The court battle reportedly brewing between the FBI and Facebook could have a bigger impact on the average smartphone user's privacy than the bureau's legal showdown with Apple posed in 2016.
Per Reuters, the FBI is asking a federal judge in California to force Facebook to break the encryption on its Messenger app so investigators can listen in on an alleged MS-13 gang member's voice conversations. The case, which remains under seal, raises some of the same privacy concerns as the FBI’s unsuccessful effort to force Apple to engineer a way into the encrypted iPhone of one of the San Bernardino mass shooters.
But the FBI’s request in the Facebook case could have a broader impact, since the bureau reportedly wants to intercept communications in real time. Rather than seeking access to a smartphone they’ve already seized, investigators reportedly want Facebook to help them wiretap a suspect just like a phone company would.
“It essentially applies to any smartphone user,” said John D. Villasenor, a professor of technology and public policy at the University of California at Los Angeles. “Most of us would be able to say our phones haven’t been in the custody of law enforcement, but we all use messaging platforms of one kind or another.”
“The Apple case, as important as it was, involved a physical device that the government already had possession of,” he told me, “whereas the Facebook matter involves communications between users and the question of what obligations companies like Facebook have with respect to communication services they offer.” The Apple case caused an uproar in the privacy community, and was seen as a proxy for the debate over whether companies should be forced to create built-in ways for law enforcement to bypass encryption in their products. (Ultimately, the FBI found an outside contractor to crack into the San Bernardino shooter's iPhone, putting the fight to rest.)
Although it's not entirely clear what each side is arguing in the Facebook case — again, the records are under seal and the only reporting on the matter has come from Reuters — experts agree that prosecutors are likely basing their case on a law called the Wiretap Act. Passed in 1968, it requires telephone companies to provide technical assistance to law enforcement in tapping a phone if they present a court order.
Whether that applies to Messenger is the key question — and the law might favor the feds, writes Russell Brandom of the Verge.
“Facebook’s biggest problem is the Wiretap Act,” Brandom writes. “The system was designed for companies like AT&T, and it’s relatively uncontroversial for the past 30 years, sometimes put forward as a model of how courts can hold otherwise-invasive surveillance techniques in check. There are ways to contest a given order, arguing it’s too disruptive to the service or otherwise burdensome — or simply that messaging services aren’t subject to the Wiretap Act — but the government’s argument is far more straightforward than what Apple faced.”
A ruling in the government’s favor probably wouldn’t stop with Facebook Messenger, Villasenor said. The government might seek to compel other messaging services such as WhatsApp to help the government listen in on voice conversations.
It could also reverberate outside the United States, he added. “Regardless of what one thinks of the U.S. government's assertions regarding a right to access the conversations in this particular case, if Facebook is forced to comply and shows that it is technically able to do so, other governments — including authoritarian governments — will take notice. That will put Facebook in a very challenging position when faced with requests in the future from governments in countries where there are far fewer privacy protections than we have in the U.S.”
Facebook is pushing back, saying a technical solution might be too onerous, according to Reuters. The company is arguing in court that Messenger voice calls “are encrypted end-to-end, meaning that only the two parties have access to the conversation,” Reuters reports. “Facebook says it can only comply with the government’s request if it rewrites the code relied upon by all its users to remove encryption or else hacks the government’s current target, according to the sources.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Recent announcements by major tech companies including Microsoft, Facebook and Google that they have taken action against hacking and disinformation operations contrast with the lack of coordinated response on the matter from federal authorities, The Washington Post's Craig Timberg, Ellen Nakashima, Elizabeth Dwoskin and Tony Romm reported on Friday. My colleagues wrote that experts, lawmakers and former U.S. officials “express frustration that a sophisticated, meticulously documented and allegedly criminal attack from Russia in 2016 has generated so little White House response, even as federal agencies are taking steps to forestall a repeat this year. They further wonder why — with the November midterm elections looming amid signs that Russia and other nations are ramping up their online interference campaigns — private companies have been left to take the most public roles in protecting the country from well-financed, hostile foreign government hackers and disinformation operatives.”
Moreover, President Trump, who has vacillated in his comments about Russian interference in the 2016 U.S. presidential election, has yet to speak out forcefully against online foreign threats. “A clear declaration from the president could galvanize the creation of a comprehensive strategy and prompt more coordinated action among government agencies and with the private sector, experts and current and former U.S. officials say,” Craig, Ellen, Elizabeth and Tony wrote. “Such a public statement also could put other nations on notice that there will be serious consequences for interfering in America’s democratic processes.”
PATCHED: The revelations last week that tech companies cracked down on online disinformation campaigns have also put the cybersecurity company FireEye in the spotlight. For instance, Nathaniel Gleicher, head of cybersecurity policy at Facebook, wrote in a blog post Tuesday that Facebook's investigation into Iran-linked disinformation efforts started after the social network received a tip from FireEye in July about a group called Liberty Front Press. “Lee Foster, manager of information operations analysis at FireEye, said his team works within the company’s intelligence outfit, which researches not only ‘info-ops’ — like the Iran-linked social media activity it recently uncovered — but espionage, financial crime and other forms of vulnerability and exploitation,” the Associated Press's Mae Anderson reported Friday. “Specialist teams at FireEye focus on particular areas of cyberthreats, each with their own expertise and language capabilities.”
Kevin Mandia, chief executive of FireEye, told the AP that the company steps in when a cyberattack has already passed the first lines of defense. “Mandia said that during the three months ended June 30, FireEye’s email security found 6 million spear-phishing attacks, a type of hacking, and its security products alerted companies of attempts to breach security 29 million times,” Anderson wrote. “That’s important, Mandia said, because most of FireEye’s products are deployed behind their client’s existing firewalls or antivirus software, so everything FireEye catches has already evaded other defenses, he said.”
PWNED: “In a Tuesday letter addressed to Attorney General Jeff Sessions, Sen. Ron Wyden (D-Ore.) asked the Department of Justice to be more forthcoming about the potentially disruptive nature of cell tower simulators — also known as IMSI Catchers or Stingrays — which law enforcement agencies and others use to covertly track suspects’ movements through their cellphones,” my colleague Aaron Gregg reported Friday. “Citing conversations with unnamed executives from Harris Corporation, a Florida-based government contractor that makes a widely used cell tower simulator, Wyden wrote that the devices ‘completely disrupt the communications of targeted phones for as long as the surveillance is ongoing.’ ” In particular, Wyden said cell tower simulators could interfere with 911 communications. (I wrote about concerns over those devices among lawmakers in June.)
Cooper Quintin, a technologist at the Electronic Frontier Foundation, told Aaron that Harris Corp. has not been transparent about the way cell tower simulators work. “Harris Corporation might claim that they’re not in fact blocking 911 calls,” Quintin said, as quoted by my colleague. “But it’s unknowable because thanks to Harris Corporation’s nondisclosure agreements and their corporate policy of silence, we have very little information about how [Stingrays] work and what implications they have.” Harris Corp. declined to answer Aaron's questions on whether the firm's cell tower simulators can interfere with 911 calls.
— The Department of Homeland Security, the FBI, Facebook and Microsoft on Friday briefed the National Association of Secretaries of State and the National Association of State Election Directors after the two tech companies announced last week that they uncovered online threats linked to Russia and Iran, according to a news release from DHS. “Facebook’s and Microsoft’s announcements continue to underscore the important role the private sector has in combating this threat,” Christopher C. Krebs, undersecretary for DHS's National Protection and Programs Directorate, said in a statement. “Like cybersecurity, countering foreign influence is a shared responsibility, and these calls are an important indicator of the level of cooperation between our public and private partners to share information and take action.”
— Google informed Sen. Patrick J. Toomey (R-Pa.) that “hackers from a nation state may have attempted to infiltrate specific email accounts associated with his campaign apparatus,” Steve Kelly, a spokesman for Toomey, said in a statement last week. Toomey is not up for reelection this year. “This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” Kelly said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.”
— “A Russian charged with hacking LinkedIn is of great interest in a U.S. probe of election meddling, according to a Justice Department official, even as his own lawyers complain he hasn’t cooperated with them since landing in a California jail in March,” Bloomberg News's Kartikay Mehrotra reported Friday. “The mystery around Yevgeniy Nikulin deepened Friday when a federal judge asked why his lawyers, who want him evaluated for possible mental illness, chose a San Francisco psychiatrist with a troubled past at California’s medical board. And Nikulin’s defense team — led by a New York-based attorney seasoned in representing Russians and Eastern Europeans charged with serious crimes in the U.S. — say Russian officials have shown unusually strong interest in his case, arranging at least once to visit him in jail when the attorneys weren’t present.”
— More cybersecurity news from the public sector:
— T-Mobile “said late Thursday that it had discovered a data breach potentially affecting some of its customers' account information,” my colleague Brian Fung reported. “No financial data was stolen in the incident, the company said, but some personal details such as customer names, email addresses, phone numbers and account numbers may have been compromised.”
— More news about cybersecurity vulnerabilities:
— "The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world’s most senior Orthodox Christian figures, " according to an Associated Press investigation. "The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world’s Eastern Orthodox Christian leaders."
— More cybersecurity news from abroad:
- Air Force Information Technology & Cyberpower Conference in Montgomery, Ala., through Aug. 29.
- Cyber Security Summit: Chicago on Aug. 29.
- North Carolina Digital Government Summit in Raleigh, N.C., on Aug. 29 and Aug. 30.
5 times John McCain was a maverick:
John McCain, in the words of his congressional colleagues:
John McCain to the class of 1993: “You will know where your duty lies”