The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate' - Wired 20160408

AS APPLE BATTLED the FBI for the last two months over the agency’s demands that Apple help crack its own encryption, both the tech community and law enforcement hoped that Congress would weigh in with some sort of compromise solution. Now Congress has spoken on crypto, and privacy advocates say its “solution” is the most extreme stance on encryption yet.

On Thursday evening, the draft text of a bill called the “Compliance with Court Orders Act of 2016,” authored by offices of Senators Dianne Feinstein and Richard Burr, was published online by the Hill. [1] It’s a nine-page piece of legislation that would require people to comply with any authorized court order for data—and if that data is “unintelligible,” the legislation would demand that it be rendered “intelligible.” In other words, the bill would make illegal the sort of user-controlled encryption that’s in every modern iPhone, in all billion devices that run WhatsApp’s messaging service, and in dozens of other tech products. “This basically outlaws end-to-end encryption,” says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. “It’s effectively the most anti-crypto bill of all anti-crypto bills.”

Kevin Bankston, the director of the New America Foundation’s Open Technology Institute, goes even further: “I gotta say in my nearly 20 years of work in tech policy this is easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen,” he says.

The bill, Hall and Bankston point out, doesn’t specifically suggest any sort of backdoored encryption or other means to even attempt to balance privacy and encryption, and actually claims to not require any particular design limitations on products. Instead, it states only that communications firms must provide unencrypted data to law enforcement or the means for law enforcement to grab that data themselves. “To uphold the rule of law and protect the security and interests of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive and intelligible information or data, or appropriate technical assistance to obtain such information or data.”

Hall describes that as a “performance standard. You have to provide this stuff, and we’re not going to tell you how to do it,” he says. George Washington Law School professor Orin Kerr points out on Twitter that the text doesn’t even limit tech firms’ obligations to “reasonable assistance” but rather “assistance as is necessary,” a term that means the bill goes beyond current laws that the government has used to try to compel tech firms to help with data access such as the All Writs Act.

Even more extreme, the draft bill also includes the requirement that “license distributors” ensure all “products, services, applications or software” they distribute provide that same easy access for law enforcement. “Apple’s app store, Google’s play store, any platform for software applications somehow has to vet every app to ensure they have backdoored or little enough security to comply,” says Bankston. That means, he says, that this would “seem to also be a massive internet censorship bill.”

I could spend all night listing the various ways that Feinstein-Burr is flawed & dangerous. But let's just say, "in every way possible."

— matt blaze (@mattblaze) April 8, 2016

If Grandpa Simpson was a Senator who was afraid of and confused by encryption, I think he'd write something like the Feinstein/Burr bill.

— Kevin Bankston (@KevinBankston) April 8, 2016

It's not hard to see why the White House declined to endorse Feinstein-Burr. They took a complex issue, arrived at the most naive solution.

— Matthew Green (@matthew_d_green) April 8, 2016

Burr and Feinstein’s bill disappoints its privacy critics in part because it seems to entirely ignore the points already made in a debate that’s raged for well over a year, and has its roots in the crypto wars of the 1990s. Last summer, for instance, more than a dozen of the world’s top cryptographers published a paper warning of the dangers of weakening encryption on behalf of law enforcement. They cautioned that any backdoor created to give law enforcement access to encrypted communications would inevitably be used by sophisticated hackers and foreign cyberspies. And privacy advocates have also pointed out that any attempt to ban strong encryption in American products would only force people seeking law-enforcement-proof data protection to use encryption software created outside the U.S., of which there is plenty to choose from. Apple, in its lengthy, detailed arguments with the FBI in front of Congress and in legal filings, has called that weakening of Americans’ security a “unilateral disarmament” in its endless war with hackers to protect its users’ privacy.

Tom Mentzer, a spokesman for Senator Feinstein, told WIRED in a statement on behalf of both bill sponsors that “we’re still working on finalizing a discussion draft and as a result can’t comment on language in specific versions of the bill. However, the underlying goal is simple: when there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We’re still in the process of soliciting input from stakeholders and hope to have final language ready soon.”

The Burr/Feinstein draft text may in fact be so bad for privacy that it’s good for privacy: Privacy advocates point out that it has almost zero likelihood of making it into law in its current form. The White House has already declined to publicly support the bill. And Adam Schiff, the top Democratic congressman on the House of Representatives’ intelligence committee, gave WIRED a similarly ambivalent comment on the upcoming legislation yesterday. “I don’t think Congress is anywhere near a consensus on the issue,” Schiff said, “given how difficult it was to legislate the relatively easy [Cyber Information Sharing Act], and this is comparatively far more difficult and consequential.”

Bankston puts it more simply. “The CCOA is DOA,” he says, coining an acronym for the draft bill. But he warns that privacy activists and tech firms should be careful nonetheless not to underestimate the threat it represents. “We have to take this seriously,” he says. “If this is the level of nuance and understanding with which our policymakers are viewing technical issues we’re in a profoundly worrisome place.”

[1] Correction 4/8/2016 1:00pm EST: A previous version of this story stated that the draft bill text had been released by the senators, which a spokesperson for Senator Burr has since said in a statement to WIRED she didn’t “believe was consistent with the facts.”

The Feds Have Let the Cyber World Burn. Let’s Put the Fire Out - Wired 20160301

IMAGINE, ALL ACROSS America, our homes and businesses regularly going up in flames. Firefighters would be deployed en masse to stop the fires from spreading. Law enforcement would hunt the arsonists and bring them to justice. Engineers would learn to design structures far more resistant to flames.

Our government would respond to this obvious national emergency with force, competence, and leadership. And it certainly would not persecute the firefighters.

Yet the United States government is doing just that as it struggles with a choice: Necessary security for all versus the desired insecurity of some. No less integral to civilization at this point than the roofs over our heads, the information technology that connects us to one another is increasingly connecting hackers to our daily lives. Every month, more devices go online: Cars, thermostats, and baby monitors, all troublingly exposed.

A hospital is forced to pay a ransom to keep treating patients. A small business goes under, its entire payroll account emptied in a weekend. Millions of consumers lose access to their credit cards over Christmas. Multi-billion dollar international corporations watch their digital infrastructure burn to the ground in the blink of an eye, perhaps as extortion, perhaps for fun. A quarter million citizens of the Ukraine have their power disrupted by hackers. And all those who ever sought the trust and confidence of our government must now fear identity theft for the rest of their lives.

A Fireproof Future

But there is hope. Our technology companies, literally the most valuable in the world, have made dramatic strides toward building devices that cannot be hacked. If your iPhone is stolen, it is unlikely that the thief will be apprehended. But he will access no emails, view no photos, take no money, steal no secrets—not from you, not from your employer. There will be no breach to report, no loss to incur, no job to lose. You were protected from risk, and nothing was asked of you but a passcode or thumbprint.

Strong cybersecurity delivers the digital world that does not burn.

Instead of helping put out fires, though, the FBI is “concerned.” A world where not everything can be hacked is a world where it can’t necessarily hack everything. And so, in a case where the FBI has enjoyed almost complete cooperation with Apple, it is demanding more: The engineering authority to require a “backdoor,” making the extraction of data from any device trivial, and setting the dangerous precedent that the government can turn any or all of the technology in our lives against us.

The FBI’s argument against Apple seems almost reasonable at first glance. There’s an extraordinary crime, there’s a secret we as a society want. Why not hack this one device, just this once? Because it’s not just this once. Not only are there other cases in the courts where the government is asking for access to iPhones, the real point is precedent. The problem is that for every one device we want to hack, there are tens of thousands we need to protect. Do we leave every device vulnerable just so the next one can be hacked?

As a lifelong hacker committed to protecting the Internet—I found a core vulnerability in the Internet’s design, which led to what became its largest synchronized fix ever—I can tell you that we are suffering the largest crime wave in human history, and it is built on a foundation of failed cybersecurity.

The FBI’s actions against Apple seek to maintain and enshrine this cracked foundation. Apple CEO Tim Cook is fighting back, and our nation must support him.

The moral, economic, strategic, and technical leadership of the United States is at stake here. If Americans are not allowed to repair cybersecurity, somebody else will, and the damage to our interests will be incalculable and self-inflicted. Whoever masters making a secure digital world not just possible, but practical, will own the next Silicon Valley. There are at least 865 products from 55 countries with encryption, the vast majority from outside the US. Our companies have the head start in this coming space race. But there is a small team at Apple that just became an enormous liability for their company. They did world-class work to protect you, and now untold billions are at stake. If only they hadn’t done quite so good a job, or left a couple convenient flaws. If only their managers hadn’t hired people quite so passionate. As it happens, Cook is standing up for his team.

But Cook, and the enormous resources at his disposal, cannot be everywhere. By trying to set the precedent that it’s OK for the government to intentionally undermine Internet security, the FBI has placed all of America’s cybersecurity engineers on notice: Don’t do too good a job now. Let it burn, or we’ll burn you.

Our Nation Is Capable of So Much More

We must repair the Internet. Too much is broken and taking years or even decades to fix. Our failures are not for lack of trying, but they might be for lack of staffing. I am a proud member of what might be called the Internet’s community of “volunteer firefighters,” but there is something to be said for professionals in numbers with infrastructure and a mandate. Our society doesn’t have just “The Guy Who Works On Cancer;” we build institutes. So let’s find and fix these flaws, faster and better. Let’s collaborate, systematically, comprehensively. Engineers should have the data, based on real world experimentation, about how to build the future securely, and practically.

Millions are learning to code; how do we ensure that the next generation of innovation is not even more fragile than this one? There are solutions that work, but are impractical. There are solutions that are practical, but do not work. Chief information security officers are flooded with noise regarding magic solutions that will fix all their problems. It’s not all snake oil.

A “CyberUL”, similar to the system that tells us which hoverboards might set our homes on fire (apparently all of them), would be helpful. It could allow us to understand what security technologies to invest in, and what systems need protection. Even when it comes to the bugs we’re already finding, nobody quite knows the global severity of a particular flaw. Who’s at risk? What should we prioritize?

The FBI publishes crime statistics for a reason.

There will need to be a bureaucratic firewall in place, for these efforts to be credible. Those defending and repairing the Internet must be separated from those with offensive cyber missions, no matter how legitimate. “Dual Missions”—playing defense and offense, fixing infrastructure one day and exploiting it the next, are a lie and everybody knows it.

It has been said that our nation needs a Manhattan Project for cybersecurity. What we need is a project to protect Manhattan, and San Francisco, and Seattle, and Chicago. Each of these cities suffered enormous fires once upon a time (Manhattan three times!). Our nation came together and fixed that. These very cities are guaranteed to be under cyberattack tomorrow. We can protect them, but only if we back Tim Cook in his profound belief that the Internet is not secure enough.

Snowden's Chronicler Reveals Her Own Life Under Surveillance - Wired 20160204

Laura Poitras has a talent for disappearing. In her early documentaries like My Country, My Country and The Oath, her camera seems to float invisibly in rooms where subjects carry on intimate conversations as if they’re not being observed. Even in Citizenfour, the Oscar-winning film that tracks her personal journey from first contact with Edward Snowden to releasing his top secret NSA leaks to the world, she rarely offers a word of narration. She appears in that film exactly once, caught as if by accident in the mirror of Snowden’s Hong Kong hotel room.

Now, with the opening of her multi-media solo exhibit, Astro Noise, at New York’s Whitney Museum of American Art this week, Snowden’s chronicler has finally turned her lens onto herself. And she’s given us a glimpse into one of the darkest stretches of her life, when she wasn’t yet the revelator of modern American surveillance but instead its target.

The exhibit is vast and unsettling, ranging from films to documents that can be viewed only through wooden slits to a video expanse of Yemeni sky which visitors are invited to lie beneath. But the most personal parts of the show are documents that lay bare how excruciating life was for Poitras as a target of government surveillance—and how her subsequent paranoia made her the ideal collaborator in Snowden’s mission to expose America’s surveillance state. First, she’s installed a wall of papers that she received in response to an ongoing Freedom of Information lawsuit the Electronic Frontier Foundation filed on her behalf against the FBI. The documents definitively show why Poitras was tracked and repeatedly searched at the US border for years, and even that she was the subject of a grand jury investigation. And second, a book she’s publishing to accompany the exhibit includes her journal from the height of that surveillance, recording her first-person experience of becoming a spying subject, along with her inner monologue as she first corresponded with the secret NSA leaker she then knew only as “Citizenfour.”

Poitras says she initially intended to use only a few quotes from her journal in that book. But as she was transcribing it, she “realized that it was a primary source document about navigating a certain reality,” she says. The finished book, which includes a biographical piece by Guantanamo detainee Lakhdar Boumediene, a photo collection from Ai Weiwei, and a short essay by Snowden on using radio waves from stars to generate random data for encryption, is subtitled “A Survival Guide for Living Under Total Surveillance.” It will be published widely on February 23.

“I’ve asked people for a long time to reveal a lot in my films,” Poitras says. But telling her own story, even in limited glimpses, “provides a concrete example of how the process works we don’t usually see.”

That process, for Poitras, is the experience of being unwittingly ingested into the American surveillance system.

On the Government’s Radar

Poitras has long suspected that her targeting began after she filmed an Iraqi family in Baghdad for the documentary My Country, My Country. Now she’s sure, because the documents released by her Freedom of Information Act request prove it. During a 2004 ambush by Iraqi insurgents in which an American soldier died and several others were injured, she came out onto the roof of the family’s home to film them as they watched events unfolding on the street below. She shot for a total of eight minutes and 16 seconds. The resulting footage, which she shows in the Whitney exhibit, reveals nothing related to either American or insurgent military positions.

“Those eight minutes changed my life, though I didn’t know it at the time,” she says in an audio narration that plays around the documents in her exhibition. “After returning to the United States I was placed on a government watchlist and detained and searched every time I crossed the US border. It took me ten years to find out why.”

[Photo: A Whitney Museum visitor looking at a selection of Poitras’ FOIAed documents framed in a collection of light boxes. Credit: Andy Greenberg]

The heavily redacted documents show that the US Army Criminal Investigation Command requested in 2006 that the FBI investigate Poitras as a possible “U.S. media representative … involved with anti-coalition forces.” According to the FBI file, a member of the Oregon National Guard serving in Iraq identified Poitras and “a local [Iraqi] leader”—the father of the family that would become the subject of her film. The soldier, whose name was redacted, questioned Poitras at the time, and reported that she “became significantly nervous” and denied filming from the roof. He later told the Army investigators that he “strongly believed”—but without apparent evidence—“POITRAS had prior knowledge of the ambush and had the means to report it to U.S. Forces; however, she purposely did not report it so she could film the attack for her documentary.”

One page shown in the Whitney exhibit reveals that the New York field office of the FBI was tracking Poitras’ home addresses, and Poitras believes the reference to a “detective” working with the FBI indicates the New York Police Department may have also been involved. By 2007, the documents reveal that there was a grand jury investigation proceeding on whether to indict her for unnamed crimes—multiple subpoenas sought information about her from redacted sources. (Poitras says that the twelve pages she published in the Whitney exhibition are only a selection of 800 documents she’s received in her FOIA lawsuit, which is ongoing.)

Being Constantly Watched

Private as ever, Poitras declined to detail to WIRED exactly how she experienced that federal investigation in the years that followed. But flash forward to late 2012, and the surveillance targeting Poitras had transformed her into a nervous wreck. In the book, she shares a diary she kept during her time living in Berlin, in which she describes feeling constantly watched, entirely robbed of privacy. “I haven’t written in over a year for fear these words are not private,” are the journal’s first words. “That nothing in my life can be kept private.”

She sleeps badly, plagued with nightmares about the American government. She reads Cory Doctorow’s Homeland and re-reads 1984, finding too many parallels with her own life. She notes her computer glitching and “going pink” during her interviews with NSA whistleblower William Binney, and that it tells her its hard drive is full despite seeming to have 16 gigabytes free. Eventually she moves to a new apartment that she attempts to keep “off the radar” by avoiding all cell phones and only accessing the Internet over the anonymity software Tor.

When Snowden contacts her in January of 2013, Poitras has lived with the specter of spying long enough that she initially wonders if he might be part of a plan to entrap her or her contacts like Julian Assange or Jacob Appelbaum, an activist and Tor developer. “Is C4 a trap?” she asks herself, using an abbreviation of Snowden’s codename. “Will he put me in prison?”

Even once she decides he’s a legitimate source, the pressure threatens to overwhelm her. The stress becomes visceral: She writes that she feels like she’s “underwater” and that she can hear the blood rushing through her body. “I am battling with my nervous system,” she writes. “It doesn’t let me rest or sleep. Eye twitches, clenched throat, and now literally waiting to be raided.”

Finally she decides to meet Snowden and to publish his top secret leaks, despite her fears of both the risks to him and to herself. Both the journal and the documents she obtained from the government show how her own targeting helped to galvanize her resolve to expose the apparatus of surveillance. “He is prepared for the consequences of the disclosure,” she writes, then admits: “I really don’t want to become the story.”

In the end, Poitras has not only escaped the arrest or indictment she feared, but has become a kind of privacy folk hero: Her work has helped to noticeably shift the world’s view of government spying, led to legislation, and won both a Pulitzer and an Academy Award. But if her ultimate fear was to “become the story,” her latest revelations show that’s a fate she can no longer escape–and one she’s come to accept.

Poitras’ Astro Noise exhibit runs from February 5 until May 1 at the Whitney Museum of American Art, and the accompanying book will be published on February 23.