There is no such thing as “information” security.
A friend of mine asked for a quick comment on a Telegraph news story about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abide by a one-year Internet traffic data retention period.
Here is my answer:
It is clear that the EUCJ is following its political agenda.
As I have said countless times, law enforcement and national security aren’t subject to the might of the data-protection directive, so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are not informed about the retention. There is a law that sets forth the duty, so citizens are supposed to know about it (ignorantia legis non excusat).
Again, the article and – I suppose – the EUCJ confuse fairly different things: GCHQ is intelligence and – as such – is well out of reach of the DP directive. Other public bodies have the right to perform their investigations to guarantee respect for the law.
So, the actual problem is quis custodiet ipsos custodes. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable).
As expected, Privacy Shield has been challenged in front of the EUCJ.
Before wasting time and money trying to comply with this DOA thing, it would be safe to wait for the judgement.
Phoneys is software that allows a user to change the content of an iPhone chat, thus altering the meaning of the conversation. While this is just entertainment software, it might have some disturbing impacts on a possible criminal investigation.
Indeed, SMS, chat transcripts and messages are routinely used as a source of evidence by lawyers and prosecutors on the basis that if something is on a phone it can hardly be faked. Of course, this is not always true, of course evidence must be corroborated by independent checks, of course the legal community is not so dumb as to take a text on a phone screen at face value. But…
Phoneys allows a malicious person to create a prima facie deceptive fact, by exploiting the fact that a message has actually been sent, thus leading the investigator into thinking that a conversation took place with the intended correspondent. In an emergency context, the necessity of taking immediate action might push him to under-evaluate what has been shown as “evidence”, thus jeopardizing the final result.
Maybe this is either a minor or non-existent issue. But judicial reality has proven to be more surprising than a legal thriller. So, next time you’re confronted with a message as evidence, why not double-check?
Just in case…
According to a statement published on the Brazilian Policia Federal’s website, a criminal court issued a “mandado de prisão preventiva” (roughly, pre-emptive arrest order) against Facebook’s representative in Brazil, charged with not having cooperated in providing information about a Facebook page.
The Brazilian Court, unlike the San Bernardino one in the Apple case, chose to take its white gloves off and go straight for the jugular, leaving no doubt about the fact that cooperation with the public prosecutor is a mandatory duty for everybody, tech companies included.
By comparing the Apple and the Facebook cases (and Google’s public position about the topic) a disturbing trend emerges: Internet companies (at least the so-called “Over The Top” – OTT) “think different” about themselves. Why should the OTT be left alone, when an ISP is burdened (often for free, BTW) to provide a public prosecutor with wiretapping, data-retention, forensic support, and data-mining services? Like it or not, corporate criminal liability and obstruction of justice regulation still work for the OTT too, and the OTT must live with it.
This Facebook case further supports the opinion I’ve expressed about the true issue at stake: on one side, the lack of confidence in our social and legal system as a whole and thus the fact that you can’t actually trust a magistrate and a law enforcement agency; on the other side, the “ubermensch” syndrome that affects (not only high-tech) companies and that leads them into thinking that they have the “right” (or the power) to part right from wrong.
The US District Court for the Eastern District of New York order that prevented the US Drug Enforcement Agency (DEA) from forcing Apple to provide support in bypassing the passcode security on an Apple device is another chapter of the “Should-we-allow-State-to-mess-with-our-intellectual-property” saga, starring Apple.
Now that another Court ruled in a different way than the previous one, the score is even: 1 for the “crack-the-iphone” team, 1 for the “don’t-even-think-about-it” Cupertino’s.
To me, this legal uncertainty shows the mistake underlying the whole issue.
A public prosecutor has the power to do whatever it takes to finalize an investigation, provided that his powers are scrutinized by a judge. This is the theory, and a fair compromise under the “check-and-balance” doctrine.
So, from a strictly legal point of view, Apple and the NY court are wrong, since the privacy threats and the possibility of abuse were still there with the wiretapping, remote surveillance and so on. The iPhone issue is just a variation of a known “breed”. We all know that the legal system is not “foolproof”, and that sometimes somebody abuses his prerogatives, but this is not a reason to stop allowing a law enforcement entity to do its job by way of technical means.
Again, the actual point is whether the private interests of a company can overrule the State’s duty to seek justice.
And even if Apple were right, this would make things worse, because it would mean that we live in a society that we ourselves don’t trust enough. And if that is so, obviously the problem is neither Apple nor the iPhone encryption…
Although PGP has been widespread and in use for 25 years, after the first, early complaints nobody has heard a single hiss from the FBI and its siblings about iOS-like “problems”. Maybe this is because of the open source license attached to PGP that allows whoever has enough brains, power and money to find ways to crack it. In the past, for instance, the FBI has been able to crack a TrueCrypt password belonging to a suspect.
To balance people’s rights with the needs of the investigation, Apple might just go open source or, at least, disclose the iOS source code to the law enforcement community, thus allowing the “good guys” to develop long-term tools for forensic purposes.
Of course, to Apple, this is an absolutely nonviable option, nevertheless the point stays: should a government be entitled to access each and every source code of critical software?
To put it briefly, the Apple vs FBI quarrel involves the role of proprietary copyright and has almost nothing to do with the “we protect our customer rights” claim.
Apple’s CEO Tim Cook, talking about the request made by the law enforcement community to weaken iOS, stated that complying with what the FBI is asking would mean writing software that is sort of the equivalent of cancer.
The statement is technically wrong, a slap in the face of the people who are plagued by this deadly disease, and evidence that talk is cheap.
First: cancer is a highly evolved entity (having been around for 4 billion years or so) made of mutated cells that have lost their “self-killing” mechanism, that keep mutating and growing and creating new forms of cancer elsewhere in the body once removed by surgery or other therapies. This has nothing to do with a piece of software kept under strict control by a private company.
Second: Mr. Cook is absolutely within his rights when he tries to defend his company’s Intellectual Property, but this time Apple’s spin doctors pushed the limits much too far when, for the sake of the controversy, they involved people who are meeting their fate in dire straits.
Third: of all the arguments that could have been exploited by Mr. Cook’s spin doctors, referring to such a dramatic disease shows a true lack of compassion toward our fellow human beings. Maybe this is not what Mr. Cook had in mind, but this is what his statement looks like.
Apple addressed in a letter to its customers the issues related to the FBI’s request to be provided with iPhone cracking tools.
Here is a detailed analysis of Apple’s statement.
Why is Apple objecting to the government’s order?
First, the government would have us write an entirely new operating system for their use … It would be wrong to intentionally weaken our products with a government-ordered backdoor. If we lose control of our data, we put both our privacy and our safety at risk. …
True, but the fact is that by providing unbreakable security measures Apple doesn’t need to care about data protection and privacy laws. As long as Apple is not able to access users’ data, it is not subject to the costly burden of complying with an (admittedly) bureaucratic and demanding (European) regulation and reduces its chance of being challenged in Court for privacy infringements.
Second, the order would set a legal precedent that would expand the powers of the government and we simply don’t know where that would lead us. Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent.
ISPs and carriers are already forced to use devices that ease (court-authorized) wiretapping. Why should Apple be granted an exemption?
Is it technically possible to do what the government has ordered?
Yes, it is certainly possible to create an entirely new operating system to undermine our security features as the government wants. But it’s something we believe is too dangerous to do. The only way to guarantee that such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it.
The easiest pun would be: how about nukes? But (dark) humour apart, a private company has no “jurisdiction” over policy issues and cannot supersede the will of the People. In other words: it is not Apple’s job to decide what is “safe” and what is not.
Could Apple build this operating system just once, for this iPhone, and never use it again?
The digital world is very different from the physical world. In the physical world you can destroy something and it’s gone. But in the digital world, the technique, once created, could be used over and over again, on any number of devices. … Law enforcement agents around the country have already said they have hundreds of iPhones they want Apple to unlock if the FBI wins this case.
So what? A criminal investigation has its needs and can’t be stopped by the business interests of a private company.
Has Apple unlocked iPhones for law enforcement in the past?
No. … We’ve built progressively stronger protections into our products with each new software release, including passcode-based data encryption, because cyberattacks have only become more frequent and more sophisticated. As a result of these stronger protections that require data encryption, we are no longer able to use the data extraction process on an iPhone running iOS 8 or later.
Well, this raises an interesting point. If my memory still works, when, back in the day, Napster got indicted by a New York Court, it was because the client had been designed without taking into account the copyright issues involved. In other words, the judge punished the fact that Napster was “per se” able to ease the infringement of the law. A sort of “liability by design”. So, applying the very same principle to Apple’s statement, the point is that as a matter of fact iOS is deliberately designed to prevent a forensic investigation. Is this a source of liability?
The government says your objection appears to be based on concern for your business model and marketing strategy. Is that true?
Absolutely not. Nothing could be further from the truth. This is and always has been about our customers. …
I wonder what Apple’s CEO would say to its stakeholders should the stock’s value fall because of this refusal to comply with the FBI request. A company, and its CEO, have a duty of protection toward the people who invested their money. Sure, Apple has terrific customer support and is – IP protection apart – a fairly open company. But this doesn’t change the fact that the business impact of a strategy is the main driver of a decision.
Is there any other way you can help the FBI?
We have done everything that’s both within our power and within the law to help in this case. As we’ve said, we have no sympathy for terrorists. …
I’m sure Apple did. But the point is, as I said before, that by building an unbreakable iOS version, there is little that Apple could do…
What should happen from here?
Our country has always been strongest when we come together. We feel the best way forward would be for the government to withdraw its demands under the All Writs Act and, as some in Congress have proposed, form a commission or other panel of experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms. Apple would gladly participate in such an effort.
If the FBI’s request is based upon a valid law, then it must be acknowledged. Full stop. If the law is wrong, then it will be amended or withdrawn, but as long as it is valid, dura lex, sed lex.
A final note.
There is an unspoken assumption in all these issues: that a public prosecutor is not free to investigate a crime, and this is clearly not possible.
In Italy, if a prosecutor needs something like the FBI does, he has the power to order it, and the criminal corporate liability regulations punish obstructing the investigation as a criminal offense.
There is a clear difference between Apple’s refusal to comply (grounded on business concerns and not on protecting people’s rights) and the privacy talibans (who just unreasonably put privacy above everything else).
The actual question is: why do people not trust the State and its law enforcement agencies?
If we could trust the powers-that-be, then we might accept striking a deal with the devil for the sake of a “greater good”, but the truth is that we can’t trust the Leviathan.
So, to put it briefly, I find both positions in bad faith :)
The iPhone vs FBI quarrel about the “need” for Apple’s support to hack into an iPhone turns back the clock to 1991, when Phil Zimmermann gave PGP to the rest of the world, infringing the US veto on encryption export. So, this Apple vs FBI thing is actually nothing new, since the positions of the supporters of the two arguments are still the same.
But there is a new perspective, though, that is worth considering and that wasn’t that widespread at Zimmermann’s time: the role of not-for-profit, personal encryption.
A company, like Apple, sooner or later will comply with the disclosure/hack support order by a court. It is just a matter of finding a way to minimize the sales impact of such compliance.
Open-source, NGO, not-for-profit-created encryption, on the contrary, has neither an “owner” nor a “CEO” who can be ordered to do something “nasty”. Furthermore, open-source-based encryption already gives “the good guys” all the information they need to break the ciphers that endanger their investigation.
The point, though, is another: the FBI didn’t ask for the iPhone security’s blueprints. They just wanted a “tool” to exploit the gimmick, with no actual need to understand how it works. And to me this is a nightmare scenario. I might trust a forensic expert who does his job in a lab, but I have some “problem” acknowledging the fact that every single law enforcement agent, with no actual competence, might have such a powerful tool to be used without actual supervision.
Again, we go back in time: who will watch the watchers?