Apple again warns White House against policies fostering weak encryption
In a letter delivered to President Barack Obama on Monday, two trade groups comprising some of the largest tech companies in the U.S. asked the White House to reject government policies designed to undermine the encryption systems built to keep consumer data private.
Both the Information Technology Industry Council and the Software and Information Industry Association were signatories of the letter, reports Reuters. The groups represent a number of companies including Apple, Google, Facebook, Microsoft and IBM, among others.
"We are opposed to any policy actions or measures that would undermine encryption as an available and effective tool," the letter reads.
Today's correspondence echoes a note sent to Obama in May, in which Apple and a cadre of tech companies requested the White House reject proposals that would weaken encryption protocols built into consumer electronic operating systems.
Law enforcement officials, looking for access to data that could potentially help in criminal investigations, have repeatedly called on private sector firms to install backdoors into their existing security infrastructure. They argue technology companies like Apple are blocking access to information deemed vital to criminal investigations. Further, officials said, Apple is advertising the fact that iOS users are "above the law."
The issue has become increasingly contentious as Apple, Google and other mobile tech companies deploy high-security encryption protocols that are incredibly difficult to crack. For example, iOS 8 comes with a lockout mechanism so effective that Apple itself is technically incapable of decrypting user data, even with certified warrants for information.
For their part, industry representatives argue encryption is not merely a perk, but a necessity for many consumers. Some attribute the modern data privacy movement to revelations concerning the existence of government surveillance programs, as leaked by former NSA contractor Edward Snowden. The general public has since become hyper-sensitive to prying eyes, especially those attached to government bodies.
"Consumer trust in digital products and services is an essential component enabling continued economic growth of the online marketplace," according to Monday's letter.
Comments
Apple's new six-digit passcode for TouchID devices is another excellent move. And I want to see more teardowns of iOS 9 to see if the Rootless security rumors are true; if so, it'll be the most hardened OS of all time.
Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.
Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in.
Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.
Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in.
Proof, of course not, because the government would hunt you down or something.
Smells like BS.
Govt wants its hand on our info. Who does it think it is? Google?
Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.
Smoke and mirrors. Apple is only "warning" the government because Apple doesn't want the flame storm coming once 8.4 goes live and people realize Apple caved in.
Root certificates do not give back door access. What they do allow is for a computer to be linked up with a CAC card to access US Government systems or to verify that a website claiming to be run by the US Government actually is. This is like claiming that having the Equifax Root Certificate pre-installed gives Equifax or Google a back door to your computer/phone. This is just the top layer in a Certificate Chain.
----------
Dear Mr. President:
I have recently become aware of a letter (https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf) sent to you by a large coalition of concerned groups and individuals regarding data encryption. It argues forcefully for you to maintain strong encryption technology in consumer products such as cell phones and computers.
I wish to add my voice in support of this for several reasons.
First, while I understand the desire of law enforcement to be able to look at the conversational records of criminals and terrorists, I believe that this is outweighed by the threat (really the inevitability) of massive governmental intrusion on the privacy of all Americans. Agents of the government have repeatedly abused privacy rights, subjecting Americans to unwarranted losses of personal information.
Secondly, the idea favored by FBI Director James B. Comey that the government should require a "backdoor" decryption key would expose us to even more privacy losses, as there is a high possibility that the government itself will suffer a data breach making these keys public. The recent release of personal tax information (http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html) emphasizes the practical inability of the government to protect our personal data. Repeated studies show that, like other workers, government employees continue to use trivial passwords on their work computers, rendering them - and our data - vulnerable to cyber attacks.
Third, there are many corporate interests who seek access to what should be personal and private information. Such information can help them to target advertising, to select customers and to, in general, commodify the consumer. As a long-term advocate of personal privacy, I utterly deplore such misuse of my information.
Finally, the criminals and terrorists have many other options to encrypt their communication beyond what is offered by commercial consumer products. For example, they can encrypt their own information prior to sending, using their own private encryption key. While most citizens have little motivation to take this extra step, criminals do, and they are not stupid. Algorithms for strong encryption are well known, and public.
It is worth emphasizing that we are talking here about information such as email. Eavesdropping on such conversation by law enforcement is the exact equivalent of Orwellian thought police. Further, our digital devices encrypt a host of other critical and personal information - our family photos, our health records, our finances - and the backdoors that Comey asks for would render these subject to governmental search as well.
With all of this in mind, I urge you in the strongest terms to work to strengthen, rather than weaken, the privacy of the thoughts of American citizens.
Yours sincerely,
(please sign here)
I hope you understand that those laws are the responsibility of Congress, not the president. Presidents don't have the constitutional authority.
If anyone is under the impression that an Executive Order is the same thing as 'creating a law', you need to read this: http://en.m.wikipedia.org/wiki/Executive_order
Smells like BS.
The Chinese Government (CNNIC) issued a backdoor certificate used for SSL MITM. Google and Mozilla delisted the entire CA. Microsoft blacklisted the backdoor certificates... Apple did absolutely nothing. Still trusted today. Wonder if this has anything to do with selling iPhones in China? Nah.
Tim Cook can go write all the letters he wants, but when it comes down to the technical side, Apple is falling behind.
Is that true that Apple did nothing? Source?
https://threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-lists/112086
https://www.securitygeneration.com/privacy/revoking-chinese-cnnic-root-certificate-in-mac-os-x/
http://www.cso.com.au/article/572255/apple-maintains-trust-cnnic-certificates-monster-ios-8-3-update/
https://support.apple.com/en-us/HT204132
https://support.apple.com/en-us/HT202858
Or check for yourself, open Keychain Access and search for CNNIC.
That is not quite accurate. If the president issues an order in violation of the Constitution, it's the duty of Congress to impeach the president.
Mandating government backdoors for encryption would be a nightmare. Consider the globalization of the industry. If the U.S. requires products to have a backdoor key, of course other countries will want versions of the product that do NOT have the U.S. government backdoor but have a backdoor for their own government. How and where could products be manufactured with trust intact for customers worldwide?
Yet iOS 8.4 beta has root certificates embedded in the OS for every government agency, giving them backdoor access.
Uh, that's not what root certificates do.
They allow the creation of child certificates that can then be authenticated by the device (using the root certificate.)
They have nothing to do with backdoors... and you should stop spreading this kind of claim when you don't understand the basics of the technology.
https://threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-lists/112086
https://www.securitygeneration.com/privacy/revoking-chinese-cnnic-root-certificate-in-mac-os-x/
http://www.cso.com.au/article/572255/apple-maintains-trust-cnnic-certificates-monster-ios-8-3-update/
https://support.apple.com/en-us/HT204132
https://support.apple.com/en-us/HT202858
Or check for yourself, open Keychain Access and search for CNNIC.
Just because there is A root certificate from CNNIC does not mean it's THE root certificate for which the unauthorized child certificates were issued.
Need to give the fingerprint of the bad cert, and evidence that this is the correct fingerprint. Then we can see if that root cert is still in our system. So no, just copying the current fingerprint and posting it here won't count. Show us the bad certs for google domains that are signed with the bad root cert whose fingerprint you give-- we can then prove for ourselves whether you're telling the truth or not.
This is why certificates work this way, by the way-- to prevent people from making stuff up and posting it on the net.
Impeachment occurs for high crimes. Any order that's unconstitutional can be reversed by SCOTUS and does not fall within that threshold.
Just because there is A root certificate from CNNIC does not mean it's THE root certificate for which the unauthorized child certificates were issued.
Need to give the fingerprint of the bad cert, and evidence that this is the correct fingerprint. Then we can see if that root cert is still in our system.
Doesn't matter. There's only one CNNIC CA organization and one CNNIC CPS. There's nothing specific to the certificate, it's CNNIC's violation of their process and of their CPS.
It does mean that any root certificate holder who can also control the DNS of a particular device (via the carrier if remote, or wifi if in the hand) can quite easily complete MITM and pose as Apple, if iCloud backups are enabled then they have a full copy of the data stored on the phone. Not exactly a back door but I wouldn't be surprised if this method is already being leveraged.
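Two points in this thread about root certificates (a root only lets a device authenticate the child certificates issued under it, and any root shipped in the trust list is accepted as an issuer for any host name) can be seen directly in code. The following is an added example, not code from the article or from Apple: it generates throwaway roots and server certificates with Go's standard library and runs the same chain check a TLS client performs; "Example Vendor Root CA", "Example Other Root CA" and "backup.example.test" are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a throwaway key and certificate for name: a self-signed root when parent is nil, otherwise a server cert signed by parentKey.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: the CA flag is what lets it sign child certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent, parentKey = tmpl, key // self-signed
	} else { // child: valid only to authenticate a server for this host name
		tmpl.DNSNames = []string{name}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // errors ignored: these fail only on a malformed template
	return cert, key
}

// Trusted reports whether leaf chains to a root in store and is valid for host, as a TLS client checks.
func Trusted(store []*x509.Certificate, leaf *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range store {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	vendorRoot, vendorKey := makeCert("Example Vendor Root CA", nil, nil) // constructed, not a real CA
	otherRoot, otherKey := makeCert("Example Other Root CA", nil, nil)
	genuine, _ := makeCert("backup.example.test", vendorRoot, vendorKey)
	impostor, _ := makeCert("backup.example.test", otherRoot, otherKey) // same host, signed by the other root
	store := []*x509.Certificate{vendorRoot}                            // the device's shipped trust list
	fmt.Println("child of shipped root:", Trusted(store, genuine, "backup.example.test"))   // true
	fmt.Println("child of unshipped root:", Trusted(store, impostor, "backup.example.test")) // false
	fmt.Println("after shipping it too:", Trusted(append(store, otherRoot), impostor, "backup.example.test")) // true
}
```

The decision never looks at who operates the server: it hinges only on whether the signing root is present in the store, which is why removing a root from the trust list (as the links above describe for CNNIC) is the defensive lever, not the certificate fingerprint alone.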