Democrats want to balance liberty and security in encryption debate

In 2012, the Democratic party platform document (released every four years at the Democratic National Convention) made barely a mention of internet privacy and how it affects US citizens. But that was before Edward Snowden’s revelations. This year, as the DNC kicks off in Philadelphia, the new Democratic Party platform addresses the privacy concerns brought to light in 2013. It also gets into the recent battle over encryption that was highlighted by the FBI trying to force Apple to decrypt an iPhone connected to a murder suspect.

As President Obama said at SXSW this past March, the Democrats will “reject the false choice between privacy interests and keeping Americans safe.” The party’s position is that we can have security while still letting citizens keep a degree of privacy, but we’re still not hearing too much on how it’ll do that. It’s not wildly different than the Republican take on the debate — the party’s platform says it does not want the government to become a “meddlesome monitor” in the tech industry, but it still leaves the door open for accessing encrypted information.

Obama said it’ll take a public discourse to get to a comfortable place on encryption, and the Democratic platform calls for a national dialog on the issue. “We will support a national commission on digital security and encryption to bring together technology and public safety communities to address the needs of law enforcement, protect the privacy of Americans, assess how innovation might point to new policy approaches, and advance our larger national security and global competitiveness interests,” the platform states.

While the platform is light on specifics in regards to the party’s approach to encryption, there are more details on how it’ll keep rolling back the widespread surveillance that came to light thanks to Snowden. The party says it’ll “stand firm against the type of warrantless surveillance of American citizens that flourished during the Bush Administration” and also that it supports “recent reforms to government bulk data collection programs so the government is not collecting and holding millions of files on innocent Americans.” Of course, plenty of these surveillance tactics went on long into Obama’s presidency, but the Democrats aren’t going to mention that here.

Just as in the 2012 platform document, cybersecurity gets a prominent mention. But there’s not a lot of meat in terms of what the party will actually do to make our digital world more secure. The party wants to strengthen cybersecurity, punish those who violate laws and work to build international norms in how we deal with cybersecurity.

That’s not wildly different than the language used in the 2012 platform, but the new document also mentions building on President Obama’s Cybersecurity National Action Plan, which includes the appointment of a federal Chief Information Security Officer. The plan was introduced in February and seems unlikely to pass before the end of Obama’s term, but if elected Hillary Clinton would seek to push it forward.

Some of the plan’s key tenets include modernizing government IT, hiring the aforementioned information security officer, making citizens more aware of the various ways they can protect their online identities (like two-factor authentication) and investing $19 billion for cybersecurity in the 2017 budget. That would mark a 35 percent increase over the 2016 budget allocation.

Both the 2012 and 2016 platforms make significant mention of the importance of high-speed internet, but the latest document contains a lot more buzzwords of the time: the dreaded Internet of Things and 5G. The platform states the intention to help widely deploy 5G wireless technology that “will not only bring faster internet connections to underserved areas, but will enable the Internet of Things and a host of transformative technologies.”

The party also intends to finish the work done by the Obama administration over the last eight years to “connect every household to high-speed broadband.” The 2012 document stated the goal of connecting 98 percent of US citizens to high-speed internet; now it seems the Democrats want to close the remaining gap as quickly as possible. These initiatives aren’t radically different from what the Republicans propose, but the Republican platform calls out the current administration for not doing enough to “advance our goal of universal broadband coverage.” That’s not an unreasonable shot: the US has often been criticized for lagging behind other countries in broadband penetration as well as overall speed.

Another place that the 2016 platform differs from the 2012 document is there’s now one lone mention of net neutrality, up from zero four years ago. It’s just one sentence, but at least it’s pretty unequivocal: “Democrats support a free and open internet at home and abroad, and will oppose any effort by Republicans to roll back the historic net neutrality rules that the Federal Communications Commission enacted last year.” Indeed, the Republican platform didn’t mention net neutrality once, not surprising considering the party strongly opposes the protections granted by the FCC under Obama’s watch. If net neutrality is important to you, it’s clear that with one simple sentence the Democrats come out ahead.

Source: 2016 Democratic party platform (PDF)

Engadget RSS Feed

Homeland Security’s big encryption report wasn’t fact-checked

If you watch Marvel’s Agents of S.H.I.E.L.D., Blacklist, or any other TV show with make-believe espionage, you probably hear the term “going dark” at least once a week.

In the real world, “going dark” has become FBI shorthand for when baddies can’t be spied on, or manage to vanish into thin internet, at the fault of encryption. And it’s at the heart of an oft-virulent tug-of-war between entities such as the FBI, Apple, civil liberties groups, conspiracy theorists, and lawmakers.

This past week, everyone’s been so focused on Hillary and Trump that few noticed that the Majority Staff of the House Homeland Security Committee finally released its encryption report — with some pretty big falsehoods in it. “Going Dark, Going Forward: A Primer on the Encryption Debate” is a guide for Congress and stakeholders that makes me wonder if we have a full-blown American hiring crisis for fact-checkers.

The report relied on more than “100 meetings with … experts from the technology industry, federal, state, and local law enforcement, privacy and civil liberties, computer science and cryptology, economics, law and academia, and the Intelligence Community.” And just a little bit of creative license.

The first line of the report is based on flat-out incorrect information.

“Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection — a phenomenon known as ‘going dark.’”

In the Paris attacks, they didn’t use encrypted apps, iPhones or encryption in general; the attackers used burner phones. Worse, the terrorists were known to French authorities before the tragedy. As you may recall, after the devastating attacks, US officials rushed to the press insisting that messaging apps using end-to-end encryption be “backdoored” for surveillance access — until the facts emerged, and they were called out for using scare tactics. All of which the “Going Dark” report seems to utterly ignore.

So clearly the problem here isn’t “going dark,” but rather a different kind of failure.

The same goes for San Bernardino. Encrypted communications or apps were not used by attacker Syed Farook; access to his work iPhone was what law enforcement screwed up, by fumbling around with an iCloud password reset and locking up the phone themselves. Then authorities made up crazy fantasies to other authorities and the press, suggesting there was a “dormant cyber pathogen” on the phone and later retracting the false statement with an admission of guilt.

Clearly, the problems here aren’t about encrypted communications, or “going dark.” Rather, they are about law enforcement who themselves are in the dark about preventing and investigating digital crime scenes.

The same wee problems crop up when the guide attempts to explain how encryption has failed to protect healthcare data. We’re told that “since 2009, the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule has encouraged healthcare providers to secure their data through encryption by requiring those that suffer a data breach to notify their clients within 60 days.”

And this is true: It is encouraged. Just like it’s “encouraged” that people wear a helmet on their bike, but they technically don’t have to. Still, the “Going Dark” guide goes on, saying that, “despite this move, the American health system has fallen victim to a number of high-profile data breaches.”

Except there was no American healthcare “move” to encryption, even though there damn well should be. The HIPAA rule only suggests that healthcare institutions and providers use encryption — it is not required. The big-ass breaches this “ultimate guide to going dark” refers to have been happening at places that did not encrypt systems and files. Remember the Anthem hack? The records of 80 million people were snatched, and that data wasn’t encrypted. Many said that the disaster could have been mitigated had the data been encrypted. And in February, when the Hollywood Presbyterian Medical Center was famously held hostage by ransomware, its files were encrypted by the ransomware, not before.

Maybe what the report meant to say was that if everyone “went dark” with their data, our personal, private, and very sensitive records would be safe from attackers.

The 25-page guide put in a good effort. But thanks to its inaccuracies, I doubt it will do much to unite what have become diametrically opposed camps on the messy knot of encryption, security and public trust.

Right now the FBI, lawmakers and everyone with a horse in the encryption race seem to be wielding the term like a threat, in negative fantasies where all the terrorists (and only the terrorists) are using encrypted communications to hide, or “go dark.”

One side says it’s about preventing terrorism, another says it’s about privacy, and ultimately it’s about a security protocol that doesn’t have a “halfway” setting.

Like I’ve said before, regarding encryption in computer security: You either have it completely or you don’t. On some things, the room for passive-aggressive political maneuvers is effectively zero.

Worryingly, it’s hard to tell what lawmakers actually understand about the issue, especially when they seem to think everything around the issue is an equally black-or-white matter. On one hand, a bill called the ENCRYPT Act of 2016 (Rep. Ted Lieu, D-CA), in February, firmly proposed that no authorities should be able to prohibit the use of encryption or force it to be cracked.

The exact opposite was proposed in April, brought to us by the camp that basically thinks encryption is tech’s version of giving the middle finger to law enforcement. The Feinstein-Burr Compliance with Court Orders Act of 2016 would compel encryption to be crackable on demand, user privacy and security be damned.

For a work of historical fiction, the guide is fairly entertaining. But if these writers want to keep working, next time they should workshop the ending a bit before sending it off to the printer. Spoiler: It’s a cliffhanger.

At the end, we find out that the commission recommends … another commission.

“House Homeland Security Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA) have proposed the formation of a National Commission on Security and Technology Challenges (hereinafter, ‘Digital Security Commission’) to bring these experts together to engage one another directly and, over the course of a year, develop policy and legislative recommendations to present to Congress.”

At least we have a guide to just how lost in the thicket of encryption and “going dark” our lawmakers really are.

US wiretap operations encountering encryption fell in 2015

The US government has been very vocal recently about how the increase in encryption on user devices is hampering their investigations. The reality is that according to a report from the Administrative Office of U.S. Courts, law enforcement with court-ordered wiretaps encountered fewer encrypted devices in 2015 than in 2014.

In regards to encrypted devices, the report states: “The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to seven in 2015. In all of these wiretaps, officials were unable to decipher the plain text of the messages. Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.”

This is out of 2,745 state and 1,403 federal wiretaps, a grand total of 4,148, an increase of 17 percent over 2014. So while surveillance increased, the number of times law enforcement encountered encryption decreased.

Earlier this year the Department of Justice and FBI were locked in a court battle with Apple over an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. The government eventually dropped the case after finding a third party to help it bypass the phone’s security.

But it started a national debate about personal devices and encryption. Tech companies want their customers to be secure, while law enforcement wants backdoors or keys to encrypted devices for investigations. But it looks like when it comes to wiretaps, encryption isn’t as big a problem as many would suspect.

Via: The Intercept

Source: Administrative Office of US Courts
