
On the Apple Back Door Rumors … Remember Lavabit

During the July 1 Senate Judiciary Committee hearing on back doors, Deputy Attorney General Sally Yates claimed that the government doesn’t want to hold back doors into encrypted communications itself. Rather, it wants the corporations to retain the ability to access communications, so that the government can obtain them when it has legal process to do so. (After 1:43.)

We’re not going to ask the companies for any keys to the data. Instead, what we’re going to ask is that the companies have an ability to access it and then with lawful process we be able to get the information. That’s very different from what some other countries — other repressive regimes — from the way that they’re trying to get access to the information.

The claim was bizarre enough, especially as she went on to talk about other countries not having the same lawful process we have (as if that makes a difference to software code).

More importantly, that’s not true.

Remember what happened with Lavabit, when the FBI was in search of what is presumed to be Edward Snowden’s email. Lavabit owner Ladar Levison had a discussion with the FBI about whether it was technically feasible to put a pen register on the targeted account, after which the FBI got a court order to do it. Levison tried to get the government to let him write a script that would provide it access to just the targeted account or, barring that, to provide for some kind of audit to ensure the government wasn’t obtaining other customers’ data.

The unsealed documents describe a meeting on June 28th between the F.B.I. and Levison at Levison’s home in Dallas. There, according to the documents, Levison told the F.B.I. that he would not comply with the pen-register order and wanted to speak to an attorney. As the U.S. Attorney for the Eastern District of Virginia, Neil MacBride, described it, “It was unclear whether Mr. Levison would not comply with the order because it was technically not feasible or difficult, or because it was not consistent with his business practice in providing secure, encrypted e-mail service for his customers.” The meeting must have gone poorly for the F.B.I. because MacBride filed a motion to compel Lavabit to comply with the pen-register and trap-and-trace order that very same day.

Magistrate Judge Theresa Carroll Buchanan granted the motion, inserting in her own handwriting that Lavabit was subject to “the possibility of criminal contempt of Court” if it failed to comply. When Levison didn’t comply, the government issued a summons, “United States of America v. Ladar Levison,” ordering him to explain himself on July 16th. The newly unsealed documents reveal tense talks between Levison and the F.B.I. in July. Levison wanted additional assurances that any device installed in the Lavabit system would capture only narrowly targeted data, and no more. He refused to provide real-time access to Lavabit data; he refused to go to court unless the government paid for his travel; and he refused to work with the F.B.I.’s technology unless the government paid him for “developmental time and equipment.” He instead offered to write an intercept code for the account’s metadata—for thirty-five hundred dollars. He asked Judge Hilton whether there could be “some sort of external audit” to make sure that the government did not take additional data. (The government plan did not include any oversight to which Levison would have access, he said.)

Most important, he refused to turn over the S.S.L. encryption keys that scrambled the messages of Lavabit’s customers, and which prevent third parties from reading them even if they obtain the messages.

The discussions disintegrated because the FBI refused to let Levison do what Yates now says they want providers to do: hand over data tailored to meet a specific request. That’s when Levison tried to give the FBI his key in what it claimed (even though it has done the same thing in FOIA responses and/or criminal discovery) was a typeface too small to read.

On August 1st, Lavabit’s counsel, Jesse Binnall, reiterated Levison’s proposal that the government engage Levison to extract the information from the account himself rather than force him to turn over the S.S.L. keys.

THE COURT: You want to do it in a way that the government has to trust you—
BINNALL: Yes, Your Honor.
THE COURT: —to come up with the right data.
BINNALL: That’s correct, Your Honor.
THE COURT: And you won’t trust the government. So why would the government trust you?
Ultimately, the court ordered Levison to turn over the encryption key within twenty-four hours. Had the government taken Levison up on his offer, he may have provided it with Snowden’s data. Instead, by demanding the keys that unlocked all of Lavabit, the government provoked Levison to make a last stand. According to the U.S. Attorney MacBride’s motion for sanctions,
At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the F.B.I. a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be four-point type, consists of eleven pages of largely illegible characters. To make use of these keys, the F.B.I. would have to manually input all two thousand five hundred and sixty characters, and one incorrect keystroke in this laborious process would render the F.B.I. collection system incapable of collecting decrypted data.
The U.S. Attorneys’ office called Lavabit’s lawyer, who responded that Levison “thinks” he could have an electronic version of the keys produced by August 5th.

Levison came away from the debacle believing that the Justice Department didn’t understand what the FBI was asking for when it demanded his keys.

One result of this newfound expertise, however, is that Levison believes there is a knowledge gap between the Department of Justice and law-enforcement agencies; the former did not grasp the implications of what the F.B.I. was asking for when it demanded his S.S.L. keys.

I raise all this because of the rumor — which Bruce Schneier inserted into his excerpt of this Nicholas Weaver post — that the FBI is already fighting Apple before the FISC over a back door.

There’s a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly — and they’re losing. This might explain Apple CEO Tim Cook’s somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.

Weaver’s post describes how, because users need to access their iMessage account from multiple devices (think desktop, laptop, iPad, and phone), Apple’s key server could technically hand the FBI a way in by serving an extra key.

In iMessage, each device has its own key, but it’s important that the sent messages also show up on all of Alice’s devices. The process of Alice requesting her own keys also acts as a way for Alice’s phone to discover that there are new devices associated with Alice, effectively enabling Alice to check that her keys are correct and nobody has compromised her iCloud account to surreptitiously add another device.

But there remains a critical flaw: there is no user interface for Alice to discover (and therefore independently confirm) Bob’s keys. Without this feature, there is no way for Alice to detect that an Apple keyserver gave her a different set of keys for Bob. Without such an interface, iMessage is “backdoor enabled” by design: the keyserver itself provides the backdoor.

So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future.
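To make Weaver’s point concrete, here is an added example (my own illustration, not code from Weaver’s post or from Apple). It models a multi-device messaging system in which the sender encrypts once and wraps the message key to every device key the directory returns for the recipient. The Diffie-Hellman group, the toy stream cipher, the `KeyServer`/`CompromisedKeyServer` classes, and the names Alice, Bob and “fbi” are all assumptions chosen for the demonstration; real iMessage uses different primitives. The point the code shows is the trust model: with a compromised directory the extra key rides along invisibly, Alice’s check of her *own* device list still passes, and only an out-of-band fingerprint comparison (the UI Weaver says is missing) surfaces it.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the 1024-bit MODP prime of RFC 2409 group 2.
# Any consistent group would do; the trust model, not the arithmetic, is the point.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_key(shared: int) -> bytes:
    return hashlib.sha256(b"wrap" + shared.to_bytes(128, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short hash of a device public key, the thing a verification UI would display."""
    return hashlib.sha256(pub.to_bytes(128, "big")).hexdigest()[:16]


class Device:
    """One device key pair, e.g. Alice's phone or Alice's laptop."""
    def __init__(self, owner: str, name: str):
        self.owner, self.name = owner, name
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)

    def decrypt(self, envelope):
        """Try every wrapped message key; only one wrapped to our key passes the MAC."""
        ct, tag = envelope["ct"], envelope["tag"]
        for eph_pub, wrapped in envelope["wraps"]:
            mk = keystream_xor(wrap_key(pow(eph_pub, self._priv, P)), wrapped)
            if hmac.compare_digest(hmac.new(mk, ct, "sha256").digest(), tag):
                return keystream_xor(mk, ct)
        return None


def encrypt(message: bytes, recipient_pubs):
    """Encrypt once under a fresh message key, then wrap that key to each device key."""
    mk = secrets.token_bytes(32)
    ct = keystream_xor(mk, message)
    tag = hmac.new(mk, ct, "sha256").digest()
    wraps = []
    for pub in recipient_pubs:
        eph = secrets.randbelow(P - 2) + 1
        wraps.append((pow(G, eph, P), keystream_xor(wrap_key(pow(pub, eph, P)), mk)))
    return {"ct": ct, "tag": tag, "wraps": wraps}


class KeyServer:
    """Honest directory of each user's registered device public keys."""
    def __init__(self):
        self.directory = {}

    def register(self, device: Device):
        self.directory.setdefault(device.owner, []).append(device.pub)

    def lookup(self, requester: str, user: str):
        return list(self.directory.get(user, []))


class CompromisedKeyServer(KeyServer):
    """Weaver's scenario: serve one extra key for the target to everyone but the target."""
    def __init__(self, target: str, extra_pub: int):
        super().__init__()
        self.target, self.extra_pub = target, extra_pub

    def lookup(self, requester: str, user: str):
        keys = super().lookup(requester, user)
        if user == self.target and requester != self.target:
            keys.append(self.extra_pub)
        return keys


def own_device_check(server: KeyServer, devices) -> bool:
    """The check Alice's phone can do today: does the server's list of HER keys match her devices?"""
    owner = devices[0].owner
    return sorted(server.lookup(owner, owner)) == sorted(d.pub for d in devices)


def peer_key_check(server: KeyServer, requester: str, peer: str, out_of_band_fps):
    """The missing UI: keys served for a peer that do not match fingerprints exchanged in person."""
    served = {fingerprint(p) for p in server.lookup(requester, peer)}
    return sorted(served - set(out_of_band_fps))


def scenario(compromised: bool):
    alice = [Device("alice", "phone"), Device("alice", "laptop")]
    bob = Device("bob", "phone")
    listener = Device("fbi", "collector")  # hypothetical extra key; never registered to Alice
    server = CompromisedKeyServer("alice", listener.pub) if compromised else KeyServer()
    for d in alice + [bob]:
        server.register(d)
    msg = b"meet at the usual place"  # constructed sample message
    env = encrypt(msg, server.lookup("bob", "alice"))
    return {
        "alice_reads": alice[0].decrypt(env) == msg,
        "listener_reads": listener.decrypt(env) == msg,
        "alice_self_check_passes": own_device_check(server, alice),
        "unexpected_keys_bob_could_see": peer_key_check(
            server, "bob", "alice", [fingerprint(d.pub) for d in alice]),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("compromised" if flag else "honest", scenario(flag))
```

Run as a script and the honest directory yields a message only Alice’s devices can open, while the compromised one yields a message the listener also opens even though `alice_self_check_passes` stays true; the only signal is the one unexpected fingerprint that `peer_key_check` returns, which is exactly the comparison Bob has no interface to perform in the design Weaver describes.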

Admittedly, as heroic as Levison’s decision to shut down Lavabit rather than renege on a promise he made to his customers was, Apple has a lot more to lose here strictly because of the scale involved. And in spite of the heated rhetoric, the FBI likely still trusts Apple more than it trusted Levison.

Still, it’s worth noting that Yates’ claim that the FBI doesn’t want keys to communications isn’t true — or at least wasn’t before her tenure as DAG. Because a provider, Levison, insisted on providing his customers what he had promised, the FBI grew so distrustful of him that it did demand a key.

The Schneier Briefing: Some Observations

6 Congresspersons and a security researcher walk into an unsecure room. … And that’s the best briefing they can get on some of the things NSA might be doing.

This morning I spent an hour in a closed room with six Members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. [Bobby] Scott, Rep. Goodlatte, Rep [Mike] Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me — as someone with access to the Snowden documents — to explain to them what the NSA was doing. Of course I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

I’m as intrigued by the make-up of the group as I am by the fact they needed to do this.

Schneier makes it clear that Lofgren — who is not only a strong supporter of civil liberties, but also happens to represent Silicon Valley — set up the briefing. In addition to her House Judiciary Committee colleagues Sensenbrenner, Scott, and Goodlatte, she invited Amash (who’s not on the Committee but is a loud defender of civil liberties — thanks, my Rep!) and her North and East Bay Area Democratic colleague Mike Thompson, who’s not a member of the Committee either, but is a member of the Intelligence Committee.

As I’ve noted, Goodlatte is not a named sponsor of USA Freedom; neither is Thompson (though Schneier describes them as all people who want to “rein in the NSA”).

And yet these are the individuals whom Lofgren chose to bring to this briefing.

Schneier, of course, is not focused on the actual spying that NSA is doing, but on the corruption of encryption, a threat to the business model of Lofgren’s district. [See Saul’s well-taken correction here.]

Also note, while I’ve got real worries about some opponents to reining in the NSA in the Senate, I do think people are not considering the significance of the House Judiciary Chair, who voted against Amash-Conyers, increasingly complaining about the NSA.

I’m not sure what the best way is to stop the NSA from making us all less safe (especially since NSA has apparently not even told HPSCI members what they’re doing). But I gather that Lofgren is trying to figure out a way to do so.

TSA’s Legal Justification for Gate Grope

The Electronic Privacy Information Center has been suing the Department of Homeland Security because DHS refused to engage in the public rule-making process before it adopted RapeAScan machines as part of primary screening at airports. DHS responded to EPIC’s suit the other day. While I think their response will be largely successful as written, they’re playing games with the timing of EPIC’s suit so as to avoid any discussion, or even an administrative privacy assessment, of giving passengers a choice between being photographed nude or having their genitalia fondled.

The key to this is that EPIC first filed a request for review of whether DHS should have engaged in rule-making on May 28, 2010, before TSA changed its pat-down procedures. It then submitted its brief on November 1, 2010, after the enhanced pat-downs were being rolled out. But the issue still focuses on the machines, not the machines in tandem with the invasive pat-downs. So a central part of DHS’ argument is that passengers are given an alternative to the RapeAScan machines: pat-downs. But its filing never deals with the possibility that the pat-downs are more invasive than even the RapeAScan machines.

TSA communicates and provides a meaningful alternative to AIT screening. TSA posts signs at security checkpoints clearly stating that AIT screening is optional, and TSA includes the same information on its website. AR 071.003. Those travelers who opt out of AIT screening must undergo an equal level of screening, consisting of a physical pat-down to check for metallic and nonmetallic weapons or devices. Ibid.

A physical pat-down is currently the only effective alternative method for screening individuals for both metallic and nonmetallic objects that might be concealed under layers of clothing. The physical pat-down given to passengers who opt out of AIT screening is the same as the pat-down given to passengers who trigger an alarm on a walk-through metal detector or register an anomaly during AIT screening. Passengers may request that physical pat-downs be conducted by same gender officers. AR 132.001. Additionally, all passengers have the right to request a private screening. Ibid. More than 98% of passengers selected for AIT screening proceed with it rather than opting out. AR 071.003.

And by focusing on this alternative with no real discussion of what it currently entails, DHS dodges the question of whether the two screening techniques together–RapeAScans and enhanced pat-downs–violate passengers’ privacy. Note, for example, how the filing boasts of two Privacy Impact Assessments TSA’s privacy officer did (plus an update just as EPIC was last complaining about this technology).

Pursuant to 6 U.S.C. § 142, DHS conducted Privacy Impact Assessments (“PIAs”) dated January 2, 2008, and October 17, 2008, to ensure that the use of AIT does not erode privacy protections. AR 011.001-.009, 025.001-.010. The second PIA was updated on July 23, 2009 and lays out several privacy safeguards tied to TSA’s use of AIT. AR 043.001-010.

Now, as a threshold matter, there’s something odd about DHS citing 6 U.S.C. § 142 here. Its requirement for PIAs reads:

The Secretary shall appoint a senior official in the Department to assume primary responsibility for privacy policy, including – (1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information; (2) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974 [5 U.S.C. 552a]; (3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; (4) conducting a privacy impact assessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and (5) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974 [5 U.S.C. 552a], internal controls, and other matters. [my emphasis]

See how it says the department has to do PIAs “of proposed rules”? That suggests the Privacy Officer treated the plan to use RapeAScans as a rule and did a PIA accordingly. But this entire filing–which explains why DHS refused to accede to EPIC’s request to conduct public rule-making on the use of RapeAScans–argues that the implementation of the machines did not constitute a rule. But they did a PIA as if it was a rule!

But there’s another thing this filing doesn’t say about PIAs: that Congress demanded TSA publish a PIA on the enhanced pat-downs.

In the absence of an Executive branch level Privacy and Civil Liberties Oversight Board that would evaluate decisions such as this, it was crucial that the Department of Homeland Security’s Privacy Officer and Office for Civil Rights and Civil Liberties thoroughly evaluate and publish written assessments on how this decision affects the privacy and civil rights of the traveling public. To date, the Department has not published either a Privacy Impact Assessment (PIA) nor a Civil Liberties Impact Assessment (CLIA) on the enhanced pat down procedures. Without a published PIA or CLIA, we cannot ascertain the extent to which TSA has considered how these procedures should be implemented with respect to certain populations such as children, people with disabilities, and the elderly. By not issuing these assessments, the traveling public has no assurance that these procedures have been thoroughly evaluated for constitutionality.

So while DHS boasts that it did PIAs on the RapeAScans before it rolled them out, it still does not appear to have done a PIA on the groping that serves as DHS’ much touted alternative to RapeAScans, much less a PIA on the two techniques offered together.

Now, DHS is using procedural complaints to object to EPIC’s inclusion on the complaint of Nadhira Al-Khalili, a lawyer with ties to the Muslim community. But their response to EPIC’s freedom of religion complaint seems to suggest they recognize they are vulnerable: it implies that if a Muslim (or anyone else with a documented reason to object to having nude pictures taken and/or their genitalia groped by strangers) were to sue, the procedures would not hold up.

But for now, DHS is treating the RapeAScans separately from the groping so as to be able to argue that in conjunction with the “choice” of being groped, the RapeAScans present no big privacy problem.