Criminal Procedure 41 to allow law enforcement agencies to remotely access, under a single warrant, any computer a suspected hacker is believed to have broken into. The change to Rule 41 "could potentially allow federal investigators to use one warrant to access millions of computers, and it would treat the victims of the hack the same as the hacker himself."
"[I]t is important to recognize that advances in technology do create some legitimate challenges for our intelligence and law-enforcement officials," Wyden concluded. "And it is possible to help them adapt and develop new investigative methods without tossing our fundamental freedoms in the trash can."
Meanwhile, the FBI is fighting a court order to reveal how it managed to break Tor anonymity. Earlier this year, a judge ruling in a child pornography case told the FBI that it must turn over to defense attorneys the code used to deanonymize the defendant while using the Tor anonymity network.
Department of Justice attorneys submitted a sealed motion to the judge this week asking that the order be reconsidered, Motherboard reported. Included in the DoJ's filing was a statement from an agent involved in the investigation arguing that the FBI's "network investigative technique" -- fed-speak for exploit code -- was not relevant to the defendant's defense.
Tor may also be losing the public relations battle. In a survey of more than 24,000 individuals in 24 countries, seven in 10 believe the dark web should be shut down, according to the Canadian think tank Centre for International Governance Innovation, which reported the results.
Because many of the survey participants were not familiar with Tor, they were told that the anonymity network was used by "journalists, human rights activists, dissidents and whistleblowers [who] can use these services to rally against repression, exercise their fundamental rights to free expression and shed light upon corruption," as well as being used by "hackers, illegal marketplaces (e.g. selling weapons and narcotics), and child abuse sites [that] can also use these services to hide from law enforcement."
In the U.S., 72% believed it should be shut down, though the researchers noted that countries with a "stronger tradition of protest" also showed more support for the dark web. Only 62% of respondents in Hong Kong believed it should be shut down, but 79% of mainland China respondents felt that the dark web should be shuttered.
In other news:
- Reddit may have been served with a National Security Letter (NSL) by the U.S. government at some point since Jan. 29, 2015, based on a change in a "warrant canary" posted this week in the 2015 Transparency Report for the San Francisco-based social networking website. NSLs are administrative subpoenas issued by federal agencies without prior judicial approval and are used to solicit information deemed to be for national security purposes. A "warrant canary" is "a regularly published statement that a service provider has not received legal process (like a national security letter) that it would be prohibited from disclosing to the public," according to Canarywatch, a coalition of digital rights groups. "Once a service provider does receive legal process, the speech prohibition goes into place, and the provider no longer makes the statement about the number of such process received." The legal theory behind warrant canaries is that, while the person or organization served with an NSL is not permitted to say that they have been served with the NSL, the gag order cannot be used to compel that person or organization to make an untrue statement. "On its own, at first I believed it was a strong indicator that Reddit had received some type of gag order to stop communicating such government requests to access their users' data," Rebecca Herold, CEO of The Privacy Professor, told SearchSecurity. "Or worse, [it indicates] that they have now been compelled to make bulk data collection available to the FBI, NSA, et cetera. But then I looked at my calendar. Today is April 1. Is this some type of April Fools' Day joke to give privacy pros a heart attack? Perhaps. Hopefully it is an April 1 trick, and not truly an indication of full data access to allow government collection."
- This week hospitals were warned to be on the lookout for the SamSam ransomware campaign, which can hit on the server side and can spread rapidly through networks once it takes up residence on a victim's system. "Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits," Cisco Talos reported. "This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry." Meanwhile, another nasty new ransomware variant was reported by Lawrence Abrams, founder of online community BleepingComputer. The Petya ransomware program first takes control over the victim's hard drive Master Boot Record (MBR), causes a reboot to gain control of the system, and then encrypts the drive's Master File Table (MFT), rendering it impossible to recover files on the drive -- or to even reboot the system -- without paying the ransom.
- With U.S. retailers six months into the transition to EMV chip-and-signature cards, cybersecurity firm FireEye reported that attackers are using a custom point-of-sale (POS) malware tool dubbed TREASUREHUNT to grab the last of the low-hanging fruit of infectable POS terminals before U.S. retailers complete the transition to the new card scanners. TREASUREHUNT is "POS malware that appears to have been custom-built for the operations of a particular 'dump shop,' which sells stolen credit card data," wrote Nart Villeneuve, principal threat intelligence analyst at FireEye. "TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server."
- The OPM breach wasn't the first or the biggest instance of a government agency having fingerprint records go astray. The State of New York Office of the Inspector General reported this week that in 2008-2009, a contractor had "improperly transmitted electronic images of fingerprint cards from a secure DCJS warehouse to a company in India," while working on a $3.45 million project to scan and index 22 million fingerprint cards maintained by the New York State Division of Criminal Justice Services. The terms of the contract specified that the original records must remain inside a secured warehouse, but the contractor transmitted the images to the company in India regardless. The contractor and its principals were slapped with more than $3 million in penalties by the State of New York.