Weak email encryption laws put Aussie consumers at risk of fraud

Weak email encryption laws put Aussie consumers at risk of fraud

A consumer alert issued by Victoria’s Legal Services Commissioner a few weeks ago raised, to our mind, an old and curious issue. Why aren’t Australian professionals required to secure their email?

Eighteen years ago, Victoria’s Law Institute Journal carried an excellent feature article on the ease with which email can be forged, the fact that it was already happening and the gold standard technology for mitigating the risk, digital signatures and encryption. We have to say it was excellent, since we wrote it, but it did get a lot of attention. It even won an award. But it had no practical impact at all.

Fast forward to 2016 and the same State’s Legal Services Commissioner is alarmed by a UK report of an email hoax that fleeced a newly married couple of their home deposit. Just when they were waiting for instructions from their lawyers on where to transfer their hard earned ₤45,000, fraudsters sent a bogus message that impersonated the attorneys and nominated a false bank account. The hapless couple complied and the scammers collected their cash.

UNSECURED SYSTEM

The Victorian Commissioner’s alert includes several good points of advice to consumers, like being cautious about links and attachments in emails from unfamiliar senders and using antivirus software. But curiously, it doesn’t canvass the key technology question raised in the UK report: Why wasn’t the lawyers’ email secured against forgery?

The newlywed groom pointed the finger right at the problem, quoted as saying “‘Losing this money is bad enough. But what makes it worse is that this could have all been avoided if our emails had been encrypted. It seems crazy to ask us to transfer such huge amounts by sending a bank account number.”

The lawyers’ response: “Advantage Property Lawyers said that the firm was not responsible for the couple’s loss. It said its emails were not encrypted but that this was standard industry practice. We stick to the highest industry standards in all aspects of our business.”

So non-encryption, fairly described by Joe Public as crazy, is the standard industry practice in the UK, just as it is in Australia.

There may be more to this than meets the eye. A couple of years after our 1997 article, we were asked to host a media lunch for Phil Zimmerman, the US tech wizard who created the first user friendly email encryption and signing software. We invited a senior officer of the Law Institute, thinking the topic would be of vital interest. Apparently not.

Over lunch, Zimmerman offered to supply the Institute with free copies of the tool so it could lead the profession down the road of best practice. For reasons we didn’t understand then and still don’t, the offer created no interest.

LACK OF INTEREST

We recounted the story of that lunch in this column years later, wondering if that would spark some enquiry into the options for fighting exactly the kind of fraud that’s happening in the UK. Silence. It seems that, at the highest levels, legal eagles’ eyes glaze over when the topic of secure email arises. As long as the entire profession ignores the issue, we can all say that “our emails are not encrypted but this is standard industry practice.”

For the record, encryption can help secure email in two ways. First, it can prove that a message is from an authenticated sender, and hasn’t been tampered with in transit. Optionally, it can also scramble the contents of messages so only the intended recipient can read them. Implementing these protections requires some centralised infrastructure and a way to ensure it is used by the target audience. Australia’s law societies are ideally placed to sponsor a more secure system, especially now that a uniform national legal practice regime is in operation.

We used Zimmerman’s product for a couple of years, and it was simple. Using an Outlook plug in, you clicked a button to send a signed message. You entered a password, the software worked its magic in the background, and a digital signature was applied. We gave it up when it became clear that insecure email was set to remain industry best practice for years to come.

Back in 1997, we wrapped up our article with the wildly inaccurate prediction that “in two years, all commercial documentation will be digitally signed. Lawyers have every reason to lead the way.”

Here’s hoping it doesn’t take another 18 years.

Top senator: Encryption bill may “do more harm than good”

Top senator: Encryption bill may "do more harm than good"

Legislating encryption standards might “do more harm than good” in the fight against terrorism, Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) said on Thursday.

In the wake of the terrorist attacks in Paris and San Bernardino, Calif., lawmakers have been debating whether to move a bill that would force U.S. companies to decrypt data for law enforcement.

“Is it really going to solve any problems if we force our companies to do something here in the U.S.?” Johnson asked at the American Enterprise Institute, a conservative think tank. “It’s just going to move offshore. Determined actors, terrorists, are still going to be able to find a service provider that will be able to encrypt accounts.”
Investigators have said the Paris attackers used encrypted apps to communicate. It’s part of a growing trend, law enforcement says, in which criminals and terrorists are using encryption to hide from authorities.

For many, the solution has been to require that tech companies maintain the ability to decrypt data when compelled by a court order. Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) are currently working on such a bill.

But the tech community and privacy advocates have pushed back. They warn that any type of guaranteed access to encrypted data puts all secure information at risk. Keeping a key around to unlock encryption means that anyone, they argue, including hackers can use that key.

Johnson said he understands the importance of strong encryption.

“Let’s face it, encryption helps protect personal information,” he said. “It’s crucial to that. I like the fact that if somebody gets my iPhone, they’re going to have a hard time getting into it.”

Capitol Hill faces a learning curve on the issue, Johnson explained.

“It really is not understanding the complexity,” he said. “And I’m not being critical here. It’s really complex, which is the biggest problem you have in terms of cyber warfare [and] cyberattacks.”

“The experts, the attackers are multiple steps ahead of the good guys trying to reel them in, trying to find them,” Johnson added.

McCaul: US playing ‘catchup’ to terrorists using encryption

McCaul: US playing 'catchup' to terrorists using encryption

The U.S. is playing “catchup” with terrorists and cyber vigilantes who coordinate via encrypted communications, according to the chairman of the House Homeland Security Committee.

“Today’s digital battlefield has many more adversaries that just nation states,” Rep. Michael McCaul (R-Texas) said in a Tuesday column for Bloomberg. “Terrorist groups such as ISIS [the Islamic State in Iraq and Syria], as well as hacktivists … are adept at using encryption technologies to communicate and carry out malicious campaigns, leaving America to play catchup.”

McCaul has been outspoken in the fight between tech companies and law enforcement over the regulation of encryption technology. He is currently prepping legislation that would establish a national commission to find ways to balance the public’s right to privacy with giving police access to encrypted information.

“I do think this is one of the greatest challenges to law enforcement that I have probably seen in my lifetime,” the former federal prosecutor told reporters last week.

Lawmakers are split over whether legislation is needed to address the growing use of technology that can prevent even a device manufacturer from decrypting data.

Tech experts argue that any guaranteed access for law enforcement weakens overall Internet security and makes online transactions such as banking and hotel bookings riskier. Privacy advocates say strong encryption provides important protection to individuals.

But law enforcement officials, along with some lawmakers, continue to argue that impenetrable encryption is a danger to public safety.

“From gang activity to child abductions to national security threats, the ability to access electronic evidence in a timely manner is often essential to successfully conducting lawful investigations and preventing harm to potential victims,” Assistant Attorney General Leslie Caldwell said at the annual State of the Net conference on Monday.

The White House has tried to engage Silicon Valley on the topic, recently meeting with top tech executives on the West Coast. But some lawmakers feel the process should move quicker.

In the upper chamber, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.)  are working on a bill that would force companies to build their encryption so they could respond to a court order for secured data.

Both members of the Intelligence Committee have expressed a desire to move swiftly on encryption legislation and bypass the proposed national commission to study the topic.

McCaul warned that the threats the U.S. faces online “will only grow more prevalent.”

“The security of Americans’ personal information needs to keep pace with the emerging technologies of today,” McCaul said.

Half-Measures on Encryption Since Snowden

Half-Measures on Encryption Since Snowden

When the NSA subcontractor Edward Snowden released classified documents in June 2013 baring the U.S. intelligence community’s global surveillance programs, it revealed the lax attention to privacy and data security at major Internet companies like Apple, Google, Yahoo, and Microsoft. Warrantless surveillance was possible because data was unencrypted as it flowed between internal company data centers and service providers.

The revelations damaged technology companies’ relationships with businesses and consumers. Various estimates pegged the impact at between $35 billion and $180 billion as foreign business customers canceled service contracts with U.S. cloud computing companies in favor of foreign competitors, and as the companies poured money into PR campaigns to reassure their remaining customers.

There was a silver lining: the revelations catalyzed a movement among technology companies to use encryption to protect users’ data from spying and theft. But the results have been mixed. Major service providers including Google, Yahoo, and Microsoft—who are among the largest providers of cloud- and Web-based services like e-mail, search, storage, and messaging—have indeed encrypted user data flowing across their internal infrastructure. But the same isn’t true in other contexts, such as when data is stored on smartphones or moving across networks in hugely popular messaging apps like Skype and Google Hangouts. Apple is leading the pack: it encrypts data by default on iPhones and other devices running newer versions of its operating system, and it encrypts communications data so that only the sender and receiver have access to it.

When the NSA subcontractor Edward Snowden released classified documents in June 2013 baring the U.S. intelligence community’s global surveillance programs, it revealed the lax attention to privacy and data security at major Internet companies like Apple, Google, Yahoo, and Microsoft. Warrantless surveillance was possible because data was unencrypted as it flowed between internal company data centers and service providers.

The revelations damaged technology companies’ relationships with businesses and consumers. Various estimates pegged the impact at between $35 billion and $180 billion as foreign business customers canceled service contracts with U.S. cloud computing companies in favor of foreign competitors, and as the companies poured money into PR campaigns to reassure their remaining customers.

There was a silver lining: the revelations catalyzed a movement among technology companies to use encryption to protect users’ data from spying and theft. But the results have been mixed. Major service providers including Google, Yahoo, and Microsoft—who are among the largest providers of cloud- and Web-based services like e-mail, search, storage, and messaging—have indeed encrypted user data flowing across their internal infrastructure. But the same isn’t true in other contexts, such as when data is stored on smartphones or moving across networks in hugely popular messaging apps like Skype and Google Hangouts. Apple is leading the pack: it encrypts data by default on iPhones and other devices running newer versions of its operating system, and it encrypts communications data so that only the sender and receiver have access to it.

Half-Measures on Encryption Since Snowden

But Apple products aren’t widely used in the poor world. Of the 3.4 billion smartphones in use worldwide, more than 80 percent run Google’s Android operating system. Many are low-end phones with less built-in protection than iPhones. This has produced a “digital security divide,” says Chris Soghoian, principal technologist at the American Civil Liberties Union. “The phone used by the rich is encrypted by default and cannot be surveilled, and the phone used by most people in the global south and the poor and disadvantaged in America can be surveilled,” he said at MIT Technology Review’s EmTech conference in November.

Pronouncements on new encryption plans quickly followed the Snowden revelations. In November 2013, Yahoo announced that it intended to encrypt data flowing between its data centers and said it would also encrypt traffic moving between a user’s device and its servers (as signaled by the address prefix HTTPS). Microsoft announced in November and December 2013 that it would expand encryption to many of its major products and services, meaning data would be encrypted in transit and on Microsoft’s servers. Google announced in March 2014 that connections to Gmail would use HTTPS and that it would encrypt e-mails sent to other providers who can also support encryption, such as Yahoo. And finally, in 2013 and 2014, Apple implemented the most dramatic changes of all, announcing that the latest version of iOS, the operating system that runs on all iPhones and iPads, would include built-in end-to-end encrypted text and video messaging. Importantly, Apple also announced it would store the keys to decrypt this information only on users’ phones, not on Apple’s servers—making it far more difficult for a hacker, an insider at Apple, or even government officials with a court order to gain access.

Google, Microsoft, and Yahoo don’t provide such end-to-end encryption of communications data. But users can turn to a rising crop of free third-party apps, like ChatSecure and Signal, that support such encryption and open their source code for review. Relatively few users take the extra step to learn about and use these tools. Still, secure messaging apps may play a key role in making it easier to implement wider encryption across the Internet, says Stephen Farrell, a computer scientist at Trinity College Dublin and a leader of security efforts at the Internet Engineering Task Force, which develops fundamental Internet protocols. “Large messaging providers need to get experience with deployment of end-to-end secure messaging and then return to the standards process with that experience,” he says. “That is what will be needed to really address the Internet-scale messaging security problem.”

AT&T CEO won’t join Tim Cook in fight against encryption backdoors

AT&T CEO won’t join Tim Cook in fight against encryption backdoors

US politicians have been urging tech companies to weaken the security of smartphones and other products by inserting encryption backdoors that let the government access personal data.

Numerous tech companies—including Apple—have come out strongly against the idea, saying that encryption backdoors would expose the personal data of ordinary consumers, not just terrorists.

But tech company leaders aren’t all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn’t have any say in the debate.

“I don’t think it is Silicon Valley’s decision to make about whether encryption is the right thing to do,” Stephenson said in an interview with The Wall Street Journal. “I understand [Apple CEO] Tim Cook’s decision, but I don’t think it’s his decision to make.”

AT&T has been criticized repeatedly for its cooperation with the US National Security Agency, but Stephenson says his company has been singled out unfairly.

“‘It is silliness to say there’s some kind of conspiracy between the US government and AT&T,’ he said, adding that the company turns over information only when accompanied by a warrant or court order,” the Journal reported yesterday.

While presidential candidate Hillary Clinton called for a “Manhattan-like project” to help law enforcement break into encrypted communications, Cook argues that it’s impossible to make an encryption backdoor that can be used only by law enforcement. “The reality is if you put a backdoor in, that backdoor’s for everybody, for good guys and bad guys,” Cook said last month.

Security researchers recently discovered a backdoor password in Juniper firewall code. Researchers also found a deliberately concealed backdoor in dozens of products sold by a company that supplies audio-visual and building control equipment to the US Army, White House, and other security-conscious organizations.

FBI Director James Comey told lawmakers in October that the Obama administration won’t ask Congress for legislation requiring tech companies to install backdoors in their products, but he said the administration would continue lobbying companies to create backdoors even though they’re not required to.

Despite AT&T sitting out the debate, plenty of tech companies balk at the idea. A letter to President Obama protesting deliberate weakening of security last year was signed by Adobe, Apple, Cisco, CloudFlare, Dropbox, Evernote, Facebook, Google, Level 3, Microsoft, Mozilla, Rackspace, Symantec, Tumblr, Twitter, and others. AT&T did not sign the letter.

Cisco Security Report: Dwell time and encryption security struggles

Cisco Security Report: Dwell time and encryption security struggles

The 2016 Cisco Security Report highlighted the duality of cybersecurity and described a number of issues, including encryption security and dwell time as a constant struggle between threat actors looking for more effective and efficient attack techniques and security providers responding to those changes.

One of the statistics in the report that could have been spun as a net positive for Cisco was that since May, Cisco reduced the median time to detection (or dwell time) of known threats on its networks to 17 hours. However, Jason Brvenik, principal engineer for the Security Business Group at Cisco, noted that this metric was more representative of the “push and pull” between threat actors and security and should be used more as a way to see which side is improving at a given time.

“Our point in talking about time to detection is that it’s a durable metric that organizations can use, establish and measure to help them understand how well they’re doing and what their opportunity is to improve,” Brvenik said. “And, if you don’t start paying attention to time to detection, then the attacker basically has unfettered access until you get that.”

Fred Kost, senior vice president at HyTrust, said that although dwell time is an important security metric, it is reactive and not preventative.

“Time to detection will vary over time as the cat and mouse game plays out between attackers and defenders,” Kost said. “Part of the challenge for enterprises is the improving ability of attackers to remain covert once they have access to the network and servers, driving the need to have better segmentation and controls on what privileges users have, especially as virtualization and cloud makes access to a greater number of systems more likely.”

Brvenik said Cisco has had some success in bringing down dwell time, but that this measurement would ultimately vary.

“I fully expect that [threat actors] are going to recognize the lack of ROI or the reduction of ROI they’re getting and they’re going to come back and try something new,” Brvenik said. “As a defender, you have to be right 100% of the time and the attacker only has to be right once.”

Cisco found this was already true in the evolution of botnets and exploit kits (EK) like Angler. The Security Report showed that attackers using Angler had large scale campaigns with 90,000 targets per server per day, 10% of which were served exploits. Of those served exploits, 40% were compromised and 62% of those were served ransomware. Though only a small fraction paid the ransom (2.9%) and each instance was a few hundred dollars, that still added up to $34 million per ransomware campaign over the course of a year.

Craig Williams, senior technical leader and outreach manager at Cisco, said the advancements seen in how attackers use the Angler EK and botnets can be directly attributed to the security industry getting better at its job. Williams described how five or ten years ago, botnets were simple setups of one server connecting to another, so it was easy to block the host server to take down the botnet. But, attackers have found a way to use Angler to make this much more difficult to stop.

“The way that they set up the network to host these exploits is really intelligently architected around the fact that they want to have the ability to rotate servers as we take them down. You can kind of think of it like a Hydra,” Williams said. “When the customer gets redirected to the Angler exploit kit’s landing page, to them it looks like the front-end proxy server is all there is. But, the reality is that behind the scenes it’s actually being connected to another server hosting the exploit and yet a third server that’s actually continuously pinging it to make sure it’s online. The second it goes down from an abuse ticket or blocked by a good guy, it’ll actually rotate that server out and replace it with another server with a completely different IP address. So, effectively cutting the head off the Hydra, another head pops up in place and takes over. It’s a really unique design and I think it’s one that we’ve seen and will continue to see people evolve to just because it’s a little more efficient way to be a bad guy and that’s just the nature of the game in this day and age.”

Another subject that Cisco found to have both positive and negative consequences was encryption. The report stated that encryption can create security issues for organizations, including a false sense of security. Research found that encrypted traffic, especially HTTPS, crossed a tipping point in 2015 and now more than 50% of bytes transferred were encrypted over the year. But, Brvenik said this is something organizations need to plan for because it means “they’re rapidly losing visibility into some of the threats that can present there.”

Williams noted that while the push towards encryption is good from a privacy standpoint, it will also introduce “significant security issues.” Williams said the biggest misconceptions were that people tend to think if something is encrypted, it is safe, and that more encryption is always better.

“Think about what encryption was designed to be used for — only the sensitive pieces of data. That’s how encryption is intended to be used,” Williams said. “An advertisement from a website is not a sensitive piece of data and it shouldn’t be encrypted. If it is, then you’re effectively hiding any potential attacks from detection systems. So, even if your company has IPS or in-line antivirus, you’re not going to see potential attacks.”

Brvenik said the loss of visibility will have cascading impacts and organizations need to plan security strategies now.

“The impact of a lack of visibility in one layer will affect others. There are solutions that can move to the endpoint; there are solutions that can move to decapsulation; there are a lot of approaches there,” Brvenik said. “The point is — they need to start thinking about it now because they’re going to find themselves in a situation where it’s too late.”

Gur Shatz, co-founder and chief technology officer of Cato Networks, said enterprises need to be careful about how they plan security strategies because dealing with encrypted data can be resource-intensive.

“Encrypted traffic requires decryption before it can be analyzed. This is a CPU-intensive process, and could add latency,” Shatz said. “Ideally, you want to decrypt once, and do all the threat detection (multiple layers) on the decrypted traffic. When using point solutions, each one will need to decrypt the traffic separately, potentially slowing down traffic. On the flip side, some enterprises will want to choose and integrate best-of-breed point solutions, because they believe they can get better detection.”

Jeff Schilling, CSO for Armor, said the latency issue could force difficult decisions.

“More complex encryption algorithms are harder to decrypt for Layer 7 inspection, looking for common web OWASP top ten application attacks. This is driving the web industry to look to CDN application inspection architectures, which can inject latency, which many of our customers can’t tolerate,” Schilling said. “We have to ask ourselves, which problem has more risk? Threat actors decrypting data or launching application layer attacks? I think there is more risk in the latter.”

One attack vector that Cisco said was being overlooked was in malicious browser extensions. Cisco’s research found that more than 85% of organizations encounter malicious extensions in the browser, which can lead to leaked data, stolen account credentials, and even attackers installing malicious software on a victim’s computer.

Williams said this is especially dangerous because the browser is the largest attack surface in an organization. But, Williams also said that this should be a very easy problem to fix, because although internal Web apps may need a specific plugin or browser version, the tools exist to secure the enterprise environment.

“The reality is in this day and age there are so many different types of browsers out there and so many different ways to install those, that you can easily have a secured browser for the Internet and another browser you use because you have to have a specific plugin or a specific variant,” Williams said. “You can determine this from the network. There is no reason companies should allow insecure browsers to access the Internet anymore. We have the technology. We have solutions that can filter out vulnerable browsers and just prevent them from connecting out.”

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, said enterprises should have strong policies about what browser extensions can be installed by employees.

“Browser extensions often leak data about their presence, people’s web-surfing habits, and other system level information. Sometimes this can be fairly innocuous (for instance anonymized metadata about usage) and sometimes it can be incredibly dangerous, like full URL paths of internal sensitive devices,” Hansen said. “In general, people really shouldn’t be installing their own browser extensions – that should be for IT to vet and do for them to ensure they aren’t inadvertently installing something malicious.”

British voice encryption protocol has massive weakness, researcher says

A protocol designed and promoted by the British government for encrypting voice calls has a by-design weakness built into it that could allow for mass surveillance, according to a University College London researcher.

Steven Murdoch, who works in the university’s Information Security Research Group, analyzed a protocol developed by CESG, which is part of the spy agency GCHQ.

The MIKEY-SAKKE (Multimedia Internet KEYing-Sakai-KasaharaKey Encryption) protocol calls for a master decryption key to be held by a service provider, he wrote in an analysis published Tuesday.

Cryptography engineers seeking to build secure systems avoid this approach, known as key escrow, as it makes whatever entity holding the key a target for attack. It also makes the data of users more vulnerable to legal action, such as secret court orders.

The approach taken by the British government is not surprising given that it has frequently expressed its concerns over how encryption could inhibit law enforcement and impact terrorism-related investigations.

The technology industry and governments have been embroiled in a fierce ongoing debate over encryption, with tech giants saying building intentionally weak cryptography systems could provide attack vectors for nation-state adversaries and hackers.

Murdoch wrote CESG is well aware of the implications of its design. Interestingly, the phrase “key escrow” is never used in the protocol’s specification.

“This is presented as a feature rather than bug, with the motivating case in the GCHQ documentation being to allow companies to listen to their employees calls when investigating misconduct, such as in the financial industry,” he wrote.

The endorsement of the protocol has wide-ranging implications for technology vendors. Murdoch wrote that the British government will only certify voice encryption products that use it. The government’s recommendations also influence purchasing decisions throughout the industry.

“As a result, MIKEY-SAKKE has a monopoly over the vast majority of classified U.K. government voice communication, and so companies developing secure voice communication systems must implement it in order to gain access to this market,” he wrote.

GCHA has already begun certifying products under its Commercial Product Assurance (CPA) security evaluation program. Approved products must use MIKEY-SAKKE and also Secure Chorus, an open-source code library that ensure interoperability between different devices.

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

During last night’s democratic debate we were once again inundated with calls from politicians who sought compromise from Silicon Valley in its on-going battle with terrorism. Encryption was the point of contention.

The candidates echoed previous statements regarding the dangerous world we live in. The reason for danger, or so it goes, is the inability of law enforcement to pursue threats from terrorists, both domestic and international, who are increasingly reliant on encryption to communicate.

The sentiment is true, albeit misguided, but more on that in a moment.

Currently, the argument is painted as black and white, a “you’re either for us, or against us” exchange that leaves average Americans scratching their collective heads wondering why Silicon Valley isn’t stepping up the fight against terrorism by cooperating with government.

Arguments, even this one, are rarely binary.

In fact, from a security standpoint, the compromise the government seeks is impossible.

“Technically, there is no such backdoor that only the government can access,” says cyber security expert Swati Khandelwal of The Hacker News. “If surveillance tools can exploit ‘vulnerability by design,’ then an attacker who gained access to it would enjoy the same privilege.”

Microsoft MVP of developer security, Troy Hunt adds:

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

The encryption smear campaign

For all that encryption does for us, it has become a quagmire of political talking points and general misuderstanding by citizens and I’d argue, politicians.

“The truth is that encryption is a tool that is used for good, by all of us who use the internet everyday,” says famed computer security expert Graham Cluley.

“Encryption is a tool for freedom. Freedom to express yourself. Freedom to be private. Freedom to keep your personal data out of the hands of hackers.”

The term itself has become a bit of a paradox. Numbers paint a picture of citizens who think it’s important but have no real idea of how and where it protects them.

According to a Pew Research report, fewer than 40 percent of US citizens feel their data is safe online, yet only 10 percent of adults say they’ve used encrypted phone calls, text messages or email and 9 percent have tried to cover online footprints with a proxy, VPN or TOR.

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

These numbers demonstrate a fundamental misunderstanding of encryption and further detail its public perception.

It is, after all, only natural to attempt to protect yourself when you can foresee a threat, yet US citizens have a rather apathetic view of the very technology that could make them safer online.

According to the experts in the field that I spoke with, they all seem to agree that there are two reasons people aren’t taking more steps to remain secure.

  1. Barrier to entry: These technologies feature a lot of jargon and many aren’t all that user friendly. PGP for example, the email encryption technology used by Edward Snowden to communicate with Laura Poitras and Glenn Greenwald, involves relatively-foreign setup instructions for your average citizen.
  2. Negative connotation: Most Americans don’t realize they use encryption every day of their lives. Instead, they know encryption as the tool terrorists use to send private messages, recruit new members and spread propaganda online. This is largely due to the on-going encryption debate.

This debate, whether planned or incidental, is doubling as a smear campaign for the very suite of tools that keeps our online lives secure.

It wasn’t mentioned amongst our expert panel, but I believe there is a third reason that the general public isn’t taking action to better secure themselves online.

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

Silicon Valley isn’t backing down

So far, the term “debate” may be more of a misnomer. Silicon Valley isn’t debating anything. Furthermore, there may not be anything to debate in the first place.

You can’t “compromise” on weakened security; either it’s secure, or it isn’t.

This veritable Pandora’s Box the US Government wants to explore would lead to backdoor access into our personal lives not just for the government but for hackers and bad actors around the globe. And once you open it, there’s no going back.

“You can’t have secure encryption with a government backdoor. Those two things are mutually exclusive,” notes Cyber security thought leader at Script Rock, Jon Hendren. “‘Working with Silicon Valley’ is essentially code for ‘Giving us a backdoor into the accounts, data, and personal lives of users’ and should be totally unacceptable to anyone who even remotely values their privacy.”

There’s also the issue of trust. Even if these backdoors weren’t creating vulnerabilities for bad actors to attack, do we trust the government with our data in the first place?

Our expert panel says, no.

“Handing over such backdoor access to the government would also require an extraordinary degree of trust,” says Khandelwal, “but data breaches like OPM [Office of Personnel Management] proved that government agencies cannot be trusted to keep these backdoor keys safe from hackers.”

Hendren adds:

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

Compromise, in this case, is a rather contentious point of view. The compromise the government seeks isn’t a compromise at all; it’s a major loss of privacy and security as it relates to citizens around the globe.

Clulely shows us how this “compromise” might play out.

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

The third option is to keep things as they are, or further expound on the efforts to secure the internet.

There really is no middle ground in this debate.

Would providing a backdoor help to fight terrorism?

Since fighting terrorism is the narrative in which the government is using to attempt to stamp out encryption, you have to wonder if encryption is truly the thorn in its side that government officials claim it to be.

It’s well-known that ISIS is using encrypted chat apps, like Telegram, to plan attacks and communicate without detection, but would a backdoor have any effect on the surveillance or capture of extremists?

“A backdoor would also have a limited window of efficacy– bad guys would avoid it once that cat is out of the bag,” says Hendren. “This would have the effect of pushing bad actors further down into more subtle and unconventional ways of communication that counter-terrorists might not be aware of, or watching out for, lessening our visibility overall.”

Khandelwal agrees:

There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders

It’s naive to believe that an extremist group that recruits and grooms new members from the keyboard, not the battlefield, isn’t tech savvy enough to find a new means of communication as current ones become compromised.

The privacy debate isn’t going anywhere. Moreover, the ambient noise created by politicians spouting off about technologies they don’t understand should grow in volume as we near the primaries and then the general election.

What’s clear though, is that this isn’t a debate and that Silicon Valley has no means to compromise.

Without compromise, the government is left with but one recourse, policy. One can only hope that we have leaders and citizens who better understand the need for encryption before that day comes.

In this debate, no one is compromising — or compromised — but the end user.

What “El Chapo”, Sean Penn and BlackBerry teach us about encryption

Have you heard the one about the Mexican drug kingpin, the eccentric movie star and the Ugly Duckling smartphone that’s all of a sudden the talk of the tech town for all the wrong reasons?

No? Me neither, but recent reports about the role Sean Penn and BlackBerry phones allegedly played in the capture of two-time prison escapee and illegal-substance peddler extraordinaire Joaquin “El Chapo” Guzman have all the makings of a classic knee-slapper.

If you just came out of some sort of coma and have no idea about the connection between, Penn, El Chapo, BlackBerry and the hoosegow, you’ll first want to read Penn’s exclusive interview with the wily drug lord on RollingStone.com, in which the leathery actor describes communications between he and Guzman, and Guzman and actress Kate del Castillo, using “a web of BBM devices.” Next, check out this CNN.com story that details the most recent capture of El Chapo, and how it allegedly stemmed from intercepted BlackBerry messages sent between Guzman, his associates and del Castillo last fall.

BlackBerry texts vs. BBM messages vs. BBM Protected

Just yesterday, I received an odd tweet from some random weirdo on Twitter, and it got me thinking about BlackBerry’s role in this whole charade. (See below.)

What "El Chapo", Sean Penn and BlackBerry teach us about encryption

The majority of stories I found on the subject refer to the messages as “BlackBerry texts,” or something of the like. Based on Penn’s use of the term BBM (he never once writes “BlackBerry” in his many-thousand-word Rolling Stone diatribe, and likely has no idea what BBM stands for) we’ll assume they used BBM and not SMS texts sent via BlackBerry. (Why else would they think BlackBerry messages were more secure than texts?)

Señor Guzman must be a fairly intelligent man, right? I mean, could you escape prison twice and evade Mexican law enforcement for years, while continuing to “supply more heroin, methamphetamine, cocaine and marijuana than anybody else in the world.” (His words, not mine.) However, if he’s so smart, why not use the BBM Protected service, which routes messages through private BlackBerry Enterprise Service (BES) servers so they are truly 100-percent secure and cannot be obtained by law enforcement, according to BlackBerry, as long as recipients are also connected to the same BES. So El Chapo could have simply sent Mr. Spicoli Penn and his other associates secure BlackBerrys and not had to worry. (BBM Protected also encrypts BBM messages sent via the company’s iPhone and Android apps.)

While regular BBM messages are encrypted when they’re sent, BlackBerry uses a “global cryptographic key” that it can use to decrypt BBM messages when they pass through its relay station, according to EncryptedMobile.com. And those decrypted messages can be shared with law enforcement under the right circumstances.

The Mexican government presumably determined that Guzman and his associates were using BBM and served BlackBerry with a lawful access request that just about required the company to hand over those text records. BlackBerry wouldn’t provide a specific comment on the situation, and instead directed me to its Public Policy and Government Relations page, which details its lawful access policies.

From BlackBerry’s lawful access statement:

What "El Chapo", Sean Penn and BlackBerry teach us about encryption

Note to self: If I ever decide to leave the lucrative world of journalism to take control of a massive criminal syndicate, shell out the extra cash for BES, and make sure to enable BBM Protected.

Smartphone encryption yesterday and today

BlackBerry, a company that’s always been focused on enterprise security, has fought the good fight with various governments over its ability to provide encryption keys for years. BlackBerry went back and forth with the Indian government over encryption demands, for example. And in November, it pulled out of Pakistan after the country demanded access to its customers’ encrypted email and messages, though the government eventually backed down and BlackBerry returned to the market.

BlackBerry’s stance has always been that it cannot and will not provide encryption keys for BES customer data. But governments won’t take no for an answer, and today, other mobile platform providers including Apple and Google must also balance customer privacy needs with government encryption demands.

Just this week, New York State Assemblyman Matt Titone reintroduced a 2015 bill that attempts to require encryption “backdoors” in all smartphones sold in the state, according to TechDirt.com. The bill would reportedly make New York smartphone retailers stop selling devices that don’t have encryption backdoors, which would only hurt New York businesses and lead the state’s residents to simply buy their phones out of state or via black market resellers.

Titone’s bill won’t likely have legs, but it represents the latest (and definitely not the last) attempt by a U.S. lawmaker to circumvent the encryption protections mobile software companies purposefully build into products, which many organizations — legal and illegal — depend on to protect sensitive data.

Of course, unless he pulls off another great escape, it’s too late for encryption to help El Chapo.

Tim Cook pushes for strong encryption at White House summit

As expected, Apple CEO Tim Cook urged White House and government officials to come to terms with strong encryption practices that protect consumer data, at one point saying such intentions should be stated publicly.

Tim Cook pushes for strong encryption at White House summit

Cook’s plea came during a cybersecurity summit held in San Jose, Calif., last week, where government officials met with Silicon Valley tech executives to discuss how best to stymie threats posed by non-state actors like ISIS, reports The Guardian.

According to a follow-up report from The Intercept, Cook asked the White House to take a “no backdoors” stance on encryption. Law enforcement agencies, specifically the FBI, have clamored for so-called “weak encryption” policies that would allow access to protected data through supervised software backdoors.

In response, Attorney General Loretta Lynch said a balance must be struck between personal privacy and national security. The current administration is still grappling with the issue and has yet to reach a resolution that would not tip the scales.

FBI director James Comey was among those in attendance at last week’s summit. White House Chief of Staff Denis McDonough, counterterrorism adviser Lisa Monaco, Attorney General Loretta Lynch, National Intelligence Director James Clapper and National Security Agency Director Mike Rogers were also present.

Government officials say existing strong encryption techniques employed by Apple, Google and other tech firms make it easy for criminals and terrorists to communicate in relative safety. Cook maintains a hardline stance on the issue, saying that “any backdoor means a backdoor for bad guys as well as good guys.” Apple’s introduced a nearly impenetrable data encryption protocol with iOS 8, one that the company itself is unable to crack even with the proper warrants.

A document obtained by The Intercept notes summit talks included questions on whether tech companies would be willing to enact “high level principles” relating to terrorists’ use of encryption, or technologies that “could make it harder for terrorists to use the internet to mobilize, facilitate, and operationalize.” Also on the docket was the potential use of unencrypted data like metadata. Such far-reaching strategies would be difficult, if not impossible, to implement without actively policing customer data.

The summit was held less than three months after the controversial Cybersecurity Information Sharing Act cleared the U.S. Senate floor in October, legislation that would allow private companies to share customer data with government agencies, including the Department of Homeland Security and the NSA. While not labeled a surveillance bill, Apple and other powerful tech companies dispute its merit, saying CISA disregards user privacy.