US Secretly Acting Like China Does in Public

As this ZDNet article notes, some of the Snowden disclosures revealed that NSA had asked for the source code of various tech companies (though it links to a Jake Appelbaum article that I believe to be sourced to someone else). What is new in its report of US government demands for source code, however, is how the government is getting it: through secret civil or FISA orders.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We’re not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing “most of the time.”

When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before.

That is, at a time when we condemn public Chinese demands to be able to review source code of companies doing business in China, the US has been doing the same thing, albeit without the reputational hit of doing so publicly.

All of which makes the point I made here — that the government is fairly explicitly threatening to demand source code from Apple — all the more significant, in part for an issue I’ve been meaning to return to.

Contrary to popular belief, the FISA Court does not operate in complete isolation from traditional courts. On several known issues — notably, the access to location data and the collection of Post Cut Through Direct Dial numbers — FISC has taken notice of public magistrates' opinions and used them to inform, though not necessarily dictate, FISC practice. As I have noted, at least until 2014, the FISC used the highest common denominator from criminal case law with respect to location data, meaning it requires the equivalent of a probable cause warrant for prospective (though not historic) data. And FISC first seemed to start tracking such orders during the magistrates' revolt of 2005-6. That's an area where FISC seems to have followed criminal case law. By contrast, FISC permits the government to collect, then minimize, PCTDD, though it appears to have revisited whether the government's current minimization procedures meet the law, the most recent known instance of which was in 2009.

In other words, this Apple fight (as well as magistrate James Orenstein’s order) may affect what FISC will approve — or has already approved in secret — for other tech companies (or even for Apple), something the tech companies that submitted amicus briefs likely know. That makes FBI’s decision to hold this fight in public, which Apple preferred not to do, all the more significant. Because if Apple prevails, it will make it a lot harder to secretly jurisdiction shop anywhere in the US, whether in a secret magistrate’s proceeding or an even more secret FISC one.

4 replies
  1. Khepry Quixote says:

    In the future, the only relatively secure programs will be those that have open-sourced their code. Closed-source programs used to run routers and switches come to mind as some of the most vulnerable to being “analyzed” by three-letter agencies as the benefits of being able to hack them are simply too great to ignore. Note that the FCC is already effectively causing the door to close on open-source router software such as DD-WRT and OpenWRT, as noted in an Ars Technica article entitled “TP-Link blocks open source router firmware to comply with new FCC rule,” published on 11 March 2016.

    Effectively, in the future, if it’s not open-sourced, then by definition it can only be assumed to be compromised.

  2. Anon says:

    Wow. Just yesterday I argued that the FBI was seeking this fight so that they could then go to the FISA and demand things secretly. Clearly I vastly underestimated their … brass. And vastly overestimated the quality of the FISA court.

  3. lefty665 says:

    So what’s DoJ motivation, to extend secret rulings to all public venues? If it’s good enough for the FBI at FISC it should be good enough for deputy dawgs everywhere maybe. That seemed to be Comey’s testimony a couple of weeks ago to the effect that encryption was mostly a law enforcement problem.

  4. gabe says:

    When my electronic devices are paid for 100% by the entities who want to access them, incl. any connection fees, they can have it. Until then, I could care less the outcome as this data will remain mine period. Encryption needs to be the std across all devices all the time. Govt employees, and/or employees who are issued devices, are the freebies here. They can monitor that all they like. This fight will change nothing.
