Panel: U.S. government sending mixed encryption messages

Privacy professionals are saying the U.S. government is sending mixed encryption messages to technology companies. They build privacy and security by design in products and services, but leave them open to backdoor access by default. This issue became more prominent after an argument whether the Federal Bureau of Investigation (FBI) can force Apple, Inc. to unlock an iPhone used by one of the shooters involved in the San Bernardino terrorist attack.

On Feb. 16th, a federal judge ordered Apple to provide the FBI with software to disable the security feature that auto-erases the phone’s data after multiple incorrect attempts to enter the pass code. Demetrios Eleftheriou, Symantec Corp. global privacy director said, “It just seems like there’s a bit of an inconsistent message from the government. We have law enforcement on the one end saying you build back doors, they want broken by design.”  On the other end are “the regulators saying you have to incorporate security by default, privacy by default in the product,” he said.

Eleftheriou asserts that the U.S. government needs to consider if their ambivalent stance on consumer encryption is compatible with the new European Union General Data Protection Regulation requirements for privacy by design and security by default. “A weakness is a weakness. It can be exploited by anybody.”

Will DeVries, Google Inc. privacy counsel said companies “want the process to be really clear, really defined and based on principles that we can apply globally to our services that actually make sense and keep us all safe.”DeVries believes the argument against accessing a terrorist’s phone is just one “red herring”. “We’re actually worried about the precedent of saying can you ask a tech company to undermine the security of devices that’s out in the public, not just for the device they’re talking but a security flaw that then can be used on any device,” DeVries said.

Companies can be ordered to assist with law enforcement to get at some data, Chris Jay Hoofnagle, member of the advisory board of Bloomberg BNA’s Privacy & Data Security Law Report, said. “Obviously, what makes this situation so dangerous and difficult is that the work the government would like Apple to do could be used prospectively and could be used to erode privacy and security in devices generally,” Hoofnagle said. The technology industry is at this point in time now where the devices can outsmart these forensic appliances so whatever happens paves the way for the future of device security.

Hoofnagle sees that this tinkers with the Fourth Amendment. “We might come to a world in the U.S. where we basically have different Fourth Amendment standards for the terrorism case where maybe we do feel as though the phone should be unlocked versus other types of crimes that aren’t as serious.”

Article via Bloomberg BNA, February 19, 2016

Photo: System Lock via Yuri Samoilov


Nation divided over Apple decision

Apple’s decision to refuse the FBI order requiring the company to unlock a phone used by Syed Farook, one of the terrorists in the San Bernardino shooting, has divided the nation into two camps. Those who support the company believe that the FBI order jeopardizes individual privacy. Others argue that Apple’s challenge threatens national security.

In order to unlock Syed Farook’s iPhone, Apple would have to design a new software that would provide a backdoor through the phone’s security features. That software does not yet exist, and Apple argues it should stay that way.

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices,” states Tim Cook’s response posted on the Apple website.

The non-profit advocacy group Fight for the Future organized demonstrations across the nation following the Apple decision in order to show solidarity with the company. Evan Greer, the organization’s campaign director, spoke about the importance of encryption in protecting public facilities like hospitals and airports, as well as in assuring the safety of individuals.

“For myself as a member of the LGBT community, I know there are a lot of people that have heightened needs for security. A breach is not just inconvenient or embarrassing, but can put people in threat of physical violence,” Greer said.

Henry Nickel, a San Bernardino city councilman, has the opposing opinion that Apple’s decision is an obstruction of justice. He likens Apple’s refusal to access the contents of Farook’s phone to a landlord’s refusal to unlock a suspect’s door in the face of a search warrant.

“I do not feel that digital data is in any way subject to additional protection from search or seizure than any other aspects of our lives,” Nickel said. “Apple is simply wrong if it believes digital information is somehow more sacred than any other type of information.”

San Bernardino Mayor R. Carey Davis felt similarly. “The attacks on December 2nd was the deadliest terrorist attack in the US since 9/11, and law enforcement officials continue to follow up on leads related to the case… It is my hope that Apple cooperates given the circumstances of this investigation,” he said.

Article via: The Washington Post, 19 February, 2016

Photo: Laughing Squid iPhone Webclip Icon by Scott Beale [Creative Commons Attribution-NonCommercial-NoDerivs]


How encryption works

Internet security is an important topic to address for anyone who surfs the web. Many of us want to be sure that our private data is being handled securely. The most popular way to protect our data online is through encryption. Encryption of data simply means that the information is encoded so that it can only be read by a key used to decode it. It sounds like super spy stuff, and in a way it is (that is a German enigma machine pictured above). In this article, we will discuss some of the ways that encryption is used to protect our data on the internet.

Computer encryption is based on cryptography, the practice and study of techniques to secure information. If you have ever heard of the Caesar cipher, that is a form of encryption. In our modern era, computers are generating complex algorithms that are used as the ciphers that crack the code.

There are two main modes of encryption: symmetric key and public key.

Symmetric key encryption

Caesar_Cipher
Caesar Cipher by prize Lerthirunvibul

The Caesar cipher is a great example of this. A letter is written to a friend, but all the words are spelled out by rotating the letter in the alphabet 4 spaces. This makes the letter nonsensical to anyone who intercepts it. But the friend it was written to knows the code (shift 4 spaces) and can therefore decode the letter.

The same happens in computing. Each computer has a secret code. The is a packet of information that is transported between the two computers. Once the transfer is complete the second computer decodes the encrypted packet.

Examples of this type of encryption: Hard drives, Private networks

 

Public key encryption

public key encryption
PublicKeyEncryption by Kalani Hausman

Sometimes this is called asymmetric key encryption. The main difference here is that each party does not have the same code to encrypt the message. Instead this method uses two different keys at once, a public key and a private key. The private key is know only to your computer. While, the public key is given to any computer that may want to communicate with it.

To decode a message a computer must use the public key (provided by the computer that it is communicating with) and it’s own private key.

In the example, Sally wants to send Bill a message. To do that, Sally needs to use Bill’s public key which is available to anyone. When Sally uses the public key it encrypts the message so that no one can read it. The only way that Bill will be able to see the message is when he uses his private key, the one that only he has (and is the only way to decode the encryption).

The message is available to anyone because all you need is the public key to pick it up. But, you won’t be able to read that message without a private key. The keys are a long string of numbers, and since they are based only on prime numbers, it makes this system very secure.

Examples of this type of encryption: Digital banking, Secure websites(https, SSL)

Photo Caesar Cipher by prize Lerthirunvibul

Photo PublicKeyEncryption by Kalani Hausman

Photo: WW2 Encryption: Enigma German Machine – cover off by Anthony Catalano [Creative Commons Attribution-NonCommercial-NoDerivs]


Tech companies protect against government surveillance

The best protection against widespread government surveillance now comes from major tech companies, including those accused of collecting mass amounts of data to sell to other companies seeking targeted advertising.

The FBI has accused Apple of aiding criminals by offering default encryption in the new iPhones it sells. Government reproach is also directed towards Google, which is offering the same encryption for its new Android phones. However, the majority of Americans are grateful for the tech companies’ new developments; a recent Pew survey found that 65 percent of people believe that there aren’t enough limits on government surveillance.

Smartphone encryption is not the only guard against surveillance, either. Google and Yahoo announced that they’re both working on end-to-end encryption in email, and Facebook was established on a Tor hidden services site so that people with access to network traffic can’t access user data.

Encryption tools are generally difficult to operate, and thus only tech-savvy users have been able to achieve full privacy. As a result, anyone using encryption tools was unique and therefore suspicious to government officials. With new integrated encryption, privacy will be more universal, and those previously using encryption systems will be better camouflaged.

Articles: The Center for Internet and Society, September 9, 2015

Photo: DC Ralley Against Mass Surveillance via Susan Melkisethian [Creative Commons Attribution-NonCommercial-NoDerivs]