Analysis | The Cybersecurity 202: Two new developments challenge Justice Department arguments on encryption
By Joseph Marks
Two new developments are complicating the roiling debate over whether law enforcement should have access to encrypted communications.
First, a blockbuster story from Vice’s Lorenzo Franceschi-Bicchierai’s details how Facebook — which the Justice Department has labeled public enemy No. 1 in its war against warrant-proof encryption — actually helped the FBI in 2017 to hack into the accounts of a notorious child predator and put him behind bars.
Second, Democrats in Congress are demanding information from Juniper Networks about an alleged backdoor in its encrypted products that might have been exploited by U.S. adversaries. That could shed light on the danger posed by such backdoors and how easy it is for bad guys to crack into them.
The pair of developments raise serious questions about when and how tech companies should voluntarily cooperate with law enforcement to gather evidence against their users and about their responsibility when those actions have unintended consequences.
In the first case, Facebook paid another company at least $100,000 to develop a never-before-seen hacking tool the FBI used to catch the predator, Buster Hernandez, who pleaded guilty to multiple crimes and was sentenced to up to 30 years in prison.
It’s a rare public example of how law enforcement can use lawful hacking to gather incriminating evidence. It also helps beat back claims that police need backdoor access to encrypted communications for that information, which cybersecurity pros say would make everyone more vulnerable to malicious hacking.
Attorney General William P. Barr announces results of an investigation of the shootings at the Pensacola Naval Air Station in Florida. (J. Scott Applewhite/AP)
The Facebook case is just the most recent example of innovative hacking delivering information otherwise shielded from police.The Justice Department has been arguing since 2014 that encryption and similar protections make it too easy for child predators and other criminals to hide online from law enforcement. They say government should compel companies to give them special access to those communications with a warrant.
More recently the Senate has begun considering a bill that might force tech companies to provide that access if they can’t find another way to turn over more evidence about who’s spreading child pornography online. An industry group including Facebook, Google and Microsoft unveiled a program this morning aimed at improving and standardizing disclosures about child exploitation in an effort to combat the push to limit encryption.
Cybersecurity pros and most tech companies, meanwhile, say any special access for police with a warrant could also be exploited by hackers and would make everyone else less secure. They also say police should embrace other methods to get the information.
Indeed, in two high-profile cases where Apple refused to help the FBI crack into encrypted iPhones, investigators ultimately gained access by working with secretive hacking tool brokers.
Those phones belonged to Syed Farook, who killed 14 people and injured others during a workplace shooting San Bernardino, Calif., in 2015 and Ahmed Mohammed al-Shamrani, who killed three people and injured eight others in a shooting at a Pensacola, Fla., military base in 2019. Information on the phone later linked him to the terrorist group al-Qaeda in the Arabian Peninsula.
In the San Bernardino case, then-FBI Director James B. Comey suggested the price tag for the access was more than $1 million.
The Facebook case would seem to bolster the idea police can secure most of the evidence they want provided they’re willing to pay big bucks for it. But those high price tags also mean it might be a solution that’s only available in the most prominent cases.
In the case of Juniper Networks, lawmakers who oppose weakening encryption want to gather information to show what happens when such protections are subverted.
The National Security Administration (NSA) campus in Fort Meade, Md. (Patrick Semansky/AP)
In other words, it looked like a spying tool created by the good guys might have been retooled and exploited by the bad guys — precisely the sort of attack opponents of encryption back doors warn about.
Juniper and the FBI both launched investigations but haven’t released any results. Sens. Ron Wyden (D-Ore.), Mike Lee (R-Utah) and other lawmakers wrote a letter demanding to know where that investigation stands and whether Juniper’s actions made it easier for foreign hackers to undermine the company’s security and spy on its customers.
“Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans’ personal data, as well as government and corporate systems,” Wyden told Reuters’s Joseph Menn.
Facebook’s action was a one-time operation launched against a user employees believed was reprehensible and might not get caught otherwise because he used strong security protections.
Facebook founder Mark Zuckerberg. (Photo by Andrew Caballero-Reynolds/AFP/Getty Images)
His crimes generally consisted of falsely telling dozens of underage girls on Facebook that he had nude photos of them and then blackmailing the victims to send him increasingly explicit photos and videos. He also threatened to kill and assault the victims and their families.
Hernandez hid his actions from investigators by using a privacy-enhanced operating system called Tails that’s popular among journalists and targets of surveillance. It automatically routes all Internet traffic through an anonymizing network called Tor so police can’t trace a computer’s IP address.
“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook representative told Vice. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”
But the action also raised ethical concerns inside the company.Facebook contracted with another company that found a previously undiscovered bug in Tails’s software known as a “zero day.” It then shared the bug with the FBI, which used it to identify Hernandez’s and gather evidence against him. The FBI declined to comment on the story and Tails said it was not aware of Facebook’s actions, Vice reported.
Zero day bugs are highly valuable because the company whose technology is being hacked doesn’t know about them. That means hackers can use them freely until they’re discovered. Researchers who discover them often sell them for tens of thousands of dollars or more — either to the companies themselves so they can patch them or to intelligence agencies or criminals who plan to exploit them.
It’s rare for a company to learn about a zero day bug in another company’s technology and not alert them to it.
In this case, Facebook officials justified the move because they knew Tails was about to update its software in a way that would prevent the bug from being exploited long term, Vice reports.
“There was absolutely no risk to users other than this one person, for which there was much more than probable cause,” a former employee with knowledge of the case told the publication. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”
But the decision still worried some employees who feared the FBI might use the bug multiple times before it was patched or that it might be discovered and exploited by criminals or foreign intelligence agencies.
“The precedent of a private company buying a zero-day to go after a criminal…It’s sketchy as hell,” another source who was aware of the situation told Vice.
A bipartisan group of senators wants to devote $20 billion to competing with China on semiconductor manufacturing and research.
Sen. Mark R. Warner (D-Va.). (Andrew Harnik/Pool/AP)
While U.S. companies account for 47 percent of global computer chip sales, they represent only 12 percent of production. That's because chip manufacturing is often prohibitively expensive. The new legislation would reduce those costs with a tax credit for investors, a $10 billion fund to match state and local incentives and $12 billion in federal research funds.
“America’s innovation in semiconductors undergirds our entire innovation economy,” said Sen. Mark R. Warner (D-Va.), who introduced the bill with Sen. John Cornyn (R-Tex.) “Unfortunately, our complacency has allowed our competitors — including adversaries — to catch up. This bill reinvests in this national priority.”
Reps. Doris Matsui (D-Calif.) and Michael McCaul (R-Tex.) plan to introduce the legislation in the House on Thursday.
Drones deployed during recent protests weren’t used for surveillance, CBP says.
The remnants of buildings burned down during demonstrations. (Lucas Jackson/Reuters)
Democratic lawmakers have grilled the agency for more detailed answers on its use of drones during the protests following the police killing of George Floyd. Some have called for CBP and other agencies to immediately cease surveillance of peaceful protests.
The surveillance has troubled some conservatives, as well, the Wall Street Journal reports.
“It’s disturbing to see tools built to gather military intelligence being used to watch U.S. citizens,” Billy Easley II, a senior policy analyst at Americans for Prosperity, a conservative organization, told the Journal. “Drones should not be used by the government to monitor or collect data on First Amendment activity. ”
Hacktivists are spreading the personal information of law enforcement officers amid protests over police brutality.
Police officers are seen during a protest against racial inequality in Boston on Wednesday. (Brian Snyder/Reuters)
Some of the information may have been stolen from compromised email accounts, the report warns, though doxing often happens with information that’s already public but not readily available. The department is warning officers to use strong email security measures such as using multiple security checks before logging into accounts.
Democrats are raising concerns about the possible use of facial recognition technology during recent protests against police brutality.
Demonstrators wear masks during a protest against police brutality in Boston. (Steven Senne/AP)
They're asking for the dates and locations where facial recognition was used as well as what systems were deployed. The letter also requests answers about any personally identifiable information the agencies have gathered about protesters.
The letter comes as tech companies are reevaluating police use of their facial recognition technology. Amazon announced yesterday it would put a one-year moratorium on police use of its facial recognition software. The company has not clarified if the same restrictions will apply to federal law enforcement. IBM announced earlier this week it would stop all development and use of facial recognition. (Amazon chief executive Jeff Bezos owns The Washington Post.)
More government news:
Contact-tracing apps are at risk from malicious actors flooding them with fake reports.
A member of the internal medical team checks India's virus contact-tracing app on a mobile phone at the entrance of the Ahmedabad One Mall. (Sam Panthaky/AFP/Getty Images)
Users should also only install contact-tracing apps that are sanctioned by government agencies, researchers say. Scammers have been using fake contact-tracing apps to steal personal information including banking credentials, CyberScoop reports.
More cybersecurity and industry news:
- The House Administration Committee will hold a hearing on the impact of covid-19 on voting rights and election administration Thursday at 1 p.m.
- The House Financial Services committee will host a hearing on how cybercriminals are exploiting the covid-19 pandemic on June 16 at noon.