Cy Vance Still Arguing For Mandated Encryption Backdoors; Believes Third Party Doctrine Supports His Theory

from the a-bunch-of-bad-ideas,-all-wrapped-up-in-self-righteousness dept

The United States Senate Committee on Armed Services held a hearing about the coming darkness cellphone encryption Friday morning. There was almost no attempt made to address both sides of the issue, most likely because Senator John McCain -- who headed up the "discussion" -- has already made up his mind on how this problem should be handled.

Testimony -- all from government officials -- was presented, with Manhattan DA Cyrus Vance leading off. Vance's tune hasn't changed. Encryption is still (apparently) an insurmountable problem and the only "answer" runs directly through Congress. Vance spent most of his speaking time [PDF] criticizing Apple and suggesting its decision to provide encryption by default on its phones was done purely to spite him and the government.

Given Apple’s own statements about the security of iOS 7, shortly after Apple’s reengineering of its phones to prevent search warrant access by law enforcement, I asked it in a letter dated March 2015, whether there was a bona fide security reason to make its new operating system, iOS 8, warrant-proof. Apple chose not to answer me, but in March of this year, the House Judiciary Committee compelled Apple to answer the same question. That Committee asked Apple the following question, in writing, “Was the technology you possessed to decrypt these phones”—and the clear reference is iOS7 phones and their predecessors—“ever compromised?” Apple’s written response was: “The process Apple used to extract data from locked iPhones running iOS 7 or earlier operating systems was not, to our knowledge, compromised.” (Emphasis added.)

Apple’s answer to this crucial question shows what we have long suspected: That Apple’s method of data extraction under iOS 7 posed no documented security problems. That being so, then there should be no unreasonable security risk going forward if we return to the procedure where court-ordered warrants can be honored by extracting responsive data off of smartphones.

In Vance's view, encryption protocols should not be altered until they've been compromised -- a view that aligns nicely with his presumption that the government should always have access to phone contents but runs counter to good security practices. Vance wants Apple to go back to holding the encryption keys and be on hand to unlock the door whenever the government asks.

Vance is still pushing his "encryption is a godsend to criminals" narrative -- based on little more than same single recorded prison phone call he referenced months ago. Vance may have a pile of cellphones law enforcement can't break into, but that hardly suggests a majority of criminals are gravitating towards encrypted services. The rise in the number of encrypted communications methods will benefit some criminals, but even high-profile terrorist attacks have been coordinated and planned using methods still open to interception and investigation.

The solution is legislation, according to the DA. Vance provides a list of prior legislation crafted to aid law enforcement as support for his theory the government should be allowed access to phone contents. However, his list covers only records collected and stored by third parties -- not the content and communications he's seeking access to.

Federal regulation is already important in the communications industry. When telephone companies went from using copper wires to using fiber optics and digital signals, the police could no longer use their old techniques of executing wiretap orders, and so Congress passed the Communications Assistance for Law Enforcement Act (CALEA), mandating that telecom providers build into their systems mechanisms for law enforcement to install court-ordered wiretaps. CALEA has worked. It has saved lives, and it has withstood Constitutional challenge. It has not stifled innovation, as its opponents feared…

[...]

Here are a few other examples: DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled. FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft. State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse. I could go on.

The point is that companies in nearly every industry are required by law to maintain voluminous customer records and produce criminal evidence when they receive a court order. When your introduction of goods and services into the stream of commerce overlaps with public safety, this is the price of doing business in the United States.

In other words: the government should have access to iPhone contents because it has access to other stuff. It's a clumsy comparison at best. At worst, it's a blueprint for unprecedented government intrusion. Vance may be trying to demonstrate that the government has historically had access to a wealth of information thanks to regulators and the Third Party Doctrine and should continue to be granted access, but this inept analogy is worse than apples-to-oranges. Connecting Vance's dots suggests he views personal data and communications as just another set of records "collected" by cellphone providers. He may not openly suggest these are nothing more than "third party" records, but he obviously believes private corporations "owe" this sort of access to the government.

Vance says he doesn't want a legislated encryption backdoor, but his solution is basically a legislated encryption backdoor.

My Office’s proposed solution is to enact a federal statute providing that data on any smartphone made or sold in the United States must be accessible—not by law enforcement, but by the maker of the smartphone’s operating system—when the company is served with a valid search warrant. And if a person or entity such as Apple offers encryption software, it has to have the ability to provide data in response to a judicial order.

The backdoor may be located at the company's headquarters, but it's a backdoor all the same.

His testimony also suggests more legislation might be needed to further subvert encryption. Like James Comey, Vance suggests harder nerding will make the impossible possible.

This solution is limited to data at rest on smartphones. It would not affect encryption of data in motion. I cannot at this time offer a technical fix to address data in motion. I am confident, however, that engineers from industry and government, working together in good faith, can find one.

"Good faith." That's hilarous. The only time law enforcement is interested in a "good faith" discussion is when it's trying to salvage an illegal search.

Vance -- like Comey -- believes all concessions must come from the private sector. That's how he defines "working together." He's also concerned a 12-month study from a Congressional committee won't address the issue fast enough.

Twelve months of taking testimony resulting in non-binding recommendations in a report will not adequately address the urgency of the problem that local law enforcement faces. Time is not a luxury that local law enforcement, crime victims, or communities can afford.

With a nod to civil liberties:

Our laws require speedy trials. Victims require justice. And criminals must be held accountable before they can reoffend.

I would think that if you don't have the evidence -- if it's on phones that can't be broken into -- you just don't have the evidence. I sincerely hope people aren't being locked up until Congress creates the backdoor Vance is looking for. Of course, we know that is happening, but hopefully not on the scale Vance suggests with his list of police-resistant devices still being held by law enforcement agencies (who assume they contain evidence of criminal activity).

The end result of the encryption study can't be determined at this point. But given the nature of this committee -- and its decision to only present one side of the issue -- it appears its greatest purpose may be nothing more than buying time until backdoor/ban legislation is reintroduced.

Vance's side hasn't budged an inch. While deference is continually paid to the "smart people" at tech companies, it's only done so under the assumption that they're just holding out on the government. The solution Vance, et al want is supposedly possible, even if it isn't. Any arguments to the contrary are continually treated as deliberate antagonism, rather than basic facts. Backdoored encryption -- no matter who holds the keys -- is a security problem. And it's not going to go away, no matter how many times the same arguments are repeated.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    aerinai (profile), 18 Jul 2016 @ 7:10am

    It worked so well for Russia...

    Dear Vance and McCain,

    Why do you want to turn us into Russia? They have already created these laws in the ham-fisted way you are proposing (just ban it and figure it out later).

    Just wait and see how well it works out for Russia and its tech sector. I swear, you guys won't be happy until every civilian has to have a body cam strapped to them at all times and it is a felony to turn it off even in the most intimate and private of settings...because... children!

    You never have had a full picture of every bad thing a person does... why do you think you are entitled to it now?

    Sincerely,
    All Tech Professionals

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Jul 2016 @ 8:53am

      Re: It worked so well for Russia...

      "Just wait and see how well it works out for Russia and its tech sector. I swear, you guys won't be happy until every civilian has to have a body cam strapped to them at all times and it is a felony to turn it off even in the most intimate and private of settings...because... children!"

      Even if everyone had a chip implanted into the brain at birth as in the film "The Final Cut" that automatically records everything the person sees and hears those guys in the FBI/NSA etc were still demand even more tougher action to be taken because of terrorism etc.

      reply to this | link to this | view in chronology ]

  • icon
    aerinai (profile), 18 Jul 2016 @ 7:10am

    It worked so well for Russia...

    Dear Vance and McCain,

    Why do you want to turn us into Russia? They have already created these laws in the ham-fisted way you are proposing (just ban it and figure it out later).

    Just wait and see how well it works out for Russia and its tech sector. I swear, you guys won't be happy until every civilian has to have a body cam strapped to them at all times and it is a felony to turn it off even in the most intimate and private of settings...because... children!

    You never have had a full picture of every bad thing a person does... why do you think you are entitled to it now?

    Sincerely,
    All Tech Professionals

    reply to this | link to this | view in chronology ]

  • identicon
    I.T. Guy, 18 Jul 2016 @ 8:39am

    Ya know... instead of crying about what they don't have... They need to work with what they DO have... which is more than any previous point in history.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 18 Jul 2016 @ 9:01am

      Re:

      Until and unless they have the equivalent of instant, no-restrictions access to anything said, written or typed by anyone, it still won't be enough. And if they do manage the impossible and attain the above it will only be 'enough' for about a week or so at most, because when you're dealing with egomaniacal voyeurs like this the idea that anything might be beyond their reach is simply unacceptable.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 8:54am

    Vance is so full of bad reasoning and terrible comparisons.

    "DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled."

    ...Because drugs are regulated substances that could kill people if abused. Aside from talking to my aunt about her neighbor for three hours, what phone calls are likely to kill people?

    "FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft."

    This is about protecting the customers from crime, not breaking into their personal communications, you 4th amendment-hating idiot.

    "State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse."

    Again, this is for the protection of the students. Do you not understand the difference between keeping records to keep people safe and getting access to information that violates their privacy and constitutional rights? No? Then you shouldn't have your job.

    I could go on.

    reply to this | link to this | view in chronology ]

    • icon
      Seegras (profile), 19 Jul 2016 @ 8:38am

      Re:

      Yes, and he got it completely backwards:
      But smartphone encryption, one of the great public safety
      challenges of our time, remains almost entirely self-regulated.

      Encryption is the safety-measure here, it protects billions of people from identity theft, stalking, fraud and other crimes.

      If you want to increase security and safety, you need to outlaw non-encrypted phones and any kind of law-enforcement access or other backdoor.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 9:11am

    Third Party Doctrine and required Data Collecting

    I'm a bit surprised to see someone in Law Enforcement openly acknowledge how much third party data we supposedly "voluntarily" turn over is actually required by the government to be collected and stored.

    Quite the convenient gig and a point I'm surprised isn't raised more often on the problems with the third party doctrine.

    "I'd like this data and like to get it without a warrant" So rather than outright saying it must be provided (although they're going for that as best they can) it's require the data to be collected, then assert 3rd party to get it without a warrant.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 9:16am

    How quickly Blackberry is forgotten

    Wasn't too long ago, news was released on how the RCMP had had the backdoor key for years. It sure didn't stay at headquarters very long.

    reply to this | link to this | view in chronology ]

  • icon
    TheResidentSkeptic (profile), 18 Jul 2016 @ 9:31am

    And on the other side...

    No wonder they need a backdoor:

    https://www.digicert.com/TimeTravel

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 9:36am

    damn. we have not-yet-quite-dead dinosaurs telling rabbits how to hop.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 18 Jul 2016 @ 9:39am

    Privacy, it's a thing

    Here are a few other examples: DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled. FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft. State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse. I could go on.

    Notably missing to the best of my knowledge:

    Lockmakers are not required to provide a master key to any government agency.

    Companies that make and/or sell webcams are not required to include and provide the password for the device such that any government agency/agent can access the camera at their whim.

    Companies that make and/or sell computers are not(yet) required to install and provide the password for a keylogger to any government agency in case they want to know what someone types.

    Beyond the above there's also the fact that the examples he provides are intended to be to protect the public, whereas undermining encryption will cause vastly more harm than it could ever possibly prevent, meaning you've essentially got someone arguing directly against public safety and security, simply to make his own job easier.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 9:54am

    "...was not, to our knowledge, compromised....That being so, then there should be no unreasonable security risk going forward"

    So basically he's saying that until a theoretical vulnerability is realized and exploited, there's no problem and we shouldn't make any changes. By that logic, all bugs with security implications should not be patched when discovered, they should be left in place until the theoretical vulnerabilities are turned into actual exploits used by criminals and hostile foreign powers.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Jul 2016 @ 9:59am

      Re:

      Who needs criminals and foreign powers?

      When my government wants warrantless access to the google searches I do for the location of the nearest Starbucks or instructions on how to install the hardware I just bought at the store, that government seems pretty damn hostile and foreign to me.

      reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 18 Jul 2016 @ 10:14am

      Re:

      Expanding on the idiocy, a few more examples following that 'logic' come to mind...

      No house that hasn't been broken into previously should have locks on the doors, because clearly the fact that it hasn't been broken into means it won't be, ever.

      No bank that hasn't been robbed in the past should have any locks or other security features, because if it hasn't happened before then it won't happen in the future.

      No car that hasn't been in an accident should have seat-belts or any other safety features as obviously they're unnecessary costs.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 18 Jul 2016 @ 11:18am

        Re: Re:

        "Expanding on the idiocy, a few more examples following that 'logic' come to mind..."

        All letters addressed to houses occupied by residents who have not been crime victims must be opened by the USPS, contents scanned and retained, and then nailed to public noticeboards. An open postcard will be mailed to the addressee ordering them to report to the noticeboard to collect their credit card bills, healthcare bills, bank statements etc. Since they have never been the victim of a mail delivery or USPS employee there is obviously no risk. The postcards are to be thrown onto the addressee's front yard or street, under no circumstances should they be concealed in a mailbox (all of which will be confiscated so that no criminal evidence may be concealed therein).

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 10:11am

    Foregone conclusions, eh?

    'companies in nearly every industry are required by law to ... produce *criminal evidence* when they receive a court order'

    In case you wondered what the findings would be, he explains it all pretty clearly.

    reply to this | link to this | view in chronology ]

  • identicon
    Chris Brand, 18 Jul 2016 @ 11:13am

    CALEA

    CALEA is absolutely the model they want to use. Of course what happened in Greece is the textbook example of why the "smart people" are saying "building in backdoors decreases security".

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 11:54am

    It should be noted that this was a Congressional hearing that Tim Cook was strongly encouraged to come to by Senator McCain, but Tim Cook declined the invitation. Not that I blame Cook for declining a non-mandatory invitation to attend a panel and be abused.

    reply to this | link to this | view in chronology ]

    • icon
      Jeffrey Nonken (profile), 19 Jul 2016 @ 8:27am

      Response to: Anonymous Coward on Jul 18th, 2016 @ 11:54am

      The difference in outcome is that Mr. Cook would have been abused in person instead of angrily snarked at in absentia. Your point?

      reply to this | link to this | view in chronology ]

  • identicon
    Phils, 18 Jul 2016 @ 12:42pm

    Vance's phone

    Wonder what Vance would say if someone hacked his cellphone??

    reply to this | link to this | view in chronology ]

  • identicon
    Norahc, 18 Jul 2016 @ 2:35pm

    About time

    Guess it's about time we started sending each other a few kb of random ascii characters. Not only is it warrant proof, it can't be deciphered by anybody including the NSA. That ought to be enough to give Vance and co coniptions.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Jul 2016 @ 5:30pm

    Get him his teeth and glasses, put batteries in his hearing aid, and change his dirty diaper, he will be alright. Let us wait and see how this nonsense works out for comrade Putin comrade Vance.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Copymouse
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.