The FBI asking Apple to Backdoor an iPhone is a Rubicon for Privacy

The US District Court of California has asked Apple to backdoor a locked iPhone for the FBI. This isn’t a request to unlock a single phone; it is a request for Apple to build a tool that lets the FBI circumvent the security on the iPhone… as in basically all iPhones, which will then set a precedent for all smartphones.

“Make no mistake: This is unprecedented, and the situation was deliberately engineered by the FBI and Department of Justice to force a showdown that could define limits of our civil rights for generations to come. This is an issue with far-reaching implications well beyond a single phone, a single case, or even Apple itself.”

In case this is your first time reading about why government mandated back doors are a universally bad idea, here is the quick list:

  1. A digital backdoor, much like a real back door, can be used by anyone, not just those authorized to access it. Back doors make excellent targets for criminals, spies, and other bad actors. These things get discovered, and then they get misused. If you are a criminal, and you are looking to steal data, knowing that there is a backdoor in a system lets you focus your cracking efforts.
  2. Encryption is only good when it’s secure. Insecure crypto is worse than useless because it creates a false sense of safety and control. This is why Digital Rights Management technologies never work. No matter how you slice it, a purpose-built entry point is a vulnerability. Once you introduce a back door, or a “Golden Key,” it invalidates the security (and value) of the entire system (see point 1). An insecure phone just isn’t worth as much as a secure one.
  3. The bad guys you are trying to catch are bad guys. They don’t give a single runny shit about government regulations. This means that the bad guys who use crypto will simply switch to new illegal tools that don’t have back doors. When the SOPA bill threatened to block DNS for sites accused of piracy, tools immediately began to surface that would defeat the blocks, before the bill was even voted on.
  4. In the case of criminals, government mandated back doors would create a market for secure tools. These tools wouldn’t be Made In America like the *iPhone. Back doors would devalue the iPhone (see point 3) and add value to technologies that aren’t made in the US. Meanwhile, Federal Law Enforcement still couldn’t access phones that belong to terrorists. All the damage done by this would be collateral because the only people affected by this mandate would be innocent bystanders.

There are *tons* of other reasons why back doors are bad, but those are the top 4. Cory Doctorow sums up the argument against back doors fairly succinctly in an article in The Guardian:

“That’s really the argument in a nutshell. Oh, we can talk about whether the danger is as grave as the law enforcement people say it is, point out that only a tiny number of criminal investigations run up against cryptography, and when they do, these investigations always find another way to proceed. We can talk about the fact that a ban in the US or UK wouldn’t stop the ‘bad guys’ from getting perfect crypto from one of the nations that would be able to profit (while US and UK business suffered) by selling these useful tools to all comers. But that’s missing the point: even if every crook was using crypto with perfect operational security, the proposal to back-door everything would still be madness.”

The Law Enforcement community declares war on crypto in one form or another once or twice a decade. Every time they do, we as digital citizens need to stand up and say “NO!” They will keep trying, and we have to keep fighting, every time. It really is that important.

*The iPhone isn’t made in America either, but Apple does employ Americans around the country. Russian mobsters or Romanian cyber-criminals presumably don’t employ many Americans.

The Paris attacks and the Intelligence Community’s Renewed Attack On Internet Crypto

There are a number of stories circulating about calls from the intelligence community to backdoor encrypted communications in the wake of the Paris terrorist attacks by ISIS. Some of these stories personally blame Edward Snowden for these attacks.

The desire for the powers that be to have access to all means of communications is not new. In fact, government surveillance of telecommunications without a warrant dates back to the telegraph.

Wanting to monitor enemy communications makes sense from a tactical standpoint. Knowing what your enemy is communicating gives you a tremendous advantage on the battlefield. The problem with monitoring everything is that it violates the rights to privacy of literally everyone. That means that in the war on terror, everyone’s 4th and 5th Amendment rights are collateral damage.

Signals Intelligence is important, make no mistake. It can also be a boondoggle. Like computer forensics, intelligence offers you a tremendous number of tools that you can employ to gather all manner of information, but if you are looking in the wrong place, you can allocate a lot of resources and end up with not much in terms of useful or actionable information. Case in point: the East German Stasi, which spied on so many of its own citizens and missed the warning signs that the Berlin Wall was going to come down.

One notable bit of info from these stories is that there could be some sort of ISIS help desk available 24×7 to assist with subverting American surveillance, which I think is pretty funny. It conjures to my mind the image of a young jihadist wearing a headset and being yelled at by a heavily armed cleric who is insisting that “I don’t need to turn it off and on again!” Finally there is a tech support job that must suck even more than working for doctors 🙂

The Culture of the Intelligence Community and the Chelsea Manning Debacle

This video is an interesting take on the Manning/Snowden leaks by Joshua Foust. Foust says that Manning’s actions jeopardized a number of diplomatic and military undertakings. It sounds very well reasoned.

Whenever the criticism of Chelsea Manning’s actions flows, the first question that I ask is “What operations were compromised?” followed up by “Tell me just one person, by name, who was put at risk.” I ask this because the leaked materials were 6 or more months old, and Wikileaks states that steps were taken to not endanger people.

I also ask what was compromised because most who criticize the leaks aren’t familiar enough with the materials to have an answer (certainly not me). I am also fairly confident that no one except for a few high-ranking members of the intelligence community can actually answer that question definitively, and those few are not authorized to answer. Such is the nature of state secrets. The logic of our government and military is that we should just take their word for it that they have to operate in secrecy and with impunity because it’s for our own good. This is the crux of the issue: with no sharing of information, how are we to verify these claims? This is also why a national dialog cannot be had on the subject. The Executive Branch is simply unable to level with the American people about the things that they do to keep us safe, and about the things that they keep us safe from.

We, the American people, are worried about our Constitutional rights to privacy, to free speech, our rights to due process under the rule of law, and in the case of Muslim Americans, our freedom of religion. The Executive Branch has been steadily overreaching and possibly abusing its power to surveil and detain, and thereby eroding our Constitutional rights under the guise of national security.

Having heard countless talks by federal types at places like Defcon, I have heard over and over again that our concerns are unfounded. The gist of most of it is that there are countless active threats, of a non-specific nature, that cannot be named. While I don’t think that the Executive Branch is lying to us so that it can hurt us, it would be very naive to say that there aren’t budgetary, political, and career management pressures on it to exaggerate the scale of the threats that we face. It is also naive to think that while the Executive Branch means well, there are those within it who would abuse these powers. This is why leaks and whistle blowing are so important, because the military, the intelligence community, and federal law enforcement agencies are bound by law to not discuss these matters.

My argument isn’t that there should be no such thing as national security. Of course there should be. My argument is also not that state secrets are by nature evil. Of course they aren’t. My argument is that there are laws in place to support the mandates for secrecy by the Executive Branch. These laws make a candid and honest discussion about what they are doing and why impossible. The act of facilitating this sort of discussion is, by design, against the law.

Just because the conversation is illegal, doesn’t mean that it’s not still the right thing to do. Obviously the laws that prevent the conversation have to change, but some of those laws, particularly those that govern surveillance, are actually state secrets as well. If the laws themselves are secret, how are We The People supposed to work to change them?

This is why leaked documents and whistle blowing are important. I call it the “Watchmen’s Dilemma.” In business, there is a phenomenon called the “Innovator’s Dilemma” where a new idea will make a current product or business model obsolete, and so established businesses and markets have to make a tough choice: do they endanger their established and profitable businesses with a new innovation, or do they keep doing what works for them, only to lose their share of the new market?

When it comes to national security, the culture of secrecy creates a similar dilemma. Should the Executive Branch (the watchmen) continue to keep the American people in the dark, thereby increasing the public’s mistrust? Or, does the Executive Branch level with the American People, and sacrifice some or possibly all of its advantage when it comes to protecting American interests? It’s a tough decision.

At one point in the video, Foust talks about how the NSA doesn’t have access to the content of our telephone calls, and then sort of glosses over the intelligence significance of mobile phone metadata. Foust is ex-military intelligence and has probably heard of traffic analysis. As a hacker and veteran who served with military intelligence my entire active duty career, I know a little about traffic analysis, but I am including a video of someone who knows significantly more about it than I do, particularly with regard to intelligence services and mobile phones. The video tells the story of how American operatives took a Muslim cleric captive, most likely as an extraordinary rendition. When you consider how much of the story can be told with just mobile phone metadata cross-referenced with a paper trail, it makes me want to get a tinfoil hat and become Amish.