A few months ago Apple and the FBI seemed to be locked in a fight to the death over a request to unlock a phone belonging to the now dead San Bernardino shooter. The FBI attempted to use the 18th century All Writs Act to get Apple to write new software that undermined the security of their old software. While the FBI said it would be used only once, New York City District Attorney Cyrus Vance said he had over a hundred phones that he wanted to use it on. There are a lot of legal nuances regarding the All Writs Act, but one of them is that the government should have no other reasonable options before demanding that a company do what it is asking. Before the courts could settle this matter, the FBI discovered a hack that allowed them to unlock the phone and the case was withdrawn.
This hack, and a lot of others, is enabled by the fact that people don’t like long passwords. In the case of the San Bernardino shooter, he used a 4 character PIN, meaning there were only 10,000 possible guesses. Whether that was done by humans or computers, the time to figure that out is pretty short. On the other hand, if the user had an 8 character alphanumeric password instead, there would be, at least, 2.8 trillion choices, meaning that it would take quite a while to guess all the possibilities. However, since users don’t like to work, we can assume that 4 character passwords like 1234 are still common.
Moving forward, Open Whisper Systems, the maker of the Signal messaging app, received a subpoena for some subscriber information as part of an investigation. Signal, you may know, is a well respected, encrypted messaging app. It was designed by a team headed by Moxie Marlinspike, a well known security software architect and developer and a white hat hacker, with the intention to be secure.
The subpoena had a one year gag clause (many of the subpoenas have an infinite gag clause), but that gag order was partially lifted after a lawsuit by the ACLU.
While some redacted documents were released, Signal is still not allowed to tell the users that the feds took their information.
While many people are OK with the government doing this – at least to other people’s information – many others are not. However, it is a by-product of the cloud. If you use a cloud based service – whether it is Apple or Flickr or anything else – and the company is given a subpoena, they will likely have to turn over your information and will also likely not be able to tell you – maybe ever.
One legal subtlety is that they were asking for this data under a subpoena and not a search warrant. The requirements for obtaining a warrant are tighter than for a subpoena. For one thing, a warrant has to be signed by a judge – one whom the prosecutor has convinced of the appropriateness of the request. The subpoena may be authorized by an attorney working for the FBI.
In this case, the subpoena asked for subscriber details, address, telephone numbers, email addresses and method of payment along with internet addresses, browsers and internet providers the account holder may have used.
Signal/Open Whisper Systems very intentionally does not collect any of that information. They do have a phone number, the time the account was created and the time the user last connected.
Did the government not understand that Signal doesn’t collect any of the information they were asking for? More likely the subpoena was a standard form document and they were fishing for anything that Signal might possess. The government got dramatically less than they were asking for.
The FBI is again considering asking Apple to unlock another iPhone. This time it was the guy who stabbed a bunch of people in a Minnesota mall. In this case, the FBI has already retrieved almost a terabyte of data from the attacker’s devices. The police shot and killed the suspect, so they cannot ask him to unlock the phone.
Depending on the device and the operating system, the manufacturer may be able to circumvent the security by writing new software, but it is equally possible that it cannot.
Russia passed a law called the Yarovaya package, which requires Internet Providers to retain every byte of data they transmit, including video, phone calls, text messages and email for 6 months. Metadata must be kept for between 1 and 3 years depending. Government access to this data does not require a warrant.
Putin has asked for a list of services that must hand over their keys. The interesting question is whether service providers will turn over their keys or opt to stop doing business in Russia. Stay tuned for details.
Since it is impossible for providers to comply with this law and stay in business – it would be too hard and too expensive – this turns providers into criminals, allowing the Russian secret police to extort other information from those providers to stay out of jail.
One VPN provider, Private Internet Access, has already said they will no longer be doing business in Russia. It will be interesting to see what other providers choose to do. What Microsoft and Google are doing is a mystery.
What is scary is that many providers will not announce what they are doing, so we really don’t know which providers are secure and which ones are not secure.
From a security conscious user’s standpoint, the only real option is to manage their encryption keys themselves for anything that they need to make sure remains private. In that case, the government will either have to figure out how to crack the encryption or come to either the sender or receiver to get them to unlock the phone.
One other option for the FBI is to hack into your computer – what they call a network investigative technique – and just steal your data.
So the battle between a government’s desire to snoop and a citizen’s desire to keep private things private continues. It is not likely to end any time soon.