California this week became the second state to consider legislation banning the sale of encrypted smartphones that can’t be unlocked by their manufacturers, joining New York.
The California bill, AB 1681, introduced this week by assembly member Jim Cooper, proposes legislation similar to that proposed in New York, which targets devices that cannot be unlocked or decrypted by the manufacturer or operating system developer; New York’s bill, A08093, is still being considered by the state’s Committee on Consumer Affairs and Protection. Under the proposed California law, the sale of smartphones in the state would be prohibited unless they can be decrypted by the phone seller or manufacturer, and imposes a “civil penalty of $2,500 for each smartphone sold or leased” that can’t be decrypted — the same penalty imposed in the New York bill.
“You can get a warrant for pretty much anything and everything, but not for a phone or an iPad?” Cooper said at the Human Trafficking Evidentiary Access Legislation press conference at the California Capitol in Sacramento. “That’s just mind-boggling that you can’t do that.”
In his memo in support of the legislation, Matthew Titone, sponsor of the New York bill, raised the specter of criminals using smartphone encryption to get away with crimes, including kidnapping, fraud and terrorism.
In California, Cooper positioned his proposed legislation as being invaluable in battling human trafficking, while also downplaying privacy issues by stating that “99% of the public will never have their phone searched with a court order.”
The proposed state legislation comes at a time when U.S. government officials, law enforcement agencies and politicians continue to debate over what to do about the issue, initially raised when Apple and Google started deploying smartphones with strong encryption that cannot be opened by their manufacturers
European encryption backdoors
Meanwhile, early this week came news that the French government would not seek mandatory smartphone encryption backdoors. Calling encryption backdoors “vulnerability by design,” Axelle Lemaire, France’s digital affairs minister, spoke out on behalf of the government against proposed legislation that would require smartphone encryption backdoors.
“This is not the right solution,” she said, noting that while the aim of giving police greater power to monitor bad actors was laudable, the backdoors could be subverted by bad actors, as well as harm the entire community.
And in the U.K., the Home Office — the government department responsible for counterterrorism and the police — responded to a petition that requested the government to “abandon all ideas of trying to ban strong encryption,” with what seemed to be strong denial that was even what they wanted.
“The Government is not seeking to ban or limit encryption. The Government recognizes the important role that encryption plays in keeping people’s personal data and intellectual property safe online. The Government does not require the provision of a backdoor key or support arbitrarily weakening the security of Internet services,” read the Home Office’s response. “Clearly, as technology evolves at an ever-increasing rate, it is only right that we make sure we keep up, to keep our citizens safe. There shouldn’t be a guaranteed safe space for terrorists, criminals and pedophiles to operate beyond the reach of law.”
It may not matter whether the U.K. legislates backdoors or other mass surveillance tools, in light of a recently decided court case, SzabĂł and Vissy v. Hungary. The decision by the European Court of Human Rights (ECHR) last week found in favor of two Hungarian nationals who argued in court “that they could potentially be subjected to unjustified and disproportionately intrusive measures” under Hungary’s National Security Act. SzabĂł and Vissy claimed that Hungary’s Anti-Terrorism Task Force was granted “sweeping prerogatives” that “infringed their constitutional right to privacy.” They successfully argued that “legislation on secret surveillance measures for national security purposes provided fewer safeguards for the protection of the right to privacy than the provision on secret surveillance linked to the investigation of particular crimes.”
The result may render the U.K. mass surveillance effort moot, according to The Register. The ECHR found that mass surveillance violated Article 8, the right to privacy, of the European Convention on Human Rights. The judgment isn’t sufficient to stop the U.K. from passing a law allowing mass surveillance, but it could mean that immediately after being enacted, any such law would be challenged — probably successfully — in the European Union courts, The Register reported.
More on EU privacy rights
Speaking of privacy, the EU wants to limit power of U.S. authorities to obtain information on EU citizens, according to Reuters. Specifically, the EU wants guarantees of limits on the powers of authorities in the U.S. to demand personal information incorporated into the replacement for the recently overturned Safe Harbor data transfer pact.
“We need guarantees that there is effective judicial control of public authorities’ access to data for national security, law enforcement and public interest purposes,” EU Justice Commissioner Vera Jourova said at a conference in Brussels this week.
While talks have been ongoing, there is a greater sense of urgency for coming to an agreement since the overturn of the Safe Harbor agreement last year. EU data protection authorities have set a deadline of Jan. 31, 2016, for the U.S. and the EU to come to an agreement on a new framework for data protection. If the two sides fail to come to an agreement by then, U.S. companies may face enforcement action from the EU.
Key escrow, 2016 style
The official voice encryption protocol of Government Communications Headquarters in the U.K., MIKEY-SAKKE, turns out to be “actively harmful for security,” according to Steven J. Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of University College London. MIKEY-SAKKE is “actively harmful for security,” according to Murdoch’s report. “MIKEY-SAKKE is designed to offer minimal security, while allowing undetectable mass surveillance though key escrow, not to provide effective security.”
Comparing the MIKEY-SAKKE protocol to the ill-starred Clipper chip key escrow scheme that was approved by the U.S. Department of Commerce in 1994, Murdoch wrote, “With Clipper, a normal key exchange algorithm would be performed, but the resulting session key would also be encrypted under a separate escrow key held by a special department of the U.S. government (the escrow agent). A third-party wishing to listen to an eavesdropped encrypted call would request that the escrow agent decrypt the escrowed session key, and so allow the call to be decrypted.” Clipper was eventually dropped after strong opposition from privacy activists, politicians and computer scientists.
“The design of MIKEY-SAKKE is motivated by the desire to allow undetectable and unauditable mass surveillance, which may be a requirement in exceptional scenarios, such as within government departments processing classified information,” Murdoch said. “However, in the vast majority of cases, the properties that MIKEY-SAKKE offers are actively harmful for security. It creates a vulnerable single point of failure, which would require huge effort, skill and cost to secure — requiring resource beyond the capability of most companies.”
In other news
- When Otku Sen published open source ransomware Hidden Tear on GitHub last summer, his intention was to educate people to battle ransomware — and, reportedly, to create “a honeypot for script kiddies” — not to help people to use it as ransomware. However, that didn’t work out so well, as Trend Micro reported last week that the Hidden Tear code was being used for malicious purposes. And in the meantime, Sen told Security Week that he’d broken the encryption of the misused, educational malware. Sen explained his scheme for the honey pot, as well as how he broke the encryption, this week in his blog.
- Symantec has given a discount to The Carlyle Group on its Veritas purchase, according to a Symantec press release, after the sale price of the storage software company was dropped to approximately $1 billion. According to Symantec, the discounted price of $7.4 billion came “after uncertainties developed regarding the transaction.” Neither Symantec nor the Carlyle Group specified what the uncertainties were, but both parties appear satisfied with the result, and the transaction is scheduled to be completed on Jan. 29, 2016.
- Bot click fraud could cost advertisers $7.2 billion globally in 2016, according to research conducted by the Association of National Advertisers and White Ops, an antibot and malware fraud security firm. “The level of criminal, nonhuman traffic literally robbing marketers’ brand-building investments is a travesty,” said Bob Liodice, ANA president and CEO, in a press statement. While the study revealed that “fraud levels are relatively unchanged compared to the results of a similar study conducted a year ago,” the estimated global losses to ad fraud have risen, because digital advertising spending has increased.
Learn more about the “going dark” debate and public safety costs of end-to-end encryption.