The US Army has banned the use of popular Chinese social media video app TikTok, with Military.com first reporting it was due to security concerns. The US Navy have followed suit.
It is considered a cyber threat, a US Army spokesperson told
Military.com . We do not allow it on government phones.
The ban comes in the wake of Democrat Senator Charles Schumer and Republican Senator Tom Cotton writing a letter to US Director of National Intelligence Joseph Maguire insisting an
investigation into TikTok would be necessary to determine whether the Chinese-owned social media video app poses a risk to national security.
Given these concerns, we ask that the Intelligence Community conduct an assessment of the national
security risks posed by TikTok and other China-based content platforms operating in the US and brief Congress on these findings, the letter said.
Yesterday the US Senate Judiciary Committee held a hearing on encryption and lawful access. That's the fanciful idea that encryption providers can somehow allow law enforcement access to users' encrypted data while otherwise preventing the bad guys
from accessing this very same data.
But the hearing was not inspired by some new engineering breakthrough that might make it possible for Apple or Facebook to build a secure law enforcement backdoor into their encrypted devices
and messaging applications. Instead, it followed speeches, open letters, and other public pressure by law enforcement officials in the U.S. and elsewhere to prevent Facebook from encrypting its messaging applications, and more generally to portray
encryption as a tool used in serious crimes, including child exploitation. Facebook has signaled it won't bow to that pressure. And more than 100 organizations including EFF have called on these law enforcement officials to reverse course and avoid
gutting one of the most powerful privacy and security tools available to users in an increasingly insecure world.
Many of the committee members seemed to arrive at the hearing convinced that they could legislate secure backdoors.
Among others, Senators Graham and Feinstein told representatives from Apple and Facebook that they had a responsibility to find a solution to enable government access to encrypted data. Senator Graham commented:
advice to you is to get on with it, because this time next year, if we haven't found a way that you can live with, we will impose our will on you.
But when it came to questioning witnesses, the senators had trouble
establishing the need for or the feasibility of blanket law enforcement access to encrypted data. As all of the witnesses pointed out, even a basic discussion of encryption requires differentiating between encrypting data on a smartphone, also called
encryption at rest, and end-to-end encryption of private chats, for example.
As a result, the committee's questioning actually revealed several points that undercut the apocalyptic vision painted by law enforcement officials in
recent months. Here are some of our takeaways:
There's No Such Thing As an Unhackable Phone
The first witness was Manhattan District Attorney Cyrus Vance, Jr., who has called for Apple and Google to
roll back encryption in their mobile operating systems. Yet by his own statistics, the DA's office is able to access the contents of a majority of devices it encounters in its investigations each year. Even for those phones that are locked and encrypted,
Vance reported that half could be accessed using in-house forensic tools or services from outside vendors. Although he stressed both the high cost and the uncertainty of these tools, the fact remains that device encryption is far from an insurmountable
barrier to law enforcement.
As we saw when the FBI dramatically lowered its own estimate of unhackable phones in 2017, the level of security of these devices is not static. Even as Apple and Google patch vulnerabilities that might
allow access, vendors like Cellebrite and Grayshift discover new means of bypassing security features in mobile operating systems. Of course, no investigative technique will be completely effective, which is why law enforcement has always worked every
angle it can. The cost of forensic tools may be a concern, but they are clearly part of a variety of tools law enforcement use to successfully pursue investigations in a world with widespread encryption.
Lawful Access to
Encrypted Phones Would Take Us Back to the Bad Old Days
Meanwhile, even as Vance focused on the cost of forensic tools to access encrypted phones, he repeatedly ignored why companies like Apple began fully encrypting their
devices in their first place. In a colloquy with Senator Mike Lee, Apple's manager of user privacy Erik Neuenschwander explained that the company's introduction of full disk encryption in iOS in 2014 was a response to threats from hackers and criminals
who could otherwise access a wealth of sensitive, unencrypted data on users' phones. On this point, Neuenschwander explained that Vance was simply misinformed: Apple has never held a key capable of decrypting encrypted data on users' phones.
Neuenschwander explained that he could think of only two approaches to accomplishing Vance's call for lawful access, both of which would dramatically increase the risks to consumers. Either Apple could simply roll back encryption on
its devices, leaving users exposed to increasingly sophisticated threats from bad actors, or it could attempt to engineer a system where it did hold a master key to every iPhone in the world. Regarding the second approach, Neuenschwander said as a
technologist, I am extremely fearful of the security properties of such a system. His fear is well-founded; years of research by technologists and cryptographers confirm that key escrow and related systems are highly insecure at the scale and complexity
of Apple's mobile ecosystem.
End-to-End Encryption Is Here to Stay
Finally, despite the heated rhetoric directed by Attorney General Barr and others at end-to-end encryption in messaging
applications, the committee found little consensus. Both Vance and Professor Matt Tait suggested that they did not believe that Congress should mandate backdoors in end-to-end encrypted messaging platforms. Meanwhile, Senators Coons, Cornyn, and others
expressed concerns that doing so would simply push bad actors to applications hosted outside of the United States, and also aid authoritarian states who want to spy on Facebook users within their own borders. Facebook's director for messaging privacy Jay
Sullivan discussed ways that the company will root out abuse on its platforms while removing its own ability to read users' messages. As we've written before, an encrypted Facebook Messenger is a good thing , but the proof will be in the pudding.
Ultimately, while the Senate Judiciary Committee hearing offered worrying posturing on the necessity of backdoors, we're hopeful that Congress will recognize what a dangerous idea legislation would be in this area.
Comment: Open Rights Group joins international outcry over UK government calls to access private messages
Open Rights Group has joined dozens of other organizations signing an open letter to the UK government to express significant concerns raised by their recent statements against encryption.
The UK Home Secretary, Priti Patel,
has joined her US counterparts in demanding weaker encryption and asking i nternet companies to design digital back doors into their messaging services. The UK government suggests stronger capabilities to monitor private messages will aid inf fighting
terrorism and child abuse. ORG disagrees, arguing that alternative approaches must be used as the proposed measures will weaken the security of every internet user.
ORG is concerned that this attack on encryption forms a pattern
of attacks on digital privacy and security by the UK government. Only last week leaked documents showed that the UK wants to give the US access to NHS records and other personal information, in a free flow of data between the two countries.
The open letter was also addressed to US and Australian authorities, and was coordinated by the US-based Open Technology Institute and was signed, among others, by Amnesty International, Article 19, Index on Censorship, Privacy
International and Reporters Without Borders.
Javier Ruiz Diaz, Policy Director for Open Rights Group, said:
The Home Secretary wants to be able to access our private messages in WhatsApp and
similar apps, demanding that companies remove the technical protections that keep out fraudsters and other criminals. This is wrong and will make the internet less safe. Surveillance measures should be targeted and not built into the apps used by
millions of people to talk to their friends and family.
Comment: Facebook has also responded to UK/US/Australian government calls for back doors
As the Heads of WhatsApp and Messenger, we are writing in response to your public letter addressing our plans to strengthen private messaging for our customers. You have raised important issues that could impact the future of free societies in the
digital age and we are grateful for the opportunity to explain our view.
We all want people to have the ability to communicate privately and safely, without harm or abuse from hackers, criminals or repressive regimes. Every day,
billions of people around the world use encrypted messages to stay in touch with their family and friends, run their small businesses, and advocate for important causes. In these messages they share private information that they only want the person they
message to see. And it is the fact that these messages are encrypted that forms the first line of defense, as it keeps them safe from cyber attacks and protected from falling into the hands of criminals. The core principle behind end-to-end encryption is
that only the sender and recipient of a message have the keys to unlock and read what is sent. No one can intercept and read these messages - not us, not governments, not hackers or criminals.
We believe that people have a right
to expect this level of security, wherever they live. As a company that supports 2.7 billion users around the world, it is our responsibility to use the very best technology available to protect their privacy. Encrypted messaging is the leading form of
online communication and the vast majority of the billions of online messages that are sent daily, including on WhatsApp, iMessage, and Signal, are already protected with end-to-end encryption.
Cybersecurity experts have
repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere. The backdoor access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for
them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm. It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it. People's private messages would be less
secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do.
Last week, US Attorney General William Barr and FBI Director Christopher Wray chose to spend some of their time giving speeches demonizing encryption and calling for the creation of backdoors to allow the government access to encrypted data. You
should not spend any of your time listening to them.
Don't be mistaken; the threat to encryption remains high . Australia and the United Kingdom already have laws in place that can enable those governments to undermine encryption,
while other countries may follow. And it's definitely dangerous when senior U.S. law enforcement officials talk about encryption the way Barr and Wray did.
The reason to ignore these speeches is that DOJ and FBI have not proven
themselves credible on this issue. Instead, they have a long track record of exaggeration and even false statements in support of their position. That should be a bar to convincing anyone--especially Congress--that government backdoors are a good idea.
Barr expressed confidence in the tech sector's ingenuity to design a backdoor for law enforcement that will stand up to any unauthorized access, paying no mind to the broad technical and academic consensus in the field that this
risk is unavoidable. As the prominent cryptographer and Johns Hopkins University computer science professor Matt Green pointed out on Twitter , the Attorney General made sweeping, impossible-to-support claims that digital security would be largely
unaffected by introducing new backdoors. Although Barr paid the barest lip service to the benefits of encryption--two sentences in a 4,000 word speech--he ignored numerous ways encryption protects us all, including preserving not just digital but
physical security for the most vulnerable users.
For all of Barr and Wray's insistence that encryption poses a challenge to law enforcement, you might expect that that would be the one area where they'd have hard facts and
statistics to back up their claims, but you'd be wrong. Both officials asserted it's a massive problem, but they largely relied on impossible-to-fact-check stories and counterfactuals. If the problem is truly as big as they say, why can't they provide
more evidence? One answer is that prior attempts at proof just haven't held up.
Some prime examples of the government's false claims about encryption arose out of the 2016 legal confrontation between Apple and the FBI following
the San Bernardino attack. Then-FBI Director James Comey and others portrayed the encryption on Apple devices as an unbreakable lock that stood in the way of public safety and national security. In court and in Congress, these officials said they had no
means of accessing an encrypted iPhone short of compelling Apple to reengineer its operating system to bypass key security features. But a later special inquiry by the DOJ Office of the Inspector General revealed that technical divisions within the FBI
were already working with an outside vendor to unlock the phone even as the government pursued its legal battle with Apple. In other words, Comey's statements to Congress and the press about the case--as well as sworn court declarations by other FBI
officials--were untrue at the time they were made .
Wray, Comey's successor as FBI Director, has also engaged in considerable overstatement about law enforcement's troubles with encryption. In congressional testimony and public
speeches, Wray repeatedly pointed to almost 8,000 encrypted phones that he said were inaccessible to the FBI in 2017 alone. Last year, the Washington Post reported that this number was inflated due to a programming error. EFF filed a Freedom of
Information Act request, seeking to understand the true nature of the hindrance encryption posed in these cases, but the government refused to produce any records.
But in their speeches last week, neither Barr nor Wray
acknowledged the government's failure of candor during the Apple case or its aftermath. They didn't mention the case at all. Instead, they ask us to turn the page and trust anew. You should refuse. Let's hope Congress does too.
In Saturday's edition of the New York Times, Matt Apuzzo reports that the Department of Justice is locked in a prolonged standoff with WhatsApp. The government is frustrated by its lack of real-time access to messages protected by the company's
end-to-end encryption . The story may represent a disturbing preview of the next front in the FBI's war against encryption.
It appears that the Department of Justice is considering pursuing another, similarly dangerous legal
attack on encryption. The fact that the government is even considering such an action proves that our worst fears were right.
This time they're targeting WhatsApp, the Facebook-owned messaging app which started adding strong
end-to-end encryption in 2014 . According to the New York Times, the government has obtained a wiretap order, authorizing real time acquisition of the WhatsApp messages (probably text chats rather than voice calls, but that's unclear at this stage) in an
ongoing criminal investigation. WhatsApp is, of course, unable to provide decrypted text in response to the wiretap order, just as it was unable to comply with a similar order by a Brazilian court earlier this month. The whole point of end-to-end
encryption is that no one but the intended recipient of a message is able to decipher it.
From the New York Times' reporting, it looks like the government has so far only obtained an initial wiretap order--demanding WhatsApp to
turn over message content it can't access. The Department of Justice has not yet decided whether to ask the court for a follow-on order that would compel WhatsApp to decrypt the messages. Presumably, that second order would look similar to the San
Bernardino order and direct WhatsApp to write code that would break its own encryption and allow it to provide plain text in response to the wiretap order.
If the government decides to seek that second order against WhatsApp, it
would almost certainly be grounded, not in the All Writs Act but in the technical assistance provision of the Wiretap Act . So while the result of the All Writs Act litigation in San Bernardino wouldn't directly control the outcome of any Wiretap
Act case against WhatsApp, courts apply similar tests in the two contexts. In both All Writs and Wiretap Act cases, courts evaluate whether compliance with an order would constitute an undue burden. Therefore all the rather convincing arguments
Apple has made in San Bernardino would be available to WhatsApp as well.
As of now, we're unable to find any additional publicly available information regarding the order against WhatsApp. The New York Times reports that, unlike
in the San Bernardino case, the WhatsApp litigation is being kept under seal. We'll keep an eye out for any additional documents, and will continue to blog as more becomes public. For now however, we applaud WhatsApp (and Facebook) for standing strong in
the face of orders, whether Brazilian or American, to do the impossible or to compromise our security for the sake of enabling click-of-the-mouse surveillance.