SoylentNews is people

posted by n1 on Friday September 26 2014, @11:33PM
from the partners-in-crime dept.

PC World reports:

The U.S. Federal Bureau of Investigation is concerned about moves by Apple and Google to include encryption on smartphones, the agency’s director said Thursday.

Quick law enforcement access to the contents of smartphones could save lives in some kidnapping and terrorism cases, FBI Director James Comey said in a briefing with some reporters. Comey said he’s concerned that smartphone companies are marketing “something expressly to allow people to place themselves beyond the law,” according to news reports.

An FBI spokesman confirmed the general direction of Comey’s remarks. The FBI has contacted Apple and Google about their encryption plans, Comey told a group of reporters who regularly cover his agency.

[Additional Coverage]:
http://www.theregister.co.uk/2014/09/25/fbi_boss_slams_google_apple_for_encryption_that_puts_users_above_law/
http://www.huffingtonpost.com/2014/09/25/james-comey-apple-encryption_n_5882874.html

Related Stories

Android Update: "Encryption-by-Default is Optional" and "XPosed Framework Released" 15 comments

Encryption-by-Default in Android 5.0 "Lollipop" Actually Optional

The Register and Ars Technica report that Google has backtracked on its promise that all Android Lollipop devices would feature full-disk encryption by default, due to differences in hardware:

For example, the Qualcomm Snapdragon 805 system-on-chip in the Motorola Nexus 6 will do AES encryption and decryption of data in hardware – which should be fast and power efficient. However, the driver for that feature is not available to the Android project, so Android 5 must do the file encryption and decryption in software, which is terribly slow – forcing people to switch it off. Some manufacturers may not bother turning encryption on in the first place if there's no acceleration available for whatever reason, and Google's allowing them to do just that. Meanwhile, the Google Nexus 9 fondleslab uses an Nvidia Tegra K1 processor with a 64-bit ARMv8-compatible processor. This architecture has standardized AES encryption/decryption instructions that can be used by Android 5 without a specialized driver. That means Lollipop happily encrypts-by-default on the Nexus 9. This whole mess will make Apple fans very smug. Apple has had a separate coprocessor for accelerating encryption for years, and as a result iOS encryption is a much easier process.

Google expects that "recommended" full-disk encryption will become a requirement in future versions of Android.

Previously, the FBI and Director James B. Comey have spoken out against encrypted devices.

XPosed Framework for Android Lollipop released

XPosed is a framework for modules that can be used to customise the behaviour of Android devices without needing to flash a custom ROM. There is a large selection of modules available for XPosed that do all kinds of nifty things like unlock using NFC tags, change the battery icon to something more informative, or even add advanced privacy and app controls.

This has been a godsend for those who like to retain a level of control over their devices. However, the change from the original Dalvik runtime system to ART starting with Android 5.0 (Lollipop) broke the XPosed framework, and it had taken some time for the developer to make the necessary changes to get XPosed to work with the new runtime system. That time has finally come. It's still considered alpha software however and there are some reports of incompatibilities and instability but it seems to be already usable.

  • (Score: -1) by Anonymous Coward on Saturday September 27 2014, @12:13AM

    by Anonymous Coward on Saturday September 27 2014, @12:13AM (#98762)

    Thought they would love the new excuse to create another facility.
    More reasons to succor another budget increase.

    More money, more profit!
    What is there to be concerned about?

  • (Score: 2, Redundant) by meisterister on Saturday September 27 2014, @12:20AM

    by meisterister (949) on Saturday September 27 2014, @12:20AM (#98763) Journal

    I'm just going to point this out here:
    http://xkcd.com/538/ [xkcd.com]

    Though something tells me that they'd find a way of making the wrench and the server cluster cost the same.

    --
    (May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
    • (Score: 2) by Zz9zZ on Saturday September 27 2014, @12:33AM

      by Zz9zZ (1348) on Saturday September 27 2014, @12:33AM (#98768)

      Remember everyone, a wrench isn't always a wrench, sometimes it's a threat of prison, financial sanctions, etc. If you're VERY unlucky the wrench becomes a marine outside of US jurisdiction.

      --
      ~Tilting at windmills~
    • (Score: 3) by gallondr00nk on Saturday September 27 2014, @02:56AM

      by gallondr00nk (392) on Saturday September 27 2014, @02:56AM (#98795)

      The UK government found the wrench pretty quickly. A few years back, they made it expressly illegal to not give up an encryption passphrase or key.

  • (Score: 5, Insightful) by Horse With Stripes on Saturday September 27 2014, @12:21AM

    by Horse With Stripes (577) on Saturday September 27 2014, @12:21AM (#98765)

    Quick law enforcement access to the contents of smartphones could ...

    ... violate many people's Constitutional rights (just like they do now).

    How on earth did law enforcement ever solve any crimes back when no one had cellphones?

    • (Score: 4, Insightful) by Anonymous Coward on Saturday September 27 2014, @02:31AM

      by Anonymous Coward on Saturday September 27 2014, @02:31AM (#98793)

      Funny how the same law enforcement so worried about saving lives is more than happy to shoot you dead with the most trivial provocation.

  • (Score: 5, Interesting) by Zz9zZ on Saturday September 27 2014, @12:27AM

    by Zz9zZ (1348) on Saturday September 27 2014, @12:27AM (#98766)

    Does anyone else think this is a lot of fuss over nothing? With the "security" of these OSs it seems so far that any app can demand access to, well, anything! So once the user decrypts their device couldn't they siphon data at that point? Where was the fuss over encryption on the desktop?

    This feels more like security theater to boost corporate PR (though it IS a legitimate security addition) and make people feel like they are safe and have privacy. Seems like a distraction from the fact that your messages, phone calls, meta data, are all being collected in transit and this encryption has no bearing on those anyway.

    --
    ~Tilting at windmills~
    • (Score: 4, Interesting) by Yog-Yogguth on Saturday September 27 2014, @07:27AM

      by Yog-Yogguth (1862) Subscriber Badge on Saturday September 27 2014, @07:27AM (#98840) Journal

      If I had mod points right now I'd mod you up instead of replying. Completely agree with you in general, one should treat it as plain misdirection/noise/chaff on their part (even if it should happen to be true which it most likely isn't) and it shouldn't be given any importance. Everything they do and say is meant to in some way benefit themselves in the end, that's all there is to it, everything else becomes kind of wasteful and fruitless academical discussions on nuances of propaganda stratagems and military tactics.

      Still it's pretty funny to see that the FBI was chosen as the messenger to the public since it ironically is extremely proper and correct to use them rather than anybody else: they follow the rules when it doesn't matter lol :D

      People should use the phones if they feel like it or want to but should not make the mistake of trusting the phones or anything else: trust is the opposite of security. Use encryption but don't trust it or any device.

      --
      Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
      • (Score: 2) by edIII on Monday September 29 2014, @05:17PM

        by edIII (791) on Monday September 29 2014, @05:17PM (#99682)

        Funny thing is, a number of people aren't treating it as misdirection.

        I have had 2 people call me so far asking me my opinion on Google/Apple's new totally secure communications network. Wut?

        Unless, I am missing a huge article where they rolled out end-to-end encryption for the phone calls, this does seem to be security theater. Acting more like PR though ;)

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by Yog-Yogguth on Wednesday October 01 2014, @09:45AM

          by Yog-Yogguth (1862) Subscriber Badge on Wednesday October 01 2014, @09:45AM (#100373) Journal

          As long as they called you and asked for your opinion I'll count that as two victories: they're both being more cautious than nearly everyone and suspect something might be up :)

          --
          Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
  • (Score: 3) by kaszz on Saturday September 27 2014, @12:36AM

    by kaszz (4211) on Saturday September 27 2014, @12:36AM (#98769) Journal

    If some other authorities did stay within reasonable moral bounds and the law took more consideration of the fact that the law system does have flaws, perhaps this arms race would not have so much fuel to run on. As it is now, it's more or less a war.

    • (Score: 5, Insightful) by mendax on Saturday September 27 2014, @01:26AM

      by mendax (2840) on Saturday September 27 2014, @01:26AM (#98778)

      Agreed. The federal government has lost all moral authority and cannot be trusted. Furthermore, police forces countrywide have also lost it because of abuse of power. And if that loss of trust means that the FBI will not be able to search phones on demand in order to solve some crimes, so be it. It is THEIR FAULT! PERIOD! Our system of constitutional government requires the possibility of people being hurt in order for everyone to have liberty.

      --
      It's really quite a simple choice: Life, Death, or Los Angeles.
      • (Score: 2) by edIII on Monday September 29 2014, @05:30PM

        by edIII (791) on Monday September 29 2014, @05:30PM (#99689)

        And if that loss of trust means that the FBI will not be able to search phones on demand in order to solve some crimes, so be it.

        They should have never had it in the first place. Bill of Rights was the worst thing to have ever happened to us, period.

        Ever since we got into the habit of explicitly enumerating and describing our rights, people (esp. current government) have been under the mistaken impression that any powers not explicitly given to the people remain with the government.

        That's backwards. All Americans should have the absolute inviolable right to private communications as a fundamental human right. We would never have given the government the right to pierce private communications except in specific situations limited in scope.

        We already know around here just how much of a tactical advantage anonymity and privacy really are in an information war, and if we are not in an information war... then what is an information war?

        The real problem is that when LEO seizes a phone, they *ALWAYS* go on a *PERMANENT* fishing expedition with that current "snapshot" of your life. It stays on information systems where it's eventually cross-referenced with everything else as part of a big topological data project with the intelligence agencies.

        There exists no judicial quarantine of seized information where strict regulations are in place as to how it can be searched, what can be copied out, etc. Once LEO has the information from the phone, it's a 100% breach of privacy against the entirety of that individual with everything on the phone.

        If LEO was just a tad bit more reasonable, and more cooperative about ensuring due process, I might not be so hostile towards their advances to watch everything.

        LEO is not just being unreasonable, but now you have their leaders effectively arguing that any efforts to thwart them (regardless of their own behavior) is anti-social, disruptive, unpatriotic, and deeply unsafe. It's strongly implied by the director that it should be stopped.

        What I worry about is the day when they say it's not 100% legal to hide your activities from the government, even a phone call from a grocery store asking if you need to pick up milk. Or papers for joints. Whatever.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by mendax on Monday September 29 2014, @07:47PM

          by mendax (2840) on Monday September 29 2014, @07:47PM (#99740)

          Bill of Rights was the worst thing to have ever happened to us, period.

          Not really. All governments will walk over the rights of their citizens willy-nilly unless there are clear protections written into law which are enforced by the courts, whose decisions are respected by the government. We have all of those, more or less here. Those clear protections are outlined in the Bill of Rights. Without the Bill of Rights, the NSA would have their nose up all of our asses by now and have required us to have implants put in our skulls.

          The real problem is that when LEO seizes a phone, they *ALWAYS* go on a *PERMANENT* fishing expedition with that current "snapshot" of your life.

          A recent appellate court decision has just ruled this behavior to be unconstitutional. I have a suspicion that this will be upheld by the Supreme Court. The court's logic in its decision is very sound.

          What I worry about is the day when they say it's not 100% legal to hide your activities from the government, even a phone call from a grocery store asking if you need to pick up milk. Or papers for joints. Whatever.

          I keep a diary. It contains my deepest thoughts and it helps me stay sane. It has always been written on paper. So far, I know of no technological way of the government being able to hijack a fountain pen or a blank composition book. However, I do have some Twelve Step work I keep on a flash drive and it's encrypted. I will never surrender the password for that to law enforcement ever. There are some things the government need never know.

          --
          It's really quite a simple choice: Life, Death, or Los Angeles.
  • (Score: 1, Funny) by Anonymous Coward on Saturday September 27 2014, @01:00AM

    by Anonymous Coward on Saturday September 27 2014, @01:00AM (#98777)

    so the government can protect us there!

  • (Score: 2, Funny) by Anonymous Coward on Saturday September 27 2014, @01:27AM

    by Anonymous Coward on Saturday September 27 2014, @01:27AM (#98780)

    a tear for fear [wordpress.com]

  • (Score: 4, Interesting) by zeigerpuppy on Saturday September 27 2014, @04:18AM

    by zeigerpuppy (1298) on Saturday September 27 2014, @04:18AM (#98810)

    We already know that the FBI/NSA/DEA and Google/Apple/Facebook are in cahoots (that statement would have sounded very tinfoil a few years ago but is now a matter of public record),
    So anything these groups say about each other is simple misinformation. It's probably simpler to think of them as one conglomerate, with the dual aims of making money while controlling acts.
    They do this by watching all of society's private goings on (including yours) and also skimming advantage for financial gain (stock trading), industrial espionage (first to file patents) and suppression of dissent (both within and outside government).
    So client side encryption is essential and you can't trust Google nor Apple to do it for you.
    Ps. James Comey: where does it state that it is illegal to encrypt data? and get off my lawn
    It's quickly getting to the point when we can all be branded terrrrisrts just for having the opinion that our political leaders are puppets with a wad of cash shoved up their arse and a dirty picture in their faces to keep them oh so quiet about the systematic data rape of the populace.

    • (Score: 1, Interesting) by Anonymous Coward on Saturday September 27 2014, @05:07AM

      by Anonymous Coward on Saturday September 27 2014, @05:07AM (#98817)

      I'd like to say "this" and reinforce the idea that there's no reason to trust the FBI director's protestations that smartphones are suddenly opaque to the same people who were just inconveniently shown to have far more access than they admitted previously. But, something deeper seems to be going on, and I can't quite get a finger on what piques my paranoia the most.

      The Snowden revelations, including Apple's participation in intelligence gathering, hit a day or two before iOS7 and the iCloud Keychain announcement, which suddenly read like Apple getting caught in the act. Awful timing for Apple, and presumably the spies, it seemed: after all, who'd trust Apple's keychain when the NSA might just siphon off any passwords held in it?

      The iCloud/Fappening nude photo scandal wasn't really new (the exploit at least wasn't), but it made the news just before iOS8 and the new iCloud Photo library were supposed to hit the news. It was exactly the story to sink the new photo system. The photo library got shoved aside very quickly, along with HealthKit. Eager supporters of Big Brother must've wept.

      The timing is what sets my paranoia a-tingle. Yosemite comes out in late October. I wonder if there will be another leak just before that.

      I'm starting to wonder if Apple isn't being pushed to do things in a way that actually does promote better encryption and make life harder on the three-letter-agencies.

      • (Score: 2) by anubi on Saturday September 27 2014, @07:32AM

        by anubi (2828) on Saturday September 27 2014, @07:32AM (#98843) Journal

        I think a lot of people are barking up the wrong tree with encryption. The fact that encrypted communication is taking place at all is setting off red flags all over the place.

        AFAIK, if one wants to stay alive ( reference xkcd above ), any communication needs to be covert. Steganographic. Something right out in everyone's face but only the intended recipient knows what to look for.

        Moving quantities of obviously encrypted data is going to do nothing but arouse suspicion if anyone sees it, but what appears to be a poorly-done porn shoot might fly.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 1, Interesting) by Anonymous Coward on Saturday September 27 2014, @04:17PM

          by Anonymous Coward on Saturday September 27 2014, @04:17PM (#98926)

          Encryption becomes more useful once everyone is using it. That's one thing that the three-letter-agencies might fear from Apple. Apple has a way of saying, "This is how things will be done," implementing it in the OS, and instantly converting a massive swath of the population to a new system. Apple could force the creation of personal encryption keys for SMIME mail and OTR chat, and suddenly a huge portion of the previously intelligible surveillance intercepts would be encrypted, with little clue as to what parts of it were useful to the agencies. Apple already baked disk encryption into OSX (albeit with a backdoor, namely key escrow, in the latest version). Apple could go all-in and fuck over the agencies by implementing strong security for users by default, but they won't because they don't want to be Qwested for their lack of compliance.

    • (Score: 2, Informative) by Anonymous Coward on Sunday September 28 2014, @09:10AM

      by Anonymous Coward on Sunday September 28 2014, @09:10AM (#99122)

      > Ps. James Comey: where does it state that it is illegal to encrypt data? and get off my lawn

      Strong crypto is exempt from the First Amendment right of all American citizens to 'free speech' and the Fourth Amendment to be 'secure in their papers and effects' (even if they are electronic computer files?) on 'national security' grounds it seems.
      :(

      http://www.bis.doc.gov/index.php/policy-guidance/encryption [doc.gov]

      The TL;DR version from the 'key document' dated December 7, 2012 -- yes, the SAME DAY that STAR TREK: THE MOTION PICTURE premiered in 1979 and, of course, the day Pearl Harbor was attacked by the Japanese military in 1941!

      http://www.bis.doc.gov/index.php/forms-documents/doc_view/335-supplement-no-1-to-part-774-category-5-part-ii-information-security [doc.gov]

      N.B. to Note 3 (Cryptography Note): You must submit a classification request or encryption registration to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 742.15(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.

      Emphasis mine.

      Encryption is NOT ILLEGAL in the USA (yet).

      STRONG encryption IS ILLEGAL in the USA if it exceeds the bit lengths above, leaves the country and winds up in 'unapproved locations' on Planet Earth UNLESS you submit to the red tape [doc.gov] and pay any fees needed to 'avoid problems'.

      Want to write crypto software in the USA without the ok of 'The Man'? Better make sure it's weak as explained above or don't bother writing it/adding encryption or you could have problems like these two gentlemen had with the USA over encryption software they wrote....

      http://en.wikipedia.org/wiki/Phil_Zimmermann [wikipedia.org]

      http://en.wikipedia.org/wiki/Daniel_J._Bernstein [wikipedia.org]

      This is why strong crypto software products are developed outside the USA. Strangely, it is OK to IMPORT strong crypto into the USA but not EXPORT it without a (paid) license/approval from the USA Government!

      As long as you can GUARANTEE your crypto product WON'T leave the USA and CANADA, (basically) you can make it as strong as you want.

      However, there is a (strange) loophole to the rules behind the quote above. Apparently, as long as the code is NOT 'machine readable' it is OK with the Feds. This is how Bruce Schneier's APPLIED CRYPTOGRAPHY was able to leave the USA and go overseas with a PRINTED copy of its accompanying source code instead of a CD-ROM or floppy disk of same.

      http://en.wikipedia.org/wiki/Bruce_Schneier [wikipedia.org]

      Strangely, there is NO Wikipedia page for Schneier's landmark work on cryptography like there is for others at

      http://en.wikipedia.org/wiki/Books_on_cryptography [wikipedia.org]

      including Schneier's own

      http://en.wikipedia.org/wiki/Beyond_Fear:_Thinking_Sensibly_about_Security_in_an_Uncertain_World [wikipedia.org]

      I wonder if the Feds 'leaned' on the staff at Wikipedia [wikipedia.org] (probably did since Wikimedia [wikipedia.org] incorporated in the state of Florida in 2003 and would be subject to US laws) to not create a Wikipedia page for APPLIED CRYPTOGRAPHY. However, its contents are basically scattered through Wikipedia starting here:

      http://en.wikipedia.org/wiki/Category:Cryptographic_algorithms [wikipedia.org]

      And elsewhere

      This also explains why the USA hasn't forced webmasters to take down DESCRIPTIONS of encryption algorithms--they aren't machine-readable like these gems:

      http://fringe.davesource.com/Fringe/Crypt/RSA/Algorithm.html [davesource.com] (Original: http://world.std.com/~franl/crypto/rsa-guts.html [std.com])

      The above link(s) were the GOLD STANDARD description of RSA until I recently found this wonderful, elegant description here:

      http://www.iusmentis.com/technology/encryption/rsa/ [iusmentis.com]

      http://www.di-mgt.com.au/crt_rsa.html [di-mgt.com.au] (This one is not in the USA and not subject to USA crypto laws but it is a GREAT description of the Chinese Remainder Theorem speedup technique for RSA decryption.)

      http://www.47d.net/~seven/diffie.html [47d.net] (Brief, complete explanation of the Diffie-Hellman key exchange algorithm).

      Cracking down on crypto in the USA is pretty much pointless if you can't suppress the KNOWLEDGE of how to do it after it has already been divulged. On top of that, only law-abiding USA citizens will heed these rules. The others will either just smuggle strong crypto out of the USA or simply develop it offshore in a crypto-friendly country (like France) and avoid prosecution and any subsequent jailtime inside the USA.