The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Apple's iPhone encryption is a 'gift to sex traffickers,' Manhattan DA to testify

with Tonya Riley


It’s official: The encryption debate is back on. 

The Manhattan district attorney, one of the most vocal foes of strong encryption, plans to accuse Facebook, Apple, Google and other tech companies of valuing profits above public safety at a high-profile Senate hearing today. 

Cyrus Vance will go so far as to call iPhone encryption a “gift to sex traffickers...from Apple.”

It's a sign both opponents and defenders of encryption are gearing up for a drag-out fight more than two years after the issue seemed ready to fade from public view. 

And there are no holds barred: Vance's accusation reflects a recent shift in strategy from the Justice Department to focus on how expanding encryption across messaging services will make it harder for police to stop child sexual abuse and trafficking.

Attorney General William Barr sent an open letter in October to Facebook chief executive Mark Zuckerberg warning of these dangers, whereas government officials’ earlier unsuccessful assaults on encryption tended to focus on terrorists using it to recruit and plan operations. 

Critics, however, called that argument an unfair effort to change the public narrative — and to use people's revulsion at child abuse to convince them to weaken their own security and privacy. 

In advance of the fireworks at the Senate Judiciary committee today, more than 100 privacy organizations, industry groups and prominent individuals released an open letter slamming the Justice Department for its efforts to rein in encryption, saying that could “endanger the security and privacy of billions of internet users around the world.” 

The letter also hammers on ways that weakening encryption could jeopardize the safety of vulnerable people, for example by making it easier for stalkers and jealous partners to track their victims. 

At the hearing, Facebook’s Product Management Director for Privacy Jay Sullivan meanwhile is set to defend the company’s decision to expand encryption so strong even the company can't view it. 

While it's true the advanced but increasingly common form of encryption called end-to-end makes it impossible for police to access the content of encrypted communications with a warrant, it also better shields those communications from hackers. 

Facebook declined to share Sullivan’s testimony but a spokesman said the privacy leader will argue there’s no safe way to weaken encryption for criminals without weakening it for everyone else. Sullivan will also describe ways the company is trying to ensure encrypted communications are nevertheless safe. 

In the past, Facebook officials have described using unencrypted information, such as the size and character of digital files, to spot when users are sharing child pornography and other illegal items. 

Yet Vance will argue that public discontent with big tech firms following a spate of privacy and security scandals has “created a climate that will support a legislative solution” for encryption. 

Prosecutors in Vance's office receive about 800 Apple devices as evidence each year, about 82 percent of which are difficult to probe because of encryption, he plans to say. 

You can expect defenders of encryption to seize on this nugget, though, to bolster their case that the onus is on law enforcement and not tech companies to make changes: In some cases, Vance will say, the office has been able to hack into the phones and bypass encryption with the help of contractors. 

The hearing marks the highest-profile legislative action on encryption since 2016 and suggests the Justice Department push has returned the topic to Congress's front burner. 

The high-profile battle would have been unthinkable just a couple of years ago when an earlier FBI effort to rein in encryption had hit a brick wall in Congress and a bipartisan coalition of lawmakers was urging the bureau to look for other solutions. 

Indeed, between 2017 and 2018, Congress paid only passing attention to the debate and the FBI mostly played defense after one internal watchdog report found it exaggerated encryptions’ dangers and another found it rushed into a legal battle with Apple over the protection without examining other options. 

An official from Apple and cybersecurity researcher Matt Tait, a senior cybersecurity fellow at the University of Texas at Austin, will also be testifying. Tait is one of the few cybersecurity researchers who has said he’s open to compromising on encryption protections. 


PINGED: The FBI has “no information that indicates that Ukraine interfered with the 2016 presidential election,” Director Chris Wray told ABC News yesterday, contradicting claims by President Trump and his congressional allies who’ve pushed the unfounded claims as a defense in the House impeachment inquiry. 

Wray stopped short of criticizing the president's and lawmakers' comments, though, saying only, “There's all kinds of people saying all kinds of things out there,” and “it's important for the American people to be thoughtful consumers of information.”

Sen. Ted Cruz (R-Tex.) was the most recent prominent GOP lawmaker to push the Ukraine claims when he cited “considerable evidence” that Ukraine interfered in the 2016 election in a Meet The Press interview on Sunday. Cruz went on to accuse the media of “deliberately LYING” and ignoring “significant evidence of Ukrainian corruption,” in a Twitter thread.

PATCHED: A cyberattack forced the Florida city of Pensacola to disconnect its network over the weekend, impairing functions including city emails, some city phones and online payments to energy and sanitation services. Federal authorities are investigating the attack, which is the latest in a growing number of cyberattacks against American cities in the past year.

It’s not clear whether the incident is related to an attack on Friday on a nearby naval air station by a Saudi flight student in which three sailors were killed and eight others were wounded, Mayor Grover Robinson said, Bobby Caina Calvan at the Associated Press reports.

That was backed up by the FBI's Jacksonville field office on Twitter:

Robinson declined to tell local news station WEAR whether the hackers demanded a ransom or whether there was another apparent motive for the attack.

PWNED: A company left more than 752,000 applications for copies of birth certificates containing sensitive information unprotected online, Zack Whittaker at TechCrunch reports. The applications date back to late 2017 and contain the applicant's name, birth date, current address, phone number and email address among other information. 

The documents were stored without a password on a cloud storage system owned by Amazon, which means anyone who knew the “easy-to-guess Web address” could access the data. The company in question did not respond to several emails from TechCrunch, but Amazon said it would inform the company about the security lapse. Amazon CEO Jeff Bezos owns The Washington Post.

It's unclear whether any hackers accessed the unprotected documents. 


— Cybersecurity news from the public sector:

TikTok leader postpones trip to Washington to meet with members of Congress (Tony Romm)

FBI was justified in opening Trump campaign probe, but case plagued by ‘serious failures,’ inspector general finds (Devlin Barrett, Matt Zapotosky, Karoun Demirjian and Ellen Nakashima)

Federal council to Trump: Cyber threats pose 'existential threat' to the nation (The Hill)

Trump used Pentagon budget for personal gain, Amazon alleges (Aaron Gregg and Jay Greene)


— Cybersecurity news from the private sector:

Ring’s Hidden Data Let Us Map Amazon's Sprawling Home Surveillance Network (Gizmodo)

Are You One Of Avast’s 400 Million Users? This Is Why It Collects And Sells Your Web Habits. (Forbes)

WSJ News Exclusive | McAfee Considering a Combination With NortonLifeLock

Exclusive: PR software firm exposes data on nearly 500k contacts (CyberScoop)


— Cybersecurity news from abroad:

U.N. expert urges Ethiopia to stop internet shutdowns, revise hate speech law (Reuters)

A Saudi Telecom Exposed a Streaming List of GPS Locations (Vice)


— Today:

  • The Senate Judiciary Committee will host a hearing, “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy,” at 10 a.m.

— Coming up:

  • Dartmouth College and Durham University will host a forum on A.I., machine learning and the future cybersecurity landscape for organizations and governments at Carnegie Institution of Washington on Wednesday from 10 a.m. to 5 p.m.