Thursday, January 28, 2016

2018 gubernatorial candidate Gavin Newsom “has not taken a position” on AB 1681

In an e-mailed response to Etopia News’ inquiry regarding current Lt. Gov. and 2018 gubernatorial candidate Gavin Newsom’s position on AB 1681, which would prohibit the sale of smartphones capable of protecting user data from law enforcement, even with a proper warrant, his Chief of Staff, Rhys Williams, replied:

“Has not taken a position.”

His Chief of Staff is a wunderkind, a prodigy with vast experience of government. Read about it in the link to his LinkedIn profile above, if you haven't already.

Tuesday, January 26, 2016

Assemblymember Cooper’s Legislative Director Discusses AB 1681

In an exclusive phone interview with Etopia News, Roy Sianez, Legislative Director for California Assemblymember Jim Cooper, author of AB 1681, today said that the bill will be modified to remove all liability from sellers and lessors of prohibited smartphones and put it solely on the manufacturers of the operating systems employed to deliver unbreakable encryption to end users.

He said the changes would be made as soon as the bill was heard in committee.  He said he wasn’t sure which committee that would be, but thought it might be the Assembly Committee on Privacy and Consumer Protection.

He was following up on an earlier e-mailed statement from Cooper’s Communications Director, Skyler Wonnacott, who wrote to Etopia News saying, “(d) (2) will be removed to eliminate the liability completely from the seller or lessor.  Instead the bill will limit liability to the manufacturer of the operating system of the smartphone.”

These manufacturers of operating systems, Sianez said, would, under AB 1681, be prohibited from providing software that generates encrypted data that they cannot make “accessible by law enforcement with a search warrant.”

He said that before Apple released iOS 8, law enforcement could and would ship a smartphone with encrypted data along with the appropriate warrant to Apple and get back the cleartext they had been authorized to access.  Since the advent of iOS 8, however, only the end users of devices running that operating system can access their data, not Apple, even with a warrant.

Here’s what Apple says about security on its page touting the virtues of iOS 9:

“Improved security.

“Keeping your devices and Apple ID secure is essential to protecting your personal information — like photos, documents, messages, email, and so much more. iOS 9 advances security by strengthening the passcode that protects your devices, and by making it harder for others to get unauthorized access to your Apple ID account. These new security features are easy for you to use. But they make it much harder for anyone else to access your personal information.”

Sianez said that the purpose of AB 1681 was to make Apple “change it back” to the days when data on pre-iOS 8 devices could be retrieved by Apple itself. When told that iOS 8-based systems cannot be decrypted by Apple, but only by the end user, warrant or no warrant, he said he wanted to “restore the ability” that Apple phones once had to have their data decrypted by the manufacturer.

He said this was “a public safety issue.” Asked if the bill’s passage would mean that Apple “can’t offer an operating system that leaves control in the hands of the user,” Sianez said that Apple could still sell such devices, but that there would be a financial penalty of $2,500 for each such device they make and sell. 

“Nobody goes to jail for this,” he said.  “Fined, but no time” served is how he put it.

“We’ve seen and read” that there is opposition to the bill, he added, saying that what was involved with AB 1681 was a national and indeed global issue.  “California is the world’s eighth largest economy; we have 38 million people, as well as Apple and Google.”  He thought California would therefore be a good place to address this issue.

Asked who would be liable for modified versions of Android capable of “full disk encryption” running on specific OEM devices, Sianez said that if the OEM “changed it to be inaccessible,” then they would be liable.

Despite the inability of the manufacturer of the operating system, be it Google, Apple, or another party, to decrypt data stored under a passcode solely controlled by the user, the legislative director responsible for the bill reiterated that the goal of the legislation was to make user data “accessible by law enforcement with a search warrant.”


Statement on Assemblymember Cooper’s AB 1681 from EFF Staff Attorney Andrew Crocker in which he calls it a “terrible policy”

California Assemblymember Jim Cooper has introduced a bill, AB 1681, which says:  “A smartphone that is manufactured on or after January 1, 2017, and sold or leased in California, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider.”

Electronic Frontier Foundation Staff Attorney Andrew Crocker this afternoon provided the following statement about AB 1681 to Etopia News:

“Under the Constitution, I don't think it's within the state's power to legislate this. Regardless, it would be entirely ineffective since the rule wouldn't reach phones sold just across the border. Clearly California hopes to change national policy by forcing Apple et al to comply, but that's why the states are limited in their power to burden interstate commerce in this way.

“This is terrible policy that is entirely infeasible from a technical perspective. There is no way to ensure that phones can be decrypted by the police and not the ‘bad guys.’ It's not about privacy but security--the security of innocent people's devices against hackers, thieves and others. It could well be unconstitutional under the First Amendment as well.

“No matter how terrible the crime, we don't allow the police to disregard other important values like privacy and security, and this is a law that would make us all less secure. Meanwhile the police have access to lots of other tools to get at this evidence, from hacking or brute forcing the device to getting cloud backups to forcing the owner to unlock the phone. Moreover the sophisticated bad guys will resort to third party tools to cover their tracks.”

Thursday, January 21, 2016

Making the establishment of a Federal Security and Technology Commission an issue

On December 27, 2015, Texas Congressman Mike McCaul and Virginia Senator Mark Warner, a Republican and a Democrat, respectively, proposed the creation of a Federal Security and Technology Commission (FSTC), here.

They wrote:  “…we are proposing a national commission on security and technology challenges in the digital age.”

It has proven exceptionally difficult to get anyone in Washington, D.C., or on the presidential campaign trail to express support for or opposition to this proposal.

The creation of this new panel is closely linked to a resolution of the issue of “exceptional access mechanisms” (EAMs) (i.e., “back-doors”) as discussed and opposed by a large and especially-distinguished group of cryptographers, in a July 9, 2015, post entitled “The Risks of Mandating Backdoors in Encryption Products.”

No one seems to want to oppose or support such EAMs, either.

But one member of the U.S. Senate has now stepped forward to help crystallize the establishment of a Federal Security and Technology Commission as a bona fide political issue.   

The second-most-senior Democrat on the United States Senate Select Committee on Intelligence (SSCI), Senator Ron Wyden, has officially made the establishment of the FSTC an “issue” by acknowledging that it is something he hasn’t taken a position on yet, but that he might take a position on in the future.

According to an e-mail received this afternoon by Etopia News from his Portland-based press secretary, “The senator hasn’t taken a position on this idea. Will let you know if that changes.”

This is almost-irrefutable evidence that at least one U.S. Senator besides proposal co-author Mark Warner has considered this issue.

Senator Wyden is a co-member with Senator Warner on the United States Senate Select Committee on Intelligence, chaired by Republican Senator Richard Burr of North Carolina, whose remarks on “end-to-end” encryption, along with those of vice chairman Senator Dianne Feinstein of California, can be found in a previous Etopia News article here.

Senator Burr has become better known in the last few hours due to a report, which he is vehemently denying, that he said he would “vote for liberal Sen. Bernie Sanders for president before [Ted] Cruz.”

Wednesday, January 20, 2016

Representative McCaul and Senator Warner seek to establish a Federal Security and Technology Commission; Intelligence Committee members queried

In a December 27, 2015, op-ed in the Washington Post, U.S. Representative Mike McCaul (R-TX) and U.S. Senator Mark Warner (D-VA) called for the creation of a Federal Security and Technology Commission (FSTC), writing, bi-partisanly:

“That is why we are proposing a national commission on security and technology challenges in the digital age.”

A core issue for consideration by the putative FSTC would certainly be the question of whether law enforcement and federal surveillance agencies should have access, however fettered, to materials encrypted by users of powerful “end-to-end” and on-device encryption.

This is another way of saying that the FSTC might be called upon to decide if vendors could offer such “end-to-end” and on-device encryption systems only if they build in a “back-door” key and give it to the government.

Richard Burr is the Republican Chair, and Dianne Feinstein and Ron Wyden are influential Democratic members, of the United States Senate Select Committee on Intelligence (SSCI), which oversees the nation’s surveillance agencies.

Etopia News has reached out to each of these senators, asking their views on the establishment of a Federal Security and Technology Commission and on whether “end-to-end” and on-device encryption should be prohibited unless the government is given “back-door” access.  Similar questions have also been posed to Democratic presidential candidates Senator Bernie Sanders and former Secretary of State Hillary Clinton.

Etopia News will report their comments as they come in.

For a compendium of comments by Senator Feinstein, who is the Vice Chair of the SSCI, and Senator Burr, regarding “end-to-end encryption” in the immediate aftermath of the November terrorist attack in Paris, click here.

Tuesday, January 19, 2016

Senators Burr and Feinstein on “end-to-end” encryption and national security

A big question is haunting national anti-terrorism efforts:

Should Federal Government surveillance agencies and law enforcement at all levels have access to cleartext versions of everyone’s and anyone’s personal electronic communications, even if they are deeply encrypted and beyond the reach of curious officials’ technical capabilities?

Or, put another way, should the government be able to prohibit the sale and use of “unbreakable,” end-to-end encryption, unless it comes with a “back-door” that enables the government to decrypt the encrypted messages it collects?

Tim Cook, CEO of Apple, says the answer is an emphatic "No."

Four days after the terrorist attacks in Paris, on November 17, 2015, after being briefed by Obama Administration officials including Assistant Secretary of State Victoria Nuland on the U.S. role in the aftermath of these attacks, Richard Burr (R-NC), Chair of the U.S. Senate Intelligence Committee, and Vice-Chair Dianne Feinstein (D-CA) spoke to reporters. They addressed the issue of end-to-end encryption several times in their remarks.

Their approaches spanned a range between looking into the question and forcing private companies that provide these powerful encryption technologies “to change their business models.”

Here’s more of what they had to say:

Senator Burr:
“There’s a likelihood that this attack was ISIL-directed. It is likely that encryption, end-to-end encryption was used to communicate between those individuals in Belgium, in France and in Syria. It’s a wake-up call for America and our global partners that globally we need to begin the debate on what we do on encrypted networks, because it makes us blind to communications and to the actions of potential adversaries. The vice chairman and I committed to our membership that we would start this debate sooner rather than later and I think this is not just a debate to happen within the United States, this is a debate we will have with our international partners.”

Senator Feinstein:
“…it’s causing a great deal of alarm among people who want their government to keep people safe and we want to keep people safe. And only good intelligence is going to keep people safe. So as the chairman pointed out, a lot of the communication between these networks is encrypted. Even simple commercial products that you can buy encrypt the conversation and some of them encrypt it in a way that even with a court order, you can’t break into it. So good intelligence from people in communities all over, I think is extremely important."

Senator Burr:
“… It still happened and it happened while the entire world’s intelligence communities looked for it. Though we don’t have the answer today, we will work aggressively to try and figure out where we might have picked this up and if we couldn’t, what tools we need to provide to intelligence here and abroad that would allow us to detect any indications in the future."

“On the encryption question, what steps will Congress take in addressing that and will it play into this unfinished cybersecurity process?”

Senator Burr:
“I think it’s way too early for us to comment, look at both us, look at our age. This is a very difficult thing for us to understand because I won’t tell you that we’re steeped in technology where we’ve got generations below us where this is an everyday process for them. There’s not an app that you buy that potentially doesn’t have the communication capability today, and that communication capability whether they sell it that way or not, it’s likely encrypted. So facing realities, we know we can’t go forward unless we work with intelligence communities and whether we work with our partners above to figure out what the way forward is."

“Vice Chairman, you mentioned you’re working some proposals to possibly bring forward, could those include proposals on encryption or anything—”

Senator Feinstein:
“I don’t think it makes sense to speculate. The chairman has said what he’d really like the committee to do and I really agree with this; we need to sit down and we need to go over things. We need to look at a number of different things; we need to look at how much the visa waiver program plays into this. How much encryption plays into it. We know of certain equipment and certain games that are encrypted that can be used.  We need to figure what can and should be done about that if anything.

“The important thing is that it is a committee-wide effort and once we agree we’re able to move forward on a bipartisan basis.”

“Senators, in terms of the ISIL threat to Europe and the homeland, could you paint a little more of a picture on what you are learning. Is there an external operations cell? And do we know who those people are, are they in Raqqa and what do you think the U.S. government should do about those people?"

Senator Burr:
“… It may fly under the radar screen and I think that’s one of the realities that I think we’re faced with and that’s why Dianne and I have committed to challenge our staffs to do an overall review from a standpoint of what are the things we need to look at that we aren’t currently focused on, what tools we might provide that at least provide an opportunity of a better outcome for our intelligence community. 

“Quite frankly, we’re going to have to think differently, because our adversaries are thinking differently now.”

Senator Feinstein:
“And if I might add to the Chairman, ISIL is different. ISIL isn’t al Qaeda. Al Qaeda was away and removed and a small group of people and they put together very precise operations. This is big. ISIL has 30,000 fighters. France, 2,000 people have gone from France to Syria to fight. We’ve had about 150 go from our country to fight. They are expanding. They are creating the caliphate in different countries, wherever they can. Safe harbors in some countries wherever they possibly can. As the Chairman pointed out, the number of countries they’re in, is close to 30 today, one way or another. So it’s an expanding model and that model puts forward a new plan and that is as was said, that you have one person in Syria, directing through Belgium, to France, that could be here too. Just like that, all encrypted. So it’s a problem and of course they have a video out that makes the statement. So that’s a concern to all of us."

“Chairman Burr, you talked about end-to-end encryption. What platform were they using and what evidence is there?"

“We can’t tell you today specifically that they were using a specific encrypted platform. We think that that’s a likely because we didn’t pick up any direct communication. I think it’s safe to say that there are probably 30 end-to-end encrypted software packages that you can download for free. Given the fact that between iTunes and PlayStation, the number of apps that are added on a weekly, monthly, yearly basis and I think we anticipate that everything from this point forward will have encryption communications to it, now’s the time to act.”

“What legislation is possible to address this?”

Senator Burr:
“I wouldn’t dare even make you remotely believe that we’re on a legislative route. We’re on an exploratory route, trying to figure out what options we have and from those options to determine what the best course, short, medium and long term is.”

“And as you explore, what cooperation are you getting from companies in Silicon Valley?  What would your message be to those companies?”

Senator Feinstein:
“Well if we get the same cooperation we did with cyber, it won’t be very much. The reality is that we don’t expect this to be received extremely well from companies that market their products based upon the fact that they have end-to-end encryption. We don’t have a responsibility to sell their products; we have a responsibility to keep America safe. This committee is going to stay focused with our intelligence community and our law enforcement to do exactly that. If it means that people are going to have to change their business models, then so be it, but at the end of the day, America’s safety is the absolute number one issue."

For a discussion of novelist Dan Brown's prescient acknowledgement of the risks posed by "unbreakable" encryption as far back as 1998, click here.