It doesn’t matter that much that Apple and Google encrypt your phone

Apple’s and Google’s announcements that they will encrypt information on your phone are nice, but won’t help much. Most data is in the cloud, these days; and your protections in the cloud are governed by laws of numerous countries, almost all of which have quite large exceptions.

At the Internet Engineering Task Force we have taken a very strong stand that pervasive surveillance is a form of attack.  This is not a matter of lack of trust of any one organization, but rather a statement that if one organization can snoop on your information, others will be able to do so as well, and they may not be so nice as the NSA.  The worst you can say about the NSA is that a few analysts got carried away and spied on their partners.  With real criminals it’s another matter.  As we have seen with Target, other large department stores, and now JP Morgan, theirs is a business, and you are their commodity, in the form of private information and credit card numbers.

So now here comes Apple, saying that they will protect you from the government.  Like all technology, this “advance” has its pluses and minuses.  To paraphrase a leader in the law enforcement community, everyone wants their privacy until it’s their child at risk.  However, in the United States, at least, we have a standard that the director of the FBI seems to have forgotten: it’s called probable cause.  It’s based on a dingy pesky old amendment to the Constitution which states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

So what happens if one does have probable cause?  This is where things get interesting.  If one has probable cause to believe that there is an imminent threat to life or property and they can’t break into a phone, then something bad may happen.  Someone could get hurt, for instance.  Is that Apple’s fault?  And who has the right to interpret and enforce the fourth amendment?  If Apple has a right to do so, then do I have the right to interpret what laws I will?  On the other hand, Apple might respond that it has no responsibility to provide law enforcement anything, and all it is doing is exercising the right of free speech to deliver a product that others use to communicate with.  Cryptographer and Professor Daniel Bernstein successfully argued this case in the 9th Circuit in the 1990s.  And he was right to do so, because going back to the beginning of this polemic, even if you believe your government to be benevolent, if it can access your information, so can a bad guy, and there are far more bad guys out there.

Apple hasn’t simply made this change because it doesn’t like the government.  Rather, the company has recognized that for consumers to put private information into their phone, they must trust the device to not be mishandled by others.  At the same time, Apple has said through their public statements that information that goes into their cloud is still subject to lawful seizure.  And this brings us back to the point that President Obama made at the beginning of the year: government risk isn’t the only form of risk.  The risk remains that private aggregators of information – like Apple and Google or worse, Facebook – will continue to use your information for whatever purposes they see fit.  If you don’t think this is the case, ask how much you pay for their services?

And since most of the data about you or that you own is either in the cloud or heading to the cloud, you might want to worry less about the phone or tablet, and more about where your data actually resides.  If you’re really concerned about governments, then you might also want to ask this question:  which governments can seize your data?  The answer to that question is not straightforward, but there are three major factors:

  1. Where the data resides;
  2. Where you reside;
  3. Where the company that controls the data resides.

For instance, if you reside in the European Union, then nominally you should receive some protection from the Data Privacy Directive.  Any company that serves European residents has to respect the rights specified in that.  On the other hand, there are of course exceptions for law enforcement.  If a server resides in some random country, however, like the Duchy of Grand Fenwick, perhaps there is a secret law that states that operators must provide the government all sorts of data and must not tell anyone they are doing so.  That’s really not so far from what the U.S. government did with National Security Letters.

There’s a new service that Cisco has rolled out, called the Intercloud that neatly addresses this matter for large enterprises, providing a framework to keep some data local, and some data in the cloud, and the enterprise has some control over which.  Whether that benefit will extend to consumers is unclear.

In the end I conclude that people who are truly worried about their data need to consider what online services they use, including Facebook, this blog you are reading right now, Google, Amazon, or anyone else.  They also have to consider how if at all they are using the cloud.  I personally think they have to worry less about physical devices, and that largely speaking Apple’s announcement is but a modest improvement in overall security.  The same could be said for IETF efforts.

How do you deal with a bully?

Over the past year this blog has been quiet.  I cannot, however, remain quiet any longer about the situation in Russia.  Even back in 2008 I wrote that Vladimir Putin was trouble, that the Cold War was back on, and that President Bush stood idly by.  It would be bad enough to say that nothing has changed, but since then, things have gotten worse, and for the Ukraine, a lot worse.

Once again the world stands at the brink of war with a maniac, and we wonder how to avoid it.  Those Russians who resist the kook are subject to harassment or arrest.  The casual relationship Mr. Putin has with the truth makes negotiations  impossible.  It would be bad enough if it were just the Ukraine that was put through this nightmare.  But Estonia has suffered cyberattacks from Russia, and it is a sure bet that the rest of the world has suffered them as well.

All of this because the Ukraine dared enforce their democracy to establish stronger economic ties with the European Union, against their neighbor’s will.  And when it was shown that threatening to turn off the gas was not enough to dissuade Ukrainians, Mr. Putin invaded.

There are very few steps between where we are now and open armed conflict beyond the Ukraine.  Knowing this, rather than seeking peaceful resolution to the situation, Mr. Putin rattled his large nuclear sword, like bullies flex their muscles.

But there are a few.

Europe took additional steps this week to attempt to restrain this great bear, and one knows that Russia has transgressed when the leaders of the EU can agree on something.  Whether it is enough to keep the peace in the Ukraine and to keep Russia’s domineering presence at bay is a question only Mr. Putin can answer.

Europe ought not stand alone when dealing with this threat.  The United States has a role to play by supporting Europe in arranging for alternative sources of fuel.  Other leaders need to stand up and say that this is not a way for a superpower to behave.

How to speak the truth and yet lie? Ask General Alexander

Old joke in the industry: the difference between a sales person and marketing person is that the marketing person knows when he’s lying.  Which is General Alexander?

Let’s appreciate that the head of a spying agency is in a tough spot.  Allies and citizens of the U.S. alike are outraged, making an actual dialog difficult.  Leaders, however, must address hard issues head on and truthfully; and they must demonstrate command of the subject matter, or we waste our time.

Let’s go through some of the General’s statements:

“the assertions… that NSA collected tens of millions of phone calls [in Europe] are completely false”.

– From a BBC article

Maybe, but he and the president have in the past made the distinction between so-called “meta-data” (which the rest of us just call “data”).  And so maybe the NSA doesn’t have access to the calls, but he has not denied that they have access to who people called, the time and date they called, and for how long.  What is the truth?

Yesterday The Washington Post dropped another Snowden bombshell, indicating that the NSA was intercepting Google customer traffic by tapping into their communications lines.  The Guardian had previously reported that GCHQ was tapping fiber cables.  Alexander’s response, this time?

“This is not NSA breaking into any databases. It would be illegal for us to do that. So, I don’t know what the report is. But I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order.”

– From CNN

Except in this case, the NSA is not accused of breaking into servers, but rather tapping communications off of fiber cables.  By answering a charge that wasn’t made, either the general doesn’t understand the issue and therefore cannot meaningfully inform the President or the public, or he does understand the truth and is intentionally prevaricating to the public.  What is necessary is a public debate over the policy issues relating to surveillance, and when it should and should not be authorized.  The people leading that dialog should be truthful and informed.

I’m sure the general is aware that everyone has their day of reckoning.  It’s time for his.  The president needs to find a new director of the NSA who can intelligently advance an honest discourse.

Q: When do principles cost too much?

A: when they’re the wrong principles and the money could be spent educating students instead.

USA Today/Gannett is reporting that the Easton, PA school district is appealing a federal appeals court decision that allowed two girls to wear bracelets that say, “I (heart) Boobies”.  The bracelets are part of a breast cancer awareness campaign.  Easton’s argument is that the bracelets are lewd.

I grew up in a town that had a track record of going to the Supreme Court for stupid reasons.  The first case involved trying to claim that English as a Second Language Teachers weren’t actually teachers, despite their qualifications and the fact that they were in fact teaching.  They lost.  In a separate case, they went to the Supreme Court over having searched a girl’s locker and having had her arrested.  The Court dismissed the notion that they were entitled to act in loco parentis, under the theory that few parents would have their children arrested.  Both of these cases cost the taxpayers millions of dollars.

Easton, PA is not a rich town.  The district does okay with what they have (about the middle of the pack in PA).  Still, their money is being wasted by a case of very questionable merit, where even a positive result will not help a single student.  So why sue?  Because the superintendent wanted to be the ultimate source of authority in his district for what is and is not appropriate for students to wear.  Guess what?  He’s a public servant, applying the rules of our society.  He doesn’t get the final say.  And he’s wasting a lot of money finding out.  Oh and their lawyer story claims that the appeal will cost $2,000-$3,000.  Horse hockey!

Snowden disclosures reveal NSA abuse

I had no knowledge of the NSA’s programs, but I’m not surprised by most of it.  James Bamford articulated in The Puzzle Palace in 1980 what the NSA was capable of, and it has always been clear to me that they would establish whatever intelligence capabilities they could in order to carry out their mission.  There are several areas that raise substantial concerns:

1.  NSA’s own documents indicate that they intended to interfere with and degrade crypto standards.  That on its own has caused the agency substantial harm to its reputation that will take decades to recover from.  But they haven’t just sullied their own reputation but that of the National Institute of Standards and Technology (NIST), who are a true braintrust.  Furthermore, they’ve caused the discounting in the discourse of anyone technologically knowledgeable who has either recently held or currently holds government posts.  I will come back to this issue below.

2.  It is clear that the FISA mechanism just broke down, and that its oversight entirely failed.  Neither Congress nor the Supreme Court took its role seriously.  They all gave so much deference to the executive because of that bugaboo word “terrorism” that they failed to safeguard our way of life.  That to me is unforgivable and I blame both parties for it.  In fact I wrote about this risk on September 12, 2001.  I wrote then:

I am equally concerned about Congress or the President taking liberties with our liberties beyond what is called for. Already, millions of people are stranded away from their loved ones, and commerce has come to a halt. Let’s not do what the terrorists could not, by shrinking in fear in the face of aggression, nor should we surrender our freedom.

Sadly, here we are.

3. There are reports about law enforcement taking intelligence information and scrubbing the origin.  Where I come from we call that tampering with evidence in an egregious attempt to get around those pesky 4th and 5th amendments.

4. The NSA’s activities have caused great harm to the U.S. services industry because other nations and their citizens have no notion as to when their information will be shared.  This is keenly true for companies such as Google and Microsoft who, it is reported, were ordered to reveal information.  The great Tip O’Neill said that all politics is local.  That may be true, but in a global marketplace, all sales are local.

It would be wrong to simply lay blame on the NSA.  They were following their mission.  Their oversight simply failed.  Congress needs oversight.  That is our responsibility.