The “manual” was “discovered” by analysts at the Combating Terrorism Center, based at the US Military Academy at West Point. Thankfully, Buzzfeed has the details, noting that the guide, created by a Kuwaiti cybersecurity firm named Cyberkov, is actually a guide for journalists and activists to protect their communications from oppressive governments. And there’s nothing particularly secret about it: it’s apparently just repurposed material from the EFF’s website.
Encryption is not the refuge of scoundrels, as Obama administration law-enforcement officials loudly proclaim – it is an essential tool needed to protect the right of freedom of opinion and expression in the digital age, a new United Nations report concludes.
Encryption that makes a communication unintelligible to anyone but the intended recipient creates “a zone of privacy to protect opinion and belief,” says the report from David Kaye, who as Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression is essentially the U.N.’s free speech watchdog.
The significance of encryption extends well beyond political speech, Kaye writes. “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.”
Encryption, like anonymity, is essential to artists, journalists, whistleblowers, and many other classes of people, the report says.
And far from banning or weakening encryption, governments should embrace and strengthen it, Kaye writes. He specifically urges the U.S. Congress to “prohibit the Government from requiring companies to weaken product security or insert back-door access measures.”
Obama administration officials have been advocating for encryption with some sort of built-in measure that law enforcement could circumvent, either an intentional weakness that creates a “back door,” or some sort of split “master key”.
Newly-installed Attorney General Loretta Lynch on Wednesday became the latest to engage in fear-mongering, saying she had “grave concerns” about encryption’s use by “people whose sworn duty is to harm Americans here and abroad.”
National Security Agency director Mike Rogers took a slightly more nuanced view on Wednesday, ZDNet reported. “You’re not going to hear me say that encryption is a bad thing. I don’t think it is a bad thing. Encryption is not bad. Encryption is a fundamental part of the future; I think it would be ridiculous to pretend otherwise,” Rogers told a cyberwarfare conference in Estonia.
But he expressed his desire for a legal framework that would give law enforcement access, asking: “Can we create some mechanism where within this legal framework there’s a means to access information that directly relates to the security of our respective nations, even as at the same time we are mindful we have got to protect the rights of our individual citizens?”
Kaye’s answer is: No. He concludes from his research that “compromised encryption cannot be kept secret from those with the skill to find and exploit the weak points, whether State or non-State, legitimate or criminal.” Thus: “In the contemporary technological environment, intentionally compromising encryption, even for arguably legitimate purposes, weakens everyone’s security online.”
And Kaye points out that law enforcement officials “have not demonstrated that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives.”
Indeed, FBI Director James Comey gave a much-quoted speech last fall about how increasingly common cell-phone encryption could lead law enforcement to a “very dark place” where it “misses out” on crucial evidence to nail criminals. But the examples he then gave failed the laugh test.
The United Nations’ Office of the High Commissioner for Human Rights appoints expert “special rapporteurs” to be its eyes and ears on key human rights issues. Kaye, a law professor at the University of California, Irvine, began his three-year term as the rapporteur for freedom of opinion and expression in August 2014.
His report also warns that state prohibitions on anonymity online, such as required real-name registration for online activity, SIM card registration, or bans on anonymity tools such as Tor, interfere with the right to freedom of expression.
Encryption advocates hailed the report. “This landmark report shows how fundamental — and necessary — encryption is for exercising freedom of expression,” said Access Senior Policy Counsel Peter Micek. “It’s a sober rebuke of baseless fear-mongering from those who say encryption only helps criminals and terrorists.”
Europe’s top cop has taken to the BBC to once again slam encryption as the biggest threat to counter-terrorism and law enforcement.
Europol Director Rob Wainwright said encrypted communications gave plods across the continent their biggest headaches, and his main gripe was with the IT companies that provide them.
“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet,” he said.
He told the civil liberties committee of the European Parliament the same thing last November. Now he says there is “a significant capability gap” that must be closed.
“It’s changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore,” he told the Beeb.
However, Wainwright himself will not get his hands on any of that “capability”. According to Europol’s website, the organisation “has neither the technical equipment nor the legal authorisation to wiretap or monitor members of the public by any technological means”.
“Any information being analysed by Europol is provided directly by the co-operating law enforcement agencies. Europol’s principal role is to gather, analyse and re-distribute data,” he said in the interview.
That hasn’t stopped EU countries beefing up Europol with a new European Internet Referral Unit to find, identify and potentially remove websites used by terrorist groups.
National leaders across the EU have been calling for increased access to private communications since the Charlie Hebdo attacks in Paris. The European Council hopes the new unit will be up and running by June.
Meanwhile, tech companies will continue to boost end-to-end encryption after the Snowden revelations created a business case, as consumers demanded their communications be secured.
Dutch MEP Sophie In’t Veld said she found his comments (which echo those of UK PM David Cameron) extremely worrying. “What is next? Having a lock on the front door of your home being a criminal offence? Banning people from protecting their private communications is unacceptable in a democratic society. We are really on a slippery slope here.”
“Not only individual citizens have a right to privacy, but journalists, politicians, lawyers, whistleblowers, NGOs, etc must be able to communicate freely, safely and knowing they are unobserved,” she added.
“There seems to be no limit to the appetite of secret services to know EVERYTHING about us, without being subject to any meaningful kind of oversight or bound by laws,” continued In’t Veld.
He believes all of this is caused by the ‘revelations’ on NSA mass surveillance. “One would think it was the secret and illegal mass surveillance itself, not the fact it was revealed, that has breached trust,” said In’t Veld.
Here’s a suggestion: if you’re a Congressional Representative whose job it is to regulate all sorts of important things, and you state in a hearing “I don’t know anything about this stuff” before spouting off on your crazy opinions about how something must be done… maybe, just maybe educate yourself before confirming to the world that you’re ignorant of the very thing you’re regulating. We famously saw this during the SOPA debate, where Representatives seemed proud of their own ignorance. As we noted at the time, it’s simply not okay for Congress to be proud of their own ignorance of technology, especially when they’re in charge of regulating it. But things have not changed all that much apparently.
We already wrote about FBI Director James Comey’s bizarre Congressional hearing earlier this week, in which he warned those in attendance about the horrible world that faced us when the FBI couldn’t spy on absolutely everything. But the folks holding the hearing were suckers for this, and none more so than Rep. John Carter. The ACLU’s Chris Soghoian alerts us to the following clip of Carter at that hearing, which he says “is going to be the new ‘The Internet is a Series of Tubes'” video. I would embed the video, but for reasons that are beyond me, C-SPAN doesn’t use HTTPS so an embed wouldn’t work here (randomly: Soghoian should offer CSPAN a bottle of whiskey to fix that…).
Here’s the basic transcript though:
Rep. John Carter: I’m chairman of Homeland Security Appropriations. I serve on Defense and Defense subcommittees. We have all the national defense issues with cyber. And now, sir, on this wonderful committee. So cyber is just pounding me from every direction. And every time I hear something, or something just pops in my head — because I don’t know anything about this stuff. If they can do that to a cell phone why can’t they do that to every computer in the country, and nobody can get into it? If that’s the case, then that’s the solution to the invaders from around the world who are trying to get in here. [Smug grin]
FBI Director Comey: [Chuckle and gives smug, knowing grin]
Carter: Then if that gets to be the wall, the stone wall, and even the law can’t penetrate it, then aren’t we creating an instrument [that] is the perfect tool for lawlessness. This is a very interesting conundrum that’s developing in the law. If they, at their own will at Microsoft can put something in a computer — or at Apple — can put something in that computer [points at a smartphone], which it is, to where nobody but that owner can open it, then why can’t they put it in the big giant super computers, that nobody but that owner can open it. And everything gets locked away secretly. And that sounds like a solution to this great cyber attack problem, but in turn it allows those who would do us harm [chuckles] to have a tool to do a great deal of harm where law enforcement can’t reach them. This is a problem that’s gotta be solved.
Back in October, we highlighted the contradiction of FBI Director James Comey raging against encryption and demanding backdoors while, at the very same time, the FBI’s own website was suggesting mobile encryption as a way to stay safe. Sometime after that post went online, all of the information on that page about staying safe magically disappeared, though thankfully I screenshotted it at the time:
If you really want, you can still see that information over at the Internet Archive or in a separate press release the FBI apparently didn’t track down and memory hole yet. Still, it’s no surprise that the FBI quietly deleted that original page recommending that you encrypt your phones “to protect the user’s personal data,” because the big boss man is going around spreading a bunch of scare stories about how we’re all going to be dead or crying if people actually encrypted their phones:
Calling the use of encrypted phones and computers a “huge problem” and an affront to the “rule of law,” Comey painted an apocalyptic picture of the world if the communications technology isn’t banned.
“We’re drifting to a place where a whole lot of people are going to look at us with tears in their eyes,” he told the House Appropriations Committee, describing a hypothetical in which a kidnapped young girl’s phone is discovered but can’t be unlocked.
So, until recently, the FBI was actively recommending you encrypt your data to protect your safety — and yet, today it’s “an affront to the rule of law.” Is this guy serious?
More directly, this should raise serious questions about what Comey thinks his role at the FBI is (or what the FBI’s role is for the country). Is it to keep Americans safe, or is it to undermine their privacy and security just so it can spy on everyone?
[the proposed law] wants to force intermediaries to “detect, using automatic processing, suspicious flows of connection data”. Internet service providers as well as platforms like Google, Facebook, Apple and Twitter would themselves have to identify suspicious behavior, according to instructions they have received, and pass the results to investigators. The text does not specify, but this could mean frequent connections to monitored pages.
As well as being extremely vague, none of this “automatic detection” will require a warrant, which means that the scope for abuse and errors will be huge. And then there’s this:
the Intelligence bill also addresses the obligations placed on operators and platforms “concerning the decryption of data.” More than ever, France is keen to have the [encryption] keys necessary to read intercepted conversations, even if they are protected.
As we’ve noted before, there is a global push to demonize encryption by presenting it as a “dark place” where bad people can safely hide. What’s particularly worrying is that the measures proposed by France are easy to circumvent using client-side encryption: if the user encrypts data before it ever reaches the operator, the operator has no key to hand over. The fear has to be that once the French government realizes that fact, it will then seek to control or ban this form too.
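To make concrete why a decryption obligation on operators is defeated by client-side encryption, here is an added example (not code from the original post or from any of the companies named). It uses only the Python standard library: a key is derived on the client from a passphrase with PBKDF2, the file is encrypted with an HMAC-SHA256 keystream in counter mode and authenticated with a second HMAC (encrypt-then-MAC), and the storage provider receives and stores only the resulting blob. The `StorageProvider` class, the user names and the sample plaintext are constructed for illustration. An operator ordered to “decrypt” can return everything it holds and still produce no plaintext, because no key material ever left the client.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; a real client would tune this to the device (assumption).
PBKDF2_ITERS = 200_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from a passphrase, client-side."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client. Fresh salt and nonce per file, so keys and
    keystream are never reused. Output layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def client_decrypt(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; a wrong
    passphrase or a modified blob fails here rather than yielding garbage."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class StorageProvider:
    """Constructed stand-in for the operator: it sees only opaque blobs."""

    def __init__(self) -> None:
        self._store: dict[str, list[bytes]] = {}

    def upload(self, user: str, blob: bytes) -> None:
        self._store.setdefault(user, []).append(blob)

    def comply_with_decryption_order(self, user: str) -> list[bytes]:
        # The most the operator can do is hand over what it holds, which is
        # exactly the ciphertext it received; it never received a key.
        return list(self._store.get(user, []))


def demo() -> tuple[bytes, list[bytes], bytes]:
    """Upload an encrypted note, let the provider 'comply', and show that only the
    passphrase holder recovers the plaintext. Returns (plaintext, handed-over blobs,
    client-decrypted result) so the outcome can be checked."""
    plaintext = b"meeting notes, draft"  # constructed sample
    provider = StorageProvider()
    provider.upload("alice", client_encrypt("correct horse battery", plaintext))
    handed_over = provider.comply_with_decryption_order("alice")
    recovered = client_decrypt("correct horse battery", handed_over[0])
    return plaintext, handed_over, recovered


if __name__ == "__main__":
    pt, blobs, rec = demo()
    print("provider holds plaintext:", pt in blobs[0])
    print("client recovers plaintext:", rec == pt)
```

The failure modes matter as much as the happy path: a wrong passphrase or a single flipped ciphertext byte is rejected at the tag check, and the provider’s hand-over contains the plaintext only if the client was compromised or the user volunteered the passphrase. That is precisely the “unknowability” that a provider-side decryption mandate cannot legislate away.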
The world could really use a credible alternative to PayPal
There are far too many stories of PayPal unfairly and ridiculously cutting off services that rely on it as a payment mechanism, but here’s yet another one. Mega, the cloud storage provider perhaps best known as Kim Dotcom’s “comeback” act after the US government shut down Megaupload, has had its PayPal account cut off. The company claims that PayPal was pressured by Visa and Mastercard to cut it off:
Visa and MasterCard then pressured PayPal to cease providing payment services to MEGA.
MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA. PayPal has apologised for this situation and confirmed that MEGA management are upstanding and acting in good faith. PayPal acknowledged that the business is legitimate, but advised that a key concern was that MEGA has a unique model with its end-to-end encryption which leads to “unknowability of what is on the platform”.
MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA’s “unique encryption model” presents an insurmountable difficulty.
Admiral Mike Rogers, the NSA Director, has barely been on the job for a year, and so far he’d mostly avoided making the same kinds of absolutely ridiculous statements that his predecessor General Keith Alexander was known for. Rogers had, at the very least, appeared slightly more thoughtful in his discussions about the surveillance state and his own role in it. However, Rogers ran into a bit of trouble at New America’s big cybersecurity event on Monday — in that there were actual cybersecurity folks in the audience and they weren’t accepting any of Rogers’ bullshit answers. The most notable exchange was clearly between Rogers and Alex Stamos, Yahoo’s chief security officer, and a well known privacy/cybersecurity advocate.
Alex Stamos (AS): “Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…
Mike Rogers (MR): That would be your characterization. [laughing]
AS: No, I think Bruce Schneier and Ed Felten and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.
MR: I’ve got a lot of world-class cryptographers at the National Security Agency.
AS: I’ve talked to some of those folks and some of them agree too, but…
MR: Oh, we agree that we don’t accept each others’ premise. [laughing]
AS: We’ll agree to disagree on that. So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?
MR: So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response.
AS: Well, do you believe we should build backdoors for other countries?
MR: My position is — hey look, I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this.
AS: So you do believe then, that we should build those for other countries if they pass laws?
MR: I think we can work our way through this.
AS: I’m sure the Chinese and Russians are going to have the same opinion.
MR: I said I think we can work through this.
AS: Okay, nice to meet you. Thanks.
MR: Thank you for asking the question. I mean, there are going to be some areas where we’re going to have different perspectives. That doesn’t bother me at all. One of the reasons why, quite frankly, I believe in doing things like this is that when I do that, I say, “Look, there are no restrictions on questions. You can ask me anything.” Because we have got to be willing as a nation to have a dialogue. This simplistic characterization of one-side-is-good and one-side-is-bad is a terrible place for us to be as a nation. We have got to come to grips with some really hard, fundamental questions. I’m watching risk and threat do this, while trust has done that. No matter what your view on the issue is, or issues, my only counter would be that that’s a terrible place for us to be as a country. We’ve got to figure out how we’re going to change that.
[Moderator Jim Sciutto]: For the less technologically knowledgeable, which would describe only me in this room today, just so we’re clear: You’re saying it’s your position that in encryption programs, there should be a backdoor to allow, within a legal framework approved by the Congress or some civilian body, the ability to go in a backdoor?
MR: So “backdoor” is not the context I would use. When I hear the phrase “backdoor,” I think, “well, this is kind of shady. Why would you want to go in the backdoor? It would be very public.” Again, my view is: We can create a legal framework for how we do this. It isn’t something we have to hide, per se. You don’t want us unilaterally making that decision, but I think we can do this.