How the US Secret Service Breaks into Smartphones
Here’s an article about the US Secret Service and their Cell Phone Forensics Facility in Tulsa.
I said it before and I’ll say it again: the FBI needs technical expertise, not backdoors.
Entries Tagged "national security policy"
Page 21 of 61
New Rules on Data Privacy for Non-US Citizens
Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.
Here’s the relevant text:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans’ data without having to follow all EU privacy requirements.
Interpretations of what this means are all over the place: from extremely serious, to more measured, to don’t worry and we still have PPD-28.
This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.
Security Risks of the President's Android Phone
Reports are that President Trump is still using his old Android phone. There are security risks here, but they are not the obvious ones.
I’m not concerned about the data. Anything he reads on that screen is coming from the insecure network that we all use, and any e-mails, texts, Tweets, and whatever are going out to that same network. But this is a consumer device, and it’s going to have security vulnerabilities. He’s at risk from everybody, ranging from lone hackers to the better-funded intelligence agencies of the world. And while the risk of a forged e-mail is real—it could easily move the stock market—the bigger risk is eavesdropping. That Android has a microphone, which means that it can be turned into a room bug without anyone’s knowledge. That’s my real fear.
I commented in this story.
EDITED TO ADD (1/27): Nicholas Weaver comments.
Obama's Legacy in Internet Security
NextGov has a nice article summarizing President Obama’s accomplishments in Internet security: what he did, what he didn’t do, and how it turned out.
New White House Privacy Report
Two days ago, the White House released a report on privacy: “Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation.” The report summarizes things the administration has done, and lists future challenges:
Areas for Further Attention
- Technology will pose new consumer privacy and security challenges.
- Emerging technology may simultaneously create new challenges and opportunities for law enforcement and national security.
- The digital economy is making privacy a global value.
- Consumers’ voices are being heard—and must continue to be heard—in the regulatory process.
- The Federal Government benefits from hiring more privacy professionals.
- Transparency is vital for earning and retaining public trust.
- Privacy is a bipartisan issue.
I especially like the framing of privacy as a right. From President Obama’s introduction:
Privacy is more than just, as Justice Brandeis famously proclaimed, the “right to be let alone.” It is the right to have our most personal information be kept safe by others we trust. It is the right to communicate freely and to do so without fear. It is the right to associate freely with others, regardless of the medium. In an age where so many of our thoughts, words, and movements are digitally recorded, privacy cannot simply be an abstract concept in our lives; privacy must be an embedded value.
The conclusion:
For the past 240 years, the core of our democracy—the values that have helped propel the United States of America—have remained largely the same. We are still a people founded on the beliefs of equality and economic prosperity for all. The fierce independence that encouraged us to break from an oppressive king is the same independence found in young women and men across the country who strive to make their own path in this world and create a life unique unto to themselves. So long as that independence is encouraged, so long as it is fostered by the ability to transcend past data points and by the ability to speak and create free from intrusion, the United States will continue to lead the world. Privacy is necessary to our economy, free expression, and the digital free flow of data because it is fundamental to ourselves.
Privacy, as a right that has been enjoyed by past generations, must be protected in our digital ecosystem so that future generations are given the same freedoms to engage, explore, and create the future we all seek.
I know; rhetoric is easy, policy is hard. But we can’t change policy without a changed rhetoric.
EDITED TO ADD: The document was originally on the whitehouse.gov website, but was deleted in the Trump transition. It’s now available at the Obama archives site.
A Comment on the Trump Dossier
Imagine that you are someone in the CIA, concerned about the future of America. You have this Russian dossier on Donald Trump, which you have some evidence might be true. The smartest thing you can do is to leak it to the public. By doing so, you are eliminating any leverage Russia has over Trump and probably reducing the effectiveness of any other blackmail material any government might have on Trump. I believe you do this regardless of whether you ultimately believe the document’s findings or not, and regardless of whether you support or oppose Trump. It’s simple game-theory.
This document is particularly safe to release. Because it’s not a classified report of the CIA, leaking it is not a crime. And you release it now, before Trump becomes president, because doing so afterwards becomes much more dangerous.
MODERATION NOTE: Please keep comments focused on this particular point. More general comments, especially uncivil comments, will be deleted.
Classifying Elections as "Critical Infrastructure"
I am co-author on a paper discussing whether elections be classified as “critical infrastructure” in the US, based on experiences in other countries:
Abstract: With the Russian government hack of the Democratic National Convention email servers, and further leaks expected over the coming months that could influence an election, the drama of the 2016 U.S. presidential race highlights an important point: Nefarious hackers do not just pose a risk to vulnerable companies, cyber attacks can potentially impact the trajectory of democracies. Yet, to date, a consensus has not been reached as to the desirability and feasibility of reclassifying elections, in particular voting machines, as critical infrastructure due in part to the long history of local and state control of voting procedures. This Article takes on the debate in the U.S. using the 2016 elections as a case study but puts the issue in a global context with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance.
The paper was speculative, but now it’s official. The U.S. election has been classified as critical infrastructure. I am tentatively in favor of this, but what really matter is what happens now. What does this mean? What sorts of increased security will election systems get? Will we finally get rid of computerized touch-screen voting?
EDITED TO ADD (1/16): This is a good article.
Encryption Working Group Annual Report from the US House of Representatives
The Encryption Working Group of the House Judiciary Committee and the House Energy and Commerce Committee has released its annual report.
Observation #1: Any measure that weakens encryption works against the national interest.
Observation #2: Encryption technology is a global technology that is widely and increasingly available around the world.
Observation #3: The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the “going dark” phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge.
Observation #4: Congress should foster cooperation between the law enforcement community and technology companies.
My Priorities for the Next Four Years
Like many, I was surprised and shocked by the election of Donald Trump as president. I believe his ideas, temperament, and inexperience represent a grave threat to our country and world. Suddenly, all the things I had planned to work on seemed trivial in comparison. Although Internet security and privacy are not the most important policy areas at risk, I believe he—and, more importantly, his cabinet, administration, and Congress—will have devastating effects in that area, both in the US and around the world.
The election was so close that I’ve come to see the result as a bad roll of the dice. A few minor tweaks here and there—a more enthusiastic Sanders endorsement, one fewer of Comey’s announcements, slightly less Russian involvement—and the country would be preparing for a Clinton presidency and discussing a very different social narrative. That alternative narrative would stress business as usual, and continue to obscure the deep social problems in our society. Those problems won’t go away on their own, and in this alternative future they would continue to fester under the surface, getting steadily worse. This election exposed those problems for everyone to see.
I spent the last month both coming to terms with this reality, and thinking about the future. Here is my new agenda for the next four years:
One, fight the fights. There will be more government surveillance and more corporate surveillance. I expect legislative and judicial battles along several lines: a renewed call from the FBI for backdoors into encryption, more leeway for government hacking without a warrant, no controls on corporate surveillance, and more secret government demands for that corporate data. I expect other countries to follow our lead. (The UK is already more extreme than us.) And if there’s a major terrorist attack under Trump’s watch, it’ll be open season on our liberties. We may lose a lot of these battles, but we need to lose as few as possible and as little of our existing liberties as possible.
Two, prepare for those fights. Much of the next four years will be reactive, but we can prepare somewhat. The more we can convince corporate America to delete their saved archives of surveillance data and to store only what they need for as long as they need it, the safer we’ll all be. We need to convince Internet giants like Google and Facebook to change their business models away from surveillance capitalism. It’s a hard sell, but maybe we can nibble around the edges. Similarly, we need to keep pushing the truism that privacy and security are not antagonistic, but rather are essential for each other.
Three, lay the groundwork for a better future. No matter how bad the next four years get, I don’t believe that a Trump administration will permanently end privacy, freedom, and liberty in the US. I don’t believe that it portends a radical change in our democracy. (Or if it does, we have bigger problems than a free and secure Internet.) It’s true that some of Trump’s institutional changes might take decades to undo. Even so, I am confident—optimistic even—that the US will eventually come around; and when that time comes, we need good ideas in place for people to come around to. This means proposals for non-surveillance-based Internet business models, research into effective law enforcement that preserves privacy, intelligent limits on how corporations can collect and exploit our data, and so on.
And four, continue to solve the actual problems. The serious security issues around cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections, and so on aren’t going to disappear for four years while we’re busy fighting the excesses of Trump. We need to continue to work towards a more secure digital future. And to the extent that cybersecurity for our military networks and critical infrastructure allies with cybersecurity for everyone, we’ll probably have an ally in Trump.
Those are my four areas. Under a Clinton administration, my list would have looked much the same. Trump’s election just means the threats will be much greater, and the battles a lot harder to win. It’s more than I can possibly do on my own, and I am therefore substantially increasing my annual philanthropy to support organizations like EPIC, EFF, ACLU, and Access Now in continuing their work in these areas.
My agenda is necessarily focused entirely on my particular areas of concern. The risks of a Trump presidency are far more pernicious, but this is where I have expertise and influence.
Right now, we have a defeated majority. Many are scared, and many are motivated—and few of those are applying their motivation constructively. We need to harness that fear and energy to start fixing our society now, instead of waiting four or even eight years, at which point the problems would be worse and the solutions more extreme. I am choosing to proceed as if this were cowpox, not smallpox: fighting the more benign disease today will be much easier than subjecting ourselves to its more virulent form in the future. It’s going to be hard keeping the intensity up for the next four years, but we need to get to work. Let’s use Trump’s victory as the wake-up call and opportunity that it is.
Auditing Elections for Signs of Hacking
Excellent essay pointing out that election security is a national security issue, and that we need to perform random ballot audits on every future election:
The good news is that we know how to solve this problem. We need to audit computers by manually examining randomly selected paper ballots and comparing the results to machine results. Audits require a voter-verified paper ballot, which the voter inspects to confirm that his or her selections have been correctly and indelibly recorded. Since 2003, an active community of academics, lawyers, election officials and activists has urged states to adopt paper ballots and robust audit procedures. This campaign has had significant, but slow, success. As of now, about three quarters of U.S. voters vote on paper ballots. Twenty-six states do some type of manual audit, but none of their procedures are adequate. Auditing methods have recently been devised that are much more efficient than those used in any state. It is important that audits be performed on every contest in every election, so that citizens do not have to request manual recounts to feel confident about election results. With high-quality audits, it is very unlikely that election fraud will go undetected whether perpetrated by another country or a political party.
Another essay along similar lines.
Related: there is some information about Russian political hacking this election cycle that is classified. My guess is that it has nothing to do with hacking the voting machines—the NSA was on high alert for anything, and I have it on good authority that they found nothing—but something related to either the political-organization hacking, the propaganda machines, or something else before Election Day.
Sidebar photo of Bruce Schneier by Joe MacInnis.