Why the FBI vs. Apple Matters

iphone-6s-tear-downTo most Americans, Apple’s refusal to unlock the San Bernadino shooter’s iPhone seems an untenable position. After all, Farook is a known terrorist who committed a horrific crime. That a legal warrant should be issued to search his every sock drawer and hard drive to uncover links to other terrorists or plots is patently obvious. Clearly Apple should just give the FBI what they want. So why is Apple balking? And why does most of the tech community side with them?

The facts are a bit confusing to those outside the tech community. The average American doesn’t (and probably doesn’t want to) understand the intricacies of data encryption and security. With that in mind, I’m going to try to make a more real-world analogy that everyone can relate to, but still illustrates the problem at hand. To do that, let’s assume that this is the 1960s. “Ivan” has just committed an act of terror in the name of the USSR. He was killed in the event, but police suspect he may have had microfilmed plans and lists of other Soviet agents inside the US.

The FBI discovers Ivan has a safety deposit box at the local bank. They go to the court and get a warrant, present it to the bank, and the bank manager opens the box inside the vault and surrenders the contents inside to the authorities.

This situation is similar to requests Apple has responded to many times before. It is a request for something Apple has possession of (e.g. iMessage conversations on its servers) which are turned over willingly with the proper legal authorization. This is how most people seem to be thinking of the Farook iPhone case, but it is not similar to the current case at all.  For that, let’s move on to the next scenario.

Police then discover that Ivan has an ACME Self Destructing Safe in his basement. The feds know this safe is equipped with an acid release failsafe inside the unit such that if the wrong combination is tried too many times or they attempt to force open the safe, the acid is released and all contents of the safe are destroyed.

The FBI then goes to the ACME company and asks them to open the safe. But ACME explains that even they don’t have the combination. Only Ivan did, and he’s gone. ACME doesn’t own the safe or any of its contents. It just designed and built it. Then the FBI comes back to ACME with a new plan and a court order to make ACME implement it. They want ACME to build them a device that can neutralize the acid failsafe so that the police can then just crack the safe.

However, ACME is aware that this acid neutralizing device will actually work on any of their safes, not just Ivan’s. Further, they know their safes are the bane of the FBI, and that police have hundreds of these legally confiscated safes from other crimes stored in evidence lockers across the country. The FBI would love to open them all.

ACME is worried that eventually one of the neutralizing devices or the plans for one will get out in the public or on the black market, and once that horse is out of the barn, there’s no putting it back. They realize that what the FBI is asking them to do is effectively remove the acid failsafe as a security feature from everyone’s safe, not just Ivan’s. This compromises the safety of ACME’s many legitimate customers who have trusted them to secure their belongings.

Further, the security industry as a whole is worried that if ACME yields, it sets the precedent that no one can build and sell uncrackable safes or unbreakable locks. Every security system must be penetrable by the police without the owner’s cooperation. But such a built in weakness is also exploitable for nefarious purposes, both by corrupt government agents as well as theives and spies.

This is the situation Apple finds itself in with the locked iPhone. Once it builds the crack tool, there is no reality under which it would be used just once and destroyed. Even if that tool was safely destroyed, the FBI would be back next week with another warrant for another iPhone, and they would be forced to build it again. Eventually, it becomes impractical to destroy and rebuild the tool each time, so the issue becomes about controlling access to the tool.

Therein lies the weakness. In a world where horses don’t exist, no one has to worry about watching the barn door. But once you create a horse, then the door becomes a liability. And because horses are useful, eventually you have multiples… then multiple barns… and multiple doors. It’s only a matter of time before one gets loose. After all, no security system is perfect.


GOP senators to feds: Leave the Internet alone

12217_large_neutral-bits.pngIt’s this sort of thing that really pisses me off. The intention is exactly right. The Internet should be free of interference. It should continue to be accessible by anyone, empower content and service creators, and foster innovation. Yet excluding all government regulation of the Internet is exactly contrary to achieving that goal.

In fairness, the issue of Net Neutrality is a bit complicated.  Most people don’t know how the Internet works. And this leaves open the opportunity to exploit that lack of understanding through politi-speak gems like this

“There are exceptions of course, but far too often, when you hear someone say, ‘We need regulations to protect the Internet,’ what they’re actually saying is they don’t really trust the entrepreneurs and Internet technologists to create the economic growth and to increase public welfare.”

Net Neutrality regulations don’t stifle entrepreneurs and technologists. Rather, they keep the network available for them. Net Neutrality reigns in big ISPs from exploiting their effective monopolies for increased profit and offering preferential treatment for other large companies who can afford to pay to play. It protects the consumer and the entrepreneur from big business.

In a very real way, keeping the government from regulating the Internet is simply paving the way for a few large private business to regulate it. There’s no way that ends well for small businesses and consumers.

All regulations are restricting someone else’s freedom. That doesn’t make them all bad. Net Neutrality regulations are all about preserving the freedom of the Internet. If you would rather trust AT&T, Time Warner, Verizon, and Comcast to keep your network a free and open egalitarian network… you’re more than a little naive.


CISPA – Big Brother Never Sleeps

big-brother-posterIt’s likely you’ve never heard of the Cyber Intelligence Sharing and Protection Act, also known as CISPA.  It is the latest round in the never-ending litany of SOPA-like bills designed to clamp down on the scourge that is the Internet.  And it just cleared the House last week by a pretty comfortable margin.  Comfortable that is, unless you’re a user of the Internet.

Much like the Protecting Children From Internet Pornographers Act of 2011, CISPA cloaks itself with a title that’s hard to be opposed to.  Cyber-terrorism is a very real threat, and who in their right mind would be against a measure to protect us from a cyber-attack?  Ahhh… if only it actually achieved that goal.

What CISPA actually does is provide immunity to ISPs and online  service providers for responding to government requests for information about the cyber-activities of anyone related to cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security.  Note that the bill does not compel companies to turn over such information, and because it’s a voluntary request, it requires no court approval or any other sort of burden of reasonable cause.  But keep in mind that during the post 9/11 illegal wiretapping scandals, AT&T, Verizon, and other companies were only too willing to hand over your data.  So much so that there were efforts to prosecute the telecom companies for violating citizen’s rights, which ultimately required that the telcos be granted immunity.  Under CISPA, they will have permanent immunity as CISPA explicitly states that companies may provide requested information “notwithstanding any other provision of law.”  In other words, CISPA trumps all other laws.

CISPA would “waive every single privacy law ever enacted in the name of cybersecurity,” Rep. Jared Polis, a Colorado Democrat and onetime Web entrepreneur, said during the House debate. “Allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on.”

Yet all this begs the question, will it make us safer?  After all, in the last decade Americans have repeatedly shown that they are willing to sacrifice considerable freedoms in the interest of domestic security.

The fundamental issue would seem to be that this is a bill about cyber-security. Yet the allowances to deploy the law for purposes such as protecting children from exploitation seem pretty hard to defend as essential to preventing cyber-terrorism.  Still, it’s hard to argue that protecting children is a bad thing.

Moreover, the issue would seem to be the relative ease by which potential cyber-terrorists could thwart the efforts enabled by CISPA.  VPN tunnels and anonymous proxy services are well known technologies, and would make it impossible for anyone monitoring network traffic to even determine who was talking to whom, much less eavesdrop on the conversation.  You could certainly argue that the average citizen might not have the geeky skills to set up such a secure Internet connection.  But certainly anyone with the mad tech skills to conduct cyber-terrorism is going to be able to handle an encrypted network tunnel.  Don’tcha think?

So who are we catching here?  One possibility is that this is all just more security theater.  We’ll spend a lot of money and politicians will use CISPA as a campaign slogan, but it will have very little net impact on security.  Another possibility is that CISPA will be exploited for less noble purposes, unrelated to cyber-terrorism.  Instead of hunting down Chinese hackers, it will be used to hunt down your spouse streaming an illegally broadcast Celtics game on her laptop.

The bottom line is that this bill will not accomplish what it purports to.  The bill is highly focused on domestic surveillance, and there is no evidence that we are at risk of a domestic cyber-attack from citizens with poor tech skills.  Further, there are ample laws on the books now that allow the government a pretty wide berth to eavesdrop on citizens when they can show cause.  And those laws have already been routinely circumvented in the name of national security.  If anything, we need to be shoring up the Fourth Amendment, not tearing it to shreds.

Just because technology provides the means to unobtrusively invade our personal privacy does not mean we should be surrendering those rights.

Fortunately, while CISPA started out with bipartisan support, it has become a partisan issue.  It may have been passed by the House, but its chances of getting through the Senate are slim, and Obama has already threatened a veto.  Yet this is no time for complacency.  These sorts of bills just keep on coming, and sooner or later, one of them will slip through.

Be vigilant.


Big Brother Likes to Watch

big-brother-posterSOPA and PIPA may be dead, but the battle is far from over.  The dust had barely settled from the online community’s successful revolt against Hollywood’s attempt to toss out due process in an effort to protect it’s Luddite-like business model when Rep. Lamar Smith, SOPA’s author, introduced the Protecting Children From Internet Pornographers Act of 2011.

That doesn’t even sound related does it?  Further, it’s obviously about protecting children, and who could be against that? Well, that’s kind of the point. The problem is, this bill doesn’t really introduce any additional protections for children or make any bold new strides to stamp out child porn.  At least not directly.

What the bill does require is that your ISP maintain a record of what IP addresses are assigned to you for 18 months.  It is required to keep those records sealed, unless the government, and only the government, requests them.

Some sites are reporting the bill requires ISPs to keep a record of every site you visit.  That’s not true, unless you live in Hawaii, where a separate and unrelated state bill has been proposed requiring your ISP to keep tabs on your every YouTube view and Facebook stalking venture.  The federal bill makes no such requirement.

This means the Fed won’t have the ability under this bill to demand your Internet history as part of an investigation.  But, if it is monitoring network traffic or if it seizes a web server and the logs on that server, they can trace your activity back to your house.

So in theory, FBI agents bust a child porn provider, find out that someone at the address 123.123.123.123 has been a heavy user, and grab the ISP records to find out that on the day in question, that address was assigned to your house.  Then you hear a knock on the door.  Okay, if you’re into child porn, then someone should knock at your door and haul your ass away.  But what if it wasn’t you?  What if your neighbor jacked your WiFi, and he’s the real pervert?  What if you own a coffee shop and provide free WiFi to your customers?  Are you now suspect because of their actions?

And you’d have to be completely naive to think this tactic only applies to child porn.  Gee, have you been to Megaupload or Pirate Bay lately?  And there’s the SOPA/PIPA tie in.  Once this data is being collected and is at the government’s disposal, it will be used for all manner of things.  This isn’t about protecting the children. That’s just the ruse to get the law passed.

And before someone argues that if you’ve got nothing to hide you shouldn’t be worried… that’s not the point.  The Forth Amendment guarantees a right to privacy.  The Supreme Court recently ruled that your car can’t be GPS tagged without a warrant.  This means the police can’t decide to electronically track and log wherever you go in the real world so that  just in case they uncover a crime, they can go back and see who was near the scene when it was committed.  The virtual world should not be different.

As ill-conceived as they were, SOPA and PIPA were at least upfront about their intentions and motivations.  Hiding behind the specter of child porn to erode constitutional rights is despicable.  The children deserve better.


SOPA on a Rope

SOPA-on-a-ropeThe current bill in Congress known as SOPA (Stop Online Piracy Act) or as it’s known in the Senate, PROTECT IP (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property) is just beginning to get coverage in the non-technical press.  In draft, this was called the E-PARASITE Act (Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation Act). Seriously, who names these things?

From the names, it all sounds like goodness right? Theft, exploitation, piracy, who wants that?  If only it were that simple.

The intent of the bill is to crack down on illegal online file sharing.  There’s ample room for debate about how damaging online piracy truly is, and whether or not it makes business sense for content providers to aggressively attack their customers, but that’s a topic for another day.  Even if we accept that online piracy threatens to destroy the music and movie industry (just like VHS tapes and writable CDs did), the proposed bill is absolutely not the way to go about preventing it.

There are lots of articles out there on why this is so.  You can read the bill yourself, or read others’ analyses here, here, or here.  However, let me try and boil down the basics for you.

The Great Firewall of the USA: Enforcement of SOPA will require the creation of a Internet filters by all domestic ISPs to control what sites you are allowed to visit. This may be well intentioned censorship, but it’s still censorship, and it puts the mechanisms in place for less benign intentions. Do we really want to head down that slippery slope?

Online Security: Let’s face it, once the firewall goes up, many of us will find ways around it. This will involve a combination of foreign or rogue DNS servers, proxies, or VPN services. It doesn’t take a lot of imagination to believe that once you start getting your Internet delivered through black market servers that your online security will be at greater risk.

No More Safe Harbors:  The current law allows web site owners some protection under the “safe harbor” clause.  That means that if you were to post a comment on this article containing some illegal content, the owner of the content could demand I take it down, and I would be obliged to do so. But if the owner wanted to sue for damages, he couldn’t sue me as the website owner.  Rather, he’d have to come after you as the one who posted it.  Under SOPA, that protection is gone.  If you upload a funny Big Bang Theory clip to Facebook, CBS can sue Mark Zuckerberg for damages. SOPA will undoubtedly result in far fewer sites taking on the risk of letting you post things on them. The web will become a lot less participatory.

Loss of Due Process:  This is perhaps the most egregious implication. Under SOPA, website owners are guilty until proven innocent.  Based only on an accusation of having illegal content on your site, anyone can demand that the ISPs block access to your site, and may further demand that all banks stop doing business with you.  Sure, you can appeal to the court, but that could take months or years to settle. In the meantime, you’re out of business.

As the major backer of SOPA, the entertainment industry is making lots of assurances that the provisions of SOPA would never be used for anything but the most noble of causes.  They are full of it.  These same people have already collaborated with the Department of Homeland Security and Immigration and Customs Enforcement to stretch the In Rem Forfeiture clause (allowing for the immediate seizure of property used in the commission of a crime) to include domain name seizures of websites with no warning or due process.  They are wielding this with a broad brush and have repeatedly seized domains eventually found legal by the courts, but by then put out of business.  Oops.

This whole SOPA mess has also created some strange bedfellows.  The tech community and most high tech companies have come out against it.  Along side them are Michele Bachmann and her Tea Party Coalition.  Ironically, the Tea Party and the Techies were on staunchly opposite sides of the Net Neutrality debate, so this is a somewhat uneasy alliance.

On the other side we find the Hollywood studios, music companies, and the organizations like RIAA and the MPAA that lobby for them.  We also find VP Joe Biden and several key Democratic legislators who have historically been supportive of anything Hollywood wants.  To her credit, Hillary Clinton has expressed some concerns about SOPA, and Obama claims to be on the fence.

To that end, Obama is currently taking input on the issue.  If you want to oppose the bill, go to the White House website and sign the online petition.  As of this writing, we are still a few thousand signatures short of the “pay attention to me” threshold.  Yes, you have to create a White House account to sign the thing, but it only takes a minute.

On the other hand, if you think SOPA sounds like a great idea and want to know how to support it, please write a long letter and mail it to your local animal shelter. They are always looking for material to line the bird cages with.