Yet Another FBI Proposal for Insecure Communications

Deputy Attorney General Rosenstein has given talks where he proposes that tech companies decrease their communications and device security for the benefit of the FBI. In a recent talk, his idea is that tech companies just save a copy of the plaintext: Law enforcement can also partner with private industry to address a problem we call "Going Dark." Technology increasingly…

Deputy Attorney General Rosenstein has given talks where he proposes that tech companies decrease their communications and device security for the benefit of the FBI. In a recent talk, his idea is that tech companies just save a copy of the plaintext:

Law enforcement can also partner with private industry to address a problem we call "Going Dark." Technology increasingly frustrates traditional law enforcement efforts to collect evidence needed to protect public safety and solve crime. For example, many instant-messaging services now encrypt messages by default. The prevent the police from reading those messages, even if an impartial judge approves their interception.

The problem is especially critical because electronic evidence is necessary for both the investigation of a cyber incident and the prosecution of the perpetrator. If we cannot access data even with lawful process, we are unable to do our job. Our ability to secure systems and prosecute criminals depends on our ability to gather evidence.

I encourage you to carefully consider your company's interests and how you can work cooperatively with us. Although encryption can help secure your data, it may also prevent law enforcement agencies from protecting your data.

Encryption serves a valuable purpose. It is a foundational element of data security and essential to safeguarding data against cyber-attacks. It is critical to the growth and flourishing of the digital economy, and we support it. I support strong and responsible encryption.

I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so.

Responsible encryption is effective secure encryption, coupled with access capabilities. We know encryption can include safeguards. For example, there are systems that include central management of security keys and operating system updates; scanning of content, like your e-mails, for advertising purposes; simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop. No one calls any of those functions a "backdoor." In fact, those very capabilities are marketed and sought out.

I do not believe that the government should mandate a specific means of ensuring access. The government does not need to micromanage the engineering.

The question is whether to require a particular goal: When a court issues a search warrant or wiretap order to collect evidence of crime, the company should be able to help. The government does not need to hold the key.

Rosenstein is right that many services like Gmail naturally keep plaintext in the cloud. This is something we pointed out in our 2016 paper: "Don't Panic." But forcing companies to build an alternate means to access the plaintext that the user can't control is an enormous vulnerability.

from https://www.schneier.com/blog/

Community Leader-Bring Back The Cops!

Police Officers Observations Will cops return to proactive policing? Is community support really there? Can trust be rebuilt? Why aren’t communities taking responsibility for their own safety? Stop asking cops to do the impossible. Author  Leonard Adam Sipes, Jr. Thirty-five years of speaking for national and state criminal justice agencies. Interviewed multiple times by every […]

Police Officers Observations Will cops return to proactive policing? Is community support really there? Can trust be rebuilt? Why aren’t communities taking responsibility for their own safety? Stop asking cops to do the impossible. Author  Leonard Adam Sipes, Jr. Thirty-five years of speaking for national and state criminal justice agencies. Interviewed multiple times by every […]

from https://www.crimeinamerica.net

Police Officer Deaths Decrease-Why?

Summary Are there fewer deaths of police officers due to cops being less aggressive? Officer deaths dropped to its lowest level in four years. Author Leonard Adam Sipes, Jr. Thirty-five years of speaking for national and state criminal justice agencies. Interviewed multiple times by every national news outlet. Former Senior Specialist for Crime Prevention for […]

Summary Are there fewer deaths of police officers due to cops being less aggressive? Officer deaths dropped to its lowest level in four years. Author Leonard Adam Sipes, Jr. Thirty-five years of speaking for national and state criminal justice agencies. Interviewed multiple times by every national news outlet. Former Senior Specialist for Crime Prevention for […]

from https://www.crimeinamerica.net

Technology and Law Enforcement-New DOJ Report

Observations Technology has not had a game-changing impact on policing in terms of dramatically altering the philosophies and strategies used for preventing crime, responding to crime, or improving public safety. The bottom line of technology? It’s very labor intensive for it to be effective. Author  Leonard Adam Sipes, Jr. Thirty-five years of speaking for national […]

Observations Technology has not had a game-changing impact on policing in terms of dramatically altering the philosophies and strategies used for preventing crime, responding to crime, or improving public safety. The bottom line of technology? It’s very labor intensive for it to be effective. Author  Leonard Adam Sipes, Jr. Thirty-five years of speaking for national […]

from https://www.crimeinamerica.net

Are Cops Holding Back? National Arrests Decrease for Most Categories

Observations Many of us from the former director of the FBI to data from Pew to research institutions to national law enforcement organizations suggest that the increase in violent crime in 2015 and 2016 is linked to cops holding back; they are not being proactive due to harsh publicity. There is a considerable decrease in national arrests […]

Observations Many of us from the former director of the FBI to data from Pew to research institutions to national law enforcement organizations suggest that the increase in violent crime in 2015 and 2016 is linked to cops holding back; they are not being proactive due to harsh publicity. There is a considerable decrease in national arrests […]

from https://www.crimeinamerica.net

Warrant Protections against Police Searches of Our Data

The cell phones we carry with us constantly are the most perfect surveillance device ever invented, and our laws haven’t caught up to that reality. That might change soon. This week, the Supreme Court will hear a case with profound implications on your security and privacy in the coming years. The Fourth Amendment’s prohibition of unlawful search and seizure is…

The cell phones we carry with us constantly are the most perfect surveillance device ever invented, and our laws haven't caught up to that reality. That might change soon.

This week, the Supreme Court will hear a case with profound implications on your security and privacy in the coming years. The Fourth Amendment's prohibition of unlawful search and seizure is a vital right that protects us all from police overreach, and the way the courts interpret it is increasingly nonsensical in our computerized and networked world. The Supreme Court can either update current law to reflect the world, or it can further solidify an unnecessary and dangerous police power.

The case centers on cell phone location data and whether the police need a warrant to get it, or if they can use a simple subpoena, which is easier to obtain. Current Fourth Amendment doctrine holds that you lose all privacy protections over any data you willingly share with a third party. Your cellular provider, under this interpretation, is a third party with whom you've willingly shared your movements, 24 hours a day, going back months -- even though you don't really have any choice about whether to share with them. So police can request records of where you've been from cell carriers without any judicial oversight. The case before the court, Carpenter v. United States, could change that.

Traditionally, information that was most precious to us was physically close to us. It was on our bodies, in our homes and offices, in our cars. Because of that, the courts gave that information extra protections. Information that we stored far away from us, or gave to other people, afforded fewer protections. Police searches have been governed by the "third-party doctrine," which explicitly says that information we share with others is not considered private.

The Internet has turned that thinking upside-down. Our cell phones know who we talk to and, if we're talking via text or e-mail, what we say. They track our location constantly, so they know where we live and work. Because they're the first and last thing we check every day, they know when we go to sleep and when we wake up. Because everyone has one, they know whom we sleep with. And because of how those phones work, all that information is naturally shared with third parties.

More generally, all our data is literally stored on computers belonging to other people. It's our e-mail, text messages, photos, Google docs, and more ­ all in the cloud. We store it there not because it's unimportant, but precisely because it is important. And as the Internet of Things computerizes the rest our lives, even more data will be collected by other people: data from our health trackers and medical devices, data from our home sensors and appliances, data from Internet-connected "listeners" like Alexa, Siri, and your voice-activated television.

All this data will be collected and saved by third parties, sometimes for years. The result is a detailed dossier of your activities more complete than any private investigator --­ or police officer --­ could possibly collect by following you around.

The issue here is not whether the police should be allowed to use that data to help solve crimes. Of course they should. The issue is whether that information should be protected by the warrant process that requires the police to have probable cause to investigate you and get approval by a court.

Warrants are a security mechanism. They prevent the police from abusing their authority to investigate someone they have no reason to suspect of a crime. They prevent the police from going on "fishing expeditions." They protect our rights and liberties, even as we willingly give up our privacy to the legitimate needs of law enforcement.

The third-party doctrine never made a lot of sense. Just because I share an intimate secret with my spouse, friend, or doctor doesn't mean that I no longer consider it private. It makes even less sense in today's hyper-connected world. It's long past time the Supreme Court recognized that a months'-long history of my movements is private, and my e-mails and other personal data deserve the same protections, whether they're on my laptop or on Google's servers.

This essay previously appeared in the Washington Post.

Details on the case. Two opinion pieces.

I signed on to two amicus briefs on the case.

EDITED TO ADD (12/1): Good commentary on the Supreme Court oral arguments.

from https://www.schneier.com/blog/

Dislike Cops? No Justice No Peace

Observation Is it time to consider that our approach to law enforcement has been dysfunctional to the point where cops have lost faith in the system? The bottom line is that many officers are stating that if there is no justice, there will be no peace. They will not risk their lives for an unappreciative […]

Observation Is it time to consider that our approach to law enforcement has been dysfunctional to the point where cops have lost faith in the system? The bottom line is that many officers are stating that if there is no justice, there will be no peace. They will not risk their lives for an unappreciative […]

from https://www.crimeinamerica.net

Police Strategies Reduce Crime-New Study

Observations The focus of this study is proactive policing (self-initiated efforts to reduce crime) versus traditional tactics such as responding to calls and routine patrol. The data indicate that most proactive police efforts reduce crime in the short run. Author  Leonard Adam Sipes, Jr. Thirty-five years of speaking for national and state criminal justice agencies. […]

Observations The focus of this study is proactive policing (self-initiated efforts to reduce crime) versus traditional tactics such as responding to calls and routine patrol. The data indicate that most proactive police efforts reduce crime in the short run. Author  Leonard Adam Sipes, Jr. Thirty-five years of speaking for national and state criminal justice agencies. […]

from https://www.crimeinamerica.net

Texas Shooter: Number of Accurate Criminal Records Is Staggeringly Low

Observations “According to the Department of Justice, the number of these records that are actually uploaded is staggeringly low…” ”Even the FBI acknowledges that its NCIC database is limited, noting that it contains only about 50 to 55 percent of all available criminal records…” Devin Kelley’s violent past went undocumented. He’s not the only one. […]

Observations “According to the Department of Justice, the number of these records that are actually uploaded is staggeringly low…” ”Even the FBI acknowledges that its NCIC database is limited, noting that it contains only about 50 to 55 percent of all available criminal records…” Devin Kelley’s violent past went undocumented. He’s not the only one. […]

from https://www.crimeinamerica.net

Daphne Caruana Galizia’s Murder and the Security of WhatsApp

Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb. Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app, and find out who those sources were. One journalist reports: Part of…

Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb.

Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app, and find out who those sources were.

One journalist reports:

Part of Daphne's destroyed smart phone was elevated from the scene.

Investigators say that Caruana Galizia had not taken her laptop with her on that particular trip. If she had done so, the forensic experts would have found evidence on the ground.

Her mobile phone is also being examined, as can be seen from her WhatsApp profile, which has registered activity since the murder. But it is understood that the data is safe.

Sources close to the newsroom said that as part of the investigation her sim card has been cloned. This is done with the help of mobile service providers in similar cases. Asked if her WhatsApp messages or any other messages that were stored in her phone will be retrieved, the source said that since the messaging application is encrypted, the messages cannot be seen. Therefore it is unlikely that any data can be retrieved.

I am less optimistic than that reporter. The FBI is providing "specific assistance." The article doesn't explain that, but I would not be surprised if they were helping crack the phone.

It will be interesting to see if WhatsApp's security survives this. My guess is that it depends on how much of the phone was recovered from the bombed car.

EDITED TO ADD (11/7): The court-appointed IT expert on the case has a criminal record in the UK for theft and forgery.

from https://www.schneier.com/blog/