The FBI and Department of Justice on Wednesday targeted a new set of threats to national security and law enforcement: not ISIS, or pedophiles, but Apple and Google.
Those companies and others that provide or will soon provide end-to-end encryption make it impossible to read intercepted digital messages — and without naming names, FBI Director James Comey and Deputy Attorney General Sally Quillian Yates said that they will “work with” those companies to ensure access to their customers’ communications.
In a Senate Judiciary hearing Wednesday morning, Yates and Comey said companies that “do not retain access” to consumers’ information can complicate authorized criminal and national security investigations.
Google and Apple, in response to demands from consumers who request higher levels of privacy and security, have been slowly rolling out stronger end-to-end encryption on their devices and services such as Gmail and iPhones.
When messages are encrypted end-to-end, only the sender and the recipient have access to those messages, which are decrypted by means of specific “keys.” Without those keys, the messages look like “gobbledygook,” as Comey put it during the hearing.
“We want to work with the communications providers to find a way with them to get access to the information we need … while protecting privacy,” Yates said. “We want to have each provider think about and work out a way where they will find a way to respond to these requests.”
What Yates really meant was that she wants companies to stop providing end-to-end encryption, or find ways to circumvent it. Comey and Yates insisted that there must be some new technology that Silicon Valley could develop that would give them the access they want without risking strong encryption. But privacy and cryptology experts have insisted for years that this would be impossible without compromising overall security and opening holes for criminals to exploit.
Yates and Comey both insisted that they would prefer not to force compliance through a legislative mandate. “The approach of the administration,” Yates said, “is not to have a one size fits all legislative solution at this point.” However, she noted that a mandate “may ultimately be necessary” to force companies to comply. Several senators, including Sen. Thom Tillis, R-N.C., agreed.
“Maybe no one will be creative enough” to solve the problem, Comey said, “unless you force them to.”
Sen. John Cornyn, R-Texas, wondered aloud whether companies that “intentionally design a product in a way that prevents you from complying with a lawful court order” are the equivalent of a citizen who refuses to answer questions in court, and is subsequently held in contempt.
Despite the FBI and DOJ’s insistence that end-to-end encryption is a danger, Yates refused to provide data on the number of cases in which encryption has posed an insurmountable barrier. She told the committee that she sees the problem “every day,” but does not keep track of cases in which encryption has stopped the department from monitoring communications. Her explanation was that the DOJ, when presented with instances of encryption, no longer even tries to secure a wiretap order. “Being able to give you hard numbers on the number of cases that have been impacted is impossible,” she told Sen. Al Franken, D-Minn., who looked unconvinced.
A Federal Courts report on wiretapping in 2014, released last week, disclosed that federal and state law enforcement personnel at all levels encountered only four cases all year in which wiretaps were thwarted because of encryption.
And, as Comey himself reminded the committee, without going into any detail, the FBI and DOJ have other methods of tracking and monitoring criminals and their communications.
Franken pointed to the recent Office of Personnel Management breaches as evidence that government itself couldn’t be trusted to safeguard its own data, and as reason for companies to continue seeking improvement in encryption. “With each new story about a cyberattack,” he noted, “we learn that we should have strong encryption.”
But as they made clear, law enforcement officials are instead ramping up efforts to target the companies who are leading the effort toward safer and more secure communication.
(This post is from our blog: Unofficial Sources.)
Photo: FBI Director James Comey and Deputy Attorney General Sally Quillian Yates testify before the Senate Judiciary Committee about encryption on July 8, 2015. (Carolyn Kaster, AP)
Change Apple’s headquarters country. Not that big of a deal.
Steve
Sent from my iPhone
Sen. John Cornyn, R-Texas, wondered aloud whether companies that “intentionally design a product in a way that prevents you from complying with a lawful court order” are the equivalent of a citizen who refuses to answer questions in court, and is subsequently held in contempt.
A silly comment considering it comes from a former Texas judge and AG who was, and probably remains in, the well-moneyed pockets of the corrupt financial services industry. Bureaucrat lawyers like Cornyn and Comey have proven themselves incompetent in securing “secret” information entrusted to their governmental organs, allowing it, through incompetence or malice, to be used by private corporate interests for private financial gain, and simultaneously evading citizens’ FOIA right to know. An open-records policy at the Federal Blackhole of Information (FBI) would do more to serve the general welfare and interest in combating terrorists (as the FBI failed to do prior to 9-11-2001) and combating public corruption (https://www.scribd.com/doc/221876320/FBI-FOIA-Request-Judge-Barbara-M-G-Lynn) by the same judges the FBI’s secrecy policies shield from impeachment and prosecution, apparently as quid pro quo for the judges’ honest services frauds in granting court orders they know violate unconstitutional blanket surveillance of the phone records of honest citizens. The “national security” bureaucracies’ old line that “you have nothing to fear from its mass-surveillance of your affairs, if you are doing nothing wrong” cuts both ways: The FBI has nothing to fear from opening its records to the public marketplace of investigative capabilities, if it has been doing a competent job of preventing terrorism and public corruption by judges with which FBI lawyers are bedded.
Use TOR encryption...
Tor isn’t encryption. But you (hopefully) knew that.
I do now.
Two computers can directly communicate with each other securely if they know their mutual IP addresses, which they can share through non-secured emails or phone calls. They can then open up ports for each other and connect just long enough to exchange encrypted messages, after which they can disconnect from the network. That way no email company gets involved. I have tested it and it works.
No.
It would work if you could do it without an ISP. Perhaps you avoid having your email sitting on a server, but then you’ve already encrypted it, so who cares?
Basically you need to avoid the Internet entirely, because that’s where NSA lives (like a troll under a bridge).
Correct me if I’m wrong, Useful. (Do you go by “Useful” or “Idiots”?)
Something like a high-tech brushpass with a portable throwaway short-range wifi device hidden somewhere that only acts as a local network, but I wouldn’t put much faith in that (certainly not for more than one or two goes). That so-called “Russian Spy Ring” in NY a few years back used a somewhat similar method involving device to device transfer.
The problem with all of this is, of course, having to intrinsically trust (a) in the person who you’re exchanging comms with and (b) in the tech you’re both on. Once someone knows what to look for, it doesn’t hide you, it makes you stick out more.
Again it’s a threat model thing. A lot of people are just fine ssh’ing into machines (preferably with keys and passphrases, with the port only open at a list of predetermined (non-static) times, and on non-standard (i.e., not port 22) ports — the cron can be done away with if need be — and using the local mail facility on the box. But again, you’re still trusting the machine. And if those machines are on the net, *especially* if they’re running other software or are just a VPS — then you’re basically just taking a gamble — that the box isn’t owned, that the datacenter isn’t owned, that your friend isn’t owned — that your friend can be trusted to not screw up, that you can trust either of you not to make mistakes… And let’s not forget connection audit trails (both on the box, and over the wire) if someone cares enough to try to trace that back. That’s not to say they will. They usually won’t. Not unless you’re a pretty big ‘enemy’.
All that said, if no one really knows they’re supposed to be interested in your communications, then the more strange stuff you do, the more attention you can wind up drawing to yourself. This isn’t really opsec, and it’s even less opsec once it’s public. At some point all opsec too easily can make you look more suspicious, not less.
If you’re sharing the IP information through unsecured mail, then you’re sort of defeating the point, anyway.
Not exhaustive, not very organised, just some thoughts.
(I don’t really go by either, so anything is fine. I’ve no attachment to this username at all. UI’s easiest to type, probably)
Right, and when the government not only quits its secrecy thing, but says that government secrecy is wrong for democracy and the citizens… will I even think about the stupidity and ignorance of this request! ‘BIG BROTHER’ is actually asking for permission to destroy what little privacy I have left? This is a ‘THREAT’ about the kind of ‘law breaking’ the government thinks it can do to go after criminals and terrorists! They are saying that the government ‘THEY’ represent is above the laws of the land that previous administrations/governments had to comply with or be criminal in their execution of duty! This is ‘prima facie’ evidence of TYRANNY! Just because it is a certain group of idiots up there, they must OBEY our laws instead of changing them to make themselves kings! I am ready to do one hell of a lot more than protest!
http://arstechnica.com/security/2015/07/massive-leak-reveals-hacking-teams-most-private-moments-in-messy-detail/
“Security researchers have also scoured leaked Hacking Team source code for suspicious behavior. Among the findings, the embedding of references to CHILD PORN CODE related to the Galileo.”
https://cdn.arstechnica.net/wp-content/uploads/2015/07/hacking-team-code.png
The Intercept pls do piece on CIA / FBI COINTELPRO domestic surveillance and “no-touch torture” program.
I didn’t find the word ‘warrant’ once in this article in context of Comey’s discussion; which is concerning.
I had to explain this mess to a friend of mine today who is not technical. I summed it up like this: the 3-letter agencies want to put a holistic ban on encryption, which would be like asking the fashion world to put a ban on undergarments. To make a grosser comparison, it would be like the NSA asking all of us to run around buck naked or just let them keep their perverse universal X-ray goggles.
Now, just sit there and think of what a world without underpants looks like to a guy like Mike Rogers!
There’s no legislative mandate for an America without underwear and we don’t owe them anything without a warrant.
They have to get a search warrant.
I work for a software company that sells encryption software. The federal government and most financial institutions never buy encryption software because they have decided they would rather ask for forgiveness and blame the hacker than protect our data. When is enough, enough? They are just as responsible as the hacker since they are not encrypting our data. If a company is hacked, it is their fault for not providing adequate security and encrypting the data so even if stolen, the data is not useable. When are we going to start holding the companies with little or no security responsible?
“when presented with instances of encryption, no longer even tries to secure a wiretap order.”
How do they know that encryption is in use without a wiretap order? Occam suggests that they use illegal wiretaps first and only get the order after the fact.
Comey, mind your own business and STFU. Stop being a serial cyber stalker, you no good commie lovin traitor.
Spying on dissenters is the primary reason the FBI wants backdoor access. It is not for the rare terrorism attacks or the sometimes drug deals. The largest number of people covering a large geographical area will be citizens protesting the corporate-government of America and fighting to restore democracy. That is the most serious threat to the plutocracy.
The FBI is intimately tied to the corporatists through numerous arrangements such as DSAC, eGuardian, Fusion Centers, Infragard, and probably others.
PlutoC’s comment gives the real reason that the FBI wants a backdoor. J. Edgar would be proud.
InFAGard = FBI
Basically these evil bastards are invading our privacy, undermining the Constitution and creating this nightmarish surveillance state to stop people from getting intoxicated. It’s sickening.
The FBI and DOJ have other ways of monitoring,
like Italian software.
Fucking bureaucratic instigator.
So I just happened to turn to CNN as I was opening this article. The first thing I see is coverage of the Wall Street/airline outages. They go straight from “the DHS says there’s no evidence this was a hack” to some FBI stenographer disguised as a reporter whining about not only encryption but throwing ISIS into it. Wow. “Even though the DHS ‘says’ [he really put some stink on that one] this wasn’t a hack, the FBI still say use of encryption by ISIS is a threat.”
Wow.
I’m pretty sure ISIS uses their own encryption software, rather than relying on Google. Anyway, Comey is living in a fantasy world where the US is the only legal authority that can order the release of escrow keys. That worked so well in the cell phone world, why not apply the same joke security to your bank account or SCADA network.
I wrote this 17 years ago and it’s as relevant now as it was then:
“Mary had a crypto key, she kept it in escrow,
and everything that Mary said, the Feds were sure to know.”
Back doors, escrow, short keys, deliberately weak encryption all sound great to the NSA and FBI, I’m sure… It’s a shame they don’t spend more time trying to secure systems rather than decrease the security of everyone else… And it’s only a matter of time before federal systems are directly impacted by the weak crypto they are pushing on industry.
Can we just level with each other? What these agencies want is highly inappropriate in civil society. They don’t need it. Their demands for this suggest a certain depravity.
Strong Encryption + Back Door = No Security
Simple as that, you cannot have your cake and eat it too.
‘Strong encryption’ — ‘strong’ cannot coexist with ‘backdoor’. I’d maybe strike ‘strong’, then the arithmetic holds better.
IMO, you should’ve linked/discussed the paper several security/crypto experts have written about ‘exceptional access’ to law enforcement agencies:
http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf
Good interview on Democracy Now! with one of the authors of this paper, Bruce Schneier.
If the FBI or DOJ wants the information, they need to get a warrant, otherwise they should be given the one FINGER salute and told to sit on it and rotate ! ! !
Get a warrant for what, exactly? End-to-end encryption means that the service provider itself has no access to the message information and cannot give it to the government. This is exactly the way it should be. Let law enforcement do its job and then get warrants for the criminal’s digital devices once it has a crime to investigate and has identified suspects.
Agree, no general warrants, back doors, or access to keys.
They are trying to eliminate due process. The FBI & the DOJ are not the courts & are trying to overstep their authority!
Nah, they’re just offering to not violate 5th Amendment rights to not incriminate oneself by making self-incrimination via disclosing passphrases unnecessary.
It’s a public service.
Public Service my ass, it’s a classic power grab designed to reduce our civil liberties.
Clearly I went a bit too subtle with my sarcasm vis-a-vis making it handy to bypass 5th Amendment rights. A winkie after ‘public service’ may have been needed.
I’m providing “Rationalisations” to ‘get around’ that pesky 5th Amendment. It goes down easier for most people than just removing it from the Bill of Rights. Anyway, it’s not like any of those protect anybody but (and barely nominally) Americans. But America wants to bypass EVERYBODY’S encryption.
And well he should. Legislation should be considered only when there is an identified and justified need, as well as a strong presumption that the SC would find it constitutional. If they do not want to make a case, then they do not have one, and are presumed to be acting in an unethical manner.
Why in the world did Comey just tell the world that we really CAN’T break the encryption that ISIS is using?
Why did the NSA say they would not share information on pending terrorist attacks with Germany, if Germany continued to investigate the NSA?
Don’t both of these actions side with the terrorists? Don’t both of these items profit the terrorists, while simultaneously consolidating power with U.S. eavesdropping?
U.S. eavesdroppers do not see terrorists as the biggest threat. It’s time to admit the biggest threat to U.S. politicians is a U.S. citizenry with the 1st and 4th amendments to the Constitution.
How does Comey continue to press this issue against extremely powerful companies such as Google and Apple? Doesn’t he need the support of people higher up, to do that? It shouldn’t be a question of national security to ask if the President is driving, or supporting, this campaign.
Finally, is it a coincidence that we are seeing this renewed campaign against encryption, simultaneous with Wikileaks almost daily leaking the secrets of the most powerful countries in the world (U.S., U.K., Saudi Arabia, Germany, France)? Wikileaks obtains their information via encryption.
Again, the target is not the terrorists.
Well, of course they side with the terrorists, just as the CIA, DIA and FBI either aided, abetted and colluded with the terrorists for 9/11, or else they were all guilty of the most criminal dereliction of duty America has ever witnessed!
The after-action reports on 9/11 from congress explain this all very well:
The Intelligence Community’s Knowledge of the September 11 Hijackers Prior to Sept. 11, 2001 [dated 2002, House Permanent Select Committee on Intelligence]
A Review of the FBI’s Handling of Intelligence Information Related to the September 11 Attacks [dated 2004, DOJ/IG]
The question is why in Hell is the FBI still in business, and why oh why would even a proven neocon such as President Obama appoint the ultra-neocon, James Comey, to be FBI director?
I mean, I realize Comey was responsible, when he was with the DoJ during Bush’s time, for bringing to justice that notorious super-criminal, Martha Stewart, but look at his background with Gibson, Dunn & Crutcher, interning with Judge Walker (of the Bush-Walker Crime Family), legal counsel for Lockheed Martin, employed with the largest hedge fund in existence, and once a director at the National Chamber Litigation Center, the legal arm of the incredibly notorious US Chamber of Commerce?
Only a true neocon could ever appoint such a swine!
https://www.muckrock.com/news/archives/2015/jun/23/cia-can-give-specialized-equipment-other-agencies-/
Under EO 12333, the CIA may provide “specialized equipment, technical knowledge, or assistance of expert personnel” to other federal agencies. In emergency cases when lives are endangered, the order authorizes the CIA to give the same assistance to local law enforcement agencies.
As a public executive order, the text of EO 12333 has been public since its signing. But the order requires intelligence agencies to develop more specific implementation procedures, which are approved by the Attorney General. Until their release under the FOIA lawsuit, the CIA’s implementation procedures for EO 12333 remained secret.
https://www.aclu.org/blog/speak-freely/new-docs-raise-questions-about-cia-spying-here-home
A key CIA regulation — titled “AR 2-2” — governs the conduct of the CIA’s activities, which include domestic intelligence collection. AR 2-2, which has never been publicly released before, includes rules governing a wide range of activities, including surveillance of U.S. persons, human experimentation, contracts with academic institutions, relations with journalists and staff of U.S. news media, and relations with clergy and missionaries.
*cough* PRISM *cough*
Luckily, as of 2015, general-purpose computers are still available. And with them comes the freedom to run software that is not touched by mega corporations. Otherwise, you’ll be in the same boat as a modern-day Winston Smith, scribbling in his electronic diary while wondering whether surreptitious packets are escaping via the network port to betray all inner thoughts.
Keep an eye on BIOS and UEFI, Dorothy. Sorry for the bad joke, but you’re not in the Kansas you might think you’re in, and the *bridge line, among other processor lines, is getting more and more ominously restrictive, you know, in the interest of ‘security’. I won’t speculate on the state of the code itself here, but as a less technical example, I especially enjoy the 32 bit UEFI baked into a lot of the recent 64-bit processors making it almost impossible to get away from Windows. Win10, supposedly, is going to be even worse.
“She told the committee that she sees the problem ‘every day,’ but does not keep track of cases in which encryption has stopped the department from monitoring communications. Her explanation was that the DOJ, when presented with instances of encryption, no longer even tries to secure a wiretap order.”
This is a very interesting position for her to take, considering that except in foreign intelligence cases, there should be no way to tell that the communication is encrypted until *after* they have the wiretap order.
Of course this was related to all the international data they snoop on ;-)
Because snooping on American data would be illegal, right?
Same illegal as killing people with drones in other countries without a warrant, or snooping on other governments/institutions who have nothing to do with terrorism (like France, Germany, Brazil, …) or killing unarmed black people on the streets without reason…
RIGHT ???
/irony off
dronesR4cowards
Black Lives do matter!
Obama / Bushy Boy Corrupt Police state. …..
Mike, I thought FISA existed to issue warrants in foreign intelligence cases. IIRC, the objection to applying for a warrant to search Moussaoui’s computer was that he wasn’t seen as an agent of a foreign power.