Police radios in a large swath of Denvers southeast metro area went dark this week as law enforcement in Douglas and Elbert counties encrypted their radio systems to block public access to the transmissions, which have for decades provided the public with live information on police activity.

The Douglas County Sheriffs Office, all law enforcement and firefighters in Elbert County who are dispatched by Douglas County, as well as the police departments in Lone Tree, Parker and Castle Rock all encrypted their radio traffic on Dec. 2, according to the sheriffs office.

The Arapahoe County Sheriffs Office plans to encrypt its traffic in January, along with the departments it dispatches for such as Sheridan, Cherry Hills and Cherry Creek State Park. Police in Littleton, Englewood and Greenwood Village also are joining the encryption trend.

Officials at the agencies cited concerns about officer safety, citizen privacy and the need to communicate with other encrypted departments as reasons for shielding the radio traffic from public listening.

There is a lot of information that is not public and shouldnt be public that is transmitted over the radio, said Josh Hans, spokesman for the Parker Police Department.

Its just for the safety and security of our deputies, said Deputy Cocha Heyden at the Douglas County Sheriffs Office

We need to be able to communicate without the bad guys listening in on us and knowing what were doing, said Littleton police Cmdr. Trent Cooper.

Joe Amon, The Denver Post

The departments are following a statewide trend many local agencies have already encrypted their traffic, including Denver, Thornton,Arvada, Aurora, Lakewood, Westminster, Greeley, Longmont and Fort Collins but the move continues to raise concerns among advocates for police and government transparency, who say encrypting radio traffic shuts down a key avenue of public information for both citizens and the news media.

When everybody is trying to say they are transparent, this is one of the least transparent things you can do, said Chris Vanderveen, 9NEWS director of reporting. Police radio traffic for decades has allowed journalists to know when police are responding to major incidents, and has provided key context for reporting on such incidents, Vanderveen said, like when a man shot at cars from a Denver parking garage in November.

When the guy was downtown taking shots at cars, the only word we got initially was Active shooter downtown, he said. And thats all we had. Before, we would listen to the scanner and it would give us a sense of, Is this a really hot area we are potentially going into, is this something the police are treatingseriously? Do we need to have our crews back off? We are now sending our crews into situations blindly; and that deeply concerns me.

Jeff Roberts, executive director of the Colorado Freedom of Information Coalition, said police radio traffic also allows reporters to get to the scene and interview witnesses accounts that can later confirm or cast doubt on information released by the police department.

Government doesnt always tell you everything, and there needs to be a watchdog on that, he said.

The Douglas County Sheriffs Office will grant some news media access to its encrypted radio traffic if the news organizations agree to several conditions set by the sheriffs office in a memorandum of understanding, and if the news outlet is determined to be legitimate a decision left to the sheriffs discretion.

Heyden said the goal of the agreement is to formalize what has in the past been an unwritten understanding that journalists would not report information heard on the scanner without first verifying it. Thats already a normal standard at reputable news organizations.

We felt this would be a good step to show that the issue of us encrypting didnt have anything to do with the media, it had to do with safety and security reasons, she said.

So far, one news station in Colorado Springs has signed the agreement, Heyden said.

Ginger Delgado, a spokeswoman for the Arapahoe County Sheriffs Office, said they will also offer media access to encrypted radio traffic on the condition of a signed memorandum of understanding when the county moves to encryption early next year.

Such agreements have at times been cumbersome, Roberts said. In Denver, police offered news media access to its encrypted radio, but only if the news organizations agreed to cover the citys legal costs in the event of legal action stemming from information gathered from police radio transmissions (unless the claim was because of the sole negligence or willful misconduct of the city). The city also wanted to be able to examine news organizations books, documents, papers and records related to the use of the city-issued scanner.

The Denver Post and all local TV stations declined to accept those conditions and have not been granted access to the citys encrypted traffic.

We will not agree to anything that would compromise what we believe to be good journalism, Vanderveen said. He added that police promises to put information out on social media and in press releases have fallen short.

All the police departments have taken this approach of, Oh we will give out information in time. All of them have shown theyre not, he said. And I dont think its devious, its just a logistical impracticality. Its not practical because they cant distribute that information quickly enough via Twitter.

Roberts said some cities have encrypted traffic yet still found ways to ensure access for the public and media, either by providing media with access to radio traffic without setting any conditions or in some cases by continuing to let the public listen in, but on a 10-minute delay.

Officials at eight law enforcement agencies who are planning to encrypt their radio traffic were hard pressed to cite specific examples in which suspects used scanner traffic to thwart police, but all were certain it presented a potential safety risk.

Our investigators do remember several different times when it happened, Delgado said. About two years ago, there was active surveillance being done by our task forces, and there was someone who was actively listening to our radio traffic and feeding information to the target.

Another time, she said, officers responding to a shooting were approached by a woman who had been listening to the call on her phone.

Its so easy now to download an app on your phone, so thats a huge safety issue too, she said.

Although state legislators have twice considered bills that would prohibit or regulate police radio encryption, both bills failed to pass, Roberts said. Police radio encryption continues to be adopted across Colorado.

This looks like an unstoppable trend, he said.

Continued here:
Police radios blocked from the public in southeast Denver metro area - The Denver Post

Labor home affairs spokeswoman Kristina Keneally said on Tuesday Labor had backed the bill based on the government's commitment it would be refined this year, acting on the recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

"[Government Senate leader] Mathias Cormann did not hold true to his word. The government did not hold true to their word. And those amendments, the government has refused now for 12 months to bring back to the Parliament," Senator Keneally said.

"The private senator's bill that we will introduce will include all of the amendments the government has previously agreed to, as well as the judicial authorisation for some of the actions that some of the encryption legislation authorises."

A spokeswoman for Home Affairs Minister Peter Dutton called Labor's move a "political stunt".Credit:Alex Ellinghausen

A spokeswoman for Home Affairs Minister Peter Dutton pushed back against Labor's "political stunt", saying the legislation was being reviewed by the Independent National Security Legislation Monitor (INSLM) and the intelligence and security committee.

"Labor is asking for amendments while the PJCIS and the INSLM are still conducting their reviews the government has agreed to the PJCIS' request to allow PJCIS and INSLM more time to review this important legislation," the spokeswoman said.

Loading

Reviewing the legislation after it had been enacted was among the 17 recommendations made by the intelligence committee in December 2018. Other recommendations were amendments to restrict and clarify the new powers laid out in the legislation.

Last year, Senator Cormann said the government would consider amendments in 2019 and supported "in principle, all amendments that are consistent with the [PJCIS] recommendations in relation to this bill".

Sunita Bose, managing director of tech industry body DIGI, expressed strong support for the CLOUD Act and backed amendments to make sure Australia complied with it.

"We have supported reviews by the INSLM and PJCIS into the Assistance and Access law, and encouraged amendments that provide judicial oversight, more robust definitions and stronger protections for journalists," she said.

The encryption legislation is part of a global push by law enforcement to confront the growing challenge of suspects "going dark", with their data encrypted and out of reach to investigators.

Fergus Hunter is an education and communications reporter for The Sydney Morning Herald and The Age.

Read more:
'Government broke their promise': Labor seeks to amend encryption legislation - Sydney Morning Herald

The news that Interpol is about to condemn the spread of strong encryption is just the latest salvo in the crypto wars, a decades-long controversy between proponents of strong encryption, law enforcement and investigative bodies over the widespread use of encryption by technology companies. The central tenet of the law enforcement argument is that strong end-to-end encryption hinders the investigation and prosecution of crimes when suspects use it on their personal devices. For their part, privacy and human rights advocates contend that there is no mechanism that (both) protects the security and privacy of communications and allows access for law enforcement.

Encryption is the encoding of information such that only authorized parties may access it at the messages final destination. One of the earliest examples of encryption and the most cited in literature on the subject is the Caesar cipher, a substitution cipher where each letter of a message is shifted 3 characters.

The Caesar cipher relied more on the secrecy of the method of encryption rather than the key, and can easily be cracked by observing the frequency of the letters.

In the 20th century, notable uses of encryption and - more pertinently - codebreaking have had major historical impacts. This includes the Zimmerman telegram of World War I, in which Germany urged Mexico to invade the United States if Washington were to join the war against it. The ability of the British to break the German code and the leaking of the contents of the telegram was instrumental in turning American public opinion against Germany and lead to the US entering the war on the side of the Allies.

Later, during World War Two, a British team led by mathematician Alan Turing broke Germany's Enigma code. By some estimates this shortened the war by two years and saved 12 million lives.

While all encryption methods used up until the Enigma machine relied on the concept of security through obscurity, modern cryptography is based on the opposite: security through transparency.

The plans for Enigma were very well concealed and breaking it was not easy. Marian Rejewski at Polands Cipher Bureau and later Alan Turing and his team at Bletchley Park had to build a computer to help break the codes at scale. Modern cryptographic methods are based on well-known mathematical theorems that are practically unbreakable with current technologies.

For instance, multiplying two prime numbers together is an easy problem. The result is what is called a semi-prime number. Now finding out which two prime numbers were multiplied in the first place to achieve a semi-prime number is computationally difficult: the only way for the current generation of computers is a trial and error process that can take centuries, depending on the length of the semi-prime number. The widely used RSA 2048 encryption method, for example, would take a classical computer 300 trillion years to crack (although quantum computers may one day do the job a lot faster).

Facebook Messenger, WhatsApp and other communication apps use an implementation of public key cryptography called end-to-end encryption. Only the end users have access to the decrypted data; the service provider, like Facebook, doesnt. As such, it is theoretically impossible for the company to hand over decrypted data to the authorities.

This is the crux of the debate. It is what has led law enforcement to ask that end-to-end encryption not be rolled out by Facebook, or that 'backdoors' be introduced to aid in surveillance or data recovery.

A first example of this was the San Bernardino terrorist attack of 2015, in which the FBI wanted Apples assistance to open one of the assailants phones. Apples refusal led the FBI to file a case with the US District Court for the Central District of California to compel Apple to aid FBI efforts. The request was eventually withdrawn when an Israeli company found and exploited a vulnerability in the phone to decrypt the data on behalf of the Bureau. While the data revealed nothing about the plot, the case brought widespread criticism of the company for profiting from vulnerabilities in its phone operating system that cybercriminals, terrorists and rogue nations can buy, find and exploit too. Best practice in the cybersecurity industry is for researchers to report these vulnerabilities to the software editor or device manufacturer; this is called responsible disclosure.

A second example of this was this years "Ghost protocol" proposed by UK intelligence agency GCHQ to avoid weakening encryption, which revolved around transferring messages sent by a suspect over WhatsApp or iMessage to a law enforcement agent without notifying the suspect. This was met with vigorous opposition from tech firms.

Privacy advocates do not argue the need for law enforcement to be able to investigate crimes such as child exploitation and terrorism. The general objection from them and other parties interested in keeping messages private is that any weakening of encryption for the benefit of investigators also benefits those with more nefarious intent. They argue that 'backdoor' or exceptional access by law enforcement amounts to the introduction of a weakness to security systems that can be exploited by criminals. This unintended consequence of the desire to provide better protection to, for instance, exploited children, victims of terrorism or human trafficking also exposes regular users to exploitation from cybercriminals by giving these groups a built-in way to access their information.

In 2015 at a talk at West Point, then Vice-Chairman of the US Joint Chiefs of Staff, Admiral James A. Winnefeld, said: I think we would all win if our networks were more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike [then NSA Director Mike Rogers] on the intelligence side than very vulnerable networks and an easy problem for Mike.

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forums investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact info@c4c-weforum.org.

In Europe, the EU Cybersecurity Agency and Europol issued a joint statement on this topic, recognizing the hurdles of strong encryption in police work, but also acknowledging that weakening encryption technologies for everyone was not the way forward. Rather, they called for research and development efforts to find technical solutions to decrypt communication, all under judiciary oversight.

As the crypto wars continue to seek to strike the correct balance between the needs of law enforcement for access to information to conduct investigations and the need for vulnerable populations to free speech and the general public to have financial and personal information protected, the ultimate decisions will be weighed by those with a view of the entire ecosystem.

License and Republishing

World Economic Forum articles may be republished in accordance with our Terms of Use.

Written by

Adrien Oge, Project Lead, Cyber Resilience, World Economic Forum

Marco Pineda, Head of Security and Innovation, Centre for Cybersecurity, World Economic Forum

The views expressed in this article are those of the author alone and not the World Economic Forum.

See the rest here:
Privacy vs public safety - the pros and cons of encryption - World Economic Forum

Enlarge / All scammers, all the time: my Keybase message inbox.

Keybase started off as co-founder and developer Max Krohn's "hobby project"a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was cofounder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreesen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way.

But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantryraising a chorus of complaints in Keybase's open chat channel.

It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Full disclosure: I have been a Keybase user for several years, and fellow Ars editor Lee Hutchinson and I had experimented with using Keybase as a potential way of securing some of our workflow. Not needing anyone to host (and therefore own) our data seemed like a good thing. But Lee recently canceled his Keybase account and says he wont be back because of how annoying it is.

Keybase's leadership is promising to do something to fix the spam problemor at least make it easier to report and block abusers. In a blog post, Krohn and Coynes wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly."

But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

Part of the attraction of Keybase is that it allows hassle-free access from the Tor anonymizing network, as well as from VPNswhich makes it harder to track down the source of abusive traffic through the service. But much of the spam traffic is over unobfuscated network connections, and while some of it is coming from Europe and North America, most is coming from Russian and Nigerian IP addresses.

Other platforms have seen the same sort of problem. Romance scammers got their start on instant messaging platforms and quickly moved on to dating apps. Earlier this decade, OkCupid became a den for these scamswhere someone (often in Nigeria) poses as someone looking for love, and then moves the conversation toward pleas for financial support, calling cards, or other investments. And as I've reported earlier this year, these and other scams have taken hold on Twitter.

Right now, it's possible (with some navigation) to block someone from messaging you on Keybase and hiding messages they send. But there's no effective way to report them for abuse other than reaching out to administrators directly. And there's no way to completely filter out the requests in the first place, as anyone can create a Keybase account and send a message to you.

A romance scammer hits me up.

I'm sure this is legit.

Sure you are.

This profile uses a Twitter account to verify, but...

That Twitter account sure is convincing.

As part of the changes to Keybase being pushed out in an upcoming release, users will now be able to report spam or abusive messages straight from Keybase's chat interfaceblocking that user with a click or tap, with the option of reporting the user to Keybase administrators. The report allows for quick classification of the message as spam, harassment, "obscene material," or "other," with a field for additional details. "You'll also be able to send Keybase admins the transcript of your chatsomething we obviously don't normally have access to, sinceKeybase is end-to-end encrypted," Keybase execs explained in their post.

Another measureKeybase calls the "nuclear option" is also in the works. Similar to Twitter's protected account capabilities, it allows users to select a set of rules that determine who can follow or message thembased on whether theyre already connected in some way." These options will create a custom walled-garden experience," the Keybase execs explained. "It won't be necessary for most people -- especially after the blocking features launch -- but it will 100% shut down all unwanted contact."

More fixes are promised in the future. Considering that Keybase already provides ways for people to attest to their identities to provide trust in communications, it would be conceivable that you could filter requests based on the quality and number of those attestationsconfirmations made by posting messages to social media accounts, GitHub accounts, and other accounts that are connected to online identity (mine is tied to Twitter, GitHub, Hacker News, Reddit, and a personal domain name as well as my PGP key). Most fraudulent accounts don't bother with anything more than the free Stellar wallet address, and those that do often attach a fake Twitter account.

None of this is going to bring Lee Hutchinson back. "When a tool that I dont need or think about very often starts spamming me and requires I dig up documentation to make the spamming stop," Lee said, "Im not going to take time out of my [redacted] day to read the docs and screw around with privacy settings. Im just going to delete the tool. Which I did."

Read the rest here:
Keybase moves to stop onslaught of spammers on encrypted message platform - Ars Technica

A staggering amount of data is stored in the cloud. According to IDC, data stored in the cloud is projected togrow from 33 ZB in 2018 to 175 ZB by 2025. The cloud is now home to massive amounts of data as organizations migrate their modern business applications. But studies show that less than ten percent of cloud providers are encrypting their data once it is stored at rest, leaving sensitive corporate and personal data vulnerable to unauthorized access and data breaches as well as exposing companies to hefty fines as the US and EU ramp up enforcement of privacy regulations.

In a move to address todays major problem behind privacy, making encryption usable, StrongSalt, an encryption platform as a service startup,announced the first Open Privacy API for searching and sharing encrypted data in cloud services and enterprise applications. With the new API, companies can now build data protection into any application or workflow, allowing both security and usability to co-exist in a privacy-focused world.

By introducing the ability to search and use data while it remains encrypted, without exposing it to risk, StrongSalt opens the potential for mass adoption of encryption, allowing both security and accessibility to co-exist in a privacy focused world.

Founded in 2015 by Ed Yu, the former founding engineer of publicly traded cybersecurity company, FireEye, the San Francisco,CA-based StrongSalt is an encryption platform as a service to help build a new privacy infrastructure for the internet. StrongSalt is solving the fundamental problem of data privacy by building the worlds first always-on searchable encryption infrastructure through APIs that are simple enough for any developer to use, yet secure enough to power the worlds most demanding applications.

Starting January 2020, any organization that suffers a reportable breach affecting the information of California consumers will face potentially enormous class action litigation costs under CCPA and StrongSalts approach is the only get out of jail free card, said Lydia de la Torre, a practice lead at global law firm of Squire Patton Boggs who provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, GDPR, CCPA, other states privacy and cyber laws, US financial privacy laws.

StrongSalts encryption as a service (EaaS) API makes it easy for developers to build data protection into any application or workflow.

Read the original:
This startup just solves the data privacy problem by making it possible to search encrypted data in the cloud - TechStartups.com