Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

Knock, Knock? Who’s There? Either a Strongbox or a Wall Safe. It’s Undecided.

In this post we’re going to take a look at the recent Supreme Court ruling on 4th amendment rights and smartphones and how this ruling could impact the ongoing debate over NSA spying. We’re also going to look at the other side of the coin: the 5th Amendment right against self-incrimination during a time when encryption tools strong enough to thwart law enforcement and the NSA are becoming increasingly mainstream. Is encryption like a strongbox or a wall safe? You might be surprised by just how important that question has become.

————-

The Supreme Court made an important, and unanimous, ruling recently regarding the legality of law enforcement officers searching someone’s smartphone during an arrest. The ruling: Warrants are required. The reasoning: Smartphones contain so much information about people’s lives that you can potentially learn more about an individual by searching their smartphone than you would learn while searching their house:

Los Angeles Times
Supreme Court ruling affirms the astonishing power of smartphones

Robin Abcarian

June 25, 2014, 2:34 PM

Wednesday’s unanimous Supreme Court ruling – that officers must obtain warrants in order to search cellphones obtained during the course of arrests – shows the justices’ profound understanding of the way these ubiquitous little devices have practically become appendages of the human body.

Chief Justice John R. Roberts even got a little carried away with that metaphor when he wrote in his entertaining opinion that modern cellphones “are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”

Giving police the ability to search a cellphone without a warrant, the court said, is as offensive as the intrusions that led to the birth of this country and the creation of its Constitution.

The 4th Amendment, with its protection against unreasonable searches, Roberts said, “was the founding generation’s response to the reviled ‘general warrants’ and ‘writs of assistance’ of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.”

As the chief justice noted, today’s smartphones are not “just another technological convenience.” They are indispensable repositories for exceedingly private details about an individual’s life.

(How indispensable? He cited one poll in which 3/4 of phone owners said they were never more than five feet away from their devices, while 12% admitted bringing their phones into the shower with them. That is an image I could have done without.)

You can actually learn more about a person by examining their phone, Roberts said, than you can in “the most exhaustive search” of a house.

“A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form,” he wrote — unless a smartphone is also found in the home.

Giving police officers access to a person’s apps — Roberts said the average user has 33 — gives them the ability to create “a revealing montage” of a subject’s life.

The court recognized that its ruling may impose a burden on law enforcement officers at the time of an arrest. But, as Roberts pointed out, technological advances cut both ways.

In some jurisdictions, he said, police officers can email warrant requests to judges’ iPads, and judges, for their part, have been known to sign warrants and email them back to officers in less than 15 minutes.

Not surprisingly, the ruling has prompted a great deal of speculation over what it could mean for pending lawsuits against the NSA. But if you were expecting this ruling to suggest that the Supreme Court is poised to rule against, say, the NSA collection of metadata, you might be disappointed:

Politico
SCOTUS cellphone ruling resonates in NSA fight

By JOSH GERSTEIN | 6/25/14 8:15 PM EDT

The Supreme Court’s blunt and unequivocal decision Wednesday giving Americans strong protection against arrest-related searches of their cell phones could also give a boost to lawsuits challenging the National Security Agency’s vast collection of phone call data.

Chief Justice John Roberts’s 28-page paean to digital privacy was like music to the ears of critics of the NSA’s metadata program, which sweeps up details on billions of calls and searches them for possible links to terrorist plots.

“This is a remarkably strong affirmation of privacy rights in a digital age,” said Marc Rotenberg of the Electronic Privacy Information Center. “The court found that digital data is different and that has constitutional significance, particularly in the realm of [the] Fourth Amendment…I think it also signals the end of the NSA program.”

For the NSA debate, the most significant idea in the court’s Wednesday opinion may be the notion that scale matters. Roberts and his colleagues soundly rejected arguments from the Obama administration that because police can search a few printed photographs found in someone’s wallet, officers were free to search thousands of images and the troves of other personal data contained on a typical smartphone.

“It’s very important that the court is recognizing that quantity matters,” said Georgia Tech professor Peter Swire, a privacy expert and member of a panel President Barack Obama set up to review the NSA’s call metadata program. “The court has said that quantity matters when it comes to the content of cell phones. And I believe the court will feel the same way when it comes to massive databases of telephone calls or computer communications.”

A former cybercrime prosecutor said the justices also seemed to recognize that scale of the collection not only gives the government more data, but also the ability to be much more intrusive than in earlier eras.

“The distinction here is more than just the capacity of the device to hold pictures,” said Alex Southwell, now with law firm Gibson, Dunn & Crutcher. “A cell phone is orders of magnitude different, not just in terms of numbers of items held but also in terms of the intrusiveness if searched. The mosaic of information available from seeing the whole of the data is transformative, just like the call records at issue in the NSA program.”

The Supreme Court’s ruling Wednesday in Riley v. California doesn’t say anything explicitly about the NSA’s metadata, nor did the justices mention national security concerns or intelligence gathering.

However, in one somewhat opaque footnote to Roberts’s majority opinion, the justices seem to be saying they are leaving the issue of bulk collection of data for another day. “These cases do not implicate the question whether [sic] the collection or inspection of aggregated digital information amounts to a search under other circumstances,” Roberts wrote.

Even if the justices were to deem the NSA program a warrantless search that goes well beyond tracing calls made on a specific phone line, that wouldn’t mean the terrorism-focused effort is unconstitutional. Instead, the court would have to consider whether the search is reasonable in light of the national security and public safety concerns involved — and justices are often extraordinarily deferential to such arguments.

Analysts on both sides said the cell phone ruling is not a one-off, but seems to be part of a pattern of the court’s efforts to square privacy rights with the new challenges posed by emerging technology. Two years ago, in U.S. v. Jones, the justices rejected arguments that GPS tracking should not require a warrant because police have always been free to follow suspects around without getting one.

“What’s significant…is the justices, like the rest of us, are fully alive to the fact that technology is generating large quantities of data about us and putting it in places where it didn’t used to be,” Baker said.

President Barack Obama initially dismissed the privacy impact of the metadata program as “modest,” but in recent months he has acknowledged that it is troubling to many Americans. Earlier this year, he proposed shutting down the NSA program and replacing it with one in which telephone companies store the call information and make it readily available for the government to search. The president also implemented a procedure in which a judge approves most queries in advance, but the standard is lower than that for a search warrant.

The Obama administration has made much of safeguards it has imposed on the NSA program. However, the court’s cell phone search opinion suggests the justices might not find such self-regulation sufficient to address privacy concerns.

“The Government proposes that law enforcement agencies ‘develop protocols to address’ concerns raised by cloud computing,” the chief justice wrote. “Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.”

As the article indicates, while it’s unclear how directly this ruling by the Supreme Court could impact rulings on bulk metadata collection, observers on all sides agree that this cell phone ruling “is not a one-off, but seems to be part of a pattern of the court’s efforts to square privacy rights with the new challenges posed by emerging technology”. And that’s good news because, at the end of the day, the only real solution to these increasingly difficult issues of balancing privacy and security in an ever-changing technological landscape is a never-ending cycle of court cases, legislation, and lots and lots of people spending time to really think through the implications of how we progress through the Information Age.

But as the article also highlights, it’s unclear from this ruling which way the court is leaning on the issue of bulk metadata collection because, as Chief Justice Roberts put it, “these cases do not implicate the question whether [sic] the collection or inspection of aggregated digital information amounts to a search under other circumstances,” while also asserting that “the Government proposes that law enforcement agencies ‘develop protocols to address’ concerns raised by cloud computing…Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.” What Chief Justice Roberts appears to be alluding to is the idea that issues like this can’t be handled by self-regulation and protocols alone. That seems to suggest that Roberts is of the opinion that, in order to balance privacy and security (in an age where cell phones might hold more personal information about you than the contents of your home), we’re probably going to need both policy solutions and technological solutions. And he’s quite right. When technology creates new legal conundrums, a look at changing the technology or changing how it’s used is clearly part of the solution.

What Would Snowden and the Cypherpunks Say?
But, of course, it’s also worth pointing out that saying “we need policy solutions and technology solutions” is a lot easier than doing it. For instance, take the “policy + technology” solutions that Edward Snowden has consistently recommended to global audiences. As Snowden puts it, we need policy solutions but we also need technology solutions like unbreakable end-to-end encryption and the use of systems like TOR to ensure that bulk data collection becomes impossible:

The Inquirer
Edward Snowden wants easy to use encryption everywhere
Community must do more
By Dave Neal
Mon Mar 10 2014, 18:0

SURVEILLANCE WHISTLEBLOWER Edward Snowden has taken part in a video conversation at the South By Southwest (SXSW) conference and called for more accessible encryption tools.

The subject of the conversation, which was hosted by the American Civil Liberties Union, was whether communications are secure and if they can be trusted. They can, said Snowden, but only with some third party help and the use of end to end, machine to machine encryption.

The use of strong encryption is key and the panel agreed that Snowden’s revelations have improved the security landscape. The whistleblower said that technology companies need to help make encryption more accessible and less complex. “Encryption does work,” he said, calling it “the defence against the dark arts for the digital realm.”

Snowden said that the US National Security Agency (NSA) has created an “adversarial internet”. He added that while policy changes are needed, technological changes will be the most effective.

“[We must] craft solutions that are safe”, he said. “End to end encryption makes bulk surveillance impossible. There is more oversight, and they won’t be able to pitch exploits at every computer in the world without getting caught.”

As Snowden said, “End to end encryption makes bulk surveillance impossible. There is more oversight, and they won’t be able to pitch exploits at every computer in the world without getting caught.” So, if Snowden is correct, we can simply develop easy-to-use unbreakable encryption technology and bulk surveillance will be made impossible and therefore all surveillance will be forced to shift towards targeted surveillance where “there is more oversight”. No more bulk surveillance but still room for targeted surveillance. Problem solved, right?

Well, if the elimination of bulk data collection is something that society wants to prioritize then, yes, strong end-to-end encryption and the use of tools like TOR (because strong encryption still won’t actually hide all the metadata, you’d need something like TOR) would indeed force surveillance to become much more targeted. Assuming a spywarepocalypse doesn’t take place.

But what about that targeted surveillance that Snowden claims to support? Will that still be possible once strong end-to-end encryption tools are made widely available? Well, here’s where it gets messy in ways that Snowden and the Cypherpunks don’t like to talk about and in ways that relate to the Supreme Court’s recent cellphone ruling: Once you have easy-to-use strong encryption tools that make communications unbreakable, it’s probably not going to take too long before similar tools (or the very same tools) are also used to make the local files on your computer strongly encrypted too. That means that when there’s a legitimate law enforcement or national security need to view the contents of someone’s computer or smartphone, a warrant won’t be enough. The person under investigation is simply going to have to decrypt the data or hand over a password under threat of contempt of court. And when law enforcement has to rely on the person being investigated to provide access to incriminating evidence, it means we might be seeing a lot more 5th Amendment stories like this:

ExtremeTech
US Appeals court upholds Fifth Amendment right to not decrypt hard drives

By Joel Hruska on February 24, 2012 at 1:31 pm

The 11th Circuit Appeals Court has issued an important ruling on the question of whether or not a defendant can be forced to decrypt a hard drive when its contents could provide additional incriminating evidence. The case in question refers to the actions of a John Doe who was compelled to testify before a grand jury in exchange for immunity from prosecution. Doe was ordered to decrypt the contents of his laptop as part of that testimony, but was told that his immunity would not extend to the derivative use of such material as evidence against him. Doe refused to decrypt the TrueCrypt-locked drives, claiming that to do so would violate his Fifth Amendment right against self-incrimination.

Note that this case involves the use of TrueCrypt, one of the tools Snowden used to encrypt his NSA documents and one that he strongly advocates (before it mysteriously shut down about a week before the Heartbleed revelations). Not only can TrueCrypt encrypt data in ways that the NSA can’t break, but it also allows you to create hidden volumes within your encrypted volumes so if you are asked to hand over the password you can simply give the “fake” top-layer password that only decrypts the non-hidden folders.

Continuing…


The 11th Circuit’s ruling reverses the lower court’s decision to hold Doe in contempt and affirms that forcing him to decrypt the drives would be unlawful. It also states that the district court erred in limiting the immunity it granted Doe to only apply to grand jury testimony and not the derivative use of the evidence in question. The ruling on misapplied immunity means that the 11th Circuit could’ve punted on the Fifth Amendment issue, but the court opted not to do so.

The applicability of the Fifth Amendment rests on the question of what the government knew and how it knew it. Federal prosecutors admitted at trial that while the amount of storage encrypted exceeded 5TB, there was no way to determine what data was on the hard drive — indeed, if there was any data whatsoever. Plaintiffs were reduced to holding up numerical printouts of encryption code that they said “represented” the data they wanted, but were forced to admit that there was no way to differentiate what might be illegal material vs. legal.

The question at hand is whether or not decrypting the contents of a laptop drive is testimony or simply the transfer of existent information. The court acknowledges that the drive’s files are not testimony of themselves, but writes “What is at issue is whether the act of production may have some testimonial quality sufficient to trigger Fifth Amendment protection when the production explicitly or implicitly conveys some statement of fact.” (emphasis original)

Previous court cases have established that merely compelling a physical act, such as requiring a defendant to provide the key to a safe, is not testimonial. Actions are also non-testimonial if the government can invoke the “foregone conclusion” doctrine by showing with “reasonable particularity” that it already knew that certain materials or content existed.

By decrypting the drives, Doe is admitting “his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” The court dismisses the argument that the contents of Doe’s hard drives are a foregone conclusion, noting that “Nothing… reveals that the Government knew whether any files exist or the location of those files on the hard drives; what’s more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives.”

“The Government has not shown, however, that the drives actually contain any files, nor has it shown which of the estimated twenty million files the drives are capable of holding may prove useful… we are not persuaded by the suggestion that simply because the devices were encrypted necessarily means that Doe was trying to hide something. Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all.”

Not exactly carte blanche

The strength of this decision is the balance it strikes between the rights of the government and the individual. Rather than focusing on the nature of the pass phrase defendants are ordered to provide, it emphasizes the issue of what the prosecution knows and how it learned it. If the prosecutors had had sufficient data to indicate that illegal materials were stored on Doe’s hard drives, forcing him to testify would’ve been valid under the foregone conclusion principle.

This decision doesn’t make it impossible for the government to use the contents of an encrypted drive, but it requires that the prosecution demonstrate a knowledge of the contents and data contained therein before being allowed to issue a blanket demand. It’s a fair call, and given the increasing number of similar cases, an important one.

There’s a lot to digest there: Ok, so it appears that “John Doe” was staying in a hotel room with an IP address that was caught accessing child porn over YouTube. But it wasn’t the only hotel room with that IP address, so it couldn’t be specifically tied to his computer. The prosecutors offer him immunity for his testimony if he decrypts the TrueCrypt-encrypted files on his computer, but they don’t offer him immunity for the “derivative use of such material as evidence against him”. So Doe refuses to decrypt the drive, citing the 5th Amendment right against self-incrimination. And the 11th Circuit Appeals Court argued that:


By decrypting the drives, Doe is admitting “his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”

The court dismisses the argument that the contents of Doe’s hard drives are a foregone conclusion, noting that “Nothing… reveals that the Government knew whether any files exist or the location of those files on the hard drives; what’s more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives.”

In other words, the 11th Circuit appeals court ruled that providing the decryption key is basically a testimony that says “yes, I have access to those files” and thus constitutes a self-incriminating testimony when the government couldn’t actually provide evidence that they knew any incriminating evidence was on the drive (since multiple hotel rooms shared the same IP). If this seems like a stretch, keep in mind that it’s entirely possible for someone to possess a computer or smartphone that contains encrypted files that someone else put there and controls.

Is Encryption Like a Strongbox or a Wall Safe? Who Cares? The Courts
Also keep in mind that the Supreme Court has yet to rule on this case or similar cases, so a very big Supreme Court ruling on forced decryption is just a matter of time:

DuqCrim.com
Criminal Justice Program of Duquesne University School of Law

The catch 22 of forced decryption.
Posted by Frank Spinelli on May 7, 2014 at 7:14 AM

Should forced decryption of a hard drive be prohibited under the Fifth Amendment?

Some background: In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption has been around for a very long time, and has historically been used frequently during wartime.

Meanwhile, the Fifth Amendment states that no person, “shall be compelled in any criminal case to be a witness against himself.” The Fifth Amendment is designed to prevent the accused from being forced to divulge incriminating evidence from within his or her own mind, to be used against himself or herself. A person may invoke the Fifth Amendment once three factors have been established: compulsion, a testimonial communication or act, and incrimination. The law also requires that the information sought still retain testimonial value, and consequently be worth being constitutionally protected. The information sought out cannot already be a foregone conclusion, which the Government already concretely knows, or has proven exists by independent means.

Compulsion, and incrimination are relatively straightforward where an accused is asked by a court to decrypt a hard drive.

The court is compelling the accused to divulge the contents that are encrypted in one of two ways. Firstly, by either decrypting the information by providing the password required to decrypt the information, enabling authorities to do just the same. Or, secondly, by providing the information sought, in a decrypted and intelligible form.

Incrimination merely refers to the fact that the information sought to be gained, and compelled to be revealed by the accused, is in fact incriminating.

The issue that is currently undecided is whether or not the act of production, or enabling the decrypting, is testimonial, and whether or not the testimonial status extends beyond the act of decrypting, to the actual contents revealed, or decrypted.

The Supreme Court has yet to rule on this issue. The highest court to rule on the issue has provided some interesting insight regarding the issue. The Eleventh Circuit has held that an accused may not be forced to decrypt the files on an encrypted hard drive, due to the nature of encryption.

The court explained that whether an act is testimonial, and is covered by the protections of invoking the Fifth Amendment, or merely a compelled physical act, which remains unprotected by the Fifth Amendment, can be best analogized to the difference between a strongbox and a wall safe. The court relied on previous Supreme Court decisions concerning the Fifth Amendment, pointing out that the forced production of a physical key to a strongbox would not generally be considered to be a testimonial act. Whereas, the forced production of a combination to a wall safe would be considered a protected testimonial communication or act, as it requires an accused to reveal a truth from within his or her mind. The revelation of which would lead to the production of incriminating evidence, from within the wall safe, or at least support a link in the chain of evidence, strengthening the case against the accused. Something that the Fifth Amendment was specifically added to the Bill of Rights to protect against.

For example, in regards to the previously mentioned historical events, hypothetically, an accused person would be unable to invoke the Fifth Amendment in a case where a court issued a subpoena forcing the production of an Enigma machine to decrypt a file. This would be analogous to the physical key in the strongbox analogy, because the act of producing the Enigma machine would be requiring a physical act. However, if a court issued a subpoena forcing an accused person, fluent in Navajo and English, to reveal the contents of a file, written in Navajo, it would likely be considered to be a testimonial act, and protected under the invocation of the Fifth Amendment. The second subpoena requires the accused to reveal encrypted information by utilizing a mental skill, and essentially compel the production of encrypted, and incriminating evidence from within his or her mind.

Furthermore, because of the nature of encryption, the “foregone conclusion” doctrine is generally inapplicable to information sought, unless corroborated from other evidence, or non-encrypted data on the drive. This is simply because, as the court pointed out, until a hard drive is decrypted it is usually extremely difficult to tell what type of file, or files, if any, are being stored on a hard drive until it is decrypted. Consequently, it is generally not a “foregone conclusion,” since it is difficult to tell if an encrypted hard drive contains zero data, or is filled completely with encrypted data, as empty space and recorded data appear generally the same before decryption. The court therefore reasoned that the decrypted information should also be protected, not just the act of production of the password, but the decrypted data as well.

Consequently, a broader grant of immunity would have to be granted, one which extended to the data eventually decrypted, not just the act of production, before a court may compel an accused to decrypt data.

The issue remains unclear for now in the other circuits, and most states, until the Supreme Court hears a case concerning this issue, and rules decisively on it.

“The issue remains unclear for now in the other circuits, and most states, until the Supreme Court hears a case concerning this issue, and rules decisively on it.” Yep, the issue does remain unclear. But if the Supreme Court is poised to issue a series of rulings on privacy-related issues, it seems pretty likely that we’re going to see a ruling on this topic of forced decryption pretty soon, because the growth in both the number and popularity of encryption tools means 5th Amendment fights over forced decryption are only going to become increasingly frequent. And that means the “Strongbox vs Wall safe” debate is going to become quite a hot topic because, as groups like the Cypherpunk-leaning Electronic Frontier Foundation (EFF) and the ACLU argued last October, if you’re ever forced to decrypt your data it is clearly a “wall safe” and not a “strongbox” scenario and therefore you should get blanket immunity for anything found:

Threatpost

EFF Makes Case That Fifth Amendment Protects Against Compelled Decryption
by Michael Mimoso
October 31, 2013, 2:08 pm

With new leaks about the extent of U.S. government surveillance coming almost daily, one constant remains among all the deterrents to the NSA’s prying eyes: encryption technology works. As far as we know, the math behind encryption is solid, despite the specter of some unnamed breakthrough made by the spy agency some years ago.

Tangentially, the government continues to try to make a case for the ability to force someone alleged to have committed a crime to decrypt their hard drives and turn over evidence. On a number of previous occasions, the courts have upheld Fifth Amendment protections against self-incrimination in such cases.

In a case starting on Monday in Massachusetts Supreme Judicial Court, an appeal of a previous decision against Leon Gelfgatt, 49, of Marblehead, Mass., an attorney, was indicted in a mortgage fraud scam in which he is alleged to have stolen more than $1.3 million. The government, in trying to make its case against Gelfgatt, tried to compel him to decrypt his hard drive. The judge in the case, however, denied the request saying that such an action would violate the Fifth Amendment.

Digital advocacy group the Electronic Frontier Foundation, along with the American Civil Liberties Union, filed an amicus brief yesterday explaining the Fifth Amendment privilege against self-incrimination prohibits compelled decryption. Hanni Fakhoury, staff attorney with the EFF, wrote in a blogpost that the Fifth Amendment protects an individual from unveiling the “contents of his mind” and that the government through this action would be learning new facts in the case beyond the encryption key.

“By forcing Gelfgatt to translate the encrypted data it cannot read into a readable format, it would be learning what the unencrypted data was (and whether any data existed),” Fakhoury wrote. “Plus, the government would learn perhaps the most crucial of facts: that Gelfgatt had access to and dominion and control of files on the devices.”

The government’s argument is that the decryption is akin to providing the combination to unlock a safe, rather than compelling the production of decrypted files.

“That assertion is incorrect,” the brief says. “Just as encrypting a drive encrypts each and every one of its files, decrypting the drive makes available copies of all of its files.” The contention is that because the data is transformed and scrambled, decryption is more than a key, safe combination or password, the brief said.

“In the surveillance environment, the need for encryption is especially strong because it often seems that strong technology is our last refuge from the government’s prying eyes,” Fakhoury said. “We’ve seen in all the leaks the government’s effort to undermine web encryption and so we must make sure they can’t undermine the physical device encryption here.”

So in this case involving $1.3 million stolen through mortgage fraud, the government tried to compel the defendant to decrypt his data by arguing that decryption is analogous to handing over a key to a strongbox. But the EFF and ACLU assert the opposite, that decryption is an act of revealing a piece of your inner mind and therefore protected by the 5th Amendment. So when the Supreme Court eventually rules on this topic, THAT’s one of the key legal distinctions it’s going to have to resolve: Is encryption like a strongbox or a wall safe? Welcome to the fun world of unbreakable encryption and legal rights.

The Massachusetts Supreme Court ruled on that $1.3 million mortgage fraud case just days ago. In that instance, the court found, the government could compel decryption. Why? Well, basically because the person under investigation told the police that he could indeed decrypt the data, but he won’t. So, in this case, court-ordered forced decryption was deemed constitutional. But that’s just for Massachusetts. Until the US Supreme Court rules on this topic, the constitutionality of forced decryption will depend on not only your legal circumstances, but also your locale:

Ars technica
Massachusetts high court orders suspect to decrypt his computers
Suspect told cops: “Everything is encrypted and no one is going to get to it.”

by Cyrus Farivar – June 25 2014, 7:00pm CST

Massachusetts’ top court ruled, in a 5-2 decision on Wednesday, that a criminal suspect can be ordered to decrypt his seized computer.

The Massachusetts Supreme Judicial Court (MSJC) ruling only applies to the state. Various other courts at the state and federal level have disagreed as to whether being forced to type in a decryption password is a violation of the Fifth Amendment right to protect against self-incrimination and its state equivalents (such as Article Twelve of the Massachusetts Declaration of Rights). For example, more than two years ago, the 11th Circuit Court of Appeals ruled that a defendant was not obliged to decrypt his hard drive, as doing so would violate his Fifth Amendment rights. However, that ruling only took effect in the 11th Circuit, which covers parts of the southeastern United States. Just last year, a federal judge refused to force a Wisconsin child pornography suspect to decrypt his laptop. Overall, cases involving decryption are still relatively new and rare. The first known one only dates back to 2007.

Privacy advocates lamented the MSJC’s new ruling, disagreeing with the court’s judgment that an exception to the Fifth Amendment rule, such as a “foregone conclusion,” applies here.

“The defendant is only telling the government what it already knows”

horities that he was able to decrypt his computers but would not do so.

As the MSJC ruled:

During his postarrest interview with State police Trooper Patrick M. Johnson, the defendant stated that he had performed real estate work for Baylor Holdings, which he understood to be a financial services company. He explained that his communications with this company, which purportedly was owned by Russian individuals, were highly encrypted because, according to the defendant, “[that] is how Russians do business.” The defendant informed Trooper Johnson that he had more than one computer at his home, that the program for communicating with Baylor Holdings was installed on a laptop, and that “[e]verything is encrypted and no one is going to get to it.” The defendant acknowledged that he was able to perform decryption. Further, and most significantly, the defendant said that because of encryption, the police were “not going to get to any of [his] computers,” thereby implying that all of them were encrypted.

When considering the entirety of the defendant’s interview with Trooper Johnson, it is apparent that the defendant was engaged in real estate transactions involving Baylor Holdings, that he used his computers to allegedly communicate with its purported owners, that the information on all of his computers pertaining to these transactions was encrypted, and that he had the ability to decrypt the files and documents. The facts that would be conveyed by the defendant through his act of decryption—his ownership and control of the computers and their contents, knowledge of the fact of encryption, and knowledge of the encryption key—already are known to the government and, thus, are a “foregone conclusion.” The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows.

A step back for privacy

Because Gelfgatt already admitted to police that he owned and controlled the seized computers and had the ability to decrypt them, the court found that the act of decryption would not reveal anything new to the police. Therefore, the act of compelled decryption was not “testimonial.” Normally, the Fifth Amendment privilege prevents the government from forcing a witness to disclose incriminating information in his mind (like a password not written down anywhere else)—but only if that is information the police do not already know.

Jessie Rossman, an attorney with the American Civil Liberties Union of Massachusetts, told Ars that her organization is “disappointed in the decision.”

“For example, an individual can be forced to hand over a key to a locked safe if the government already knows that’s your safe—the documents in there have already been created,” she said.

“Your opening that safe, the documents are already there. That’s not new testimonial. But encrypted data needs to be transformed into something new when decrypted. A number of encrypted technology works such that when you look at [a hard drive] you can’t even tell what is empty space or what is not empty space. When you decrypt that computer it’s creating something new and if you didn’t have any knowledge, the act of decrypting tells you something you didn’t know beforehand. We believe that the Fifth Amendment and Article 12 needs to protect not only the act of entering a code but the act of producing decrypted files to the government.”

Fred Cate, a law professor at Indiana University, told Ars that this ruling could come with an unfortunate consequence. If someone admits to owning a computer and asserts that they possess the password, “its only likely effect is to encourage future defendants to be less forthcoming with police.”

“This seems to be an issue likely to head to the Supreme Court where, despite today’s sweeping 9-0 victory for privacy involving searches of cellphones, the outcome is not at all certain,” he added. “Historically, the high court has taken a dim view of efforts to expand the Fifth Amendment privilege against self-incrimination or to apply it in novel ways. In the meantime, we should expect to see both federal and state courts continuing to reach divergent results when faced with this important question.”

As suggested at the end, “this seems to be an issue likely to head to the Supreme Court where, despite today’s sweeping 9-0 victory for privacy involving searches of cellphones, the outcome is not at all certain.” Should that uncertainty be surprising? Well, we aren’t just looking at the emergence of a new technological phenomenon (pocket-sized computers) requiring a review of 4th amendment rights. We’re really looking at the intersection of two intertwined technologies. Until the last decade or so, you didn’t have people carrying around a home’s worth of personally revealing (and potentially incriminating) information in their pockets. And yet, as the article points out, pre-2007 we didn’t really see cases involving court-forced decryption, which is to be expected since strong encryption is notoriously non-user-friendly. And the Supreme Court’s recent ruling on the 4th Amendment didn’t really address the issue of forced decryption at all, so yes, quite a bit of uncertainty should probably be expected in the area.

At the same time, notice the overwhelmingly negative responses to this Massachusetts Supreme Court ruling by groups like the ACLU and EFF even when the defendant basically tells the police that, yes, the encrypted drives are his and, yes, he can decrypt them. So one thing we can probably be pretty sure of is that this issue is going to be contentious for a long, long time and the debate over forced decryption is only going to grow. In situations like this where there isn’t a clear ‘right’ and ‘wrong’ but instead a difficult balancing of priorities, a drawn out fight is pretty much guaranteed.

So get ready for more Supreme Court rulings on these topics. But also get ready for more confusing debates over “what did the government know and when did they know it” and a far more detailed examination of the distinctions between strongboxes and wall safes than you ever expected to endure. Is decryption “an act of production” warranting 5th Amendment protections or just “a physical act”? We’ll find out!

But the fact that these strangely nuanced legal distinctions have to be made in the first place is actually a great example of the system working. Life is complex and the law should reflect that complexity. And as technology progresses those complexities are only going to grow so this is the kind of legal morass that we should be somewhat pleased to see emerging. That legal morass is a reflection of a reality morass and it has to be tackled. Tackled over and over as technology changes. But that legal morass is also a strong reminder that privacy, security, and ever-changing technology are far more complex than the version of reality presented by Edward Snowden and his allies like the EFF.

Many of the accolades given to the Supreme Court’s recent ruling are about how it formalized a recognition that the scale of technology can qualitatively change its nature and necessitate a legal rebalancing of privacy and security. The simple cellphones of yesteryear are quite different from the smartphones of today. As the Supreme Court put it, searching someone’s cellphone might be more informative than searching their home. That’s an important recognition because if technology suddenly allows us all to walk around with a home’s worth of personal information in our pockets we probably don’t want to allow full access to that when someone is simply under arrest. But as we saw with tools like TrueCrypt, if our smartphones are homes, they’re increasingly homes that cannot be entered at all by law enforcement without the permission of the home owner regardless of circumstance because it will be mathematically impossible (and maybe physically impossible someday).

If a court issues a warrant to allow a search of your home, someone is going to search your home whether you want to let them in or not. Physically impenetrable homes aren’t physically possible. But impenetrable smartphones via encryption, on the other hand, are now being aggressively developed and promoted (by Germany) in the post-Snowden era for use by the masses (although they’ll still presumably be hackable by the BND or whichever government sponsors them).

Sure, you can still be sent to jail for contempt of court if you refuse to comply with a valid court order to decrypt, but that just means that the jail time for contempt of court could now suddenly become a much more available legal option in a growing number of cases for people facing far more serious crimes. And don’t forget that people can be assigned the role of the data mule or data ‘fall guy’ in a larger criminal organization. That might be a lot easier to do going forward. We should still prioritize protecting our 4th Amendment rights, but we should also recognize the new real costs that arise when protecting them as we’re forced to adapt those legal protections to changing technological landscapes. Strong encryption is an incredibly useful tool, for good or ill. And that means strong encryption is going to lead to new costs in protecting those rights at the same time that it’s being used in helpful ways. It is what it is.

Beware of Libertarians Bearing Non-Solutions
So let’s be relieved that the Supreme Court is intent on tackling the increasingly complex issues surrounding privacy, security, and technology because the legal ambiguity on these issues is only going to grow. Unbreakable encryption is just a matter of time because it already exists. Edward Snowden may have dramatically accelerated strong encryption’s adoption, but it was just a matter of time before some encryption “killer app” brought strong encryption for both data transmissions and local data storage to the masses. These super-encryption tools were already growing in popularity long before Snowden came along and turned the global focus onto them. Some sort of legal clarity was going to be necessary sooner or later.

And let’s also be relieved that the recent 4th amendment ruling signifies that the Supreme Court justices are keenly aware that changes in the scope and capacity of technology can necessitate significant rethinking in how society establishes the rules and safeguards for both the technology itself and how that ever-changing technology interfaces with our never-changing human situation of all having to live together under a uniform set of laws. It was a great ruling on the 4th that was overdue.

But with tools like TrueCrypt and Tor becoming increasingly popular, let’s not be relieved about the fact that folks like Edward Snowden, Julian Assange, Jacob Appelbaum, and the rest of the Cypherpunk/Cyberlibertarian movement have largely seized control of the international debates over these issues. Balancing privacy, security, and technology is tough enough as is and it’s only going to get more and more complicated. That’s why you don’t want extremist ideologies dominating the debate. The Cypherpunks make many valid points when highlighting the dangers of a creeping technology-enabled surveillance state (it’s not hard). But Snowden and the Cypherpunks also casually dismiss or ignore the darker implications of the solutions they suggest.

If society wants to go down the path of adopting ubiquitous unbreakable encryption and tools that allow for layers and layers of “hidden volumes” along with generous 5th Amendment interpretations that give blanket immunity from forced decryption, well, ok, society should have the right to go down that path. And it might even be the best path overall. We’ll find out because it’s kind of inevitable that super encryption goes mainstream. But we should at least be trying to predict the negative implications that come with going down that path and you don’t see any real attempts to do that by the movements that are currently dominating the global debate. That’s precarious.

It’s true that Edward Snowden and the Cypherpunks say things like “not all spying is bad” and things like “we need both policy solutions and technical solutions”, but that’s about it. The rest of what he’s been advocating is largely a Cypherpunk agenda that makes policy solutions moot. Let’s take another quick look at Snowden’s suggestions at the SXSW festival:

Wired
Edward Snowden Urges SXSW Crowd to Thwart NSA With Technology

By Kim Zetter
03.10.14 | 3:48 pm

With lawmakers slow to pass legislation curbing NSA surveillance, it’s up to the technology community to step in and devise solutions that will better protect online communications from snoops, said Edward Snowden, speaking today from Moscow at the South by Southwest conference in Austin.

“[T]he people who are in the room at Austin right now, they’re the folks who can really fix things, who can enforce our rights for technical standards even when Congress hasn’t yet gotten to the point of creating legislation that protect our rights in the same manner…,” he said. “There’s a policy response that needs to occur, but there’s also a technical response that needs to occur. And it’s the makers, the thinkers, the developing community that can really craft those solutions to make sure we’re safe.”

The massive surveillance being done by the NSA and other governments has created “an adversarial internet,” he said, “a sort of a global free-fire zone for governments, that’s nothing that we ever asked [for]; it’s not what we wanted. It’s something we need to protect against….

“[T]hey’re setting fire to the future of the internet. And the people who are in this room now, you guys are all the firefighters. And we need you to help us fix this.”

One solution he highlighted, that would make it more difficult for the U.S. and other governments to conduct passive surveillance, is the implementation of end-to-end encryption that would protect communications from user to user, rather than as it’s currently done by Google and other services, which only encrypt the communication from user to service, leaving it vulnerable to collection from the service provider.

“End-to-end encryption … makes mass surveillance impossible at the network level,” he says, and provides a more constitutionally protected model of surveillance, because it forces the government to target the endpoints — the individual users — through hacking, rather than conduct mass collection.

That’s the claim made over and over by Snowden: if we just all implement end-to-end strong encryption then the government will just target individual users “through hacking”. So it will be harder for the government to spy on individuals, but not impossible. But as we’ve seen, there’s really no way to “hack” strongly-encrypted locally stored data. Especially if it’s in a hidden volume that can’t be detected. And then there’s the fact that much of what Snowden’s leaks have revealed has been targeted surveillance methods.

Snowden’s words have enormous influence on these topics and, unfortunately, that means the global policy debate that needs to emerge in response to ubiquitous super encryption technology is starting off in a warped manner. We get endless debates over whether or not metadata collection helps stop ‘terror’ and yet, as we also saw above, it wasn’t terrorism that people were using strong encryption to carry out. It was everyday crimes. This isn’t just about terrorism and the abuse of government power.

So we really have to keep asking ourselves if the anti-NSA backlash is going to be used by folks with a libertarian agenda to weaken the government in ways that go far beyond bulk surveillance. If we accept the libertarian assumption that government simply can’t work, the kind of balance eventually struck on issues like the 4th and 5th amendments may result in the kind of society where things like legitimate law enforcement increasingly can’t work too. Is that part of the agenda? It sure would fit the current anti-government fever afflicting an increasingly far-right GOP. Just imagine the kinds of corporate abuses that could be enabled with end-to-end encryption, “hidden volumes”, and the kind of 5th Amendment interpretation that basically views any forced decryption as a violation of the 5th Amendment.

These lurking dangers are one of the reasons why the Supreme Court’s 4th Amendment ruling was great but it was also only part of the overall solution to balancing privacy and security in this current technological environment. Now that strong encryption for the masses is becoming a reality, a 5th Amendment ruling on forced decryption is going to be needed too before we can really assess the new legal landscape. And as we saw above, that’s not an easy or obvious ruling…not nearly as easy as this 4th amendment case. In fact, it looks pretty difficult. Is encryption like a strongbox or wall safe? What a strange concept to have legal immunity hinge upon.

But another reason we need to be on guard against an anti-NSA backlash morphing into an attack on the legitimacy of government is because the ‘Little Brother’ surveillance state that everyone wants to live in – and it’s not just libertarians who desire that – might require a ‘Big Helpful Brother’ government for fixing the kinds of big problems that don’t get fixed on their own or by “the market” or charity. And that means *gasp* building a government you can trust and that’s empowered to get things done! Not the libertarian vision of a government that you can trust because it’s been systematically disempowered, but a real democratically elected government that doesn’t accept poverty or oppression in any form and doesn’t simply wait for the private sector to fix those problems.

We can’t rely on technology as a shield against bad policy or bad governments. If we’re going to get serious about addressing the weird and ever more exotic threats facing society, one of the most powerful tools for protecting our privacy is, quite simply, a highly competent society. Competent in the sense that it’s a society that is actively engaged in learning about the threats around it, emerging and existing threats, while also being sane enough to deal with these threats in a manner that doesn’t lead to some sort of nightmare situation. That’s how we protect our privacy most effectively: by identifying and solving the kinds of openly visible problems like poverty and oppression that encourage individuals to secretly engage in terrorism or harmful crimes. There’s simply going to be less danger to look out for the more we make a better world.

But we’re not going to be able to build that competent society capable of helping if the only governments we can trust are those without the power to harm. Government, it turns out, is a lot like technology: Governments with the power to help can also hurt, just like technology. Powerful governments aren’t inherently a “good” or “bad” thing, as the libertarians assert. It depends on how you use it. If you have a weak government, it may not directly harm you but it’s not going to help either. Just like technology. This is why ensuring that we don’t protect our rights at the expense of a competent helpful government is going to be increasingly important and challenging going forward. The simple fact that few entities are more empowered by technology than a government creates an impulse to disempower government as a form of civic self-defense. And that impulse is only going to grow with each technological advance that enhances that power. How we strike that balance between privacy and security without turning governments into either a beast or a worthless joke isn’t obvious. Maybe empowering criminals with super encryption tools and 5th Amendment rights is a reasonable price to pay to avoid the costs associated with government abuse? Or maybe it’ll foster a crime explosion? Maybe both. No matter which path is chosen we’ll see the consequences. Eventually. But we’re not going to see all of the other optional paths forward if the Cypherpunk/Libertarian perspective continues to be the dominant perspective on these kinds of issues.

Enough With the Insane Insanity. Sane Insanity is Required
To some extent, if we really want to get serious about grappling with these mutually contradictory issues we, by definition, need to go somewhat insane in terms of our worldview. Insane in the sense that we really do need to hold multiple, mutually contradictory ideas in our minds simultaneously in order to grapple with them individually. Sane insanity. In other words, you can’t simply be a “privacy advocate” without being a “security advocate”. Privacy and security are intertwined because our lives are intertwined. I have to care about your security too if I really want to protect my privacy and vice versa.

But you also can’t achieve that intertwined state by simply defining “privacy=security”, as we often hear from folks like Snowden or Assange. That just doesn’t make sense when “privacy” includes super encryption and “hidden volumes” and legal regimes that can potentially provide an incredible shield against legitimate law enforcement or national security tasks. At the same time, because reality is somewhat insane we can’t kid ourselves about the incredible dangers that could potentially arise from technologically enabled mass surveillance, especially crypto-mass surveillance (the Panopticon). Sane insanity is needed on a variety of topics and that need is only going to grow.

Terrified of a government with the power to track us all? Great. It’s a healthy sense of terror. Governments can become criminal. But also be terrified of a government that can’t really track or prosecute criminals, even when it’s important. So embrace the cognitive dissonance that comes with these issues. Embracing the technology-enhanced cognitive dissonance and lack of easy and obvious answers is the answer. That’s how the kinds of long-term solutions we need are going to be found and it’s a lot better than the alternative.

Discussion

18 comments for “Knock, Knock? Who’s There? Either a Strongbox or a Wall Safe. It’s Undecided.”

  1. This story is extremely complex. If I understand it correctly it boils down to; not every decision that sounds good on its face is good. Also the powers that be are SOBs and the general public is screwed. I hope I am understanding correctly. Thank you.

    Posted by GK | July 4, 2014, 1:02 pm
  2. @GK: Hehe, yeah that’s the gist of it, but with the added caveats that 1. the powers that be are both public and private, and 2. should we find that the powers that be are indeed SOBs that pose an unreasonable threat to rights privacy, the best defense the public has against those SOBs is replacing the public SOBs with non-SOBs that can keep the public and private SOBs from trampling everyone’s rights. But yeah, since some degree of human judgement by people in positions of power is required for a modern society to function, judicious use of our main TPTB SOB management tool (democracy) is required.

    Posted by Pterrafractyl | July 4, 2014, 5:03 pm
  3. @GK: Here’s another story that’s a great example of an idea that might sound good on its face but may not be so great in practice: So Russia is following the recommendations by Germany’s and Brazil’s governments that they require companies like Google and Facebook to store their data locally. When it was Germany and Brazil making this pitch it was typically characterized as a way for those governments to protect their citizens from the prying eyes of the NSA. But when Russia actually passes such a law, we get reminded that data localization laws also make the data much more likely to get spied on by the local government and that might be a much bigger threat to your privacy than the NSA. As is usual, the complexities of issues like this can remain obscured for a while but not necessarily forever:

    Russian lawmakers pass new bill restricting Internet

    By Maria ANTONOVA July 5, 2014

    Moscow (AFP) – Russia’s parliament passed a bill on Friday requiring Internet companies to store Russians’ personal data inside the country in an apparent move to pressure sites such as Facebook and Twitter into handing over user information.

    Introducing the bill to parliament this week, MP Vadim Dengin said “most Russians don’t want their data to leave Russia for the United States, where it can be hacked and given to criminals.”

    “Our entire lives are stored over there,” he said, adding that companies should build data centres in Russia.

    The bill would increase pressure on social networking services which do not have offices in Russia and have become a vital resource for anti-government groups.

    Just days before the bill was formally proposed last month, Twitter’s public policy chief Colin Crowell visited Russia to speak with media watchdog Roskomnadzor. Few details of the visit were publicised, but access to user data is thought to have been top of the list.

    Russia is also asking Twitter to open a local office, which the company has so far refused to do.

    “Nobody wants to relocate to Russia, but I am pessimistic. I think (the Russian authorities) will make them relocate the servers,” said Andrei Soldatov, a journalist who tracks Russia’s security services.

    “For the most part, this is directed against Gmail, Facebook, and Twitter,” he said.

    If passed, the rules will not take effect until September 2016 but will provide the government with grounds to block sites that do not comply.

    – ‘Iron curtain all over’ –

    Russia’s Association of Electronic Communication (RAEC), a group that lobbies on behalf of Internet companies and also helped organise Crowell’s visit, said the new measures would be detrimental to Internet users.

    “Many global Internet services would be impossible,” the group said earlier this week. “The bill takes the right of people over their own personal data away from them.”

    “They want the iron curtain all over again, with everything written on pieces of paper like in the Soviet Union,” Vladimir Kantorovich, vice president at the Russian Association of Tour Operators, told AFP.

    “I feel like the Duma wants to lock us in an armoured cell for our protection without asking if we need it.”

    The bill must still be approved by the upper chamber and President Vladimir Putin before it becomes law, but is only the latest in what appears as a concerted push by the government to crack down on Internet dissent.

    Lawmakers have already passed a slew of restrictions, including a requirement for bloggers to register as media if they have more than 3,000 followers and a law directed against “extremist” language that could see Russians go to jail for up to five years for retweeting offensive information.

    Conservative lawmakers are also discussing the possibility of widespread Internet filters that could only be lifted for people who hand over their passport information.

    Posted by Pterrafractyl | July 4, 2014, 6:03 pm
  4. This is interesting: Edward Snowden just endorsed a web service provider specifically because it doesn’t retain the capacity to decrypt your data even when provided with a valid warrant:

    Upstart
    July 18, 2014, 5:10pm EDT
    Edward Snowden gives little-known Spideroak his stamp of approval

    Michael del Castillo
    Upstart Business Journal Technology & Innovation Editor

    The UpTake: Edward Snowden currently lives in exile in Russia. But his endorsement of a U.S. startup still has the power to draw attention from privacy-focused customers.

    Edward Snowden may be persona non grata in the United States, but in the burgeoning Anonymous Economy that sprung up after he leaked thousands of documents showing that the U.S. government was spying on citizens around the world and domestically, he is quite a hot commodity.

    So when he dissed Dropbox for being “hostile to privacy”—specifically citing the company’s appointment of former Secretary of State Condoleezza Rice to its board earlier this year—the Guardian took note. But for entrepreneurs looking to stay ahead of the curve, it’s who he endorsed as an alternative to Dropbox that’s particularly interesting.

    “Spideroak has structured their system in such a way you can store all of your information on them with the same sort of features that Dropbox does, but they literally have no access to the content,” Snowden told the Guardian in a report published yesterday. “So while they can be compelled to turn it over, the law enforcement agencies still have to go to a judge and get a warrant to actually get your encryption key from you.”

    Spideroak, an online tool for backing up, sharing, syncing, accessing and storing data, offers its users what they call “zero-knowledge privacy,” meaning, “the server never knows the plaintext contents of the data it is storing,” according to the site. “Therefore, the data is never at risk of being compromised or abused by either internal threats or external hackers.” A similar service to Kim Dotcom’s Mega, Spideroak encrypts users’ files before they are stored, preventing the company from knowing their contents.

    On the other hand, according to Snowden, Dropbox is a “wannabe PRISM partner,” referring to the project name associated with government spying using corporations. “They’re very hostile to privacy.”

    According to Dropbox’s site, while it does encrypt files, the privacy keys giving access to the data are generated by the company, and there are a “small number of employees who must be able to access user data.” For “advanced” users though, Dropbox does allow for third party applications to provide additional encryption.

    Posted by Pterrafractyl | July 23, 2014, 12:27 pm
  5. Following the attacks on Charlie Hebdo’s Paris office, UK Prime Minister David Cameron drew a number of responses with his call for legislation to force UK internet service providers to make their encrypted customer data available to UK law enforcement. They tended to be rather negative responses, which is understandable given the controversial nature of the request. But they apparently weren’t all negative:

    EU Observer
    EU wants internet firms to hand over encryption keys

    By Nikolaj Nielsen
    BRUSSELS, 22. Jan, 09:30

    A top EU official wants internet and telecommunication companies to hand over encryption keys to police and spy agencies as part of a wider crackdown on terrorism.

    The EU’s counter-terrorism co-ordinator Gilles de Kerchove, in a document leaked by London-based civil liberties group Statewatch, says the European Commission should come up with rules that require the firms to help national governments snoop on possible suspects.

    “Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralised encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible,” notes de Kerchove in the document.

    Edward Snowden is a former US intelligence contractor who leaked files on how the US and UK intercept vast amounts of private data in the name of security.

    The de Kerchove proposal joins similar recent calls made by the US and UK governments to weaken or ban certain forms of encryption.

    UK prime minister David Cameron, in the aftermath of the Charlie Hebdo attack in Paris, said British intelligence agencies should have the legal ability to break the encrypted communications.

    His plea was later joined by Obama who said post-Snowden encryption technologies were making it more difficult for spy agencies to crack suspect communications.

    “If we find evidence of a terrorist plot … and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem,” the US leader said.

    Fears are mounting such proposals could force companies to introduce backdoor entries that would allow governments to pierce encrypted emails and smartphone message apps.

    Meanwhile, the de Kerchove paper goes further.

    Last April, the Luxembourg-based European Court of Justice scrapped the EU data retention directive. But Kerchove wants the European Commission to come up with a new proposal.

    He also wants a new Internet monitoring unit set up inside the EU police agency, Europol.

    The unit would be tasked to comb the web for any illegal content and alert IT companies to remove it.

    Kerchove suggests the police agency should also better align itself with the EU’s intelligence analysis centre, IntCen.

    Wow, it sounds like the EU’s counter-terrorism chief is calling for pretty much exactly what David Cameron wants, plus he’d like to see the EU remake the very same data-retention laws that the EU parliament scrapped last year. And a new EU internet monitoring unit.

    So it’ll be interesting to see how that proposal goes over with the public. But it will also be interesting to see what Edward Snowden has to say about these proposals. He’s obviously not going to be in favor of the EU counter-terrorism chief’s recommendations, but he’s also on record saying things like “not all spying is bad”, so how harshly will he respond to the EU’s new plans? Might he call for the abolishment of intelligence agencies? It’s possible:

    Lawfare
    Did Edward Snowden Call for Abolishing the Intelligence Community?

    By Benjamin Wittes
    Wednesday, December 24, 2014 at 2:34 PM

    Forget North Korea. Forget the Islamic State. Forget the Iranian nuclear program. I want to tell you about my exchange with Edward Snowden—and the amazing things he seems to have said in it.

    The exchange took place a couple of weeks ago, when I appeared as a last-minute sub-in on a panel at the Cato Institute’s surveillance conference. I was there, as I jokingly told the audience at the outset of my remarks, to represent unprincipled statism—though I like to think that my statism is a principle. (Nobody even cracked a smile at this joke.) Specifically, I was there at the request of Cato’s excellent surveillance scholar, Julian Sanchez, to defend the notion that Congress should not—and probably cannot constitutionally—regulate by statute the universe of surveillance now conducted under Executive Order 12333. My remarks drew an interesting, and I think revealing, response from Snowden, who addressed the conference by video later in the day.

    To understand the radicalism of what Snowden was saying, you have to start with the comments I made. Previous speakers on the panel—Marcy Wheeler, John Napier Tye, and Laura Donohue—had all objected to the breadth of collection under 12333 and Donohue, in particular, had argued for bringing 12333 collection under the Foreign Intelligence Surveillance Act. I started my remarks (which run from roughly 47:30 to roughly 55:30 of the video below) by pointing out that at least some foreign collection against non-US persons does not make sense to treat under statutory law:

    There’s a temptation when we all sit here to think about the many ways that we can regulate the traditionally unregulated space of foreign espionage. And it’s worth just taking a step back, and a deep breath, and saying, “What should Congress have to say about the rules when Barack Obama wants to know what Vladimir Putin is talking about?” And if that question doesn’t give you any pause . . . then I lose and yes, you should regulate every component of every aspect of foreign collection.

    [But t]here is a limit to Congress’s authority to regulate some of this stuff. I think most people, going back to my Vladimir Putin question, would say that is actually an area of inherent presidential authority.

    [see video]
    My interlocutors on the panel objected that this example was—as one put it—a “straw man.” It’s actually not a straw man; if you’re going to regulate overseas collection against non-US persons, you have to ask if anyone lies outside of that regulation and, if so, whom. And to his credit, Snowden did not object on that basis. In his own comments, later in the day, he took on directly the implications of my hypothetical, and his answer is deeply revealing.

    He actually addressed my remarks twice. The first time (which begins at roughly 28:45), he actively embraced the idea of both public law concerning overseas surveillance targeting and judicial review of surveillance even of foreign heads of state:

    There are very few people who contest that we should not be able to pursue investigations using almost any authority against individuals where you can get a judge to sign a particularized warrant. Benjamin Wittes earlier, he basically argued that, should we have legislators involved? Should we have public rules about the way we apply our surveillance capabilities because Vladimir Putin might know about it? I say yes, because there is no court in the world—well, at least, no court outside Russia—who would not go, “This man is an agent of the foreign government. I mean, he’s the head of the government.” Of course, they will say, “this guy has access to some kind of foreign intelligence value. We’ll sign the warrant for him.” If we know about the authorities, if we know about how they are used, there’s no problem whether they are public or private, because he can’t elide them. He can’t hide in the noise. We know what his capabilities are.

    Snowden returned to my Putin example later in his comments (around 44:00) and went further, arguing that we don’t really need an intelligence community at all—much less a FISA process:

    Particularly in the context of state security agencies, spy agencies, do we really need them? Aren’t they a product of developing societies, developing governments, developing civilizations, that can be replaced by our methods of law enforcement? When we talked about, for example, earlier Ben Wittes’s reference to Vladimir Putin, do we really need the NSA and a secret court to say, “hey, we’re going to wiretap Putin”? or is it easy enough to get any judge to sign that warrant? I don’t think we need a special mechanism to provide for targeted wiretaps or targeted efforts to gain intelligence related to a particularized investigation. And it’s not a far leap to say we can provide for legislation that affords that outside of secret organizations that inevitably push the line beyond what the public would agree with.

    Snowden’s point is sufficiently opaque to me that I find responding a little difficult. First of all, Snowden is responding to a point I did not make: I was, in fact, not saying that the problem with public law and applying the FISA process to surveillance of Putin would be making legal authorities public that should be secret. My point was, rather, that there’s a constitutional limit on Congress’s authority to regulate foreign intelligence activity, and that one doesn’t have to be Dick Cheney to believe that there’s some zone of inherent presidential power to conduct foreign policy that would include the conduct of espionage against, say, a foreign head of state overseas. As I said in my remarks, I am not married at all to the idea that Congress has no authority to regulate in areas currently governed by 12333. But I do think there’s a core that Congress cannot constitutionally touch.

    But let’s leave aside the ships-passing-in-the-night quality of Snowden and my legal discussion and pause a moment to consider the policy ideas he advanced, of which there are two. First, Snowden proposes that all foreign intelligence gathering should be particularized and subject to individual judicial review—even against foreign hostile heads of state. Second, he proposes that we not really have an intelligence community and specialized judicial instruments to oversee it but use exclusively law enforcement and conventional judicial tools for foreign surveillance. In short, he’s proposing a revolution in the entire way the U.S. government operates overseas, organizes its security apparatus domestically, and treats conceptually foreign and domestic threats.

    I couldn’t tell from Snowden’s comments whether he even understands the magnitude of what he’s proposing here. A regular court supervising a regular law enforcement agency, after all, would not be able to authorize surveillance against Putin absent probable cause that he had committed a crime. Putin is a bad guy, but I’m not sure he’s rightly the subject of U.S. criminal investigations, and a great many lawful intelligence targets certainly are not. The sources of authority to conduct foreign espionage simply lie in a different place from the sources of authority to investigate criminal behavior, and the parameters of those authorities are very different from one another too.

    Well, that’s one way to prevent government spying: eliminate intelligence agencies altogether, because spying is something only developing countries engage in, and instead conduct any warrant-approved wiretapping through law enforcement agencies. The police can tap Putin’s phone after they get a warrant.

    This proposal raises a number of fascinating questions, including Snowden’s views on the militarization of law enforcement. But it’s also worth noting that Snowden’s views on this topic sound somewhat similar to the proposals of prominent security expert Bruce Schneier, but not exactly the same, so it would be very interesting to see where they diverge. Transferring all domestic intelligence gathering to the FBI was something Schneier recommended last year. At the same time, Schneier was also advocating that all foreign cyberattacks and targeted hacking be conducted by the military and foreign spying be officially considered an offensive military act:

    CNN
    It’s time to break up the NSA
    By Bruce Schneier
    updated 6:40 PM EST, Thu February 20, 2014

    (CNN) — The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission — protecting the security of U.S. communications and eavesdropping on the communications of our enemies — has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.

    Putting the U.S. Cyber Command, the military’s cyberwar wing, in the same location and under the same commander, expanded the NSA’s power. The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk. It’s time we thought about breaking up the National Security Agency.

    Broadly speaking, three types of NSA surveillance programs were exposed by the documents released by Edward Snowden. And while the media tends to lump them together, understanding their differences is critical to understanding how to divide up the NSA’s missions.

    The first is targeted surveillance.

    This is best illustrated by the work of the NSA’s Tailored Access Operations (TAO) group, including its catalog of hardware and software “implants” designed to be surreptitiously installed onto the enemy’s computers. This sort of thing represents the best of the NSA and is exactly what we want it to do. That the United States has these capabilities, as scary as they might be, is cause for gratification.

    The second is bulk surveillance, the NSA’s collection of everything it can obtain on every communications channel to which it can get access. This includes things such as the NSA’s bulk collection of call records, location data, e-mail messages and text messages.

    This is where the NSA overreaches: collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn’t make us any safer, and it is liable to be abused. Even the director of national intelligence, James Clapper, acknowledged that the collection and storage of data was kept a secret for too long.

    The third is the deliberate sabotaging of security. The primary example we have of this is the NSA’s BULLRUN program, which tries to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices.” This is the worst of the NSA’s excesses, because it destroys our trust in the Internet, weakens the security all of us rely on and makes us more vulnerable to attackers worldwide.

    Keep in mind that when Bruce Schneier describes the targeting of individuals by the “Tailored Access Operations” (TAO) group as “the best of the NSA and is exactly what we want it to do”, that’s the opposite of what Wikileaks-hacker Jacob Appelbaum was suggesting during his keynote address to the 2013 Chaos Computing Convention. Appelbaum, who has a large cache of Snowden Documents himself and has written extensively about it in Der Spiegel, spent the entire talk showing one example after another of the TAO’s tools and discussed how horrible it was that the NSA has these tools at their disposal because their existence means anyone could potentially have them used against them.

    This reflects a largely unspoken divide in the security community: Schneier seems to be acknowledging that targeted surveillance is fine, just not mass-surveillance. Appelbaum, on the other hand, appears to view targeted surveillance as effectively just as bad because, hey, they could target everyone, including the NSA’s capacity to arrange for computer manufacturers to target specific people’s computers with built-in hardware or software changes to make only those computers vulnerable. Appelbaum is essentially a “no spying at all by governments or anyone” advocate.

    The intertwined nature of targeted surveillance techniques and mass-surveillance capabilities in a world where everyone is using the same technology platforms but from different locations using different hardware. For instance, if you’re targeting someone or some group, you might need to have the capacity to intercept and analyze, at least at a meta-data level, a flood of data in order to find your targets’ communications. Appelbaum would clearly prefer no communications get targeted ever. It’s unclear how Schneier would reconcile this inherent conflict with the potential use of mass-surveillance capabilities for the purpose of targeting people with a warrant if all non-targeted data was filtered out.

    Continuing…


    That’s the three: good, bad, very bad. Reorganizing the U.S. intelligence apparatus so it concentrates on our enemies requires breaking up the NSA along those functions.

    First, TAO and its targeted surveillance mission should be moved under the control of U.S. Cyber Command, and Cyber Command should be completely separated from the NSA. Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit.

    Whatever rules of engagement Cyber Command operates under should apply equally to active operations such as sabotaging the Natanz nuclear enrichment facility in Iran and hacking a Belgian telephone company. If we’re going to attack the infrastructure of a foreign nation, let it be a clear military operation.

    Second, all surveillance of Americans should be moved to the FBI.

    The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against U.S. citizens need to be subject to U.S. law, and the FBI is the best place to apply that law. That the NSA can, in the view of many, do an end-run around congressional oversight, legal due process and domestic laws is an affront to our Constitution and a danger to our society. The NSA’s mission should be focused outside the United States — for real, not just for show.

    And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.

    Computer and network security is hard, and we need the NSA’s expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts — from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly — no secrecy required.

    This is a radical solution, but the NSA’s many harms require radical thinking. It’s not far off from what the President’s Review Group on Intelligence and Communications Technologies, charged with evaluating the NSA’s current programs, recommended. Its 24th recommendation was to put the NSA and U.S. Cyber Command under different generals, and the 29th recommendation was to put encryption ahead of exploitation.

    Ok, so according to one of the world’s most prominent security experts we should:
    1. Break up the NSA, end bulk-surveillance methods, and shift targeted surveillance missions and cyberwarfare capabilities to US Cyber Command so that any Stuxnet-like actions or things like hacking a Belgian telephone company are seen as offensive military actions.

    2. Shift all domestic surveillance to the FBI, presumably a reference to the FBI’s warrantless wiretapping program started by George W. Bush in the wake of 9/11. This reform has already kind of but not really happened but, in principle, it’s certainly a worthy goal of trying to redraw the line between domestic and foreign surveillance, although given that much of the uproar over NSA spying has to do with the fact that you can’t really disentangle foreign and domestic communications given how the internet is structured, it’s unclear how successful this will be.

    3. Reprioritize the NSA so that, when the inevitable conflicts emerge in its mutually exclusive missions (securing networks while simultaneously trying to break them) the “securing the networks” priority wins. That’s, well, it’s ambitious. As the saying goes, “the best defense is a great offense”, but could the best defense actually be a great defense in the realm of national security when you have to not only protect your digital infrastructure but also spy on adversaries to learn about other stuff going on? That seems to be what Schneier is arguing.

    So suggestion 2, getting the NSA out of domestic surveillance, seems pretty reasonable, albeit technically challenging. But what about suggestions 1 and 3? Should government hacking of other nations’ telecom firms, which is ubiquitous these days, be considered an act of war? Is that going to lead to a safer world? It will place a different context on spying that gets publicly outed, but is that a better context? And what happens if other nations don’t all agree to this new approach? Should their hacks of US firms now also be considered military actions too? Schneier isn’t clear on that, although he has called for some sort of globally run anti-surveillance enforcement agency:

    The Atlantic
    How the NSA Threatens National Security
    Our choice isn’t between a digital world where the agency can eavesdrop and one where it cannot; our choice is between a digital world that is vulnerable to any attacker and one that is secure for all users.
    Bruce Schneier Jan 6 2014, 11:10 AM ET

    Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President’s Review Group has just released its report and recommendations.

    With all this going on, it’s easy to become inured to the breadth and depth of the NSA’s activities. But through the disclosures, we’ve learned an enormous amount about the agency’s capabilities, how it is failing to protect us, and what we need to do to regain security in the Information Age.

    The NSA’s collect-everything mentality is largely a hold-over from the Cold War, when a voyeuristic interest in the Soviet Union was the norm. Still, it is unclear how effective targeted surveillance against “enemy” countries really is. Even when we learn actual secrets, as we did regarding Syria’s use of chemical weapons earlier this year, we often can’t do anything with the information.

    Ubiquitous surveillance should have died with the fall of Communism, but it got a new—and even more dangerous—life with the intelligence community’s post-9/11 “never again” terrorism mission. This quixotic goal of preventing something from happening forces us to try to know everything that does happen. This pushes the NSA to eavesdrop on online gaming worlds and on every cell phone in the world. But it’s a fool’s errand; there are simply too many ways to communicate.

    Note that Schneier wrote that, “it is unclear how effective targeted surveillance against “enemy” countries really is. Even when we learn actual secrets, as we did regarding Syria’s use of chemical weapons earlier this year, we often can’t do anything with the information.” So it would appear, based on that statement, that Schneier is open to policies that effectively eliminate targeted surveillance in addition to bulk data-collection.

    Skipping down…

    It’s not just domestic abuse we have to worry about; it’s the rest of the world, too. The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn’t between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it’s between a digital world that is vulnerable to all attackers, and one that is secure for all users.

    Fixing this problem is going to be hard. We are long past the point where simple legal interventions can help. The bill in Congress to limit NSA surveillance won’t actually do much to limit NSA surveillance. Maybe the NSA will figure out an interpretation of the law that will allow it to do what it wants anyway. Maybe it’ll do it another way, using another justification. Maybe the FBI will do it and give it a copy. And when asked, it’ll lie about it.

    NSA-level surveillance is like the Maginot Line was in the years before World War II: ineffective and wasteful. We need to openly disclose what surveillance we have been doing, and the known insecurities that make it possible. We need to work toward security, even if other countries like China continue to use the Internet as a giant surveillance platform. We need to build a coalition of free-world nations dedicated to a secure global Internet, and we need to continually push back against bad actors—both state and non-state—that work against that goal.

    Securing the Internet requires both laws and technology. It requires Internet technology that secures data wherever it is and however it travels. It requires broad laws that put security ahead of both domestic and international surveillance. It requires additional technology to enforce those laws, and a worldwide enforcement regime to deal with bad actors. It’s not easy, and has all the problems that other international issues have: nuclear, chemical, and biological weapon non-proliferation; small arms trafficking; human trafficking; money laundering; intellectual property. Global information security and anti-surveillance needs to join those difficult global problems, so we can start making progress.

    The President’s Review Group recommendations are largely positive, but they don’t go nearly far enough. We need to recognize that security is more important than surveillance, and work towards that goal.

    There’s a lot to digest in that piece but note this part at the end:

    It requires additional technology to enforce those laws, and a worldwide enforcement regime to deal with bad actors. It’s not easy, and has all the problems that other international issues have: nuclear, chemical, and biological weapon non-proliferation; small arms trafficking; human trafficking; money laundering; intellectual property. Global information security and anti-surveillance needs to join those difficult global problems, so we can start making progress.

    Yes, in some senses surveillance abuses do share some of the challenges with nuclear, chemical, and biological weapon non-proliferation, small arms trafficking, human trafficking, etc. But isn’t surveillance, at least targeted surveillance, also part of the solution to nuclear, chemical, and biological weapon non-proliferation, small arms trafficking, human trafficking, etc?

    So do we break up the NSA and place all spying under the auspices of the FBI, even spying on foreign leaders? Should we instead transfer all domestic spying to the FBI and then declare all foreign surveillance a military act and regulated by “a coalition of free-world nations dedicated to a secure global Internet”? Or will we end up attempting to legislate backdoors and legal access like the EU’s counter-terrorism chief is calling for?

    These are just some of the issues swirling around the issue of how to handle the rollout of ubiquitous, end-to-end strong-encryption. If you aren’t familiar with this emerging public debate yet, you will be eventually, because they aren’t going away any time soon. Untangling a global Mexican standoff that’s been going on since the dawn of civilization isn’t as easy as you might expect. It’s going to take a while.

    Posted by Pterrafractyl | January 27, 2015, 7:37 pm
  6. Mark Ames has a recent piece that points us towards a rule in the 1986 Electronic Communications Privacy Act that is both surprising and not surprising: It’s surprising because, wow, it’s kind of amazing that the US government has the rights to read your emails over 180 days old without a warrant and yet this fun fact really hasn’t made it into the national discourse over the nearly two years since the Snowden Affair started.

    At the same time, it shouldn’t really be surprising at all since it’s been the law since 1986:

    Pando Daily

    Meet the serial failures in charge of protecting America’s online privacy

    By Mark Ames
    On February 15, 2015

    Earlier this week, McClatchy published an article reminding readers of something that can’t be repeated enough: Thanks to the 1986 Electronic Communications Privacy Act, the government can read all your emails over 180 days old without a warrant. That’s what the law says — and yet it remains obscure enough that every time some national media reminds us, it still shocks the senses.

    McClatchy writes:

    Little known to most Americans, ambiguous language in a communications law passed in 1986 extends Fourth Amendment protections against unreasonable search and seizure only to electronic communications sent or received fewer than 180 days ago.

    The language, known as the “180-day rule,” allows government officials to treat any emails, text messages or documents stored on remote servers – popularly known as the cloud – as “abandoned” and therefore accessible using administrative subpoena power, a tactic that critics say circumvents due process.

    As you rush to purge your Gmail and Dropbox accounts, however, be forewarned that even deleted files still could be fair game as long as copies exist on a third-party server somewhere.

    Unsurprisingly, there have been attempts over the years to reform the law, but so far they’ve all ended in failure. And it’s when we start to dig into the reason for those failures that things do get surprising.

    As it turns out, many of the “privacy activists” who are supposed to protect us from laws like this, and who are today leading the crusade against the 1986 ECPA law, are the same people and organizations who colluded with the government to put that law on the books in the first place.

    Today there’s a big push for a bill called, somewhat confusingly, the Electronic Communications Privacy Act Amendments Act Amendments Act that’s supposed to remedy this giant hole in online privacy. The bill is co-authored by progressive Democrat (and occasional Batman cameo) Sen. Patrick Leahy of Vermont, and Tea Party Republican Sen. Mike Lee of Utah. Perhaps more importantly, the ECPA Amendment Act — and its House version, the “Email Privacy Act” — has the support of both the Silicon Valley Establishment—Google, Apple, Facebook, Amazon et al—and the civil libertarian establishment: the ACLU, the Electronic Frontier Foundation, the Center for Democracy and Technology, and others.

    But as McClatchy notes, this “solution” to the earlier law’s problem turns out to create a brand new privacy problem: Under both Leahy’s Senate bill and the House “Email Privacy Act,” the same government snoops will still be able to access all email user metadata:

    In other words, the Email Privacy Act would not extend Fourth Amendment protections to “non-content” data. Even if the bill becomes law, customers’ names, locations, addresses, routing information and subscriber network addresses still could be subpoenaed without a warrant and without notice, although accessing the content of their conversations would require the authorization of a judicial magistrate or judge.

    As we learned from the Snowden secrets, government intelligence agencies like the NSA are at least as interested in collecting user metadata as they are in collecting content. Yet the wonderful solution, the Leahy-Lee bill, allows warrantless government surveillance of our email metadata:

    “the government may use an administrative or grand jury subpoena in order to obtain certain kinds of electronic communication records from a service provider, including customer name, address, session time records, length of service information, subscriber number and temporarily assigned network address, and means and source of payment information.”

    So that raises the question: Why are these leading civil libertarian/privacy advocates lobbying for a law that doesn’t protect our privacy or extend Fourth Amendment protections to our email metadata?

    To begin understanding that, you first have to look at the names of the folks pushing the Electronic Communications Privacy Act Amendment Act “fix” to the 1986 Electronic Communications Privacy Act, and then compare them to those involved in the 1986 law. Wouldn’t you know it: The 1986 law was co-sponsored by a younger Sen. Patrick Leahy, and came into being thanks to the lobbying efforts of the ACLU and its chief legislative counsel, Jerry Berman.

    In my last depressing story about how the ACLU colluded with the CIA to write the Reagan-era law that jailed CIA whistleblower John Kiriakou, I wrote about how Jerry Berman was one of the key ACLU collaborators in crafting that anti-whistleblower law with CIA director Bill Casey’s people. I also revealed Berman’s controversial role—as executive director of the Electronic Frontier Foundation— in collaborating with the FBI in passing the 1994 Digital Telephony Bill, which expanded FBI surveillance of the Internet.

    In 1986, Berman served as the ACLU’s chief legislative counsel in Washington DC, and he also led a new ACLU project focused on privacy and the new fast-growing technology sector: The ACLU Project on Privacy and Technology. In these capacities, Berman and the ACLU provided the necessary liberal cover to bring together industry and government surveillance interests to craft the new bill.

    As the New York Times reported in late 1986, in an article headlined “Tactical Alliances and the A.C.L.U.”:

    Michael F. Cavanagh, executive director of the Electronic Mail Association, a trade group, said the A.C.L.U. had “played a central role” in assembling the coalition that won approval for the Electronic Communications Privacy Act of 1986. The law updates Federal wiretap statutes to protect the privacy of cellular telephone calls, computer data communications and satellite television transmissions.

    In another article about the bill, the Times quotes Berman selling it on “philosophical” grounds rather than merely economic, deftly leveraging the ACLU’s progressive credibility:

    For the American Civil Liberties Union, a major force behind the bill, the commitment is philosophical rather than economic. “This is a very good bill,” said Jerry Berman, the head of the union’s Privacy Technology Project, who worked to bring the business groups together. “It demonstrates that you can put together a privacy coalition and make it work.”

    In 1992, Berman left the ACLU for the Electronic Frontier Foundation to take the Silicon Valley techno-libertarian revolution to Washington… bringing the EFF’s dual-purpose function as online privacy advocate, and lobby front for its Big Tech funders’ interests, into the lair of the federal leviathan. In 1994, Berman brought other key people from the ACLU’s Projects on Privacy and Technology into the Electronic Frontier Foundation with him—Janlori Goldman and Daniel Weitzner. Berman’s former ACLU team, now at the EFF, went to work in collaboration with the FBI and with—who else?—Sen. Patrick Leahy to draft the Digital Telephony Law that expanded FBI surveillance of the Internet, and nearly destroyed the EFF.

    The subtitle to an old Wired magazine article from 1994 shows just how silly (and stagnant) the EFF’s cyber-revolutionary expectations were—and how badly, in a familiar old-economy way, everything turned out when this same crowd led that reform bill:

    The Electronic Frontier Foundation went to Washington to “reverse-engineer government, hack politics down to its component parts, and fix it.” Then it helped pass the FBI’s loathsome “let’s-just-wiretap-everyone” Digital Telephony Bill. And discovered it was Washington that had reverse-engineered the EFF, driving it into dissension, debt, disgrace – and right out of town

    After that fiasco, Berman and his former ACLU Project on Privacy and Technology team left the EFF to found the Center for Democracy and Technology (CDT), which has remained a top DC lobby group for Big Tech ever since. (Meanwhile back at the ACLU, the Berman “privacy and technology” project reappeared under the similarly-named “ACLU Projects on Speech, Privacy and Technology” — led today by the ACLU’s Ben Wizner, Edward Snowden’s lawyer, along with online privacy celebrity-activist Chris Soghoian)

    Which brings us to today, in which we find ourselves dealing with the appalling consequences of the 1986 bill cobbled together by the ACLU, led by Jerry Berman, and co-sponsored by Patrick Leahy. First of all, why didn’t the ACLU, the EFF, the CDT or their crowd warn us all these decades? Why did it take them so goddamn long to tell us, “Oops! We screwed up! The bill we wrote to protect you actually allows the government total access to all your 180-plus-old email correspondences, we just forgot to scare you about it all these decades!”

    Well, in fact they still haven’t done that, because that would mean admitting they’re part of the problem. Instead, these same outfits are shaking their fists in righteous outrage over the law they helped pass. On the ACLU’s webpage attacking the 1986 ECPA, there’s not a single mention of the “central role” that the organization played in getting it passed.

    The same goes with the website for Digital Due Process, the main lobby coalition fighting to replace bad ECPA with good, new & improved ECPA-Amendment Act. Digital Due Process was founded in 2010 by none other than Jerry Berman; it brings together all the big names in Silicon Valley—Google, Apple, Facebook—with all the big civil libertarian groups like the ACLU, EFF, CDT and so on: funders and funded, all working selflessly on our behalf to protect us, or so they tell us. And their lead man writing the badly flawed “amendment” law that’s supposed to solve the problem: Sen. Patrick Leahy.

    The same people and same civil libertarian groups that have failed us over and over are about to fail us all over again. Aren’t we lucky to have them on our side?

    Well that was some fun history. And keep in mind that Patrick Leahy really is probably one of the most reliable defenders of civil liberties in the Senate so the 1986 Electronic Communications Privacy Act and 1994 Digital Telephony Bill would have probably both been a lot worse had it been someone else crafting the legislation and there. To put it another way, the outcome of these bills has a lot more to do with the larger national security state and the immense influence it wields than any given Senator. It’s a harsh reality highlighted by the role played by both the ACLU and EFF in crafting and endorsing both bills. When two of the most prominent organizations associated with defending digital civil liberties turn out to have major corporate backers and helped write the laws that established warrantless access to old emails in 1986 and “let’s-just-wiretap-everyone” laws in 1994, it’s pretty clear that “digital due process” hasn’t been very likely to get the consideration it’s due for a long, long time.

    Also keep in mind that, although accessing emails older than 180 days may not require a warrant, the emails need to at least be associated with some sort of investigation. But the bar is still a lot lower than a warrant:

    ProPublica
    No Warrant, No Problem: How the Government Can Get Your Digital Data

    by Theodoric Meyer
    June 27, 2014, 9:29 a.m.

    Update, June 27, 2014: This post has been updated. It was originally published on Dec. 4, 2012.

    The government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI to the Internal Revenue Service, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a court order that doesn’t require showing probable cause of a crime. These powers are entirely separate from the National Security Agency’s collection of Americans’ phone records en masse, which the House of Representatives voted to end last month.

    Here’s a look at what the government can get from you and the legal framework behind its power:

    How They Get It
    Listening to your phone calls without a judge’s warrant is illegal if you’re a U.S. citizen. But police don’t need a warrant — which requires showing “probable cause” of a crime — to monitor the numbers for incoming and outgoing calls in real time, as well as the duration of the calls. Instead, they can get a court to sign off on an order that only requires the data they’re after is “relevant to an ongoing criminal investigation” — a lesser standard of evidence. The government can also get historical phone records with an administrative subpoena, which doesn’t require a judge’s approval.

    Many cell phone carriers provide authorities with a phone’s location and may charge a fee for doing so. Cell towers track where your phone is at any moment; so can the GPS features in some smartphones. In response to an inquiry by Sen. Edward J. Markey, a Massachusetts Democrat, Sprint reported that it provided location data to U.S. law enforcement 67,000 times in 2012. AT&T reported receiving 77,800 requests for location data in 2012. (AT&T also said that it charges $100 to start tracking a phone and $25 a day to keep tracking it.) Other carriers, including T-Mobile, U.S. Cellular and Verizon, didn’t specify the number of location data requests they had received or the number of times they’ve provided it. Internet service providers can also provide location data that tracks users via their computer’s IP address — a unique number assigned to each computer.

    The standard for IP addresses is the same as the one for phone records: Authorities can get a court order allowing real-time access as long as the court approves that the records are relevant to an investigation. They can also get historical records of IP addresses with an administrative subpoena.

    Here’s where the rules get really complicated. Authorities need a warrant to get unopened emails that are less than 180 days old, but they can obtain opened email as well as unopened emails that are at least 180 days old with only a subpoena as long as they notify the customer whose email they’ve requested. The government can also get older unopened emails without notifying the customer if they get a court order that requires them to offer “specific and articulable facts showing that there are reasonable grounds to believe” the emails are “relevant and material to an ongoing criminal investigation” — a higher bar than a subpoena. How often does the government request emails? Google says it got 16,407 requests for data in total — including emails sent through its Gmail service — from U.S. law enforcement agencies in 2012, and an additional 10,918 requests in the first half of 2013. Microsoft, with its Outlook and Hotmail email services, says it received 11,073 requests from U.S. authorities in total in 2012, and an additional 7,014 in the first half of 2013. The company provided some customer data in 75.8 percent of the 2013 requests. (The figures don’t include requests for data from Skype, which Microsoft owns.) And Yahoo says it received 12,444 such requests in the first half of 2013, providing at least some customer data in 91.6 percent of them. (The Department of Justice requires providers to wait six months before releasing data on the requests.) A coalition of technology companies, including Apple, Google and AT&T, is lobbying to change the law to require a search warrant for email and other digital data stored remotely.

    Note that the coalition of technology companies mentioned in the article that are lobbying to change the law to require a search warrant is the same “Digital Due Process” organization Mark Ames discussed above that was started in 2010 by Jerry Berman (who helped write both the 1986 and 1994 laws). Also note that the “News” page for “Digital Due Process” hasn’t been updated since April 2013, a month before the start of the Snowden Affair, which is kind of curious all things considered.

    So it’s pretty clear that, while warrants aren’t currently necessary for rummaging through your old emails and phone records, that might change if the new “Email Privacy Act” becomes law. And yet, as Mark Ames pointed out above, while the new “Email Privacy Act” bill being debated in congress would indeed require a warrant for accessing old emails, it still leaves metadata open to warrantless access and the bill .

    Now, putting aside the question of whether or not some government agencies should have warrantless access to metadata, it’s really quite remarkable that another industry-funded group led by the same man, Jerry Berman, is once again helping craft the laws that define our digital privacy rights. But it’s even more remarkable that this new “Email Privacy Act” is going to allow warrantless metadata access and there’s so little attention being paid to it, especially since the bill is endorsed by an array of industry-backed groups like the ACLU, EFF, and Digital Due Process. That seems like a big story!

    This is part of the reason it’s unfortunate that the post-Snowden debates are taking place in a larger political environment where the most interested parties aren’t really interested in a debate. For the most part, we hear from:
    1. National security hawks that view enhanced digital due process as an unaffordable luxury in an age of terrorist networks, rogue states and super weapons and see no reason for the public to be concerned about the potential abuses of vast and growing surveillance capabilities.

    or

    2. Libertarians and Cypherpunks that have already written off the possibility of effective internal safeguards in government bureaucracies and see strongly encrypting everything as the only feasible solution to government surveillance abuses.

    The much less tantalizing discussions about how to create rules that both security hawks and privacy activists can live with in the event that Congress doesn’t live up to either side’s dreams and writes compromise legislation (like the Email Privacy Act) haven’t really taken place in the national dialogue. For issues like metadata collection the privacy activist community has focused on the development of technological platforms like Tor that make metadata collection impossible and improving security protocols to prevent government hacking whereas the security hawks see the whole issue as trivial.

    This dynamic of either dismissing privacy concerns outright or focusing on technology that blocks all surveillance completely, without much discussion of what parts of our digital selves should fall into the gray area of data that should be available, but only with a warrant or some other safeguard (and how to implement those safeguards effectively and transparently), is all part of the larger trend of the mainstreaming of Libertarian/pseudo-anarchist/anarcho-capitalist thinking that revolves around the abandonment of the idea that we can create a government by, of, and for the people that doesn’t proceed to abuse the people.

    It’s an unfortunate situation because now we appear to be facing a rewrite of the digital privacy laws that don’t extend 4th amendment rights to metadata and the robust debate over how to handle exactly this kind of situation hasn’t really happened. Instead, we get something like “If the government will not be stewards of our rights, we can encode our rights into our system.”:

    Pando Daily
    Snowden praised for fighting government surveillance… by group that LOVES corporate surveillance

    By Mark Ames
    On February 20, 2015
    Last Friday, NSA whistleblower Edward Snowden Skyped into a Washington DC Marriott Hotel conference hall to proudly accept “The Students For Liberty Alumnus of the Year Award.”

    The Students For Liberty describes itself as “a rapidly growing network of pro-liberty students from all over the world.” Their big award was given to Snowden for “initiating a global conversation on the balance of power between governments and peoples that has led to and continues to bring about meaningful reforms to intrusive, abusive, and unjust government surveillance programs.”

    If your award is concerned about how the government is using technology to surveil citizens then Edward Snowden is an uncontroversial winner. Not only did Snowden expose government surveillance but, as a former intelligence contractor, he exposed how much government surveillance is handled by private companies.

    In accepting his award, Snowden told the audience: “As they take the private records of all our lives, and they aggregate a dossier, how can that be said to be constitutional?”

    All of which makes it slightly shocking to discover the identity of another recent winner of Students For Liberty’s big award: Peter Thiel, the founder of one of the NSA’s biggest contractors, Palantir Technologies. If a government is trying to dig through private records and aggregate a dossier, Palantir is the company they call.

    Snowden’s nemesis, former NSA chief Keith Alexander, praised Palantir’s usefulness to the spy agency, for providing “a way of visualizing what’s going on in the networks.” Alexander was talking about networks of terrorists, but he was testifying because just one year before Students For Liberty awarded Thiel, Palantir was caught helping the US Chamber of Commerce visualize networks of its critics and of WikiLeaks’ circle of supporters — including Snowden’s closest journalism confidante, Glenn Greenwald. (Indeed Greenwald has characterized Pando’s criticism of him as a CIA plot hatched by Thiel, whose Founders Fund previously invested around $300k in Pando.)

    Students For Liberty honored Thiel just three years ago, so it’s not like a seasoned spy would have to research hard to find out with whom he now shares an “Alumnus of the Year Award.” In fact, the Palantir co-founder was the very first winner of the SFL “Alumnus of the Year” award back in 2012. A quick Google of the award brings up scores of links to Thiel addressing the Students For Liberty.

    In addition to praising Snowden at last week’s ceremony, Students For Liberty also awarded their “Event of the Year” to anti-Marxist libertarian students at Honduras’ National University for bravely collaborating with the university administration to successfully destroy a leftwing student protest campaign. Leftists and journalists in Honduras have been terrorized ever since a 2009 US-backed coup overthrew president Manuel Zelaya.

    Despite that, as Edward Snowden told the Marriott conference hall packed full of libertarian Tracy Flicks and budding Joe McCarthys, these Students For Liberty types are his kind of crowd:

    “I think many of the people in this room take a more pro-liberty pro-rights perspective than others in the U.S. political agreement.”

    Snowden also revealed himself as a budding Jeff Jarvis of government whistleblowers, parroting old cyberutopian platitudes:

    “If the government will not be stewards of our rights, we can encode our rights into our system.”

    It’s talk like that that gets Snowden invited to roomba around TED Talks stages.

    So what exactly is “Students For Liberty”? According to its website, “Students For Liberty has grown into the largest libertarian student organization in the world, with over 800 student leaders supporting over 1,350 student groups representing over 100,000 students on all inhabited continents.”

    Like most of the libertarian nomenklatura, this group gets most of its money from the Koch brothers. Google, another corporation which has worked closely with the US government, recently joined the list of big corporate sponsors. SFL’s Board of Advisors includes such heroes of freedom as “His Serene Highness Prince von Liechtenstein” — whose royal family rules over an exclusive offshore banking tax haven favored by global billionaires who think Switzerland is too transparent.

    That’s right, Students for Liberty’s backers aren’t limited to the Koch brothers, Google, and other big corporate sponsors. The Students for Liberty’s board of advisors includes Prince Michael of Liechtenstein. But note that he’s #38 in the line of succession, so he’s an everyman prince, not some highfalutin prince.

    Continuing…


    The group was formed in 2008 by Alexander McCobin, while he was working in the marketing department of the Cato Institute (neé “The Charles Koch Foundation”). The idea to form SFL came a year earlier in 2007, while McCobin was in the Charles G. Koch Summer Fellow Program at the Institute For Humane Studies, where Charles G. Koch serves as chairman of the board. (My editor Paul Carr is probably getting blisters jamming his forefinger on the “Koch Alarm” sound effect he plays on PandoLIVE whenever I mention the Kochs. But hey, don’t blame me for these two-legged DC caricatures, I just reports the facts.)

    In 2009, McCobin and his fiancée were sued by former colleagues at the University of Pennsylvania for allegedly misappropriating funds from a nonprofit to help high school students learn debating skills. McCobin was also the founder of Penn Libertarians.

    When McCobin’s group gave their award to Peter Thiel, their “west coast director” described Thiel on stage as a “personal role model of mine.”

    Indeed, Thiel’s presence was everywhere at the Students For Liberty schmoozer this year, even if the man himself was absent. After Snowden’s skyped appearance, libertarian celebrity Ron Paul took the stage with longtime Cato Institute board director and FoxNews truther Andrew Napolitano. Ron Paul’s 2012 campaign for president — supported by Snowden and Greenwald — was almost entirely funded by Peter Thiel.

    The following night, Students For Liberty featured Ron Paul’s stubby heir, Sen. Rand Paul — whose run for president in 2016 is being funded by Thiel’s co-founder at Palantir, Joe Lonsdale, who serves on Rand Paul’s finance team and co-hosted Silicon Valley fundraisers.

    In 2011, Palantir sponsored the Electronic Frontier Foundation’s Pioneer Awards, whose illustrious list of winners includes Glenn Greenwald and Laura Poitras, the Tor Project, and EFF co-founder Mitch Kapor as well as EFF Fellow Cory Doctorow.

    “When McCobin’s group gave their award to Peter Thiel, their “west coast director” described Thiel on stage as a “personal role model of mine.”

    Well, doesn’t “Students for Liberty” sound nice! Yes indeed:

    Like most of the libertarian nomenklatura, this group gets most of its money from the Koch brothers. Google, another corporation which has worked closely with the US government, recently joined the list of big corporate sponsors. “SFL’s Board of Advisors includes such heroes of freedom as “His Serene Highness Prince von Liechtenstein” — whose royal family rules over an exclusive offshore banking tax haven favored by global billionaires who think Switzerland is too transparent.”

    The group was formed in 2008 by Alexander McCobin, while he was working in the marketing department of the Cato Institute (neé “The Charles Koch Foundation”). The idea to form SFL came a year earlier in 2007, while McCobin was in the Charles G. Koch Summer Fellow Program at the Institute For Humane Studies, where Charles G. Koch serves as chairman of the board

    Yikes. Well, in defense of Students for Liberty, they could be debatably worse!

    Still, it’s pretty clear that when you ask the question “who does Students for Liberty fight for?” the answer is “the Koch brothers and other Libertarian oligarchs”. And that’s one of the nice things about a group like Students for Liberty: they’re pretty transparent. The corporate connections to organizations like the EFF and Digital Due Process, which are also heavily backed by Silicon Valley, aren’t nearly as obvious. And now we find ourselves in a situation where these industry-backed groups are pushing a major overhaul of digital privacy rules that it seems like they should be opposing based on their stated principles and goals.

    It’s all a reminder that, even to this day in the US, the biggest organizations fighting to protect your digital data from Big Government were, themselves, organized and financed by Big Tech…Big Tech that is increasingly interwoven into the military industrial complex. Might there be a conflict of interest here? It seems possible.

    Posted by Pterrafractyl | February 24, 2015, 8:23 pm
  7. Here’s another example of why future Supreme Court rulings on strong encryption and the 5th Amendment are going to be very closely watched cases:

    BoingBoing
    Report: During Canada tax raid, Uber “remotely encrypted corporate data”

    By Xeni Jardin at 6:58 am Fri, May 29, 2015

    An item in the French-language Canadian newspaper La Presse that has been making the English-language rounds this week, roughly translated here in part:

    “Uber Engineers in San Francisco tried to remotely encrypt data in Uber Canada computers during a search conducted by Revenu Québec in Montreal last week.

    “This is what Revenu Québec claims in a statement filed before Judge Jean-Pierre Braun last week, a copy of which La Presse has obtained. Uber sought to challenge this statement before the judge, but has not had the opportunity, we learn in the injunction Uber also presented in court last week.”

    “Search for Uber Canada offices: On May 14, fifteen Revenu Québec investigators conducted searches for computer data at the administrative offices of Uber Canada, Notre Dame. Investigators are looking for evidence to prove that Uber Canada violates Canadian tax law by not collecting GST and QST on behalf of its UberX drivers.”

    “Around 10:40, one of the investigators found that ‘mobile devices such as laptops, smart phones and tablets were restarted remotely’ during the seizure. Another investigator, who performed a second search in another office, experienced the same, also at 10:40am.”

    More trouble for Uber around the corner in Canada? We’ll see…

    Posted by Pterrafractyl | May 29, 2015, 6:08 pm
  8. Oh look, a consortium of 14 mega-banks have privately developed a special super-secure inter-bank messaging system that uses end-to-end strong encryption and permanently deletes data. It’s so super-secure financial regulators are wondering if they’ll actually have access to the data:

    Financial Times

    NY regulator sends message to Symphony

    Ben McLannahan in New York and Gina Chon in Washington
    Last updated: July 22, 2015 10:08 pm

    New York’s state banking regulator has fired a shot across the bows of Symphony, a messaging service about to be launched by a consortium of Wall Street banks and asset managers, by calling for information on how it manages — and deletes — customer data.

    In a letter on Wednesday to David Gurle, the chief executive of Symphony Communication Services, the New York Department of Financial Services asked it to clarify how its tool would allow firms to erase their data trails, potentially falling foul of laws on record-keeping.

    The letter, which was signed by acting superintendent Anthony Albanese and shared with the press, noted that chatroom transcripts had formed a critical part of authorities’ investigations into the rigging of markets for foreign exchange and interbank loans. It called for Symphony to spell out its document retention capabilities, policies and features, citing two specific areas of interest as “data deletion” and “end-to-end encryption”.

    The letter marks the first expression of concern from regulators over a new initiative that has set out to challenge the dominance of Bloomberg, whose 320,000-plus subscribers ping about 200m messages a day between terminals using its communication tools.

    People familiar with the matter described the inquiry as an information gathering exercise, which could conclude that Symphony is a perfectly legitimate enterprise.

    The NYDFS noted that Symphony’s marketing materials state that “Symphony has designed a specific set of procedures to guarantee that data deletion is permanent and fully documented. We also delete content on a regular basis in accordance with customer data retention policies.”

    Mr Albanese also wrote that he would follow up with four consortium members that the NYDFS regulates — Bank of New York Mellon, Credit Suisse, Deutsche Bank and Goldman Sachs — to ask them how they plan to use the new service, which will go live for big customers in the first week of August.

    The regulator said it was keen to find out how banks would ensure that messages created using Symphony would be retained, and “whether their use of Symphony’s encryption technology can be used to prevent review by compliance personnel or regulators”. It also flagged concerns over the open-source features of the product, wondering if they could be used to “circumvent” oversight.

    The other members of the consortium are Bank of America Merrill Lynch, BlackRock, Citadel, Citigroup, HSBC, Jefferies, JPMorgan, Maverick Capital, Morgan Stanley and Wells Fargo. Together they have chipped in about $70m to get Symphony started. Another San Francisco-based fund run by a former colleague of Mr Gurle’s, Merus Capital, has a 5 per cent interest.

    “Symphony is built on a foundation of security, compliance and privacy features that were built to enable our financial services and enterprise customers to meet their regulatory requirements,” said Mr Gurle. “We look forward to explaining the various aspects of our communications platform to the New York Department of Financial Services.”

    Yes, the usual suspects for financial high crimes have a brand new messaging system with a fun “permanent deletion” feature and end-to-end encryption that presumably no one can break. What could possibly go wrong? Well, according to Symphony’s backers, nothing could go wrong because all the information that banks are required to retain for regulatory purposes is indeed retained in the system. Whether or not regulators can actually access that retained data, however, appears to be more of an open question:

    New York Business Journal
    Symphony, the ‘WhatsApp for Wall Street,’ orchestrates a nuanced response to regulatory critics

    Michael del Castillo Technology & Innovation Editor, Upstart Business Journal
    Aug 13, 2015, 11:05am EDT

    Symphony is taking heat from some in Washington, D.C. for its WhatsApp-like messaging service that promises to encrypt Wall Street’s messages from end to end. At the heart of the concern is whether or not the keys used to decrypt the messages will be made available to regulators, or if another form of back door access will be provided.

    Without such keys it would be immensely more difficult to retrace the steps of shady characters on Wall Street during regulatory investigations — an ability, which according to a New York Post report, has resulted in $74 billion in fines over the past five years.

    So, earlier this week Symphony took to the blogosphere with a rather detailed explanation of its plans to be compliant with regulators. In spite of answering a lot of questions though, one key point was either deftly evaded, or overlooked.

    What Symphony does, according to the blog post:

    Symphony provides its customers with an innovative “end-to-end” secure messaging capability that protects communications in the cloud from cyber-threats and the risk of data breach, while safeguarding our customers’ ability to retain records of their messages. Symphony protects data, not only when it travels from “point-to-point” over network connections, but also the entire time the data is in the cloud.

    How it works:

    Large institutions using Symphony typically will store encryption keys using specialized hardware key management devices known as Hardware Security Modules (HSMs). These modules are installed in data centers and protect an organization’s keys, storing them within the secure protected memory of the HSM. Firms will use these keys to decrypt data and then feed the data into their record retention systems.

    The crux:

    Symphony is designed to interface with record retention systems commonly deployed in financial institutions. By helping organizations reliably store messages in a central archive, our platform facilitates the rapid and complete retrieval of records when needed. Symphony provides security while data travels through the cloud; firms then securely receive the data from Symphony, decrypt it and store it so they can meet their retention obligations.

    The potential to store every key-stroke of every employee behind an encrypted wall safe from malicious governments and other entities is one that should make Wall Streeters, and those dependent on Wall Street resources, sleep a bit better at night.

    But nowhere in Symphony’s blog post does it actually say that any of the 14 companies which have invested $70 million in the product, or any of the forthcoming customers who might sign up to use it, will actually share anything with regulators. Sure, it will retain all the information obliged by regulators, which in the right hands is equally useful to the companies. So there’s no surprise there.

    The closest we see to any actual assurance that the Silicon Valley-based company plans to share that information with regulators is that Symphony is “designed to interface with record retention systems commonly deployed in financial institutions.” Which theoretically, means the SEC, the DOJ, or any number of regulatory bodies could plug in, assuming they had access.

    So, the questions remain, will Symphony be building in some sort of back-door access for regulators? Or will it just be storing that information required of regulators, but for its clients’ use?

    “So, the questions remain, will Symphony be building in some sort of back-door access for regulators? Or will it just be storing that information required of regulators, but for its clients’ use?”
    As we can see, many regulatory questions remain. So let’s hope that includes questions like, “If the banks have an unbreakable inter-bank messaging system that regulators can’t access, aren’t they going to be able to do exactly what they did with the massive ‘LIBOR’-rigging conspiracy, but with no electronic paper trail?” It’s an important question:

    Bloomberg Business
    Secret Currency Traders’ Club Devised Biggest Market’s Rates
    Liam Vaughan Gavin Finch Bob Ivry
    December 19, 2013 — 10:19 AM CST

    Dec. 19 (Bloomberg) — It’s 20 minutes before 4 p.m. in London and currency traders’ screens are blinking red and green. Some dealers have as many as 50 chat rooms crowded onto four monitors arrayed in front of them like shields. Messages from salespeople and clients appear, get pushed up by new ones and vanish from view. Orders are barked through squawk boxes.

    This is the closing “fix,” the thin slice of the day when foreign-exchange traders buy and sell billions of dollars of currency in the largely unregulated $5.3-trillion-a-day foreign-exchange market, the biggest in the world by volume, according to the Bank for International Settlements. Their trades help set the benchmark WM/Reuters rates used to value more than $3.6 trillion of index funds held by pension holders, savers and money managers around the world.

    Now regulators from Bern to Washington are examining evidence first reported by Bloomberg News in June that a small group of senior traders at big banks had something else on their screens: details of each other’s client orders. Sharing that information may have helped dealers at firms, including JPMorgan Chase & Co., Citigroup Inc., UBS AG and Barclays Plc, manipulate prices to maximize their own profits, according to five people with knowledge of the probes.

    “This is a market where there is no law and people have turned a blind eye,” said former Senator Ted Kaufman, a Delaware Democrat who sponsored legislation in 2010 to shrink the largest U.S. banks. “We’ve been talking about banks being too big to fail. What’s almost as big a problem is banks too big to manage.”

    ‘Bandits’ Club’

    At the center of the inquiries are instant-message groups with names such as “The Cartel,” “The Bandits’ Club,” “One Team, One Dream” and “The Mafia,” in which dealers exchanged information on client orders and agreed how to trade at the fix, according to the people with knowledge of the investigations who asked not to be identified because the matter is pending. Some traders took part in multiple chat rooms, one of them said.

    The allegations of collusion undermine one of society’s fundamental principles — how money is valued. The possibility that a handful of traders clustered in a closed electronic network could skew the worth of global currencies for their own gain without detection points to a lack of oversight by employers and regulators. Since funds buy and sell billions of dollars of currency each month at the 4 p.m. WM/Reuters rates, which are determined by calculating the median of trades during a 60-second period, that means less money in the pension and savings accounts of investors around the world.

    ‘Collusive Practices’

    At stake is the integrity of a market that affects the daily valuations of private and public money alike, from the $261 billion Sacramento-based California Public Employees’ Retirement System to the $237 billion Scottish Widows Investment Partnership in Edinburgh, from the $4.1 trillion BlackRock Inc. in Manhattan, the world’s largest asset manager, to the $1.2 trillion Tokyo-based Government Pension Investment Fund, the biggest pension.

    “This is a market that is far more amenable to collusive practices than it is to competitive practices,” said Andre Spicer, a professor at the Cass Business School in London, who is researching the behavior of traders.

    ‘The Cartel’

    None of the traders or the banks they work for has been accused of wrongdoing.

    The investigations have had repercussions across the industry. UBS, RBS, Citigroup, Deutsche Bank, JPMorgan and Lloyds Banking Group Plc are banning traders from using multibank chat rooms, people at the firms said. Investors are breaking their orders into smaller units and using more banks to reduce the opportunity for front-running, one of Europe’s largest money managers said.

    One focus of the investigation is the relationship of three senior dealers who participated in “The Cartel” — JPMorgan’s Richard Usher, Citigroup’s Rohan Ramchandani and Matt Gardiner, who worked at Barclays and UBS — according to the people with knowledge of the probe. Their banks controlled more than 40 percent of the world’s currency trading last year, according to a May survey by Euromoney Institutional Investor Plc.

    Entry into the chat room was coveted by nonmembers interviewed by Bloomberg News, who said they saw it as a golden ticket because of the influence it exerted.

    Minimizing Losses

    Regulators are examining whether discussions among the traders amounted to collusion — if, with a few keystrokes, they were able to push around rates to boost bank profits and their own bonuses. Traders on the chat deny that, saying they were merely matching buyers and sellers ahead of the fix. That way they could minimize losses by avoiding trades at a time of day when prices typically fluctuate the most, they said.

    The men communicated via Instant Bloomberg, a messaging system available on terminals that Bloomberg LP, the parent of Bloomberg News, leases to financial firms, people with knowledge of the conversations said.

    The traders used jargon, cracked jokes and exchanged information in the chat rooms as if they didn’t imagine anyone outside their circle would read what they wrote, according to two people who have seen transcripts of the discussions.

    Usher, Ramchandani and Gardiner, along with at least two other dealers over the years, would discuss their customers’ trades and agree on exactly when they planned to execute them to maximize their chances of moving the 4 p.m. fix, two of the people said. When exchange rates moved their way, they would send written slaps on the back for a job well done.

    Entry into the chat room was coveted by nonmembers interviewed by Bloomberg News, who said they saw it as a golden ticket because of the influence it exerted.
    So it sounds like a big question going forward is whether or not Symphony is going to double as a super-secure ‘golden ticket’ trading platform too. Hmmm…how’s that going to work out…

    Posted by Pterrafractyl | August 13, 2015, 12:28 pm
  9. *gasp* You don’t say…:

    MarketWatch
    Wall Street’s new chat service is deleting problematic messaging
    By Francine McKenna

    Published: Aug 14, 2015 3:17 p.m. ET

    For a start-up that says it’s focused on secure messaging, Symphony has been deleting a lot of its own messaging to the public about what it provides for its financial services clients. The firm has been editing out references on its website to data deletion and its ability to help banks keep their data away from the government.

    The New York Post has previously reported that Symphony deleted a video from its website that bragged its software could help banks avoid billions in fines by making data deletion easier. Continuing its efforts, Symphony has recently deleted a section about data security from its website and additional references that emphasize more privacy via data encryption and permanent data deletion capabilities.

    These were among the removed comments: “End-to-End Encryption: Symphony is completely private. Your data is 100% protected by encryption keys known only by you, never by us.”

    “Guaranteed Data Deletion: Symphony has designed a specific set of procedures to guarantee that data deletion is permanent and fully documented.”

    A blog post from July entitled, “To Encrypt, or Not to Encrypt?” is also now gone. That post included a passage touting its encryption capabilities as a way to protect firms’ privacy. “Our government officials are concerned that their inability to monitor end-to-end encrypted devices inhibits their role in keeping America safe. Conversely, Americans are concerned about preserving their right to Privacy, and encryption helps individuals enforce that right,” read that post.

    A Symphony spokeswoman responded that the website “was updated as part of our August 3rd product launch.”

    Symphony is no longer promoting messaging security features as a way to prevent the government from getting banks’ data. Instead, text describes “an ‘end-to-end’ security capability that protects communications from cyber-threats and the risk of a data breach—while safeguarding our customers’ ability to retain records of their messages.”

    The spokeswoman also said that “Symphony does not change regulators’ ability to obtain messages from our clients. Symphony delivers messages to its clients to download, decrypt, and archive, and they are able to provide those messages to regulators just as they would with other compliant messaging systems.”

    Symphony was formed when, in October of last year, fourteen of the world’s biggest financial-services firms, including Goldman Sachs, bought instant-messaging software company Perzo Inc and formed a new company funded by a consortium of financial firms that includes many big names — Goldman Sachs, Bank of America Corp., Bank of New York Mellon Corp, BlackRock Inc., Citadel LLC, Citigroup Inc., Credit Suisse Group AG, Deutsche Bank AG, J.P. Morgan Chase & Co., Jefferies LLC, Maverick Capital Ltd., Morgan Stanley, Nomura Holdings Inc. and Wells Fargo & Co. Some of those banks have spent billions to settle investigations for interest-rate rigging and currency manipulation that rested on evidence of instant messages and other electronic communications between traders in the banks and between them that provided evidence of the alleged illegal activity. Those messages shocked the public and prosecutors and embarrassed the banks because of their blatant disregard of the law and their irreverence.

    Last year, while the firm was still called Perzo, Symphony CEO Gurle was interviewed and talked about its “zero knowledge” security capabilities.

    The industry-led effort to find a substitute for Bloomberg LP’s ubiquitous messaging system may be about control—Bloomberg saves the banks’ data and could be the target of a regulator’s subpoena— but may be more about money. A Bloomberg terminal costs $24,000 a year. Multiply that by the thousands of terminals on every trading floor, and it adds up to another big cost banks may be trying to erase. A Bloomberg LP spokesman declined comment.

    Note that when you read:


    The industry-led effort to find a substitute for Bloomberg LP’s ubiquitous messaging system may be about control—Bloomberg saves the banks’ data and could be the target of a regulator’s subpoena— but may be more about money. A Bloomberg terminal costs $24,000 a year. Multiply that by the thousands of terminals on every trading floor, and it adds up to another big cost banks may be trying to erase. A Bloomberg LP spokesman declined comment.

    that, yes, it’s certainly possible that reducing the costs of Bloomberg’s messaging system could certainly be a factor in Wall Street’s decision to develop their own end-to-end encrypted messaging system that can delete data before the government can see it in addition to a desire to retain maximum control over their data. But also keep in mind the obvious: that the desire to maintain that control over data that regulators might be interested in reviewing is also all about the money:

    The New York Post
    Wall Street has found a new way to evade pesky probes

    By Kevin Dugan

    August 2, 2015 | 8:02pm

    Forget about Sen. Elizabeth Warren. The worst scourge on Wall Street is overly chatty traders.

    Since 2010, the world’s 13 biggest banks have shelled out more than $74 billion to settle probes, ranging from interest-rate rigging to currency manipulation, where incriminating exchanges between traders provided key evidence, according to a Post analysis of data compiled by the CCP Research Foundation.

    “Those crimes may not have been possible without electronic communication,” said Brandon Garrett, a professor at the University of Virginia School of Law.

    The eye-popping figure is a big reason why Wall Street is backing a new cutting-edge communications system.. Symphony promises to give its clients, including Goldman Sachs and JPMorgan Chase, greater control of their data — and save them “billions of dollars in fines,” according to a company pitch to clients.

    While banks are backing the system, regulators are wary. Last week, New York’s top financial regulator asked Symphony Communications to explain its encryption and record retention after the startup touted “guaranteed data deletion” in its marketing materials.

    Symphony removed a promotional video from its website touting the billions in savings, along with the reference to data deletion, after the Department of Financial Services’ acting superintendent, Anthony Albanese, sent a letter to Symphony Chief Executive David Gurle seeking more details.

    Another concern about Symphony — one that hasn’t been made public — is that it will make it harder for regulators to launch probes without tipping off the potential target, said current and former law enforcement officials.

    Symphony requires clients to store chats, emails and other data on their own servers rather than relying on a third party.

    This means when investigators subpoena records, they will — in many cases — have to get them from the firm that is being probed.

    Symphony said it encrypts and stores client data in “the cloud.” Once the client downloads its own data and has the encryption key, Symphony deletes the data from its own servers.

    The system allows banks to “safeguard their data from cyber-security threats, and help protect firms from data breaches,” the company said in response to questions from The Post.

    It also means investigators must get the encryption key from the company to decode it, sources said.

    Symphony also promises “real-time monitoring” of chat rooms — i.e., eavesdropping. Keyword filters allow compliance chiefs to pinpoint and stop problematic chats, CEO Gurle told The Post last year, although one law enforcement official said traders can easily get around it.

    Some of those chats have been downright damning.

    “If you ain’t cheating, you ain’t trying,” wrote one Barclays trader in a chat room that was at the center of the currency-rigging probe.

    As we can see, the new messaging system built by and for the industry with tens of billions of dollars in fines over the past five years and a proven track record of living by the “If you ain’t cheating, you ain’t trying”-philosophy will offer fun features like “real-time monitoring” of chat rooms — so it can presumably work with Wall Street’s new prole-precog systems that monitor the activities of employees and use artificial intelligence to sniff out wrongdoing from emails and chats (so regulators don’t have to be burdened with the task of regulating *wink*). Presumably we’re to assume that the banks’ compliance chiefs will actually end the illegal activities and not simply tell that employee to stop using language that sets off the AI and permanently delete those. Isn’t that helpful.

    And then there’s this helpful control-oriented feature:

    Another concern about Symphony — one that hasn’t been made public — is that it will make it harder for regulators to launch probes without tipping off the potential target, said current and former law enforcement officials.

    Symphony requires clients to store chats, emails and other data on their own servers rather than relying on a third party.

    This means when investigators subpoena records, they will — in many cases — have to get them from the firm that is being probed.

    *******
    -Knock, Knock

    -Who’s there?

    -A regulatory agency that would like to see your traders’ messaging activity, but who is totally not interested in investigating wrongdoing at your financial institution so don’t, like, delete anything or something like that.

    -Oh, ok, let us get those messages for you. We have nothing to hide.

    -Thanks. Hey, why are so many of these messages deleted? Oh well, it looks like there definitely won’t be an investigation now.

    -Oh dear, we’re really sorry to hear that. LOL!

    ***
    Worst. Joke. Ever.

    Ok, that’s not true. Jokes can get far worse.

    Posted by Pterrafractyl | August 17, 2015, 5:40 pm
  10. Mark Ames has a new piece on the federal bribery investigation involving Ron Paul’s 2012 campaign that’s threatening to implode Rand Paul’s flailing 2016 presidential ambitions: Two of Rand Paul’s top aides, Jesse Benton and John Tate, recently pleaded not guilty to bribing the influential former Iowa state senator Kent Sorenson GOP. So we’ll see how that investigation goes, but interestingly, the Paul team’s defense is getting some help from a rather unexpected source: Google. When federal investigators issued a warrant for Jesse Benton’s gmail account last year, Google notified Benton of the warrant, Benton’s lawyers appealed it, and Google has refused to turn the emails over until a court resolves the issue. This is Google’s standard practice so that, in and of itself, is not exactly suspicious. But as Ames points out, we are getting into rather interesting territory here since Google has been a major donor to both Ron and Rand Paul:

    Pando Daily
    Google’s lawyers, Ron Paul’s grandson, and the most depraved presidential campaign crime in decades

    By Mark Ames, written on August 21, 2015

    It is easily the most depraved little episode of presidential campaign crime in decades, worthy of Nixon’s CREEP or Boris Yeltsin’s goons, and it’s been almost totally ignored by the media—mainstream and otherwise.

    Ron and Rand Paul’s top campaign aides, led by the husband of Ron Paul’s granddaughter, bribing and extorting a crooked Tea Party Iowa politician to endorse the “Ron Paul rEVOLution”—which turns out to have been little more than a mirage built on fraud, oligarch cash, and the credulous fantasies of a few thousand pimply college-aged waffendweebs.

    And then there’s the specter of the world’s largest private surveillance apparatus, Google, looming over this story—playing a central role in the criminal investigation that is both deeply conflicted, and oddly conflicting.

    For over a year now, Google has refused to comply with federal warrants to hand over Gmail accounts of the three indicted Paul campaign managers and operators: Jesse Benton, John Tate, and Dimitrios Kesari, who all have held senior posts in Rand Paul’s various campaigns and PACs. (Many of the legal filings mentioned in this article are embedded below.)

    But it goes further: Ron Paul himself is named in a federal subpoena made public last year. Prosecutors want access to the libertarian hero’s emails, as he appears to be a person of interest in the criminal investigation, an investigation that Google has been hindering with legal roadblocks and distractions.

    The crimes are bad enough, and I’ll explain them in a minute—but when you have the most powerful Internet company in the world, and one of the largest corporate lobbyists in Washington DC, protecting indicted criminals who run presidential campaigns for politicians—Ron and Rand Paul—which Google has given thousands of dollars to in recent years, and whose libertarian ideology Google has supported in a number of ways and venues. . . . then we’re talking about potentially nightmare-scenario levels of conflicts-of-interest..

    Potentially—that’s the key here, because the real story of Google’s role in this sordid crime is a bit more complicated than that, and not entirely evil, much as that might frustrate me and many of our readers. Google’s problem in this case rests in its overwhelming monopoly power—it’s as if the Nixon Tapes were on Google’s servers, along with all of our own personal recordings, and Google had a policy of generally being a pain in the ass about handing over tape recordings so as to keep consumers lured into spending all their babbling moments babbling into their tape recording product…only in this case, Google is also a major campaign donor to Nixon and his political agenda. It’s very problematic, and I’ll save a deeper discussion of Google’s conflicts in fighting government warrants for Ron and Rand Paul’s indicted felons for another article…

    But first, the crime. Let’s start with Kent Sorenson, a mean, dumb, thumb-headed prairie bumpkin who so far stands as the only person convicted of a series of felonies involving the Ron Paul 2012 campaign, after Sorenson pled guilty last year to crimes—including filing falsified federal election reports, and obstruction of justice, crimes that could carry a maximum sentence of 25 years behind bars.

    Sorenson was, until recently, Iowa state Senator Sorenson, Iowa’s leading firebreathing Tea Party radical who vowed to “burn down” Des Moines when he won his seat in the state’s upper chamber in 2010. Sorenson talked the God-talk, bashed gays, the poor, drug users, and immigrants, which made him a darling among Tea Party libertarians like Ron Paul, who personally endorsed Sorenson’s run for state senate in 2010.

    Among the bills Sorenson pushed—a state Constitutional amendment banning same-sex civil marriages; a “birther” law aimed at Obama, requiring presidential candidates to produce their birth certificates; a law forcing indigent welfare recipients to submit to random drug tests—and denial of benefits if they failed the tests.

    Naturally, it was later discovered—after he was elected— that Sorenson had been busted in 1992 delivering a baggie of weed and taking $30 cash from a drug informant, for which the Tea Party firebrand was convicted of an aggravated misdemeanor and sentenced to six months in county jail. He was 20 years old; he served five days. When the story came out in 2011, he blamed another guy and claimed to have mended his ways. But it was also discovered that he’d welched on his child support payments, had his wages garnished, was penalized again for failing again, was charged but cleared of domestic violence, and had declared bankruptcy on his mortgage and student loans debts, which he blamed on usurious interest rates. In other words, a typical mean dumb white lowlife.

    Last year, after Sorenson was first convicted of taking bribe money from Ron Paul and lying about it, he was subjected to mandatory drug tests of the sort he voted to impose on Iowa’s poorest residents—and yes, Sorenson failed his own drug tests — not once, but three times.

    And just last month, police arrested Sorenson again for allegedly beating his wife.

    But in our official narrative, as far as all the media harrumphers and pundits were concerned, Sorenson was a serious Tea Party evangelical, driven by conservative principles, no matter how much those principles might ruffle mainstream two-party Establishment feathers, by gum!—just like Ron Paul. In early 2011, Sorenson’s endorsement was something taken seriously, as a matter of weighty Tea Party principle—and he threw in early for Michele Bachmann. As it turns out, he endorsed her, and became her Iowa campaign co-chairman, on a more familiar principle: Payment in kind. In secret and in violation of Iowa Senate ethics (and federal laws, once those bribes became falsified reports), the Bachmann campaign paid Sen. Sorenson nearly $8,000 per month in a clunky scheme in which Bachmann funds went through a couple of dummy companies and into Sorenson’s pocket.

    This is how politics works, folks; it’s not what they teach you in middle school civics classes, but journalists should’ve gotten over that little shocker by now.

    In public, Sorenson said his endorsement of Michele Bachmann was all on account of shared deep Christian libertarian principles. Meanwhile, towards the end of 2011, as the Iowa caucuses were drawing near, Ron Paul’s grandson-by-marriage, Jesse Benton, and his fellow staffers, having learned Sorenson was for sale (apparently everyone but the media knew it), opened negotiations to buy Sen. Sorenson’s support by outbidding Bachmann. It helped that Ron Paul was raising money hand over fist compared to Bachmann, thanks to all the Silicon Valley and extraction industry billionaires who love Paul’s vision of government without taxation or regulation or welfare or help of any kind for anyone or anything, but their private property, which is always in need of armed protection…

    According to a recently unsealed indictment, in late October 2011, Benton — who also led his uncle Rand Paul’s SuperPAC until just recently, in case I haven’t made this family point clear enough — sent an email to Sorenson and Sorenson’s top aide offering to take over paying Sorenson’s $8,000/month bribes in return for Sorenson switching his allegiance from Bachmann to Dr. Paul. Both Sorenson and Dr. Paul’s people agreed to delay Sorenson’s switch until after a meeting of Iowa Republicans, where he’d strengthen his own position within the party, on the eve of the big caucuses, as a principled Tea Party Christian libertarian.

    Then from mid-November 2011 until late December, a Ron Paul operative, Dimitrios Kesari, made numerous calls to Sorenson to negotiate and lobby for the bribe-and-switch deal. A few days before the switch, around Christmas 2011, Sorenson agreed with Ron Paul’s campaign heads to write up a press release in-advance explaining how his Tea Party principles moved him to abandon Bachmann for Ron Paul. Sen. Sorenson then sent his draft statement to the Ron Paul 2012 campaign chiefs for editing—his granddaughter’s husband Jesse Benton, his family operative Kesari, and John Tate, the head of a Ron/Rand Paul libertarian organization called Campaign For Liberty, who also served as an officer in Rand Paul’s SuperPAC. And in case Sorenson double-crossed Ron Paul over his planned double-cross of Michele Bachmann, Dr. Paul’s campaign chiefs had readied a plan to smear Sorenson and ruin his life by leaking select emails of their payoff negotiations.

    Sorenson agreed to switch to Ron Paul in exchange for being put on an $8,000 a month under-the-table salary, plus a $100,000 payoff to Sorenson’s personal PAC. Being a thumb-head, Sorenson demanded a $25,000 check, and Dr. Paul’s operative, Kesari, agreed, handing him a check in the name of Kesari’s wife’s jewelry company at an Iowa diner. But as soon as Sorenson got that big fat $25,000 check, he wasn’t sure what he should do with it. So he just held onto it, figuring it would be useful later (and it was useful—to federal prosecutors). Two days after getting the $25,000 check, on December 28, 2011, Sorenson appeared at an early afternoon rally for Bachmann at Pizza Ranch, still playing the role of her campaign’s co-chairman—but he kept silent throughout the Bachmann rally, claiming he couldn’t speak because he’d just had dental work done and his mouth was so numb “he was afraid he would drool on himself,” according to the Des Moines Register.

    After the Pizza Ranch rally for Bachmann, Sen. Sorenson skulked away in his car, and showed up to a Ron Paul 2012 rally (“Sorenson said he drove to Paul’s event, called a Paul staffer and asked: ‘Do you guys want me on board?’”—reported the Des Moines Register) and jumped on the stage in a fake-spontaneous Tea Party moment of libertarian passion, announcing that his conscience had compelled him, at the spur of the moment, to switch allegiance to the Ron Paul rEVOLution!

    Sorenson’s betrayal was meant to land as a punch to the gut, to shock and awe Bachmann into total submission, losing her co-chair like that. What the Ron Paul hicks didn’t expect was that Bachmann — a prairie hick of a different subspecies of mean-and-dumb, the kind of prairie hick that self-destructs unless under constant 24/7 watch from a slick political minder — would expose the whole scam. Bachmann went straight to the press and spilled the beans, that Sorenson had been bribed by Ron Paul’s campaign, and that Sorenson had even told her that they were going to bribe him. Which was true—Sorenson had been bargaining with her, trying to leverage the Paul campaign’s offer to squeeze a better counter-offer bribe out of Bachmann.

    Immediately after Bachmann’s suicidal statement, her top aides ran to the media and said no-no-no-, you know how crazy Michele is, cuckoo! cuckoo!… nothing of the sort was going on, we’re all honorable people here, Ron Paul’s family member included. Because, obviously, there was the fear that if anyone decided to look into the allegations, they’d find that Bachmann’s campaign was guilty of the same crime.

    And according to last year’s subpoena, the FBI wants access not only to Ron Paul’s and his campaign staffers’ emails, but to Bachmann’s and her staffers too.

    * * * *

    Bachmann’s statement about Paul’s bribes caused a brief controversy among the media, which didn’t want to believe such a thing could happen in America, and especially not from the campaign of that real-life 21st C Jimmy Stewart—albeit a hick-fascist Confederate Jimmy Stewart, but earnest and “authentic” all the same, according to the rubes in the media, pushing Paul as the perennial anti-establishment hero. Among the conspirators, however, it caused a real panic, and a brief change of plans.

    The next day, December 29, Benton & team had Sen. Sorenson issue a defiant statement that basically said, “You think I get paid for my principles? Wait till you see the FEC filings, then you’ll see that Bachmann is a liar and no one’s paying me anything, by gum!” And then Sorenson and the Paul capos proceeded to forge their FEC filings to funnel their payments to Sorenson through a pair of dummy front companies. Not exactly the sharpest conmen, but brains aren’t much of a requirement for success as a con artist. An empty conscience, some cunning, and the stupid sense that you and your testicles are smarter than everyone else—those are much more important qualities.

    CUT TO: September, 2013. One of Sorenson’s true-believer Christian aides couldn’t stomach the sleaze, spilled the beans and incriminating emails, and landed Sorenson in an ethics committee investigation that he couldn’t crawl out of. At this point, former Ron-now-Rand Paul operative Kesari jetted to neighboring flat state Nebraska so as to not look suspicious, and gunned it straight to Iowa to get that motherfucking $25,000 check from Sorenson that the lughead never cashed.

    According to a federal indictment,

    Kesari [the Paul operative] flew to Omaha, Nebraska, backtracked to Senator Sorenson’s home in Iowa, required that he and Senator Sorenson show each other that neither was wearing a recording device, and then asked that Senator Sorenson either return to Kesari or alter the $25,000 check that Kesari previously gave to Senator Sorenson…which Senator Sorenson refused to do.

    One thing Sen. Sorenson had some experience with was ratting out others. He ratted out the pot dealer he got busted with and got his sentence reduced to five days and probation, and later, in office, voted to turn up the heat in the War On Drugs (funny how this didn’t bother Ron Paul’s principled people); and last year, after FBI agents raided Sorenson’s home and took his and his family’s computers, Sorenson copped a plea. Now the feds have the very top people in both Ron and Rand Paul’s campaigns for president going back to 2007, campaigns heavily underwritten by Silicon Valley billionaires and true believers…

    This past week has been an active one in the government’s case against Jesse Benton, John Tate and Dimitrios Kesari—the Southern Iowa District Court ruled that they were such a risk for leaking confidential documents that they could only view government evidence on CDs stored in their lawyers’ offices.

    On Thursday of this week, Jesse Benton and John Tate appeared before the court and pled not guilty on a number of counts that mirror the Watergate charges 40 years ago: conspiracy to “knowingly defraud the United States”; “knowingly and willfully falsify, conceal and cover up by a trick, scheme and device a material fact in a matter within the jurisdiction of the executive branch”; “knowingly cause the concealing, covering up, falsification…with the intent to impede obstruct, and influence the investigation…” and so on.

    Meanwhile, the Court just sided with Google that it still wasn’t required to comply with the FBI warrant just yet and allow access to all the Gmail accounts that the feds demanded last year. As Google was careful to point out in its filings, the company has made sure to preserve and protect all email communications from those listed on the warrant — including presumably Ron Paul’s emails — to prevent anyone from trying to scrub or alter them. So Google is essentially complying, and they’re going to eventually hand them over, in all likelihood, and it will be some very incriminating material that could drive a barbed stake in the heart of libertarianism’s First Family…

    The funny thing is that real libertarians don’t even necessarily believe that bribery and fraud are legitimate crimes, if carried out in self-interest. For the most part, even mainstream libertarians from the CATO Institute argue that bribery should be legal.

    And yet—because libertarians have paradoxically transformed in recent years into the most sanctimonious loud-mouthed whiners in the political arena, this is one of those ugly, sleazy, low-rent corruption scandals, going all the way into the Paul family gene pool, that won’t sit well with the young, credulous males who give the libertarian cult its energy.

    Most of all, however, this story finally answers the question that all the hundreds of quasi-grizzled, quasi-cynical campaign trail journalists failed to answer: What happened to Rand Paul’s presidential campaign, the most hyped-up, promoted candidacy of anyone’s over the past two years? The liberal media has been drooling over Rand Paul like he’s the second coming, the Confederate with the heart of gold that all middle-class liberals dream of. I heard a lot of suckers claim that the Koch brothers had suddenly decided, after all these years of supporting their pet Pauls, that Rand was not to their liking, too much of a lightweight, or something like that. Because you know the Kochs only go with Very Serious Gravitas-y Heavyweights—the Herman Cains, Michele Bachmanns, Scott Walkers…

    I’ve learned since coming back here that American political journalists mistake their sneering for cynicism. Cynicism is what you learn in a place like Russia, which isn’t as far from the US as one would think (or hope). It never crosses a smug sneery journalist’s mind that the politics they’re reporting on is as corrupt as a tinpot dictator’s, that all the cant about principles is capital to be cashed, and cash it they do. Because politics is about dividing up trillions of dollars in wealth and power and privilege, not about high-minded debates in three-pointed hats.

    Those campaign donations that all the boring, unreadable nonprofit watchdog sites report on—that’s the dull accounting stuff for public consumption. The real game is the payoff—the check cashed, the dummy company that gets the wire transfer. First you have to be willing to see that it’s there.

    “The next day, December 29, Benton & team had Sen. Sorenson issue a defiant statement that basically said, “You think I get paid for my principles? Wait till you see the FEC filings, then you’ll see that Bachmann is a liar and no one’s paying me anything, by gum!” And then Sorenson and the Paul capos proceeded to forge their FEC filings to funnel their payments to Sorenson through a pair of dummy front companies. Not exactly the sharpest conmen, but brains aren’t much of a requirement for success as a con artist. An empty conscience, some cunning, and the stupid sense that you and your testicles are smarter than everyone else—those are much more important qualities.”
    Well that explains a lot. And it also raises the question of just what the Paul team’s testicles are recommending at this point. Hmmm….how about trying to turn this investigation into a rallying cry of government overreach:

    Mother Jones
    Google Won’t Let the Government See the Emails of Rand Paul’s Aides.
    The internet giant is defending the right of an indicted Rand Paul aide to keep his emails out of government hands.

    —By Russ Choma
    | Wed Aug. 19, 2015 6:00 AM EDT

    The three Rand Paul aides who were indicted earlier this month are doing their best to turn the government case against them into an example of government overreach, and Google has taken their side in the fight.

    In the summer of 2014, federal investigators began probing whether Ron Paul’s 2012 presidential campaign had paid Iowa state Sen. Kent Sorenson for his endorsement. After Sorenson confessed, investigators focused on three other men, including current presidential candidate Rand Paul’s nephew-in-law, Jesse Benton, whose email account supposedly contained evidence.

    After a brief skirmish with Benton’s attorney about accessing Benton’s emails, FBI agents got a search warrant that entitled them to read the emails without Benton’s cooperation. But the plan did not go smoothly. Benton has a Gmail account, and Google’s policy is to notify users when their accounts have been hit with a search warrant. Benton’s attorney, Roscoe Howard, promptly filed a motion to block the search warrant, alleging that it was improper, and Google stopped cooperating with the FBI.

    That was almost a year ago. Two weeks ago, Benton and two other top Paul aides, John F. Tate and Dimitri Kesari, were indicted on federal charges, including conspiracy, campaign finance violations, and making false statements. Prosecutors accused the men of paying Sorenson more than $73,000, hiding the payments by funneling them through a third party, and lying on campaign finance filings to cover them up.

    The FBI still hasn’t gotten ahold of Benton’s emails. Last week, a judge ruled that the FBI had a right to the emails, but once again, Benton resisted and Google agreed.

    “Frighteningly, the government still maintains that it has the right to trample Mr. Benton’s privacy rights and look through every single one of Mr. Benton’s emails, just as if his email account were a warehouse full of documents,” Howard wrote. “The government’s statement underscores its true intent—to conduct a fishing expedition.”

    The government has now demanded that Google be held in contempt if the company doesn’t immediately turn over the emails, and it has argued that Benton and his attorney can raise their concerns at trial if they don’t like the way the search warrant was obtained. Most people don’t learn they’re the target of a search warrant until it has already been executed, which means they don’t have the opportunity to challenge the warrant until the evidence appears in court. But accessing emails is not like kicking down a door and finding a gun: Google controls access to the emails on its server, so the company’s refusal to comply with the FBI—and its willingness to tell Benton about the warrant—not only changes the dynamic in this particular case; it could also create a precedent for others.

    Hanni Fakhoury, a senior staff counsel with the Electronic Frontier Foundation, said courts have not yet settled the question of how specific or broad email search warrants should be, and this case is one of the most prominent illustrations of how users can fight back.

    “This case is smack in the middle of the debate,” Fakhoury says. “This is a very high-profile and dramatic example of it, because we’re talking about half a million emails.”

    Howard, Benton’s attorney, wrote in one filing that his client had cooperated fully with investigators and provided a 50,000-page list of all the emails in his account, which may contain as many as 500,000 emails. Howard argues that the government’s search warrant is simply too broad, and that Benton’s Gmail account contains both personal and political correspondence.

    Google has now officially joined the fight. Its lawyer, Guy Cook, told the court that the company will not turn over Benton’s emails.

    “Google cannot be held in contempt simply for allowing Mr. Benton to exercise his appellate rights and awaiting the district court’s ruling on the warrant’s validity,” Cook wrote. The company’s position is that it will release emails only after the conflict over the search warrant has been resolved in court.

    A Google spokeswoman declined to discuss the case specifically but said the company won’t comply with overly broad requests.

    “When we receive a subpoena or court order, we check to see if it meets both the letter and the spirit of the law before complying,” she said. “And if it doesn’t, we can object or ask that the request is narrowed. We have a track record of advocating on behalf of our users.”

    Fakhoury says Twitter and Facebook in the past have also notified their users about search warrants on their accounts, but that companies have become bolder in recent years.

    “What’s changed post-Snowden is that they are more outspoken about it, and they’re more willing to interject more directly in situations,” he says. If companies don’t cooperate with the government, as in Google’s case, they may be held in contempt; if they cooperate and the warrant later turns out to be invalid, they would face no legal penalty. But their clients—people with social media or email accounts—want protection if a search warrant is issued. Companies “go out on a limb like this because it’s a good business practice for them, to look like they stick up for users,” Fakhoury notes.

    The fight over Benton’s emails was kept secret for much of the past year, but it became public after the recent indictments. Benton’s attorney welcomed the increase in publicity, if only to attract attention to the battle. “This Court should unseal this matter so that the other Defendants can be a part of this discussion and so that the public can be aware of the government’s tactics,” he wrote last week.

    Howard’s legal filings are littered with references to the government’s intrusive desire to “trample” Benton’s rights. That may be part of a strategy to claim that the government is bullying political opponents—a potentially potent argument in the libertarian sphere of Rand Paul supporters where Benton and his codefendants have made their living.

    With a court recently ruling that the FBI could indeed search Benton’s Gmail account, and Google continuing to refuse access as a showcase of their dedication to their users’ privacy, it’s sure looking like we could see Google and Benton join hands in trying to spin this into a case of the government “trampling” Benton’s rights. And as Hanni Fakhoury with the Electronic Frontier Foundation points out, courts have not yet settled the question of how specific or broad email search warrants should be, and this case is one of the most prominent illustrations of how users can fight back:

    The government has now demanded that Google be held in contempt if the company doesn’t immediately turn over the emails, and it has argued that Benton and his attorney can raise their concerns at trial if they don’t like the way the search warrant was obtained. Most people don’t learn they’re the target of a search warrant until it has already been executed, which means they don’t have the opportunity to challenge the warrant until the evidence appears in court. But accessing emails is not like kicking down a door and finding a gun: Google controls access to the emails on its server, so the company’s refusal to comply with the FBI—and its willingness to tell Benton about the warrant—not only changes the dynamic in this particular case; it could also create a precedent for others.

    Hanni Fakhoury, a senior staff counsel with the Electronic Frontier Foundation, said courts have not yet settled the question of how specific or broad email search warrants should be, and this case is one of the most prominent illustrations of how users can fight back.

    “This case is smack in the middle of the debate,” Fakhoury says. “This is a very high-profile and dramatic example of it, because we’re talking about half a million emails.”

    A half a million emails is quite a large number, but then again, this is the email account of one of the key staffers for a presidential campaign. Plus, the emails are from 2011-2014, which makes sense for an investigation for a bribery scandal involving a 2012 presidential campaign, although it’s not unimaginable that a case could be made for narrowing that time-frame.

    It all raises a gut-wrenching possibility: On the one hand, if the FBI’s warrant really was overly broad and subsequent rulings agree that it was overly broad, Jesse Benton and the Pauls sort of get to claim victory and possibly kill the investigation, although it’s possible that the FBI could still narrow the search warrant and get the evidence it needs. On the other hand, if it turns out the FBI’s warrant really was overly broad but subsequent court rulings find otherwise, the case could set a precedent that basically gives the government access to your entire email history for all sorts of other criminal cases that don’t involve sleazy pols bribing each other, even when that full email history isn’t remotely needed or relevant. So we really have to hope that the FBI was being aggressive (because these were sleazy pols bribing each other which is disgusting) but not too aggressive, because otherwise the Paul clan’s bribery scandal ends up becoming a case of ‘the little guy vs the Big Bad Government’ regardless of the outcome.

    It’s also a reminder that the array of new questions related to the 4th and 5th amendments and privacy rights aren’t limited to topics like whether or not Apple or Google can make smartphones with unbreakable encryption and under what conditions should someone be forced to hand over their password. In this case, the power to turn over that information isn’t in the hands of Benton or some unbreakable-encryption smartphone user that’s the only person with the password. It’s in the hands of Google, and now Google appears to be willing to defy court orders and risk contempt of court charges, possibly as some sort of corporate branding scheme. And until we get some sort of resolution on the case, it leaves open a number of legal questions over what happens if incriminating evidence is co-mingled with massive amounts of personal data that almost assuredly has nothing to do with any investigation.

    So if you’re planning on bribing some politicians, keep in mind that it’s not yet clear whether or not you should be using an unbreakable super-encryption phone, where even Google or Apple can’t access the content and you might be able to plead the 5th Amendment, or just stick with Google services like Gmail where, in the event of a warrant, Google’s corporate legal team suddenly becomes your legal team. Choosing the right smartphone package for your campaign’s political operatives just got a lot more complicated.

    Posted by Pterrafractyl | August 22, 2015, 4:38 pm
  11. It looks like Rand Paul’s campaign aide, Jesse Benton, who was under FBI investigation for bribing Iowa state senator Kent Sorenson in 2012 as part of Ron Paul’s presidential campaign, is out of options. A US District Judge just ruled that Google must turn over the emails and if Benton wants to appeal he can do it later. And Google is agreeing to comply with the ruling and turn over the emails:

    Associated Press
    Feds Win Fight for Access to Indicted Paul Aide’s Gmail
    DES MOINES, Iowa — Aug 28, 2015, 4:13 PM ET

    Federal prosecutors prevailed Friday in their yearlong fight to force Google Inc. to turn over the emails of an indicted Republican consultant with close ties to Ron and Rand Paul.

    U.S. District Judge John Jarvey rejected a request to quash a warrant ordering Google to give the FBI the contents of Jesse Benton’s Gmail account, which he used to work on Ron Paul’s 2012 presidential campaign and Senate Majority Leader Mitch McConnell’s 2014 re-election bid.

    Under Jarvey’s order, Google will be legally required to divulge tens of thousands of emails sent and received by Benton between March 2011 and July 2014.

    Guy Cook, a lawyer for Google, said Friday that the company would respect the order. Lawyers for Benton and the Justice Department declined to comment.

    Jarvey’s ruling appears to end a dispute that has gotten attention in libertarian and technology circles as a test of the government’s ability to broadly review email accounts during criminal investigations.

    Benton gave the FBI permission to search the account last year, but he withdrew it days later after investigators started combing through his email. An FBI agent then applied for a warrant to search and seize parts of the account, which a magistrate judge approved based on probable cause that a crime was committed.

    After Google received the warrant, the company told Benton that it intended to comply with the request unless he filed a legal challenge. Benton’s attorney filed a motion to quash the warrant, arguing that it was overly broad, violated his privacy rights and amounted to a fishing expedition.

    Prosecutors argued that the warrant was lawful and tailored to the evidence of wrongdoing they had uncovered related to improper payments to Sen. Kent Sorenson, who flipped from supporting Michele Bachmann to Ron Paul days before the 2012 caucuses.

    U.S. Magistrate Judge Helen Adams upheld the warrant Aug. 10. Google then sought to give Benton time to appeal the order, resisting the government’s request to immediately produce the emails.

    Adams last week put the ruling on hold so Benton could appeal to the district judge, Jarvey, who sided with the government in a terse order Friday. He said the law doesn’t give Benton the ability to challenge the execution of a search warrant beforehand. Instead, Benton could later seek to suppress any emails the government wants to use against him in the criminal case by arguing their seizure was unconstitutional.

    Prosecutors have said they will review the emails and seize only those that are relevant to their investigation. They pledge to filter out all others, including those protected by attorney-client privilege.

    Well, it’ll be interesting to see what they find.

    It’ll also be interesting to see if we don’t start seeing some of the contents of those emails showing up in the media as a result of leaks by Benton himself while this entire investigation is ongoing. Why? Because that’s sort of what they were planning on doing to the bribed Iowa state senator, Kent Sorenson, if he didn’t agree to accept the bribe. And it’s something government prosecutors are specifically worried about in their current investigation:

    Mother Jones
    Feds Say Rand and Ron Paul Aides Planned to Smear Local Pol If Payoff Failed

    The dirty politics case that has snared top advisers to Rand Paul gets dirtier.

    —By Russ Choma
    | Fri Aug. 14, 2015 2:04 PM EDT

    Since last week’s indictments of three top political aides to Ron and Rand Paul, new details have emerged about the Ron Paul campaign’s scheme in 2012 to buy the endorsement of Kent Sorenson, who was then an influential Republican state senator in Iowa. In the latest court filing, federal prosecutors assert that the Paul aides planned to smear Sorenson if he refused to accept a bribe. This case will likely continue to dog presidential candidate Rand Paul, who has at times employed all three men. Two of the indicted aides, Jesse Benton (who is married to Rand Paul’s niece) and John Tate, were running the main super-PAC supporting Rand Paul’s presidential campaign. Following the indictments, each of them took a leave of absence from the super-PAC.

    A federal grand jury charged Benton, Tate, and Dimitri Kesari with multiple felonies, accusing them of organizing a secret effort to pay Sorenson more than $73,000 just days before the Iowa caucuses to change his endorsement from Michele Bachmann to Ron Paul. Kesari is a longtime Paul family operative: He worked for Ron Paul’s presidential campaigns and Rand Paul’s 2010 Senate campaign, as well as Senate Majority Leader Mitch McConnell’s reelection effort last year.

    Prosecutors are generally required to share their evidence with a defendant to allow him or her to prepare for a trial. But on Thursday, Justice Department lawyers asked the federal judge in charge of the case for permission to withhold from these defendants copies of certain sensitive documents, such as the grand jury transcript and witness statements. The defendants will be allowed to review the information, but the prosecutors don’t want to hand over the material. They say they have reason to believe the defendants might leak sensitive documents to the media. During the pre-indictment inquiry, the prosecutors claim, investigators found emails showing that the three Paul aides were prepared to leak documents to harm Sorenson in 2012 if they couldn’t obtain his endorsement for Ron Paul.

    “Those communications show that the defendants, who are career political operatives, were willing to leak sensitive documents regarding Sorenson to the press to suit their own ends,” Raymond Hulser, chief of the Department of Justice’s public integrity division, stated. “That history gives the government concern as to what the defendants (as opposed to their counsel) might do with copies of interview reports and grand jury transcripts of Sorenson and the other witnesses in this case.”

    Benton’s attorney, Roscoe Howard, says he cannot comment because he’s preparing a response to file in court. But the revelation adds a new wrinkle to the case. leaked publicly by a former Ron Paul aide in 2013 indicate that Sorenson was approached by the Ron Paul campaign about his willingness to switch sides, and he responded with a lengthy list of demands that included a salary of $8,000 a month and a $100,000 donation to his political action committee.

    Under Iowa Senate ethics rules, a lawmaker cannot sell his endorsement to a presidential campaign. Following an Iowa Senate investigation that found Sorenson accepted payments from a company tied to the Ron Paul campaign, Sorenson resigned his seat in 2013. Last August, he pleaded guilty to campaign finance charges. Sorenson is currently awaiting sentencing.

    Update: The lawyer for Jesse Benton has responded to the government’s accusation that his client planned to leak documents to smear Sorenson if he did not agree to endorse Ron Paul. In a filing made to the federal court, Benton’s attorney, Roscoe Howard, said prosecutors are referring to an email Benton sent in late 2011, around the time Sorenson switched from endorsing the Bachmann campaign to endorsing the Paul campaign. In the email, Howard noted, Benton “threatened to expose Mr. Sorenson, believing that Mr. Sorenson was trying to blackmail the 2012 RP Campaign, if Mr. Sorenson did not make up his mind on whether to commit to the Ron Paul Campaign.”

    Howard wrote that it was “a knee-jerk, emotional reaction” and pointed out that Benton never followed through.

    Yes, Benton was threatening to blackmail the guy he was bribing, but according to his lawyer it was just because Benton was concerned that Sorenson was trying to blackmail Ron Paul’s campaign:


    Update: The lawyer for Jesse Benton has responded to the government’s accusation that his client planned to leak documents to smear Sorenson if he did not agree to endorse Ron Paul. In a filing made to the federal court, Benton’s attorney, Roscoe Howard, said prosecutors are referring to an email Benton sent in late 2011, around the time Sorenson switched from endorsing the Bachmann campaign to endorsing the Paul campaign. In the email, Howard noted, Benton “threatened to expose Mr. Sorenson, believing that Mr. Sorenson was trying to blackmail the 2012 RP Campaign, if Mr. Sorenson did not make up his mind on whether to commit to the Ron Paul Campaign.”

    Howard wrote that it was “a knee-jerk, emotional reaction” and pointed out that Benton never followed through.

    They probably weren’t going to leak that email.

    Posted by Pterrafractyl | August 29, 2015, 5:16 pm
  12. It looks like Symphony, the new strongly-encrypted messaging system made by and for Wall Street’s ‘usual suspects’, has a strategy for assuaging its critics: turn this into a fight about Big Government and the invasion of privacy while touting how it will keep all those text messages nice and safe from hackers so regulators can access them when they request them:

    American Banker
    Note to Critics: Bank-Backed Message Service Not Backing Down
    By Penny Crosman
    September 1, 2015

    For a relatively simple software product that has not been released yet, the instant messaging service Symphony — which is backed by fifteen large banks — has generated a remarkable amount of buzz.

    A lot of it has been negative, led by policymakers such as Senate Banking Committee member Elizabeth Warren, who says the encrypted service would compromise regulators’ ability to root out fraud in big banks like the Libor rate-rigging scandal.

    Symphony Communication Services’ chief executive, David Gurle, has held several meetings with regulators from various agencies. He insists that in spite of the controversy and regulators’ questioning, the service will launch Sept. 15 as planned.

    To succeed Gurle will have to focus the discussion on the merits of the system and privacy concerns and away from critics’ opinions about its users, one observer said.

    “These are shots across the bow at Symphony’s investors, whom they perceive as bad actors, not at Symphony itself,” said David Weiss, senior analyst at Aite Group. “There’s no regulatory oversight of Symphony as a company by any of these folks.”

    The case of the instant messaging service that banks love and regulators shake their head at raises broad questions about the best ways to secure data, protect data privacy and comply with regulatory mandates, as well as whether governments should be allowed to have “back doors” to industry data — questions that affect all banks and their vendors.

    Controversial Software
    Symphony started as an in-house messaging project at Goldman Sachs. The bank worked with Gurle, who then was running a secure instant messaging startup called Perzo, and formed a consortium that bought out Perzo and renamed it Symphony Communications LLP.

    The key difference between Symphony and the incumbents is its ability to not only encrypt every message, but to allow each bank to hold the encryption keys to its own communications archive. Instant Bloomberg does not have such encryption built in and regulators have been able to review bank messages without having to ask the bank for them.

    For banks that use Symphony, regulators would not have such “back-door” access to messages. To access records, they would need to subpoena a bank for them, which is the normal procedure.

    In July the New York State Department of Financial Services sent a letter to Symphony’s management, asking questions about how it encrypts data and stores messages; other regulatory agencies have followed suit. In August, Sen. Warren, D-Mass., sent letters to six bank regulatory agencies about it and was quoted in many publications warning that Symphony could be used to circumvent compliance and regulatory review.

    “The communications that Symphony will allow companies to hide from ‘government spying’ — such as text messages and chat-room transcripts — have proven to be key evidence in previous regulatory and compliance cases that have uncovered criminal action by Wall Street,” Warren wrote in a letter to the Consumer Financial Protection Bureau. “If banks are now making this information more difficult for regulators to obtain and interpret, it could prevent regulators from identifying and preventing future illegal behavior.”

    Gurle sees the issue of providing back doors to governments as part of the national privacy debate.

    “You have to take two steps back and look at this from the big picture,” he said. “On one side, there’s privacy which we do have to protect. That’s a right we’ve earned over the course of our history. On the other hand, there are people who have bad intentions who have a desire for privacy. This requires the government to find different ways of getting information.”

    If federal regulations were to require Symphony to change its encryption policy and store keys so that it could provide government agencies with access to messages, those rules would logically also apply to other messaging applications that use encryption, including WhatsApp, Facebook and Apple iMessage, Gurle said.

    “I’ll give you my dream scenario: [policymakers] do understand value in encryption, for their work they do in regulating the financial markets and for the people being regulated,” he said. “Encryption is the right technology going forward. I think we’ve solved the question of encryption and compliance in a way that’s satisfactory.”

    Built-In Safeguards
    Encrypted messages cannot be modified, for instance. And the same type of back door that lets a government agency view messages could potentially be accessed by a hacker, Gurle and others said.

    Regulators’ concerns are overblown, said a banker involved in the project who spoke off the record.

    “It’s not Symphony’s responsibility to make the data available — it’s the bank’s responsibility,” the banker said. “If the regulator needs to see information, they’ll need to go to the bank directly.”

    As for the type of collusion that occurred in the Libor rate-rigging case, Symphony would automatically block such behavior because no more than two banks can access a chat room at any one time, the banker said.

    Gurle said he has explained to several regulators that Symphony helps banks comply with regulations. “We’ve educated them about how our system works, how we protect our customers’ privacy, how we protect data manipulation so they can be sure that what’s being recorded is compliant with [New York state regulatory] standards,” he said. The talks are ongoing.

    What Banks Like
    The fifteen financial institutions behind Symphony — Goldman Sachs, Bank of America Merrill Lynch, JPMorgan Chase, Citigroup, Morgan Stanley, Wells Fargo, Bank of New York Mellon, BlackRock, Citadel, Credit Suisse, Deutsche Bank, HSBC, Jefferies, Maverick Capital and Nomura — first and foremost like the security features that would protect their proprietary communications.

    “Symphony is the safest way to chat in the market today,” said the executive who spoke off the record. “That’s a result of the encryption technology that’s been built into the platform. … You could potentially hack it and get a packet, and it would be meaningless to you.”

    At the same time, the banker said, the banks will be fully compliant with regulatory requirements.

    “We would have the keys and the capability to decode messages so regulators can see what they need to see,” the banker said. “We’re not hiding the messages, but keeping them from people who shouldn’t have access, like hackers.”

    The software also has certain compliance safeguards: for instance, it does not allow salespeople and research people to talk to each other, per the Chinese wall banks are supposed to observe.

    Symphony also provides “smart filters” to help users find useful information. “Say you’re a buy-side analyst, and you’re receiving lots of inbound information and you spend a lot of time skimming through that looking for things that matter to you and to your portfolio,” Gurle said. A smart filter could more quickly sift through messages, Twitter feeds and other sources for relevant information.

    Over time, the platform will take on added capabilities, such as email and video, the banker said. It also allows more filtering, to let banks identify any improper behavior more quickly.

    Yes, the CEO of Symphony really made this argument:


    Symphony Communication Services’ chief executive, David Gurle, has held several meetings with regulators from various agencies. He insists that in spite of the controversy and regulators’ questioning, the service will launch Sept. 15 as planned.

    To succeed Gurle will have to focus the discussion on the merits of the system and privacy concerns and away from critics’ opinions about its users, one observer said.

    “These are shots across the bow at Symphony’s investors, whom they perceive as bad actors, not at Symphony itself,” said David Weiss, senior analyst at Aite Group. There’s no regulatory oversight of Symphony as a company by any of these folks.

    So people are concerned about the banks they perceive as ‘bad actors’ using a system that requires trust in those bad actors because it’s the bad actors, and not Symphony, that control access to the encrypted messages, and the argument by Symphony is not to worry because the bad actors, that happen to be investors in Symphony, don’t actually have any regulatory oversight over the company. Well that sure makes all those concerns just melt away!

    And, of course, as an anonymous banker involved in the project points out, “It’s not Symphony’s responsibility to make the data available — it’s the bank’s responsibility”:


    Regulators’ concerns are overblown, said a banker involved in the project who spoke off the record.

    “It’s not Symphony’s responsibility to make the data available — it’s the bank’s responsibility,” the banker said. “If the regulator needs to see information, they’ll need to go to the bank directly.”

    And that’s all part of why it’s going to be very interesting to see how much Wall Street attempts to turn this into a ‘private sector vs Big Brother’ policy debate. Because if Wall Street’s ‘bad actors’ are the keepers of the keys, the best way to generate public support for that system is to make the entities that might want those keys (the government and hackers) seem even worse:


    Gurle sees the issue of providing back doors to governments as part of the national privacy debate.

    “You have to take two steps back and look at this from the big picture,” he said. “On one side, there’s privacy which we do have to protect. That’s a right we’ve earned over the course of our history. On the other hand, there are people who have bad intentions who have a desire for privacy. This requires the government to find different ways of getting information.”

    If federal regulations were to require Symphony to change its encryption policy and store keys so that it could provide government agencies with access to messages, those rules would logically also apply to other messaging applications that use encryption, including WhatsApp, Facebook and Apple iMessage, Gurle said.

    “I’ll give you my dream scenario: [policymakers] do understand value in encryption, for their work they do in regulating the financial markets and for the people being regulated,” he said. “Encryption is the right technology going forward. I think we’ve solved the question of encryption and compliance in a way that’s satisfactory.”

    “Symphony is the safest way to chat in the market today,” said the executive who spoke off the record. “That’s a result of the encryption technology that’s been built into the platform. … You could potentially hack it and get a packet, and it would be meaningless to you.”

    At the same time, the banker said, the banks will be fully compliant with regulatory requirements.

    “We would have the keys and the capability to decode messages so regulators can see what they need to see,” the banker said. “We’re not hiding the messages, but keeping them from people who shouldn’t have access, like hackers.”

    “If federal regulations were to require Symphony to change its encryption policy and store keys so that it could provide government agencies with access to messages, those rules would logically also apply to other messaging applications that use encryption, including WhatsApp, Facebook and Apple iMessage, Gurle said.”

    Wall Street’s love-hate relationship with the Cypherpunk revolution is about to get a lot more loving.

    Posted by Pterrafractyl | September 3, 2015, 11:03 am
  13. Symphony, Wall Street’s fancy new bank-to-bank messaging system that sports super-encryption even the government can’t break, just went live. And they did so only after coming to an agreement with the New York Department of Financial Services over concerns that Symphony’s clients were going to be hiding incriminating evidence from regulators: Symphony agrees to keep copies of client messages for seven years. Additionally, for four banks – Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon – that are both investors in Symphony and, in most cases, perpetrators of the giant Libor-rigging cartel arranged via a chat system, they also have to give copies of their encryption keys to an independent custodian.

    So with those safeguards in place, Wall Street’s controlled information black hole is now a reality:

    Re/Code
    Messaging Service Symphony Dodges Regulatory Action Ahead of Launch

    By Arik Hesseldahl

    September 14, 2015, 6:59 PM PDT

    Symphony, the secure messaging company backed by 15 Wall Street banks, will launch on Tuesday after hammering out a deal with a regulatory agency that once threatened to shut down the first real challenge to the Bloomberg Terminal.

    Three years in the making, Symphony was born out of desperation among the world’s most powerful financial firms and investment houses to break free of Bloomberg’s stranglehold on financial software, data and news. Long before people used Facebook, MySpace, Twitter or AOL Instant Messenger, financial professionals depended on the terminal to chat with and keep track of one another. Today, the terminal confers status and privilege to the more than 325,000 financial pros who pay $24,000 a year to use it.

    Symphony’s cloud-based messaging service does two things: It uses advanced encryption techniques in order to keep sensitive messages — instant messages mostly — locked up and out of the hands of hackers. But since it’s designed for financial companies, which are required by law to keep copies of their messages for several years in case regulators or law enforcement ever needs them for an investigation, it has also been designed to work in concert with whatever compliance tools those companies have in place.

    So when the New York Department of Financial Services raised suspicions over the summer that banks might use Symphony’s encryption technology to avoid the prying eyes of regulators, it seemed plausible that the company could face restrictions on how it does business.

    That didn’t happen. Instead, on Monday Symphony announced a deal with the DFS under which it agreed to store for seven years copies of messages that its clients send on the service. Additionally, four banks (Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon) which are both customers of and investors in Symphony agreed to turn over copies of their encryption keys to an independent custodian. When a regulator wants to review encrypted messages, they will be able to decrypt them upon request.

    “The agreement is another positive development on the eve of Symphony’s launch,” the company said in a statement emailed to Re/code. “Symphony’s platform safeguards against cyber-threats while strengthening customers’ compliance operations and facilitating their ability to meet their regulatory obligations. Symphony can store data securely for as long as its customers request, and its end-to-end encryption ensures messages are secure. Symphony provides state-of-the-art cyber-security for institutions operating in complex regulatory environments.”

    It’s not entirely the end of the regulatory road for Symphony: Over the summer Sen. Elizabeth Warren wrote a letter to federal regulators expressing worries similar to those of DFS, and there are questions pending too from international regulatory bodies. But none of them are especially worrying to CEO David Gurle.

    “We’ve engaged in a series of meetings with regulators where we demonstrate that we have capabilities that can be used by regulators to carry out any kind of investigation they may want to do,” he told Re/code in an interview earlier this month. “What we do enhances the ability of our clients to meet their legal and regulatory obligations, but it also gives them the added benefit of secure communications.”

    Note that, while this is certainly a major victory for Symphony, it’s also just the New York state financial regulator that gave Symphony the green light. Federal and international regulators have yet to weigh in:


    It’s not entirely the end of the regulatory road for Symphony: Over the summer Sen. Elizabeth Warren wrote a letter to federal regulators expressing worries similar to those of DFS, and there are questions pending too from international regulatory bodies. But none of them are especially worrying to CEO David Gurle.

    Also note that, while four of Symphony’s investors have agreed to comply with additional rules mandating that copies of their encryption keys be kept with an independent entity, that still leaves ten other large financial entities (Bank of America, BlackRock, Citadel, Citigroup, Jefferies Group LLC, JPMorgan Chase & Co, Maverick Capital Ltd, Morgan Stanley, Nomura Holdings Inc and Wells Fargo & Co), many with highly questionable regulatory track records, that are presumably going to be using Symphony too, just not under the regulatory authority of the DFS.

    Will those other large firms also agree to additional scrutiny and oversight as Symphony’s debut gets underway? We’ll have to wait and see, but it’s worth noting that DFS “believes that the requirements included in today’s agreements should apply to all regulated financial institutions using Symphony in the future”:

    Financial Times
    Symphony reaches data deal with regulator.

    Gina Chon in Washington and Ben McLannahan in New York
    September 14, 2015 5:36 pm

    Goldman Sachs and Deutsche Bank are among four banks that have reached a record-keeping agreement with a New York regulator to settle concerns that some features of Symphony, the messaging tool, could hamper investigations.

    The Department of Financial Services, which has investigated the potential rigging of foreign exchange markets that involved chatroom messages, was concerned about the capabilities of Symphony, which is backed by some of Wall Street’s biggest institutions, including its “guaranteed data deletion” function.

    The DFS agreement, which also includes Credit Suisse and Bank of New York Mellon, takes some regulatory pressure off Symphony ahead of its launch Tuesday. The start up recently struck a deal with Dow Jones to offer news content in its service as it looks to battle Bloomberg, the market leader.

    As part of the agreement with DFS, Symphony for seven years will retain chatroom and other electronic communication sent through its platforms to or from the banks. The banks will also store duplicate copies of decryption keys for their messages with independent entities.

    In July, the DFS sent a letter to the banks under its jurisdiction asking for more information about Symphony’s features, such as “end-to-end encryption”.

    “We are pleased that these banks did the right thing by working cooperatively with us to help address our concerns about this new messaging platform,” said acting DFS superintendent Anthony Albanese. “This is a critical issue since chats and other electronic records have provided key evidence in investigations of wrongdoing on Wall Street.”

    It is unclear whether the 10 other financial institutions that back Symphony, but are not under DFS oversight, will agree to similar terms. The DFS said it “believes that the requirements included in today’s agreements should apply to all regulated financial institutions using Symphony in the future”.

    In August, Senator Elizabeth Warren sent a letter to six federal financial regulators raising concerns about Symphony, saying the service appears “to put companies on notice — with a wink and a nod — that they can use Symphony to reduce compliance and enforcement concerns”.

    Symphony has since modified its website. It no longer refers to the “guaranteed data deletion” and states that Symphony can be configured to operate with a customer’s archiving system, including messages that can be decrypted.

    So it’s unclear whether or not those 10 other Symphony investors will comply with the additional encryption-key rules, but DFS certainly thinks they should, and that the rules should also apply to all financial institutions using Symphony in the future. As Symphony ushers in the era of black hole digital record keeping for Wall Street this week, that gap between what regulators see as necessary and what Wall Street is actually doing is something worth keeping in mind.

    Posted by Pterrafractyl | September 15, 2015, 6:31 pm
  14. If you’re very patient and a fan of Tor but find it lacking in cryptographically-provable anonymity, it’s good you’re patient, because a much slower, but more secure, version of Tor is coming at some point:

    Vice
    Motherboard
    ‘Dissent,’ a New Type of Security Tool, Could Markedly Improve Online Anonymity

    Written by J.M. Porup

    September 16, 2015 // 04:00 AM EST

    Researchers at the Dissent Project are building a new kind of anonymity tool that, when used in conjunction with the Tor anonymity network, could significantly improve online anonymity.

    Unlike Tor’s onion routing architecture, which routes internet traffic through a series of “onion layers” to obscure your identity, Dissent implements a dining cryptographers network, or DC-net, which makes possible cryptographically-provable anonymity.

    The dining cryptographers problem was first proposed in 1988 by cryptographer David Chaum, and involves cryptographers trying to anonymously prove to each other whether or not the NSA paid their restaurant bill. (It’s a long story. You can read the paper here.)

    DC-nets are harder to conceptualize than onion-routing. The key takeaway is that, unlike onion routing, DC nets offer cryptographically provable anonymity—although at a much slower speed than Tor. For applications that do not require real-time interaction with another person or website, Dissent offers much stronger anonymity than Tor.

    “One of the most important things to understand about Dissent,” project lead Bryan Ford said over a Signal call, “is that it’s not going to be a drop-in replacement for Tor, at least not in its current form.”

    The problem with achieving provable anonymity in a DC-net is that it’s slow—slower than Tor. “DC-nets work because everyone broadcasts all their packets to everyone else,” Ford explained. “This ensures that a small number of dishonest actors cannot de-anonymize the channel…but it also slows things down.”

    Rather, he explained, as a DC-net, Dissent offers a provably anonymous way to publish, well, dissent—broadcast communication such as blogging, microblogging (e.g. Twitter), or IRC.

    “If you use DC nets to try to handle 10,000 concurrent point-to-point unicast communication channels, which is what Tor normally does, it’s not going to scale very well,” Ford said.

    One potential use for Dissent that would bolster a weakness of Tor, he explained, would be to create a privacy-preserving wifi networking layer.

    “Think of it as an enhanced router that has local area anonymity built in,” Ford said. “Any time you’re using this router, you’re using dining cryptographers anonymity, and all the nodes around the base station are indistinguishable from each other.”

    The anonymous LAN could be a home or a neighborhood or a campus network or even a corporate network.

    This would protect users against one of Tor’s weaknesses: the entry guard.

    “If you’re using Tor to get anonymity,” Ford said, “you are very sensitive to any failure of the security of your entry guard—the first node that your connection is going to. If that node is compromised or out to get you, there’s not much you can do. An attacker is probably going to get you soon, if they don’t immediately.”

    Ford hopes to make Tor entry guards more robust by making them part of a local Dissent DC-net. “So even if the entry guard is compromised,” he said, “even if the whole Tor path is compromised, the entry guard would still not be able to de-anonymize you.”

    Roger Dingledine, co-founder of the Tor Project, is optimistic about the future of Dissent. “Bryan Ford’s stuff is good research, well respected in the field,” he wrote in an email. “His designs are more amenable to proofs of security than Tor (good), but the tradeoff is that they don’t scale as well (bad), and they’re not as resilient to real-world things like denial of service attacks. That doesn’t make them useless; it just means they’re far earlier in the development process than Tor is.”

    Ford and his team have been working on Dissent for more than four years. He has high confidence that Dissent is solid under the hood, but more application-layer software engineering is needed before it will be ready for public use. “The anonymity engine works, it’s available, you can download the code,” he said. End users wanting to take it for a spin may have to wait a while, though. He’s reluctant to name a date for application release, but hopes to have something for users to play with by early next year.

    Tor isn’t going away any time soon. But, as Dingledine emphasizes, more research into anonymous communication is needed.

    And in case you were curious if Dissent, like Tor, is funded by DARPA….and…*drum roll*…let’s take a look at the Dissent project acknowledgements:


    Acknowledgements
    This material is based upon work supported by the National Science Foundation under Grant No. CNS-0916413, and supported by the Defense Advanced Research Agency (DARPA) and SPAWAR Systems Center Pacific, Contract No. N66001-11-C-4018. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, the Defense Advanced Research Agency (DARPA), and SPAWAR Systems Center Pacific.

    Posted by Pterrafractyl | September 22, 2015, 9:15 pm
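
The DC-net round described in the Motherboard piece quoted above, as an added example that is not part of the original comment and is not the Dissent project's code. It assumes every pair of participants already shares a secret random pad; all function names are hypothetical, and the message is constructed sample data.

```python
"""Toy dining-cryptographers (DC-net) round. Illustrative only, not Dissent's code."""
import secrets
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_pads(n: int, length: int) -> dict:
    """One secret random pad per pair of participants (assumed pre-shared)."""
    return {pair: secrets.token_bytes(length) for pair in combinations(range(n), 2)}


def run_round(n: int, sender: int, message: bytes, pads: dict = None):
    """Every participant broadcasts the XOR of all pads it shares with others.
    The sender additionally XORs the message into its own broadcast."""
    pads = pads if pads is not None else make_pads(n, len(message))
    broadcasts = []
    for i in range(n):
        out = bytes(len(message))
        for pair, pad in pads.items():
            if i in pair:
                out = xor_bytes(out, pad)
        if i == sender:
            out = xor_bytes(out, message)
        broadcasts.append(out)
    return pads, broadcasts


def combine(broadcasts: list) -> bytes:
    """Each pad appears in exactly two broadcasts, so XORing everything
    cancels every pad and leaves only the message."""
    result = bytes(len(broadcasts[0]))
    for b in broadcasts:
        result = xor_bytes(result, b)
    return result


def coalition_residuals(pads: dict, broadcasts: list, coalition: set) -> dict:
    """What colluding participants can compute: each honest broadcast with
    every pad known to a coalition member stripped off."""
    residuals = {}
    for i, out in enumerate(broadcasts):
        if i in coalition:
            continue
        for (a, b), pad in pads.items():
            if i in (a, b) and (a in coalition or b in coalition):
                out = xor_bytes(out, pad)
        residuals[i] = out
    return residuals


def alternate_world(pads: dict, message: bytes, a: int, b: int) -> dict:
    """A second, equally likely pad assignment that differs only in the pad
    shared by honest participants a and b (which no colluder knows)."""
    alt = dict(pads)
    key = tuple(sorted((a, b)))
    alt[key] = xor_bytes(pads[key], message)
    return alt


if __name__ == "__main__":
    msg = b"constructed msg!"          # constructed sample message
    pads, seen = run_round(4, sender=0, message=msg)
    print("recovered:", combine(seen))

    # Participants 2 and 3 collude. The same broadcasts are produced if
    # participant 1 were the sender under the alternate pad assignment,
    # so the coalition cannot tell participant 0 from participant 1.
    alt = alternate_world(pads, msg, 0, 1)
    _, seen_alt = run_round(4, sender=1, message=msg, pads=alt)
    print("indistinguishable:", seen_alt == seen)

    # If everyone except the sender colludes, no unknown pad is left.
    exposed = coalition_residuals(pads, seen, {1, 2, 3})
    print("sender exposed when all others collude:", exposed[0] == msg)
```

The cost Ford mentions is visible in `run_round`: every participant must broadcast a message-sized block in every round, whether or not it has anything to say.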
  15. Just FYI, if you can say you’ve never been a victim of some sort of ‘ransomware’ attack that’s great, but it’s going to be a lot harder to say that in the future once the ransomware bonanza begins now that it’s known that a single entity may be behind the massive $325 million Cryptowall 3.0 ransomware racket:

    The Register
    Lone wolves could be behind multi-million dollar Cryptowall ransomware racket
    Top tech firms say group is ‘immensely successful’

    30 Oct 2015 at 05:57, Darren Pauli

    A single group could be behind the monstrous Cryptowall 3.0 ransomware, widely considered to be one of the most menacing threats to end users that has fleeced victims of millions of dollars.

    Intel Security, Palo Alto Networks, Fortinet, and Symantec under the Cyber Threat Alliance have probed the net scourge revealing that the attackers are thought to be a single entity. That theory’s based on commonalities in the Bitcoin wallets they use to receive ransom payments.

    The findings are contained in the report Lucrative Ransomware Attacks (PDF). The document details the complexities of the ransomware menace that has forced users and businesses to pay criminals hundreds or thousands of dollars in individual ransoms for a key that can decrypt files.

    The authors assert that “… as a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity.”

    “When we examined the BTC (Bitcoin) transaction network stemming from the [ransom Bitcoin] wallets to what we considered to be final wallets, the financial impact was substantial.

    “A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits or botnets used to send spam email.”

    The group runs a well-oiled machine that the top tech team says has been “immensely successful” in fleecing cash. Authorities said earlier this year that CryptoWall had squeezed US$18 million from US victims alone in a little over a year.

    The encryption used by the malware is regarded as solid, with no known side-channel attacks through which less-professional and antiquated ransomware variants could be reversed without requiring payment.

    It is so professional that multiple security types and system administrators have told this reporter they recommend their clients and bosses just pay up.

    This week the FBI shocked no one in the security industry by recommending businesses just pay the criminals.

    Cryptowall ransom payments are also highly developed, with complex transaction flows that are hard to trace and span hundreds of Bitcoin addresses.

    About half of victims are based in the United States, however Australia is disproportionately represented in victim bases with at least 8000 infections hitting antipodean computers in the first six months of this year.

    So-called facilitators help petty criminals enter the game by pairing them with ransomware writers, illicit web traffic barons, and exploit kit delivery groups.

    “This week the FBI shocked no one in the security industry by recommending businesses just pay the criminals.”

    That’s the bad ransomware news this week. But there has been some recent good news. If you’re a victim of the ‘CoinVault’ ransomware scam and you haven’t yet paid the ransom but would still like to decrypt your files, there’s a new free tool you should learn about:

    Security Week
    Group Behind CryptoWall 3.0 Made $325 Million: Report

    By Eduard Kovacs on October 30, 2015

    Researchers representing security companies that are part of the Cyber Threat Alliance have conducted an in-depth investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware.

    While experts haven’t found a way to decrypt files encrypted by CryptoWall 3.0, not all ransomware is as efficient when it comes to holding files for ransom. Kaspersky announced this week that it has obtained all the decryption keys, roughly 14,000, needed to recover files encrypted by CoinVault and Bitcryptor ransomware.

    Kaspersky’s initiative was launched in April in collaboration with law enforcement authorities in the Netherlands. Victims of CoinVault and Bitcryptor are provided a free tool that they can use to decrypt their files.

    The announcement that all CoinVault encryption keys have been obtained comes after last month Dutch police reported arresting two individuals suspected of using this piece of ransomware to infect computers around the world.

    “The announcement that all CoinVault encryption keys have been obtained comes after last month Dutch police reported arresting two individuals suspected of using this piece of ransomware to infect computers around the world.”
    Yep, it appears that it was just two Dutch hackers behind the global CoinVault scam. Oops. But if they hadn’t, they would presumably still be out there ransoming people’s data.

    It’s all a reminder that the global nature of the internet, while awesome in many ways, also creates a rather tempting target for digital criminals since their potential list of crime victims now includes everyone on the planet with an internet connection.

    It’s also a reminder to not get too ‘click-happy’ with your email attachments.

    Posted by Pterrafractyl | October 31, 2015, 6:45 pm
  16. Digital communications technology, like all technology, is a double-edged sword. But here’s a reminder that digital communication technology in particular is, somewhat ironically, a double-edged sword that society has a hard time actually talking about:

    The Los Angeles Times

    FBI can’t figure out how to unlock encrypted phone in San Bernardino investigation

    By Brian Bennett

    February 9, 2016, 2:45 PM

    FBI technicians have been unable to unlock encrypted data on a cellphone that belonged to the terrorist couple who killed 14 people in San Bernardino on Dec. 2, the FBI director said Tuesday.

    The failure, the second such case in recent months, has left investigators in the dark about at least some of the married couple’s communications before they were killed in a shootout with police.

    “We still have one of those killers’ phones that we haven’t been able to open,” FBI Director James B. Comey told the Senate Intelligence Committee. “It has been two months now and we are still working on it.”

    FBI investigators have struggled to retrace the movements and plans of Syed Rizwan Farook and his wife, Tashfeen Malik, before and after they attacked a holiday party at the Inland Regional Center.

    The encrypted data could shed light on why Farook left a bag with several homemade pipe bombs in the conference room, whether they considered additional attacks, or whether the couple was in communication with anyone about their plans before the attack.

    So far, the FBI has said that it has found no evidence indicating the couple had received any outside direction or support. Farook, a county health inspector, had become self-radicalized via the Internet and he and his wife pledged allegiance to Islamic State on the day of the mass shooting.

    Comey did not describe the phone’s model or say if it belonged to Farook or Malik.

    Several cellphone models, including Apple’s iPhone 6 and Samsung’s Galaxy S6, use advanced encryption algorithms that scramble all the data on the device when a pin code is set.

    Encrypted cellphones and text messaging apps have made it harder for investigators and intelligence services to track suspected plots in real time, or trace locations and connections once they acquire a suspect’s device, Comey said.

    In December, Comey said that one of two gunmen who sought to attack a Muhammad cartoon contest in Garland, Texas, last May 3 had exchanged 109 electronic messages with “an overseas terrorist” that morning.

    “We have no idea what he said, because those messages were encrypted,” he told the Senate Judiciary Committee at the time.

    Law enforcement officials have warned for more than a year about their inability to access data on encrypted phones, even after a cellphone company or carrier is served with a warrant.

    Companies insist they don’t keep a separate, “back door” key to unscramble the device’s memory because that would weaken security and privacy.

    “I don’t want a back door. … I would like people to comply with court orders, and that is the conversation I am trying to have,” Comey said Tuesday.

    “I don’t want a back door. … I would like people to comply with court orders, and that is the conversation I am trying to have.”
    Keep in mind that when FBI director Comey says:

    “I don’t want a back door. … I would like people to comply with court orders, and that is the conversation I am trying to have,”

    it’s basically a nonsense statement since the ability of companies to comply with those court orders would require the companies themselves to have a ‘back door’, which clearly isn’t the case when dealing with the types of phones used by the San Bernardino terrorists. But also keep in mind that Comey is using the same argument frequently used by privacy activists in defense of strong encryption without ‘back doors’ who proclaim that authorities should just get a warrant. It’s a reminder that there’s a LONG way to go before society arrives at some sort of consensus, even a temporary consensus, regarding the proper balance to strike with these types of technologies since the debate being fed to the public at large on all sides is still largely incoherent.

    With that in mind, here’s an article about a recent Harvard study that found that law enforcement’s claims that strong encryption is hindering their investigations are wildly overblown. While that might sound like the kind of findings that would please privacy activists, they probably won’t be super enthusiastic about the rest of the study’s findings:

    CNet
    Law enforcement’s encryption claims overblown, study finds

    The surge in Internet-connected devices will offer ample new surveillance opportunities, according to a Harvard study.

    February 1, 2016 5:00 PM PST

    by Steven Musil

    Encryption may not protect criminals as much as we have been led to believe.

    The FBI and other law enforcement authorities are exaggerating the extent that criminals are using encryption to avoid surveillance, or “go dark,” according to a study released Monday by Harvard. The study, which included participation from current and former intelligence officials, found that myriad new Internet-connected technologies such as smart-home products allow new opportunities for surveillance activities.

    “The ‘going dark’ metaphor does not fully describe the future of the government’s capacity to access the communications of suspected terrorists and criminals,” said the study (PDF), published by the Berkman Center for Internet and Society at Harvard.

    The report conceded that the increased availability of encryption products impedes government surveillance under certain circumstances. But it also concluded that the burgeoning market for Internet-connected devices will “likely fill some of these gaps and…ensure that the government will gain new opportunities to gather critical information from surveillance.”

    The study’s findings come amid a mounting war of words between tech companies and policy makers, who contend that terrorist groups are benefiting from encryption, the technology that jumbles communications and files so that only the intended recipient can read them. Tech companies have become increasingly diligent about including encryption in products and services in the wake of revelations about US government surveillance programs from documents leaked by former NSA contractor Edward Snowden.

    Apple’s iMessage text message program uses encryption, as does Facebook’s WhatsApp. Google, Yahoo and a bunch of other tech companies have begun scrambling information sent between their servers. These security features, which aim to keep prying eyes from seeing what’s going on inside, are often now turned on by default and easy to use.

    After deadly attacks in Paris late last year, questions arose about whether the technology industry has a duty to help the government view encrypted conversations in the name of stopping terrorism. Tech companies have countered that it’s impossible to let government agencies break encryption without letting criminals do the same.

    The Harvard study predicted that a host of Internet-connected devices, including TVs, cars, cameras, thermostats and even toasters, come packed with sensors and wireless connectivity that offer new opportunities for tracking suspects.

    “Law enforcement or intelligence agencies may start to seek orders compelling Samsung, Google, Mattel, Nest or vendors of other networked devices to push an update or flip a digital switch to intercept the ambient communications of a target,” the study said. “These are real products now.”

    The plethora of Internet-connected devices also raises difficult questions about consumer privacy that need to be addressed, the study suggested.

    “We should be thinking now about the responsibilities of companies building new technologies, about new operational procedures and rules to help the law enforcement and intelligence communities navigate the thicket of issues that will surely accompany these trends,” the study concluded.

    “The report conceded that the increased availability of encryption products impedes government surveillance under certain circumstances. But it also concluded that the burgeoning market for Internet-connected devices will “likely fill some of these gaps and…ensure that the government will gain new opportunities to gather critical information from surveillance.”
    That’s right, according to the study, the Internet of Things is going to fill our world with so many networked devices filled with all sorts of sensors that we basically don’t need to worry about strong encryption blocking investigations because there’s going to be so many surveillance alternatives that could also be used to spy on us beyond our personal computers and smartphones. Law enforcement is simply going to start turning the Internet of Things into a new spy network:

    The Harvard study predicted that a host of Internet-connected devices, including TVs, cars, cameras, thermostats and even toasters, come packed with sensors and wireless connectivity that offer new opportunities for tracking suspects.
    “Law enforcement or intelligence agencies may start to seek orders compelling Samsung, Google, Mattel, Nest or vendors of other networked devices to push an update or flip a digital switch to intercept the ambient communications of a target,” the study said. “These are real products now.”

    Now, it’s unclear if being able to turn internet connected refrigerators into wifi spying devices would be of any help at all in the San Bernardino investigation. But it does highlight one of the disturbing aspects of the digital future: concerns over your personal digital privacy are going to be a lot harder to adequately address when we’re all immersed in a sea of potential spy devices. And if law enforcement can use this growing infrastructure, you can bet the personal data collection industries are going to be using those capabilities too.

    So the overall message of the study appears to be “strong encrypt without back doors all you want, you’re still going to be highly surveillable because there’s no possible way all these new devices are also going to be strongly encrypted and unhackable too.” And that’s probably going to be the case for a large number of internet connected devices unless consumers are willing to pay extra to buy the hack-proof, strongly encrypted internet connected toaster.

    Still, that’s just the status of things today. As homes become “smart homes” and all our devices start getting hooked up together in one big network, your hackable toaster could end up being a gateway into the rest of your devices and be an avenue for serious damage (imagine devices that could be hacked to overheat and start a fire or something). So who knows, following a few Internet of Things mega-hacks that cause widespread physical damage, turning internet connected devices into untamperable and unhackable black boxes might be standard operating procedure. And given the way technology seems to develop, super-damaging Internet of Things mega-hacks seem like one of those events that’s basically an inevitability and probably a future New Normal.

    So enjoy the temporary quasi-mootness of the debates over strong encryption and ‘back doors’ while we enjoy the explosion of the Internet of Things. Let’s just hope that process involves mostly just spying and doesn’t include too many actual explosions.

    Posted by Pterrafractyl | February 10, 2016, 4:12 pm
  17. Reminiscent of Uber’s previous attempt to remotely encrypt corporate data before Canadian investigators could seize it, Uber just gave us another example of how encryption is going to help the companies that behave like Uber unfortunately continue behaving like Uber.

    How so? Well, in this case, Uber hired a private intelligence firm, Ergo, to investigate Andrew Schmidt, a labor lawyer suing them for anti-trust violations. And, as Uber is prone to do, the investigation was so over-the-top and bordering on fraud that a judge ruled that Uber has to turn over its communication with Ergo to the plaintiffs.

    But here’s the catch: those communications almost all took place via Wickr, an encrypted chat app that auto-deletes messages after a set period. So now there’s no way to establish whether or not Uber approved of Ergo’s illegal tactics. Oh well:

    The Verge

    How Uber secretly investigated its legal foes — and got caught

    Faced with a class action suit, the company hired a CIA-linked intelligence firm to look into the plaintiffs and their lawyer, but a judge says they may have gone too far

    By Russell Brandom and Andrew Hawkins on July 10, 2016 05:00 pm

    When a young labor lawyer named Andrew Schmidt first filed suit against Uber in December of last year, he couldn’t have predicted it would make him a target. Schmidt’s suit was a legal long shot, alleging that Uber CEO Travis Kalanick coordinated surge pricing in violation of anti-trust laws — but those legal arguments would soon be overshadowed by something much stranger.

    A few weeks after the case was filed, Schmidt found out he was being investigated. According to a court declaration made by Schmidt and his colleagues, someone had called one of Schmidt’s lawyer friends in Colorado to ask some strange questions, claiming it was for a project “profiling up-and-coming labor lawyers in the US.” What was the nature of his relationship with the plaintiff? Who was the driving force behind the lawsuit? Calls were also allegedly made to acquaintances of Schmidt’s client, Spencer Meyer, with a similar proposal to profile “up-and-coming researchers in environmental conservation.”

    Schmidt reached out to Kalanick’s lawyers, but they said Uber wasn’t involved, writing back, “Whoever is behind these calls, it is not us.”

    A month later, those same lawyers called back to admit that wasn’t strictly true. Schmidt and his client were being investigated by a secretive research firm, staffed by veterans from the CIA and the National Security Council, on behalf of Uber’s top executives. As soon as the lawsuit was filed, those executives took an interest in Schmidt and his client, sending out operatives to dig up what they could find on Uber’s new antagonists.

    That investigation has turned into a legal disaster for Uber, and the presiding judge has already ruled the evidence constitutes “a reasonable basis to suspect the perpetration of fraud.” The result is a rare window into how one of the most powerful and litigious companies in the world responds to a major class action lawsuit. As Uber continues to attract new lawsuits and accusations, the investigation into Schmidt and his colleagues shows just how far the company will go to defend its position, both inside and outside the courtroom.

    According to internal Uber emails, the investigation began with a note from Uber’s general counsel, Sallie Yoo. The day that Schmidt filed the complaint against Kalanick, Yoo sent an email to Uber’s chief security officer, saying, “Could we find out a little more about this plaintiff?” The request was forwarded to the company’s head of Global Threat Intelligence, Mathew Henley.

    By the end of the week, Henley was on the phone with a corporate research firm called Ergo, also known as Global Precision Research LLC, asking for help with “a sensitive, very under-the-radar investigation.” After a few emails, Henley worked out the terms of the deal with an Ergo executive named Todd Egeland. It would be a “level two” investigation, the middle of the three levels of work offered by Ergo. It would be drawn from seven source interviews conducted over the course of 10 days, for which Uber would pay $19,500. As with any Ergo investigation, the confidentiality of the client was paramount, and sources were never meant to know who was paying for the research. “We do quite a bit of this work for law firms,” Egeland reassured him. (Ergo did not respond to requests for comment.)

    There was one other wrinkle, expanding the scope beyond Schmidt’s client to Schmidt himself. “I suggest that you may also wish for some details on the plaintiff’s relationship with the lawyer,” Egeland wrote to Henley in one email. “They outwardly appear to be at least college, if not life-long, friends.”

    Henley approved the deal, writing back, “All looks good guys, thanks.”

    From there, the facts of the investigation become less clear. According to Schmidt and his team, Ergo contacted 28 different friends or co-workers of the plaintiff, each time claiming to be looking for information on “up-and-coming researchers in environmental conservation” or something similarly vague. The plaintiffs say those claims were false, and could be grounds for fraud.

    Uber was treading on dangerous ground by even commissioning the investigation, some experts say. “This is a very unusual situation and one that raises real risks,” says Michael Volkov of the Volkov Law Group, who has written extensively on third-party due diligence. “Going around and conducting interviews of people associated with the case, who may become witnesses, is really unseemly.”

    It’s not uncommon for firms to do basic background research on a plaintiff or opposing counsel. Facebook engaged in a similar investigation with a firm called Kroll in a 2011 case contesting Zuckerberg’s ownership of the company, although no impropriety by the investigators was ever alleged. But that research is typically conducted through online searches and public records requests, and anything involving direct contact with possible parties to the case is seen as far more delicate. “Commissioning the investigation without meaningful guidance on how it is conducted shows either naivete or that they just did not care about complying with appropriate restrictions on such investigations,” Volkov says.

    The judge hearing Uber’s case appears to have agreed. On June 7th, Judge Rakoff ruled that Schmidt and his colleagues had shown enough evidence to provide a reasonable perception of fraud, giving plaintiffs the right to examine emails and other documents exchanged between Uber and Ergo. According to the ruling, Ergo’s investigation was “raising a serious risk of perverting the process of justice before this court.” With that ruling, what began as an antitrust case has become a parallel case about exactly how far Ergo went, and how much Uber knew about it.

    The implications go far beyond a single case. Uber is currently litigating 70 different federal lawsuits, which range from accusations of wage theft to fundamental questions of worker classification. Any one of those cases could be a tempting target for third-party research firms like Ergo. According to a sworn deposition from an Ergo employee, this was the fourth time Uber hired the company for research, although it’s unclear whether the other cases involved an active trial. Given the volume of cases against Uber and the routine way in which the investigation was assigned, it’s plausible the company was contracting with other research firms.

    It’s not the first time Uber has shown an appetite for researching the company’s critics. In a private dinner in 2014, Uber executive Emil Michael outlined a plan to spend a million dollars collecting opposition research on journalists who cover Uber unfavorably, suggesting the company could investigate “your personal lives, your families.” Uber’s CEO later condemned the comments, and there’s no indication such a program was ever put into place.

    Founded in 2006, Ergo provides data analysis and business consulting for a range of private clients, according to its website, but its main goal is the delivery of “ground truth and actionable intelligence obtainable only from frontline sources.” It boasts of working on 800 projects in 120 countries, from searching for fraud in Iraqi shipping deals to advising on Ugandan oil contracts. It is headquartered in New York City, but has offices in Phoenix, Arizona and Yangon, Myanmar.

    The company’s founder, Randolph Post “R.P.” Eddy, has a long history of work in both counterterrorism and diplomacy. He served as director of counterterrorism at the White House National Security Council during the Clinton administration, chief of staff to US Ambassador to the United Nations Richard Holbrooke, and senior policy officer for UN Secretary-General Kofi Annan. Eddy helped found the New York Police Department’s counterterrorism center, serves on numerous boards and think tanks, and has appeared frequently on national television in his capacity as an expert on terrorism. Egeland, the firm’s managing director, testified that prior to working at Ergo, he served at the Central Intelligence Agency for 28 years.

    Uber communicated with Ergo largely over encrypted channels. Henley explained in one email that this was necessary to “avoid potential discovery issues.” (A subsequent Uber filing characterizes the reasoning differently, saying encryption was necessary “to protect against data breaches of Ergo’s mail servers.”) Initial emails were encrypted with PGP — specifically the Enigmail extension — but after a number of emails failed to decrypt, Henley suggested moving the conversation to the encrypted chat app Wickr, saying, “Nothing’s worse than the 30 years of attempted PGP mail client integrations.”

    Wickr automatically deletes messages after a preset period of time (typically 72 hours), and Uber executives have testified that it is a common tool for internal communications. After Henley’s suggestion, PGP emails dropped off entirely, except to transmit some preferred legal language three days later and submitting the final report 12 days after that.

    Presented with a court-mandated discovery order, Uber provided decrypted versions of the PGP emails, but the Wickr conversations have proven to be more of a challenge. Although email records show Henley exchanging Wickr screen names with Ergo executives, Henley denied directly communicating over the service in a sworn deposition. Given Wickr’s automatic deletion system, that claim is impossible to disprove.

    Uber says it initially reached out to Ergo to assess whether Meyer, the plaintiff, posed a direct threat to Kalanick. Joe Sullivan, Uber’s chief of security, testified that because Spencer Meyer’s antitrust suit specifically named Kalanick as the defendant, as opposed to the $62.5 billion company he runs, it was prudent to look into Meyer’s background to see if he “had it in for our CEO.”

    “I’m always on the lookout when situations arise that could be a cause for concern,” Sullivan said. “And I’m always careful to make sure that we do our diligence in those situations.”

    Sullivan also noted it was “an unusual situation” for Kalanick to be named specifically in the suit. However, Uber passengers are subject to user agreements that require them to resolve disputes through arbitration, and suing Kalanick may have been a way around that clause. Tellingly, Uber filed court documents July 8th that would compel Meyer to settle his case through arbitration.

    Despite Sullivan’s concerns, internal Ergo emails show more of an interest in reputational damage than physical threat. In one of the first available emails sent while compiling the report, a supervisor asks, “Do we have enough negative things said about Meyer [the plaintiff] to write a text box?” When those facts proved hard to come by, the primary investigator, Miguel Santos-Neves, eventually replied, “One did say that he was enamored with ideas and may be unfamiliar with the realities and demands of the real world.” The supervisor replied, “Perfect.”

    The final report notes that Meyer “may be particularly sensitive to any actions that tarnish his professional reputation.” Neither the report nor any of the available communications between Ergo and Uber make any reference to Meyer as a possible security threat to Kalanick.

    On March 22nd, as Schmidt and his colleagues were demanding answers on the scope of the investigation, Ergo arranged a private meeting with Uber’s global threat team. In the meeting, Ergo acknowledged that the investigation had gone beyond the appropriate scope, blaming the overreach on “an employee who had gone rogue” — apparently a reference to Santos-Neves.

    However, Santos-Neves testified that his supervisors never reprimanded him, nor gave any indication that his tactic of misrepresenting himself in interviews with Meyer’s acquaintances violated Ergo’s protocols. In fact, he implied that it was necessary in order to shield Uber’s involvement. “The confidentiality of our clients is of utmost importance,” Santos-Neves testified. “One of the ways that we maintain that confidentiality is by, as I said earlier, crafting questions that can, you know, maintain that confidentiality.” He added, “We can be sort of vague about our intentions.”

    In a filing last night, Uber pushed back against the allegations of fraud, arguing its contract with Ergo had specified that the investigation be both lawful and professional, and neither Kalanick nor Uber had any idea an investigator might stray beyond that. “Uber took reasonable steps to ensure that Ergo complied with the law,” the filing reads. “It is undisputed that Uber and Mr. Kalanick were unaware that Ergo would use misrepresentations during its investigation.”

    “The implications go far beyond a single case. Uber is currently litigating 70 different federal lawsuits, which range from accusations of wage theft to fundamental questions of worker classification. Any one of those cases could be a tempting target for third-party research firms like Ergo. According to a sworn deposition from an Ergo employee, this was the fourth time Uber hired the company for research, although it’s unclear whether the other cases involved an active trial. Given the volume of cases against Uber and the routine way in which the investigation was assigned, it’s plausible the company was contracting with other research firms.”

    Yeah, we probably shouldn’t be super shocked if it turns out that Uber’s been hiring Ergo to fraudulently dig up dirt on Uber’s many plaintiffs. Of course, given the apparent secrecy that’s involved in Uber’s communications with Ergo, we also shouldn’t be super shocked if we never find out about the targets of those other investigations or at least the content of what they investigated. Thanks to fun encrypted chat apps like Wickr that allowed Uber and Ergo to “avoid potential discovery issues”:

    Uber communicated with Ergo largely over encrypted channels. Henley explained in one email that this was necessary to “avoid potential discovery issues.” (A subsequent Uber filing characterizes the reasoning differently, saying encryption was necessary “to protect against data breaches of Ergo’s mail servers.”) Initial emails were encrypted with PGP — specifically the Enigmail extension — but after a number of emails failed to decrypt, Henley suggested moving the conversation to the encrypted chat app Wickr, saying, “Nothing’s worse than the 30 years of attempted PGP mail client integrations.”

    Wickr automatically deletes messages after a preset period of time (typically 72 hours), and Uber executives have testified that it is a common tool for internal communications. After Henley’s suggestion, PGP emails dropped off entirely, except to transmit some preferred legal language three days later and submitting the final report 12 days after that.

    Presented with a court-mandated discovery order, Uber provided decrypted versions of the PGP emails, but the Wickr conversations have proven to be more of a challenge. Although email records show Henley exchanging Wickr screen names with Ergo executives, Henley denied directly communicating over the service in a sworn deposition. Given Wickr’s automatic deletion system, that claim is impossible to disprove.

    “Presented with a court-mandated discovery order, Uber provided decrypted versions of the PGP emails, but the Wickr conversations have proven to be more of a challenge. Although email records show Henley exchanging Wickr screen names with Ergo executives, Henley denied directly communicating over the service in a sworn deposition. Given Wickr’s automatic deletion system, that claim is impossible to disprove.”

    Self-deleting encrypted messaging services for corporate communications. That sure is convenient! And almost certainly the future. At least the future of corporate communications involving content that could raise “potential discovery issues”.

    We’ll see if Uber can use encryption to dodge another legal bullet. Either way, it seems like a given that corporate investigations are going to be less and less feasible as corporations learn more about all the great legal features that come with systems like Wickr and make a habit of using them.

    But at least now we know that if you file a lawsuit against Uber, you probably want to have a chat with your friends and colleagues about what they should say when they suddenly get random inquiries about you ‘for a project profiling up-and-coming lawyers in the US’. Having your friends and colleagues inform the mystery caller about the judge’s findings in this current case against Uber and the legal implications of fraudulently investigating a plaintiff is one possible approach. There are others…

    Posted by Pterrafractyl | July 14, 2016, 8:29 pm
  18. Here’s a new technological twist to the 5th Amendment conundrums raised by ubiquitous unbreakable encryption technology on ubiquitous personal information gathering devices (smartphones): a federal judge reportedly issued a secret order to a defendant accused of prostituting underage girls against their will to unlock his iPhone using his fingerprint. While the Supreme Court has yet to clarify the 5th amendment issues associated with ordering defendants to unlock devices using some sort of biometric method, that’s still assumed to be more likely to be constitutional than ordering someone to give their passcode (the “strong box with a key” vs “wall safe with a combination lock” legal scenarios). So this order may or may not be constitutional. A Supreme Court ruling is going to be required to settle the issue.

    But in this case, ordering the defendant to use his fingerprint to unlock the phone didn’t end up unlocking the phone. Why? Because iPhones set up to use fingerprint scans instead of a password automatically require a password if the phone hasn’t been unlocked for at least 48 hours. At that point, the phone effectively has a “strong box” and a much more constitutionally protected “wall safe” protecting its contents.

    So while these secret court orders to use fingerprints to unlock a smartphone are relatively rare at this point, we probably shouldn’t be surprised if there’s a flurry of similar new court orders now that it’s clear that the “strong boxed” smartphones just might gain a “wall safe” in 48 hours or less:

    Ars Technica

    Apple’s Touch ID blocks feds—armed with warrant—from unlocking iPhone
    Supreme Court has not ruled about compelled unlocking of fingerprint-locked devices.

    David Kravets – 7/24/2016, 11:00 AM

    A Dallas, Texas man accused of prostituting underage girls was secretly ordered by a federal judge to unlock his iPhone using his fingerprint, according to federal court documents that are now unsealed.

    It’s rare that we see a case demanding that a phone be unlocked in that manner, but we should expect more as the mainstream public begins embracing fingerprint technology. Ever since 2013, when Apple popularized this form of unlocking technology, legal experts have predicted that these types of government demands would slowly become more common. Experts also warned these demands are probably not a breach of the Fifth Amendment right against compelled self-incrimination.

    As an aside, some courts don’t necessarily think that compelling a suspect to reveal their computer passcode is a constitutional violation. A Philadelphia man accused of possessing child pornography has been behind bars on a contempt charge for more than seven months for refusing to divulge his password. The man’s attorney claims it’s a constitutional violation to compel his client to assist the authorities with their prosecution. A federal appeals court has tentatively agreed to hear the case in September as the suspect (who has not been charged with a crime) remains in prison.

    The Dallas fingerprinting issue involving Martavious Banks Keys was first unearthed by Forbes. The Keys prosecution paints a picture of greed and cruelty, but it also highlights how far the authorities are willing to go to obtain encrypted material on locked mobile phones.

    Even so, the government’s efforts in this instance were not successful, according to court documents. The authorities were unable to access the phone’s contents. The reason is most likely because, if an iPhone that has been fingerprint enabled has not been used for at least 48 hours, both the password and fingerprint are required to unlock it.

    “Unable to obtain forensic aquisition (sic) of the described device,” a federal agent wrote in a search warrant return that was recently unsealed.

    Here’s Magistrate Judge Irma Ramirez’s now-unsealed order demanding the defendant’s cooperation: “It is further ordered that Martavious Banks Keys shall cooperate with the Agent selected by the government in providing his fingerprints to aid in unlocking his Apple iPhone Model 5S, currently in the custody of the government.” The order was issued on May 26.

    Because the litigation over the defendant’s iPhone had been shrouded in secrecy, it is unclear whether the government has accessed the phone’s contents via another method. What’s more, it is not known whether the authorities have sought to compel the defendant to unlock his phone with his passcode in addition to his fingerprint. Keys remains behind bars, so he is unlikely to care if a judge holds him in contempt.

    Keys’ attorney is John Nicholson, a federal public defender in Dallas. Nicholson did not immediately respond for comment. Federal prosecutor Cara Foos Pierce also did not immediately respond for comment.

    The law on the topic is unsettled. Only a smattering of legal rulings have involved somebody being compelled to use their fingerprints or disclose a password. The Supreme Court has yet to rule on either of the hot-button topics.

    Many legal scholars, however, assert that forcing somebody to turn over a passcode is a constitutional violation because it requires somebody to use their mental state against them. But many scholars think differently when it comes to fingerprints.

    “But if we move toward authentication systems based solely on physical tokens or biometrics—things we have or things we are, rather than things we remember—the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply,” Marcia Hoffman, a well-respected privacy attorney, wrote in 2013.

    “Even so, the government’s efforts in this instance were not successful, according to court documents. The authorities were unable to access the phone’s contents. The reason is most likely because, if an iPhone that has been fingerprint enabled has not been used for at least 48 hours, both the password and fingerprint are required to unlock it.”

    Part of what makes this technology that adds a “wall safe” password only after a user-set period of time has passed is that it creates a situation where authorities could reasonably wonder, at the moment of arrest, just how much time is left before the 48 hours expires and the phone gets extra constitutional protection. Is there 48 hours left before the passcode requirement kicks in or 48 seconds? Unless you just saw the suspect talking on the phone that’s an open question. So with cases like this taking place while the “strongbox vs wallsafe” 5th Amendment issue is still heading towards the Supreme Court, it will be interesting to see if this “wall safe on a timer” technology ends up making it constitutionally easier for authorities to demand that suspects with fingerprint-protected iPhones immediately unlock their phones before the passcode requirement gets activated. That would be a bit ironic.

    Posted by Pterrafractyl | August 4, 2016, 9:33 pm
