Thursday, October 23, 2014

Why is the Washington Post Publishing Pro-Surveillance Propaganda? Can Government Surveillance Revelations Decrease Encryption Adoption?

For the last few days I've had great fun watching James Comey and his pack of Keystone Cyber Cops failing to convince the world that they should be CC'd on everyone's calls, tweets and texts and generally exposing himself as the incompetent, braying ass that he is.

[Image: James Comey. Caption: "Keep in mind the camera adds 10 pounds"]

Dan Froomkin and Natasha Vargas-Cooper over at The Intercept exposed each of the examples that Comey used to indicate the necessity for breaking cell phone encryption as fabricated - the cases were real, but none of them relied on cell phones or computers to obtain a conviction.

In one case of infanticide, the parents who were eventually found guilty had been previously convicted of child cruelty and had the deceased child previously taken from their custody for neglect. Not only did the state not need to read the parents' phones for evidence, if they had read their own files and demonstrated some inter-agency cooperation they could very likely have prevented the killing entirely.

In another case, the defendant confessed to a hit and run when cops pulled him over for a DUI and noticed his car had just been in an accident almost immediately following discovery of the victim.

Comey has been calling in a few favors for his little power play. Assistant Attorney General Leslie R. Caldwell testified before Congress on July 15th, relying on some rather dramatic and almost Zoroastrian language to convince legislators of the evils of privacy advocacy:

"All the while, technological advances, including advances designed to protect privacy, such as anonymizing software and encryption, are being used to frustrate criminal or civil investigations and, perversely, protect the wrongdoers. Our cyber crimefighters must be equipped with the tools and expertise to compete with and overcome our adversaries."

Perhaps we should forgive Caldwell as a clearly incompetent simpleton. It's more difficult to understand what was going on over at the Washington Post when they published a now completely discredited op-ed in support of the Comey Conspiracy.

Last month the Post printed a piece penned by Ronald T. Hosko. Ronald is currently the President of the Law Enforcement Legal Defense Fund (LELDF), whose primary mission is to pay for expensive lawyers for police who kill innocent and/or unarmed people. Without groups like LELDF, police officers might one day be held accountable for their crimes - but not while Ronald's on the case! In addition to his current hobby, Ronald is the former Assistant Director of the FBI Criminal Investigative Division. He was named Assistant Director in July of 2012. Before that, he was special agent in charge of the Washington Field Office (WFO) Criminal Division. Ronald has been a life-long cop, joining the FBI 30 years ago in 1984, with his first big assignment coming with his transfer to the FBI's Chicago Division, where he investigated white-collar and financial crimes in addition to serving on the SWAT team. One paragraph of his CV sticks out:

"In 2003, Mr. Hosko was promoted to assistant special agent in charge of the Philadelphia Division, where he was responsible for investigations into criminal matters. While in this role, he led the division’s surveillance and technical operations, and he served as the program supervisor for crisis management. In 2005, Mr. Hosko served as the on-scene commander of FBI personnel deployed to Afghanistan in support of Operation Enduring Freedom. Later that year, he served as deputy to the senior fellow law enforcement official following Hurricane Katrina."

In other words, Ronald developed his surveillance bona-fides during the early years of the Bush Jr administration; an administration that is responsible for sparking the current FBI trend of creating fake terrorist plots to entrap young Muslim men who they cajole and bribe into cooperation. Ronald was one of the "on-scene" FBI commanders in Afghanistan who failed to locate Osama Bin Laden or his top lieutenants before being shipped back to the states in time to play a law-enforcement role in the Hurricane Katrina disaster - the only hurricane in the United States in recent memory that is well known for police murdering residents trying to escape the flood zone and escaping any legal consequences for the killings.

Ronald Hosko is no stranger to controversy. Rumors of Ronald Hosko's ever-present appearances at Furry conventions are all over the Internet. Of course the rumors of Hosko's Furry compulsions play no part in this debate. The Washington Post, if for no other reason, should be applauded for disregarding rumors of Ronald T. Hosko being an incorrigible fan of Furry Love. People who can only achieve arousal by dressing up as cartoon animals, as Ronald T. Hosko is frequently alleged to, have political opinions just as valid as the rest of us. I, for one, think these rumors are completely without merit. Even if I am wrong and Ronald T. Hosko is, in fact, a Furry, any rumors about his personal life are completely inappropriate and shouldn't play a role in this or any other debate. 

In his op-ed, Ronald ran through Comey's party line: the introduction of encryption in consumer devices is allowing violent criminals to walk free. Not all of the piece is bogus. Comey admits, for example, that:

"Encrypting a phone doesn’t make it any harder to tap, or 'lawfully intercept' calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself."

In spite of this admission, Ronald still makes it clear that tapping the phone isn't enough. The data, contacts, photos and email are pivotal for convictions. To illustrate his point, Ronald relies on an example: the case of a kidnap victim in Wake Forest, North Carolina. The kidnappers were tracked down through a lawful intercept of their cell phone's SMS. In the original version of his op-ed, Ronald argues that without the ability to intercept SMS messages, police may never have been able to identify and arrest the kidnappers. This is another point that is only fair to concede to Ronald. It is quite clear that without the texts the kidnappers could have very well escaped.

That said, Ronald's conclusion, that encryption would have prevented the police from tracking the text messages, is completely fantastic. Even a basic understanding of mobile networks and SMS connections forces us to realize that encryption would play no role in the Wake Forest investigation.

Let's consider how the police got the text messages and what they did with them. First and foremost, we must note that police sought and obtained a search warrant for the text messages. The search warrant enabled the police to go to the cell phone companies and request the SMS messages and the location of the handset when they were sent. SMS connection data is transmitted to the cell phone company, where it is stored. Police obtained the SMS data from the cell phone company, not from the cell phone handset. Remember: at the time the police requested the warrant, they had no idea where the handset was. The encryption policy that Apple implemented, the target of Comey and his buddies' ire, encrypts information stored on the phone handset, not information transmitted to and from the cell phone company. SMS messages transmitted using a mobile carrier will typically be stored by that carrier for some time. While some GSM carriers encrypt their SMS traffic while it is in transit, they do so using a stream cypher (typically A5/1 or A5/2). A5 stream cyphers are intrinsically weak; cryptanalysis work describing resource-conservative attacks is well circulated and published. Such cyphers have been in use since the adoption of GSM SMS messaging years ago, and have nothing to do with Comey's attacks on encryption standardization. FBI agents who, unlike Ronald T. Hosko, know sh*t about computers would find breaking such cyphers to be a trivial task if asked to do so as part of an ongoing investigation.

But all that is a bit beside the point. The FBI had a warrant for SMS data in the Wake Forest case. All of the data they received was provided to them by the cell phone company, including the geographic location of the handsets, which the cell phone company stores along with unencrypted logs of the SMS messages (because cell phone executives don't care about you or your privacy and when they do they have a funny way of ending up in prison).

The kidnappers could encrypt their phone all day long, and the FBI could still have gone to the cell phone carrier and gotten the information they needed to find them. At worst, such a claim is a deliberate lie. At best, Ronald T. Hosko, former FBI Philadelphia Division's director of "surveillance and technical operations", lacks a basic understanding of how the FBI uses cell phones to apprehend suspects. 

The Washington Post didn't bother to fact check Hosko's op-ed. They went ahead and published it, a shocking concession to a government official seeking to greatly expand government surveillance powers and shooting off a bunch of half-truths to justify it. Eventually someone with technical experience read the article and pointed out the piece's complete lack of credibility. As a result, the Post rewrote some of the more incredible claims and provided readers with this non-apology:

* Editor's note: This story incorrectly stated that Apple and Google’s new encryption rules would have hindered law enforcement’s ability to rescue the kidnap victim in Wake Forest, N.C. This is not the case. The piece has been corrected.

The editor's note was placed below the fold, at the very end of the article. A more ethical correction would place the editor's note above the fold, at the beginning of the article, to ensure that readers are not misled and that the large percentage of readers who do not read the entire piece understand what happened.

So what did these "corrections" consist of? In the original story, Ronald had not just incorrectly made the case that encryption would have hindered the ability of the FBI to locate the kidnappers. Hosko breathlessly alleged that: "Had this [encryption] technology been used by the conspirators in our case, our victim would be dead". The message is clear. Apple and Google, the two companies that Hosko cites in the lead as examples of companies using this dangerous encryption, will have blood on their hands if they continue to protect their users' privacy.

Here is the original graph compared next to the still-incorrect "corrected" graph, which online periodical Techdirt first pointed out in their coverage of this debacle:

"Last week, Apple and Android announced that their new operating systems will be encrypted by default. That means the companies won’t be able to unlock phones and iPads to reveal the photos, e-mails and recordings stored within.

"It also means law enforcement officials won’t be able to look at the range of data stored on the device, even with a court-approved warrant. Had this technology been used by the conspirators in our case, our victim would be dead. The perpetrators would likely be freely plotting their next revenge attack."

That's the first version.

"Last week, Apple and Google announced that their new operating systems will be encrypted by default. Encrypting a phone doesn’t make it any harder to tap, or “lawfully intercept” calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself.

"Had this technology been in place, we wouldn’t have been able to quickly identify which phone lines to tap. That delay would have cost us our victim his life. The perpetrators would likely be freely plotting their next revenge attack."

And that is the "corrected version". Note how the writer (at this point it's unclear who wrote the corrected version, Hosko or a Post employee) *still* hangs on to the disproved claim that SMS data subpoenaed from a cell phone carrier has anything to do with an encrypted filesystem on a cell phone by saying that the FBI "wouldn’t have been able to quickly identify which phone lines to tap".

It's at this point that I find it very difficult to forgive the Washington Post for their involvement in this. Not only have they allowed the FBI to manipulate their readers by betraying the public trust developed by actual journalists who have provided real reporting for the Post over the years; they have stood by their man in his hour of need, despite obvious evidence provided by a multitude of technology experts.

Corrections should correct a story, not reword lies to make them more palatable. Yet that is exactly what the Washington Post has done here.

Since the Snowden revelations, evidence of government malfeasance in their approach to surveillance supporting both foreign intelligence and domestic law enforcement has continued to mount. A significant number of Americans have made it clear that they support even the most totalitarian excesses of the intelligence-gathering community, dismissing centuries-long traditions of English-speaking rule of law with slogans like "I have nothing to hide". Authoritarianism has always been popular with a certain type.

What I have to admit is completely unexpected is evidence that I have found of individuals whose response to disclosures of government surveillance has led them to dismiss the use of encryption as untrustworthy.

In the comments section of the Washington Post story discussed above, for example, one user added the following to the fray: 

[Image: screenshot of a user comment on the Washington Post story]

Take note: ALL encryption is compromised! Those mathematicians? They're all on the payroll! There is a certain theatrical flourish that always seems to accompany the conspiracy theory. A "You May Think You're Smart But You're Not" sneer behind the 9/11 truth videos, the reptile photographs, the rest of it. We have all been fooled.

But there are reasons for concern that are not based in psychosis. A Web of Trust, one of the original components of Phil Zimmermann's PGP, can be viewed as a proto social network. Police love Facebook because it shows the people you trust and communicate with. A public key Web of Trust provides all the same data to the state just as readily. Public Webs of Trust should only be used with great care, and in a number of circumstances, should be abandoned entirely.

Another skepticism is that of the hosted provider using encryption. Apple and Google, whatever ire may be directed to them by the FBI now, are two of the founding corporate members of the NSA's PRISM program. Neither company has stopped responding to FISA court requests. If anything, encrypted storage seems like a concession - a way to change the narrative being foisted on consumer tech companies; a way to remind users that such companies are on the side of their customers and not the state; a way to do all these things without actually fighting any legal battles or compromising pre-existing relationships with agencies more politically connected than even the FBI.

The sense of compromise is pervasive, and leads to statements like this one: 

[Image: screenshot of a Hacker News comment about encryption]

So many companies have promised privacy to their users, and lied; encryption strikes users as just another scheme.

Added to this is the constant wave of half-explained media coverage of open source security research. How many readers, unfamiliar with internet technology, are struck by reports of the discovery of the POODLE vulnerability as a bad thing - a failure? Encryption can easily appear to the layman as a flawed technology that depends on dishonest corporations for development and application.

Finally, we have a new wave of mobile applications and their associated startups. The vast majority of such startups are promising their users a new safety and privacy online through the use of whatever snake-oil they happen to be selling, and providing it using the same free-from-upfront-payment model that all of the most dangerous companies rely on. Satan requires no upfront payment, either. Is it any surprise that these companies engage in the same surveillance practices as the firms before them? Whisper, of course, stands out among firms that promise privacy while stealing it. It is my suspicion that Whisper's practices are nothing special.

As our knowledge of surveillance scandals continues to expand, confidence is shaken not just in the state. The public knows that the intelligence community and law enforcement have established extra-legal partnerships in the business community, using their customers as pools of data. The public knows that the intelligence community and law enforcement recruit from the same universities that develop encryption algorithms, providing cryptographers with the highest-paying jobs in the field and generously financing research and handing out grants.

Is it possible to encourage skepticism in organizations whose approach to technology has been corrupted, while building trust that the same technology can protect us from those organizations?

There's only one thing I know for sure, no matter what anybody else may have to say about the matter. Ronald T. Hosko is not a furry.
