No room for compromise in Apple vs FBI iPhone encryption battle

As Apple’s legal battle with the FBI over encryption heads toward a showdown, there appears little hope for a compromise that would placate both sides and avert a divisive court decision.

The FBI is pressing Apple to develop a system that would allow the law enforcement agency to break into a locked iPhone used by one of the San Bernardino attackers, a demand the tech company claims would make all its devices vulnerable.

In an effort to break the deadlock, some US lawmakers are pushing for a panel of experts to study the issue of access to encrypted devices for law enforcement in order to find common ground.

Senator Mark Warner and Representative Mike McCaul on Monday proposed the creation of a 16-member “National Commission on Security and Technology Challenges.”

But digital rights activists warn that the issue provides little middle ground — that once law enforcement gains a “back door,” there would be no way to close it.

“We are concerned that the commission may focus on short-sighted solutions involving mandated or compelled back doors,” said Joseph Hall, chief technologist at the Center for Democracy & Technology.

“Make no mistake, there can be no compromise on back doors. Strong encryption makes anyone who has a cell phone or who uses the Internet far more secure.”

Kevin Bankston of the New America Foundation’s Open Technology Institute expressed similar concerns.

“We’ve already had a wide range of blue ribbon expert panels consider the issue,” he said.

“And all have concluded either that surveillance back doors are a dangerously bad idea, that law enforcement’s concerns about ‘going dark’ are overblown, or both.”

The debate had been simmering for years before the Apple-FBI row.

Last year, a panel led by Massachusetts Institute of Technology scientists warned against “special access” for law enforcement, saying they pose “grave security risks” and “imperil innovation.”

Opening up all data

“I’m not sure there is much room for compromise from a technical perspective,” said Stephen Wicker, a Cornell University professor of computer engineering who specializes in mobile computing security.

Opening the door to the FBI effectively makes any data on any mobile device available to the government, he said.

“This is data that was not available anywhere 10 years ago, it’s a function of the smartphone,” Wicker said.

“We as a country have to ask if we want to say that anything outside our personal human memory should be available to the federal government.”

Apple has indicated it is ready for a “conversation” with law enforcement on the matter.

But FBI Director James Comey told a congressional panel that some answers are needed because “there are times when law enforcement saves our lives, rescues our children.”

Asked about the rights envisioned by the framers of the US constitution, he said, “I also doubt that they imagined there would be any place in American life where law enforcement, with lawful authority, could not go.”

A brief filed on behalf of law enforcement associations argued that because of Apple’s new encryption, criminals “have now switched to the new iPhones as the device of choice for their criminal wrongdoing.”

Ed Black, president of the Computer & Communications Industry Association, which includes major technology firms but not Apple, said that although tech firms and law enforcement have had many battles, “there are many areas where we cooperate and where we find middle ground.”

But Black said the tech sector is largely united in this case because the FBI wants Apple to create weaker software or introduce “malware” to be able to crack the locked iPhone.

“On this narrow specific issue of ‘can companies be compelled to create malware,’ I think there may not be an answer,” he said.

‘Going dark’ fears

Law enforcement fears about “going dark” in the face of new technology have been largely exaggerated, Black said.

While access to encrypted apps and smartphones is difficult and traditional wiretaps don’t work on new technology, “there are a lot of other tools for law enforcement,” he said.

“There is more information available in 2016 than in any year since the founding of the country.”

Although law enforcement has growing expectations about using technology to thwart criminals, that type of power is too broad, Black added.

“If they are seeking a level of total surveillance capability, I don’t see a compromise available,” he said.

Wicker said that to give law enforcement access, Congress could in theory mandate that devices use automatic cloud backups that could not be disabled. But that would constitute a dramatic departure from current views about privacy.

“From an individual rights standpoint,” he said, “that would take away control by the user of their personal information.”

Amazon Dropping Fire Encryption Has Nothing to Do With Apple

Today, several reports pointed out that Amazon’s Fire OS 5 does not support device encryption, drawing a connection between the company’s encryption retreat and the current Apple-FBI iPhone unlocking fracas. But Amazon’s decision to remove Fire OS 5’s onboard encryption is not a new development, and it’s not related to the iPhone fight. The real question at hand is why Amazon decided to roll back encryption protection for consumers all on its own.

Introduced last fall, Amazon’s Fire OS 5 featured a refreshing redesign that added several usability features. But Fire OS 5 also took away device encryption support, while still maintaining security features for communication between devices and Amazon’s cloud.

“In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using,” Amazon spokesperson Robin Handaly told WIRED. “All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security, including appropriate use of encryption.”

We’ve reached out again for clarification as to what “appropriate use” of encryption entails in Amazon’s view.

To be clear, removing encryption protections of any kind from Fire tablets should be seen as a step back for consumers, and for security as a whole.

“Amazon’s decision is backward—it not only moves away from default device encryption, where other manufacturers are headed, but removes all choice by the end user to decide to encrypt it after purchase,” says Nathan White, Senior Legislative Manager at digital rights organization Access Now. “The devices themselves also become more attractive targets for thieves. Users should no longer trust these devices: If you wouldn’t post it to the internet publicly, don’t put it on a Fire Tablet.”

Further, Amazon’s insistence that it maintains a secure connection with the cloud doesn’t ease concerns over the data on the device itself that’s now vulnerable.

“Data encryption at rest and data encryption in motion are two completely different things,” says White. “They shouldn’t conflate two important issues by saying ‘we encrypt in motion, so data at rest doesn’t matter.’”

Even without the cloud connection, a device stores all sorts of personal information, from email credentials to credit card numbers to sensitive business information, if you happen to be an enterprise user. In fact, the lack of encryption means corporate customers aren’t able to use certain email clients on Fire tablets any longer.

Amazon’s move is a bad one. But it’s not a retreat in the face of Apple-FBI pressures. For better or worse (mostly worse), it’s been this way for months. As Handaly noted, Fire OS 5 came out last fall, on a suite of new Amazon devices. Amazon message board users have been commenting on, and complaining about, the absence of encryption since at least early January.

So why the sudden focus? Likely because of this tweet:

People are talking about the lack of encryption today because the OS update is only now hitting older devices, like the fourth-generation Fire HD and Fire HDX 8.9. Despite how neatly the sudden forfeiture of encryption by a tech giant fits the Apple-FBI narrative, this encryption deprecation isn’t related to that battle. Instead, Amazon appears to have given up onboard encryption without any public fight at all.

“This move does not help users. It does not help corporate image. And it does not fit into industry trends,” says Amie Stepanovich, US Policy Manager at Access Now.

U.S. Defense Secretary Ashton Carter Doesn’t Believe in Encryption Backdoors

Secretary of Defense Ashton Carter came out against supporting encryption back-doors at a conference panel on Wednesday.

At the RSA information security conference in San Francisco, Carter told a packed room that he supported strong encryption and thought back-door access to encrypted communication was unrealistic. Discussing the Apple vs. FBI case, whose details he shied away from because it is a “law enforcement issue,” Carter received scattered applause from the crowd of security professionals after he said he supports strong encryption.

“I think first of all that for the Department of Defense, data security including encryption is absolutely essential to us. We are for strong encryption,” Carter says. “I’m not a believer in backdoors or a single technical approach. I don’t think it’s realistic.”

Carter joined Attorney General Loretta Lynch in supporting encryption at the RSA Conference this week. In a stage interview with Bloomberg at the Moscone Center on Tuesday, Lynch called for “a middle ground” between national security and privacy.

In the 50-odd minute talk with Ted Schlein, general partner for the influential venture capital firm Kleiner, Perkins, Caufield & Byers, Carter focused his talk on how to bridge the gap between the Pentagon and Silicon Valley.

Carter, who was appointed to the secretary position last February by President Barack Obama, spoke about two initiatives in particular: the Defense Innovation Unit-Experimental (DIUx) and the Defense Innovation Advisory Board. Both serve to make the department more agile and tech-savvy in the age of cyberwarfare with competitors like Russia and China, Carter says.

“DIUX is a place to connect. It is down the road [from Silicon Valley]. I’ve given it a very open charter,” Carter says. “We need to be very hawkish on the idea of reform.”

Earlier on Wednesday, the Defense Department announced that former Google CEO Eric Schmidt will chair the Defense Innovation Advisory Board. “There is going to be some technical minds who come in and giving me advice to be more innovative,” Carter says. “I am so grateful to Eric Schmidt for his willingness to do this. He’s the perfect chairman for this.”

He also announced a new competition called “Hack the Pentagon” where ethical, or white hat, hackers find vulnerabilities in the Pentagon’s systems and boost the overall cybersecurity of the department. “You would rather find the vulnerabilities in your networks that way than the other way of pilfering information,” Carter says. Hackers must be American citizens, Carter added.

While the Pentagon is bolstering its defenses in protecting its own data, it is also aggressively attacking ISIS, Carter says. Similar to the radio-jamming tactics during the Cold War, the Pentagon has been disrupting the terrorist group’s online channels of communications. “We will and must defeat ISIL. I’m looking for all the ways to accelerate that,” Carter says. “We are using cyber to disrupt communication and doubt the reliability of the comm. Now that enemies use cyber, that’s another way to shut them down.”