Decrypted: Police leaks, iOS 14 kills ad-tracking, anti-encryption bill

What would the world look like if encryption were outlawed? If three Republican senators get their way, it might just happen.

Under the guise of national security, the Senate Judiciary Committee pushed through a draft bill that would end “warrant-proof” encryption — that is, strong, near-impossible-to-break encryption that lets only the device owner unlock their data and nobody else. Silicon Valley quickly embraced this approach, not least because it cuts even the tech giants out of the loop so that the feds can’t demand they hand over their users’ data.

Except that didn’t happen. The opposite happened. The FBI cried foul, as did the Justice Department, claiming it makes it harder to solve crimes, while conveniently neglecting to mention its vast array of hacking tools that also makes it easier than ever to get the data that prosecutors seek.

Now a legislative fix to the government’s near-nonexistent problem. The bill, if passed, would create a “backdoor mandate” that would force tech companies to build in “backdoors” to let police, with a warrant, access an encrypted device’s photos, messages, files and more. The same would apply to data “in motion” as it traverses the internet, undermining the security that keeps our emails safe and our online banking secure, and effectively banning end-to-end encrypted messaging apps like Signal, WhatsApp and Facebook Messenger.

Experts decried the bill, as expected, and as they have done with every other attempt to undermine the security of the internet. Their argument is simple, and mathematically irrefutable: If police can get a backdoor, so can hackers. There’s no secure way to give one access and not the other.

Lawmakers seem set on changing the law of the land, but they can’t change the laws of mathematics.

More on that in this week’s Decrypted.


THE BIG PICTURE

‘BlueLeaks’ dumps data on decades of police files

Hacking collective Anonymous crashed onto the internet a decade ago by publishing reams of secret files and stolen data from governments and corporations. Last week the collective emerged after a long hiatus, returning with a massive trove of data obtained from hundreds of U.S. police departments in an operation dubbed BlueLeaks.

The data was published by Distributed Denial of Secrets, an alternative to WikiLeaks that’s dedicated to publishing files in the public interest. The data contains a decade’s worth of police training materials and other internal law enforcement data, like protest containment strategies, which have come under fire after tactics used against protesters in the wake of George Floyd’s death.

The group said the data contained “hundreds of thousands of documents … police and FBI reports, bulletins, guides and more.” The data also contains personally identifiable data, according to one memo from an association representing police officers.

But Twitter quickly banned the group’s handle, @DDoSecrets, and prevented others from posting links to the group’s website.

The social media giant said the group violated its rules on disseminating hacked data. Well-known security expert Micah Lee blasted Twitter for not applying the same policy to other leak groups, notably WikiLeaks.

Apple lets users put the brakes on targeted advertising

iPhone users scored a major privacy win this week after Apple announced it would let users reject in-app web tracking that makes it easier for ad giants to collect data about you as you browse the web and target you with ads.

iOS 14 will prompt users to “allow tracking” or opt out altogether. It’s not a death knell to online tracking but, given Apple’s dominance in the mobile ad market, giving users the option to opt out will vastly reduce the amount of data that these ad giants collect on millions without their explicit and direct consent.

The move is Apple’s latest assault on the ad industry as part of its effort to uphold its privacy-conscious mantra.

Once criticized for its own ad campaign, “What happens on your iPhone, stays on your iPhone,” as simply untrue, due in large part to the amount of ad tracking on each user’s phone, Apple is one step closer to making the claim a reality.


MOVERS AND SHAKERS

“With so many people now working, studying and doing many other life activities online thanks to pandemic-induced shutdowns, now is really the absolute worst possible time to attack encryption and undermine cybersecurity.”

That’s the view from Riana Pfefferkorn, an associate director at the Stanford Center for Internet and Society and ardent encryption defender. Pfefferkorn is no stranger to anti-encryption legislation. For years, the U.S. and Silicon Valley have danced around encryption backdoors. The closest the government came was when it sued Apple to force the tech giant to backdoor a terrorist’s iPhone. Apple called it a “dangerous precedent,” even as the case fell through.

Just last month she wrote about the Earn-It Act, a similar if not more covert legislative effort that would pull crucial legal protections that shield tech giants from what their users post on their platforms in exchange for aggressively clamping down on online child abuse. To do that, the tech giants would need visibility, and they can’t if their platforms are encrypted.

Pfefferkorn, like other experts, civil liberties groups and the tech giants themselves, is urging lawmakers to vote down both bills.

“The lesser of two evils is still evil,” she wrote. “With so many people now working, studying and doing many other life activities online thanks to pandemic-induced shutdowns, now is really the absolute worst possible time to attack encryption and undermine cybersecurity.”


$ECURITY $TARTUPS

After an investment from Salesforce of about $100 million, security company Tanium said it’s now valued at about $9 billion, making it one of the biggest private security companies in the industry. To date, Tanium has taken in $900 million in funding. Tanium is an endpoint security company that detects anomalous activity.

In other news, privacy assistant Jumbo has raised $8 million in a Series A round. Jumbo makes it not just possible but actively easy to adjust your online privacy settings. TechCrunch’s Romain Dillet has more.

After weeks of waiting, Microsoft finally confirmed it has acquired Israeli cybersecurity startup CyberX. The tech giant didn’t offer a price, but sources say it’s still in the region of $165 million. CyberX, which specializes in Internet of Things security, will be added to Microsoft’s Azure cloud service for smart devices.


Send tips securely over Signal and WhatsApp to +1 646-755-8849.