Month: January 2016

Ubuntu Touch to Support Encryption of User Data

The Ubuntu Touch operating system is also going to provide support for encryption of user data, developers have revealed.

It wasn’t a secret that Ubuntu Touch will get encryption, but it’s also not listed as an upcoming feature. It’s buried in a wiki entry with plans for Ubuntu Touch, but it’s nice to see that it’s still being considered, even if it’s not going to arrive anytime soon.

Ubuntu Touch is a Linux distribution before being an operating system for mobile devices, which means that integrating encryption shouldn’t be a difficult thing to implement. The problem is encryption usually has an impact on the overall performance. Powerful PC can deal with each much easier, but a phone that has limited hardware won’t be too happy.

Ubuntu Touch is getting encryption

Encryption on phones is not something new. For example, Google was supposed to make it mandatory for Android 5.x, but that didn’t happen. It’s now present in Android 6 Marshmallow, but in a limited fashion, for the /Data folder and SDcard. The OS itself is not covered, and the reason is of course performance.

“We have high-level plans to support encryption of user data. It isn’t clear at this time if that will be based on LUKS, eCryptfs, or ext4/f2fs encryption. We’ll know more once we’re a bit closer to implementing the, feature but there is currently no set timeline,” developer Tyler Hicks explained on the official mailing list.

Pat McGowan, the Director of Tools and Applications at Canonical, explained that they are tracking this feature in Launchpad, but as of now it’s been pushed after the launch of Ubuntu 16.04 LTS that will happen in April.

It’s also worth noting that Tyler said “encryption of user data,” which probably means that the encryptions will also cover some sensitive parts of the phone and not the OS itself.

Tech big guns confront U.K. parliament on backdoors, encryption

A group of high tech corporate powerhouses has gathered together to protest a law proposed by the U.K. government that would allow an array of legal and intelligence agencies the ability to access computer data through backdoors and decryption.

Facebook, Google, Microsoft, Twitter and Yahoo submitted a letter, dated December 21, 2015, to the parliamentary committee charged with reviewing the Investigatory Powers Bill saying it would have a negative impact on both the nation’s citizenry and the corporation’s customers.

“We believe the best way for countries to promote the security and privacy interests of their citizens, while also respecting the sovereignty of other nations, is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent. These principles reflect the perspective of global companies that offer borderless technologies to billions of people around the globe. The actions the U.K. Government takes here could have far reaching implications – for our customers, for your own citizens, and for the future of the global technology industry,” the companies wrote.

The five companies belong to a larger group, the two-year-old Reform Government Surveillance (RGS) coalition that is fighting similar legislation in the United States. The RGS website lists Apple, AOL, Dropbox, Evernote and LinkedIn as members, but these names were not included in the U.K. letter.

The group spelled out its misgivings stating the implementation of such a policy could undermine consumer trust of their products, a fear that any legislation passed by the U.K. could be duplicated in another country and making it difficult for companies to understand what is legal and what is not.

“An increasingly chaotic international legal system will leave companies in the impossible position of deciding whose laws to violate and could fuel data localization efforts,” the companies said.

The letter also strongly rejected any use of backdoors, forced decryption or any other technological method allowing government agencies to enter their products.

“The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” the group wrote.

RGS itself in May 2105 wrote to the U.S. Senate encouraging it to pass the USA Freedom Act. However, it has not yet, as a group, confronted American legislators on the issues of encryption and backdoors.

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic.

In a joint written submission to the U.K. Parliament the three U.S.-based companies lay down several areas of concern, which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.

The companies say they don’t want the U.K. to impose restrictions and apply them to foreign service providers such as themselves because, if other countries followed suit, it would lead to a morass of laws impossible to navigate. “Conflicts of laws create an increasingly chaotic legal environment for providers, restricting the free flow of information and leaving private companies to decide whose laws to violate,” the submission says.

They staunchly support encryption without backdoors. “The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” they write. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”

Despite what the U.K.’s Home Secretary Theresa May has said about not seeking encryption backdoors, they want it in writing. “We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”

The Parliament is considering bills that would give government agencies access to communications across service provider networks with proper legal authorization, which would affect Microsoft, Google and Facebook, all of which operate globally and face compliance with laws in many countries.

As the U.K. is considering such laws, the Netherlands have rejected forcing providers to break encryption on demand. In the U.S., Congress has held hearings in which members say they will propose legislation to require providing cleartext versions of encrypted traffic when presented with a judge’s order.

The three companies ask that if the U.K. does create lawful access to encrypted communications, companies based outside the U.K. would not be required to comply if that would go against laws it has to follow in other countries.

They urge an international agreement on how the lawful-access laws of individual countries should be observed in other countries to remove ambiguities that might prevent them from complying with all of them.

The companies want to protect customer privacy by requiring notification of those whose communications are intercepted. “While it may be appropriate to withhold or delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation,” they say.

They also seek to protect data stored in the cloud the same way it is protected in private data centers. The government should go to a business if it is seeking a business’s data, just as it did before cloud services existed. “This is an area where the UK can lead the rest of the world, promoting cloud adoption, protecting law enforcement’s investigative needs, and resolving jurisdictional challenges without acting extraterritorially,” they say.

They note that the draft lacks requirements for agencies to tell the providers if they know of vulnerabilities in their networks that could be exploited, and that any authorized actions agencies take don’t introduce new vulnerabilities.

Microsoft, Google and Facebook seem concerned that agencies granted legal access to their networks might alter them lest that have a negative effect on the services they deliver over those networks. “The clearest example is the authority to engage in computer network exploitation, or equipment interference,” they say. “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider.”

The companies want protections for their executives located within the U.K. They want warrants, when they have to be served on communications companies, to be served to officers of the companies who are located at the companies’ headquarters, not to employees of the companies located in the U.K. “We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” they write. “We do not believe that the UK wants to legitimize this lawless and heavy-handed practice.”

They don’t want to be forced to create and retain data about customers that they don’t already in the normal course of business. “Some language under the retention part of the Bill suggests that a company could be required to generate data – and perhaps even reconfigure their networks or services to generate data – for the purposes of retention,” they write.

The companies think whatever judicial approvals are required to issue warrants to decrypt communications ought to apply to other U.K. orders issued to communications providers by the U.K.’s Defense Intelligence and other intelligence services. These other orders include national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants.

They want the law to narrowly define bulk collection of data so it doesn’t include all traffic on a given channel, but rather is restricted to traffic specified by specific indicators such as source and destination, for example. The law should allow only necessary and proportionate amounts of data be analyzed and retained, and the rest be destroyed, they say.

Service providers should be allowed to hire attorneys and protest warrants without running the risk of violating disclosure laws or acknowledging that they actually are subject to the law, they write.

They take exception to a single word – urgent – not being defined in drafts of the law where it says requiring decryption of communications in urgent cases. “Clarity on this term – which other countries may seek to emulate and even abuse – is important,” they say.

Netherlands opposes backdoors, but encryption still under assault

Netherlands opposes backdoors, but encryption still under assault

The Dutch government has officially declared its opposition to any restrictions on the development or use of encryption products, even as Dutch lawmakers are weighing legislation that could mandate backdoor government access to encrypted communications.

In a 4 January 2016 letter to the Dutch parliament, the head of the Ministry of Security and Justice, Ard van der Steur, explained the government’s reasons for endorsing strong encryption, which sound quite similar to those cited by technologists such as Apple’s Tim Cook, the most high-profile critic of backdoors.

According to a translation of the letter, provided by Dutch cybersecurity consultant Matthijs R. Koot, van der Steur points to the uses of encryption for protecting the privacy of citizens, securing confidential communications by government and businesses, and ensuring the security of internet commerce and banking against cybercrime.

Privacy of communications is also a protected right under the Dutch constitution, and a fundamental right protected by the European Convention on Human Rights and the Charter of Fundamental Rights of the EU, van der Steur’s letter says.

The minister acknowledges that criminals and terrorists may also use encryption, making it difficult if not impossible for law enforcement and intelligence services to monitor their communications in defense of national security and public safety.

But van der Steur also observes that encryption is widely available and requires “little technical knowledge, because encryption is often [an] integral part of the internet services that they too can use.”

But because today’s communications products and services use unbreakable encryption, demands that technology companies hand over decrypted data would essentially require weakening encryption to provide backdoors.

Van der Steur notes that any “technical doorways” [backdoors] in encryption would undermine the security of digital systems, making them “vulnerable to criminals, terrorists and foreign intelligence services.”

As fellow Naked Security writer Paul Ducklin put it in a recent article we published about the risks of deliberately weakening cryptographic systems:

[M]andatory cryptographic backdoors will leave all of us at increased risk of data compromise, possibly on a massive scale, by crooks and terrorists…

…whose illegal activities we will be able to eavesdrop and investigate only if they too comply with the law by using backdoored encryption software themselves.

Van der Steur agrees very strongly:

[Backdoors] would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.

In his conclusion, van der Steur states:

The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.

Therefore, the government believes that it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands.

A VICTORY IN THE CRYPTO WARS?

The debate over encryption backdoors goes back to the 1980s and 1990s, was revived in the past two years by law enforcement officials like FBI Director James Comey, and has intensified since the 13 November 2015 terrorist attacks in Paris.

While efforts to pass legislation in the US and UK mandating backdoors have so far been unsuccessful, some advocates fighting against backdoors are worried the Crypto Wars have gone global.

China recently passed an anti-terrorism law that compels technology companies to decrypt data upon request of the government; while in Pakistan, the government’s demand for backdoor access to BlackBerry customer data led the company to pull out of the country entirely.

Concerns over proposed surveillance legislation in the UK has led Apple to take unusually bold steps to oppose passage of the Investigatory Powers Bill.

Apple submitted a letter to the bill’s oversight committee saying language in the draft bill could force Apple to “weaken security for hundreds of millions of law-abiding customers,” in order to allow security services to eavesdrop on encrypted communications such as iMessage.

In the US, Republican Senator Richard Burr, chairman of the Senate Intelligence Committee, has indicated that he wants to propose legislation requiring companies to decrypt data at the government’s request.

Even in the Netherlands, the government’s recent pro-encryption stance is not a complete victory for opponents of backdoors.

As Koot noted on his blog, the pro-encryption policy isn’t guaranteed to remain policy in the future, and Dutch law already requires technology companies to decrypt data sought in targeted investigations.

Meanwhile, the Dutch parliament is considering updating a 2002 security and intelligence law to compel bulk decryption of communications, Koot reports.

The war over backdoors has yet to be lost or won, and it is far from over.

The Netherlands will not weaken encryption for security purposes

The Netherlands will not weaken encryption for security purposes

The Dutch government believes that confidence in secure communication and storage data is essential for the development of the Dutch economy.

The Netherlands will not follow the trend of weakening encryption for security purposes, according to a statement by the Dutch Minister of Security and Justice.

In contrast, with the United Kingdom where the Investigatory Powers Bill, will ban internet firms of holding client’s private communication information the Dutch government believes that strong encryption is key for the future growth of the Dutch economy.

Daily Dot website reported that Ard van der Steur, the Dutch minister of security and justice, wrote in a statement that the Dutch executive cabinet endorsed “the importance of strong encryption for Internet security to support the protection of privacy for citizens, companies, the government, and the entire Dutch economy”.

The statement continues saying: “Therefore, the government believes that it is currently not desirable to take legal measures against the development, availability and use of encryption within the Netherlands.”

Van der Steur added in the statement that “confidence in secure communication and storage data is essential for the future growth potential of the Dutch economy, which is mainly in the digital economy.”

The Dutch Minister also explained that weakening encryption will not lead to a safer world, as criminal organizations will have easier access to sensitive private information.

According to Daily Dot, the minister of security and justice described at length the virtues of encryption, from protecting laptops against theft to allowing the Dutch government itself to communicate online safely with its citizens about taxes and digital IDs. “Cryptography is key to security in the digital domain,” Van der Steur argued.