Winding up with the Defcon talk, Chris Soghoian highlights the merits of the companies that focus on user data security rather than usability only.
The FBI has this team of agents who are doing nothing but delivering malware to the computers of surveillance targets. We only have a couple of cases where these tools have come to light. There was a case in Texas this summer where the FBI sought a search warrant allowing them to target a computer and remotely enable the webcam, collect location data, collect emails.
In this case they went to what you could probably say is the most pro-privacy judge in the country in Texas, and he said “No,” he said they should get a wiretap and they only wanted to get a warrant. What’s clear is that if you have this capability, if you build this team that does nothing but developing malware, the first time you attempt to use the team you don’t go to the most pro-privacy judge in the country.And so, presumably, they have had this team for a while and they regularly use it to deploy malware.
So, on one hand we have the FBI basically being in the hacking business, and then yesterday I noticed that the FBI’s official Twitter account issued a warning saying: “Pirated software may contain malware, beware.” And so I guess we only have to worry about the malware made by other people, not the FBI’s malware.
Alright, so the government is using hacking tools, the government is trying to penetrate into people’s computers. They have tried and have up until now been unsuccessful in their attempts to obtain legislation allowing them to force tech companies to put backdoors in their products.
What are they going to do in the future? …Because hacking doesn’t scale. You can break into one person’s computer, you can break into a thousand people’s computers, but you cannot break into a billion computers without getting caught. You can do it temporarily but you will get caught, and the government doesn’t want their tools to get out.
So, what are they going to do in the future? What are they going to do when Silicon Valley companies actually start delivering end-to-end crypto. Not Google, not Facebook, but companies that actually sell services to users.Well, Microsoft owned one of those companies. For some time Skype was advertising itself as a service that didn’t have backdoors. They were advertising Skype as a service that couldn’t provide access to law enforcement agencies. But we learned last month that the government was able to go to Skype before Microsoft bought them and convince them to modify their products and provide access to the government. Quote from the Guardian story: “[Skype] was served with a directive to comply by the Attorney General.”
Now, we don’t know what kind of directive this was, we don’t know if they went to court, if Skype said “No” and they fought it, or if they did this because they could negotiate some better deal. We really know very little about the ins and outs of how companies can be compelled under existing law. But even so, Skype stopped bragging about their security several years ago. By the time Microsoft bought them all their claims of being wiretap proof had disappeared. Skype was no longer a service, even if it ever was, that advertised itself as the way to securely talk to your friends and family. Instead, Skype was a service that you used to talk to your friends and family to free.Skype is not the only company offering VoIP services or video. There are now companies that are selling services to users. One of them is a company called Silent Circle, co-founded by Phil Zimmermann, the guy behind PGP. And they charge 10-20 bucks a month for encrypted VoIP and text messages and video. Now, I am not telling you to go and use this company’s services, but they clearly said in their marketing materials: “We have no government-mandated backdoors.” I’ve spoken to the CEO of this company and he said: “If the government comes to us and tries to force us to put a backdoor on our product, we will close up and move to a different country.” The only reason you use their products is for the security. You are not using Silent Circle because it’s crystal clear audio or because it’s cheap and easy to use, you are using them because they are secure. Likewise, SpiderOak, which is a competitor to Dropbox – you only use SpiderOak and you only pay for their service because they provide encrypted backups with a key only known to the user. And, again, SpiderOak makes clear statements to users: “We’ve created a system that makes it impossible for us to reveal your data to anyone.” That’s it, the only reason you use these companies is to protect your data. And this is the only reason they are in business.
And so the question right now is, and I don’t have the answer to this: can the government force these companies to modify their products? Because if SpiderOak were forced to have a backdoor and it became known – they’d go bankrupt. The only reason you are using them is for the security.
There is this law, CALEA, and it’s normally thought of as a bad law; it’s called the Communications Assistance for Law Enforcement Act. CALEA is the law that forces telecommunications companies to put law enforcement interception interfaces into their networks. The reason that AT&T has very easy-to-use and fast wiretapping capabilities is because CALEA forced them to buy a bunch of equipment.
But CALEA has a provision in it that most folks don’t know about. And I am going to read it to you, it’s very short: “A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.”
This little feature in CALEA, I think, and I am not a lawyer, is the thing that is standing between these companies and the government. This section of CALEA protects the right of companies that want to offer encrypted end-to-end services, with the key only known to the user, to the general public. And it is my belief that when the next crypto wars come, if they do come, and when they come, that this section of the law will be the thing that the government targets. I think that down the road we are going to see consumers using services that offer end-to-end crypto. I think we will see people paying for these services, and I do think that the government is going to target these, because without it they cannot engage in dragnet surveillance.
Thank you very much!