Apple fights court imposed FBI backdoor order

Apple CEO Tim Cook has taken a very public stand against an FBI request and court order to create a backdoor into the Apple operating system.  This arose from the investigation into the San Bernardino mass shooting last December.

See this article on ZDNet for more details.  And Read Tim Cook’s customer letter posted on the Apple website for a more complete explanation of Apple’s position.

Kudos to Tim Cook and Apple for this.

Security and privacy experts continue to point out that backdoors are a bad idea that cause far more harm than good.

See, for example, this ZDNet article from yesterday about a new report saying “European cybersecurity agency ENISA has come down firmly against backdoors and encryption restrictions, arguing they only help criminals and terrorists while harming industry and society.”

Cross-posted to Slaw

Encryption = good : Backdoor = bad

Every time there is a tragic attack on people or property, there is a cry from various authorities or politicians for law enforcement to get unfettered access to all kinds of communication tools.

But that would cause far more harm than good, and is a really bad idea.

The argument goes something like this:

These bad actors hide behind encrypted communications to plan their evil deeds.  Therefore to stop them law enforcement needs to have access to all this.  Therefore we need to have backdoors built into all encryption that law enforcement can use.

This is flawed in many ways.

There is no evidence that unfettered access to communications helps.  Sometimes the information was actually available, but no one managed to put it together ahead of time to stop the evil deed.

There is no way that backdoors can be limited to use by law enforcement.  They will inevitably be discovered by others and used for evil, thus rendering encryption and all the protection it provides useless.

Bad actors will stay a step ahead.  If mainstream communications and encryption tools have backdoors, they will just create their own secure communications channels.

But don’t just take my word for this.  Read, for example, this article by security expert Bruce Schneier entitled Why we Encrypt.

And this article by Cory Doctorow on how ridiculous British Prime Minister David Cameron’s comments on the need to backdoor encryption are entitled What David Cameron just proposed would endanger every Briton and destroy the IT industry.

And this article by Mike Masnick of Techdirt entitled The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem.

Cross posted to Slaw

The Surveillance Society is already here

Canadians often look at intrusive, anti-privacy surveillance in other countries, and at things like the NSA and Patriot Act in the United States and think we are above that. But it is becoming apparent that Canada is just as bad. We need to do better than this and move the pendulum back towards individual rights and freedoms, and away from a surveillance society that does very little if anything to actually protect us.

For example, it recently came to light that the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA, monitors and stores emails sent to Canadian government agencies.

This kind of surveillance is usually justified as being necessary to deal with terrorism and threats to national security, and its effects are downplayed by comments like its just metadata, or Canadians aren’t targeted. But there does not seem to be any evidence that all this surveillance and collection actually prevents anything bad from happening. Metadata is every bit as personal, private, and informative as the data itself. Who is targeted does not change the fact that personal information on citizens is being collected and retained, and that this information has the potential to be abused and used for undesirable purposes.

Mathew Ingram puts it well in an article in the Globe entitled We can’t accept Internet surveillance as the new normal.

The only good news is that the ongoing revelations about the nature and type of spying – largely because of Edward Snowden – are creating a growing public backlash, and tech companies are working to make it harder to intercept communications. Bill C-51, the anti-terrorism bill currently in the hearing stage is a case in point, which has attracted a huge amount of criticism – both over a lack of oversight, and as to the intrusiveness and potential abuse of authority that could result.

See, for example, this Huff Post article entitled Edward Snowden Warns Canadian To Be ‘Extraordinarily Cautious’ Over Anti-Terror Bill, and Michael Geist’s article entitled Why The Anti-Terrorism Bill is Really an Anti-Privacy Bill: Bill C-51′s Evisceration of Privacy Protection 

There is even a website dedicated to stopping the bill.

Cross-posted to Slaw.

NSA spying – musings about the surveillance state

Today’s Slaw post:

Much has been written about the NSA / Prism communications monitoring scandal over the last few days, including Simon’s recent post. Many things are unclear, and there are more questions than answers, but these things are clear to me.

Some people defend or trivialize it by saying that actual phone conversations and emails are not being monitored – just metadata. Metadata simply means data about data – it doesn’t mean that it is innocuous or public. The phone “just metadata” being tracked is equivalent to looking at one’s phone bill – numbers called, duration, etc. That definitely contains personal information which raises serious privacy issues. Reminds me of the “it’s just allergies” allergy medication ads.

Another comment that is supposed to make it better is that US citizens are not being targeted by the NSA. Who is targeted doesn’t change the fact that personal information on citizens is being collected and retained. And why is it somehow acceptable to spy on and violate the privacy of people in other countries?

Some ask why it is okay for Google to use knowledge it gains from searching your e-mails to sell advertising, but not okay for Google to pass it on to the government. There is a huge difference. Google serves up those ads without knowing or retaining the identity of the recipient. Privacy principles apply to contextual or behavioural advertising and contextual information (such as Google Now), and we can opt out of receiving it. Privacy obligations limit how long personal information is retained, who it can be disclosed to, and how it can be used. None of those concepts apply to NSA monitoring, and opting out is not an option. The devil is in the details when it comes to privacy, security and surveillance.

Edward Snowden, the person who leaked the information that started this, is apparently hiding in Hong Kong, and US authorities are eager to get him back to the US and charge him criminally. If he had done the same thing in certain countries in the Middle East or Asia, people in the US would be praise him as a hero and chastise the government for its retaliation against him. If those countries were doing the same surveillance as the NSA is, those in the US would demonize the state for its unacceptable assault on civil liberties and privacy.

I do not welcome the surveillance state.

Citizens recording police safe in Washington

For the London Free Press – August 27, 2012 – Read this on Canoe

In various countries, there has been a trend towards authorities stopping, questioning, intimidating, charging and even arresting people who are simply taking photographs of public places. These people might be videoing police in action, or may be just tourists taking pictures.

Police or security guards often insist that the photographer is breaking the law, and somehow think that taking photos equates to gathering information for terrorist purposes. There is also the belief that people are not allowed to use their cellphones, or other recording devices to record the actions of the police. In some cases this has resulted in arrests, and even seizing cellphones to delete the recordings.

Two years ago a Washington, D.C., citizen sued the city after he was told to stop taking pictures of a traffic stop in Georgetown. The court recently decided in his favour.

Police Chief Cathy Lanier has since adopted a policy making it clear that taking photos and recording videos is perfectly acceptable behaviour.

If an officer sees an individual recording his or her actions, the officer may not use that as a reason to ask the individual for ID, demand an explanation for the recording, deliberately obstruct the camera, or arrest them. Under no circumstances should the person be asked to stop recording. If an individual is in a position that interferes with the safety of police or their ability to perform their duties, the officer may ask the person to move out of the way.

Another scenario is when someone takes a photograph or recording that a police officer believes could be evidence of a crime. Under Lanier’s directive, an officer cannot take a recording device away from an individual without his or her consent. If the police officer believes the recording is needed for evidence but its owner is not willing to part with it, the officer is required to call a supervisor. The device or recording media can only be seized if the supervisor is present, only if there is probable cause to believe that the property holds evidence of a crime, and only if the circumstances demand it or some other recognized exception to the warrant requirement is present.

The policy instructs that police officers shall not delete any recorded images or sounds from any recording device. Recording devices that are in department custody should be preserved, so they can be returned to the owner with images or recordings undisturbed.

The example being set in Washington is a reasonable and refreshing approach. It is a model that should be followed everywhere.

NOTE:  Also see David Fraser’s post from last Thursday entitled Photographing and filming police officers in Canada

Lawful Access bill – a very bad idea

The Canadian federal government is re-introducing a “lawful access” bill that will give police the ability to get certain information about us from our Internet Service Providers without a warrant.  It will also require anyone who offers telecommunications services to build in a backdoor to give police access for wiretap purposes.

This bill is an affront to privacy and should not be passed.  For some insight into the details and why it is a bad idea, and links to other material take a look at:

And sign the online petition at Open

And by the way, I’m tired of the political rhetoric and hyperbole that surrounds so much proposed legislation.  Public Safety Minister Vic Toews has been widely quoted as responding to an opposition question on the bill by saying  “He can either stand with us or with the child pornographers”.    Really?  We deserve better than that.

The laws that govern us deserve rational debate and intelligent discussion about why they are needed, whether the proposals will help address that, what the collateral damage might be, whether the benefits are worth the costs, etc.  


Privacy Commissioner explains problems with proposed lawful access law

That’s the title of my Slaw post for today.  It reads as follows.

With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.

Surveillance society requires debate

That’s the title of my Slaw post for today.  It reads as follows.

There has been a lot written lately about the disturbing trend towards becoming a surveillance society. And the equally disturbing trend for governments to try to interfere with various kinds of communications to squash activity. Mathew Ingram has a good article about that on gigaom.

There is a great hue and cry about this when it occurs in countries that we feel suppress their people – but we are also seeing the trend in North America and Britain – such as the recent British riots and San Fransico’s Bart transit system shutdown of cell service.

And yet at the same time, authorities get upset at and try to stop people from photographing them doing their jobs – sometimes to the extent of trying to charge them with crimes such as wiretapping.

Along with that is the photographer as terrorist / criminal attitude that is seen far too often. That has been mentioned on Slaw before here and here. The latest example of that is a post on Techdirt that says police in Long Beach California have a policy that they can detain someone taking photos with “no apparent esthetic value”.

There is of course always some reason given for doing these things – but we can’t just let it be justified by some claim that it is necessary to stop violence or catch criminals. We have to consider many factors, including practical matters such as whether the actions are even effective to accomplish the stated goal, and how disruptive they are to others. We also need to think about issues like security vs privacy, and liberty vs control.

We need to think about these issues on matters such as the proposed lawful access laws.


Let’s just shut ‘er down

That’s the title of my Slaw post for today.  It reads as follows.

Apparently some of the British rioters have been communicating using Blackberrys. Which resulted in a suggestion that Blackberry should suspend its instant messaging service until things quiet down.

That kind of reaction never ceases to amaze me.

As if when that was shut down, the riots and destruction would stop because the malfeasants couldn’t communicate any more. And of course consider the effect on the average Blackberry user who is without service as a result. Attempts to shut the entire internet have not stopped people from doing what they are doing, let alone 1 mode of communication. That’s no different than trying to stop the use of any tool used by criminals. In most cases, people, like the internet, are good at working around outages.

Laws requiring data retention ill-advised

I’m not a fan of laws that require entities such as ISP’s to retain data about its customers so law enforcement can get to it.  To me, that flies in the face of privacy principles that say one should only retain personal information (both quantity and duration) to the extent it is required to fulfil the purpose of the services being offered.

I’m not convinced that the benefit to law enforcement outweighs the negative aspects of this – which range from costs to the entity retaining, the risk of abuse, and the risk of exposing it.   It is hard enough to protect the information that entities need, let alone information they don’t need.  And the more information you have, the more you are a target for malfeasers trying to get at it.

Mike Masnick of Techdirt has a post worth reading on the subject.  He refers to a researcher and author who says that a current US bill, the “Protecting Children from Internet Pornographers Act”  should be called the  “Forcing Your Internet Provider to Spy On You Just In Case You’re a Criminal Act of 2011”.

Unfortunately, we are heading down the same path here in Canada with the proposed lawful access statute.