Manhattan District Attorney Ratchets Up The 'Going Dark' FUD; Leaves Out Its Connection To Shady Hacking Team
from the because-those-little-details-aren't-important dept
After the FBI’s James Comey, it seems that the biggest proponent of backdooring encryption for law enforcement has been Manhattan District Attorney Cyrus Vance, who has now penned a ridiculous fear-mongering opinion piece for the NY Times (along with City of London Police Commissioner Adrian Leppard, Paris Chief Prosecutor Francois Molins and Spanish chief prosecutor Javier Zaragoza). Vance has been whining about encryption for a while. And Leppard, you may recall, is the guy who recently claimed “the tor” is 90% of the internet and a “risk to society.” He’s not exactly credible on technology or encryption issues. But, still… he gets to team up on a NYT op-ed about encryption.
While Comey has been struggling to find a dead child to use as the literal poster child of his campaign to weaken encryption, these prosecutors are now parading out a few stories, starting with a murder in Evanston, Illinois (note: not anywhere near Manhattan, Paris, London or Madrid):
In June, a father of six was shot dead on a Monday afternoon in Evanston, Ill., a suburb 10 miles north of Chicago. The Evanston police believe that the victim, Ray C. Owens, had also been robbed. There were no witnesses to his killing, and no surveillance footage either.
With a killer on the loose and few leads at their disposal, investigators in Cook County, which includes Evanston, were encouraged when they found two smartphones alongside the body of the deceased: an iPhone 6 running on Apple?s iOS 8 operating system, and a Samsung Galaxy S6 Edge running on Google?s Android operating system. Both devices were passcode protected.
An Illinois state judge issued a warrant ordering Apple and Google to unlock the phones and share with authorities any data therein that could potentially solve the murder. Apple and Google replied, in essence, that they could not ? because they did not know the user?s passcode.
The homicide remains unsolved. The killer remains at large.
Cool story. Totally bogus, but cool story. There are all sorts of problems with it starting with the fact that, as of last check Samsung is not requiring encryption by default, because of performance issues. Thus, if it’s true that the phone was encrypted, that’s not an issue with Google/Android, but the user setting up something himself — something that anyone has been able to do for ages and has nothing to do with recent moves by Google (and it’s not even entirely clear from the description by Vance if the phones were actually encrypted or just had a passcode/lockscreen).
More importantly, the idea that this is why the murder “remains unsolved” and “the killer remains at large” is ridiculous. It’s not even clear why the smartphones are all that relevant in this case. But nothing in having a passcode on the phones would stop police from figuring out the phone numbers, contacting service providers for information or issuing perfectly working warrants for communications data (remember, the only issue with encryption would be stored data at rest on the phone). Indeed, the Evanston police did obtain call records related to the phone, but they didn’t help the investigation. In fact, the Commander of the Evanston Police Department told The Intercept that while accessing the phones might provide some useful clues he’s not sure if it would actually help solve the case — just as the call records did not.
In other words, this is nothing but blatant factually challenged fear mongering.
And it goes on:
Between October and June, 74 iPhones running the iOS 8 operating system could not be accessed by investigators for the Manhattan district attorney?s office ? despite judicial warrants to search the devices. The investigations that were disrupted include the attempted murder of three individuals, the repeated sexual abuse of a child, a continuing sex trafficking ring and numerous assaults and robberies.
This is the first time anyone has actually given numbers of the times law enforcement was “stymied,” but notice that none of these cases, including the “attempted murder of three individuals, the repeated sexual abuse of a child or the continuing sex trafficking ring” were described in any more detail to explain how the encrypted phones were the real problem (again: remember there is nothing stopping the police from getting other data, including communications data or any of the data backed up in the cloud, as most data on iPhones is).
Oh, and then there’s this: As Kade Crockford highlights, Muckrock recently noted that the leaked emails from the Hacking Team showed that the Manhattan DA’s office was a potential client of the Hacking Team, meaning that it would have had access to plenty of tools on hand to break into phones — even those that make use of encryption.
As recently as this past May, Hacking Team and an assistant district attorney with the Manhattan District Attorney?s Office emailed back and forth about a potential software ?solution.? Hacking Team sales staff fielded questions about jailbreaking iPhones remotely, and discussed among themselves about how high a price to quote.
Hacking Team hosted a spyware demo in September 2013 for Manhattan district attorney staff, and again in February 2015. When the assistant DA requested a price estimate, a Hacking Team operations manager suggested a starting ask of $3 million.
“If it’s totally out of budget, we can come up with a special ‘deal’ for them and the usual accommodations,” wrote Hacking Team?s Daniele Milan on an internal email thread about discussions with the DA.
The DA?s office confirmed that it has met with Hacking Team to review their products.
“In order to keep pace with rapid developments in the private sector, we invite groups to demo various emerging technologies,” wrote Joan Vollero, Manhattan DA spokeswoman, in an emailed statement.
The Vance op-ed also completely misrepresents things, arguing that because some criminals falsely believe that everything is now encrypted, it means they are:
Criminal defendants have caught on. Recently, a suspect in a Manhattan felony, speaking on a recorded jailhouse call, noted that ?Apple and Google came out with these softwares? that the police cannot easily unlock.
Except, Google and Apple have long offered the software, and (again) it’s not yet default on Android phones and it only protects stored data on the phones — while most people will likely (falsely) assume that it also protects communications data or backed up data.
The op-ed also ignores the valid reasons for protecting your own privacy, or what happens when malicious actors use backdoors to get into your data. Or how foreign states, such as China and Russia will also demand backdoors. Instead, it pretends the only criticism of backdoors is because of worries about government surveillance. This is wrong. The article falsely argues that full disk encryption only provides “marginal” benefits to users, and shouldn’t be allowed because what prosecutors want to do is different than the NSA’s mass surveillance efforts. Once again, this misstates the reasons for full-disk encryption and completely ignores the dangers of backdoors.
We had hoped the ridiculousness over the whole “going dark” hysteria would start to die down by now, but apparently that was being optimistic. One wonders if Cyrus Vance, Francois Molins, Adrian Leppard and Javier Zaragoza also bemoan the act that criminals can speak to each other in person and no warrant will ever reveal what they said.
Filed Under: adrian leppard, cyrus vance, encryption, fud, going dark, mobile encryption
Comments on “Manhattan District Attorney Ratchets Up The 'Going Dark' FUD; Leaves Out Its Connection To Shady Hacking Team”
Instead, it pretends the only criticism of backdoors is because of worries about government surveillance.
Which still would be justified and all that’s needed to oppose weakening encryption.
Indeed. In fact, government and corporate surveillance are my primary concerns.
“or any of the data backed up in the cloud, as most data on iPhones is).”
Small tech note, Apple actually does encrypt data in iCloud now. Link: https://support.apple.com/en-us/HT202303
Here’s the relevant part:
iCloud Keychain encryption keys are created on your devices, and Apple can’t access those keys. Only encrypted keychain data passes through Apple’s servers, and Apple can’t access any of the key material that could be used to decrypt that data.
Only trusted devices that you approved can access your iCloud Keychain.
Advanced settings allow you to choose an iCloud Security Code longer than four digits or have your device generate one for you.
You can choose to disable keychain recovery, which means that iCloud Keychain is kept up to date across your approved devices, but the encrypted data is not stored with Apple and cannot be recovered if all of your devices are lost.
I think this started being implemented after the fappening deal.
Anyone that has done any research on encryption knows that a backdoor or a ‘golden key’ is a poor idea. After educating ones self on the subject and *still* deciding that it’s a good idea, one must either be a fool or be forced to hold on to that idea by their job.
encryption is supposed to disrupt whoever isn’t the person that created the data, THATS THE POINT. This stupid op ed is so heavily weighted on the false impression that the case would be solved if they had access to that phone which is not even probable.
Trading that security for EVERYONE on this planet that encryption provides for making lazy leos easier (in rare cases) is the worst possible trade imaginable.
In the same vein of absurdness I propose that LE not be able to get warrants anymore at all, because it sometimes disrupts the citizenry in their daily lives and work. /facepalm
Investigators in Cook County…were encouraged when they found two smartphones alongside the body of the deceased…
…but given how it turns out the whole notions of Crime Scene Investigation and Good Old Fashioned Detective Work are Hollywood fairy tales, investigators are therefore completely baffled due to the encryption on the phones.
Mission Impossible ?
I’m a big advocate for making things as secure as possible, but this article strikes me as a little unfair to the other point of view. You demand proof that this capability is needed, but then set an impossible standard for that proof – show us a case where you couldn’t break the encryption on a phone, but whatever was on the phone was vital to solving the case.
Obviously in order to know that the data on the phone was vital to the case, the perpetrator had to be caught after the data was accessed, in which case the encryption had to be broken … in which case you would argue that “you’ve shown that you already have all the powers you need”.
I’d like to see some acknowledgement that yes, they do seem to have finally provided an example where they *might* be right that the encryption on the phone is preventing access to some vital clue that could crack the case, but that (obviously) we can’t know for sure either way. Then we discuss whether the costs of the powers they’re asking for are worth the benefit, i.e. whether it’s better to let the occasional bad guy get away with it or to make it easier for criminals, hackers, terrorists, and the like to get at everyone’s private information.
Re: "they do seem to have finally provided an example where they *might* be right"
That’s an awful lot of might. It’s pretty dubious that they’ll likely catch the killer once they decrypt the phones.
But more likely they’ll be able to pin some innocuous crime on the alleged owners of the phones and give them prison time, and then be satisfied that justice was done.
Pardon me for being skeptical, but recent history has shown plenty of good cause to be skeptical.
Re: Mission Impossible ?
Even if there is a case where encryption prevents authorities from solving a crime it still should not be banned or backdoored. But honestly if proper investigative work is done the results should be the same: if the criminal got in touch with the victims and harassed them asking for the calls, footage of cameras nearby, witnesses and so on will confirm. If the criminal acted out of his/her own twisted mind you just can’t get any communications but there are plenty of alternatives to try.
Re: Re: Mission Impossible ?
I’d rather look at the 1 in a million chance that a abductor leaves clues on a phone, than have my kids monitored by the government 24/7. If they have a “back door” they WILL use it.
Re: Not At All Impossible
It’s quite easy to construct a scenario that would provide evidence for the government’s position:
1. Government agents find encrypted smartphone.
2. Investigation flails around in circles for a while.
3. Smartphone owner or friend thereof steps forward, “Oh, yeah, the password is….”
4. Evidence on smartphone cracks case open.
Get back to us when something like that actually happens.
Re: Mission Impossible ?
“You demand proof that this capability is needed, but then set an impossible standard for that proof – show us a case where you couldn’t break the encryption on a phone, but whatever was on the phone was vital to solving the case.”
Fair enough, let’s flip it around. Law enforcement keep banging on as if they’re losing something important to them, but this is a fairly recent change from Apple and Google so there must be a history they can present where having access to phones solved lots of horrible crimes. But I don’t see any of those stories being talked about. Instead we get weak hypothetical scenarios that are easily shot down. Doesn’t seem like they have a strong case at all.
The article falsely argues that full disk encryption only provides “marginal” benefits to users
You know, this crusade against encryption is so full of bullshit that they often put their own arguments against each other. If the benefit is so marginal then it shouldn’t be an issue for law enforcement of the alleged most powerful nation in the world.
One wonders if Cyrus Vance, Francois Molins, Adrian Leppard and Javier Zaragoza also bemoan the act that criminals can speak to each other in person and no warrant will ever reveal what they said.
Cameras with ambient mics everywhere? Don’t underestimate these people.
Yet another article that firmly places NYT into the category of State Propaganda
Maybe it’s a good source for reassurance you shouldn’t worry your pretty little heads about privilege abuse or jurisdiction overreach.
And your recently SWATted neighbor had it coming.
There's also this other tidbit:
People having their lives ruined by killers and kidnappers who leave encrypted phones as the one vital clue is rare
People having their lives ruined by police illegally searching for cause to ruin their lives is commonplace.
A Particularly Blatant Bit Of Nonsense
This is a piece of brazen misrepresentation on a par with the “increase” of the chocolate ration to twenty grams (from a previous thirty) in 1984. Obviously, the new system (in which Apple or Google do not have access to the user’s passcode) protects the user from institutional data breaches, since no data breach can expose data that the target does not possess.
I notice that this editorial, unlike most of the others, has no comment section. It’s a damning admission that Vance et al know perfectly well that they have nothing but easily refuted lies and bullshit.
Claiming the high ground
Truth be told it doesn’t matter one iota if the facts are true, false or just plain fiction. In this game by getting out their first and claiming the high ground it is almost impossible to regain that ground with the truth.
These lies become the truth sufficiently enough to win the argument. Sadly it is endemic in our world today.
were encouraged when they found two smartphones alongside the body of the deceased
Those phones contained two pieces of valuable information. Unfortunately, due to the incredibly complex and sophisticated pass code protection known as the “4 Digit PIN” (that has nothing to do with encryption at all), we can only guess at the last words of the perpetrator and his victim.
“Google, tomorrow at 2 pm remind me to kill the guy that just spilled his drink on me.”
“Siri help me, that crazy guy from the bar last night is @#$% shooting at me!”
I wonder if mssrs Vance and Leppard are aware that when out of earshot from those two, the others are likely using encryption to communicate, namely French and Spanish. The former would be at the mercy of a decryption expert (translator) to even interpret said communications into their English equivalent.
The way this is beginning to sound, you can’t solve a crime without a cell phone. That’s a poor assumption to begin with. What did all the 18th and early 19th century cops do to solve crimes without a cell phone to worry over?
In that case, I must be a hardened criminal cause I don’t want a cell phone. Don’t have to worry about encryption nor data on the damn thing. Break that data storage!
…you can’t solve a crime without a cell phone. That’s a poor assumption to begin with…
It is a poor assumption, but not impossible. At one time Japan had a television show that solved mysteries on the basis of train schedules. When I first heard that I thought it was nuts. Then I found out Japan’s rail system is far more efficient and far more on-time accurate than anything the US has or ever had. Their on-time accuracy sometimes beats the airlines. So while the idea sounds outlandish it’s still probable.
But you bring up a valid question: are there any crimes that can only be solved by looking at the data on a cel phone? AFAIK such data makes solving quicker or adds to the evidence.
Re: Re: Re:
It is a poor assumption, but not impossible.
An obviously true statement. Failure to come up with a crime that can only be solved by “x” is a statement about the limits of your creativity. And yet, at no time has “no physical law prevents the existence of a crime that we cannot solve without x” ever been considered as reason for x.
Because if that argument was true, then it would be necessary to have cameras everywhere. In your house, your car, every few feet along roads, in the forests, on your clothes. The internet would have to be permanently shut down, phones eliminated, ability to travel at all severely curtailed if not eliminated completely, language redesigned to prevent even the ability to communicate in the terms needed to plan a crime. And of course, your Japanese television show would need to be wiped from historical records. Among other things.
But we don’t do any of this. Because the question we actually ask is simple: are the crimes that can only be solved using x common enough and severe enough to overcome the benefits derived from x?
And considering that crimes achieved through a failure to properly secure electronics, networks etc. are both more common and capable of greater overall damage, and especially in light of the fact that nobody can find a crime that would have been solved with backdoors (rather than might have been)…
The real reason this crime remains unsolved is because law ‘enforcement’ would rather witter on about them being locked instead of taking the simple step of simultaneously pressing and holding volume up, home, and power on the Samsung, or even just opening it and removing the SD card to see what’s on it.
Re: You can encrypt the SD card as well in Lollipop
And it takes about half a day to permanently encrypt your Android phone (and it’s a thing you choose to do after setting a minimum-six-character password).
For phones that are simply locked, most municipal precincts have a software kit to unlock them and sift through the onboard data including recent phone calls and SMS. I assume that gives access to passwords to web services such as email, calendar and contacts.
Re: Re: You can encrypt the SD card as well in Lollipop
BTW, Calendar and Contacts aren’t web services. They can be connected to and utilised by web services, but they’re not web services themselves.
Re: Re: Re: "web services"
That may be a terminology failure on my part. By web services I mean personal databases that can be accessed with a web browser, an account name and a password.
Re: Re: Re:2 "web services"
Personally, I believe web services to be either on the Web or dependent on it. If something can be connected to the Web, but doesn’t rely on it for functionality, then it’s a web-connected service.
How many devices are actually running Lollipop? With the disaster that was KitKat…
Re: Lollipop devices
Mine are, including a 2-year-old Sony phone. Its been around long enough that pda.net supports it.
Dunno the rate of adoption by Android end users though.
As of July 1, 12.4% of all Android devices were running lollipop. The majority of Android devices are running KitKat.
Chasing the Wet Dream
Comey and every other law enforcement agency should spend more time honestly fulfilling the oaths they swore to, instead of chasing their wet dream fantasies of them having encryption only and not the rest of us.
Just A Thought...
The Evanston police believe that the victim, Ray C. Owens, had also been robbed…
…were encouraged when they found two smartphones alongside the body of the deceased: an iPhone 6 running on Apple’s iOS 8 operating system, and a Samsung Galaxy S6 Edge running on Google’s Android operating system.
Maybe robbery wasn’t the motive.
Wondering . . .
Do you think the district attorney uses encryption on his own phone? Of coarse that a completely different thing because his information is worthy of protection, right?
Metadata is more useful than content 99% of the time. The detectives should have been requesting cellular location data and call logs from AT&T and Verizon. What a bunch of noobs, no wonder the purps got away.
Here is a good parody of this story:
To The New York Crimes - Op Ed Dept.
Methinks techdirt should start sending the “rebuttals” to these phony “op-ed” pieces, directly to the NYT, and see just how the obviously truth-free press company responds to actual factual and verifiable information.
I’m betting the response would be hugely informative, and probably quite entertaining. 🙂