Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic.

In a joint written submission to the U.K. Parliament the three U.S.-based companies lay down several areas of concern, which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.

The companies say they don’t want the U.K. to impose restrictions and apply them to foreign service providers such as themselves because, if other countries followed suit, it would lead to a morass of laws impossible to navigate. “Conflicts of laws create an increasingly chaotic legal environment for providers, restricting the free flow of information and leaving private companies to decide whose laws to violate,” the submission says.

They staunchly support encryption without backdoors. “The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” they write. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”

Despite what the U.K.’s Home Secretary Theresa May has said about not seeking encryption backdoors, they want it in writing. “We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”

The Parliament is considering bills that would give government agencies access to communications across service provider networks with proper legal authorization, which would affect Microsoft, Google and Facebook, all of which operate globally and face compliance with laws in many countries.

While the U.K. considers such laws, the Netherlands has rejected forcing providers to break encryption on demand. In the U.S., Congress has held hearings in which members said they will propose legislation requiring providers to hand over cleartext versions of encrypted traffic when presented with a judge’s order.

The three companies ask that, if the U.K. does create lawful access to encrypted communications, companies based outside the U.K. not be required to comply where doing so would violate laws they must follow in other countries.

They urge an international agreement on how the lawful-access laws of individual countries should be observed in other countries to remove ambiguities that might prevent them from complying with all of them.

The companies want to protect customer privacy by requiring notification of those whose communications are intercepted. “While it may be appropriate to withhold or delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation,” they say.

They also seek to protect data stored in the cloud the same way it is protected in private data centers. The government should go to a business if it is seeking a business’s data, just as it did before cloud services existed. “This is an area where the UK can lead the rest of the world, promoting cloud adoption, protecting law enforcement’s investigative needs, and resolving jurisdictional challenges without acting extraterritorially,” they say.

They note that the draft contains no requirement for agencies to tell providers about vulnerabilities they know of in the providers’ networks that could be exploited, and no requirement that authorized actions taken by agencies must not introduce new vulnerabilities.

Microsoft, Google and Facebook appear concerned that agencies granted legal access to their networks might alter them, and that such changes could have a negative effect on the services delivered over those networks. “The clearest example is the authority to engage in computer network exploitation, or equipment interference,” they say. “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider.”

The companies want protections for their executives located within the U.K. They want warrants, when they have to be served on communications companies, to be served to officers of the companies who are located at the companies’ headquarters, not to employees of the companies located in the U.K. “We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” they write. “We do not believe that the UK wants to legitimize this lawless and heavy-handed practice.”

They don’t want to be forced to create and retain data about customers that they don’t already in the normal course of business. “Some language under the retention part of the Bill suggests that a company could be required to generate data – and perhaps even reconfigure their networks or services to generate data – for the purposes of retention,” they write.

The companies think whatever judicial approvals are required to issue warrants to decrypt communications ought to apply to other U.K. orders issued to communications providers by the U.K.’s Defense Intelligence and other intelligence services. These other orders include national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants.

They want the law to define bulk collection of data narrowly, so that it does not cover all traffic on a given channel but is restricted to traffic matching specific selectors such as source and destination. The law should allow only necessary and proportionate amounts of data to be analyzed and retained, with the rest destroyed, they say.

Service providers should be allowed to hire attorneys and protest warrants without running the risk of violating disclosure laws or acknowledging that they actually are subject to the law, they write.

They take exception to a single word – urgent – not being defined in drafts of the law where it says requiring decryption of communications in urgent cases. “Clarity on this term – which other countries may seek to emulate and even abuse – is important,” they say.

Microsoft may have your encryption key; here’s how to take it back

As happens from time to time, somebody has spotted a feature in Windows 10 that isn’t actually new and has roundly denounced it as a great privacy violation.

The Intercept has written that if you have bought a Windows PC recently then Microsoft probably has your encryption key. This is a reference to Windows’ device encryption feature. We wrote about this feature when it was new, back when Microsoft introduced it in Windows 8.1 in 2013 (and before that, in Windows RT).

Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows, and includes options such as integration with Active Directory, support for encrypting removable media, and the use of passwords or USB keys to unlock the encrypted disk. Device encryption is more restricted. It only supports internal system drives, and it requires Secure Boot, a Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware. This is because device encryption is designed to be automatic: it uses the TPM to protect the key that decrypts the disk, releasing that key only when the measured boot state matches the one recorded at setup, and it uses Secure Boot to ensure that nothing has tampered with the boot path in order to extract the key.

The final constraint for Device encryption is that you must sign in to Windows with a Microsoft account or a Windows domain account to turn it on. This is because full disk encryption opens the door to all kinds of new data loss opportunities. If, for example, you have your system’s motherboard replaced due to a hardware problem, then you will lose access to the disk, because the decryption keys needed to read the disk are stored in the motherboard-mounted TPM. Some disk encryption users may feel that this is a price worth paying for security, but for an automatic feature such as device encryption, it’s an undesirable risk.

To combat that, device encryption stores a recovery key. For domain accounts, the recovery key is stored in Active Directory, but in the common consumer case, using a Microsoft account, it is instead stored in OneDrive. This recovery key can be used after, say, a motherboard replacement or when trying to recover data from a different Windows installation.

While device encryption is available in all versions of Windows 10, it has a particular significance in the Home version, where the full BitLocker isn’t available. Windows 10 Home also can’t use domain accounts. This means that if you enable device encryption (and on new systems that are set up to use Microsoft accounts, it may well be enabled by default) then the recovery key is necessarily stored on OneDrive.
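An added example, not from the article, of how to see which protectors guard the system volume and then replace the recovery password so that the copy Microsoft already holds no longer unlocks the disk. It assumes an elevated PowerShell prompt, a C: volume protected by BitLocker or device encryption, and the stock manage-bde.exe tool; the regular expressions that pick the protector IDs and the 48-digit password out of manage-bde’s text output are an assumption about that output format and are checked before anything is deleted.

```powershell
# Added example: inspect and rotate the recovery password on the OS volume.
# Assumes an elevated session and that the encrypted OS volume is C:.
$volume = "C:"

# 1. What is the encryption state, and which protectors can unlock the volume?
#    Look for "TPM" (automatic unlock) and "Numerical Password" (the recovery key).
manage-bde -status $volume
manage-bde -protectors -get $volume

# 2. Record the IDs of the existing recovery-password protectors.
$before = (manage-bde -protectors -get $volume -type RecoveryPassword | Out-String)
$oldIds = [regex]::Matches($before, 'ID:\s*(\{[0-9A-Fa-f-]+\})') |
          ForEach-Object { $_.Groups[1].Value }

# 3. Add a fresh recovery password first, so the volume is never left without one.
$added  = (manage-bde -protectors -add $volume -RecoveryPassword | Out-String)
$newId  = ([regex]::Match($added, 'ID:\s*(\{[0-9A-Fa-f-]+\})')).Groups[1].Value
$newKey = ([regex]::Match($added, '(\d{6}-){7}\d{6}')).Value   # 48-digit recovery password

if (-not $newId -or -not $newKey) {
    throw "Could not parse the new protector from manage-bde output; leaving old protectors in place."
}

# 4. The new key exists only here until you copy it somewhere that is not this disk.
Write-Host "New recovery password (store it offline before continuing): $newKey"

# 5. Remove every older recovery password; the copy on OneDrive now matches none of them.
foreach ($id in $oldIds) {
    if ($id -ne $newId) { manage-bde -protectors -delete $volume -id $id }
}

manage-bde -protectors -get $volume -type RecoveryPassword
```

Rotating the protector on the device does not delete the old key from the recovery-key page of your Microsoft account; remove it there as well, and check that page again afterwards to confirm no new copy has been uploaded. If the new password is not saved off the machine before the old protectors are deleted, a later motherboard swap or boot-measurement change leaves the disk unrecoverable, which is exactly the failure the OneDrive escrow was meant to prevent.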

Microsoft releases encryption tech for bioinformatics

Allows researchers to work on data securely.

Microsoft has released tools that allow bioinformatics researchers to work on genome data sets securely to protect privacy.

Genomic data is becoming available in increasing amounts as gene sequencing becomes easier, cheaper and faster, and is used for several new applications such as predicting the occurrence and survival of cardiovascular disease.

Hospitals, clinics, companies and other institutions are faced with handling large amounts of such data securely, to ensure the privacy of subjects, and this carries risks.

Storing the data in a cloud is one solution to handle large amounts of information, but this is subject to legal orders, data misuse, theft and insider attacks, a team of six Microsoft researchers said.

Homomorphic encryption can protect people’s sensitive genetic information and still allow researchers to work with the data.

The technique allows two operations, addition and multiplication, to be carried out on the scrambled material; together these are enough to express arbitrary computations, although practical schemes, including the one SEAL implements, bound how many multiplications can be chained before the accumulated noise in a ciphertext makes the result unrecoverable.

This means researchers are able to work on the data in encrypted form without having to decrypt it or have access to decryption keys.

Traditional encryption, in comparison, locks down data, making it impossible to use or compute on without decoding it first.

The Microsoft team of researchers have written a manual for how to use their homomorphic encryption solution, as a guide to using the technique for bioinformatics and genomic computations.

Along with the manual, Microsoft will also release the SEAL (simple encrypted arithmetic library) as a free download, to be used for experimentation and research purposes.

Argument over strong encryption reaches boiling point as Apple, Microsoft rebuff court orders for data access

A long-running debate concerning recent advances in consumer data encryption came to a head this summer when Apple rebuffed a Justice Department court order demanding access to iMessage transcripts, causing some in the law enforcement community to call for legal action against the company.

Over the summer Apple was asked to furnish real-time iMessage communications sent between two suspects in an investigation involving guns and drugs, reports The New York Times. The company said it was unable to provide such access as iMessage is protected by end-to-end encryption, a stance taken in similar cases that have over the past few months punctuated a strained relationship between the tech sector and U.S. law enforcement agencies.

Sources said a court action is not in the cards for Apple just yet, but another case involving Microsoft could set precedent for future cases involving strong encryption. Microsoft is due to argue its case in a New York appellate court on Wednesday after being taken to task for refusing to serve up emails belonging to a drug trafficking suspect. As the digital correspondence was housed in servers located in Dublin, Ireland, the company said it would relinquish the emails only after U.S. authorities obtained proper documentation from an Irish court.

Government agencies have posed hypothetical scenarios in which strong encryption systems, while good for the consumer, hinder or thwart time-sensitive criminal investigations. It appears those theories are being borne out in the real world.

Further confusing matters is a seemingly non-committed White House that has yet to decide on the topic either way. Apple and other tech companies are pressing hard to stop the Obama administration from agreeing to policy that would, in their eyes, degrade the effectiveness of existing data encryption technologies.

As for Apple, while some DOJ and FBI personnel are advocating to take the company to court, other officials argue that such an action would only serve to undermine the potential for compromise. Apple and other tech firms have privately voiced interest in finding a common ground, The Times reports. To that end, the publication notes Apple did indeed hand over a limited number of messages stored in iCloud pertaining to this summer’s investigation.

For its part, Apple is standing firm against government overtures calling for it to relinquish data stored on its servers. CEO Tim Cook outlined his thoughts on data privacy in an open letter to customers last year and came down hard on unlawful government snooping earlier this year.