This Week, “Freedom isn’t free”
Our Consolation must be this, my dear, that Cities may be rebuilt, and a People reduced to Poverty, may acquire fresh Property: But a Constitution of Government once changed from Freedom, can never be restored. Liberty once lost is lost forever. When the People once surrender their share in the Legislature, and their Right of defending the Limitations upon the Government, and of resisting every Encroachment upon them, they can never regain it.
The SafeView Research Report is intended to give you a snapshot of technology risk management issues. Airius Internet Solutions manages SafeView data and provides strategic, tactical and emergency risk management consulting. If you have any technology risk issues, please contact Airius with your questions at firstname.lastname@example.org
The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. President Thomas Jefferson, 1787
Read the timeline here.
Since the FBI and San Bernardino County officials reset the password of an iPhone 5c, they have been building a case for the government to claim the right to monitor EVERYTHING. Encryption is a mechanism used to protect data. We depend on encryption to connect to the internet, do business, check our bank balance, buy things from eBay and listen to music from iTunes.
Encryption is secure by design, and keeps getting more secure each day. Technology forces encryption to stay on the move, slightly ahead of the technology used to decrypt. If encryption is engineered with a weakness, it is rapidly exploited, and such exploit is available to anyone, even commercially.
Numerous companies sell products that can crack cell phone security and decrypt protections. The commercial solutions are typically a version or two back from current models. Every cell phone – Blackberry, Android and Apple – can be cracked, given enough time and resources. People are the biggest threat to security. Companies adopted encryption and security measures that were within the limitations of the hardware and within the limitations of users.
The FBI did the greatest service to privacy and the willingness of people to use difficult passwords by trying to bypass security by design. People are starting to realize that this has little to do with crime, and everything to do with privacy. Once we surrender our rights for security, we get neither (loosely paraphrased from Ben Franklin). A right surrendered is never returned.
The cell phone, a work phone, in question was likely not used for crime. The suspects had private phones which were destroyed. These were work phones. Verizon provided all the communications – voice, data, text – to the government. There is no reasonable belief that this phone is pivotal to the discovery of terrorist activities, and even if it could, that does not in any way justify giving up the right to protect our privacy from all, our government, and bad guys, included.
What Does The Fourth Amendment Mean?
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…. Fourth Amendment of the US Constitution, September 25, 1789
“The house of every one is to him as his castle and fortress, as well for his defence against injury and violence as for his repose.” Sir Edward Coke, Attorney General of England, 1604 in the Semayne’s Case (The eminent English jurist; born in Norfolk, 1552; educated at Cambridge; solicitor-general, 1592; attorney-general, 1594; speaker of the House of Commons, 1593; chief-justice of the common pleas, 1606, and of the King’s Bench, 1613, from which he was removed by James I., 1616; opposed the court party from that time until 1628, when he produced his commentary upon Littleton; died 1633.)
The holding of the case can best be summed by Coke’s words,
“ In all cases when the King is party, the sheriff may break the party’s house, either to arrest him, or to do other execution of the K[ing]’s process, if otherwise he cannot enter. But before he breaks it, he ought to signify the cause of his coming, and to make request to open doors…”
The government wants to protect us by being able to monitor everything, at the cost of our privacy.
The King’s local forces in the colonies asserted their rights to unwarranted searches, kicking doors from hinges prior to 1775. No warning was required, no disclosure or supporting evidence. The government could use the threat of a search as extortion, and colonists had no defenses, since the locals were acting supposedly on behalf of the King.
We don’t have a king. We have a representative government that should act for us. Is the government acting for us by legislating technology? Are we collectively safer? The UK government is moving to require encryption keys to be provided to the government. This does not stop encryption. This only gives government the ability to claim encryption keys for those services where the keys are stored by a hosting provider.
Anyone familiar with encryption realizes that this will only affect cloud solutions with cloud provider stored keys. Therefore, new iPhones, new Android devices, OpenPGP encrypted files and email, all unaffected. So, does the government gain anything other than sound bytes and media attention if their real goal is stopping terrorists? Keys that you create are protected by both 4th amendment protection – where the key is a thing, and 5th amendment – where the key is something you know. The government is trying to establish precedence to bypass Constitutional protections afforded to individuals by forcing technology companies to be complicit in mass spying.
Encryption has become the technological concealed weapon. The government doesn’t want us to have it. They will use laws to make encryption criminal, and accept no responsibility when data protection is circumvented as a result. Like concealed handguns, encryption laws only influence those that abide to laws in the first place.
Government has not proven that they can keep their information secure. How can they be the custodians of encryption keys and tools that give them backdoor access to every online service (and grant the same access to a criminal) without any trace?
The USA Patriot Act 1 & 2
The USA PATRIOT Act is an Act of Congress that was signed into law by President George W. Bush on October 26, 2001. Its title is a ten-letter backronym (U.S.A. P.A.T.R.I.O.T.) that stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”.
On May 26, 2011, President Barack Obama signed the PATRIOT Sunsets Extension Act of 2011, a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of “lone wolves”—individuals suspected of terrorist-related activities not linked to terrorist groups.
Following a lack of Congressional approval, parts of the Patriot Act expired on June 1, 2015. With the passage of theUSA Freedom Act on June 2, 2015 the expired parts were restored and renewed through 2019. However, Section 215 of the law was amended to stop the National Security Agency from continuing its mass phone data collection program. Instead, phone companies will retain the data and the NSA can obtain information about targeted individuals with permission from a federal court.
This is a U.S. law enacted on June 2, 2015 that restored in modified form several provisions of the Patriot Act, which had expired the day before. The act imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens by American intelligence agencies, including the National Security Agency. It also restores authorization for roving wiretaps and tracking lone wolf terrorists. The title of the act originally was a ten-letter backronym (USA FREEDOM) that stood for “Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act.“.
The Cybersecurity Information Sharing Act (CISA S. 2588 [113th Congress], S. 754 [114th Congress]) is a United States federal law designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes”. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate October 27, 2015. Opponents question CISA’s value, believing it will move responsibility from private business to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police.
The King and his representatives meant well. They had the people in mind, but had over centuries pushed the bounds of protections versus privacy too many times. The courts repeatedly defended the rights of individual privacy over the rights of the government to conduct warrantless surveillance. The government wont ask us for our keys, and we wont offer them. The technology industry is actually being asked to redesign security in such a way that back doors are impossible, given current technology. Providers will implement encryption in a way that it is solely in control of the consumer. In the long run, the government is making noise, protecting no one (criminals are not stopped by laws), and getting spin for coming out against encryption. We need encryption if we need to use technology. It is as important to the function of our current technology as electricity.
Immediately, switch to OpenPGP, Mailvelope, Signal for iPhone, Android and Desktop. Take the responsibility for protecting your own information so that technology companies are not pressured by government. They cannot share what they don’t have.