In Bizarre Move, Dianne Feinstein Attacks Tech Companies for Profiting Off Spying on Their Customers

Dianne Feinstein attacked PRISM providers’ use of encryption in yesterday’s Senate Judiciary Committee hearing with Loretta Lynch in really bizarre fashion.

Feinstein: Google, Microsoft, Dropbox, and other email and cloud servers use forms of encryption to protect customer data. Their encryption techniques are strong and that makes them relatively well protected against outside attack. But the reality is that many companies only protect data like your email in ways that they can still use it themselves, and profit from it. I believe that the amount of personal information in the hands of private corporations and what some of those corporations are doing with that data is concerning. Isn’t it true that private companies can encrypt data so that it is protected from outsiders but at the same time those same companies can use our personal content data to target advertisements?

Attorney General Lynch: Thank you Senator for raising this important issue. It certainly is the case that many companies — those that you mentioned and others — have strong encryption, which we think is a very positive thing, and yet retain the ability to use the data that is transmitted along their systems, both for security purposes as well as for marketing purposes. And so it is certainly the case, as we have seen in our talks with various companies, that strong encryption can be accompanied with the ability to still access the data and use the data in relevant ways. And we think that this is something that’s part of the overall debate on this important issue as we all consider — as you have also noted — how much personal information we willingly turn over to private companies and how we want that information handled. And certainly as we continue to discuss these issues I thank you for raising them and making them part of the debate.

Feinstein: Well, thank you very much because with my own devices, and I’m not the most “hep” person when it comes to all of this [raising phone] I’ve been amazed to learn what I can’t control. And my understanding is that it’s private information like web browsing history, email content, geolocation information, even when encrypted on smart phones. So I think it is an area of concern as companies want to defy a probable cause warrant, that they can use this data for their own profit making motives, and that’s of concern.

First, let me remind you: this woman represents Silicon Valley! And yet it’s not clear precisely what she means here.

Don’t get me wrong: I’d love to have a service with the facility of Google but without all the snooping on content and location. It concerns me that Google keeps much of that information even if you opt out of most data sharing.

But why is the Ranking Member of the Collect It All Committee raising these concerns — aside from maybe just now learning how much companies have on her? Indeed, it seems there are at least three reasons why a Collect It All fan should prefer this option:

  • The proprietary information these companies collect — at least the cookies and location data — is available both with a subpoena and under PRISM. Indeed, it should provide some of the most interesting information about intelligence and law enforcement targets.
  • DiFi has just championed a bill that makes the packet sniffing DiFi claims to be concerned about — which allows Google to target us for advertising — more useful for government cybersecurity purposes, too, as Google can not only sniff for their own security purposes, but also share what they find with the government.
  • The Administration is in the middle of a campaign — successful with at least Facebook and probably with some services on Google as well — to ask tech companies to use their marketing algorithm function to disfavor ISIS propaganda and favor counter-propaganda.

In other words, DiFi should love this state of affairs!

The only explanation (aside from some recent discovery of how much of her own data these companies have) I can think of is that DiFi has learned how little data iMessage and Signal collect on people, and was supposed to complain that she is furious that companies which collect so little data both limit how cooperative they can be with legal requests and offer real security to their customers. But she appeared to be reading from a written statement, so that doesn’t make sense either.

The only other possibility I can imagine is that the government is trying to expand its access to this proprietary information under PRISM, and providers are balking. Which would be rather interesting.

Thursday Morning: Things Are Gonna’ Change

After Tuesday’s primaries and last night’s Democratic candidates’ debate, surely something will change in messaging and outreach.

And surely something will change on the other side of the aisle given the continued rampage of “Someone With Tiny Hands.”

Calls to mind an animated movie popular with my kids a few years ago.

Moving on…

Volkswagen and the Terrible, Horrible, No Good, Very Bad Week

  • USDOJ subpoenaed VW under recent banking law (CNBC) — This is the first such application of the Financial Institutions Reform, Recovery and Enforcement Act (Firrea) since it was signed into law in 1989 in response to the savings and loan scandal. The law was used to target bank fraud in subprime mortgages after the 2008 financial crisis. (Caveat: that link at CNBC autoplays video. Bad practice, CNBC very bad.)
  • VW’s US CEO Michael Horn departs with marked haste (Bloomberg) — Huh. Interesting timing, that. A subpoena and an exit inside 48 hours? The phrases “mutual agreement” and “leave to pursue other opportunities” are very telling. IMO, Volkswagen Group’s response to the scandal has been lackluster to obstructionist, and Horn might not want to be the automaker’s sin eater here in the U.S.
  • Not looking good in Germany for VW, either, as prosecutors expand their investigation (Business Insider) — 17 employees now under scrutiny, up from six.
  • VW’s South Korean offices raided (Reuters) — Wondered when South Korea would catch up after all the recent happy-happy about clean diesel passenger vehicle sales.

I feel like I’m telling a child Santa Claus is a lie and the Easter Bunny doesn’t exist, but it’s important to this scandal to grasp this point: There is no clean diesel technology. There is no clean diesel technology coming any time soon. Invoke a little Marcus Aurelius here and look at this situation and its essential nature, by asking why VW cheated and lied and did so for so long.

Because there is no clean diesel technology.

And the clock is tick-tick-ticking — the court case in California gave VW 30 days to come up with a technical solution. Mark your calendar for March 24, people.

A – Apple, B – Bollocks, C – Cannot…

Panopticonic POV

  • Defense Department used surveillance drones over U.S. for a decade (USA Today) — All legit, though, nothing to see here, move along. Disregard the incomplete list of flights, just trust.
  • What will happen when your neighbors can buy a StingRay on the cheap to listen in on your cellphone calls? (Bloomberg) — Worse thought: what if they’ve already built one?
  • If you’re a commercial trucker, chances are anybody can track you (Naked Security) — Read this, especially the pointers at the bottom of the article. (Personal tip from me: If you’re a female trucker, use a gender neutral name or initials in the workplace. Insist your employer respects this practice.)

That’s enough damage for one day. Things have got to change.

On Jim Comey’s Attempts to Force Apple to Change Its Business Model

As he has said repeatedly in Congressional testimony, FBI Director Jim Comey wants to change Apple’s business model.

The former General Counsel for defense contractor Lockheed and hedge fund Bridgewater Associates has never, that I’ve seen, explained what he thought Apple’s business model should be, or how much he wants to change it, or how the FBI Director put himself in charge of dictating what business models were good for America and what weren’t and why we’re even asking that in an age of multinational corporate structures.

It seems there are three possible business models Comey might have in mind for Apple:

  • The AT&T (or Lockheed) model, in which a provider treats federal business as a significant (in Lockheed’s case, the only meaningful) market, and therefore treats federal requests, even national security ones, as a primary market driver; in this case, the Feds are your customer
  • The Google model, in which a provider sees the user’s data as the product, rather than the user herself, and therefore builds all systems so as to capture and use the maximal amount of data
  • A different model, in which Apple can continue to sell what I call a walled garden to customers, still treating customers as the primary market, but with limits on how much of a walled garden it can offer

I raise these models, in part, because I got into a conversation on Twitter about what the value of encryption on handsets really is. The conversation suffered, I think, from presuming that iPhones and Android phones have the same business model, and therefore one could calculate the value of the encryption offered on an iPhone the same way one would calculate the value of encryption on an Android phone. They’re not.

Even aside from the current difference between Google’s business model (the data model at the software level, the licensing model at the handset level) versus Apple’s model, in Apple’s model, the customer is the customer, and she pays a premium for an idyllic walled garden that includes many features she may not use.

I learned this visiting recently with a blind friend of mine, whom I used to read for on research in college, who therefore introduced me to adaptive technologies circa 1990 (which were pretty cutting edge at the time). I asked her what adaptive technologies she currently uses, thinking that as happened with the 90s stuff the same technology might then be rolled out for a wider audience in a slightly different application. She said, the iPhone, the iPhone, and the iPhone. Not only are there a slew of apps available for iPhone that provide adaptive technologies. Not only does the iPhone offer the ability to access recorded versions of the news and the like. But all this comes standard in every iPhone (along with other adaptive technologies that wouldn’t be used by a blind person any more than most sighted ones). All iPhone users pay for those adaptive technologies as part of their walled garden, even though even fewer realize they’re there than they realize their phone has great encryption. But because they pay more for their phone, they’re effectively ensuring those who need adaptive technologies can have them, and on the market leader in handsets. Adaptive technologies, like online security, are part of the idyllic culture offered within Apple’s walled garden.

The notion that you can assign a value to Apple’s encryption, independent of the larger walled garden model, seems mistaken. Encryption is a part of having a walled garden, especially when the whole point of a walled garden is creating a space where it is safe and easy to live online.

Plus, it seems law enforcement in this country is absolutely obtuse that the walled garden does provide law enforcement access in the Cloud, and they ought to be thrilled that the best encryption product in the world entails making metadata — and for users using default settings, as even Syed Rizwan Farook seems to have been — content readily available to both PRISM and (Admiral Rogers made clear) USA Freedom Act. That is, Apple’s walled garden does not preclude law enforcement from patrolling parts of the garden. On the contrary, it happens to ensure that American officials have the easiest ability to do so, within limits that otherwise ensure the security of the walled garden in ways our national security elite have been both unwilling and even less able to do.

But there’s one more big problem with the fanciful notion you can build a business model that doesn’t allow for encryption: Signal is free. The best app for encrypted calls and texts, Signal, is available free of charge, and via open source software (so it could be made available overseas if Jim Comey decided it, too, needed to adopt a different business model). The attempt to measure in value what value encryption adds to a handset is limited, because someone can always add on top of it their own product, so any marginal value of encryption on a handset would have to make default encrypted device storage of additional marginal value over what is available for free (note, there is a clear distinction between encrypting data at rest and in motion, but the latter would be more important for anyone conducting nefarious actions with a phone).

Finally, there’s one other huge problem with Comey’s presumption that he should be able to dictate business models.

Even according to this year’s threat assessment, the threat from hacking is still a greater threat to the country than terrorism. Apple’s business model, both by collecting less unnecessary data on users and by aspiring to create a safe walled garden, offers a far safer model to disincent attacks (indeed, by defaulting on encryption, Apple also made iPhone theft, and identity theft via device theft, far harder). Comey is, effectively, trying to squelch one of the market efforts doing the most to make end users more resilient to hackers.

The only model left–that could offer a safer default environment–would effectively be an AT&T model pushed to its limits: government ownership of telecoms, what much of the world had before Reagan pushed privatization (and in doing so, presumably made the rest of the world a lot easier for America to spy on). Not only would that devastate one of the brightest spots in America’s economy, but it would represent a pretty alarming move toward explicit total control (from what is tacit control now).

Is that what former Hedgie Jim Comey is really looking to do?

One final point. While I think it is hard to measure marginal value of encryption, the recent kerfuffle over Kindle makes clear that the market does assign value to it. Amazon dropped support for encryption on some of its devices last fall, which became clear as people were no longer able to upgrade. When they complained in response, it became clear they were using Kindles beyond what use Amazon envisioned for them. But by taking away encryption users had already had, Amazon not only made existing devices less usable, but raised real questions about the CIA contractor’s intent. Pretty quickly after the move got widespread attention, Amazon reversed course.

Even with a company as untrustworthy and data hungry as Amazon, removing encryption will elicit immediate distrust. Which apparently is not sustainable from a business perspective.

Tuesday Morning: Some Kind of Freak

Today’s the intersection of my Gwen Stefani jag and International Women’s Day 2016. Need some more estrogen-powered music to celebrate IWD? Try this list — note and compare Lesley Gore’s You Don’t Own Me and Nancy Sinatra’s These Boots Are Made for Walking against more recent tunes like No Doubt’s Just A Girl.

Let’s roll…

Volkswagen shocked, SHOCKED! the EPA went public on the diesel emissions standards cheat
But by the time the EPA made public statements regarding VW, the German automaker had already known about the International Council on Clean Transportation’s research results for a year and had yet to reveal to shareholders the risk of prosecution and penalties. VW’s leadership hoped for a mild and quiet slap on the hands and enough time for a technical solution before the EPA’s disclosure:

“In the past, even in the case of so-called ‘defeat device’ infringements, a settlement was reached with other carmakers involving a manageable fine without the breach being made public,” VW argued. “And in this case, the employees of Volkswagen of America had the impression on the basis of constructive talks with the EPA that the diesel issue would not be made public unilaterally but that negotiations would continue.”

Hope somebody is looking at insider trading for any sign that VW executives were unloading stock in the period between September 2014 when ICCT’s results were published, and when the EPA went public in 2015. Wonder what penalties there are under German/EU laws for this?

USDOJ appealed last week’s ruling in Brooklyn iPhone 5S case
At the heart of this appeal is Apple’s past cooperative actions when federal law enforcement asked for assistance in unlocking iPhones. Apple, however, said past acquiescence is not consent. USDOJ has now asked for review of Judge Orenstein’s ruling.

Apple co-founder Steve Wozniak appeared on Conan, sided unsurprisingly with Apple
Woz admitted to having tried his hand at writing viruses for Mac, but the entire premise terrified him, compelling him to destroy his efforts. Video of his appearance included at this link.

France to punish phonemakers for encryption, while UK’s GCHQ says it should get around encryption
A narrow body of water, a different language, and a recent terrorist attack make for very different reactions to encrypted communications. France’s Parliament voted yesterday to punish phonemakers which do not cooperate with law enforcement on unencrypting data; the bill is not yet law, subject to further parliamentary process. Meanwhile, Britain’s spy chief said he hopes methods can be developed to get around encryption without building backdoors.

Drive-by quickies

And it’s Presidential Primary Day in Michigan, Mississippi, Idaho, Hawaii. I may avoid social media for most of the day for this reason. Hasta pasta!

Amid an Inconclusive Answer on Encryption, Hillary Reveals She Doesn’t Understand How Metadata Works

Less than a mile from my house (at a small local tech firm called Atomic Object), Hillary Clinton got asked a question about encryption. After talking about the role of encryption in Atomic Object’s own work, one of the women asked (after 14:00; recording cuts out during her question),

What steps do you think government needs to take to make sure that the companies who build these, create these products, keep our data secure. And also looking at the controversy between Apple and the FBI about encr–

After describing Healthcare.gov as the biggest tech failure in government because “it just didn’t really gel and there wasn’t enough testing,” Hillary admitted (in an apparent non sequitur) the government doesn’t do a good enough job protecting its own data.

We are woefully behind in the government in even protecting our own stuff. And so we’ve got to do a better job if we’re going to be a good partner with businesses to try to maintain privacy of data, whether it’s just customer data or whether it has real public consequences.

She then pivoted from what (I thought) was a project management issue, not a security one, to a long answer on Apple v FBI that basically admitted not knowing (or not being willing to say) what the right answer was.

With respect to the current legal controversy, between Apple and the FBI, I am someone who is just feeling like I am in the middle of the worst dilemma ever. I mean, think about it. Because there’s got to be some way to protect the privacy of data information. There’s got to be some way to avoid breaking encryption, however you describe it, and opening the door to a lot of bad actors. But there also has to be some way to follow up on criminal activity and prevent both crimes and terrorism. You guys are the experts on this. I don’t know enough about it to tell you how to do it. But I think that the real mistrust between the tech companies and the government right now is a serious problem that has to be, somehow, worked through.

I keep saying, you know, we have a lot of smart people in this country. You know, we invented the Internet, we invented, you know, the Internet of Things, we’ve invented all of this. Isn’t there some way without opening the door and causing even, you know, more and worse consequences to figure out how you get information?

Because I’m also very understanding of the position that law enforcement finds itself in, and if any one of you were working at Quantico in the FBI lab, and you know, you had this phone that one of the terrorists in San Bernardino did and you wanted to find out who they communicated with and you know that could trace us back to somebody in this country, it could trace us back more clearly to somebody directing it overseas. You’d want to know that too.

So that’s what we need help on, so that we don’t make a grave error that affects our ability to maintain privacy and to protect encryption, but we also don’t open the door — because we know what happens, is these guys that are on the other side of us now, with ISIS and the like, they are really smart. A lot of them are well-educated. They’re not the image of just some poor guy coming to be a Jihadist. They are educated, they are increasingly computer literate, they are wanting to wage as much war and violence on Europe, the United States, as they can. They have learned, so they’re now using encrypted devices, why wouldn’t they? You know why would they be so stupid to continue to allow us to monitor where they are and what they’re doing? This is a problem. And it’s a problem we’ve got to come up with some way to solve. But I certainly am not expert in any way to tell you how to do it.

Right in the middle, however, Hillary reveals not understanding a key part of this controversy. To the extent Syed Rizwan Farook used the Apple software on his work phone to communicate with accomplices, we know who he communicated with, because we have that metadata (as Admiral Mike Rogers recently confirmed). We just don’t know what he said.

We wouldn’t necessarily know who he talked to if he used an App for which metadata was more transient, like Signal. But if so, that’s not an Apple problem.

Moreover, if ISIS recruits are — as Hillary said — smart, then they definitely wouldn’t (and in fact generally don’t) use Apple products, because they’d know that would make their communications easily accessible under the PRISM or USA Freedom programs.

This response is not really any different from what we’re getting from other Obama officials. But it does come with some indication of the misunderstandings about the problem before us.

Monday Morning: Put Your Pom-poms Down

A certain state governor (or his PR team) tweeted a bunch of smack last night during the Democratic presidential candidates’ debate. Like this:

[Embedded tweet, 6 March 2016]

It is to laugh. Every decision made by this administration about Flint has been about money, not about the right thing, and not even about the legal thing.

He put his pom-poms down last week long enough to lawyer up, though. Mm-hmm.

By the way, that’s the NSFW version – here’s the language-sanitized clean version of that video for your office space. Crank the volume and bring it.

All around Apple town

  • Email provider Lavabit filed an amicus brief in #AppleVsFBI, arguing the FBI’s demands could have adverse effects on businesses:

    Such precedence would likely result in many businesses moving their operations offshore, therefore, making it more difficult for law enforcement to obtain even ordinary assistance from such companies…

    Wow, sounds familiar, huh? Brief’s worth a read (pdf).

  • Apple VP of software engineering Craig Federighi wrote an op-ed for yesterday’s WaPo, restating an opinion Apple and many of its supporters already expressed:

    “…it’s so disappointing that the FBI, Justice Department and others in law enforcement are pressing us to turn back the clock to a less-secure time and less-secure technologies. …”

  • The stakes get higher in #AppleVsFBI as Apple prepares to launch several new iPhones and an iPad on March 21. We all know a decision by Judge Pym will affect these devices in the future, not just the San Bernardino shooter’s iPhone 5C.
  • And just to keep Apple users even more on their toes, there’s now Apple ransomware on the loose. So far only Mac devices have been targeted, but it’s only a matter of time before other Apple devices are similarly affected. I’d put my money on higher profile users or those using iPhones to remotely control costly systems.

Quickety-lickety

And on this day in 1876, U.S. Patent 174,465 for Improvement in Telegraphy was granted to Alexander Graham Bell.

What will they write about this day in another 140 years? Do something worth writing about.

Friday Morning: The Political is Musical

It’s Friday, and that means more jazz. Today’s genre is Afrobeat, which emerged in the late 1960s/early 1970s.

Nigerian musician Fela Kuti is credited as the genre’s progenitor, though Fela maintained drummer Tony Allen was essential to style, saying, “[w]ithout Tony Allen, there would be no Afrobeat.”

Afrobeat fuses a number of different types of music with jazz, including funk, highlife, rock, and folk music from West African cultures. In this video, Beasts of No Nation, it’s easy to hear the different styles of music added as layers underpinned and unified by drums.

The lyrics of many Afrobeat tunes are very political; the album of the same name, Beasts of No Nation, was an anti-apartheid statement released in 1989.

Recommended read to accompany today’s musical selection: The Wealth of Nations by Emmanuel Iduma (Guernica magazine).

Let’s move…

Not far from the Apple tree
Lots of developments yesterday in the #AppleVsFBI story.

  • In support of Apple, big names in tech file amicus briefs to meet deadline. The two most powerful briefs constituted a who’s who of Silicon Valley. Amazon, Box, Cisco, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest, Pinterest, Slack, Snapchat, WhatsApp, and Yahoo filed one joint brief. Airbnb, Atlassian, Automattic, Cloudflare, eBay, GitHub, Kickstarter, LinkedIn, Mapbox, Medium, Meetup, Reddit, Square, Squarespace, Twilio, Twitter, and Wickr filed the second. There were several other pro-Apple briefs filed, but none with the economic clout of these two.
  • Cato’s Julian Sanchez may have the best take on yesterday’s filings.
  • UN’s High Commissioner for Refugees Zeid Ra’ad Al Hussein said forcing Apple to write code for the FBI “could have extremely damaging implications for the human rights of many millions of people, including their physical and financial security,” constituting “a gift to authoritarian regimes.”
  • Michael Ramos, the San Bernardino County DA, exposed his lack of technology prowess in an ex parte application to participate as Amicus Curiae.

    “The iPhone is a county owned telephone that may have connected to the San Bernardino County computer network. The seized iPhone may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino’s infrastructure…”

    Emphasis mine. WHAT. EVEN. Dude just screwed law enforcement, making the case (using a made-up term) for the iPhone to never be opened.

Brazil’s former president Lula held for questioning as home raided
The investigation into state-run oil company Petrobras now reaches deeply into the highest levels of Brazil’s government. Investigators are looking into former president Luiz Inacio Lula da Silva’s role in Petrobras’ corruption, including kickbacks and influence peddling. The investigation’s discoveries threaten the viability of current president Dilma Rousseff’s ruling coalition. Wonder if the NSA was following this when they were spying on Petrobras?

Quick licks

  • Absolute insanity: Amazon’s Kindle devices no longer encrypted (Motherboard) — Well, nobody in this household is getting a Kindle any time soon.
  • Nope, not hackers, not squirrels: bird droppings suspected in shutdown of Indian Point nuke plant last December (Phys.org)
  • Joint US-UK college hacking competition this weekend (Phys.org) — Wanna’ bet some of these students will be asked about hacking Apple iPhones?
  • Connecticut wants to ban weaponization of drones, thanks to stupid teenager’s home project (Naked Security) — Seems like a federal issue, IMO, but let me guess: the gun lobby will step in and whine about gun-enabled drones as a Second Amendment right. Surely our forefathers anticipated flying, cellphone-controlled, privately-owned gun drones.

Ugh. That’s a wrap on this week, stopping now before this really devolves though I can’t see any distance between here and absolute bottom. Have a good weekend!

Husband of San Bernardino Victim Agrees: Farook’s Phone Unlikely to Yield Useful Information

Even before the government obtained an All Writs Act order requiring Apple to help back door Syed Rizwan Farook’s phone, it had arranged with a former judge to submit a brief on behalf of the victims of the attack, supporting the government’s demand. Yet not all victims agree. The husband of a woman shot three times in the attack, Salihin Kondoker, has submitted his own letter to the court in support of Apple’s stance. In it, he provides support for a point I was among the first to make: that the phone isn’t going to provide much information about the attack, in large part because it was a work phone Farook would have known was being surveilled.

In my opinion it is unlikely there is any valuable information on this phone. This was a work phone. My wife also had an iPhone issued by the County and she did not use it for any personal communication. San Bernardino is one of the largest Counties in the country. They can track the phone on GPS in case they needed to determine where people were. Second, both the iCloud account and carrier account were controlled by the county so they could track any communications. This was common knowledge among my wife and other employees. Why then would someone store vital contacts related to an attack on a phone they knew the county had access to? They destroyed their personal phones after the attack. And I believe they did that for a reason.

It’s a question no one asked Jim Comey earlier this week when he testified before the House Judiciary Committee.

Curiously, Kondoker (who explains he has attended briefings the FBI has held for victims) alludes to information the FBI is currently ignoring.

In the weeks and months since the attack I have been to the FBI briefings that were held for victims and their families. I have joined others in asking many questions about how this happened and why we don’t have more answers. I too have been frustrated there isn’t more information. But I don’t believe that a company is the reason for this.

[snip]

In the wake of this terrible attack, I believe strongly we need stronger gun laws. It was guns that killed innocent people, not technology. I also believe the FBI had and still has access to a lot of information which they have ignored and I’m very disappointed in the way they’ve handled this investigation.

I’m really curious what that is — and why Jim Comey, who promises he would never ignore a lead, isn’t ensuring it gets chased down?

Wednesday Morning: All the Range from Sublime to Silly

We start with the sublime, welcoming astronaut Scott Kelly back to earth after nearly a year in space — 340 days all told. Wouldn’t you like to know how these first hours and days will feel to Kelly as he regains his earth legs?

And then we have the silly…

Apple’s General Counsel Sewell and FBI Director Comey appeared before House Judiciary Committee
You’d think a Congressional hearing about FBI’s demand to crack open an Apple iPhone would be far from silly, but yesterday’s hearing on Apple iPhone encryption…Jim Comey likened the iPhone 5C’s passcode protection to “a guard dog,” told Apple its business model wasn’t public safety, fretted about “warrant-proof spaces” and indulged in a thought exercise by wondering what would happen if Apple engineers were kidnapped and forced to write code.

What. The. Feck.

I think I’ll read about this hearing in French news outlets as it somehow sounds more rational: iPhone verrouillé: le patron du FBI sur le gril face au Congrès américain (iPhone locked: FBI boss grilled by US Congress – Le Monde). Other kickers in Comey’s testimony: an admission that a “mistake was made” (oh, the tell-tale passive voice here) in handling the San Bernardino shooter’s phone, the implication that the NSA couldn’t (wouldn’t?) backdoor the iPhone in question, and that obtaining the code demanded from Apple would set precedent applicable to other cases.

Predictably, Apple’s Bruce Sewell explained that “Building that software tool would not affect just one iPhone. It would weaken the security for all of them.” In other words, FBI’s demand that Apple write new code to crack the iPhone 5C’s locking mechanism is a direct threat to Apple’s business model, which is based on secure electronic devices.

Catch the video of the entire hearing on C-SPAN.

Facebook’s Latin American VP arrested after resisting release of WhatsApp data

Here’s another legal precedent, set in another country, where a government made incorrect assumptions about technology. Brazilian law enforcement and courts believed WhatsApp stored data it maintains it doesn’t have, forcing the issue by arresting a Facebook executive though WhatsApp is a separate legal entity in Brazil. Imagine what could happen in Brazil if law enforcement wanted an Apple iPhone 5C unlocked. The executive will be released today, according to recent reports. The underlying case involved the use of WhatsApp messaging by drug traffickers.

USAO-EDNY subpoenaed Citigroup in FIFA bribery, corruption and money laundering allegations

In a financial filing, Citigroup advised it had been subpoenaed by the U.S. Attorney’s office. HSBC advised last week it had been contacted by U.S. law enforcement about its role. No word yet as to whether JPMorgan Chase and Bank of America have been likewise subpoenaed, though they were used by FIFA officials. Amazing. We might see banksters perp-walked over a fútbol scandal before we see any prosecuted for events leading to the 2008 financial crisis.

Quick hits

I’m out of here, need to dig out after another winter storm dumped nearly a foot of the fluffy stuff yesterday. I’m open to volunteers, but I don’t expect many snow shovel-armed takers.

James Orenstein’s Order Sets Up Congressional Hearing

As Rayne noted this morning, yesterday James Orenstein released his order stating that the government can’t use the All Writs Act to force Apple to unlock the phone of a meth dealer, Jun Feng, who has already pled guilty. My favorite part of the order comes in the middle where he argues that those who passed the All Writs Act in 1789 were substantially the same people who wrote the Constitution guaranteeing Congress the right to legislate. He argued it would be unlikely that those same men would so quickly hand off that authority to the courts.

It is wholly implausible to suppose that with so many of the newly-adopted Constitution’s drafters and ratifiers in the legislature, the First Congress would so thoroughly trample on that document’s very first substantive mandate: “All legislative Powers herein granted shall be vested in a Congress of the United States[.]” U.S. Const. Art. I, § 1. And yet that is precisely the reading the government proposes when it insists that a court may empower the executive to exercise power that the legislature has considered yet declined to allow.

I’m sad that that argument, which is probably the first in a series of court rulings that will end up at SCOTUS, won’t have Scalia there to enjoy it.

Ultimately, though, Orenstein makes the very same argument he made back in October when he asked Apple to weigh in on this issue, updated with the point that I made — the same day the government asked for this order Jim Comey told Congress they don’t need legislation to get the same result.

It is also clear that the government has made the considered decision that it is better off securing such crypto-legislative authority from the courts (in proceedings that had always been, at the time it filed the instant Application, shielded from public scrutiny) rather than taking the chance that open legislative debate might produce a result less to its liking. Indeed, on the very same day that the government filed the ex parte Application in this case (as well as a similar application in the Southern District of New York, see DE 27 at 2), it made a public announcement that after months of discussion about the need to update CALEA to provide the kind of authority it seeks here, it would not seek such legislation. See James B. Comey, “Statement Before the Senate Committee on Homeland Security and Governmental Affairs,” (Oct. 8, 2015), https://www.fbi.gov/news/testimony/threats-to-the-homeland (“The United States government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services. However, the administration is not seeking legislation at this time.”).

Whether because it knew it would lose (and had lost), or because it wanted to pretend it respected encryption when in fact it did not, the Obama Administration adopted a strategy by which it told Congress it didn’t need new legislation, all while asking the courts to rewrite CALEA in secret.

Whether accidentally or not (I suspect it is no accident), Orenstein’s order comes at a particularly useful time, hours before the House Judiciary Committee will have what will be one of the more important hearings on this debate, featuring Jim Comey first, and then NY District Attorney Cy Vance, Apple’s General Counsel Bruce Sewell, and rock star academic Susan Landau. It is likely to be the one hearing to which Apple will willingly provide a witness, and the committee is made up of a mix of former US Attorneys, shills for law enforcement, but also defenders of privacy and online security.

In his testimony for the hearing, Sewell said much the same thing Orenstein did:

The American people deserve an honest conversation around the important questions stemming from the FBI’s current demand:

Do we want to put a limit on the technology that protects our data, and therefore our privacy and our safety, in the face of increasingly sophisticated cyber attacks? Should the FBI be allowed to stop Apple, or any company, from offering the American people the safest and most secure product it can make?

Should the FBI have the right to compel a company to produce a product it doesn’t already make, to the FBI’s exact specifications and for the FBI’s use?

We believe that each of these questions deserves a healthy discussion, and any decision should be made after a thoughtful and honest consideration of the facts.

Most importantly, the decisions should be made by you and your colleagues as representatives of the people, rather than through a warrant request based on a 220-year-old statute.

For years, the government has stopped short of demanding legislation, presumably because they knew they wouldn’t get what they wanted. They’re finally being called on it.