Apple v FBI – What supporters are saying

I’m a big fan of Techdirt; I think that they do some really great work in digging into the shit going on around technology, policy, and laws. They put together a nice read-through of the amicus briefs supporting Apple in the case against the FBI. They read through the 20 briefs and pulled out some really interesting gems, such as the fact that the software the FBI is trying to force Apple to produce will likely be flawed and insecure because it won’t go through all the proper QA processes that normal software goes through. Apple will likely try to just break the part that the FBI is requesting without changing much else, which means they won’t really thoroughly test the impacts on other parts of the OS.

Techdirt also has looked through the briefs supporting the FBI. These ones actually undermine the FBI in a few ways. First, other law enforcement groups essentially throw out the illusion of one phone. In fact the Manhattan DA is planning on using the compromised iOS to get into something like 120 iPhones. They will likely use this precedent to force Apple to write comparable versions of the OS for the newer versions of iPhones that this break isn’t expected to work on.

The last brief is from the DA in San Bernardino, which really shows that this truly is a fishing expedition. They are worried about a “cyber pathogen,” which is pretty crazy, because there is no reason to really believe anything like that would even exist. The DA also raises the specter of a third shooter even though there is no evidence of it and there’s clearly never been a third shooter. Simply speculating that these things are there and making up more reasons to break the encryption of the phone when there is no evidence to support any of these speculations doesn’t provide more weight to the argument. In fact, it likely casts further doubt on the likelihood of finding anything useful on the phone, truly showing that this is a waste of time and effort.

 

Privacy, Government, and Business

This week there were two big moments for privacy. First was a ruling by a court that Apple had to unlock this specific phone in some manner, call it decrypting or creating a backdoor. Second was the fact that Apple, and now Google, has given the state a big middle finger saying “No!” These are important because of the gravity of both of these. The FBI is using “The All Writs Act,” something from the 18th century and definitely not written to support dealing with difficult technological issues on technology that would appear to be magic to the authors of the act. This is definitely stretching this law to its limits and likely beyond what is realistic, but it sets a precedent which is dangerous. The second part is important as both of these companies have been working with the government to provide data to them in the past.

While it is great that both of these companies are standing up to the government, it’s not enough. With a limited number of powerful players, it’s only a matter of time before they lose to the government or are threatened in some way that will require them to play ball with the government. On the other hand, smaller companies won’t have the money to fight the government, so even if you want to support a smaller company with privacy as its core values, there is no guarantee that they will be able to follow through. Furthermore, if the government forces the company to rewrite its operating system, like Apple effectively has to do, the company might go bankrupt. With a precedent set by the Apple decision, a small phone company like Silent Circle, with their Blackphone, would be forced to capitulate unless they were able to show that this was unduly burdensome.

The other issue with this case is that businesses are only fighting for what is “right” here because it will help them improve their bottom line. Of course, they are also fighting for their own personal privacy as employees of the company and consumers of its products, but the goal is to improve profitability. Across the world it has been shown that privacy and protection from agencies like the NSA (US) and GCHQ (UK) is something that people are willing to pay for. Apple learned this from Blackberry during the Arab Spring – they emulated the encryption of the Blackberry Messenger with their iMessage application. This helped transition some of the last hold-outs to Apple and eventually spurred other similar apps.

I believe it is likely that the Electronic Frontier Foundation will be a strong advocate for Apple, so if you want to support Apple in their battle with the government I recommend donating to the EFF, especially if you don’t support Apple for its other business practices. I know I will.

Privacy and Public Places

Privacy is a tricky thing. There’s privacy of your home, expectations of privacy around mail, privacy related to digital devices, privacy in your car, and privacy in even more public places – for each one of them we have different understood or assumed levels of privacy. These may be different from person to person, but generally we assume in certain places that we’re pretty safe from being eavesdropped on. Furthermore, even though we often talk or talk on our phones in public, we expect them to be relatively safe from being overheard, because most people simply don’t care about what we’re saying.

In public there are some clear rules about what is free for police to inspect and what is not public. For example, a police officer can listen to your conversations if they have the right equipment. It is possible for the police to photograph you as well whenever you’re walking around in public. Another place that is mostly a public place is actually your car. If anything is clearly visible on the seats through the windows, it’s considered public. However, if something is in your trunk or glove box, the police officer cannot search it unless you give them permission, they have probable cause, or they have some sort of a warrant.

Recently the police and FBI have been using something called a “sting ray,” which is effectively a man-in-the-middle attack between your cell phone and the cell phone provider. The FBI believes, according to recent filings, that a stingray is something that they should be able to use in public without requiring a warrant. They argue that since the person on the cell phone is speaking in public they should have no expectation of privacy.

I think that this raises a lot of concerns. First, even if the sting ray is deployed in a “public” place there are definitely places that you can expect privacy. For instance, if you live above a series of bars, the bulk of the people that would be hit by the sting ray would likely be in a public place. Even areas that are mostly park still have areas that are private or might even be residential. For this to be even close to realistic the FBI would have to be 100% certain that every person possibly impacted by this is in a public place.

Personally, I don’t think that this argument will fly. I believe that this is very similar in terms of technology used and methodology to GPS trackers on cars or, more similarly, to the GPS information from cell phones. Even if you are using a third party application or technology you still have the expectation of privacy. I believe that this should hold in this instance as well. You’re expecting your communication to be secure between your phone and the cell phone provider without anyone listening in.

I seriously hope that the FBI loses this, because I find the use of a technology like this to intercept my cell phone calls on their way to the cell provider to be terrifying, and if a similar technology was used by anyone other than the authorities, they would be up on charges for computer fraud and likely put in jail for a very, very long time.

FBI doubling down on encryption horrors

Last week I wrote about how the Washington Post was being irresponsible by arguing that phone encryption was a greater risk than a benefit for citizens, because the BAD GUYS or evil people would take advantage of it. Only a few days ago the director of the FBI doubled down on these statements, saying that “phone encryption will take us to a very dark place.” Furthermore, in the scaremongering examples he provides, cell phone data provided no help, nor would encryption have been any sort of hindrance in the investigation.

Phone encryption will more likely force governments and the police to actually get warrants to search phones. As with passwords, courts can order a suspect to hand over encryption keys; in cases where the police don’t have enough evidence to earn a court order, they are expected to crack it on their own with their own computer experts. This will likely lead to something of an arms race between police and encryption writers, but that’s already been happening for years.

I think that this is about something bigger than phones though. Once your average computer user has been educated in encryption for phones and loses their fear of encryption, they will likely look into encrypting or expecting their computers to come encrypted. Since phones are fairly easy to hack it makes sense to start with those spaces. However, with the massive amounts of computer leaks at companies lately, it’s likely that Microsoft will begin to encrypt their operating system, and eventually consumers will expect it on their personal computers. Laptops and tablets are extremely easy to steal. Encryption makes the theft a lot less valuable, as the thief has to completely wipe the computer and will be unable to extract any data that might be used for identity theft.

The final end effect might be that users will have true end-to-end encryption, which will make it much more difficult for the FBI, CIA, and NSA to spy on ordinary Americans. The end result of phone encryption might actually be that overall Americans have dramatically improved privacy from other Americans, businesses, and governments (not just the American government).

This is why the FBI is terrified.

Phone Encryption

It’s been announced that both iOS and Android are going to have fully encryptable phones, which will be a huge boon for our 4th amendment rights, as well as protecting us from more mundane things like theft or simply losing your phone. Our phones these days contain as much or more personal information as our computers do. The average person doesn’t have any sort of two-step authentication on their personal accounts on their phones. In most cases people do have some sort of password protection to get into the phone, but once in it’s fairly easy to get into many applications.

For end users there’s nothing better than having stronger security measures, as in many cases companies poorly manage their security. This can be highlighted by the past week of exploits and those celebrity pictures. Encrypting phones might not have prevented the celebrity leak, but in many cases it could. It’s believed that some of the hacks of Paris Hilton years ago came from hacking her phone through a Bluetooth connection, so a fully encrypted phone may have protected her from that hack.

All these things are good; however, the Washington Post has decided that this encryption is a risk to public safety because it will help criminals. This is the exact same argument that people make against Bitcoin and full disk encryption. Bitcoin ended up spawning Silk Road, which has been shut down, and it’s more likely that more crime is committed with dollars rather than Bitcoin. Full disk encryption has been used by both criminals and the more technically savvy. With the recent changes, the government can simply take your laptop at border crossings without any sort of warrant, which means anyone at any time that could have been flagged by the NSA could have their computer searched at will.

It’s more likely that encryption will protect an average person from an arbitrary search than protect a criminal. It’s likely that without everyone being encrypted, having your computer or phone encrypted would have been a huge red flag; however, with these recent changes that can’t happen. This means the average person will be safer, as will fully legal, security-conscious individuals with nothing to hide.

The Washington Post, FBI, and other agencies are wrong. Full encryption on our phones protects our privacy, improves our fourth amendment, and gives us more control over our own devices. If the FBI and the US government are successful in creating a backdoor, the encryption will be worthless and will put us more at risk, as we’ll have a false sense of security.

Sponsored data and YOU!

This could be your lucky day, your cellular provider is going to start offering packages where certain content doesn’t cost you anything in your data cap. This is awesome. You can start streaming more and more video/music/whatever it is that you stream from your favorite services. However, not all of your favorite services will be free of data charge! So make sure that you tell your favorite service that YOU want THEM to sign up and make their content data cap free to you! All those service providers have to do is pay your cellular provider money to stop the data caps! No, seriously, AT&T wants to do this.

Is this a problem? I think it depends on who you are. For a consumer in some cases this is pretty awesome. Let’s say you love to watch video games being streamed on Twitch.tv by your buddies over at KBMOD and Twitch decides to pay money to prevent your data from being charged against your data cap. But you’re also a huge fan of MLG and MLG just decided to start their own Twitch competitor but they can’t afford to pay those same fees. Well, guess you’ll be only watching MLG from your PC or on wifi. Too bad your favorite shows are on while you’re not able to use wifi though! Oh well, Twitch is there for you though!

This is a niche market obviously. Not everyone cares about watching someone play streaming video games or even streaming video games to your phone so you can keep playing a game you were playing from home. A lot of people care about TV and movies though. We can look at this as something that’s really analogous to what Comcast was trying to do to Netflix close to two years ago. In April of 2012 Comcast announced that its Xfinity streaming service would not be charged against your Comcast data caps while Netflix streaming service would be. Netflix’s CEO argued that this violated Net Neutrality because it provided preferential treatment to one source of data over another.

What is Net Neutrality? Well, there are two different arguments, which I discuss in a blog here, where one is saying everything must be treated equally, while the other one argues that there are nuances and we can treat data differently because we need to “groom” our networks. Internet and network purists believe that you shouldn’t even be able to determine what the data is or what the source of that data is if you’re a point along the network, just where it most recently was and where it needs to go next. The only application that can read the data in the packet is the application that requested it.

AT&T’s plan, similar to Comcast’s, is in violation of Net Neutrality and the FCC will step in to regulate this type of “service” because it’s, in the end, bad for the consumer. Unfortunately, there are limitations to what the FCC can do and even potentially what AT&T can do.

There has been much more of a push for encryption and it’s likely that these pushes may actually enable more of a return to the true meaning of Net Neutrality. If all of our data is fully encrypted, deep packet inspection tools (which tell if the data you’re getting is video, music, or whatever) won’t work very well, as that information will be encrypted. Furthermore, if your application’s data is all encrypted and AT&T can’t tell if your data is your data, then there’s no value in paying for “privileged” data status from AT&T.

It’s one of the reasons why I’ll likely support companies like Wickr, an encrypted Snapchat competitor, which told the FBI to screw itself when they were asked to put a backdoor into their encryption. It’s important that we work to protect our data and support companies that do so in terms of Net Neutrality and encryption.

What companies do you support that encrypt and fight for net neutrality?

Goofy Stock photos might not be so silly any more

Silly Stock photo

@NFEN and @Cheddarchezz having a conversation about “hacking”

I just saw a few people that I follow tweeting about trying to take over Youtube. There’s a Meme on Youtube right now that’s been going on for a while as a form of protest over some of the recent changes to the comment policy, copyright policy, integration with Google+ and probably a litany of other issues. To the gaming community Youtube is a dying platform.

What struck me about the conversation wasn’t really what they were talking about, but the stupid stock photos that are supposed to represent “hackers” breaking into a network. For some absurd reason stock photography companies almost always put them in the same outfit they’d be wearing if they were breaking into a house, mugging someone, or doing some other nefarious activity. Clearly it’s just a ploy to help people understand that the person using the computer is up to no good, but it just looks ridiculous as almost no one wears any of those clothes while using the computer. So instead of making them look like a criminal it just makes them look like an idiot. However, I think that with some recent revelations about the FBI and the hacking process called “RAT” these images are looking less absurd. Not that I’ll go out and buy clothes like this to work at my computer in.

One of the more recent Edward Snowden revelations has to do with breaking into personal computers by the US government. This isn’t really shocking, nor is what they do when they are on the computer. The FBI has admitted that they have the capabilities to hack into your computer and activate your webcam without turning on the indicator light. These capabilities aren’t new. In fact, Ars Technica did a report on this practice, called RAT, in the kiddie hacker community. I imagine that some of the tools that my friends used to use while we were in high school to remotely open a CD drive or type messages to each other operated in a similar fashion.

So, if you are hacking a computer, does it make sense to take precautions against showing your face? It might, or as the Ars article suggests, just cover up the camera. The difference is that you don’t know if you’re under surveillance or not. It’s also not clear if the FBI only means laptop webcams or if they are able to do the same to a smart phone or tablet. As the ACLU mentions in one article “we’ve never had discussion” about law enforcement hacking into computers. This is part of the reason there was a petition for We the People to update our privacy laws. Regular mail and packages are protected by the fourth amendment while email is not. Using a web cam with or without a web cam constitutes a much larger breach of privacy than just taking pictures through the camera. It’s likely that with access to the webcam the entire computer is open to the FBI, which means that a warrant for a web cam is a warrant for everything you do. If you have services that you’re always logged into like Dropbox or Tresorit, those are also accessible through the computer your cam is being used on.

We need to have a conversation about the limits of searching and privacy. I don’t want to sit around in a ski mask or cover up my webcam. Users likely need to install firewalls, more passwords, and disconnect from services they aren’t actively using.