The FBI really hates data security and privacy. I mean HATES it.
In a speech before the Brookings Institution last week, FBI Director Jim Comey called for a “legislative or regulatory fix” to the “problem” that third-party custodians of records, or providers of hardware or software make their products or services secure for their customers. Of course, he didn’t put it that way, but that’s exactly what he means.
Just so we are clear. The FBI wants companies like Apple, Google, and others to not protect the data of their clients and customers, and to not permit their clients and customers to protect their OWN data, just in case the FBI gets a warrant for that data, and wants the COMPANY to produce the data without the client or customer’s knowledge or participation.
With Apple and Android, what we are talking about is whether Apple or Google should be forced, as a matter of law, NOT to encrypt the contents of the customer’s cell phone with a key that permits the CUSTOMER to have access to the data, but not a third party. And by third party, we mean Apple, Google, hackers or the FBI.
Just so we are even clearer. This has nothing to do with data sent to, received from, downloaded to or uploaded from phones. The FBI, with some kind of court order (or surreptitious recording device) would retain full access to the unencrypted contents of every call, every SMS, every e-mail, every webpage visited, every photograph sent, every Instagram, every Snapchat (if it’s still there), every app, every bit of metadata sent over the web, every page you are on in your Kindle app, every song streamed over Pandora, your location and proximity data, and even the data synched from your Fitbit or other Bluetooth device.
It could get this data from Apple, from the provider, or from the app developer. It could also lawfully install malware or key logger software to capture even more data from handheld devices. It’s not like the FBI is powerless here.
The actions of companies like Apple and Google to protect their customer’s data (or more accurately, give their customers the ability to protect their own data) applies only to a very small set of data under limited circumstances.
IF the FBI seizes the actual device from the customer (the iPhone or Android device) AND they have a warrant for the data, AND the device is locked or otherwise password protected, AND the customer refuses to unlock it, AND the Court is unwilling to compel the customer to unlock it, AND the government can demonstrate probable cause to believe a crime has been committed and that there is evidence of that crime on the device, the government wants the ability to compel Apple and Google to decrypt the contents of the device for them.
To solve that “problem,” Director Comey is essentially proposing a CALEA for the Internet, for Mobility, for Cloud and for hardware and software manufacturers.
Presumably, all cloud providers, all data storage facilities, all third party transmitters, all hardware and software manufacturers would be required by law to create a process by which they could decrypt the contents of their customers’ data in the event that the government obtained a court order for that data.
Thus, Amazon would have to be able to produce the contents of their customers’ data unencrypted, and Microsoft would have to build in a back door to its whole disk encryption scheme.
Remember, this is not about Apple producing its OWN records, or even the records of its customers. It’s about Apple giving the government a key to all Apple devices.
Actually, it’s worse than the “Clipper Chip” debates of three decades ago where the government wanted a “back door” to all crypto that only they knew (well, that only they knew that they knew.. the hackers would have it too inevitably.)
It’s worse because it’s not even a “back door” but vulnerability. Customers would be prohibited from encrypting their own data unless they did so in an ineffective way.
Remember, the same crypto that protects terrorists protects my health records. Sauce for the goose.
CALEA required telephone companies to engineer their systems so that data travelling over them was accessible to law enforcement – in other words to spend billions of dollars (at taxpayer expense) to make their products and services less secure.
This is the model that Director Comey is calling for the rest of the Internet, and for the Cloud and the Internet of Things. Let’s weaken security for all.
Remember, we are talking about subpoenas and search warrants directed NOT at the criminals and bad guys. They can still probably be compelled to produce their own records. If they can’t be so compelled it would be because a court found that they have a constitutional protection (say self-incrimination) against being compelled to decrypt files.
These legislative remedies are directed at third parties whose hardware or software are used by others. Apple would be precluded from selling phones if those phones allowed customers to secure their data. Dell would go to jail if their computers could be secured against third party (including FBI) access. Any hardware or software, which would enable someone to secure his or her OWN data, would be in violation of this statute.
A monumentally bad idea.
Making EVERYTHING insecure, forcing everyone to use foreign products and services for those infinitesimally few cases where the government has a device from a bad guy but can’t decrypt it.
The FBI again raises the specter of child abductions and pornography in support of its proposal. But again, there are no cases where the government obtained someone’s physical iPhone or Android device during the course of a child abduction case, and the ability to decrypt the actual device is what prevented a child abduction.
It’s just not true. Sure, having security inhibits the ability of the FBI to see what’s happening. So does having walls, shades and curtains. And constitutional rights.
Imagine a law that said that people couldn’t lock their doors, just in case the government got a warrant to search their house. Would you feel more secure or less? And in the end, isn’t it about making everyone more secure?