![NG-[C:G.Prom,B:TWTW15,Wk:5015,Dim:320X50]:12:12](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tBzqe0kEJy-PdK6_KsFleWqfNq9ZjF3PNwVq2k8dyTlwRnvV-6lUjWX2SJ3IqAvgEQKpHzsFK3Rri9fPK9kgKyK9flOvTkHy5KJjN-gFgVNHCmJiNZnvQbTCUUaAaPvI1QAy2hpZM5c6ilQI-yhZqUjRuzgUBJR37mZf83Ai43SBlB_aGXFg=s0-d)
Security. It’s been
BlackBerry’s last strength, the one thing the company could argue it did
better than any other smartphone vendor in the market. BlackBerry knows
this, which is why so much of its discussions of the Priv focused on how the company had hardened the basic Android OS to make it more secure at every level. Even now, BlackBerry is banking on the Priv as a secure smartphone rather than simply making a play in the me-too Android space.
That’s why it’s so baffling to see BlackBerry’s CEO, John Chen, torpedoing his company’s reputation for building secure products in a blog post he appears to have written himself. After discussing the debate between the tech industry and government officials pleading for backdoors, even if this leads to weaker encryption standards, Chen drops the following bombshell:
Chen
goes on to note that BlackBerry rejects the notion that tech companies
should refuse “reasonable, lawful access requests,” but claims that they
should “reject attempts by federal agencies to overstep.” He claims
that BlackBerry has found the proper balance between these two problems,
and that the company is completely against any attempt to ban or limit
the use of encryption.
In an ideal world, this is precisely the stance we want companies to take: Work with the government to catch the really bad guys, stand up against prosecutorial overreach, and advocate for the rights of your users. Ever since Edward Snowden started leaking information about how the NSA and FBI conduct mass surveillance, however, it’s been impossible to pretend we live in anything like that ideal world.
Here are some of the major problems with Chen’s position, in no particular order:
Things have improved since then, slightly, in that companies and individuals have been granted some limited rights to acknowledge receiving an NSL. No one has suggested that they have the right to refuse to obey such orders, or that they can appeal such decisions to a meaningfully different body than the one that ruled in favor of them back in 2008.
We now know that the FBI has not only encouraged local police agencies to use stingrays in violation of a suspect’s 4th Amendment rights, it also told those police departments to refuse to turn over vital documents and information related to the use, capabilities, and function of that same hardware, all in the name of protecting NDAs with the Harris Corporation. We know that members of the NSA were not above spying on current and former lovers (jokingly referred to as LOVEINT within the organization).
Thanks to Snowden, we have information on how the NSA shared information with the DEA to help the latter conduct drug busts, even when it involved creating entirely new reasons for why certain vehicles were stopped (a practice referred to as “parallel construction”). Agents who engaged in this behavior were ordered not to disclose the source of their information.
By
2011, even the Fisa court was tired of the way the NSA was managing (or
mismanaging) its databases and illegally collecting information on
Americans without a warrant. The court noted in that ruling: “The court
is troubled that the government’s revelations regarding N.S.A.’s
acquisition of Internet transactions mark the third instance in less
than three years in which the government has disclosed a substantial
misrepresentation regarding the scope of a major collection program.”
The NSA and FBI have colluded with local police departments to misrepresent the nature and purpose of stingray equipment, to share evidence in ways that likely violated the 4th Amendment rights of the accused, and used their own databases of information in ways even the rubber-stamp court that approved their behaviors found troubling. Chen handwaves all of this.
We’ve seen all of this before. The idea that encryption can be both back-doored (or front-doored) and secured is ludicrous, and the government knew as much during the Clipper chip fiasco of 25 years ago. The reason Apple, Google, and other companies have taken drastic action to lock down user devices, even against themselves, is precisely because these companies do not trust the government to confine itself to reasonable requests. And the NSA obligingly demonstrated that it wasn’t interested in anything approaching “reasonable” when it hacked into Google’s international fiber connections so it could monitor the company’s unencrypted traffic.
The
NSA already had the legal authority to demand information from Google
on any user. Google had no authority to block that demand. Yet even this
wasn’t sufficient for the NSA,
which went behind the company’s back to seize additional data. Former
NSA head Keith Alexander made absolutely no effort to hide the fact that
he thought his organization should be sucking up every bit of
information that ever wandered online.
Chen’s heart is in the right place, but it’s apparently stuck in pre-9/11 thinking. And given the stance he’s taken on these topics, and the reality of US law, he’s just destroyed any actual expectation that BlackBerry will protect user data. It’ll be interesting to see how this plays out with the Priv, because Google’s Android 6.0 Marshmallow requires full disk encryption by default. If BlackBerry enables the functionality on Priv devices that upgrade to Android 6.0, it’ll say something about where the company’s priorities lie. If it doesn’t… well, that sends a message, too.
Once upon a time, security was the thing BlackBerry was known for above all else. Based on Chen’s most recent remarks, I’d be looking for another vendor. Apple and Google understand the risks far better than BlackBerry.
That’s why it’s so baffling to see BlackBerry’s CEO, John Chen, torpedoing his company’s reputation for building secure products in a blog post he appears to have written himself. After discussing the debate between the tech industry and government officials pleading for backdoors, even if this leads to weaker encryption standards, Chen drops the following bombshell:
“In
fact, one of the world’s most powerful tech companies [Apple] recently
refused a lawful access request in an investigation of a known drug
dealer because doing so would ‘substantially tarnish the brand’ of the
company. We are indeed in a dark place when companies put their
reputations above the greater good. At BlackBerry, we understand,
arguably more than any other large tech company, the importance of our
privacy commitment to product success and brand value: privacy and
security form the crux of everything we do. However, our privacy commitment does not extend to criminals.” (emphasis original)
In an ideal world, this is precisely the stance we want companies to take: Work with the government to catch the really bad guys, stand up against prosecutorial overreach, and advocate for the rights of your users. Ever since Edward Snowden started leaking information about how the NSA and FBI conduct mass surveillance, however, it’s been impossible to pretend we live in anything like that ideal world.
Here are some of the major problems with Chen’s position, in no particular order:
He assumes companies can challenge the government
One of the first things we learned from the Snowden leaks was just how powerless US corporations were to challenge the National Security Letters that the NSA and FBI levied against them. In 2007, Yahoo went all the way to FISC (Foreign Intelligence Surveillance Court) to challenge an order to produce user data. When it lost that case, it turned to the Court of Review, which oversees FISC decisions. It lost again. Yahoo was ordered to turn over all of the information the federal government wanted. It could not speak about the case or acknowledge having ever received an NSL.Things have improved since then, slightly, in that companies and individuals have been granted some limited rights to acknowledge receiving an NSL. No one has suggested that they have the right to refuse to obey such orders, or that they can appeal such decisions to a meaningfully different body than the one that ruled in favor of them back in 2008.
He assumes government targets are criminals
The second problem with Chen’s argument is that it explicitly relies on the idea that there are “good users” and “criminals,” and that BlackBerry can either determine who these individuals are or simply trust the government to have done the job for them. Again, Snowden’s leaks make this a highly suspect conclusion.We now know that the FBI has not only encouraged local police agencies to use stingrays in violation of a suspect’s 4th Amendment rights, it also told those police departments to refuse to turn over vital documents and information related to the use, capabilities, and function of that same hardware, all in the name of protecting NDAs with the Harris Corporation. We know that members of the NSA were not above spying on current and former lovers (jokingly referred to as LOVEINT within the organization).
Thanks to Snowden, we have information on how the NSA shared information with the DEA to help the latter conduct drug busts, even when it involved creating entirely new reasons for why certain vehicles were stopped (a practice referred to as “parallel construction”). Agents who engaged in this behavior were ordered not to disclose the source of their information.
How stingrays work
The NSA and FBI have colluded with local police departments to misrepresent the nature and purpose of stingray equipment, to share evidence in ways that likely violated the 4th Amendment rights of the accused, and used their own databases of information in ways even the rubber-stamp court that approved their behaviors found troubling. Chen handwaves all of this.
He assumes there’s still a tightrope to walk
Chen’s entire position is based on the idea that a company can walk a fine line between protecting users and aiding the government. There is no objective evidence to suggest this is the case. The lawmakers and elected officials that have protested the growing use of encryption claim to want to use this power solely to find the worst criminals and baddest of the bad guys, but the ways these technologies have been used to date imply something different.We’ve seen all of this before. The idea that encryption can be both back-doored (or front-doored) and secured is ludicrous, and the government knew as much during the Clipper chip fiasco of 25 years ago. The reason Apple, Google, and other companies have taken drastic action to lock down user devices, even against themselves, is precisely because these companies do not trust the government to confine itself to reasonable requests. And the NSA obligingly demonstrated that it wasn’t interested in anything approaching “reasonable” when it hacked into Google’s international fiber connections so it could monitor the company’s unencrypted traffic.
It’s the smiley face that kills me.
Chen’s heart is in the right place, but it’s apparently stuck in pre-9/11 thinking. And given the stance he’s taken on these topics, and the reality of US law, he’s just destroyed any actual expectation that BlackBerry will protect user data. It’ll be interesting to see how this plays out with the Priv, because Google’s Android 6.0 Marshmallow requires full disk encryption by default. If BlackBerry enables the functionality on Priv devices that upgrade to Android 6.0, it’ll say something about where the company’s priorities lie. If it doesn’t… well, that sends a message, too.
Once upon a time, security was the thing BlackBerry was known for above all else. Based on Chen’s most recent remarks, I’d be looking for another vendor. Apple and Google understand the risks far better than BlackBerry.
![NG-[C:G.Vide,B:Allbrand,Wk:5015,Dim:160X600]:Televisions](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u_XcUewcY9x6DgXPqFrzgR6c1-NeiiDC191jp7EPa3QoLDGz3myRukMqZ5bgfk-7-W1PS1jsOwGMCBaSxIT3WE3mopKxAUaeacEneHho14U3RH_4mSFB4m5tUxNU4Hu1F-4MLWpMl_EXnIbxJ2pgDyVIsuq9Vn8O_gEYlgpaP6Zaajes2lxQ=s0-d)
![NG-[C:G.Comp,B:Allbrand,Wk:5015,Dim:336X280]:Tablets](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sQpggDEhQ9kin-q7sxB9Mr4w-fFprD-LsN86FUz6Us-mY93UKlly5Fvwx8Zx60bG0joQRc2OA4qM8JhjzfC1zljSGfh9JD-GFmbiVqbuMkEPwRM9qglqpVzqzxBGcHxBnxaLi7kw4pr5Ut_z86UyjYLENN7OwVu09WC0U1TTKkpBgCkzGPUg=s0-d)
![NG-[C:G.Prom,B:Allbrand,Wk:4915,Dim:300X250]:Home_Page](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t2LH0mOORNJ2Rnu8fd1AOWckdC2_TzryBd-_sHjNSCeGnwabKfX2IKPZ7VaMpzPLX0Vod2njXxKD_enHDPgi4t5Z77pBbM_Ks2D3i_mWCe94Lm6QGQFxW3pFQbnJreLwx-eVtqCmm8-2u4O1UTsG3a22Ihoqg4Lc5mEUmMxcGjYF9kxxPJNQ=s0-d)
0 comments:
Post a Comment