By William GallagherSaturday, February 01, 2020, 01:35 pm PT (04:35 pm ET)

Republican Senator Lindsey Graham is behind a draft bipartisan bill called the 'Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2019'' or EARN IT. Its stated aims are to "develop recommended best practices... regarding the prevention of online child exploitation." However, the methods Graham proposes would effectively ban all end-to-end encryption.

"The absolute worst-case scenario could easily become reality," think tank TechFreedom president Berin Szoka told Bloomberg. "DOJ could effectively ban end-to-end encryption."

The act would introduce a National Commission on Online Child Exploitation Prevention "and for other purposes." Senator Graham's draft bill proposes a structure for the Commission, which would comprise 15 people including the US Attorney General.

The greater part of Senator Graham's proposals outline creating and enforcing age limits for online material, plus a rating system to categorize images by severity.

At no point does the draft bill mention encryption, however its requirements cannot be complied with if end-to-end encryption is used. Companies with any public or private online discussion areas, such as Whatsapp and Facebook, would be required to divulge user details to law enforcement.

"[Best practices] shall include... coordinating with law enforcement agencies and other industry participants to preserve, remove from view, and report material relating to child exploitation or child sexual abuse," says the draft bill.

"[Also] retention of evidence and attribution or user identification data relating to child exploitation or child sexual abuse, including such retention by subcontractors," it continues.

Senator Graham's proposals explicitly state that the result will be changes to the Communications Decency Act of 1934, which currently allows online services to shield themselves from lawsuits over such materials.

Neither Apple nor any online companies have publicly responded to the proposals yet. However, Apple has and continues to be a strong and vocal proponent of the necessity for end-to-end encryption and the dangers of removing it.

There is currently no date for when the draft bill will proceed further toward legislation.

However, it comes after FBI officials have reportedly been concerned over US Attorney General William Barr's pressures to weaken or remove end-to-end encryption.

Most recently, Apple's senior director of global privacy, Jane Horvath, spoke at CES in January about the company's position on weakening encryption to help combat crime.

"Building back doors into encryption is not the way we are going to solve those issues," she said.

Continue reading here:
Apple's end-to-end encryption threatened by new proposed bill - AppleInsider

A new bill would reduce legal protections for apps and websites, potentially jeopardizing online encryption. The draft bill would form a National Commission on Online Child Exploitation Prevention to establish rules for finding and removing child exploitation content. If companies dont follow these rules, they could lose some protection under Section 230 of the Communications Decency Act, which largely shields companies from liability over users posts.

Reports from Bloomberg and The Information say that Sen. Lindsey Graham (R-SC) is behind the bill, currently dubbed the Eliminating Abusive and Rampant Neglect of Interactive Technologies (or EARN IT) Act. It would amend Section 230 to make companies liable for state prosecution and civil lawsuits over child abuse and exploitation-related material, unless they follow the committees best practices. They wouldnt lose Section 230 protections for other content like defamation and threats.

The bill doesnt lay out specific rules. But the committee which would be chaired by the Attorney General is likely to limit how companies encrypt users data. Large web companies have moved toward end-to-end encryption (which keeps data encrypted for anyone outside a conversation, including the companies themselves) in recent years. Facebook has added end-to-end encryption to apps like Messenger and Whatsapp, for example, and its reportedly pushing it for other services as well. US Attorney General William Barr has condemned the move, saying it would prevent law enforcement from finding criminals, but Facebook isnt required to comply. Under the EARN IT Act, though, a committee could require Facebook and other companies to add a backdoor for law enforcement.

Riana Pfefferkorn, a member of the Stanford Law Schools Center for Internet and Society, wrote a detailed critique of the draft. She points out that the committee would have little oversight, and the Attorney General could also unilaterally modify the rules. The Justice Department has pushed encryption backdoors for years, citing threats like terrorism, but they havent gotten legal traction. Now, encryption opponents are riding the coattails of the backlash against big tech platforms and fears about child exploitation online.

Techdirt founder Mike Masnick also notes that Section 230 doesnt cover federal crimes so the Justice Department could already prosecute companies if theyre enabling abuse. This bill would just let it write a new set of rules by threatening much broader liability.

A spokesperson for Grahams Senate Judiciary Committee emphasized to Bloomberg that the bill isnt final. And the Justice Department is taking a closer look at Section 230 next month, holding a public workshop to discuss potential changes.

Read more:
A new bill could punish web platforms for using end-to-end encryption - The Verge

Under the guise of fighting against online child pornography, American politicians are trying to effectively ban end-to-end encryption on all communication technology platforms for everyone. Newly proposed legislation could force companies like Apple, Google and Facebook to create back doors on their services to make sure law enforcement can easily monitor everything they want or potentially face prosecution for negligently enabling child abuse.

Also Read: Court Orders Telegram to Hand Russia Its Encryption Keys

A planned bipartisan measure in the U.S. Senate could stop all messaging services, such as the crypto communitys favorite Telegram and Facebook controlled Whatsapp, from offering end-to-end encryption for users. Under this plan, companies could be forced to engineer back doors into their networks, for government agencies to be able to peer into private communications. Besides the obvious privacy concerns, such back doors could eventually fall into the wrong hands and be exploited by hackers to steal sensitive information, as other back doors have in the past.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act is presented as a tool to stop the spread of child sex abuse material (CSAM). Currently, internet companies simply have a degree of protection against lawsuits in the case that some of their users transmitted online child pornography. However, the EARN IT Act will force platforms to earn it. And the way to earn this protection is by complying with requirements set by the government, which will include banning end-to-end encryption.

This plan will curb the power of Section 230 of the Communications Decency Act of 1996, a piece of U.S. legislation which provides immunity from liability for providers of an interactive computer service who publish information provided by users. Without this legal shield, companies can face immense challenges to operate as they could be dragged to court for the actions of their users. It is considered to be a critical part of making the U.S. a receptive home for the tech industry to grow as rapidly as it did since it was enacted.

Even before knowledge about the EARN IT Act leaked out to the public, there was already evidence that U.S.-based tech companies feel pressured by the government to hurt their users privacy. About two weeks ago it was widely reported that Apple has abandoned plans for end-to-end encryption of their devices cloud backups after the FBI complained that the move would hamper its investigations.

The absolute worst-case scenario could easily become reality: DOJ could effectively ban end-to-end encryption, explained Berin Szoka, president of the libertarian think tank Tech Freedom. Signal, Telegram and Whatsapp all could no longer exist in their current form. All would be required to build in backdoors for law enforcement because all could be accused of recklessly designing their products to make it impossible for the operators or law enforcement to stop CSAM sharing. The same could happen for age verification mechanisms. Its the worst kind of indirect regulation. And because of the crazy way its done, it could be hard to challenge in court.

Once considered to be champions of innovation and even freedom, the big tech monopolies have come under a lot of criticism in recent years over various aspects of their operations around the world. In the U.S. this can been seen to draw the attention of politicians from both the Left and the Right, with Republican President Donald Trump accusing big tech of collusion with his rivals at the Democratic party and Democrat presidential contender Elizabeth Warren calling to break up Americas biggest tech companies.

The main issue that most gains public attention these days is collecting and selling users personal data. Other controversial topics include stifling competition, addicting users to notifications, enabling election hacking or manipulation with fake news and of course employing unwarranted censorship.

Instead of trying to remain unbiased platforms used by everyone, regardless of usage as long as its legal, some big tech companies are actively censoring what users can say. Google, Twitter, Facebook, Reddit, and others have all banned accounts of individuals or media companies for somehow violating their terms of service while not actually breaking the law. While the companies probably hoped this will lower the attacks on them, it mostly had the opposite effect with those pushing for more censorship increasing their demands and some of those objecting to it taking a less libertarian approach to what these supposedly private companies can do with their platforms.

The cryptocurrency ecosystem has been a repeated victim of censoring by big tech monopolies too, with the latest example coming in the form of the Youtube Christmas Purge of 2019. Many channels that discussed crypto matters were kicked off the Google-owned video platform without warning, before some were eventually reinstated. This also led video creators and crypto influencers to try and migrate to more decentralized and censorship-resistant platforms. Now the politicians are trying to exploit the anger all these controversial policies created against big tech to crack down on their users privacy.

Years of imbibing a concentrated font of human venality every time we open our phones, coupled with the metastatic growth of surveillance capitalism, have birthed the current, bipartisan techlash. The techlash is taking several forms, among them the growing zeal for amending or outright repealing Section 230, explained Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at Stanford Universitys Center for Internet and Society. The idea is that Section 230 is no longer needed; its served its original purpose, if anything it was too successful, and now U.S. tech companies have outgrown it and grown too big for their britches, period.

What do you think about American politicians trying to ban end-to-end encryption? Share your thoughts in the comments section below.

Images courtesy of Shutterstock.

Verify and track bitcoin cash transactions on our BCH Block Explorer, the best of its kind anywhere in the world. Also, keep up with your holdings, BCH, and other coins, on our market charts at Bitcoin.com Markets, another original and free service from Bitcoin.com.

Avi Mizrahi is an economist and entrepreneur who has been covering Bitcoin as a journalist since 2013. He has spoken about the promise of cryptocurrency and blockchain technology at numerous financial conferences around the world, from London to Hong-Kong.

Read the original here:
US Politicians Want to Ban End-to-End Encryption on Messaging Services like Telegram and Whatsapp - Bitcoin News

The United States government, as well as US law enforcement agencies, care a lot about iOS and Android encryption. Smartphone data can reveal a lot about terrorists, people who conduct mass shootings, and even general criminals. If officials conduct investigations properly, that data can be used in court as evidence.

Thats why there have been lots of headlines recently about the US government trying to convince companies such as Apple to hand over so-called backdoor access to our smartphone data.

However, critics argue that the government having easy access to your private data pretty much defeats the purpose of encrypted data in the first place, and Apple (among other companies) have mostly refused to cooperate. According to a new expos from Vice, though, the government appears to be doing fine with cracking smartphone encryption, with or without help from the smartphones creators.

At least, thats the case when it comes to most iPhones. When it comes to Android encryption, the job is reportedly getting increasingly more difficult for investigators.

Detective Rex Kiser, who conducts digital forensic examinations for the Fort Worth Police Department, had this to say toVice: A year ago we couldnt get into iPhones, but we could get into all the Androids. Now we cant get into a lot of the Androids.

Vices investigation into the matter shows that Cellebrite one of the most prominent companies that government agencies hire to crack smartphones has a cracking tool that can break into any iPhone made up to and including the iPhone X. The tool pulls data such as GPS records, messages, call logs, contacts, and even data from specific apps such as Instagram, Twitter, LinkedIn, etc., all of which could be incredibly helpful in prosecuting criminals.

However, that same Cellebrite cracking tool is much less successful with Android encryption on prominent handsets. For example, the tool could not extract any social media, internet browsing, or GPS data from devices such as the Google Pixel 2 and Samsung Galaxy S9. In the case of the Huawei P20 Pro, the cracking software literally got nothing.

Some of the newer operating systems are harder to get data from than others, Kiser toldVice. I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones under the guise of consumer privacy.

If you own one of those Android phones just mentioned or even newer phones from those same companies, dont think that your phone is uncrackable. Just because Cellebrites tool doesnt work doesnt mean investigators cant extract the data they need. The process just becomes more labor-intensive and takes more time and resources. Even a brand new phone, such as the iPhone 11 Pro Max, can be cracked, according toVices sources. It just isnt as easy as hooking it up to a cracking tool and watching the data flow.

Related:How does encryption work? Gary explains!

Either way,Vices article heavily suggests that Android phones are the safer alternative as compared to iPhones if your main concern is security and privacy. After all, law enforcement organizations arent the only people after your data: criminal enterprises could use the same tools to get your information illegally. For now, this article makes it seem that Android encryption is the way to go to best avoid those situations.

Excerpt from:
Forensics detective says Android phones are now harder to crack than iPhones - Android Authority

If you follow security on the Internet, you may have seen articles warning you to beware of public Wi-Fi networks" in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.

The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if someone could snoop on your network communicationsfor instance by sniffing packets from unencrypted Wi-Fi or by being the NSAthey could read your email. They could also steal your passwords or your login cookies and impersonate you on your favorite sites. This was widely accepted as a risk of using the Internet. Sites that used HTTPS on all pages were safe, but such sites were vanishingly rare.However, starting in 2010 that all changed. Eric Butler released Firesheep, an easy-to-use demonstration of sniffing insecure HTTP to take over peoples accounts. Site owners started to take note and realized they needed to implement HTTPS (the more secure, encrypted version of HTTP) for every page on their site. The timing was good: earlier that year, Google had turned on HTTPS by default for all Gmail users and reported that the costs to do so were quite low. Hardware and software had advanced to the point where encrypting web browsing was easy and cheap.

However, practical deployment of HTTPS across the whole web took a long time. One big obstacle was the difficulty for webmasters and site administrators of buying and installing a certificate (a small file required in order to set up HTTPS). EFF helped launch Lets Encrypt, which makes certificates available for free, and we wrote Certbot, the easiest way to get a free certificate from Lets Encrypt and install it.

Meanwhile, lots of site owners were changing their software and HTML in order to make the switch to HTTPS. Theres been tremendous progress, and now 92% of web page loads from the United States use HTTPS. In other countries the percentage is somewhat lower80% in India, for examplebut HTTPS still protects the large majority of pages visited. Sites with logins or sensitive data have been among the first to upgrade, so the vast majority of commercial, social networking, and other popular websites are now protected with HTTPS.

There are still a few small information leaks: HTTPS protects the content of your communications, but not the metadata. So when you visit HTTPS sites, anyone along the communication pathfrom your ISP to the Internet backbone provider to the sites hosting providercan see their domain names (e.g. wikipedia.org) and when you visit them. But these parties cant see the pages you visit on those sites (e.g. wikipedia.org/controversial-topic), your login name, or messages you send. They can see the sizes of pages you visit and the sizes of files you download or upload. When you use a public Wi-Fi network, people within range of it could choose to listen in. Theyd be able to see that metadata, just as your ISP could see when you browse at home. If this is an acceptable risk for you, then you shouldnt worry about using public Wi-Fi.

Similarly, if there is software with known security bugs on your computer or phone, and those bugs are specifically exploitable only on the local network, you might be at somewhat increased risk. The best defense is to always keep your software up-to-date so it has the latest bug fixes.

What about the risk of governments scooping up signals from open public Wi-Fi that has no password? Governments that surveill people on the Internet often do it by listening in on upstream data, at the core routers of broadband providers and mobile phone companies. If thats the case, it means the same information is commonly visible to the government whether they sniff it from the air or from the wires.

In general, using public Wi-Fi is a lot safer than it was in the early days of the Internet. With the widespread adoption of HTTPS, most major websites will be protected by the same encryption regardless of how you connect to them.

There are plenty of things in life to worry about. You can cross public Wi-Fi off your list.

Excerpt from:
Why Public Wi-Fi is a Lot Safer Than You Think - EFF

Todays era of entertainment and the media has become completely digital. With every major cable TV provider now rushing to release its own streaming platform, the fight to gain customer confidence in choosing the new streaming service is becoming more aggressive both at home and abroad.

As a result, not all streaming opportunities are created equal. For those residing abroad, the ability to stream certain content is not the same as living in the United States. In addition, 2020 is the year of accountability for our tech giants who own the most valuable assets in the world.

In todays era of data breaches and security exploits, personal security and privacy is all the more necessary, especially when online content is streaming. For this reason, it is important for people living abroad and / or traveling frequently internationally to consider using a VPN provider or Virtual Private Network.

A VPN is a service that allows you to access the Internet as if you were connected to a private network anonymously and from any site. So, to bring the idea home if you live in an area where your internet content is restricted, a VPN essentially allows you to bypass that particular area-specific content (cough, china, cough) on the Internet. So yes, you can watch Schitts Creek all the way from India or Russia if you choose.

When you enable or disable your VPN, it creates an encrypted tunnel between your computer and a server operated by the VPN company. By streamlining all your internet traffic through this tunnel, it effectively hides your IP address (your computers social security number) and shows you that your traffic is coming from your VPN (geographically outdated) server and not your computer may be subject to restriction of content restriction. This essentially makes it more difficult for third party advertisers or others to monitor your online activities.

It also helps minimize and / or almost completely the ability of ISPs to sell your anonymous data for profit.

If you are one of these people who flows online through an Amazon Firestick, which is known to allow open source / third party option (assuming you understand that you accept the risk of anything that may happen or result from these downloads), you should probably use a VPN, no matter where you live.

Source: Surfshark

Just last week, CNET released its list of Best VPN Services in 2020, which includes well-known VPN networks such as ExpressVPN, IPVanish VPN, NordVPN and many more.

However, one VPN that we believe is up-and-coming and is completely new is Surfshark.

The most appealing about Surfshark is the ability to add an unlimited number of devices to an account while most of these other VPN networks are cut after a certain number of connections (usually five). But why is that?

The company offers over 1000 servers, while others such as ExpressVPN and NordVPN range from 3,000 to 5,200. However, it is important to note that most servers do not necessarily equal performance the number of servers simply reflects the number of subscribers serving a company.

Geographical location is an important factor to consider as Surfshark currently covers 61 countries exceeding the average in countries such as South America (often overlooked by other providers), Africa, Israel, Japan, Chile, and South Korea to name a few.

As mentioned, no matter where you are (at home or abroad), it is never a good idea in todays digital age to connect directly to the Internet. And the data breaches surrounding Avast and NordVPN antigen and security giant are proof of that.

Last year, antivirus and security giant Avast and NordVPN revealed monthly intrusions that shared a common cause, according to Brian Krebs forgotten or unknown user accounts that gave remote access to internal systems with little more than one password.

The NordVPN data breach, which occurred in March 2018, was unfortunately downgraded by the company, stating that while attackers could use private keys to track and track traffic for some of their customers traffic, monitoring communications routing through one of the companys more than 3,000 servers.

NordVPN blog report on data breach:

The server itself does not contain any user activity logs. None of our applications send user-created credentials for authentication, so usernames and passwords could not be withheld. With the same note, the only possible way to abuse site traffic was to perform a personalized and complex human attack in the middle to keep a single link trying to gain access. silver in NordVPN .

But why wait so long to report the invasion?

When we found out about the vulnerability the data center had a few months ago, we immediately terminated the contract with the server provider and broke all the servers we had rented from them, the company said. We did not disclose the exploitation right away because we needed to ensure that none of our infrastructure could be prone to such issues. This could not be done quickly because of the huge volume of servers and the complexity of our infrastructure.

This brings us back to the important issue of encryption and encryption. In cryptography, a code is an algorithm for performing encryption or decryption. For more information on cryptographers, you can read more here.

Surfshark uses AES-256-GCM, the fastest and most modern encryption method available today. For the unspecified, the AES-GCM over the AES-CBC concludes how secure its cryptography is.

AES is NIST-certified and used by the US government to protect secure data, and many have therefore adopted AES as the standard symmetrical selection cycle. It is an open standard that is free to use for any public, private, commercial or non-commercial use. AES is a symmetric key encryption key, the same key used to encrypt data is also used to decrypt it.

In cryptography, GCM or Galois / Counter Mode is a mode of operation for widely used cryptographic symmetric key cryptographic blocks. For more information on this, you can see an analysis of how encryption blocks work and how GCM plays here.

With Surfshark incorporating this level of encryption, it enables peer-to-peer (P2P) transactions, including BitTorrent, along with its own in-house ad blocker tool, called CleanWeb.

One feature we havent seen much with other providers, which many of our staff uses, is Multihop, a tunnel splitting tool that adds even more security to your connection. With this feature enabled, a VPN connection to one server and then your Internet traffic jumps to a second VPN server for even greater security.

At the end of the day, you want to make sure that you are always connected to the Internet safely and anonymously because black hackers are looking for new ways on your computer. So dont give them.

For more information about Surfshark, you can sign up for a free trial here.

See more here:
With Streaming Becoming More Prevalent in 2020, it would be better to connect to the Internet with a VPN - gotech daily

Its a long-simmering disagreement that shows no sign of reaching a conclusion: law enforcement wants access to encrypted devices and messaging apps to fight crime. Tech companies say any system that allows for lawful access would instantly be attacked and put legitimate users in danger.

The latest spat between the FBI and Apple was over the locked devices of Mohammed Saeed Alshamrani, who was suspected of killing three people and injuring eight in a shooting spree on a Navy base in Pensacola, Florida on December 6, may have escalated the conflict, but it's unlikely to break the deadlock.

While the debate has been framed as a battle between privacy and security, the reason for the stalemate is that the conversation between law enforcement and tech firms has largely focused on one solution. With tech firms moving to stronger security and end-to-end encryption across messaging apps, the US Justice Department along with the UK and Australia - has asked companies to create a key or backdoor into the design of their products that would allow law enforcement to unlock the phones of criminal suspects and access data a move that Facebook says is impossible without weakening the strength of its encryption.

Surprisingly little thought, however, has been given to alternative ways of handling the challenge of thwarting criminals who hide behind encryption, while also preserving the privacy of legitimate users. So what are the alternatives, and is there a possibility that both sides could agree a middle ground?

Facebook has offered its own solution. Anxious to avoida scenario where unbreakable encryption would effectively become illegal,Facebook says it should still be able to provide some critical location and account information.

This is because end-to-end encryption hides all content, but not all metadata of the conversation taking place.We are building tools to look for signals and patterns of suspicious activity so that we can stop abusers from reaching potential victims, Facebooks Jay Sullivan told the Judiciary Committee last month.

The big fear, however, is that 12 million referrals of child sexual abuse - currently flagged by tech giants - would be lost annually if Facebook implements its plans. Stronger encryption would limit the chances of identifying the abusers and rescuing the victims.

Then there is the argument that Facebook cannot be trusted, with critics pointing to numerous security breaches and the mass collection of users personal data for financial gain.

Anotheroption, put forward by the Carnegie Endowment for International Peace in a new paper calledMoving the Encryption Policy Conversation Forward, attempts to find some middle ground by separating data at rest and data in motion. It would prevent police from being able to carry out live surveillance of discussions that are in progress, but allow them with a court-ordered search warrant to see data at rest on mobile phones.This would include photos and messages that are already held on suspects mobile phones, laptops and in cloud storage.

Exploring mobile phone data at rest seems to be an area most likely to kick start the debate.New York County District Attorney Cyrus Vance is among supporters of this approach and wants federal legislative action to push it through.His frustration stems from Apples refusal to provide access to the phone of the San Bernardino shooter following the 2015 massacre.

Even so,many in the computer security community are skeptical, and the approach rigorous testing and debate to see if its viable.

A third option isnt so much a backdoor, more an emergency entrance. Here the government, the tech company and a neutral third party, such as a court, would each keep a fragment of a cryptographic key. Authorities would get sanctioned and pre-agreed access to messaging data a bit like a bank safe deposit box which can only be opened if the bank and the customer are present.

According to Andersen Cheng, CEO of Post-Quantum, this scenario option would significantly limit the ability of rogue actors to get access because it means no one authority has a master key to unlock millions of accounts. Any concerns over government control can be allayed because the key management could be hosted by the social media companies, he says.

The only problem and its a big one - is that no one appears to have any idea how to create such a thing at scale that will remain secret. Tech companies are likely to rail against any technical steps that would fundamentally weaken communications.

Then, theres the current solution. Each year,US police districts give millions of dollars to third-party commercial developers to access data saved to the cloud. As we know from recent scandals, undetectable spyware exploits vulnerabilities in software, allowing the buyer to access a device to read texts, pilfer address books, remotely switch on microphones and track the location of their target. There is no shortage of commercial surveillance companies that offer these services, and police reportedly used similar tools to access the phone of the San Bernardino shooter when Apple wouldnt help.

This kind of technology is playing an increasing part in helping government agencies all over the world prevent and investigate terrorism and crime and save lives: almost 50% of police investigations now involve cloud data.

Controversial Israeli firm NSO Group was involved in the capture notorious drug lord El Chapo, and recently police in Western Europe said that NSO spyware was helping them track a terror suspect they feared was plotting an attack during Christmas.

Despite this, encrypted devices and messaging platforms continue to complicate crime investigations, not least becausecritical evidence is often only available on the device itself, not in the cloud. The tools provided by commercial companies can also be expensive, with police claiming that justice is sometimes unattainable for crime victims in areas where police departments do not have the means to decrypt phones.

Campaigners also point to potential abuses and a lack of transparency over new forms of surveillance being used, and a more widespread adoption of this approach will mean that governments will have to impose careful controls to prevent misuse and enforce oversight.

Whatever the solution to the current debate over encryption, its unlikely to perfectly suit everyone. As the Carnegie Endowment report points out,cybersecurity advocates may have to accept some level of increased security risk, just as law enforcement advocates may not be able to access all the data they seek.

The first step, however, is recognizing that, with the lives and safety of so many at stake, lawmakers and tech firms should investigate every option.

Read more:
Options to End the End to End Encryption Debate - Infosecurity Magazine

Enigma More than a quarter century after its introduction, the failed rollout of hardware deliberately backdoored by the NSA is still having an impact on the modern encryption debate.

Known as Clipper, the encryption chipset developed and championed by the US government only lasted a few years, from 1993 to 1996. However, the project remains a cautionary tale for security professionals and some policy-makers. In the latter case, however, the lessons appear to have been forgotten, Matt Blaze, McDevitt Professor of Computer Science and Law at Georgetown University in the US, told the USENIX Enigma security conference today in San Francisco.

In short, Clipper was an effort by the NSA to create a secure encryption system, aimed at telephones and other gear, that could be cracked by investigators if needed. It boiled down to a microchip that contained an 80-bit key burned in during fabrication, with a copy of the key held in escrow for g-men to use with proper clearance. Thus, any data encrypted by the chip could be decrypted as needed by the government. The Diffie-Hellman key exchange algorithm was used to exchange data securely between devices.

Any key escrow mechanism is going to be designed from the same position of ignorance that Clipper was designed with in the 1990s

Not surprisingly, the project met stiff resistance from security and privacy advocates who, even in the early days of the worldwide web, saw the massive risk posed by the chipset: for one thing, if someone outside the US government was able to get hold of the keys or deduce them, Clipper-secured devices would be vulnerable to eavesdropping. The implementation was also buggy and lacking. Some of the people on the Clipper team were so alarmed they secretly briefed opponents of the project, alerting them to insecurities in the design, The Register understands.

Blaze, meanwhile, recounted how Clipper was doomed from the start, in part because of a hardware-based approach that was expensive and inconvenient to implement, and because technical vulnerabilities in the encryption and escrow method would be difficult to fix. Each chip cost about $30 when programmed, we note, and the relatively short keys could be broken by future computers.

In the years following Clipper's unveiling, a period dubbed the "first crypto wars," Blaze said, the chipset was snubbed and faded into obscurity while software-based encryption rose and led to the loosening of government restrictions on its sale and use. It helped that Blaze revealed in 1994 a major vulnerability [PDF] in the design of Clipper's escrow design, sealing its fate.

It is important to note, said Blaze, that the pace of innovation and unpredictability of how technologies will develop makes it incredibly difficult to legislate an approach to encryption and backdoors. In other words, security mechanisms made mandatory today, such as another escrow system, could be broken within a few years, by force or by exploiting flaws, leading to disaster.

This unpredictability in technological development, said Blaze, thus undercuts the entire concept of backdoors and key escrow. The FBI and Trump administration (and the Obama one before that) pushed hard for such a system but need to learn the lessons of history, Blaze opined.

"The FBI is the only organization on Earth complaining that computer security is too good," the Georgetown prof quipped.

"Any key escrow mechanism is going to be designed from the same position of ignorance that Clipper was designed with in the 1990s. We are going to be looking back at those engineering decisions ten years from now as being equally laughably wrong."

Daniel Weitzner, founding director of the MIT Internet Policy Research Initiative, said this problem is not lost on all governments trying to work out new encryption laws and policies in the 21st century. He sees a number of administrations trying to address the issue by bringing developers and telcos in on the process.

"What the legislators hear is a complicated problem that they don't know how to resolve," Weitzner noted. "Moving the debate to experts on one hand gets you down to details, but it is not necessarily easy."

Sponsored: Detecting cyber attacks as a small to medium business

More here:
Remember the Clipper chip? NSA's botched backdoor-for-Feds from 1993 still influences today's encryption debates - The Register

from the this-makes-no-sense dept

Last month, we noted that Attorney General William Barr was making a bizarre attack on Section 230 of the Communications Decency Act, claiming that the DOJ was "studying Section 230 and its scope" and arguing -- without evidence -- that 230 might be contributing to "unlawful behavior" online. As we noted at the time, Section 230 explicitly exempts federal criminal charges from what it applies to, meaning that it literally cannot interfere with any DOJ prosecution. So it's truly bizarre to see the DOJ concerned about the issue.

But Barr has continued to push forward with this anti-230 kick, and is going to host a "workshop" about 230 in a few weeks.

The U.S. Justice Department is hosting a workshop next month seeking a wide diversity of viewpoints on Section 230 of the Communications Decency Act, the federal statute that, with few exceptions, protections major internet companies and private website owners from liability when it comes to the posts and comments generated by users.

While the DOJ claims that this workshop will have that "diversity of viewpoints," as we've seen in other contexts with the DOJ, that this is rarely the actual case. It may offer up a sacrificial lamb in support of 230, but it is likely to stack the deck against 230. This is the same thing that the DOJ has done, repeatedly, with regard to the encryption debate and questions around "going dark." Indeed, we've noted before the similarities between the government's efforts to attack encryption and the playbook that was used to attack Section 230 in 2018. In fact, we've heard that the very same former Hollywood lobbyist is a key player in both efforts.

Given the similarities in the playbook, and the fact that the DOJ is not hindered at all by 230, it makes you wonder if Barr and the DOJ are playing this anti-230 card simply as a method of punishing the internet industry for opposing his desire to gut encryption? The whole thing seems to be little more than an abuse of DOJ power to intimidate and threaten an entire industry for daring to support online security and free speech online against a government which would prefer neither thing be enabled.

Filed Under: cda 230, doj, encryption, section 230, william barr

See the original post here:
Is William Barr's Latest Attack On Section 230 Simply An Effort To Harm Tech Companies For Blocking His Desire To Kill Encryption? - Techdirt

While the fallout from the LifeLabs privacy breach continues to reverberate in the form of proposed class action lawsuits and patients still trying to determine if their personal medical information was accessed, the Office of the Information and Privacy Commission of B.C. has confirmed there is no legislation that mandates private information held by a company be encrypted.

Neither the Freedom of Information and Protection of Personal Information Act (FIPPA), which applies to public bodies, nor the Personal Information Protection Act, (PIPA), which applies to private organizations, specifically mention encryption, the Information and Privacy Commission confirmed in an email response to a query from KTW.

Personal information of up to 15-million LifeLabs patients, primarily in B.C. and Ontario, may have been accessed during a cyberattack on the companys computer systems in October. LifeLabs reported it to authorities on Nov. 1, but the breach was not made public until mid-December.

LifeLabs said it retained outside cybersecurity consultants to investigate and assist with restoring the security of its data.

While LifeLabs states on its website that its patient information is encrypted, company CEO Charles Brown told the CBCs Early Edition on Dec. 18 that he did not know if the information hacked was, indeed, encrypted.

Here is the text that can be found on the Life Labs website: Our security practices are designed to protect your personal information and prevent unauthorized access. Only authorized employees are permitted to access personal information and only when the access is necessary. Your information is protected using industry best practices, and all information is transmitted over secure, encrypted channels.

Section 30 of the Freedom of Information and Protection of Personal Information Act states: A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Section S.34 of the Personal Information Protection Act states: An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.

Noel Boivin, senior communications officer for the Office of the Information and Privacy Commission of B.C., said the department has the authority to issue legally binding orders to ensure organizations comply with those requirements.

Decisions such as these are made based on the unique facts of each case, Boivin said. Based on these requirements in both pieces of legislation, our office recommends encryption as a best practice.

The Office of the Information and Privacy Commission recommends organizations implement technical safeguards, including ensuring computers and networks are secure from intrusion by using firewalls, intrusion-detection software and antivirus software and by encrypting personal information.

Boivin noted findings from previous investigation reports call for organizations to encrypt data on personal storage devices.

Our guidance is that personal information should be encrypted in transit and at rest in order to protect against unauthorized access, said Caitlin Lemiski, the Office of the Information and Privacy Commissions director of policy.

The encryption, and key management, should be based on current industry-accepted standards for protecting data and should be reviewed regularly.

LifeLabs has four clinics in Kamloops two downtown, one in Aberdeen and one in North Kamloops.

According to the company, hackers gained access to the computer system that held customer information from 2016 and earlier that could include names, addresses, email addresses, login user names and passwords, dates of birth, health card numbers and lab test results.

The access was accompanied by a ransom demand, which LifeLabs paid.

LifeLabs set up a dedicated phone line and information on its website for those affected by the breach. To find out more, the public should go online tocustomernotice.lifelabs.comor contact LifeLabs at 1-888-918-0467.

In January 2013, patient information for 16,100 Kamloops-area residents was on a computer hard drive that went missing as it was being transferred by LifeLabs to Burnaby from Kamloops.

Read the original here:
There is no legislation mandating encryption of private information - Kamloops This Week