121 posts categorized "Surveillance" Feed

Senate Narrowly Rejected Bill To Expand Government Surveillance

While consumers may have been distracted with votes in the U.S. Senate about gun reform or the sit-in within the U.S. House, a key vote also happened last week regarding government surveillance. The U.S. Senate narrowly voted down a bill to grant expanded surveillance powers to the Federal Bureau of Investigation.

According to Reuters, the legislation sought to:

"... broaden the type of telephone and internet records the FBI could request from companies such as the Google unit of Alphabet Inc and Verizon Communications Inc without a warrant... filed as an amendment to a criminal justice funding bill, would widen the FBI’s authority to use so-called National Security Letters, which do not require a warrant and whose very existence is usually a secret. Such letters can compel a company to hand over a user's phone billing records. Under the Senate's change, the FBI would be able to demand electronic communications transaction records such as time stamps of emails and the emails' senders and recipients, in addition to some information about websites a person visits and social media log-in data. It would not enable the FBI to use national security letters to obtain the actual content of electronic communications."

Perhaps, more importantly the bill would have made:

"... permanent a provision of the USA Patriot Act that lets the intelligence community conduct surveillance on “lone wolf” suspects who do not have confirmed ties to a foreign terrorist group. That provision, which the Justice Department said last year had never been used, expires in December 2019."

Senate Amendment 4787 was introduced by Senators John McCain and Richard Burr. It failed by two votes: 58-38. Before the vote on Wednesday, Senator Ron Wyden (Dem.-Oregon) had warned:

"If this proposal passes, FBI agents will be able to demand the records of what websites you look at online, who you email and chat with, and your text message logs, with no judicial oversight whatsoever. The reality is the FBI already has the power to demand these electronic records with a court order under the Patriot Act. In emergencies the FBI can even obtain the records right away and go to a judge after the fact. This isn’t about giving law-enforcement new tools, it’s about the FBI not wanting to do paperwork.”

Yep. That rejected bill sounds like an erosion of privacy rights. Senate Majority Leader Mitch McConnell (Rep.-Kentucky) has already filed a motion to reconsider the amendment.


The Third Anniversary of Leaks About NSA Surveillance Programs

Three years ago today, the public learned about extensive surveillance by the U.S. National Security Agency (NSA). Back then, the Guardian UK newspaper reported about a court order allowing the NSA to spy on U.S. citizens. The Electronic Frontier Foundation (EFF) summarized events from 2013:

"It started with a secret order written by the FISA court authorizing the mass surveillance of Verizon Business telephone records—an order that members of Congress quickly confirmed was similar to orders that had been issued every 3 months for years. Over the next year, we saw a steady drumbeat of damning evidence, creating a detailed, horrifying picture of an intelligence agency unrestrained by Congress and shielded from public oversight by a broken classification system. The leaks were thanks in large part to whistleblower Edward Snowden, who has been living in Russia for the last three years, unable to return to the United States for fear of spending his life behind bars..."

Since then, we've learned plenty about how extensive the government surveillance apparatus is and the lack of oversight. We've also learned about NSA code inserted in Android operating system software, the FISA Court and how it undermines the public's trust, the importance of metadata and how much it reveals about you (despite some politicians' claims otherwise), the unintended consequences from broad NSA surveillance, U.S. government spy agencies' goal to break all encryption methods, warrantless searches of U.S. citizens' phone calls and e-mail messages, the NSA's facial image data collection program, the data collection programs included ordinary (e.g., innocent) citizens besides legal targets, and while most hi-tech and telecommunications companies assisted the government with its spy programs, AT&T was probably the best collaborator. A scary, extensive list, eh?

Would the public have learned about all of this without the Snowden leaks? I doubt it. So, thanks to Edward Snowden.

And, this list doesn't include the attempt by the Justice Department to force a hi-tech company to build a "back door" into its products to break encryption. It's been a busy three years. The EFF concluded:

"The Snowden leaks caused a sea change in the policy landscape related to surveillance. EFF worked with dozens of coalition partners across the political spectrum to pass the USA Freedom Act, the first piece of legislation to rein in NSA spying in over thirty years—a bill that would have been unthinkable without the Snowden leaks. They also set the stage for a major showdown in Congress over Section 702 of the FISA Amendments Act, the controversial section of law set to expire in 2017 that the government claims authorizes much of the NSA’s Internet surveillance... Perhaps most importantly, the Snowden leaks published over the last three years have helped to realign a broken relationship between the intelligence community and the public. Whistleblowers often serve as a last-resort failsafe when there are no other methods of bringing accountability to secretive processes. The Snowden leaks have helped illuminate how the NSA was operating outside the law with near impunity, and this in turn drove an international conversation about the dangers of near-omniscient surveillance of our digital communications."

It's not over. The EFF compiled a list of 65 things we know thanks to the Snowden leaks, and a timeline of NSA domestic surveillance. And, Vice News has uncovered some of the documents that highlight the discussions among NSA and government officials about the privacy and Constitutional issues Mr. Snowden raised at the agency before the leaks:

"What's remarkable about this FOIA release, however, is that the NSA has admitted that it altered emails related to its discussions about Snowden. In a letter disclosed to VICE News Friday morning, Justice Department attorney Brigham Bowen said, "Due to a technical flaw in an operating system, some timestamps in email headers were unavoidably altered. Another artifact from this technical flaw is that the organizational designators for records from that system have been unavoidably altered to show the current organizations for the individuals in the To/From/CC lines of the header for the overall email, instead of the organizational designators correct at the time the email was sent."

Because none of the people interviewed by the NSA in the wake of the leaks said that "Snowden mentioned a specific NSA program," and "many" of the people interviewed "affirmed that he never complained about any NSA program," the NSA's counterintelligence chief concluded that these conversations about the Constitution and privacy did not amount to raising concerns about the NSA's spying activities. That was the basis for the agency's public assertions... In April 2014, the month after he testified before the European Parliament, Snowden again challenged the NSA's public narrative about his failure to raise concerns at the agency. In advance of the publication of the Vanity Fair story, the magazine posted a preview online on April 8. "The NSA... not only knows I raised complaints, but that there is evidence that I made my concerns known to the NSA's lawyers, because I did some of it through e-mail," he said."

The Vice News article also discussed the lack of whistle-blower protections for contractors like Mr. Snowden.

Citizens give their government certain powers to act on their behalf. Implicit in that decision is trust. Entrusted with those powers, a government (in a democracy) has an obligation to be transparent with its citizens.


Pending Rule 41 Changes Facilitate Government Spying, So Senators Introduce Legislation To Protect Citizens

Late last week, MacDailyNews reported (links added):

"U.S. Senators Ron Wyden, D-Ore., and Rand Paul, R-Ky., yesterday introduced the Stopping Mass Hacking (SMH) Act to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims."

This news story caught my attention because you don't often see Senators Wyden and Paul working together. It raises several questions: what is so important? What is going on?

Last summer, this blog briefly discussed Rule 41 changes the U.S. Justice Department (DOJ) sought. The rule governs how search, seizure, and arrest warrants are obtained by prosecutors for criminal cases. Given sophisticated computer viruses (e.g., malware) that can take over multiple computers in multiple areas and coordinate attacks by those infected computers (a/k/a botnets), the DOJ sought changes where judges could approve warrants where the botnet location is unknown or located in another area, state, or jurisdiction. The Tech Dirt blog covered this well on April 29:

"The DOJ is one step closer to being allowed to remotely access computers anywhere in the world using a normal search warrant issued by a magistrate judge. The proposed amendments to Rule 41 remove jurisdiction limitations, which would allow the FBI to obtain a search warrant in, say, Virginia, and use it to "search" computers across the nation using Network Investigative Techniques (NITs)."

The Tech Dirt blog post also published the relevant section of the pending Rule 41changes approved by the U.S. Supreme Court (SCOTUS):

"Rule 41. Search and Seizure

(b) Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
"

The document also says the following about electronic searches:

"(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
* * * * *
(C) Receipt. The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property. For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person."

So, the remote, electronic searching of computers doesn't target only the computers of the defendant suspected of committing a crime, but it also targets innocent people whose computers may or may not have been infected by the computer virus or botnet. How? Government prosecutors can easily craft broad warrants, and/or computer-illiterate judges can approve them.

And, innocent people won't necessarily receive any notice (e.g., the "reasonable efforts") about remote electronic searches of their devices (e.g., desktops, laptops, phones or tablets) located inside or outside their homes. And, that notice might be after the remote electronic searches were completed. Huh? When the government performs broad searches like this, that is called surveillance... spying.

Were you aware of Rule 41? Of the pending changes? Probably not. And, you'd probably agree that innocent persons' computers shouldn't be searched; and if so, advance notice should be provided. This troubles me and I hope that it troubles you, too.

I also find it troubling that the proposed Rule 41 changes weren't discussed nor debated publicly in Congress. Using the proposed Rule 41 changes, the government has found slick, stealth way to gain broader powers to spy on U.S. citizens while conveniently ignoring the Fourth Amendment of the U.S. Constitution.

Senator Paul said in a statement:

"The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion..."

Senator Wyden said in a statement:

"This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process... Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again - this time by their own government."

Proponents of the Rule 41 changes will often argue that the changes are needed to fight child predators and terrorists. A wise person once told me, "you can't just run away from the Fourth Amendment." The ends don't justify the means.

The Computer & Communications Industry Association (CCIA) said:

"The proposed rule change has gone largely unnoticed by the public via a behind-the-scenes process usually reserved for procedural updates. The CCIA has voiced its concern about the government’s requested change for the past two years and we invite other technology advocates to join us in supporting this important legislation... We welcome Senators Wyden and Paul’s efforts to prevent this highly controversial rule change from taking effect. They recognize that the far-reaching implications of the government’s proposed changes merit the full attention of their colleagues in Congress. There are Constitutional, international, and technological questions that ought to be addressed transparently... The government’s proposal is a substantive expansion of its ability to conduct electronic searches, and it deserves a public debate in Congress..."

Peter Goldberger, the Co-Chair of Committee on Rules of Procedure at the National Association of Criminal Defense Lawyers (NACDL) said:

"This is a significant and substantive change to the law masquerading as a procedural rule change.. While it is surely possible to craft a constitutional procedure for digital searches, the rule making process is not sufficient for addressing such fundamental constitutional questions. Only a comprehensive legislative approach, crafted after full public hearings, could possibly deal with all the complex aspects of this issue."

You can read the Stopping Mass hacking Act (Adobe PDF) text. It's short. I wish that it went further and, a) cited prior legal cases to prevent the remote electronic searches of innocent persons' devices, b) included stronger language to prevent innocent persons from the burden of responding to court orders, subpoenas, and searches, and c) prevent the government from hiring a third-party to perform the remote electronic searches.

So, now you know. Thankfully, Senators Wyden and Paul are paying attention and have decided to work together. The seriousness demands such. Senators Tammy Baldwin (D-Wisconsin), Steve Daines (R-Montana), and Jon Tester (D-Montana) are co-sponsors of the Senate bill. Contact your Senator and ask why he/she does not support the Stopping Mass Hacking (SMH) Act. Then, contact your Representative and demand that he/she support a similar bill in the House of Representatives. Tell them that rules changes should not masquerade as changes in laws.

Opinions? Comments?


Surveillance Capitalism: A Profitable Business Google And Microsoft Agree About

Google logo The Guardian reported a major shift at both Google and Microsoft. The tech giants have agreed not to sue each other and to focus upon competing in the marketplace:

"This is a gentleman’s agreement. The specifics are secret, but the message on both sides is that the deal reflects a change in management philosophy. Microsoft’s new chief Satya Nadella is eager to push the vision of a dynamic, collaborative Microsoft, partnering with everyone from Apple to Salesforce."

Microsoft logo Microsoft wants to operate in the marketplace that Google already operates in:

"... Microsoft today is facing a very different business ecosystem to the one it dominated in the 1990s. It needs to adapt... what Satya Nadella describes as “systems of intelligence”... cloud-enabled digital feedback loops. They rely on the continuous flow of data from people, places and things, connected to a web of activity. And they promise unprecedented power to reason, predict and gain insight..."

How this relates to "surveillance capitalism":

"For emeritus Harvard Business School professor Shoshana Zuboff, this gets to the core of the Google-Microsoft deal. Zuboff is a leading critic of what she calls “surveillance capitalism”, the monetization of free behavioral data acquired through surveillance and sold on to entities with an interest in your future behavior..."

Whether you call it -- "systems of intelligence" or "surveillance capitalism" -- it shouldn't be a surprise. There has been government surveillance for intelligence and security applications, and for political control. It is more than technologies such asn e-mail trackers, canvass fingerprinting, voice-activated interfaces, and target advertising (a/k/a behavioral advertising). It is more than companies collaborating with government. It is more than smart meters that automatically collect and transmit via wireless your water, gas, and electric utility consumption.

This latest news makes things a lot clearer how companies plan to use the combination of cloud computing services and Internet-of-Things devices installed in smart homes and public spaces.


The Information The FBI Found After Unlocking The San Bernardino Attacker's iPhone

Federal Bureau of Investigation logo Remember the Federal Bureau of Investigation (FBI) lawsuit using a 227-year-old-law to force Apple Inc. to build "back door" software to unlock an iPhone in California? The FBI said it couldn't unlock the phone, claimed the iPhone had important information on it, but later withdrew its lawsuit after it hired an unnamed third party to hack the iPhone. All of of this, you're probably wondering what information the FBI found on that unlocked iPhone.

Guess what they found? Nothing. Nadda. Zilch. Zip. Squat. CNN reported:

"Hacking the San Bernardino terrorist's iPhone has produced data the FBI didn't have before and has helped the investigators answer some remaining questions in the ongoing probe, U.S. law enforcement officials say... Investigators are now more confident that terrorist Syed Farook didn't make contact with another plotter during an 18-minute gap that the FBI said was missing from their time line of the attackers' whereabouts after the mass shooting... The phone didn't contain evidence of contacts with other ISIS supporters or the use of encrypted communications during the period the FBI was concerned about."

More confident? Either you're confident or you aren't. That's like being pregnant. You can't be more pregnant. But hey... you gotta love those unnamed sources. Sometimes they're accurate, and other times not.

Let's translate this into plain English. The attacker's phone contained nothing, which the FBI spun as valuable. Wow! That's like saying the bulk collection (e.g., spying) of all U.S. citizens' phone calls and emails was valuable because not finding anything proved they were not doing anything criminal.

Wow! The arrogance. The waste of time, money, and resources. It takes a brass set of balls to spin crap like this and keep a straight face.

Yet, the legal wrangling ain't over. An FBI versus Apple lawsuit in Brooklyn continues. And, as CNN reported:

"Apple and the FBI are squaring off again Tuesday in testimony at a House hearing on encryption..."

Yesterday's blog post discussed everything that is wrong With the Burr-Feinstein draft anti-encryption proposal circulating the U.S. Senate. The FBI must be feeling pretty cocky, since two Senators have its back while ignoring the consequences.

What are your opinions?


5 Things Wrong With the Burr-Feinstein Anti-Encryption Bill

If you haven't heard, two U.S. Senators proposed a bill that forces technology companies to assist law enforcement and break the encryption built into their products and services. The Just Security blog analyzed the proposed bill, called the Compliance with Court Orders Act of 2016 (CCOA).

The CCOA draft was written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.), leaders of the Senate Intelligence Committee. It's chief provisions:

"Upon receipt of a court order or warrant for “information or data” sought by a federal, state, local, or tribal government in specific types of investigations or prosecutions, the CCOA requires covered entities to give the government the information or data in an “intelligible” (i.e., unencrypted) format, or to provide any “necessary” technical assistance to render it intelligible. The CCOA only kicks in if the data is “unintelligible” (i.e., encrypted) due to “a feature, product, or service” that is “owned, controlled, created, or provided” by the entity (or by a third party on its behalf). The bill says that no government officer can dictate or prohibit specific design requirements to comply with the law."

Covered entities include tech companies: software developers, device manufacturers, communications providers (wired and wireless), and "remote computing services (RCS)." There are several major things wrong with this proposed legislation:

"In short, the bill prohibits covered entities from designing encryption and other security features so encrypted data is accessible only to the user, not law enforcement nor the entity itself. This is what I would call “effective encryption,” but law enforcement derisively calls “warrant-proof” encryption."

Effective encryption makes sense. It is precisely what is needed by both consumers and businesses to protect and keep private sensitive information, proprietary information, and banking transactions. The Burr-Feinstein proposed bill forces tech companies to build products and services with weaker security:

"...The CCOA would prohibit covered entities in the US from implementing state-of-the-art data security in their products and services... effectively outlaw such cornerstone security concepts as end-to-end encryption, forward secrecy, and HTTPS, which encrypts web traffic against hackers, state-sponsored attackers, and other snoops... It makes covered “license distributors” responsible for the compliance of the software being distributed, meaning Apple’s and Google’s app stores would be on the hook for ensuring every app on offer has weak enough security to meet government standards. It would chill innovation by rendering it largely pointless to work on making software and hardware more secure, because only CCOA-compliant security architectures would be legal."

Think of CCOA-compliant security architectures as GovtOS. The government is forcing tech companies to build a GovtOS. That's wrong. Some of the things wrong with the CCOA:

"2. It can’t stop terrorists and criminals from hiding their activities. The joke in the infosec community used to be that “when crypto is outlawed, only outlaws will use crypto.” The joke’s on Burr and Feinstein... Not only are effective encryption offerings readily available from entities based outside the US, there are already millions upon millions of devices, apps, and software programs presently in use that employ the encryption to be banned going forward. The crypto cat is out of the bag, as New America’s Open Technology Institute put it, and law enforcement’s alarmist and unsupported “going dark” rhetoric can’t hide that fact."

"3. There is no “middle ground” on encryption. This one-sided bill tries to hold itself out as the “middle ground” on encryption... But as cryptography experts have repeatedly explained over the last two decades, there is no middle ground on this issue. Mandating a means of access for law enforcement simply isn’t “appropriate” data security. It is a vulnerability, whose use can’t be limited to “good guys” bearing a court order. This was true 20 years ago and it’s still true today."

That's why many security experts call the CCOA an "anti-encryption" proposal. There's plenty more that's wrong with the CCOA. Read the entire Just Security article.

The CCOA is myopic and wrong. It forces tech companies to build inferior products and services with weaker security; and places U.S.-based tech companies at a disadvantage in the world market. It forces tech companies to do, for free, the investigative work law enforcement should do themselves. The CCOA forces tech companies to build GovtOS, regardless of the negative economic consequences to industry and jobs.

If the CCOA bothers you (and I sincerely hope that it does), tell your elected representatives.


FBI Bought Tool To Hack San Bernardino Attacker's iPhone. Plans Brooklyn Court Action To Force Apple To Unlock iPhone

Federal Bureau of Investigation logo A previous blog post discussed the assistance the U.S. Federal Bureau of Investigation (FBI) has received from an undisclosed company after abandoning its lawsuit against Apple, Inc. regarding the San Bernardino attackers. There have been two important developments this week.

First, CNN reported on Thursday about the hacking method:

"FBI Director James Comey said Wednesday that the government had purchased "a tool" from a private party in order to unlock the iPhone used by one of the San Bernardino shooters... FBI Director James Comey said Wednesday that the government had purchased "a tool" from a private party in order to unlock the iPhone used by one of the San Bernardino shooters."

FBI Director James Comey did not disclose the name of the tool nor the company's name. The CNN news story also discussed whether or not the government will inform Apple about the hacking method:

"Comey said the government was currently considering whether to tell Apple how it pulled off the hack. "We tell Apple, then they're going to fix it, then we're back where we started from," he said. "We may end up there, we just haven't decided yet."

Second, NBC News reported today that the government plans legal action in Brooklyn to force Apple to unlock an iPhone:

"The Justice Department notified a federal judge Friday that it intends to pursue a lawsuit in Brooklyn against Apple, seeking to force the company to open the iPhone of a convicted New York drug dealer. In February, the judge denied the FBI's request to force Apple to open the New York phone, but the Justice Department appealed that ruling... The method a third party provided to open the San Bernardino phone won't work on the Brooklyn phone, federal officials said. "

So the legal fight will continue to force a tech company to build "back door" software into its product. Three things seem clear: a) the FBI wants an updated legal precedent (rather than a 227-year-old law) to force any tech company to build "back door" software into its products and services; b) the FBI believes that it has a stronger case in Brooklyn. Having hacked an iPhone in California, it can argue with more credibility in court why it needs Apple's help in Brooklyn; and c) if successful in court in Brooklyn, the FBI gets investigative tools for free rather than having to pay.

Obviously, news about this story will continue to break. There is so much unknown and undisclosed.


Why iPhones Are Now Less Secure, And How This Affects Everyone

Federal Bureau of Investigation logo Tuesday's blog post discussed the announcement by the U.S. Department of Justice (DOJ) that it had withdrawn its lawsuit against Apple, Inc. because the Federal Bureau of Investigation (FBI), with the help of an unnamed third party, had successfully unlocked the San Bernardino attacker's iPhone and accessed the information in the device. That blog post also discussed several related issues and implications. The government did not disclose the exact method it used to unlock the iPhone.

Today's blog post explores another related issue: whether the government will inform Apple of the vulnerability. With information about the vulnerability, Apple can improve the security of its iPhones. That will help all iPhone users better protect their privacy. The Washington Post reported:

"The FBI plans to classify this access method and to use it to break into other phones in other criminal investigations."

The article described how security research usually works. When security engineers find a vulnerability, they inform the developer so a fix can be quickly built and distributed to users. Also, other developers learn:

"Vulnerabilities are found, fixed, then published. The entire security community is able to learn from the research, and — more important — everyone is more secure as a result of the work. The FBI is doing the exact opposite... All of our iPhones remain vulnerable to this exploit."

No doubt, the FBI and other U.S. government law enforcement (and spy) agencies will use the vulnerability to unlock more iPhones. People forget that iPhones are used by:

"... elected officials and federal workers and the phones used by people who protect our nation’s critical infrastructure and carry out other law enforcement duties, including lots of FBI agents... The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies..."

The worst case scenario: by withholding vulnerability information, the government fosters a situation where Apple products are less secure than other brands developed abroad, whose governments freely shares vulnerability information. That could negatively affect the tech company's revenues and profitability... meaning lost jobs here.

There is one tiny bit of good news in this mess (bold added):

"The FBI did the right thing by using an existing vulnerability rather than forcing Apple to create a new one, but it should be disclosed to Apple and patched immediately."

So now, the bad guys - criminals, hackers, other governments' spy agencies -- know for sure that a vulnerability exists in newer iPhones. If they look hard enough and long enough, they can find it, too. (Many of the bad guys hire skilled, experienced engineers, too.) Once found, they too can use the vulnerability to hack iPhones.

The government's decision to classify the vulnerability seems myopic at best, and at worse extremely unfriendly to users and business. This weakens our defenses. It does not make our defenses stronger.

The government's approach seems to be surveillance trumps privacy. You could say: surveillance by any means necessary (sorry, Malcolm) and damn the consequences. Damn the collateral damage.

Is this wise? Ethical? Is this how you want your government to operate? Was there a debate about this? Did you provide any input to your elected officials? Have they listened?


Justice Department Withdraws Lawsuit Against Apple. Confirms Third Party Successfully Unlocked Attacker's iPhone

Federal Bureau of Investigation logo The U.S. Justice Department (DOJ) announced on Monday its decision to withdraw its lawsuit to force Apple, Inc. to unlock an iPhone used by one of the San Bernardino attackers. U.S. Attorney Eileen M. Decker, of the Central District in California, made the two-paragraph announcement:

"The government has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone that was used by one of the terrorists who murdered 14 innocent Americans in San Bernardino on December 2nd of last year. Our decision to conclude the litigation was based solely on the fact that, with the recent assistance of a third party, we are now able to unlock that iPhone without compromising any information on the phone.

We sought an order compelling Apple to help unlock the phone to fulfill a solemn commitment to the victims of the San Bernardino shooting – that we will not rest until we have fully pursued every investigative lead related to the vicious attack. Although this step in the investigation is now complete, we will continue to explore every lead, and seek any appropriate legal process, to ensure our investigation collects all of the evidence related to this terrorist attack. The San Bernardino victims deserve nothing less."

The announcement confirmed that a undisclosed third party had successfully unlocked the attacker's newer model iPhone and retrieved information from it without triggering the auto-erase security feature. Rumors have speculated that Israel-based Cellebrite is the third party assisting the Federal Bureau of Investigation (FBI). There also was speculation that the National Security Agency (NSA) assisted the FBI.

After a cancelled March 22 court hearing, the government had an April 5 deadline to provide a status to the court. In its original complaint, the government used a 227-year-old law to force the tech company to build software to unlock the newer model iPhone and bypass its security features. The judge agreed and Apple appealed the decision.

The announcement did not mention what, if any, useful information the phone revealed. The government had suspected the device may contain information about other persons working with the attackers.

The legal fight between the FBI and Apple probably is not over. The New York Times reported:

"... what happened in the San Bernardino case doesn’t mean the fight is over,” said Esha Bhandari, a staff lawyer at the American Civil Liberties Union. She notes that the government generally goes through a process whereby it decides whether to disclose information about certain vulnerabilities so that manufacturers can patch them. “I would hope they would give that information to Apple so that it can patch any weaknesses,” she said, “but if the government classifies the tool, that suggests it may not.”

Apple released a brief statement yesterday:

"From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated. Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk..."

At least for now, engineers at Apple can refocus on improving the device's security without being forced to do investigative work the government should have done. According to TechCrunch:

"... the Department of Justice said the method only works on this phone in particular. But it’s hard to believe this argument as there’s no reason the FBI wouldn’t be able to unlock other iPhones 5c running the same version of iOS 9. Moreover, if the FBI found a software exploit, this exploit should work with all iPhones running on this version of iOS 9 (and most likely the current version of iOS, iOS 9.3)..."

What to make of these events?

If the government didn't find any useful information on the attacker's phone, then this court case has been a huge waste of time and taxpayer's money. There was speculation that the government's strategy was to gain broader legal powers to force tech companies to help it break into encrypted devices. (Reread Decker's announcement above, including "... seek any appropriate legal process...") It didn't get that legal precedent by abandoning the case.

However, two U.S. Senators have drafted proposed legislation giving federal judges such broader powers. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee. Will this proposal continue now that the government has withdrawn its lawsuit? Should this proposal continue? If it does, that bears watching. I guess the DOJ didn't want to wait for a gridlocked Congress to act next year after elections.

What are your opinions of these events?


FBI vs. Apple: Cancelled Hearing, Draft Legislation, New Decryption Capabilities, And An Outside Party

Federal Bureau of Investigation logo A lot happened this week. A lot. Below is a recap of key headlines and events involving Apple, Inc. and the U.S. Federal Bureau of Investigation (FBI).

Late during the day on Monday, the government's lawyers got U.S. Magistrate Sheri Pym to cancel a Tuesday March 22 hearing between Apple and the FBI about an earlier court decision forcing Apple to unlock the iPhone used by one of the San Bernardino attackers. Apple did not object to the cancelled hearing. The FBI was ordered to file a status by April 5, 2016. The government filed court papers on Monday explaining why:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. set forth in the All Writs Act Order in this case."

So, on or before April 5 we will learn if this outside party successfully demonstrated the ability to unlock and decrypt information stored on this newer model iPhone without any loss of damage to the information stored on it.

Are these decryption capabilities a good thing? Ars Technica reported:

"Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, said that these new government decryption capabilities are not good for privacy and ever-expanding government surveillance. "The DOJ doesn't want bad precedent, and I think Apple had the better side in this argument," she told Ars. "Being able to hack helps DOJ for a while. Apple could upgrade beyond the capability..."

Meanwhile, two U.S. Senators have drafted proposed legislation giving federal judges broad powers to force technology companies like Apple to help law enforcement break into encrypted devices. Prior proposals died in Congress. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee.

Apple Inc. logo Who is this mysterious outside party helping the FBI unlock and decrypt information on newer model iPhones? There has been speculation that the National Security Agency (NSA) was helping the FBI. One would expect the NSA to have the decryption capabilities. BGR explored this on March 4:

"... the NSA can hack into the device but that it doesn’t want to tell that to the FBI because it never likes to reveal what it’s capable of doing. If that were the case, however, why wouldn’t the NSA help the FBI behind the scenes before the FBI went public with its request for Apple’s assistance? And besides, as The Intercept notes, “courts have affirmed the NSA’s legal right to keep its investigative methods secret.” In fact, security experts explained to Wired earlier this week that the FBI could recruit the NSA to connect the iPhone 5c to a Stingray-like rogue cellular network as it’s booting up, which could give the agency the ability to control the device before it even gets to the unlock screen..."

However, Inverse reported on Thursday who else it might be and why:

"Sun Corporation, the company currently getting rich off public speculation that it can help the FBI break into the notorious San Bernardino iPhone was not always such a fierce competitor. While it’s seen the value of its stock rise 36 percent since Reuters reported that the FBI had enlisted its subsidiary, an Israeli-firm called Cellebrite, to unlock the iPhone..."

NPR reported that it might be a publicity stunt by Cellebrite. Will the FBI meet its April 5 deadline? The NPR report discussed a possible decryption approach:

"Computer forensics researcher Jonathan Zdziarski argues that because the FBI has asked courts for only two weeks to test the viability of the new method, it's likely not highly experimental. It's also likely not something destructive, like the "decapping" method that relies on physically shaving off tiny layers of the microprocessor inside the phone to reveal a special code that would let investigators move the data and crack the passcode. The idea that's garnering the most focus is something called chip cloning, or mirroring or transplantation..."

During a press conference on Friday, FBI Director James Comey wouldn't disclose the name of the outside party. USA Today also reported:

"Law enforcement officials Thursday threw cold water on two recent theories on how the FBI was attempting to hack into an iPhone used by one of the San Bernardino terrorists... FBI Director James Comey, in response to a reporter's question at a briefing, said making a copy of the iPhone’s chip in an effort to circumvent the password lockout “doesn’t work”... A widely discussed scenario in the security world, put forward by a staff technologist at the ACLU, has been that the FBI had found a way to remove crucial chips from the iPhone, make digital copies of them and then run multiple passcode attempts against the digital copies, while keeping the phone's software itself untouched. That would avoid tripping the self-erase program built into the iPhone..."

So, who is helping the FBI -- Cellebrite, the NSA, or both? Or another entity?

Another line of speculation is that the FBI has received assistance from the NSA and has decided to use Cellebrite as a false front. Why might this be true? It allows the FBI to reveal (some) investigation methods without revealing the NSA's real methods. I'm no legal expert, but if this is true, I can't see any judge being pleased about being lied to.

We shall see on or before April 5. What are your opinions? Speculation?


Apple Engineers Consider Their Options, The FBI's Goals, And 'Warrant-Proof Phones' Spin

Apple Inc. logo The encryption engineers at Apple are considering their options, if the U.S. Federal Bureau of Investigation (FBI) is successful at forcing their employer to build back doors into one or several iPhones. The New York Times reported: that

"Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees. Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives."

One explanation for this:

“It’s an independent culture and a rebellious one,” said Jean-Louis Gassée, a venture capitalist who was once an engineering manager at Apple. “If the government tries to compel testimony or action from these engineers, good luck with that.”

The tech company estimated it would take 10 engineers about a month to develop the back-door software, some have called, "GovtOS." That estimate assumed the encryption engineers would be on staff and available. Security experts have warned that more court orders to unlock iPhones will likely follow, if the FBI is successful with forcing Apple to unlock the San Bernardino attacker's phone. 

Since the "back doors" are really software, that software must be developed, debugged, tested, and documented like any other. Those tasks require a broader team across multiple disciplines; all of which could be working (instead) on other projects that generate revenue. Then, multiply this by multiple unlock demands. Will the government reimburse Apple for the new, broader project team it creates to build back-door software? Will the government reimburse Apple for the opportunity cost from lost projects and revenues the team members could have completed instead? Will the government reimburse Apple for the costs of hiring engineers and workers to replace those who quit? It will be interesting to see how the financial markets evaluate all of this, if the FBI successfully forces Apple to unlock iPhones.

By using a 227-year-old law, it seems that the FBI and Director James Comey want to direct the development work of private companies to do tasks they should do themselves, while ignoring the unintended consequences to business and jobs. (Remember, experts warned in 2014 that NSA spying could cost the tech industry billions of dollars.) Has the government really thought this through? It seems like they haven't.

Federal Bureau of Investigation logo What are the FBI's goals? An article in Quartz suggested that the FBI is:

"... worried about is the fast-approaching future when its best hackers will be stymied by powerful corporate encryption and security systems. Federal law, in its current state, is of little help. There is no precedent that will allow the government to force a private company to change its security systems so that the FBI can get inside and take a peek. In fact, the Communications Assistance for Law Enforcement Act (CALEA) could be interpreted to restrict the government from doing so. The FBI has apparently decided that it’s time for federal law to change. So its officials have been searching for a particular case that would give them a shot at changing the established legal precedent.."

Learn more about CALEA and the FBI's attempts since 2010 to expand it. An MIT Technology Review article debunked the government's spin and fear-mongering claims of a new period of "warrant-proof phones" (e.g., newer iPhones) and "going dark." There have always been warrant-proof products and services because these (analog or paper-based) items historically didn't archive or store information. So, historical government surveillance was always "dark." While law enforcement may lose some information surveillance sources in the future due to encryption, the multitude of new technologies, products, services, companies, web sites, and mobile apps during the past few years have provided it with far more sources with far more detailed information than it ever had. The old saying seems to apply: can't see the forest for the trees.

I agree. We definitely live in the golden age of surveillance.

The government's argument is weak also because it ignores the option that the well-funded bad guys, such as drug cartels and terrorist networks, can, a) purchase encrypted communications products and services elsewhere outside the USA, and b) hire engineers and programs to maintain their own encrypted systems.

What are your opinions?


John Oliver's Awesome Fake Apple Ad About Encryption, Privacy And iPhones

With the ongoing legal battle about encryption between Apple and the Federal Bureau of Investigation (FBI), John Oliver, the host of the "Last Week Tonight" show, presented a satirical advertisement for Apple to help consumers understand encryption. The segment is worth watching.

First, some background. The FBI used a 227-year-old law to force Apple to build a "back door" into an iPhone used by one of the San Bernardino attackers, who killed 14 persons. The FBI believes that there may be information on that phone that could lead to other persons involved. Apple has appealed the court decision, citing several security and privacy issues. The back doors, really software, can be stolen and/or modified to make all iPhones vulnerable.

Legal experts warned that the 227-year-old All Writs Act is too broad, and Congress should act to clarify the law. Since then, we've learned that the FBI made access to the phone more difficult after a failed attempt to hack the attacker's iCloud account. Experts also warned that if Apple is forced to build a back there may be unintended consequences, including tech companies moving their operations and jobs offshore to avoid heavy-handed government surveillance and intrusions. And, if the government weakens encryption and security in products made by U.S. tech companies, then users (both good guys and bad guys) will simply shop elsewhere since many security products are already made abroad.

This week, we learned that Apple said the government is lying when it claimed that the company produced advertisements stating that encryption keeps out law enforcement. No doubt, there will be more disclosures and revelations. This latest claim makes the fake ad even more timely. No doubt, the final outcome of the Apple versus FBI court case will affect everyone.

The entire 18-minute segment is a good, funny, entertaining primer about encryption. The about-face by technophobe and U.S. Senator Lindsey Graham (R-South Carolina) is priceless. The fake ad appears in the last two minutes:


Apple News: eBook Price Fixing, Brooklyn, And San Bernardino

Apple Inc. logo Apple, Inc. Has been in the news a lot recently. So, it can be a little confusing to keep track of events. Below is a brief summary of three separate court cases.

First, the U.S. Supreme Court (SCOTUS) declined to hear an appeal by the tech giant about ebook price-fixing with book publishers. The U.S. Justice Department had sued Apple and several book publishers in April, 2012. A lower court decision in 2013 found Apple guilty. Since the SCOTUS declined to hear the appeal, then the lower court decision stands, and Apple must pay a $450 million class-action settlement. Fortune Magazine reported:

"The publishers—Hachette, Penguin, Simon & Schuster, HarperCollins and Macmillan—promptly settled the case, but Apple chose to fight the charges in court. This led to a highly publicized trial in which U.S. District Judge Denise Cote issued a lengthy ruling that Apple had clearly violated Section 1 of the Sherman Act... The price-fixing case, which transfixed the publishing industry, began in 2010 when Apple’s late CEO, Steve Jobs, persuaded five major publishers to sell books on the iPod. Under the arrangement, which was designed to wrest pricing power from Amazon, the publishers shifted to a so-called “agency pricing” model in which they set the price and passed along a commission to Apple."

Second, in California Apple has appealed a lower court's decision forcing it to unlock an iPhone (running iOS 9) used by one of the San Bernardino attackers. A decision in that appeal is pending. The Federal Bureau of Investigation (FBI) admitted during testimony before Congress that it had erred when it reset the associated iCloud password, making it more difficult to access the attacker's iPhone.

Third, a court in Brooklyn (New York) ruled late in February that Apple did not have to unlock a Brooklyn drug dealer's iPhone running the iOS 7 operating system.The tech giant had initially agreed to unlock the phone, but then declined when the court demanded first more information before issuing a search warrant. Bloomberg Business reported:

"When the government first contacted Apple about the drug dealer’s phone, an Apple “data extraction specialist” said it could find data on pre-iOS 8 phones after receiving a search warrant. The next day, the government sought a warrant from [Judge] Orenstein..."

Federal Bureau of Investigation logo Prosecutors have used the All Writs Act in both the Brooklyn and San Bernardino cases. Bloomberg Business reported that prosecutors In the Brooklyn case argued:

That Apple routinely extracted data from such devices shows the government’s request is not “burdensome” and doesn’t violate the All Writs Act, a 1789 law that prosecutors used to demand that Apple help access data on locked phones, the U.S. said. In refusing the government, Orenstein sided with the company’s claim that prosecutors were taking the law too far. He said Congress should resolve the issue. In their appeal, prosecutors said the All Writs Act authorizes courts to issue such warrants and that Orenstein’s “analysis goes far afield of the circumstances of this case and sets forth an unprecedented limitation of federal courts’ authority.”

Bloomberg Business also reported:

"Apple helped the government access data on at least 70 iPhones before it stopped cooperating, according to prosecutors. For phones using older operating systems, the company can extract data from locked devices at its headquarters, according to a guide it produced for law enforcement..."


Apple vs. FBI: "Extraordinary" Government Actions May Cause U.S. Companies To Move Offshore

Apple Inc. logo There may be unintended consequences of the Federal Bureau of Investigation (FBI) is successful with forcing Apple, Inc. to build back doors into its iPhones. What might some of those unintended consequences be? TechCrunch reported that Lavabit filed an amicus brief supporting Apple. Never heard of Lavabit? Forgot about Lavabit? You may remember:

"... Lavabit, a technology company that previously judged it necessary to shutter its own service after receiving similarly “extraordinary” government demands for assistance to access user data, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden... the FBI sought the private encryption key used by Lavabit to protect the Secure Socket Layer (“SSL”) and Transport Layer Security (“TLS”) connections to their servers. With the SSL/TLS private key in hand, the FBI would be able to impersonate Lavabit on the Internet. This would allow them to intercept, decrypt, inspect, and modify (either with intent, or by accident) all of the connections between Lavabit and the outside world..."

Federal Bureau of Investigation logo In its brief, Lavabit argues that by being forced to build back doors into its devices. not only would Apple's brand be tarnished, but that the ability of iPhone users to receive reliable and secure operating-system security updates would be degraded. Some updates might include malware. If users' trust decreases and they choose to stop receiving security updates, then their devices become more vulnerable than otherwise. That's not good. And, if people blame government for starting this security mess, then that's not good either since it would erode trust in government.

Would companies relocate out of the United States due to privacy and surveillance concerns? Consider:

"... Silent Circle, moved its global headquarters from the Caribbean to Switzerland back in May 2014 — citing the latter’s “strong privacy laws” as one of the reasons to headquarter its business in Europe. Various other pro-encryption startups, including ProtonMail and Tutanota, have also chosen to locate their businesses in countries in Europe that have a reputation for protecting privacy."

Plus, there are money concerns. Since 1982, at least 51 companies completed tax inversions: moved their headquarters (and sometimes some employees) out of the United States to another country to enjoy lower taxes. So, Burger King is now a Canadian company. Pfizer is now an Irish company. And, lower tax payments by companies make government deficits (federal, state, local) worse. The bottom line: profitability matters. When companies suffer lower profitability -- as tarnished brands often do -- their executives take actions to improve profits. It's what they do.

Want to learn more about Lavabit? At about the two-thirds mark in the film "CitizenFour," Lavabit founder Ladar Levison shares some of his experiences.


Why The FBI Can't Access The San Bernardino Attacker's iPhone

Federal Bureau of Investigation logo On Tuesday, the head of the Federal Bureau of Investigation (FBI) admitted during House Judiciary Committee hearings that his agency lost an opportunity to access the San Bernardino attacker's iPhone when it reset the password to the iCloud account associated with the phone. The New York Times reported:

"There was a mistake made in the 24 hours after the attack,” James B. Comey Jr., the director of the F.B.I., told lawmakers at a hearing on the government’s attempt to force Apple to help “unlock” the iPhone. F.B.I. personnel apparently believed that by resetting the iCloud password, they could get access to information stored on the iPhone. Instead, the change had the opposite effect — locking them out and eliminating other means of getting in."

A Federal Court judge had ruled last month in favor of the FBI, and ordered Apple to develop the software to unlock the attacker's phone. Apple is appealing the ruling. FBI officials have claimed that the phone may contain information about what the attacker and his wife did before the attack, and who they communicated with. More details emerged during the hearing:

"When the dispute over Mr. Farook’s iPhone erupted two weeks ago, the Justice Department blamed technicians at San Bernardino County, which employed Mr. Farook as an environmental health specialist and which owned the phone he used. But county officials said their technicians had changed the password only “at the F.B.I.’s request.” Mr. Comey acknowledged at the hearing that the F.B.I. had directed the county to change the password."

Apple Inc. logo Bruce Sewell, the general counsel at Apple, also spoke at the hearing on Tuesday. He warned:

"... the F.B.I.’s demand for technical help to unlock Mr. Farook’s iPhone 5c “would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.” Apple has said that in many cases investigators have other means to gain access to crucial information, and in some instances it has turned over data stored in iCloud."

Mr. Sewell also said:

"... before F.B.I. officials ordered the password reset, Apple first wanted them to try to connect the phone to a “known” Wi-Fi connection that Mr. Farook had used. Doing so might have recovered information saved to the phone since October, when it was last connected to iCloud. “The very information that the F.B.I. is seeking would have been available, and we could have pulled it down from the cloud..."

So, the FBI has only itself to blame for the current mess, and for making access to the attacker's iPhone more difficult.


Government Uses 227-Year-Old Law To Force Apple To Unlock Terrorist's iPhone

Federal Bureau of Investigation logo The U.S. Department government has used a law created in the 1700's to force Apple Computer to break into an iPhone used by a terrorist last year. The New York Times reported that on Tuesday:

"... Magistrate Judge Sheri Pym of the Federal District Court for the District of Central California ordered Apple to bypass security functions on an iPhone 5c used by Syed Rizwan Farook, who was killed by the police along with his wife, Tashfeen Malik, after they attacked Mr. Farook’s co-workers at a holiday gathering. Judge Pym ordered Apple to build special software that would essentially act as a skeleton key capable of unlocking the phone... The Justice Department had secured a search warrant for the phone, owned by Mr. Farook’s former employer, the San Bernardino County Department of Public Health, which consented to the search... the F.B.I., instead of asking Congress to pass legislation resolving the encryption fight, has proposed what appears to be a novel reading of the All Writs Act of 1789... The government says the law gives broad latitude to judges to require “third parties” to execute court orders. It has cited, among other cases, a 1977 ruling requiring phone companies to help set up a pen register, a device that records all numbers called from a particular phone line..."

Apple Inc. logo So far, Apple has refused to comply. Excerpts from a statement by Apple:

"The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake... Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us. For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe... But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control... The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data."

This is not the first use of the All Writs Act against Apple. NPR reported:

"Last fall, the Justice Department, using the All Writs Act, tried to force Apple to unlock an iPhone running iOS 7 in a case involving a suspected methamphetamine dealer. Apple responded that it might be technically capable of unlocking that phone (since iOS 7 has fewer security features than later operating systems) but said the cost to the company's reputation — and resulting harm to its business — would pose an "undue burden." That case is still pending.."

The NPR news story also mentioned:

"In 2014, at the Justice Department's request, a federal court in New York used the law to order a phone-maker to unlock a password-protected device. The Justice Department says various other companies have been ordered under the All Writs Act to provide otherwise inaccessible information to investigators."

This is huge news. It highlights several privacy issues:

  1. Has the government over-reached by using a 1789 law?
  2. How can the government force a company to build something -- software, malware -- that doesn't exist? This Atlantic article describes the coercion slippery slope.
  3. Can Apple successfully build a back door for a single iPhone?
  4. If #3 is not technically impossible, does the back door place all iPhones at risk?
  5. Are back doors the best way to fight terrorism? Like you, terrorists read the news and will simply switch to other products without built-in back doors.
  6. Are back doors really needed? The law enforcement community is split over this.
  7. Are back doors a benefit or a risk?
  8. How does the government ensure that criminals, terrorists, and other governments' hackers don't use the same "back doors" it uses? After all, the Federal government has had massive data breaches.
  9. Do "back doors" prevent businesses from adequately protecting their proprietary trade secrets, processes, and private information?
  10. Why haven't other technology companies resisted the government's demands for back doors, as Apple has? This Wired article discusses why Apple's position (including encryption and strong privacy protections) is good for business.
  11. What does this mean for consumers' privacy? Some iPhone users have already built a website for protests.

Regarding item #1, the American Civil Liberties Union (ACLU) wrote in December 2015:

"The All Writs Act permits a court to issue an order to give effect to a prior lawful order or an existing grant of authority, and has been used for such things as ordering a prisoner be brought before a court. The Act does not allow a court to invest law enforcement with investigative tools that Congress has not authorized — like the extraordinary and unconstitutional conscription of a third party into obtaining information the third party does not possess or control... it’s even more troubling to consider that the government, by its own admission, has invoked it successfully in at least 70 cases."

The ACLU, the ACLU of Northern California, and the Center for Internet and Society (CIS) at Stanford Law Scvhool, filed a Freedom of Information Act (FOIA) request in December to understand the government’s use of the All Writs Act to force device manufacturers to unlock devices. It is important to known the full scope of the government’s use of a 227-year-old law. The Electronic Frontier Foundation (EFF) announced that it will file an amicus brief supporting Apple.

Center for Internet and Society at Stanford law School logo The CIS responded to the recent court decision:

"The text of the court order is here. Although it does not direct Apple to break the encryption per se, it asks the company to disable features that make it more difficult to brute force the device security capabilities -- such as the function that disables (er, self-destricts) the device after multiple attempts to enter a PIN number. While that sounds innocuous enough, it is likely such access cannot be granted on a device-by-device basis upon demand by law enforcement, although some technologists believe it possible. Rather, unless Apple demonstrates the technical, economical, or temporal infeasability of complying with the judge's order or gets the order lifted, the consequence may well be an update/patch to IOS that would implement that proverbial "backdoor" feature that certain law enforcement officials -- specifically, FBI Director James Comey -- allege is needed to protect the country, citizens, and (think of the) children from Any Number of Evil-Sounding Things That May or May Not Be True(tm). By contrast, NSA Director Admiral Mike Rogers has already stated publicly there is no need for such back doors or law enforcement access, and that strong Internet security features are more of a benefit than risk to society -- despite that perennial and selectively sensational hand-wringing by prominent law enforcement and/or intelligence officials..."

The privacy-friendly DuckDuckGo.com search engine posted this tweet on Wednesday:

Tweet by DuckDuckGo.com search engine about Apple iPhone privacy and government back door demand

And former N.S.A. contractor Ed Snowden posted:

Tweet by former NSA contractor ed Snowden about the FBI demand for Apple to unlock an iPhone


New York Civil Liberties Union Reports 'Stingray' Usage By New York City Police

After several freedom-of-information requests, the New York Civil Liberties Union (NYCLU) announced yesterday:

"In response to an NYCLU FOIL request, the NYPD disclosed it used Stingrays nearly 1,016 times between 2008 and May of 2015 without a written policy and following a practice of obtaining only lower-level court orders rather than warrants. This is the first time the extent of the use of Stingrays by the NYPD has been made public... Authorities are able to conduct this surveillance without the involvement of cell phone companies... The NYPD also disclosed that it has no written policy for the use of Stingrays but that, except in emergencies..."

Stingrays are devices that simulate real cellular phone towers in order to track and collect data about phone users. Your phone cannot distinguish between a real and simulated cellular tower. The data collection affects many people besides the persons being tracked:

"... in some configurations, [stingrays] collect the phone numbers that a person has been texting and calling and intercept the contents of communications. Stingrays also sweep up information from nearby bystander cell phones even when used to target specific phones..."

So, you can be completely innocent, and still be tracked. Not good. The U.S. Justice department implemented a new policy in September 2015 requiring probable-cause warrants for some usage. Stingrays are used by federal, state, and local law enforcement in at least 18 states. Stingrays are used far beyond New York City:

"Last April, the NYCLU released records showing the Erie County Sheriff’s Office had used Stingrays 47 times in the last four years and only once indicated obtaining a pen register order before doing so... In May, NYCLU FOIL requests also revealed that the New York State Police spent hundreds of thousands of taxpayer dollars on Stingrays and related equipment."

The NYCLU is an affiliate of the American Civil Liberties Union (ACLU). Read this to learn more about stingray usage by law enforcement.


Blocking The Ad Blockers

The digital advertising arms race is well underway. Since many consumers have installed ad blocking software on their computing devices for privacy and a better online experience, some publishers have responded by blocking those online users... or at least those users' web browsers.

While attempting to stream the latest episode of a popular television show, I encountered the message below, which is an extremely poor implementation. It suggested that i disable all ad blocking software. A better, responsible implementation would include messaging about the specific advertising mechanism:

Blocked ad blocker at CBS website. Click to view larger image

Have you encountered any similar messages at other sites?


You've Got Email Trackers: A Tool Marketers Use To Spy On Consumers

The New York Times told the story of an executive who received a call at 10:30 pm on his smartphone from a marketer, minutes after opening an e-mail message from the same marketer. Coincidence? The executive didn't think so, and after some investigation found that the marketer had planted a tracking mechanism in the e-mail message.

This marketer took e-mail marketing to the creepy zone. The marketer arrogantly assumed the executive, a) wouldn't mind the tracking and privacy invasion; and b) was agreeable to receiving a late-night phone call. Inappropriate. If the executive was driving his car, the late-night call could have created a distracted driving risk. Dangerous.

This marketer isn't alone. According to The New York Times:

"The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker."

The e-mail tracking is possible because most users view HTML e-mail messages. One e-mail vendor's website home page highlights the industry's position:

Image of Sidekick home page. Click to view larger version.

Marketers want to know when, where, what device you use, and what link(s) you click on with their e-mails and advertisements. Yes, marketers should be able to evaluate their e-mail and marketing programs. At the same time, consumers have valid needs, often including privacy and the desire not to be tracked.

According to Pew Research, consumers perform a variety of tasks to thwart online tracking and data collection: delete browser cookies or browser history (59 percent), refuse to provide personal information irrelevant to the transaction (57 percent), set their browser to disable or turn off browser cookies (34 percent), and more. 86% of internet users have taken steps online to remove or mask their digital footprints. Plus, the growth in usage of ad-blockers by consumers highlights the desire not to be tracked (since many advertising networks contain tracking mechanisms):

"Between 15 to 17% of the U.S. population reportedly use ad blockers, and the number is double that for millennials. The numbers are even higher in Europe, and up to 80-90% in the case of specialty tech and gaming sites."

So, balance and respect are key. If marketers and advertisers are going to plant trackers in e-mail messages, then be honest and transparent: say so. Notify consumers. Provide opt-in mechanisms for consumers that don't mind the tracking.

Don't be that creepy marketer.

Will marketers act with respect and not go to the creepy, dark side? History suggests otherwise, given the litany of covert technologies marketers and advertisers have used to track consumers online: browser cookies, zombie cookies, zombie e-tags, Flash cookies to regenerate browser cookies users have deleted, super cookiescanvas finger-printing, and more recently cross-device tracking.

Aware consumers realize that surveillance isn't performed only by government spy agencies. Private-sector corporate marketers and advertisers do it, too. The New York Times article discussed one of the e-mail trackers used:

"... MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message..."

Unfortunately, both the good guys and bad guys (e.g., spammers, phishers) use e-mail trackers. Experts advise consumers to expect trackers planted in messages, and:

"A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links."

Ugly Email and Trackbuster, are tools consumers can use to detect trackers embedded in e-mail messages. The former is a Gmail plug-in.

What are your opinions of e-mail trackers? What software do you use to detect e-mail trackers?

[Editor's Note: an earlier version of this post linked the "cross-device tracking" text to a CBS News article. That link was updated to a more descriptive article at Ars Technica.]


ESPN Report Links Spygate To Deflategate. Chronicles Decisions By NFL

National Football League logo If you haven't read it, there is a very interesting article at ESPN about the National Football League (NFL) and the New England Patriots team. After reading this ESPN article, it seems that the NFL has a gigantic mess on its hands. If the article is accurate, and it's accuracy is questionable given ESPN's erroneous reporting previously of the number of deflated footballs, then the punishment by NFL Commissioner Roger Goodell for deflategate was linked to spygate.

A better-written ESPN would have included embedded text links, for fans to read more and verify certain statements. Also, the article reads like a hit job on the Patriots... to tarnish the team’s brand and its value, thereby hurting Kraft in the wallet since QB Tom Brady won in court the first round against the league. At the same time, Goodell’s decision to destroy spygate evidence tarnishes the league’s credibility. Hence, huge mess. Some gems from the article:

“To many owners and coaches, the expediency of the NFL's [2008 spygate] investigation -- and the Patriots' and Goodell's insistence that no games were tilted by the spying -- seemed dubious. It reminded them of something they had seen before from the league and Patriots: At least two teams had caught New England videotaping their coaches' signals in 2006, yet the league did nothing. Further, NFL competition committee members had, over the years, fielded numerous allegations about New England breaking an array of rules. Still nothing. Now the stakes had gotten much higher: Spygate's unanswered questions and destroyed evidence had managed to seize the attention of a hard-charging U.S. senator, Arlen Specter of Pennsylvania, who was threatening a congressional investigation. This would put everyone -- players, coaches, owners and the commissioner -- under oath, a prospect that some in that room at The Breakers believed could threaten the foundation of the NFL.”

The supposed linkages between spygate and deflategate:

“Interviews by ESPN The Magazine and Outside the Lines with more than 90 league officials, owners, team executives and coaches, current and former Patriots coaches, staffers and players, and reviews of previously undisclosed private notes from key meetings, show that Spygate is the centerpiece of a long, secret history between Goodell's NFL, which declined comment for this story, and Kraft's Patriots. The diametrically opposed way the inquiries were managed by Goodell -- and, more importantly, perceived by his bosses -- reveals much about how and why NFL punishment is often dispensed. The widespread perception that Goodell gave the Patriots a break on Spygate, followed by the NFL's stonewalling of a potential congressional investigation into the matter, shaped owners' expectations of what needed to be done by 345 Park Ave. on Deflategate.”

And:

“... many former New England coaches and employees insist that the taping of signals wasn't even the most effective cheating method the Patriots deployed in that era. Several of them acknowledge that during pregame warm-ups, a low-level Patriots employee would sneak into the visiting locker room and steal the play sheet, listing the first 20 or so scripted calls for the opposing team's offense.”

A Patriots employee was caught filming in the Jets stadium during a 2007 game, and his camera confiscated. Goodell’s decision to destroy this video evidence in 2008:

“During the first half, Jets security monitored Estrella, who held a camera and wore a polo shirt with a taped-over Patriots logo under a red media vest that said: NFL PHOTOGRAPHER 138. With the backing of Jets owner Woody Johnson and Tannenbaum, Jets security alerted NFL security, a step Mangini acknowledged publicly later that he never wanted. Shortly before halftime, security encircled and then confronted Estrella. He said he was with "Kraft Productions." They took him into a small room off the stadium's tunnel, confiscated his camera and tape, and made him wait... On Monday morning, Estrella's camera and the spy tape were at NFL headquarters on Park Avenue... Belichick explained that he had misinterpreted a rule, which the commissioner did not believe to be true, sources say, and that he had been engaged in the practice of taping signals for "some time." The coach explained that "at the most, he might gain a little intelligence," Goodell would later recall, according to notes. Belichick didn't volunteer the total number of games at which the Patriots had recorded signals, sources say, and the commissioner didn't ask... The next day, the league announced its historic punishment against the Patriots, including an NFL maximum fine for Belichick. Goodell and league executives hoped Spygate would be over... When Estrella's confiscated tape was leaked to Fox's Jay Glazer a week after Estrella was caught, the blowback was so great that the league dispatched three of its executives -- general counsel Jeff Pash, Anderson and VP of football operations Ron Hill -- to Foxborough on Sept. 18. What happened next has never been made public: The league officials interviewed Belichick, Adams and Dee, says Glaser, the Patriots' club counsel. Once again, nobody asked how many games had been recorded or attempted to determine whether a game was ever swayed by the spying, sources say. The Patriots staffers insisted that the spying had a limited impact on games. Then the Patriots told the league officials they possessed eight tapes containing game footage along with a half-inch-thick stack of notes of signals and other scouting information belonging to Adams, Glaser says. The league officials watched portions of the tapes. Goodell was contacted, and he ordered the tapes and notes to be destroyed, but the Patriots didn't want any of it to leave the building, arguing that some of it was obtained legally and thus was proprietary. So in a stadium conference room, Pash and the other NFL executives stomped the videotapes into small pieces and fed Adams' notes into a shredder...”

The articled is filled with interviews with people who claimed this or that. No hard evidence. I guess this is how an oligopoly approaches investigations and “justice.” Lots of allegations, rumors, no proof, destruction of what little evidence existed, lots of fines (like big banks), and never true honesty with fans by telling fans everything.

Does your favorite NFL team cheat? Yes, according to the Your Team Cheats site.

Like I said, it’s a big mess. I'm glad I stopped watching the NFL back in 2013.