from the lawful-access-opens-a-door-that's-difficult-to-close dept
You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.
We keep hearing from people who think that giving "law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, the link may ask you to pay and/or disable your adblocker):
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.
We recently wrote about the hearing of Cecilia Malmström, likely to be the next trade commissioner for the European Union. On the same day, Günther Oettinger, the candidate for the post responsible for "digital economy and society," was also quizzed by members of the European Parliament. His replies were mostly pretty staid -- previously, he was the energy commissioner, and seemed more at home among gas and oil pipes than the series of tubes that go to make up the Internet -- but one comment has drawn much criticism, as the Guardian reports here:
Former EU energy commissioner Günther Oettinger, 61, is used to accusations that he is more digitally naïve than digitally native by now. But at a hearing in front of the European parliament, the EU’s next commissioner designate for digital economy and society raised some serious questions about his suitability.
During a three-hour grilling by MEPs in Brussels, Oettinger said it would not be his job to protect stars "stupid enough to take a nude photo of themselves and put it online” -- seemingly unaware that the recent leak of celebrities’ nude photographs had come about as a result of a targeted hacking attack.
Let's recap the incident he's referring to: Recently, private photos of female celebrities were published against their will. Far from what Oettinger is suggesting, they didn't "put the photos online". The most likely sources of the photos were cloud-based phone backups. The women might not even have been aware of the backups' existence, since they are created automatically in the background on many phones. It appears that attackers were able to break their encryption due to security failures, like a service allowing an unlimited number of different passwords to be tried out in rapid succession or granting access after posing "security questions" with guessable or obtainable answers. One of the victims was underage when the published photos were taken.
If you manage to look beyond the tabloid celebrity/sex angle, the statement is unbelievable: The person applying to be in charge of shoring up trust in the internet so that Europeans do more business online just victim-blamed people whose personal data was accessed and spread without authorization. He placed the moral blame for that crime squarely on the victims rather than the perpetrators.
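The failure mode just described, a service that lets an unlimited number of password guesses through in rapid succession (the iBrute path mentioned in the Wired excerpt above), next to the per-account lockout that defeats rapid guessing, as an added worked example. This is constructed code written for this page, not Apple's, Elcomsoft's or iBrute's; the two service classes, the lockout policy numbers, the "victim" account, its password and the 100-entry wordlist are all made-up assumptions.

```python
"""Online password guessing against a login endpoint: unthrottled vs. throttled.

Constructed example for this page; not the code of any real service or tool.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Hypothetical policy values (assumptions, not any real service's settings).
MAX_FAILURES = 5            # failures tolerated within WINDOW_SECONDS before lockout
WINDOW_SECONDS = 600        # sliding window over which failures are counted
LOCKOUT_SECONDS = 900       # how long the account refuses all attempts once locked
PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs quickly; use far more in production
CORRECT_PASSWORD = "Summer2014!"  # constructed victim password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)  # timestamps of recent failed logins
    locked_until: float = 0.0


class LoginService:
    """Weak configuration: the password check is fine, but attempts are unlimited."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def _password_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"  # same answer as a wrong password: no username oracle
        return "ok" if self._password_ok(acct, password) else "invalid"


class ThrottledLoginService(LoginService):
    """Hardened configuration: failures are counted per account and the account locks."""

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # the guess is not even verified while the lock holds
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        if self._password_ok(acct, password):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
        return "invalid"


class FakeClock:
    """Simulated clock so the demo can 'wait out' lockouts instantly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def make_wordlist(correct_index: int = 49) -> list:
    """Constructed 100-entry guess list with the real password at a known slot."""
    words = [f"password{i}" for i in range(100)]
    words[correct_index] = CORRECT_PASSWORD
    return words


def dictionary_attack(service, user, candidates, clock, wait_out_lockouts=False):
    """Fire candidates at the endpoint in order; returns (password or None, requests, simulated seconds)."""
    start, sent, i = clock(), 0, 0
    while i < len(candidates):
        result = service.login(user, candidates[i])
        sent += 1
        if result == "ok":
            return candidates[i], sent, clock() - start
        if result == "locked":
            if not wait_out_lockouts:
                break
            clock.advance(LOCKOUT_SECONDS)  # patient attacker sleeps until the lock expires
            continue                         # then retries the same candidate
        i += 1
    return None, sent, clock() - start


def run_scenarios() -> dict:
    """Same wordlist and victim password against the weak and the throttled service."""
    clock, words, out = FakeClock(), make_wordlist(), {}
    weak = LoginService(clock)
    weak.register("victim", CORRECT_PASSWORD)
    out["unthrottled"] = dictionary_attack(weak, "victim", words, clock)
    for name, patient in (("throttled_rapid", False), ("throttled_patient", True)):
        svc = ThrottledLoginService(clock)
        svc.register("victim", CORRECT_PASSWORD)
        out[name] = dictionary_attack(svc, "victim", words, clock, wait_out_lockouts=patient)
    return out


if __name__ == "__main__":
    for name, (pw, sent, secs) in run_scenarios().items():
        print(f"{name:18s} found={pw!r:14} requests={sent:3d} simulated_hours={secs / 3600:.2f}")
```

Against the unthrottled service the 50th guess succeeds with no delay; the throttled service answers "locked" on the sixth request, and even an attacker who patiently waits out every lockout needs over two simulated hours for the same 49 wrong guesses. Two caveats a practitioner would add: a sliding-window counter is evaded by anyone who paces guesses below MAX_FAILURES per WINDOW_SECONDS, so lockout is a necessary control rather than a sufficient one (pair it with per-source rate limits, a second factor and alerting on distributed low-rate failures), and a hard per-account lock lets an attacker deny service to the legitimate owner, which is why many deployments prefer progressive delays or a CAPTCHA step over a flat refusal.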
Although that incident caught people's attention, there were plenty of other things to be worried about in Oettinger's replies. Aside from an evident lack of familiarity with the digital world -- something that can be rectified, one hopes, given time and good advisers -- there were indications that he is likely to see the Internet through an industrial prism, with its users little more than passive consumers of products sold by online businesses. Here, for example, is Euractiv's translation of his reply to a question about the major reform of copyright in the EU, which is one of the key tasks facing him if he is appointed:
"I stand for reliable protection of copyright," Oettinger said.
"We must adequately protect the creator, so these creators will still exist tomorrow. On the other hand, users in the digital world are interested in gaining access to all cultural products." This requires finding a delicate balance, Oettinger said.
"I will commit to working on a draft law, finding a balance for European copyright law in the context of the digital world," the Commissioner designate said.
Pretty generic stuff, with no hint that Internet users might themselves be creators of materials that they are happy to share, without needing to worry about "protection." That suggests Oettinger's idea of "balance" is likely to be skewed heavily in favor of the copyright industry. In other words, a rare opportunity to move on the debate about copyright in the digital world by looking at things from a fresh viewpoint, and trying out some new ideas, has almost certainly been squandered.
High school junior Kelsey Upton was puzzled. Why was a stranger from Iowa sending her a text message?
Her confusion turned to terror last fall when she learned that the person who had sent the message had plucked her personal information from a pornographic website. Without her knowledge, someone had placed her name and phone number on the site next to a photo of a naked woman, in an explicit position, who somewhat resembled her.
Her father, a federal investigator who previously worked for the Georgia Bureau of Investigation, traced the posting to a Citadel cadet, with the help of law enforcement officials. But to their dismay, Upton and her father learned that no crime was committed. Now Randy and Kelsey Upton, who live in Oxford, Ga., plan to meet with legislators and other public officials to try to make such actions a crime. "I want him arrested," said Kelsey Upton, now 17. "But if that won't happen, I want a law about this so someone doesn't just get a slap on the wrist."
Well, the Uptons are in luck. Sort of. The Agitator informs us that Georgia State Representative Pam Dickerson is looking to close this legal loophole by making it illegal to "intentionally cause an unknowing person wrongfully to be identified as the person in an obscene depiction in such a manner that a reasonable person would conclude that the image depicted was that of the person so wrongfully identified." This would include using a person's name, telephone number, address or email address.
However, Dickerson feels that isn't enough. She then adds:
"Such identification shall also include the electronic imposing of the facial image of a person onto an obscene depiction."
Now, rather than just closing an unfortunate hole in Georgia's libel laws, Dickerson is aiming to make a pastime as old as the internet itself, photoshopping celebrities' heads onto porn stars' bodies, a misdemeanor punishable by a year in jail or a $1,000 fine.
Now, I'm not here to suggest that the long and storied history of creating celebupr0n makes this a part of our rich cultural heritage and an unassailable act of free speech. What I am suggesting, however, is this:
2. Existing libel/defamation laws should already be handling Photoshopped head transfers. There's really no reason to take this from the civil arena and turn it into a criminal act.
3. It looks as if the Citadel is already planning on handling this internally as an issue between two cadets. Adding another law to the books is redundant at best and, at worst, is just encouraging people to holler for new laws every time they've been wronged.
4. If this law goes through, it will be subject to endless expansion, much in the way cyberbullying legislation has been stretched to cover such ridiculous acts as eye rolling and so-called "deliberate exclusion." Offended citizens who find themselves photoshopped into other (non-sexual) compromising positions, like say, having their male heads attached to clothed female bodies or made to appear as though they endorse businesses and lifestyles that they clearly don't, will feel the law doesn't go far enough. The internet is a very inventive place while most lawmakers are not.
5. It will be ridiculed mercilessly. See also this post (possibly NSFW) and this clip (possibly not safe for your brain):