
New York Prosecutor Calls for Law to Fight Apple Data Encryption - declan
http://www.bloomberg.com/news/2015-01-06/new-york-prosecutor-calls-for-law-to-fight-apple-data-encryption.html
======
declan
This is not the first time such a law has been proposed. In 1997, a House of
Representatives committee approved a ban on domestic encryption without
backdoors for .gov access. Here's an excerpt from the SAFE Act, as it was
called back then:

 _`Whoever, after January 31, 2000, sells in interstate or foreign commerce
any encryption product that does not include features or functions permitting
duly authorized persons immediate access to plaintext or immediate decryption
capabilities shall be imprisoned for not more than 5 years, fined under this
title, or both...

After January 31, 2000, it shall be unlawful for any person to manufacture for
distribution, distribute, or import encryption products intended for sale or
use in the United States, unless that product [...] permits immediate
decryption of the encrypted data, including communications, upon the receipt
of decryption information by an authorized party in possession of a facially
valid order [and] allows the decryption of encrypted data, including
communications, without the knowledge or cooperation of the person being
investigated..._ [http://thomas.loc.gov/cgi-
bin/cpquery/T?&report=hr108p4&dbna...](http://thomas.loc.gov/cgi-
bin/cpquery/T?&report=hr108p4&dbname=105&)

Think of how that would have affected Linux (Android uses dm-crypt for FDE),
open source, Github, etc.

That 1997 bill is remarkably similar to what the FBI and its law enforcement
allies, including the district attorney quoted in the linked article, want
today. And remember that bill was not theoretical. It was approved and sent to
the House floor for a vote -- and was defeated only because of a hastily-
assembled alliance of tech firms and privacy groups.

I disclosed in a 2012 article for CNET, before I left to found
[http://recent.io/](http://recent.io/), that FBI general counsel's office has
drafted related legislation mandating backdoors even before the current flap
over Android and iOS FDE.

 _" If you create a service, product, or app that allows a user to
communicate, you get the privilege of adding that extra coding," an industry
representative who has reviewed the FBI's draft legislation told CNET._
[http://www.cnet.com/news/fbi-we-need-wiretap-ready-web-
sites...](http://www.cnet.com/news/fbi-we-need-wiretap-ready-web-sites-now/)

HN readers may want to pay attention...

~~~
Nanzikambe
> Think of how that would have affected Linux (Android uses dm-crypt for FDE),
> open source, Github, etc

A concern of mine is that unlike the others you mention, Apples software isn't
open - we have no ability to check there aren't already backdoors resulting
from secret court orders.

Perhaps going forward 2015 going "open" will be the only way to build trust
with a client is offer an open or reproducible means to replicate any claims
made about suitability of encryption and lack of a backdoor both on client and
server.

~~~
sjwright
You can't really check Android binary distributions either.

~~~
Nanzikambe
Indeed not and there're also other concerns in that sphere (baseband and the
underlying network/protocols, SS7 etc).

But there's some movement in the right direction (Cyanogen, F-droid and the
various open phone hardware projects)

------
lifeisstillgood
Greenyoda's comment that "speaking a language the police don't understand
should be a crime by this logic" is I think the neatest encapsulation of the
issues. It gets around all the technical issues and worries and strikes at the
heart of the problem - the police should and can put away criminals without
needing access to the private conversations the criminals have. Fingerprints,
CCTV, loot stashed under the bed have all been good enough for a long time
now.

The crimes that are committed solely online are few and mostly fraud by
deception. There are clear issues with deceiving people in a language they
don't understand.

So I like the metaphor (or analogy I'm not sure)

~~~
sarciszewski
Totally agree.

Most peoples' eyes glaze over when you talk about things like Shannon's Law,
cipher strength, entropy, backdoors, authentication vs encryption, trust
models, metadata (which IS data, goddammit), and threat models.

This avoids all the complexity without losing the core issue.

------
greenyoda
_" Federal and state governments should consider passing laws that forbid
smartphones, tablets and other such devices from being 'sealed off from law
enforcement,' Manhattan District Attorney Cyrus Vance said today..."_

If they ever pass these laws, the next step would be to outlaw encrypting the
hard drive on your laptop or using PGP to encrypt your e-mail. Also, speaking
on the phone in a language that the police don't understand could be made a
crime.

~~~
nasmorn
The Language thing is unnecessary. Since they record all calls they can find
someone to translate later. But maybe you're right and that is too much
trouble for them.

~~~
wnevets
or you could make up your own language, maybe should sort of encrypted speech.

~~~
belovedeagle
This is the problem I see with outlawing encryption entirely. At what point
does something become "encrypted" w/r/t the law? This may seem like a silly
question, but I think it's a real concern:

Is rot13 encryption? (No, of course not!, you say.)

How about a shift cipher with an unknown distance? (Well... it's just as
trivially breakable as rot13..., you say.)

How about a book cipher? This one I particularly like, being quite amenable to
your idea of "encrypted speech": does reading out a book cipher over the phone
constitute "encryption" in some sense? And I also considered it for the
lavabit case: if the gov't has a wiretap warrant for your phone, under their
reasoning in lavabit, couldn't they compel you to disclose the key to the book
cipher in that case? That seems to be crossing the 5th amendment line there,
to me; toeing the line of the 1st and 4th as well. And so, I thought at the
time, it seems pretty obvious that the "assistance" clause of the wiretap law
did /not/ compel revealing the key any more than it would compel revealing the
key of the spoken book cipher.

~~~
gizmo686
This type of ambiguity is not uncommon in law. My guess would be that they
would look at intent (ie, did you manipulate the message to make it difficult
for a third party to understand), as well as defectiveness (ie, rot26 is so
stupid that we will only charge you with attempted encryption).

------
throwaway1856
This is really about law enforcement being too lazy to do their own jobs
properly. Here's a story:

I run a dating website and was contacted by law enforcement to provide contact
information for a user suspected of soliciting sex from a minor. The
information was forwarded to police on behalf of the parent of the minor. As
per our privacy policy, we informed the police that we will need a court
authorized subpoena before handing over details about one of our users. They
also informed me NOT to ban the user or otherwise disrupt his account in any
way until they receive the evidence they need from me.

Weeks passed, then months, and finally I had our attorney reach out and
contacted them again to ask what happened with the case, and it turns out the
subpoena was blocked on some kind of administrative issue. They didn't bother
telling us so that we could ban the suspect from the site sooner. In addition,
they could have easily gotten the information they were looking for by using
the dating site to act as a minor and get the information themselves directly
from the suspect (they had the username). Our attorney told us that never once
did the investigator log onto the site themselves.

This is one small story, but just goes to show you the extent of the laziness
that pervades law enforcement today.

~~~
nernst
Perhaps lazy, perhaps working 20 other cases, or just lacking technical
sophistication. If it was me it would be much simpler to issue a subpoena then
engage in some sort of sting operation where things could go wrong.

------
amirmc
_“They’ve eliminated accessibility in order to market the product. Now that
means we have to figure out how to solve a problem that we didn’t create.”_

Ermm ... I'd argue that dragnet mass surveillance is exactly one of the
causes. Good security should be the default position. That we've had poor
security to date should be the considered the real aberration.

~~~
Fuxy
This is all bull. There are skilled IT forensics people who can access these
devices without the permission of the owner as long as they seize them on.

As far as I know the key needs to be kept in ram which means it is vulnerable
while the device is on.

This only prevents dragnet surveillance; nothing more.

~~~
pgeorgi
There are proof of concepts to keep the key in registers, for example
[http://www1.informatik.uni-erlangen.de/tresor](http://www1.informatik.uni-
erlangen.de/tresor)

That prevents coldboot attacks and other means of reading the key out of
memory.

------
ObviousScience
> Earlier today Vance gave the keynote speech at the conference, hosted by the
> Federal Bureau of Investigation, saying he was going “rouge” by speaking out
> on the matter. He made an emotional plea that police might not be able to
> stop crimes against children or solve murders without access to the data.

They somehow solved these crimes before the advent of these devices.

Also, I personally regard stopping the NSA from spying on Americans - all
Americans - without cause to be stopping a bigger, and more important, crime
than stopping the number of crimes that the encryption would stop them from
solving. It's stopping a crime against millions of people that corrupt
government officials have not only refused to properly investigate and
prosecute, but have shielded for personal gain, knowing that they were
circumventing the law of the land.

Stopping rampant corruption is a good thing, and it's sad that it's fallen to
public companies rather than government prosecutors.

~~~
SG-
I wonder why they quoted "rouge" (red), did his slide/presentation include the
typo?

~~~
Ntrails
Typically when quoting a typo a journalist writes [sic] to highlight that it
isn't their error.

Honestly it just brought back memories of WoW and "Rouge LF guild" spam

------
Cthulhu_
So they're saying companies should force consumers to forfeit their right to
privacy? If a prosecutor wants access to a person's encrypted data, they
should go after that person, not the company providing the encryption - they
might as well ban HTTPS if they're really going in this direction.

~~~
higherpurpose
Exactly. The rise of the "cloud" just happens to provide them a nice little
loophole that goes around individual's 4th and 5th amendment rights

------
spiralpolitik
If only there was a law whereby if they could they could describe what they
were looking for on the device and demonstrate why they needed access to the
device to a sufficent standard that they can then get access. Maybe that would
solve their problem ?

Oh wait...

~~~
rayiner
But there isn't. If police go to a judge and show probable cause, they can get
a warrant and break into that locked shed they think had evidence. A warrant
doesn't help against an encrypted phone. Not that I agree with Vances position
mind you.

~~~
spiralpolitik
If the police can describe what they are looking for on the encrypted volume
and get a warrant for it then as per the fourth you provide the item or go to
jail for contempt. ("We want the spreadsheet describing the fraudulent
transactions") There was a case recently that ruled this way.

If they can't do that then it's a fishing expedition and you can't be
compelled to decrypt the volume. There was another case that ruled this way.

Both are completely in line with the fourth amendment and IMHO correct.

Both are being appealed so things could change.

No new laws needed.

~~~
farmdawgnation
However, I think that in the case of a password or passphrase (e.g. something
that you know) that would trigger decryption of such a spreadsheet you can
refuse to give that up under the Fifth Amendment under current caselaw.

With a physical key, you couldn't do that.

~~~
spiralpolitik
I think that part is up in the air and will probably be decided by the supreme
court sometime in the next few years.

Encryption on a per file basis is somewhat interesting. You've provided the
item requested but do you have to provide it in an understandable format ? An
interesting analogy would be if you had a document written in a language (say
shorthand) only you could understand, could you be compelled to provide a
translation ?

------
venomsnake
Dear Apple and Google, please do our job for us because we are understaffed
and underfunded.

Signed,

All the LEO that grew fat on anti-terror and surveillance money.

~~~
pmorici
"understaffed and underfunded"

More like lazy and unwilling to learn. You have to wonder if the guy saying
this has even made a cursory effort to investigate the issue of if he is just
doing the only thing he know how to do, run his mouth.

~~~
venomsnake
I was sarcastic. Obviously he didn't. But he thinks of the children. After all
the cases when a children is kidnapped, we have a suspect and his phone in
custody, but we are not able to see the data inside (metadata about his
movements we have though) which is critical to finding it are so prevalent ...

------
rdl
This is the best advertising possible for strong crypto. It raises awareness,
and then shows crypto is a useful tool against these adversaries.

I can't see a law like this standing on 1A grounds even if passed.

------
sarciszewski
> at a cybersecurity conference in New York

Anyone know which conference they're talking about? I'm surprised they didn't
name it. (Probably one that the public doesn't know about?)

~~~
deathhand
No, It was public and hosted by Fordham University. It did have
'authoritarian' sponsorship though by the FBI and Deloitte.
[http://iccs.fordham.edu/program/iccs2015/](http://iccs.fordham.edu/program/iccs2015/)

~~~
sarciszewski
Oh hey, James Clapper is going to be there at 9. What a great opportunity to
indict him for perjury.

[http://www.hasjamesclapperbeenindictedyet.com/](http://www.hasjamesclapperbeenindictedyet.com/)

------
tempodox
Quote from the article:

 _Now that means we have to figure out how to solve a problem that we didn’t
create._

Bummer. If all you had to do is solve the problems you created yourself, I
would propose not creating the problem in the first place.

I understand the jam law enforcement is in but the arguments of Cyrus Vance
seem disingenuous. In my eyes, he does a disservice to the cause.

(Edit: Formatting)

------
Zigurd
There is something about technology that gives law enforcement a tingle. Look
at Vance's high profile cases [http://manhattanda.org/press-
release](http://manhattanda.org/press-release) : arson, multiple cases of
embezzlement, securities fraud, sexual assault... Not one case that needs to
break encryption to convict.

The lesson is that as soon as they realize they can't do anything about it, it
will cease to be a hot button issue. Just like the rest of the limitations on
law enforcement. Encryption should be pervasive and routine. Then it will be
ignored.

------
chrismcb
Is Vance really doing his job? The article says "“It’s developed into a sort
of high-stakes game,” Vance said. “They’ve eliminated accessibility in order
to market the product. " this implies it is something the average consumer
wants (there aren't enough criminals to make it marketable) again, this is
something the consumers want. Vance should not be trying to prevent it from
happening, just because it might save the children. Crimes were solved before,
and they will continue to be solved. And people like Vance need to be fired
for not doing there job.

------
xacaxulu
"He made an emotional plea that police might not be able to stop crimes
against children or solve murders without access to the data." It's FOR THE
CHILDREN! Of course.

~~~
lovelettr
Frontline has a great 2-part documentary on the NSA mass-surveillance program
called "United States of Secrets" [1]. (It is available on Netflix)

One of the striking things I took away from that documentary was the rhetoric
used to disuade would-be leakers, whistle-blowers, and media outlets that had
learned about "the program". In almost every case they would be brought into
the White House and briefed in an effort to convince them to keep their
silence. The common refrain that was related by all the different parties was
the White House (both administrations) would consistently tell the leakers: If
you do this the blood will be on your hands for the next terrorist attack.

Sadly this sort of rhetoric really work(ed/s) on people.

[1] [http://www.pbs.org/wgbh/pages/frontline/united-states-of-
sec...](http://www.pbs.org/wgbh/pages/frontline/united-states-of-secrets/)

------
tracker1
I love this quote... "Now that means we have to figure out how to solve a
problem that we didn’t create."

But they did create the problem via excessive blind collection of data,
illegal warrantless searches. Falsified investigation trails and a number of
other issues not-withstanding...

It'd be like telling safe manufacturers that they have to design in a trivial
bypass for their safes so that law enforcement can get in easier... it
wouldn't fly.

~~~
CWuestefeld
Well, more strongly than that, I don't see where there's any "problem". Police
agencies can now issue warrants to force someone holding encrypted data to
decrypt it. I've not seen anyone seriously claiming that there's a problem
with people opening data that's been requested in this legal manner.

They're trying to solve a problem that doesn't exist, and paying for their
solution with our privacy.

------
Shivetya
So my question would be, if we see this coming down the road can we prevent
our phones from being updated and losing the protection we have?

~~~
snowwrestler
If you see this coming down the road, the way to stop it is through political
grassroots action.

And before the cynics chime with all the reasons that can't work, consider
that it DID work when this exact same issue came before Congress in the late
1990s.

[http://en.wikipedia.org/wiki/Crypto_wars](http://en.wikipedia.org/wiki/Crypto_wars)

------
golemotron
I wonder whether there is any legal basis for idea that technologies should be
circumventable by law enforcement. I'm not talking about particular laws but
rationales - something in judicial decision or common law.

I also wonder whether safe manufacturers ever were obligated to make safes
that were accessible by law enforcement.

------
kjs3
I wonder if they'll make it illegal to install a door that can't be kicked in?

~~~
voxic11
Actually in many states fortifying your home is already a crime.

~~~
darkarmani
"Actually in many states fortifying your home is already a crime."

In what way? Plenty of people have steel security doors. What exactly do you
mean by fortifying and what law?

