Panel: U.S. government sending mixed encryption messages

Privacy professionals are saying the U.S. government is sending mixed encryption messages to technology companies: regulators expect them to build privacy and security by design into products and services, while law enforcement expects those same products to be left open to backdoor access by default. The issue became more prominent after a dispute over whether the Federal Bureau of Investigation (FBI) can force Apple, Inc. to unlock an iPhone used by one of the shooters involved in the San Bernardino terrorist attack.

On Feb. 16th, a federal judge ordered Apple to provide the FBI with software to disable the security feature that auto-erases the phone’s data after multiple incorrect attempts to enter the passcode. Demetrios Eleftheriou, Symantec Corp. global privacy director, said, “It just seems like there’s a bit of an inconsistent message from the government. We have law enforcement on the one end saying you build back doors, they want broken by design.” On the other end are “the regulators saying you have to incorporate security by default, privacy by default in the product,” he said.

Eleftheriou asserts that the U.S. government needs to consider if their ambivalent stance on consumer encryption is compatible with the new European Union General Data Protection Regulation requirements for privacy by design and security by default. “A weakness is a weakness. It can be exploited by anybody.”

Will DeVries, Google Inc. privacy counsel, said companies “want the process to be really clear, really defined and based on principles that we can apply globally to our services that actually make sense and keep us all safe.” DeVries believes the argument against accessing a terrorist’s phone is just one “red herring”. “We’re actually worried about the precedent of saying can you ask a tech company to undermine the security of devices that’s out in the public, not just for the device they’re talking but a security flaw that then can be used on any device,” DeVries said.

Companies can be ordered to assist law enforcement in getting at some data, said Chris Jay Hoofnagle, member of the advisory board of Bloomberg BNA’s Privacy & Data Security Law Report. “Obviously, what makes this situation so dangerous and difficult is that the work the government would like Apple to do could be used prospectively and could be used to erode privacy and security in devices generally,” Hoofnagle said. The technology industry has reached the point where devices can outsmart forensic appliances, so whatever happens in this case paves the way for the future of device security.

Hoofnagle sees this as tinkering with the Fourth Amendment. “We might come to a world in the U.S. where we basically have different Fourth Amendment standards for the terrorism case where maybe we do feel as though the phone should be unlocked versus other types of crimes that aren’t as serious.”

Article via Bloomberg BNA, February 19, 2016

Photo: System Lock via Yuri Samoilov


Nation divided over Apple decision

Apple’s decision to refuse the FBI order requiring the company to unlock a phone used by Syed Farook, one of the terrorists in the San Bernardino shooting, has divided the nation into two camps. Those who support the company believe that the FBI order jeopardizes individual privacy. Others argue that Apple’s challenge threatens national security.

In order to unlock Syed Farook’s iPhone, Apple would have to design new software that would provide a backdoor through the phone’s security features. That software does not yet exist, and Apple argues it should stay that way.

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices,” states Tim Cook’s response posted on the Apple website.

The non-profit advocacy group Fight for the Future organized demonstrations across the nation following the Apple decision in order to show solidarity with the company. Evan Greer, the organization’s campaign director, spoke about the importance of encryption in protecting public facilities like hospitals and airports, as well as in assuring the safety of individuals.

“For myself as a member of the LGBT community, I know there are a lot of people that have heightened needs for security. A breach is not just inconvenient or embarrassing, but can put people in threat of physical violence,” Greer said.

Henry Nickel, a San Bernardino city councilman, has the opposing opinion that Apple’s decision is an obstruction of justice. He likens Apple’s refusal to access the contents of Farook’s phone to a landlord’s refusal to unlock a suspect’s door in the face of a search warrant.

“I do not feel that digital data is in any way subject to additional protection from search or seizure than any other aspects of our lives,” Nickel said. “Apple is simply wrong if it believes digital information is somehow more sacred than any other type of information.”

San Bernardino Mayor R. Carey Davis felt similarly. “The attacks on December 2nd was the deadliest terrorist attack in the US since 9/11, and law enforcement officials continue to follow up on leads related to the case… It is my hope that Apple cooperates given the circumstances of this investigation,” he said.

Article via The Washington Post, February 19, 2016

Photo: Laughing Squid iPhone Webclip Icon by Scott Beale [Creative Commons Attribution-NonCommercial-NoDerivs]


EU to pass comprehensive privacy law

In June of 2012, the European Council approved the European Union’s General Data Protection Regulation draft. The soon-to-be-approved final law is an updated version of the EU’s 1995 data protection rules, intended to bolster online privacy rights. The EU’s effort to consolidate privacy laws stands in contrast to the U.S.’s consistent battles with mass data collection by big business and government agencies.

Privacy—a broad and nebulous term—is treated differently in the European Union than it is in the U.S. According to Brian Kudowitz, commercial product director for privacy and data security at Bloomberg Law, privacy is “essentially a human right” in the EU. Whereas the EU has comprehensive law protecting privacy in all its forms—especially with the GDPR initiative—the U.S. deals with the protection of information in a series of laws that regulate different sectors.

The EU’s focus on privacy can be explained in historical terms, Kudowitz added. “You go back to all of the different things that have occurred in Europe over the last 70 years, it’s very easy to see how that perspective developed.”

In a recent Eurobarometer survey, 67 percent of Europeans said they were concerned about not having control over what information was provided about them on the Internet, and 70 percent expressed concern about how companies used their information.

Beyond how everyday citizens think about privacy, businesses and government agencies also operate differently in the U.S. than in the EU. Organizations protect data proactively in the EU, whereas breaches of privacy are dealt with retroactively in the U.S.

According to Phil Lee, a representative at the multinational law firm Fieldfisher, “[t]his is partially because class action regimes aren’t well developed in the EU. EU countries don’t have a concept of punitive damages in the same way that you do in the U.S.”

Article via Legaltech News, December 22, 2015

Photo: Croatia welcomed to the EU via European Parliament [Creative Commons Attribution-NonCommercial-NoDerivs]


Legal firms remain concerned about cloud privacy

Lawyers are a conservative group when it comes to adopting new technology. This continues to hold true for the ever popular cloud technologies. Concerns about privacy and security related to data breaches are holding some firms back from transitioning over to cloud storage and services. The 2015 Cloud Security Survey released by Netwrix reveals that the concerns around cloud adoption among lawyers include security and privacy of data (26 percent), migration costs (22 percent) and loss of physical controls (17 percent). Moreover, the security risks cited include unauthorized access (32 percent), insider misuse (18 percent) and account hijacking (18 percent).

Alex Vovk, CEO and co-founder of Netwrix, told Legaltech News “Legal departments will be reluctant to entrust their valuable data and customers’ sensitive information, until they are absolutely sure that cloud providers can offer better security than the company can ensure on-premises.” Although data security is a privacy issue for all industries, legal departments are less likely to adopt technologies that do not guarantee full protection for their data.

Law firms may be cautious, but that doesn’t mean that they are uninterested in cloud technologies. According to the survey, 44 percent of the respondents indicated that their firms were in a stage of evaluation and discovery concerning cloud services. “This indicates that [law firms] are potentially ready to invest more in additional cloud security and consider various cloud options,” Vovk said. In fact, when it comes to hybrid cloud models, legal entities have the same interest in making the transition as private companies. In addition, 37 percent of those surveyed favor a private cloud model.

Vovk summed up by stating that “… as soon as cloud providers are ready to provide additional security measures and to some extent ease the compliance burden …lawyers would become less skeptic[al] about cloud adoption.”

Article via Legaltech News, December 3, 2015

Photo: Cloud Solutions via NEC Corporation of America [Creative Commons Attribution-NonCommercial-NoDerivs]


NSA ceases bulk data collection

The National Security Agency has been collecting metadata, which is information such as phone numbers and duration of calls, since shortly after the attacks of September 11. The collection of this metadata has ceased as of November 28th. So what changed?

There is a new law in place, known as the USA Freedom Act of 2015. This law is being seen as a victory for privacy activists and tech companies looking to protect their user data. The USA Freedom Act of 2015 came about as a response to the revelations of Edward Snowden, a former NSA contractor who revealed the extent of the NSA’s surveillance of the American people. The new law prohibits the bulk collection of phone data previously done by the NSA. Although the agency won’t keep the bulk data, investigators will still have access to these types of records when they are investigating a particular person or targeting specific groups. The existing metadata captured during the last 5 years will be kept until next February 29th in order to ensure a smooth transition.

National Security Council spokesperson Ned Price stated that this new law, “struck a reasonable compromise which allows us to protect the country while implementing various reforms”.

Some have concerns, since the new law is going into effect so soon after the terrorist attacks in Paris. At a time when America is scaling back its surveillance, countries like England and France are considering new bills to enhance surveillance. Since American companies like Verizon would be involved, it may mean the creation of new treaties between Great Britain and the United States. It is likely that this type of confounding circumstance will present itself more in the future due to the international nature of terrorism.

Article via ABAJournal, November 30, 2015

Photo: National Security Agency Seal via Donkey Hotey [Creative Commons Attribution-NonCommercial-NoDerivs]


Blackberry takes stand for protecting user privacy

Finding the balance between data surveillance and protecting user privacy is an ongoing process, but Blackberry has just chosen to take a stand for the latter. The company has decided to pull operations from Pakistan after demands from the country’s Telecommunications Authority for unrestricted access to Blackberry Enterprise Services. The Pakistani government was essentially asking for a “backdoor” to access encrypted messages and emails sent or received within Pakistan. Blackberry not only refused to cooperate with the demands in Pakistan but has also stated that it will not submit to any demands for unrestricted “backdoor” access in any country.

While protecting user privacy is important, ensuring the safety of citizens sometimes requires governments to conduct data surveillance. Blackberry has stated that these demands from the Pakistani government do not fall under the realm of public safety. Rather, “Pakistan was essentially demanding unfettered access to all of our BES customers’ information,” explained Chief Operating Officer Marty Beard. In the blog post Beard released explaining Blackberry’s withdrawal from Pakistan, he stated that while Blackberry is more than willing to assist with law enforcement’s investigations when a crime has been committed, it won’t grant companies “backdoor” access. This shouldn’t come as a shock; Blackberry has shown that security is a main priority in its interactions with other governments and businesses.

Blackberry has now shown how they will react to requests for access to their customers’ digital data, but they won’t be the only company having to decide how to protect user privacy. As governments decide how important access to encrypted data is to national security, other companies may be faced with tough decisions concerning their positions in the surveillance versus privacy debate.


Article via CNET, November 30, 2015

Photo: Blackberry Bold via johncatral [Creative Commons Attribution-NonCommercial-NoDerivs]