Scotland Yard Accuses Man of Terrorism; One Count for Using HTTPS on His Blog →

October 10, 2016 · 18:25

Metropolitan Police:

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 Samata Ullah, with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.

I can understand the other charges, but how is using HTTPS a criminal offence?

Rick Falkvinge has a few interesting comments on the subject:

(…) four years ago, I predicted that the UK won’t just jail you for encryption, but for carrying astronomical noise, too. It’s already a crime to not give up keys to an encrypted document in the UK (effectively making encryption illegal), but it’s worse than that – it’s a five-years-in-prison offense to not give up the keys to something that appears encrypted to law enforcement, but may not actually be. In other words, carrying astronomical noise is a jailable offense, because it is indistinguishable from something encrypted, unless you can pull the documents the police claim are hidden in the radio noise from a magic hat. This case takes the UK significantly closer to such a reality, with charging a person for terrorism (!) merely for following privacy best practices.


NSA Contractor Arrested in Possible New Theft of Secrets →

October 6, 2016 · 10:49

Jo Becker, Adam Goldman, Michael S. Schmidt and Matt Apuzzo:

The F.B.I. secretly arrested a National Security Agency contractor in recent weeks and is investigating whether he stole and disclosed highly classified computer code developed to hack into the networks of foreign governments, according to several senior law enforcement and intelligence officials.

The theft raises the embarrassing prospect that for the second time in three years, an insider has managed to steal highly damaging secret information from the N.S.A. In 2013, Edward J. Snowden, who was also a contractor for the agency, took a vast trove of documents that were later passed to journalists, exposing N.S.A. surveillance programs in the United States and abroad.

What if Harold T. Martin III had also stolen the ‘golden keys’ to backdoors of various tech companies’ infrastructures? How long would it take for anyone and everyone in the world to get a peek into the lives of people using those services?


‘I Think We Can Work Our Way Through This’ →

October 6, 2016 · 10:46

Andrea Peterson for The Washington Post reporting on Stamos’ (Yahoo’s Chief Information Security Officer) and Rogers’ (director of the National Security Agency) debate:

“If we’re going to build defects/backdoors or golden master keys for the U.S. government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government?” Stamos asked.

“So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response,” Rogers replied.

“Well, do you believe we should build backdoors for other countries?” Stamos asked again.

“My position is — hey look, I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this,” Rogers answered.

“So you do believe then, that we should build those for other countries if they pass laws?” Stamos asked a third time.

“I think we can work our way through this,” Rogers replied.

“I’m sure the Chinese and Russians are going to have the same opinion,” Stamos said.

I truly wonder what Rogers would think if he wasn’t the director of the NSA. Would he agree to all the snooping, reduced security, and compromised privacy, if he were just a civilian?


Yahoo Secretly Scanned Customer Emails for U.S. Intelligence →

October 6, 2016 · 10:40

Joseph Menn:

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

While Apple, Google, and others want to fight these types of government demands, Yahoo rolls over and helps them out. Completely unacceptable.


How iMessage Distributes Security to Block “Phantom Devices” →

April 22, 2016 · 12:39

Securosis:

Overall it’s a solid balance of convenience and security. Especially when you consider there are a billion Apple devices out there. iMessage doesn’t eliminate the need for true zero-knowledge messaging systems, but it is extremely secure, especially when you consider that it’s basically a transparent replacement for text messaging.

This is a good read if you’re interested in the security of iMessage. It’s basically very secure, but I’m sure Apple will continue improving their standards.


New Bill Would Require Companies to Decrypt Data on Demand →

April 10, 2016 · 13:00

Russell Brandom:

If the bill becomes law, Apple and other companies will have a much harder time resisting similar legal demands. Essentially any hard encryption — that is, encryption that cannot be broken by the company providing it — would be in violation of the proposed measures, presenting a massive problem for a broad range of tech companies.

I did not expect to see a bill this quickly. Quite frankly, I expected people to be intelligent and not even try to pass this sort of garbage.

My bad.


WhatsApp Just Switched on Encryption →

April 6, 2016 · 21:24

Cade Metz:

This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices.

I can’t help but wonder if/when encryption will be illegal in the United States, UK, and France — these three countries seem to be the ones who want it gone most. It should of course never come to that. And I truly hope it doesn’t.

Also: Wired’s title is completely baffling. We should never forget about the Apple vs. FBI kerfuffle.


Apple’s Statement on Closing of the San Bernardino Case →

March 29, 2016 · 07:20

Rene Ritchie posted Apple’s statement on iMore:

From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.

Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.

This case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.

Though this particular case is over, the war goes on, and I’m certain this issue will appear in the news sooner or later.


Apple’s San Bernardino Fight Is Over as FBI Gains Access to iPhone →

March 29, 2016 · 05:52

Russell Brandom:

After months of work, the FBI finally has a way into the San Bernardino iPhone. In a court filing today, prosecutors told the court the new method for breaking into the phone is sound, and Apple’s assistance is no longer required. “The government has now successfully accessed the data stored on Farook’s iPhone,” the filing reads, “and therefore no longer requires assistance from Apple.” The filing provides no further details on the nature of the new method. Still, the result effectively finishes the court fight that has consumed Apple since February.

Question is: will they now go after Congress to ban encryption, or try to weaken it by law?


Apple to Hand iCloud Encryption Keys to Users →

March 18, 2016 · 19:12

Wayne Rash:

According to a number of press reports, Apple is in the process of revamping its iCloud storage service to increase security by divesting itself of the task of keeping users’ encryption keys.

Currently Apple keeps the keys to access iCloud accounts, which means, among other things, that Apple can provide information to authorities when presented with a warrant. The company provided such information from the iCloud account of Sayed Farook, the terrorist who killed 14 county employees late last year in San Bernardino, Calif. Apparently that’s now about to change. If the reports are correct, Apple is planning to offload the storage of encryption keys so that users control their keys, and they’re accessible only through a password.

This way, even Apple cannot gain access to your encrypted data, no matter how much it may want to and no matter how many government subpoenas it receives. It can’t honor court orders to provide the data because the company has no way to decrypt it.

This is to be expected. I’d like to think that Apple would have gone down this route without the current FBI fiasco taking place, but perhaps the latest events have just accelerated their plans.


Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist →

March 18, 2016 · 19:07

John Markoff, Katie Benner & Brian X. Chen:

Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees.

Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives.

I can’t help but wonder how far this will go.


Facebook, Google and WhatsApp Plan to Increase Encryption of User Data →

March 14, 2016 · 20:38

Danny Yadron:

Silicon Valley’s leading companies – including Facebook, Google and Snapchat – are working on their own increased privacy technology as Apple fights the US government over encryption, the Guardian has learned.

The projects could antagonize authorities just as much as Apple’s more secure iPhones, which are currently at the center of the San Bernardino shooting investigation. They also indicate the industry may be willing to back up their public support for Apple with concrete action.

Within weeks, Facebook’s messaging service WhatsApp plans to expand its secure messaging service so that voice calls are also encrypted, in addition to its existing privacy features. The service has some one billion monthly users. Facebook is also considering beefing up security of its own Messenger tool.

Snapchat, the popular ephemeral messaging service, is also working on a secure messaging system and Google is exploring extra uses for the technology behind a long-in-the-works encrypted email project.

At this point in time I would like to see more action from the other tech companies — this is obviously a delicate situation, but too much is at stake.


The Sequel to the Crypto Wars →

March 14, 2016 · 20:13

Steven Levy:

As with the first round of the crypto wars, the stakes could not be higher. Once again, the government is seeking to control that genie first released by Diffie and Hellman. But the physics of computer security have not changed. Last July, a panel of fifteen eminent security specialists and cryptographers — many of whom are veterans of the first crypto war — released a report confirming there was no way for the government to demand a means of bypassing encryption without a dire compromise of security. It just doesn’t work.

There is no middle ground.


Barack Obama: ‘Smartphones Can’t Be Allowed to Be Black Boxes’ →

March 13, 2016 · 10:38

Justin Sink:

President Barack Obama said Friday that smartphones — like the iPhone the FBI is trying to force Apple Inc. to help it hack — can’t be allowed to be “black boxes,” inaccessible to the government. The technology industry, he said, should work with the government instead of leaving the issue to Congress.

“You cannot take an absolutist view on this,” Obama said at the South by Southwest festival in Austin, Texas. “If your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it’s fetishizing our phones above every other value.”

I’m disappointed in Obama. I also don’t think he knows exactly what he’s talking about.


WhatsApp Encryption Targeted by DOJ →

March 13, 2016 · 10:35

Matt Apuzzo:

But in late 2014, the company said that it would begin adding sophisticated encoding, known as end-to-end encryption, to its systems. Only the intended recipients would be able to read the messages.

“WhatsApp cannot provide information we do not have,” the company said this month when Brazilian police arrested a Facebook executive after the company failed to turn over information about a customer who was the subject of a drug trafficking investigation.

The iPhone case, which revolves around whether Apple can be forced to help the F.B.I. unlock a phone used by one of the killers in last year’s San Bernardino, Calif., massacre, has received worldwide attention for the precedent it might set. But to many in law enforcement, disputes like the one with WhatsApp are of far greater concern.

For more than a half-century, the Justice Department has relied on wiretaps as a fundamental crime-fighting tool. To some in law enforcement, if companies like WhatsApp, Signal and Telegram can design unbreakable encryption, then the future of wiretapping is in doubt.


Panic Privacy →

March 2, 2016 · 20:58

Panic:

We strongly believe you have the right to privacy when using our apps.

Our privacy policy is simple: your data is none of our business. To the extent that our apps can provide their functionality without doing so, we always prefer to avoid collecting any data from you. In the cases where we do collect data, we give you the ability to opt out whenever possible.

So, here’s some detail about what our apps do, and why.

I hate reading legal drivel. More companies and developers should imitate Panic’s approach.


Apple and Google Pressured for Encrypted Data Access →

November 19, 2015 · 12:39

Tiffany Kary and Chris Dolmetsch for Bloomberg:

“The line to protect the public should not be drawn by two companies who make smartphones,” Vance said Wednesday at a cybersecurity conference in New York where he unveiled a 42-page white paper on the issue. His plan would require companies to download data for investigators with a warrant, rather than providing the government with a “backdoor.”

I’m extremely proud of the companies who draw the aforementioned line in the sand. It will be a sad day when Apple, Google, and others stop caring for their customers’ privacy—I truly hope it never comes to this.

Also, these requests seem especially absurd since the terrorists involved in the Paris attacks were using unencrypted methods of communication.