At the Symantec Government Symposium on Tuesday, FBI director James Comey said he “can’t resist talking about encryption and going dark”, and that he will continue an “adult” discussion into 2017. What’s stopping him now seems to be the media attention on the presidential election. He continued: “The challenge we face is that the advent of default, ubiquitous strong encryption is making more and more of the room we are charged to investigate dark”, referring to device encryption on iPhones and Android phones, as well as messaging apps such as WhatsApp.
Meanwhile in Europe, French and German politicians have seized on the recent fear of violence to push similar rhetoric. Last week French Interior Minister Bernard Cazeneuve and German Interior Minister Thomas de Maizière said that “they will push for a Europe-wide law requiring tech companies to provide law enforcement agencies with access to encrypted messages when necessary”. Cazeneuve said: “We propose that the EU Commission studies the possibility of a legislative act introducing rights and obligations for operators to force them to remove illicit content or decrypt messages as part of investigations, whether or not they are based in Europe”. “Our law should be universal” thinking, in other words.
The “crypto wars” are as hot as ever, and even though the latest communication technology offerings have made it easier for everybody to stay private, it is clear that the Western surveillance states will not give up without a fight.
CNET has an interesting article about how warrants to access suspects’ mobile phones are handled by two of the big mobile OS providers, Apple and Google. Focusing on Apple, the article mentions cases where the police have to wait for Apple to perform the unlocking, while Google “resets the password and further provides the reset password to law enforcement”.
From a technical perspective, it is not clear what kind of unlocking is performed: whether it is the SIM PIN, the screen lock, or the account password. It is interesting that the article mentions decryption, but that is probably a misunderstanding or loose wording: Android phones do not use encrypted storage by default, and if you have a model with a removable memory card, you can read it in any SD card reader. Accessing the embedded phone storage is also easy if the phone is already unlocked (over adb, provided USB debugging is enabled, or via fastboot). iPhones do not use encrypted storage by default either, to the best of my knowledge. The article does indeed state that “It’s not clear whether that means Apple has created a backdoor for police [...], or whether it simply is more skilled at using the same procedures available to the government.”
From a privacy and security point of view, the conclusion is that the default security setting is irrelevant: it simply cannot be trusted to do what a user would expect. Rather, one should take matters into one’s own hands and use software that can be inspected for backdoors, whether for the police or anyone else. The only real option is free and open source software, which has been vetted by security experts and the community.
In the wake of the internet traffic monitoring law recently passed in Sweden, it is long overdue to get serious about encryption. First off, e-mail encryption, focusing on PGP/GPG. Below are some useful links:
Enigmail: PGP/GPG extension for Mozilla Thunderbird.
FireGPG: GPG extension for Mozilla Firefox. Brings e-mail encryption to Gmail, and any other website with GPG content.
GpgOL: plugin for Microsoft Outlook 2003, by the maintainers of GnuPG.
GPGoe: GPG plug-in for Microsoft Outlook Express.
For even more links about PGP/GPG and related tools, see Folkert van Heusden’s collection of information.
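As an added example (not from the original post, nor code from any of the tools listed above), the script below runs the PGP workflow that those mail plugins wrap, using the GnuPG command line directly: generate keys for two parties, sign and encrypt a message from one to the other, decrypt and verify on the other side, and finally confirm that a tampered ciphertext is refused rather than decrypted to garbage. It assumes gpg 2.1 or newer and gpgconf on PATH; the names, addresses, message text and the throwaway keyring are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or any listed tool: an OpenPGP
# round trip with the GnuPG command line in a throwaway keyring.
# Assumes: gpg 2.1+ and gpgconf on PATH; the names, addresses and message
# below are constructed for the demo.
set -eu

# Isolated keyring so nothing touches ~/.gnupg, plus one key pair each for
# Alice and Bob. Both keys live in one keyring only for brevity; in real use
# each side generates its own and exchanges public keys with
# "gpg --armor --export" / "gpg --import".
pgp_setup() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  pgp_genkey "Alice Example" alice@example.invalid
  pgp_genkey "Bob Example" bob@example.invalid
}

# Unattended key generation: Ed25519 primary key for signing, X25519 subkey
# for encryption. %no-protection skips the passphrase so batch mode never
# needs pinentry; a real key should have one.
pgp_genkey() { # $1 = real name, $2 = e-mail address
  gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Sender signs with her own key and encrypts to the recipient's public key:
# the recipient gets confidentiality plus proof of who wrote the message.
pgp_encrypt_sign() { # $1 = sender e-mail, $2 = recipient e-mail, $3 = plaintext in, $4 = armored out
  gpg --batch --yes --quiet --armor --local-user "$1" --recipient "$2" \
      --sign --encrypt --output "$4" "$3"
}

# Recipient decrypts and verifies. --status-fd gives machine-readable lines;
# we require both DECRYPTION_OKAY and GOODSIG instead of grepping
# human-readable warnings, and print "ok" only when both are present.
pgp_decrypt_verify() { # $1 = armored in, $2 = plaintext out
  status=$(gpg --batch --yes --quiet --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY' || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  echo ok
}

# Corrupt one character of the first armor body line (the line after the
# blank line that ends the armor headers). GnuPG must reject the result
# rather than hand back garbage: the armor CRC and the integrity check (MDC)
# both catch this.
pgp_tamper() { # $1 = armored in, $2 = corrupted copy out
  awk 'body && !done { sub(/^./, ($0 ~ /^A/) ? "B" : "A"); done = 1 }
       /^$/ { body = 1 }
       { print }' "$1" > "$2"
}

pgp_cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  if [ -n "${GNUPGHOME:-}" ]; then rm -rf "$GNUPGHOME"; fi
}

# Stand-alone run: round trip, then show that a corrupted message is refused.
demo() {
  pgp_setup
  printf 'Meet at the usual place at 10.\n' > "$GNUPGHOME/msg.txt"   # constructed sample
  pgp_encrypt_sign alice@example.invalid bob@example.invalid "$GNUPGHOME/msg.txt" "$GNUPGHOME/msg.asc"
  echo "--- what travels over the wire:"; cat "$GNUPGHOME/msg.asc"
  echo "--- decrypt+verify: $(pgp_decrypt_verify "$GNUPGHOME/msg.asc" "$GNUPGHOME/out.txt" || echo REJECTED)"
  cat "$GNUPGHOME/out.txt"
  pgp_tamper "$GNUPGHOME/msg.asc" "$GNUPGHOME/bad.asc"
  echo "--- tampered copy: $(pgp_decrypt_verify "$GNUPGHOME/bad.asc" "$GNUPGHOME/bad.txt" || echo REJECTED)"
  pgp_cleanup
}
demo
```

The reason pgp_decrypt_verify insists on the GOODSIG status line rather than on a clean exit code alone is that an unsigned but correctly encrypted message also decrypts cleanly; anyone holding Bob’s public key can produce one, so a mail plugin that does not surface the difference lets a sender impersonate Alice. The %no-protection keys are for the demo only; real keys should be passphrase-protected.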