THE KEY

It’s official: The encryption debate is back on. 

The Manhattan district attorney, one of the most vocal foes of strong encryption, plans to accuse Facebook, Apple, Google and other tech companies of valuing profits above public safety at a high-profile Senate hearing today. 

Cyrus Vance will go so far as to call iPhone encryption a “gift to sex traffickers...from Apple.”

It's a sign both opponents and defenders of encryption are gearing up for a drag-out fight more than two years after the issue seemed ready to fade from public view. 

And there are no holds barred: Vance's accusation reflects a recent shift in strategy from the Justice Department to focus on how expanding encryption across messaging services will make it harder for police to stop child sexual abuse and trafficking.

Attorney General William Barr sent an open letter in October to Facebook chief executive Mark Zuckerberg warning of these dangers, whereas government officials’ earlier unsuccessful assaults on encryption tended to focus on terrorists using it to recruit and plan operations. 

Critics, however, called that argument an unfair effort to change the public narrative — and to use people's revulsion at child abuse to convince them to weaken their own security and privacy. 

In advance of the fireworks at the Senate Judiciary committee today, more than 100 privacy organizations, industry groups and prominent individuals released an open letter slamming the Justice Department for its efforts to rein in encryption, saying that could “endanger the security and privacy of billions of internet users around the world.” 

The letter also hammers on ways that weakening encryption could jeopardize the safety of vulnerable people, for example by making it easier for stalkers and jealous partners to track their victims. 

At the hearing, meanwhile, Jay Sullivan, Facebook’s product management director for privacy, is set to defend the company’s decision to expand encryption so strong that even the company can't view the encrypted content.

While it's true the advanced but increasingly common form of encryption called end-to-end makes it impossible for police to access the content of encrypted communications with a warrant, it also better shields those communications from hackers. 

Facebook declined to share Sullivan’s testimony but a spokesman said the privacy leader will argue there’s no safe way to weaken encryption for criminals without weakening it for everyone else. Sullivan will also describe ways the company is trying to ensure encrypted communications are nevertheless safe. 

In the past, Facebook officials have described using unencrypted information, such as the size and character of digital files, to spot when users are sharing child pornography and other illegal items. 

Yet Vance will argue that public discontent with big tech firms following a spate of privacy and security scandals has “created a climate that will support a legislative solution” for encryption. 

Prosecutors in Vance's office receive about 800 Apple devices as evidence each year, about 82 percent of which are difficult to probe because of encryption, he plans to say. 

You can expect defenders of encryption to seize on this nugget, though, to bolster their case that the onus is on law enforcement and not tech companies to make changes: In some cases, Vance will say, the office has been able to hack into the phones and bypass encryption with the help of contractors. 

The hearing marks the highest-profile legislative action on encryption since 2016 and suggests the Justice Department push has returned the topic to Congress's front burner. 

The high-profile battle would have been unthinkable just a couple of years ago when an earlier FBI effort to rein in encryption had hit a brick wall in Congress and a bipartisan coalition of lawmakers was urging the bureau to look for other solutions. 

Indeed, between 2017 and 2018, Congress paid only passing attention to the debate and the FBI mostly played defense after one internal watchdog report found it exaggerated encryption’s dangers and another found it rushed into a legal battle with Apple over the protection without examining other options.

An official from Apple and cybersecurity researcher Matt Tait, a senior cybersecurity fellow at the University of Texas at Austin, will also be testifying. Tait is one of the few cybersecurity researchers who has said he’s open to compromising on encryption protections. 

PINGED, PATCHED, PWNED

PINGED: The FBI has “no information that indicates that Ukraine interfered with the 2016 presidential election,” Director Chris Wray told ABC News yesterday, contradicting claims by President Trump and his congressional allies who’ve pushed the unfounded claims as a defense in the House impeachment inquiry. 

Wray stopped short of criticizing the president's and lawmakers' comments, though, saying only, “There's all kinds of people saying all kinds of things out there,” and “it's important for the American people to be thoughtful consumers of information.”

Sen. Ted Cruz (R-Tex.) was the most recent prominent GOP lawmaker to push the Ukraine claims when he cited “considerable evidence” that Ukraine interfered in the 2016 election in a Meet The Press interview on Sunday. Cruz went on to accuse the media of “deliberately LYING” and ignoring “significant evidence of Ukrainian corruption,” in a Twitter thread.

PATCHED: A cyberattack forced the Florida city of Pensacola to disconnect its network over the weekend, impairing functions including city emails, some city phones and online payments to energy and sanitation services. Federal authorities are investigating the attack, which is the latest in a growing number of cyberattacks against American cities in the past year.

It’s not clear whether the incident is related to an attack on Friday on a nearby naval air station by a Saudi flight student in which three sailors were killed and eight others were wounded, Mayor Grover Robinson said, Bobby Caina Calvan at the Associated Press reports.

That was backed up by the FBI's Jacksonville field office on Twitter.

Robinson declined to tell local news station WEAR whether the hackers demanded a ransom or whether there was another apparent motive for the attack.

PWNED: A company left more than 752,000 applications for copies of birth certificates containing sensitive information unprotected online, Zack Whittaker at TechCrunch reports. The applications date back to late 2017 and contain the applicant's name, birth date, current address, phone number and email address among other information. 

The documents were stored without a password on a cloud storage system owned by Amazon, which means anyone who knew the “easy-to-guess Web address” could access the data. The company in question did not respond to several emails from TechCrunch, but Amazon said it would inform the company about the security lapse. Amazon CEO Jeff Bezos owns The Washington Post.

It's unclear whether any hackers accessed the unprotected documents. 

PUBLIC KEY

— Cybersecurity news from the public sector:

Technology
TikTok chief Alex Zhu has canceled a scheduled trip to Washington to meet with members of Congress, lawmakers said, a move that stoked fresh criticism of the social-media app at a moment when it’s trying to repair its relationships with U.S. officials.
Tony Romm

National Security
The report found no bias among the bureau’s former leaders but said officials played down evidence potentially favorable to Trump’s claim his campaign did not conspire with Russia.
Devlin Barrett, Matt Zapotosky, Karoun Demirjian and Ellen Nakashima

The National Infrastructure Advisory Council (NIAC) published a draft report addressed to President Trump this week that found cyber threats to critical infrastructure pose an “existential threat” to national security and recommended “bo
The Hill

Business
Amazon Web Services unveiled its complaint Monday in a closely watched Court of Federal Claims case that has pitted it against the Defense Department and Microsoft.
Aaron Gregg and Jay Greene

PRIVATE KEY

— Cybersecurity news from the private sector:

As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to underscore the privacy it had pledged to provide users.
Gizmodo

Avast sells user data but says there's no privacy risk, according to the newly appointed CEO.
Forbes

NortonLifeLock, the $16 billion consumer-software company, has attracted deal interest from a handful of companies including rival McAfee, people familiar with the matter said.

iPRSoftware exposed data on 477,000 media contacts, including 35,000 user password hashes, to the public internet via an Amazon Web Services repository.
CyberScoop

THE NEW WILD WEST

— Cybersecurity news from abroad:

A senior United Nations official urged Ethiopia on Monday to stop shutting off the internet without legal basis and revise a draft law meant to curb hate speech to ensure it protects freedom of speech.
Reuters

The company, STCS, uploaded a constantly updating list of GPS coordinates in Saudi Arabia, China, and west Africa.
Vice

ZERO DAYBOOK

— Today:

  • The Senate Judiciary Committee will host a hearing, “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy,” at 10 a.m.

— Coming up:

  • Dartmouth College and Durham University will host a forum on A.I., machine learning and the future cybersecurity landscape for organizations and governments at Carnegie Institution of Washington on Wednesday from 10 a.m. to 5 p.m.