Cybersecurity experts are slamming as misleading the Justice Department's new focus on child exploitation as a reason to oppose strong encryption -- and worry it could lead the country to compromise security for all consumers.
The Justice Department got effectively nowhere in previous rounds in the encryption fight by arguing that warrant-proof encryption would allow terrorists to plan operations and recruit members outside law enforcement’s view. Experts say Attorney General William P. Barr and his lieutenants' shift to focus on how encryption could prevent police from tracking child sexual predators is a clear effort to change the public narrative -- and use people's revulsion at child abuse to build support for weakening their own security and privacy.
“This is a very calculated plan and it seems really clear this is the wedge issue they believe will ultimately get them closer to where they want to be than terrorism did because it’s: Are you with the children or are you against the children, and no one wants to be against the children,” Joe Hall, chief technologist at the Center for Democracy and Technology, told me.
While the spread of encryption has made it harder for police to track child predators online, allowing the government a way to access everyone's communications would cause far more damage, the experts argue.
“Encryption backdoors create insecurity for everyone in the world because those backdoors can be exploited by abusive stalkers, identity thieves, criminals and human rights abusing governments,” Jennifer Granick, cybersecurity counsel at the American Civil Liberties Union, told me.
The ACLU and CDT were among the more than 50 technology and civil liberties groups that are organizing a counterpush: They wrote to Facebook encouraging the company to proceed with its plans to expand encryption even after direct attacks from the Justice Department.
Barr last week penned an open letter to chief executive Mark Zuckerberg urging against the company's plans to expand end-to-end encryption on Facebook’s Messenger service, which shields people’s messages even from the company that provides the messaging service, as my colleagues Ellen Nakashima and Tony Romm reported. The letter, which was also signed by top law enforcement officials in England and Australia, warned that the new protections could allow predators to share explicit photos of children with impunity and to coerce children into meeting them in real life -- and make law enforcement agents' warrants far less useful. Justice officials doubled down on this narrative during a half-day conference on Friday.
Facebook, which has been slower to adopt the advanced protection than other tech companies, was responsible for more than 18 million reports to the National Center for Missing & Exploited Children last year. With less communication visible to the company, Justice officials said that number could drop under the company’s new encryption plans.
Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s Center for Internet and Society, said the strategy provided a false choice. “There’s this fundamental gut-level disgust that basically everyone has for the abuse of children,” Pfefferkorn said. “So, you can paint people who are trying to protect security and enhance [digital] protections as unsympathetic to preventing child sex abuse. I think it’s extremely cynical.”
Senior Justice officials denied there was any strategy behind the messaging shift. “Messaging is not something I’m particularly good at. My focus is on ensuring that our public is safe,” one senior official said during a press briefing.
Zuckerberg, meanwhile, acknowledged that expanding encryption will make law enforcement’s work harder during a town hall with employees -- but said the increased security for users was worth it, my colleague Heather Kelly reported.
He also argued that law enforcement could still conduct investigations and glean useful information from non-encrypted information, such as the patterns of who’s messaging whom. Facebook-owned WhatsApp already offers end-to-end encryption.
The battle over encryption as a terrorist tool reached its peak during a 2015 knockdown legal fight in which the FBI tried unsuccessfully to force Apple to help break into an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook. But the issue had been at a low simmer before Barr reinvigorated it this summer. The FBI was generally in retreat after internal investigations showed it had inflated the threat posed by encryption and rushed into the legal fight with Apple without exploring other options.
Even Republican and Democratic lawmakers on the House Commerce and Judiciary committees reached a rare bipartisan consensus in warning against restricting encryption in a 2016 report.
PINGED: The Manhattan District Attorney's Office licensed encryption-cracking software from the Israeli digital forensics firm Cellebrite months before the company announced it would sell its products to local police departments, according to records obtained by Michael Hayes for OneZero, a publication funded by the blogging company Medium.
The Manhattan DA's office paid $200,000 over three years for a premium service that allowed investigators to “unlock and extract data from all iOS and high-end Android devices” using their own computers rather than shipping the devices to a lab in New Jersey.
But the office never publicly revealed it was using the technology, to the consternation of defense attorneys and privacy advocates, Hayes reports. “As someone concerned about the ever-growing surveillance state, it’s concerning for law enforcement to have this power,” Jerome Greco, a Legal Aid Society attorney who discovered prosecutors were using the technology after challenging a hack into his client's phone, told Hayes.
Cellebrite declined to discuss the details of its arrangement with the Manhattan DA or any other possible partnerships with local law enforcement.
PATCHED: A group of Republican senators wants the FBI to share classified information with companies demonstrating threats the Chinese telecommunications company Huawei poses to national security, they wrote in a letter to Microsoft President Brad Smith yesterday. The letter comes after Smith complained last month that the government needs to provide businesses with more evidence against Huawei so they can make their own decisions about working with the company.
“We believe the Federal Bureau of Investigation or the intelligence community could share more of this intelligence in an appropriate fashion to affected businesses,” Sens. Tom Cotton (R-Ark.), Marco Rubio (R-Fla.), Rick Scott (R-Fla.), Mike Braun (R-Ind.) and Josh Hawley (R-Mo.) wrote. “We would welcome further conversation with Microsoft and other businesses about coordinating such briefings.”
The letter also cites instances of alleged wrongdoing by the company based on media reports, private researchers and court proceedings, including the U.S. indictment of Huawei earlier this year for stealing advanced robotics technology from T-Mobile.
“This evidence, in conjunction with testimony from U.S. government officials and our allies, Britain, Japan, and Australia, makes a compelling case that Huawei serves as an intelligence-gathering apparatus for the Chinese state,” the senators wrote.
PWNED: Ransomware attacks are devastating small medical practices that make up a majority of U.S. medical service providers, Adam Janofsky at the Wall Street Journal reports.
Smaller health-care organizations, which account for over half of the medical practices in the United States, often lack dedicated cybersecurity staff and face a much higher risk of attack, Moody's analyst Jennifer Barr tells Adam. Adam identified at least two local practices that have shut down entirely in the past year after being hit with ransomware attacks.
In another case, Campbell County Health in Wyoming had to stop offering essential services including radiology and endocrinology after a ransomware attack and had to transfer patients to other providers as far away as South Dakota and Denver.
A new initiative led by IBM and McAfee aims to ensure the different cybersecurity tools businesses use automatically work together, the companies announced today. The new initiative, called the Open Cybersecurity Alliance, will develop common standards that make it easier for companies to integrate tools from different vendors and more quickly share and respond to threats. Other members include CyberArk, Cybereason and Fortinet.
- BSA | The Software Alliance will host an event to discuss how Congress can build upon state and international privacy laws to develop federal legislation today at 2 p.m. in Senate Dirksen Building, Room G50.