Category Archives: Encryption
If you're looking for a secure external drive that meets both US military and government security standards, there are a number of encrypted external SSD options around. I reviewed one approach a couple of years ago, the iStorage diskAshur 2, which has a built-in PIN pad for entering a seven- to 15-digit code to unlock the drive.
The SecureDrive BT is a similar idea, but instead of a PIN pad, you unlock it via Bluetooth. Specifically, when you plug the drive into your Mac, you can use Face ID on your iPhone to unlock it.
The drive is available in both spinning metal and SSD variants, in capacities ranging from 250 GB to 8 TB. Pricing for SSDs ranges from $262 (250GB) to $3,309 (8TB). I tested the 1TB SSD model at $458.80.
The drive can be used with Mac, Windows, and Linux, and the companion app is available on both iOS and Android.
The drive looks much like any other external drive. It has a blue anodized aluminum body with black plastic endcaps. On the front is the "Secure Drive Bluetooth" name, and on the back a somewhat unsightly mix of barcode, website, and various standards compliance logos.
One thing to watch for: SecureDrive tells me it's available with both USB-A and USB-C cables. The drive I got had a USB-A cable, so I needed an adapter to connect it to my MacBook Pro.
SecureDrive BT uses the same AES256-bit XTS hardware encryption as the iStorage drive. Often referred to as military-grade encryption, this is certified by the Institute of Electrical and Electronics Engineers (IEEE) as standard P1619 and is indeed approved for US military use.
The encrypted external SSD is also FIPS 140-3 certified. This is the Federal Information Processing Standards certification, which allows it to be used for the storage of US government Top Secret documents.
Inside, the chips are encased in epoxy resin, meaning it's not possible to extract the SSD chips from the rest of the hardware.
The app lets you set a password in the 7- to 15-character range, and you can then choose to toggle on Face ID, Apple Watch unlock, or both. The drive offers remote-wipe capabilities, and can be set to automatically wipe if 10 incorrect passwords are entered.
Other security features available:
Incidentally, Apple's FileVault also offers the same AES256-bit XTS standard, but defaults to the weaker 128-bit version for performance reasons. Disk Utility does, however, give you the option of formatting with full 256-bit AES.
Running Blackmagic, I saw write speeds of around 310MB/s, and read speeds of around 325MB/s.
These are, of course, low numbers compared to the very fast external SSDs available now, and there are two reasons for that. First, the interface is USB 3.1. Second, the AES256-bit XTS encryption does significantly slow things down, which is the reason Apple defaults to 128-bit with FileVault.
The bottom line here is that you're probably not going to want to use this as a working drive for demanding applications like video editing, though it will cope with HD video.
That's not to say it's a slow drive in SSD form, but it's still about half to two-thirds the speed of an equivalent unencrypted drive.
Mostly, though, this is a drive you're going to use to store commercially sensitive documents, like product designs, in-progress apps, marketing materials for unannounced products, customer databases, and similar.
Once the SecureDrive BT is unlocked, it works just like any other drive. So the "in use" section of the review is really about the unlocking experience, and here there's good news and bad.
The bad news is that it's a little less convenient than a drive with a keypad. To unlock it, you have to open the companion app and tap the drive name. At that point, Face ID will unlock it. But if you keep the app on your homescreen, unlocking is about as fast as using a keypad.
The good news is that you're trading off a slight inconvenience for more security. A keypad limits you to a numeric passcode; with this drive, you can have an alphanumeric password, including all special characters.
Plus, it's not obvious that it's a secure drive. If someone sees a drive with a keypad used in public, it draws attention to itself. This one, however, looks no different to any other external drive, and using your phone isn't going to be associated with unlocking the drive. So it's the more discreet option, as well as the more secure. SecureDrive does make a keypad version, too, if you prefer that.
As I said about the diskAshur 2, whether or not the SecureDrive BT is right for you really depends on whether you have a need for the security:
The real question is whether you need this level of security. For the average consumer, it's overkill, but I could definitely see some professional users appreciating it. Carrying around external drives with commercially sensitive materials on them is always a little nerve-wracking. There have been all kinds of reports of drives being left in embarrassing places like bars and trains.
For a startup, the peace of mind could well be worth the relatively small premium you're paying for heavy-duty security. For professional freelancers, it could even be turned into a selling point for clients. So if you need an external SSD and could use the reassurance this one brings, it could be very good value.
If you do need the security, or can use it as a selling tool, then the drive justifies itself. If you don't, you can get faster performance at a significantly lower price in unencrypted form. For example, the equivalent Western Digital My Passport 1TB SSD is about 50% faster and has a list price of $340 against just over $500 for the SecureDrive BT (and the WD drive is available for much less on Amazon). So, if you need this, it will be worth the price; if you don't, it won't.
The Secure Drive BT encrypted external SSD is available from Amazon in both spinning metal and SSD variants, in capacities ranging from 250GB to 8TB. I tested the 1TB SSD model at $458.80. The equivalent spinning metal version costs $238.
EncryptOnClick is a freeware tool that you can use to encrypt files and folders. The application offers an extra layer of security to protect data and uses military grade 256-bit AES encryption for protection.
The program's interface is very simple as it displays a handful of buttons only. It lists two encrypt actions and decrypt actions which can be run on files or folders.
Let's encrypt some files. Click on the File button and it will open an "Encrypt Password" window. You are prompted to enter a password and confirm it. Optionally, you can add a comment, though I didn't see any being displayed while decrypting the files.
Important: Don't forget the password, as there is no way to recover it.
Before clicking on the Ok button, decide if you wish to encrypt the filenames and enable the option, or skip it. This depends on how you're using the data, and how sensitive it is. If you select to encrypt the filename, it is modified so that it is no longer possible to get information just by looking at it.
Warning: If you are just testing the program, make sure to check the box next to the "Do not delete file after encrypting" option.
Hit Ok and the encryption process will begin. The time it takes for this depends on the size of the files that you're encrypting. The files are saved in the EOC format (named after the program). Okay, so if we remove the EOC from the name, will the file be readable? Of course not. You may have noticed that the encrypted file is smaller than the source file's size, that's because EncryptOnClick compresses the files while encrypting them. This is quite handy in case you want to email the files to your contact. When the file is decrypted, it will be restored to its original state and size.
Note: If you select the "Folders" option, the program will encrypt the files inside the folder, not the folder itself.
There are two ways to decrypt the contents. Either use the program and select the Decrypt option (Files or Folders), or just try opening the files (if the program is installed) and it should ask for the password. Once again, remember to check the "Do not delete file after decrypting" option, else the encrypted copy will be deleted. Regardless of the option, the uncompressed file will be saved in the same folder, so it's not a real loss.
The program doesn't have a portable archive ready to download, but you can create a portable version by copying three files from the installation directory: EncryptOnClick.exe, EncryptOnClick.exe.manifest and XceedZip.dll to a memory stick and use it anywhere. I tested this as well, and it works perfectly.
Do I need EncryptOnClick installed to open the files? Yes, according to the documentation, or WinZip 9 or above. The portable version works fine too. Since I'm a 7-Zip user, I wanted to check if it can decrypt it, and I can confirm that it works. This screenshot is from the computer of a friend to whom I sent the encrypted file; he was able to open it with 7z.
Note: You can rename the extension of the encrypted files to anything you want, you can still decrypt it. It can be a good way to prevent others from opening your files.
EncryptOnClick can be very useful for protecting financial documents, personal data, pictures, etc. The simplicity of the program makes it suitable for people of all skill levels.
For all the public sparring between the two inflated egos known as Donald Trump and James Comey, the president and the former FBI director have some important commonalities. For starters, they both hate it when the common people keep secrets from the ruling class of which they represent competing factions.
The point of agreement between the two political antagonists became clear on January 14, when President Trump complained that Apple executives "refuse to unlock phones used by killers, drug dealers and other violent criminal elements." Some of us poked at our ears, wondering if we were hearing echoes. After all, not so long ago, as head of the FBI, Comey tried to force Apple to unlock encrypted cell phones and raged that Apple, Google, and other companies "market something expressly to allow people to place themselves beyond the law."
Trump agreed with Comey back then, too, by the way; in 2016, he called for a boycott of Apple until such time as the company helped the FBI break iPhone security.
Apparently, not as much divides these two men as they like to let on.
In public, Trump calls Comey a "disgrace" and Comey fires back at a man he calls a "strange and slightly sad old guy." But, aside from the fact that they're both correct about each other's flaws, that's intramural combat between power addicts over who should wield the power. That the public should be poked, prodded, and intruded upon is a given for Comey and Trump. And it's a sentiment that binds so many of our would-be lords and masters in public office.
The shared nature of official nosiness becomes clear when you remember last November's bipartisan vote to extend the Patriot Act, a measure that the Electronic Frontier Foundation says "broadly expands law enforcement's surveillance and investigative powers and represents one of the most significant threats to civil liberties, privacy, and democratic traditions in US history." Even as Democrats debated impeaching Donald Trump (a move they later approved), they overwhelmingly joined with the Trump administration to support the surveillance bill's extension.
Trans-partisan hand-holding on surveillance state measures is certainly nothing new among the political class. The Patriot Act originally passed during the presidency of Republican President George W. Bush, but with plenty of cross-aisle support.
"I drafted a terrorism bill after the Oklahoma City bombing," senator and current leading Democratic presidential wannabe Joe Biden boasted to The New Republic after the Patriot Act's passage. "And the bill John Ashcroft sent up was my bill."
Biden's anti-privacy efforts extend back so far that he inspired Phil Zimmermann to complete the development of PGP encryption software.
Later, as vice president, Biden threatened countries that considered offering asylum to surveillance whistleblower Edward Snowden.
Sen. Elizabeth Warren (D-Mass.), another leading contender for the Democratic presidential nomination, frets that the data encrypted communications will "allow companies to hide from 'government spying', such as text messages and chatroom transcripts, have proven to be 'key evidence' in previous regulatory and compliance cases."
It seems Trump and Comey are in good company on the issue. Well, good-ish, for a certain D.C.-centric value of the word.
"Lawmakers are giving big tech firms an ultimatum: Give police access to encrypted communications or we'll force you," The Washington Post reported last month.
"It ain't complicated for me," Senate Judiciary Committee Chairman Lindsey Graham (R-S.C.) told representatives from Facebook and Apple at a Capitol Hill hearing in December. "You're going to find a way to do this or we're going to do it for you."
"You all have got to get your act together or we will gladly get your act together for you," said Sen. Marsha Blackburn (R-Tenn.), who also sits on the judiciary committee.
Ranking Democratic member Dianne Feinstein (Calif.), meanwhile, said she is "determined to see that there is a way that phones can be unlocked when major crimes are committed," whether tech companies like it or not.
And so on. Trump and Comey's frenemy act opposing communications privacy for people who don't draw government paychecks is the rule, not the exception.
Sure, there are some surveillance skeptics and privacy advocates among the political class. But they're rare, and except for a very few civil liberties-oriented and government-skeptic types who are usually on the outs with the real powerbrokers, they're awfully unreliable on the issue.
The problem is that the Trumps, Comeys, Grahams, Bidens, Feinsteins, Blackburns, and Warrens of the world largely agree that the government that defines their lives and gives them importance should be vastly powerful. The rationales they come up with depend on the specific priorities of the politician in question, the cultural moment, and the audience, but they're forever arguing in favor of an intrusive state from which we can keep no secrets.
"It had become clear, to me at least, that the repeated evocations of terror by the political class were not a response to any specific threat or concern but a cynical attempt to turn terror into a permanent danger that required permanent vigilance enforced by unquestionable authority," whistleblower Edward Snowden wrote of his growing awareness of what lay behind the surveillance state in Permanent Record, his 2019 memoir.
Substitute "violent criminal elements" or "criminal action by Wall Street" or "child abusers" or any other justification politicians might come up with if you wish, but it all leads in the same direction. Ultimately, the members of the political class may fight tooth and nail, but it's not over whether Leviathan should paw through our communications. They just disagree over who should be in charge of the pawing.
Here is the original post:
Trump and Comey Are United Against Encrypted Communications - Reason
Technology that allows police officers to gather data from digital devices without the need for a password is to be rolled out from next week.
Police Scotland confirmed on Tuesday that the so-called cyber kiosks - digital triage devices - will be given to officers on January 20.
The kiosks are laptop-sized machines that enable the user to override encryption on devices such as mobile phones and tablets.
Technology was due to be deployed earlier but the roll-out was hit by delays as MSPs called for greater clarity over the legal framework for their use.
A total of 14 kiosks have already been bought by Police Scotland and will be located across all policing divisions.
It is expected all of the kiosks will be operational before May 1.
Police Scotland believe having the kiosks will allow lines of inquiry to be progressed at a faster pace, with officers being able to return mobile devices to their owners when they are having to assess them for potential evidence.
Officers will only examine the device of an individual when there is a legal basis and it is "necessary, justified and proportionate" to the crime under investigation.
They will not be enabled to store data from any devices and when an examination is complete all data will be securely deleted.
Deputy Chief Constable Malcolm Graham said having the ability to quickly assess which devices either do or do not contain evidence on them will minimise the intrusion into people's lives.
"We are committed to providing the best possible service to victims and witnesses of crime," he said.
"This means we must keep pace with society. People of all ages now lead a significant part of their lives online and this is reflected in how we investigate crime and the evidence we present to courts.
"Many online offences disproportionately affect the most vulnerable people in our society, such as children at risk of sexual abuse, and our priority is to protect those people."
He added: "Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever.
"Current limitations, however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them.
"By quickly identifying devices which do and do not contain evidence, we can minimise the intrusion on people's lives and provide a better service to the public."
See the article here:
Police Scotland to roll out encryption bypass technology - Glasgow Live
Apple and the US government are at loggerheads for the second time in four years over unlocking iPhones connected to a mass shooting, reviving debate over law enforcement access to encrypted devices.
Attorney General Bill Barr said Monday that Apple failed to provide "substantive assistance" in unlocking two iPhones in the investigation into the December shooting deaths of three US sailors at a Florida naval station, which he called an "act of terrorism."
Apple disputed Barr's claim, while arguing against the idea of "backdoors" for law enforcement to access its encrypted smartphones.
"We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said in a statement.
"Our responses to their many requests since the attack have been timely, thorough and are ongoing."
Late on Tuesday, President Donald Trump weighed in on Twitter, saying the government was helping Apple on trade issues "yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements."
"They will have to step up to the plate and help our great Country, NOW!" he added.
The standoff highlighted the debate between law enforcement and the tech sector about encryption -- a key way to protect the privacy of digital communications, but which can also make investigations difficult, even with a court order.
The latest battle is similar to the dispute between Apple and the US Justice Department after the December 2015 mass shooting in San Bernardino, California, when the iPhone maker rejected a request to develop software to break into the shooter's iPhone.
That fight ended in 2016 when the government paid an outside party a reported $1 million for a tool that circumvented Apple's iPhone encryption.
Barr last year called on Facebook to allow authorities to circumvent encryption to fight extremism, child pornography and other crimes. The social network has said it would move ahead with strong encryption for its messaging applications.
Digital rights activists argue that any privileged access for law enforcement would weaken security and make it easier for hackers and authoritarian governments to intercept messages.
"We have always maintained there is no such thing as a backdoor just for the good guys," Apple's statement said.
"Backdoors can also be exploited by those who threaten our national security and the data security of our customers."
Apple and others argue that digital "breadcrumbs" make it increasingly easy to track people, even without breaking into personal devices.
The government's latest demand "is dangerous and unconstitutional, and would weaken the security of millions of iPhones," Jennifer Granick of the American Civil Liberties Union said in a statement.
"Strong encryption enables religious minorities facing genocide, like the Uighurs in China, and journalists investigating powerful drug cartels in Mexico, to communicate safely."
Granick added that Apple cannot allow the FBI access to encrypted communications "without also providing it to authoritarian foreign governments and weakening our defenses against criminals and hackers."
Kurt Opsahl of the Electronic Frontier Foundation echoed that sentiment, saying Apple "is right to provide strong security" for its devices.
"The AG (attorney general) requesting Apple re-engineer its phones to break that security is a poor security trade-off, and imperils millions of innocent people around the globe," Opsahl tweeted.
James Lewis of the Center for Strategic and International Studies, a Washington think tank, said he believes it's possible to allow law enforcement access without sacrificing encryption.
"You're not weakening encryption, you're making it so it's not end-to-end," Lewis told AFP.
"It means that there's a third party who can look at it under appropriate authority."
But Lewis said he does not expect either side to come out a winner in the battle, and that US officials will likely find another outside party to crack the two iPhones belonging to the shooter, Royal Saudi Air Force 2nd Lieutenant Mohammed Saeed Alshamran, who died in the attack.
"It's a repeat of the movie we saw in San Bernardino," he said.
"It's going to be harder because Apple probably fixed the trick that worked in San Bernardino."
Hardware Encryption Market Set To Register A CAGR Growth Of XX% Over The Forecast Period 2017 2025 – Fusion Science Academy
Study on the Global Hardware Encryption Market
A recent market study published by TMRR provides resourceful business insights pertaining to the growth prospects of the Hardware Encryption market during the considered forecast period, 2019-2029. According to the report, owing to the growing demand for product 1 and product 2 from region 1 and region 2, significant advances in Hardware Encryption technology, and growing investment for research and development activities, the Hardware Encryption market is projected to grow at CAGR of XX% through the forecast period.
The data collected by our analysts from credible primary and secondary sources provides answers to some top queries related to the global Hardware Encryption market.
Some of the questions related to the Hardware Encryption market addressed in the report are:
in the current Hardware Encryption market?
The market study bifurcates the global Hardware Encryption market on the basis of product type, regions, application, and end use industry. The insights are backed by accurate and easy to understand graphs, tables, and figures.
segmentation, applications, technological advancements, and the regional segments of the global hardware encryption market. In addition, the limitations and challenges that are being faced by the prominent players in the overall market have been discussed in the research study.
Global Hardware Encryption Market: Drivers and Restraints
The rising concerns related to the privacy of data and data security and tremendous expansion of the digital content are anticipated to encourage the growth of the global hardware encryption market throughout the forecast period. In addition, several advantages offered by hardware encryption in comparison with software encryption technology and the rising need of regulatory framework are some of the other factors estimated to accelerate the growth of the overall market in the near future.
On the contrary, the need for high capital investment and the lack of awareness among consumers regarding the benefits of hardware encryption technology are projected to restrict the growth of the global hardware encryption market in the next few years. Nevertheless, the emergence of economical and compact hardware encryption techniques and the rising adoption of cloud computing are expected to offer promising opportunities for market players in the coming years.
Global Hardware Encryption Market: Region-wise Outlook
The global market for hardware encryption has been divided on the basis of geography into Europe, the Middle East and Africa, North America, Latin America, and Asia Pacific. The research study has provided a detailed analysis of the leading regional segment, highlighting the market share and anticipated growth rate. In addition, the key factors that are encouraging the growth of these segments have been discussed in the scope of the research study.
According to the research study, Asia Pacific is anticipated to witness strong growth throughout the forecast period, owing to the robust development of the IT industry. In addition, a substantial contribution from China, India, Malaysia, and South Korea is expected to accelerate the growth of the hardware encryption market in Asia Pacific throughout the forecast period. Furthermore, with the presence of a large number of established hardware encryption manufacturing companies, North America is anticipated to witness healthy growth in the next few years.
Key Players Mentioned in the Research Report are:
The global hardware encryption market is projected to witness a high level of competition in the coming few years. The leading players in the market are focusing on offering new products to consumers in order to enhance their market penetration and maintain their dominant position throughout the forecast period. Some of the prominent players operating in the hardware encryption market across the market are Netapp, Maxim Integrated Products, Inc., Toshiba Corp., Gemalto NV., Micron Technology, Inc., Samsung Electronics Co. Ltd., Kanguru Solutions, Thales (E-Security), Winmagic Inc., Kingston Technology Corp., Western Digital Corp., and Seagate Technology PLC.
Furthermore, the research study has provided a detailed analysis of the competitive landscape of the global hardware encryption market. An in-depth overview of company profiles and their financial overview have been discussed at length in the scope of the research study. Additionally, the business strategies, SWOT analysis, and the recent developments have been included to offer a clear understanding of the overall market.
The competitive outlook segment tracks the activities of the leading market players operating in the global Hardware Encryption market. In addition, the report provides an extensive analysis of the product portfolio and marketing strategies adopted by each market players in the Hardware Encryption market.
Key findings included in the report:
Malware is complex and meant to confuse. Many computer users think malware is just another word for virus when a virus is actually a type of malware. And in addition to viruses, malware includes all sorts of malicious and unwanted code, including spyware, adware, Trojans and worms. Malware has been known to shut down power grids, steal identities and hold government secrets for ransom.
The swift detection and extraction of malware is always called for, but malware isn't going to make it easy. Malware is mischievous and slippery, using tricks like obfuscation, encoding and encryption to evade detection.
Understanding obfuscation is easier than pronouncing it. Malware obfuscation makes data unreadable. Nearly every piece of malware uses it.
The incomprehensible data usually contains important words, called strings. Some strings hold identifiers like the malware programmer's name or the URL from which the destructive code is pulled. Most malware has obfuscated strings that hide the instructions that tell the infected machine what to do and when to do it.
Obfuscation conceals the malware data so well that static code analyzers simply pass by. Only when the malware is executed is the true code revealed.
Simple malware obfuscation techniques like exclusive OR (XOR), Base64, ROT13 and codepacking are commonly used. These techniques are easy to implement and even easier to overlook. Obfuscation can be as simple as interposed text or extra padding within a string. Even trained eyes often miss obfuscated code.
The malware mimics everyday use cases until it is executed. Upon execution, the malicious code is revealed, spreading rapidly through the system.
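As an added illustration (not code from the original article), the triage pass below shows why a plain string scan misses XOR-, Base64- and ROT13-encoded strings and how a defender can recover them from a buffer. The sample bytes, the `example.test` URLs, the XOR key and all function names are constructed for this example.

```python
import base64
import binascii
import re
import string
from typing import NamedTuple

# A decoded string is reported only if it contains a URL-like indicator.
URL_RE = re.compile(rb"https?://[\w.\-/]{4,}")
# Candidate Base64 text: a long run of alphabet characters, optional padding.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

_LOW, _UP = string.ascii_lowercase.encode(), string.ascii_uppercase.encode()
ROT13_TABLE = bytes.maketrans(_LOW + _UP, _LOW[13:] + _LOW[:13] + _UP[13:] + _UP[:13])


class Finding(NamedTuple):
    technique: str
    detail: str
    offset: int
    text: str


def scan_xor(data: bytes) -> list:
    """Brute-force every single-byte XOR key and keep decodings that reveal a URL."""
    findings = []
    for key in range(1, 256):
        decoded = data.translate(bytes(b ^ key for b in range(256)))
        for m in URL_RE.finditer(decoded):
            findings.append(Finding("xor", f"key=0x{key:02x}", m.start(), m.group().decode()))
    return findings


def scan_base64(data: bytes) -> list:
    """Decode each Base64-looking run, trying all four alignments of the run."""
    findings = []
    for run in B64_RUN_RE.finditer(data):
        body = run.group().rstrip(b"=")
        for shift in range(4):  # the run may begin in the middle of a 4-char group
            chunk = body[shift:]
            if len(chunk) % 4 == 1:  # a length of 4n+1 can never be valid Base64
                chunk = chunk[:-1]
            chunk += b"=" * (-len(chunk) % 4)
            try:
                decoded = base64.b64decode(chunk)
            except (binascii.Error, ValueError):
                continue
            m = URL_RE.search(decoded)
            if m:
                findings.append(
                    Finding("base64", f"shift={shift}", run.start() + shift, m.group().decode())
                )
                break
    return findings


def scan_rot13(data: bytes) -> list:
    """Apply ROT13 to the whole buffer; only letters change, offsets are preserved."""
    decoded = data.translate(ROT13_TABLE)
    return [Finding("rot13", "rot=13", m.start(), m.group().decode())
            for m in URL_RE.finditer(decoded)]


def triage(data: bytes) -> list:
    """Run all three decoders and return every recovered indicator."""
    return scan_xor(data) + scan_base64(data) + scan_rot13(data)


def build_sample() -> bytes:
    """Constructed test buffer: three hidden URLs, none visible as plain text."""
    xor_part = bytes(b ^ 0x5A for b in b"http://c2.example.test/gate\x00")
    b64_part = base64.b64encode(b"https://cdn.example.test/payload.dll")
    rot_part = b"http://update.example.test/a.exe".translate(ROT13_TABLE)
    return (b"\x00\x01MZ\x90" + xor_part + b"\x00" * 4
            + b64_part + b"\xff\xfe" + rot_part + b"\x00")


if __name__ == "__main__":
    sample = build_sample()
    print("plain scan finds URL:", URL_RE.search(sample) is not None)
    for f in triage(sample):
        print(f"{f.technique:7} {f.detail:9} @{f.offset:<4} {f.text}")
```

These decoders cover only the simple, single-layer encodings named above; layered or multi-byte schemes need dynamic analysis or an emulator.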
Next-level malware obfuscation is active and evasive. Advanced malware techniques, like environmental awareness, confusing automated tools, timing-based evasion, and obfuscating internal data, allow (Read more...)
See original here:
Malware Obfuscation, Encoding and Encryption - Security Boulevard
As Apple squares off for another encryption fight, Microsoft CEO Satya Nadella offered mixed messages on the encryption question. In a Monday meeting with reporters in New York, Nadella reiterated the company's opposition to encryption backdoors, but expressed tentative support for legal and technical solutions in the future.
"I do think backdoors are a terrible idea, that is not the way to go about this," Nadella said. "We've always said we care about these two things: privacy and public safety. We need some legal and technical solution in our democracy to have both of those be priorities."
Along those lines, Nadella expressed support for key escrow systems, versions of which have been proposed by researchers in the past.
Apple's device encryption systems first became a point of controversy after a 2016 shooting in San Bernardino, which led to a heated legal push to force Apple to unlock the phone. That fight ultimately ended in a stalemate, but many have seen the recent shooting at a naval base in Pensacola as a potential place to restart the fight. Committed by a Saudi national undergoing flight training with the US Navy, the shooting has already been labeled a terrorist act by the FBI, and resulted in 21 other Saudi trainees being disenrolled from the program. Two phones linked to the assailant are still subject to Apple's device encryption, and remain inaccessible to investigators.
But Nadella stopped short of simply saying companies could never provide data under such circumstances, or that Apple shouldn't provide a jailbroken iOS modification under the circumstances. "We can't take hard positions on all sides... [but if they're] asking me for a backdoor, I'll say no." Nadella continued, "My hope is that in our democracy these are the things that arrive at legislative solutions."
That's a significantly milder tone than Microsoft took during the San Bernardino case in 2016. At the time, Microsoft expressed wholehearted support for Apple's position in the case, and joined Apple in opposing some of the encryption bills pushed in the wake of the trial.
Correction 9:43PM ET: Due to a transcription error, Nadella's two priorities were listed as "privacy and national security." He said they were "privacy and public safety." This has been corrected.
Expect the U.S. Department of Justice and officials from allied countries to push harder for large technology companies to give them access to customers' encrypted communications, and expect the tech companies to continue to resist.
The current push for tech companies to provide encryption backdoors started back in 2014, when then-FBI Director James Comey complained about law enforcement agencies "going dark" because of a lack of access to encrypted email, texts, and other communications. But current Attorney General William Barr and allies in the United Kingdom and other countries have stepped up the pressure on tech companies in recent months.
Encryption has "empowered criminals" as terrorists, human traffickers, and sexual predators shield their activities from police, Barr said in a speech in October. "As we work to secure our data and communications from hackers, we must recognize that our citizens face a far broader array of threats," he said. "While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society's ability to defend itself against other types of criminal threats."
The debate shifted into high gear in December. On Dec. 9, Facebook sent a letter to U.S., U.K., and Australian officials, rejecting their request that the company scrap its plans to offer end-to-end encryption across messaging services.
"We all want people to have the ability to communicate privately and safely, without harm or abuse from hackers, criminals, or repressive regimes," the letter said. "Every day, billions of people around the world use encrypted messages to stay in touch with their family and friends, run their small businesses, and advocate for important causes. In these messages, they share private information that they only want the person they message to see."
A day later, in a Senate Judiciary Committee hearing, Chairman Lindsey Graham threatened Facebook and Apple officials with legislation if they didn't give law enforcement encryption back doors.
"You're going to find a way to do this, or we're going to go do it for you," said Graham, a Republican from South Carolina. "We're not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion."
Many cybersecurity experts, however, have warned against the push for encryption back doors.
If law enforcement agencies get access to encrypted communications, it's only a matter of time before criminals figure it out, said Michael Frederick, CEO of software development firm Flatirons Development. There is no "middle ground" compromise to the encryption debate, he added.
"Any back door that is open to law enforcement to allow them to access encrypted materials will inevitably be discovered and abused by those with malicious intentions," he said. "That could be hackers in the U.S., or it could be overseas governments taking advantage of the loophole, presenting a risk to our national security."
When the loophole is discovered and shut down, "we will start this conversation over again," he predicted.
It's "impossible" to allow law enforcement access without also risking hacker access to encrypted communications, added Daniel Goldberg, security researcher at Guardicore, a cloud and data center security vendor.
"Regardless of the method, whether it's key escrow or weakened access or any other buzzword of the month, encryption only works if it's total," he said. "If we go down this path, not far is the day when criminal groups or nation-states will have easy access to all private communications of common citizens."
Nevertheless, the push for access isn't all "fear, uncertainty, and doubt," Goldberg added. "By choosing privacy for all citizens, we also allow privacy to criminals," he said. "Law enforcement today relies on a hodgepodge of methods that try to go around end-to-end encryption, allowing sophisticated criminals freedom of action."
Meanwhile, security experts were split in their predictions on whether Congress would act to require law enforcement access. Some saw too much disagreement in Congress to move forward, while others predicted eventual action to require some type of access.
"Unfortunately, I can see Congress, in light of a national emergency or threat, taking action to weaken individual access to encryption technology," said Llewellyn Gibbons, a cyberlaw professor at the University of Toledo College of Law. "I doubt that Congress will take action on this as part of a reasoned debate that considers the commercial as well as individual privacy concerns."
Congressional action would be a significant change in U.S. government policy related to the internet, Gibbons added. "Such a change would be a dramatic shift from the self-government model that the U.S. government has encouraged on the internet."
Over two dozen encryption experts call on India to rethink changes to its intermediary liability rules – TechCrunch
Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules.
In an open letter to India's IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet.
The Indian government proposed (PDF) a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes.
The originally proposed rules say that intermediaries, which the government defines as those services that facilitate communication between two or more users and have five million or more users in India, will have to proactively monitor and filter their users' content and be able to trace the originator of questionable content to avoid assuming full liability for their users' actions.
"By tying intermediaries' protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures," the experts wrote in the letter, coordinated by the Internet Society.
"With end-to-end encryption, there is no way for the service provider to access its users' decrypted content," they said. Some of these experts include individuals who work at Google, Twitter, Access Now, Tor Project and World Wide Web Consortium.
"This means that services using end-to-end encryption cannot provide the level of monitoring required in the proposed amendments. Whether it's through putting a backdoor in an encryption protocol, storing cryptographic keys in escrow, adding silent users to group messages, or some other method, there is no way to create exceptional access for some without weakening the security of the system for all," they added.
Technology giants have so far enjoyed what is known as safe harbor laws. The laws, currently applicable in the U.S. under the Communications Decency Act and India under its 2000 Information Technology Act, say that tech platforms won't be held liable for the things their users share on the platform.
Many organizations have expressed in recent days their reservations about the proposed changes to the law. Earlier this week, Mozilla, GitHub and Cloudflare requested the Indian government to be transparent about the proposals that they have made to the intermediary liability rules. Nobody outside the Indian government has seen the current draft of the proposal, which it plans to submit to India's Supreme Court for approval by January 15.
Among the concerns raised by some is the vague definition of "intermediary" itself. Critics say the last publicly known version of the draft had an extremely broad definition of the term "intermediary," that would be applicable to a wide range of service providers, including popular instant messaging clients, internet service providers, cyber cafes and even Wikipedia.
Amanda Keton, general counsel of Wikimedia Foundation, requested the Indian government late last month to rethink the requirement to bring traceability on online communication, as doing so, she warned, would interfere with the ability of Wikipedia contributors to freely participate in the project.
A senior executive with an American technology company, who requested anonymity, told TechCrunch on Wednesday that even as the proposed changes to the intermediary guidelines need major changes, it is high time that the Indian government decided to look into this at all.
"Action on social media platforms, and instant communications services is causing damage in the real world. Spread of hoax has cost us more than at least 30 lives. If tomorrow, someone's sensitive photos and messages leak on the internet, there is currently little they can expect from their service providers. We need a law to deal with the modern internet's challenges," he said.