FBI doubling down on encryption horrors

Last week I wrote about how the Washington Post was being irresponsible by arguing that phone encryption was a greater risk than a benefit for citizens, because the BAD GUYS or evil people would take advantage of it. Only a few days ago the director of the FBI doubled down on these statements, saying that “phone encryption will take us to a very dark place.” Furthermore, in the scaremongering examples he provides, cell phone data provided no help, nor would encryption have been any sort of hindrance in the investigation.

Phone encryption will more likely force governments and the police to actually get warrants to search phones. As with passwords, courts can order a suspect to hand over encryption keys; in cases where the police don’t have enough evidence to earn a court order, they are expected to crack it on their own with their own computer experts. This will likely lead to something of an arms race between police and encryption writers, but that’s already been happening for years.

I think that this is about something bigger than phones, though. Once your average computer user has been educated in encryption for phones and loses their fear of encryption, they will likely look into encrypting their computers or expect them to come encrypted. Since phones are fairly easy to hack, it makes sense to start with those spaces. However, with the massive amounts of computer leaks at companies lately, it’s likely that Microsoft will begin to encrypt their operating system; eventually consumers will expect it on their personal computers. Laptops and tablets are extremely easy to steal. Encryption makes the theft a lot less valuable, as the thief has to completely wipe the computer and will be unable to extract any data that might be used for identity theft.

The final end effect might be that users will have true end-to-end encryption, which will make it much more difficult for the FBI, CIA, and NSA to spy on ordinary Americans. The end result of phone encryption might actually be that overall Americans have dramatically improved privacy from other Americans, businesses, and governments (not just the American government).

This is why the FBI is terrified.

Phone Encryption

It’s been announced that both iOS and Android are going to have fully encryptable phones, which will be a huge boon for our 4th Amendment rights, as well as protecting us from more mundane things like theft or simply losing your phone. Our phones these days contain as much or more personal information as our computers do. The average person doesn’t have any sort of two-step authentication on their personal accounts on their phones. In most cases people do have some sort of password protection to get into the phone, but once in, it’s fairly easy to get into many applications.

For end users there’s nothing better than having stronger security measures, as in many cases companies poorly manage their security. This can be highlighted from the past week of exploits and those celebrity pictures. Encrypting phones might not have prevented the celebrity leak, but in many cases it could. It’s believed that some of the hacks of Paris Hilton years ago came from hacking her phone through a Bluetooth connection, so a fully encrypted phone may have protected her from that hack.

All these things are good; however, the Washington Post has decided that this encryption is a risk to public safety because it will help criminals. This is the exact same argument that people make against Bitcoin and full disk encryption. Bitcoin ended up spawning Silk Road, which has been shut down, and it’s more likely that more crime is committed with dollars than with Bitcoin. Full disk encryption has been used by both criminals and the more technically savvy. With the recent changes, the government can simply take your laptop at border crossings without any sort of warrant, which means anyone who could have been flagged by the NSA at any time could have their computer searched at will.

It’s more likely that encryption will protect an average person from an arbitrary search than protect a criminal. It’s likely that without everyone being encrypted, having your computer or phone encrypted would have been a huge red flag; however, with these recent changes that can’t happen, meaning the average person will be safer, as will fully legal, nothing-to-hide, security-conscious individuals.

The Washington Post, FBI, and other agencies are wrong. Full encryption on our phones protects our privacy, improves our Fourth Amendment rights, and gives us more control over our own devices. If the FBI and the US government are successful in creating a backdoor, the encryption will be worthless and will put us more at risk, as we’ll have a false sense of security.

Retail and payment intermediaries

In recent months there have been multiple instances where a major retailer has had their data infrastructure breached. This has resulted in millions of customers’ credit card information being compromised and stolen by some variety of criminal organization. It’s likely that the organization used skilled computer experts to hack into the system in some fashion. I also would not be surprised if some type of social engineering was used to ease their access to the data systems. Furthermore, if their point-of-sale devices were not fully secure, that information could be gathered using a credit card that could also read information from the system.

This is the problem that applications like Google Wallet and PayPal are trying to solve. They are trying to position themselves as an intermediary between the customer and the retailer to protect the consumer and provide a common transaction method for many platforms, including in-person point of sale. I think the fact that I’m just now thinking about this has really shown that companies like Google and Starbucks have failed at showing where the true value in their product is.

I didn’t come to this conclusion without help, though. Truthfully, it’s because of PayPal ads that I’ve been seeing on Hulu Plus. This ad walks through how unsafe we are using our credit cards with online retailers and says that they protect your credit card and bank account information from ever being seen by the retailer, which is a really powerful argument to use their services. Of course, that’s if you trust PayPal as an organization.

Personally, I’m concerned about using PayPal as they’ve had their own networks hacked with some account information stolen. They aren’t perfect, and honestly it’s likely going to be impossible to maintain and prevent any data breaches, but a company like PayPal should have that as their goal.

With that in mind, it’s kind of helped me think of the true value of both cash and a Bitcoin-like solution. At this point, it’s pretty clear that Bitcoin has been compromised at least on some level. It’s not truly anonymous any more. Cash still is, though. It’s the best way to buy anything from a store. It also reduces the rate at which you spend your money compared to buying everything with a card, as you actually see the money disappear. Although sometimes it doesn’t feel that way, especially when you’re out drinking at a bar.

I’m not sure I truly trust any of the large companies that offer these intermediary services. PayPal, Google, Apple, Samsung, Starbucks, etc. all have their own version, and all of these companies make money by locking you into their services. Google, Apple, and Samsung have the most incentive and potentially access, as they are selling you the only other thing you’ll have with you besides your cards: your phone. Locking you into not just their device but their payment methodology is powerful, not only because it keeps you on their network, but also because it provides them with a huge amount of information about the rest of your life. Google likely will already have a lot of it based on your search history, but they don’t know what you’re actually buying. At this point they don’t have the full data to connect search results to purchases. Using Google Wallet closes that gap and provides a really valuable set of data for their customers.

Intermediaries are going to be really important moving forward because they will help reduce customer risk. It’s going to be important to figure out how to balance the risk of not using an intermediary against the risk of using one and providing them with massive amounts of data, including extremely personal data, which could be devastating if all your eggs are in one basket.

More than two sides, the complexity of a story

In a lot of my writing, I typically focus on one aspect of the story. For example, with my writing about Ferguson I really focused on the wrong that I believed the police were doing. I didn’t really touch on the violence that the protesters were doing to the community (contained to the first few days) or the violence they were committing on the police. I didn’t ignore it personally, or as I was thinking about the articles, I just didn’t want to discuss it because it didn’t fit with the story I was trying to outline. That’s perfectly fine. You can’t fit everything into any given story. However, that doesn’t mean that omission was support of the actions of the protesters. I abhor their behavior and I think that it really negatively impacted their message. 

The past few days, we’ve had some pretty serious leaks. Over 100 celebrities have had their nude images leaked. The suspected culprit is iCloud. The iPhone, like most Android phones, has the option to automatically back up your photos to a storage unit online. Apparently, there was a vulnerability in an application called Find My Phone, which allowed a person to try as many times as they wanted to access an account. What this meant was that brute force methods for cracking a login for an account would work eventually. It might have taken days or longer for whatever algorithm was used to crack the logins, but eventually it would have worked. There’s no way for it not to. Essentially, the approach would run through as many permutations as possible for the login. Furthermore, it could have actually been run concurrently on multiple different systems to test in parallel. It’s pretty horrible that someone was able to sneak into iCloud and steal these pictures; however, it’s also incumbent on the users of these systems and the owners of the systems to ensure that these simple lapses don’t happen.
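
The missing control in the scenario above is a limit on login attempts. As an added example (not Apple's code and not from the original post), here is a per-account throttle with exponential lockout; because it is keyed on the account rather than on the client, guessing in parallel from many systems gains nothing. The class name, thresholds, account name and simulated traffic are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords
    locked_until: float = 0.0  # time before which every attempt is refused


class LoginThrottle:
    """Hypothetical per-account attempt limiter with exponential lockout."""

    def __init__(self, free_attempts=5, base_delay=30.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
        st = self._state.setdefault(account, AccountState())
        if now < st.locked_until:
            # Refuse before looking at the password, so a locked account
            # gives the guesser no answer at all, right or wrong.
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        over = st.failures - self.free_attempts
        if over >= 0:
            # Lockout doubles with each further failure, up to max_delay.
            delay = min(self.base_delay * 2 ** min(over, 16), self.max_delay)
            st.locked_until = now + delay
        return "denied"


def evaluated_guesses(throttle, account, n_sources, seconds):
    """Count wrong guesses that reach the password check when n_sources
    clients each send one guess per second (constructed traffic)."""
    checked = 0
    for t in range(seconds):
        for _ in range(n_sources):
            if throttle.attempt(account, False, float(t)) == "denied":
                checked += 1
    return checked


if __name__ == "__main__":
    for n in (1, 100):
        tried = evaluated_guesses(LoginThrottle(), "user@example.com", n, 3600)
        print(f"{n:3d} parallel source(s), 1 hour: {tried} guesses evaluated")
```

Per-account lockout also lets anyone lock a victim out by guessing wrongly on purpose, so it is usually paired with a second factor or an out-of-band unlock.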

The users of these services bear a responsibility for understanding what is happening to their data once it leaves their phones. This is a requirement for any user, not just the famous. The famous likely should have someone help them with their security features, as it’s unlikely that many of them have the desire or knowledge to do it on their own. Not that this is any different for much of the rest of the population. They are as vulnerable as the famous, but aren’t a target simply by being uninteresting.

In both cases, it’s fully acceptable to be upset by both sides of the story. It’s not impossible to say that police violence and militarization is bad and that the criminal element of the Ferguson protests is bad too. It’s also fine to say that you shouldn’t hack and that the people that develop the systems and use the systems are accountable as well. In most of our stories, there are complexities that are withheld or ignored because there is an angle the writer is going for, the story would take too long, or the writer has a low opinion of the readers. In my case, I was going for a specific angle with the Ferguson stories, because I assumed that it was obvious to the reader that the violence committed by the protesters was both known and understood to be a terrible wrong. Not mentioning it did make the police seem less rational than they were behaving though.

In the case of the leaks, most of the attention has been put on the leaker and the people enjoying the leaks, however, it’s important that we keep in mind that there’s a responsibility of the companies to keep that data safe. 

Should we celebrate about Google joining net neutrality fight?

It’s time we be skeptical of high tech companies that support policies that we want. Today, a large number of tech companies came out against the FCC’s plan to allow internet fast lanes. They aren’t as bold as Mozilla in their claims; they don’t push for the most extreme best-for-the-consumer perspective. We, as consumers, have to understand there’s a reason for this. These companies (and there are a lot) wrote the letter without stating what their position actually is, just that they are for a “free and open internet.” This is essentially a dream statement for a lawyer/lobbyist, because “free” and “open” can mean a variety of things based on that company’s perspective.

These companies are willing to push for a free/open internet insofar as it enables them to make money. We have to understand that. Many of these companies are looking to disrupt incumbent market players and are leveraging the internet to enable them to do that.

Normally, I’d be really excited about all these companies coming out in favor of net neutrality. However, because of their tepid support, their lack of recommendations of what to do to address the net neutrality issue, and their tardiness to the conversation, I’m concerned as to what their actual motives are for this debate. This is a very different discussion than SOPA, where just coming out against the bill was enough. In this case it’s not; we need them to provide clear direction on what the FCC SHOULD do instead. This provides the FCC a path forward and a way to drive the conversation. Without that, essentially there’s no clearly articulated alternative during THIS debate. Yes, they’ve made an argument before, but they aren’t this time.

I also am concerned by this turn of events because of the recent report that Google and the NSA had a very close relationship. In a very strict version of net neutrality, deep packet inspection wasn’t possible because there was no way to actually do it. The first step to packet discrimination is knowing what’s in the material. Truly end-to-end net neutrality precludes the ability to eavesdrop and snoop on content being passed along the IP backbone. Any sort of relationship between the NSA and arguably the largest internet company in the world necessarily limits the full extent to which net neutrality can actually be implemented.

Furthermore, we also must remember that a large number of these companies that are now for net neutrality were also for CISPA, which includes handing over data to the government, which, based on Google’s relationship with the NSA, they essentially did anyway.

So, it’s a good thing that these companies came out for net neutrality, because truly only the power of their lobbying can overcome the FCC’s proposal and push Comcast and Verizon into accepting the new rules. I don’t think that we citizens could do it on our own.

(if you want to try to fight corruption that’s sort of on display here, check out Mayone.us)