Apple again warns White House against policies fostering weak encryption

Posted:
in General Discussion edited June 2015
In a letter delivered to President Barack Obama on Monday, two trade groups comprised of some of the largest tech companies in the U.S. asked the White House to reject government policies designed to undermine encryption systems built to keep consumer data private.




Both the Information Technology Industry Council and the Software and Information Industry Association were signatories of the letter, reports Reuters. The groups represent a number of companies including Apple, Google, Facebook, Microsoft and IBM, among others.

"We are opposed to any policy actions or measures that would undermine encryption as an available and effective tool," the letter reads.

Today's correspondence echoes a note sent to Obama in May, in which Apple and a cadre of tech companies requested the White House reject proposals that would weaken encryption protocols built into consumer electronic operating systems.

Law enforcement officials, looking for access to data that could potentially help in criminal investigations, have repeatedly called on private sector firms to install backdoors into their existing security infrastructure. They argue technology companies like Apple are blocking access to information deemed vital to criminal investigations. Further, Apple is advertising the fact that iOS users are "above the law," officials said.

The issue has become increasingly contentious as Apple, Google and other mobile tech companies deploy high-security encryption protocols that are incredibly difficult to crack. For example, iOS 8 comes with a lockout mechanism so effective that Apple itself is technically incapable of decrypting user data, even with certified warrants for information.

For its part, industry representatives argue encryption is not merely a perk, but a necessity for many consumers. Some attribute the modern data privacy movement to revelations concerning the existence of government surveillance programs, as leaked by former NSA contractor Edward Snowden. The general public has since become hyper-sensitive to prying eyes, especially those attached to government bodies.

"Consumer trust in digital products and services is an essential component enabling continued economic growth of the online marketplace," according to Monday's letter.
«1

Comments

  • Reply 1 of 29

    Apple's new six-digit passcode for TouchID devices is another excellent move. And I want to see more teardowns of iOS 9 to see if the Rootless security rumors are true; if so, it'll be the most hardened OS of all time.

  • Reply 2 of 29
    rob53rob53 Posts: 3,311member
    The ironic thing about Apple's security is that it is required in order to be made available for US government users. Apple wasn't on par with Blackberry for mobile devices and until Filevault was released for OSX, it wasn't really allowed on government systems (classified and unclassified). Because of theft of government laptops, all laptops had to have full disk encryption before they could be taken outside the confines of the protected area. Some of this was to protect PPI (protected personal information) which was seen as a major issue several years ago when identity theft first started to become rampant. Now the government says it's too good and they want to weaken it. Looking at how far Apple has gone with desktop and mobile security, their devices should be the only ones allowed on government systems but they won't because the US government is extremely hypocritical when it comes to so many things. Security means so many different things and is constantly changing. What Apple is doing regarding security is good for this country, good for the rest of the world, and should be seen as such.
  • Reply 3 of 29
    prokipprokip Posts: 178member
    Some of us should have a good close look at what Snowden released. It is profoundly frightening. Some overzealous bureaucrat in the government security sector could make a mistake and the poor person affected would be toast!!
  • Reply 4 of 29
    sestewartsestewart Posts: 102member

    Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.

     

    Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in. 

  • Reply 5 of 29
    thewhitefalconthewhitefalcon Posts: 4,453member
    Quote:

    Originally Posted by sestewart View Post

     

    Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.

     

    Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in. 




    Proof, of course not, because the government would hunt you down or something. :no:

  • Reply 6 of 29
    jungmarkjungmark Posts: 6,927member
    sestewart wrote: »
    Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.

    Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in. 

    Smells like BS.

    Govt wants its hand on our info. Who does it think it is? Google?
  • Reply 7 of 29
    ajminnjajminnj Posts: 40member
    Quote:

    Originally Posted by sestewart View Post

     

    Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.

     

    Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in.


    Root certificates do not give back door acess.  What they do allow is for a computer to be linked up with a CAC card to access US Government systems or to verify that a website claiming to be run by the US Government actually is.  This is like claiming that having the Equifax Root Certificate pre-installed gives Equifax or Google a back door to your computer/phone.  This is just the top layer in a Certificate Chain.

  • Reply 8 of 29
    mscohenmscohen Posts: 24member
    Consider adding your voice here: https://www.whitehouse.gov/contact/submit-questions-and-comments

    ----------

    Dear Mr. President:

    I have recently become aware of a letter (https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf) sent to you by a large coalition of concerned groups and individuals regarding data encryption. It argues forcefully for you to maintain strong encryption technology in consumer products such as cell phones and computers.

    I wish to add my voice in support of this this for several reasons.

    First, while I understand the desire of law enforcement to be able to look at the conversational records of criminals and terrorists, I believe that this is outweighed by the threat (really the inevitability) of massive governmental intrusion on the privacy of all Americans. Agents of the government have repeatedly abused privacy rights, subjecting Americans to unwarranted losses of personal information.

    Secondly, the idea favored by FBI Director James B. Comey that the government should require a "backdoor" decryption key would expose us to even more privacy losses, as there is a high possibility that the government itself will suffer a data breach making these keys public. The recent release of personal tax information (http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html) emphasizes the practical inability of the government to protect our personal data. Repeated studies show that, like other workers, government employees continue to use trivial passwords on their work computers, rendering them - and our data - vulnerable to cyber attacks.

    Third, there are many corporate interests who seek access to what should be personal and private information. Such information can help them to target advertising, to select customers and to, in general, commodify the consumer. As a long term advocate or personal privacy, I utterly deplore such misuse of my information.

    Finally, the criminals and terrorists have many other options to encrypt their communication beyond what is offered by commercial consumer products. For example, they can encrypt their own information prior to sending, using their own private encryption key. While most citizens have little motivation to take this extra step, criminals do, and they are not stupid. Algorithms for strong encryption are well known, and public.

    It is worth emphasizing that we are talking here about information such as email. Eavesdropping on such conversation by law enforcement is the exact equivalent of Orwellian thought police. Further, our digital devices encrypt a host of other critical and personal information - our family photos, our health records, our finances - backdoors that Comey asks for would render these subject to governmental search as well.

    With all of this in mind, I urge you in the strongest terms to work to strengthen, rather than weaken, the privacy of the thoughts of American citizens.

    Yours sincerely,

    (please sign here)
  • Reply 9 of 29
    SpamSandwichSpamSandwich Posts: 33,407member
    mscohen wrote: »
    Consider adding your voice here: https://www.whitehouse.gov/contact/submit-questions-and-comments


    Dear Mr. President:

    I have recently become aware of a letter (https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf) sent to you by a large coalition of concerned groups and individuals regarding data encryption. It argues forcefully for you to maintain strong encryption technology in consumer products such as cell phones and computers.

    I wish to add my voice in support of this this for several reasons.

    First, while I understand the desire of law enforcement to be able to look at the conversational records of criminals and terrorists, I believe that this is outweighed by the threat (really the inevitability) of massive governmental intrusion on the privacy of all Americans. Agents of the government have repeatedly abused privacy rights, subjecting Americans to unwarranted losses of personal information.

    Secondly, the idea favored by FBI Director James B. Comey that the government should require a "backdoor" decryption key would expose us to even more privacy losses, as there is a high possibility that the government itself will suffer a data breach making these keys public. The recent release of personal tax information (http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html) emphasizes the practical inability of the government to protect our personal data. Repeated studies show that, like other workers, government employees continue to use trivial passwords on their work computers, rendering them - and our data - vulnerable to cyber attacks.

    Third, there are many corporate interests who seek access to what should be personal and private information. Such information can help them to target advertising, to select customers and to, in general, commodify the consumer. As a long term advocate or personal privacy, I utterly deplore such misuse of my information.

    Finally, the criminals and terrorists have many other options to encrypt their communication beyond what is offered by commercial consumer products. For example, they can encrypt their own information prior to sending, using their own private encryption key. While most citizens have little motivation to take this extra step, criminals do, and they are not stupid. Algorithms for strong encryption are well known, and public.

    It is worth emphasizing that we are talking here about information such as email. Eavesdropping on such conversation by law enforcement is the exact equivalent of Orwellian thought police. Further, our digital devices encrypt a host of other critical and personal information - our family photos, our health records, our finances - backdoors that Comey asks for would render these subject to governmental search as well.

    With all of this in mind, I urge you in the strongest terms to work to strengthen, rather than weaken, the privacy of the thoughts of American citizens.

    Yours sincerely,

    (please sign here)

    I hope you understand that those laws are the responsibility of Congress, not the president. Presidents don't have the constitutional authority.

    If anyone is under the impression that an Executive Order is the same thing as 'creating a law', you need to read this: http://en.m.wikipedia.org/wiki/Executive_order
  • Reply 10 of 29
    mscohenmscohen Posts: 24member
    Indeed, yet the letter I quoted was written to the President. He holds not only political and persuasive power, but veto authority. As commander in chief, he holds significant authority to enforce policy, and even to create policy and procedures held in secret.
  • Reply 11 of 29
    konqerrorkonqerror Posts: 685member
    Quote:
    Originally Posted by jungmark View Post



    Smells like BS.

     

     

    The Chinese Government (CNNIC) issued a backdoor certificate used for SSL MITM. Google and Mozilla delisted the entire CA. Microsoft blacklisted the backdoor certificates... Apple did absolutely nothing. Still trusted today. Wonder if this has anything to do with selling iPhones in China? Nah.

     

    Tim Cook can go write all the letters he wants, but when it comes down to the technical side, Apple is falling behind.

  • Reply 12 of 29
    gatorguygatorguy Posts: 24,651member
    konqerror wrote: »
    The Chinese Government (CNNIC) issued a backdoor certificate used for SSL MITM. Google and Mozilla delisted the entire CA. Microsoft blacklisted the backdoor certificates... Apple did absolutely nothing. Still trusted today. Wonder if this has anything to do with selling iPhones in China? Nah.
    is that true that Apple did nothing? Source?
  • Reply 14 of 29
    SpamSandwichSpamSandwich Posts: 33,407member
    mscohen wrote: »
    Indeed, yet the letter I quoted was written to the President. He holds not only political and persuasive power, but veto authority. As commander in chief, he holds significant authority to enforce policy, and even to create policy and procedures held in secret.

    That is not quite accurate. If the president issues an order in violation of the Constitution, it's the duty of Congress to impeach the president.
  • Reply 15 of 29
    magic_almagic_al Posts: 325member

    Mandating government backdoors for encryption would be a nightmare. Consider the globalization of the industry. If the U.S. requires products to have a backdoor key, of course other countries will want versions of the product that do NOT have the U.S. government backdoor but have a backdoor for their own government. How and where could products could be manufactured with trust intact for customers worldwide?

  • Reply 16 of 29
    jessijessi Posts: 302member
    Quote:

    Originally Posted by sestewart View Post

     

    Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.


     

    Uh, that's not what root certificates do.

     

    They allow the creation of child certificates that can then be authenticated by the device (using the root certificate.)

     

    They have nothing to do with backdoors... and you should stop spreading this kind of claim when you don't understand the basics of the technology.

  • Reply 17 of 29
    jessijessi Posts: 302member



    Just because there is A root certificate from CNNIC does not mean its THE root certificate for which the unauthorized child certificates were issued.

     

    Need ti give the fingerprint of the bad cert, and evidence that this is the correct fingerprint.  Then we can see if that root cert is still in our system.   So no, just copying the current fingerprint and posting it here won't count.  Show us the bad certs for google domains that are signed with the bad root cert whose fingerprint you give-- we can then prove for ourselves whether you're telling the truth or not.

     

    This is why certificates work this way, by the way-- to prevent people from making stuff up and posting it on the net. 

  • Reply 18 of 29
    jungmarkjungmark Posts: 6,927member
    That is not quite accurate. If the president issues an order in violation of the Constitution, it's the duty of Congress to impeach the president.

    Impeachment occurs for high crimes. Any order that's unconstitutional can be reversed by SCOTUS and does not fall within that threshold.
  • Reply 19 of 29
    konqerrorkonqerror Posts: 685member
    Quote:
    Originally Posted by Jessi View Post



    Just because there is A root certificate from CNNIC does not mean its THE root certificate for which the unauthorized child certificates were issued.

     

    Need ti give the fingerprint of the bad cert, and evidence that this is the correct fingerprint.  Then we can see if that root cert is still in our system.


     

    Doesn't matter. There's only one CNNIC CA organization and one CNNIC CPS. There's nothing specific to the certificate, it's CNNIC's violation of their process and of their CPS.

  • Reply 20 of 29
    blake1blake1 Posts: 1member
    jessi wrote: »
    Uh, that's not what root certificates do.

    They allow the creation of child certificates that can then be authenticated by the device (using the root certificate.)

    They have nothing to do with backdoors... and you should stop spreading this kind of claim when you don't understand the basics of the technology.

    It does mean that any root certificate holder who can also control the DNS of a particular device (via the carrier if remote, or wifi if in the hand) can quite easily complete MITM and pose as Apple, if iCloud backups are enabled then they have a full copy of the data stored on the phone. Not exactly a back door but I wouldn't be surprised if this method is already being leveraged.
Sign In or Register to comment.