Trump’s DOJ tries to rebrand weakened encryption as “responsible encryption”
DOJ rekindles fight with Apple, wants government access to encrypted devices.
Jon Brodkin – 10/10/2017, 5:50 PM
A high-ranking Department of Justice official took aim at encryption of consumer products today, saying that encryption creates “law-free zones” and should be scaled back by Apple and other tech companies. Instead of encryption that can’t be broken, tech companies should implement “responsible encryption” that allows law enforcement to access data, he said.
“Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety,” Deputy Attorney General Rod Rosenstein said in a speech at the US Naval Academy today (transcript). “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”
Rosenstein was nominated by President Donald Trump to be the DOJ’s second-highest-ranking official, after Attorney General Jeff Sessions. He was confirmed by the Senate in April.
Rekindling fight with Apple
Rosenstein’s speech makes several references to Apple, continuing a battle over encryption between Apple and the US government that goes back to the Obama administration. Last year, Apple refused to help the government unlock and decrypt the San Bernardino gunman’s iPhone, but the FBI ended up paying hackers for a vulnerability that it used to access data on the device.
“Fortunately, the government was able to access data on that iPhone without Apple’s assistance,” Rosenstein said. “But the problem persists. Today, thousands of seized devices sit in storage, impervious to search warrants.”
“If companies are permitted to create law-free zones for their customers, citizens should understand the consequences,” he also said. “When police cannot access evidence, crime cannot be solved. Criminals cannot be stopped and punished.”
We asked Apple for a response to Rosenstein’s speech and will update this story if we get one.
Separately, state lawmakers in New York and California have proposed legislation to prohibit the sale of smartphones with unbreakable encryption.
Despite his goal of giving law enforcement access to encrypted data on consumer products, Rosenstein acknowledged the importance of encryption to the security of computer users. He said that “encryption is a foundational element of data security and authentication,” that “it is essential to the growth and flourishing of the digital economy,” and that “we in law enforcement have no desire to undermine it.”
But Rosenstein complained that “mass-market products and services incorporating warrant-proof encryption are now the norm,” that instant-messaging service encryption cannot be broken by police, and that smartphone makers have “engineer[ed] away” the ability to give police access to data.
Apple CEO Tim Cook has argued in the past that the intentional inclusion of vulnerabilities in consumer products wouldn’t just help law enforcement solve crimes—it would also help criminals hack everyday people who rely on encryption to ensure their digital safety.
Rosenstein claimed that this problem can be solved with “responsible encryption.” He said:
Software produced by Microsoft Corp has been acquired by state organizations and firms in Russia and Crimea despite sanctions barring U.S-based companies from doing business with them, official documents show.
The acquisitions, registered on the Russian state procurement database, show the limitations in the way foreign governments and firms enforce the U.S. sanctions, imposed on Russia over its annexation of the Crimea peninsula from Ukraine in 2014. Some of the users gave Microsoft fictitious data about their identity, people involved in the transactions told Reuters, exploiting a gap in the U.S. company’s ability to keep its products out of their hands. The products in each case were sold via third parties and Reuters has no evidence that Microsoft sold products directly to entities hit by the sanctions.
October 10, 2017
U.S. Supreme Court declines to review computer hacking cases
WASHINGTON (Reuters) – The U.S. Supreme Court on Tuesday sidestepped a growing controversy over who can give permission to access a computer, a debate that goes to the core of what constitutes hacking in this era of widespread use of the internet and social media.
The justices turned away two cases over whether it is a violation of federal anti-hacking law for account holders to give a third party access to a computer system they do not own themselves. In doing so, they left in place a lower court ruling that went against a Cayman Islands company in a dispute with Facebook Inc (FB.O), and another against a California-based executive recruiter.
The San Francisco-based 9th U.S. Circuit Court of Appeals last year ruled in both cases that only computer system owners may grant authorization, and not account holders or employees with legitimate access credentials.
The defendants in these cases, as well as rights groups such as the Electronic Frontier Foundation, said innocuous acts such as sharing a bank website password with a spouse in order to pay a bill could now be held criminally liable because the bank prohibits password sharing.
October 10, 2017
Exclusive: Symantec CEO says source code reviews pose unacceptable risk
Dustin Volz, Joel Schectman
WASHINGTON (Reuters) – U.S.-based cyber firm Symantec (SYMC.O) is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products, Symantec Chief Executive Greg Clark said in an interview with Reuters.
Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia.
Symantec’s decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington’s adversaries, including Russia and China, according to security experts.
While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.
The company’s about-face, which came in the beginning of 2016, was reported by Reuters in June. Clark’s interview is the first detailed explanation a Symantec executive has given about the policy change.
In an hour-long interview, Clark said the firm was still willing to sell its products in any country. But, he added, “that is a different thing than saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works’.”
While Symantec had seen no “smoking gun” that foreign source code reviews had led to a cyberattack, Clark said he believed the process posed an unacceptable risk to Symantec customers.
“These are secrets, or things necessary to defend (software),” Clark said of source code. “It’s best kept that way.”
Because Symantec’s market share was still relatively small in Russia, the decision was easier than for competitors heavily invested in the country, Clark said.
“We’re in a great place that says, ‘You know what, we don’t see a lot of product over there’,” Clark said. “We don’t have to say yes.”
Symantec’s decision has been praised by some western cyber security experts, who said the company bucked a growing trend in recent years that has seen other companies accede to demands to share source code.
“They took a stand and they put security over sales,” said Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington University and a former senior homeland security official to former President George W. Bush.
“Obviously source code could be used in ways that are inimical to our national interest,” Cilluffo said. “They took a principled stand, and that’s the right decision and a courageous one.”
Reuters last week reported that Hewlett Packard Enterprise (HPE) (HPE.N) allowed a Russian defense agency to review the inner workings of cyber defense software known as ArcSight that is used by the Pentagon to guard its computer networks.
HPE said such reviews have taken place for years and are conducted by a Russian government-accredited testing company at an HPE research and development center outside of Russia. The software maker said it closely supervises the process and that no code is allowed to leave the premises, ensuring it does not compromise the safety of its products. A spokeswoman said no current HPE products have undergone Russian source code reviews.
ArcSight was sold to British tech company Micro Focus International Plc (MCRO.L) in a sale completed in September.
On Monday, Micro Focus said the reviews were a common industry practice. But the company said it would restrict future reviews of source code in its products by “high-risk” governments, and that any review would require chief executive approval.
Earlier this year, Beijing enacted a cyber security law that foreign business groups have warned could adversely impact trade because of its data surveillance and storage requirements. The law has further fueled concern that companies increasingly need to choose between compromising security to protect business or risk losing out on potentially lucrative markets.
Clark said Symantec had not received any requests to review source code from the Chinese government, but indicated he would not comply if Beijing made such a demand.
“We just have taken a policy decision to say, ‘Any foreign government that wants to read our source code, the answer is no’,” Clark said.
The U.S. government does not generally require source code reviews before purchasing commercially available software, according to security experts.
“As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”
Some security experts fear heightened requests may further splinter the tech world, leading to an environment where consumers and governments only feel safe buying products made in their own countries.
“We are heading down a slippery slope where you are going to end up balkanizing (information technology), where U.S. companies will only be able to sell software to parts of Europe,” said Curtis Dukes, a former head of cyber defense at the National Security Agency now with the non-profit Center for Internet Security, “and Russia won’t be able to sell products in the U.S.”