Friday, May 19, 2017

ICMC17: Encryption and Cybersecurity Policy Under the New Administration

Neema Singh Gulani, Legislative Counsel (Privacy and Technology), ACLU

We still don't know what the policies are going to be, yet, but she's here to give us her understanding of where we are and where she thinks we're going.

Why should you care, if you're not a lawyer? Look at lavabit - a company that offered an encrypted email service. All was well and good until it was discovered that Edward Snowden used their service. The US Government requested their encryption keys (under a gag order, so they could not tell their users). Judge ordered them to give up their keys. Not just the keys that protected Snowden's mail, but to everyone's. The company shut down, because they no longer felt they could protect their users.

Right now we are seeing a very divided government, polar opposites on a lot of issues - but they will work together on preventing NSA surveillance and protecting encryption keys.

Obama administration considered various technical options to get around the "going dark" problem - so law enforcement could access information they had before encryption became more pervasive. Several things like backdoors, remote access, forced updates, etc - and the administration decided to work with the commercial providers of the products, as opposed to building legislation.

We don't know clearly where the Trump administration stands, we know that Trump was critical about Apple not wanting to give a back door to law enforcement to get into an iPhone. Jeff Sessions noted once that he was in favor of encryption, but that criminal investigators need to be able to"overcome" encryption.

There is proposed legislation from Burr/Feinstein that requires manufactures provide data in "intelligible forms" (covers software and device manufacturers.).  The ACLU is not in favor of this bill. It has been called  "technically tone deaf".

We know that under the Obama Administration had an interagency process run out of the White HOuse that didn't have any "hard and fast rules" on vulnerability disclosure.  It was used to balance risk with intelligence needs.   NSA said most vulnerabilities are disclosed.  Is that good enough to protect users of tech?

NSA surveillance: Section 702. This targets 106,000 foreign targets where they collect over 250 million internet transactions annually, about 50% of that information is about a U.S. resident. This is up for review again this year in congress.

Because of Trump's accusations of wire tapping, this may be an opportunity to reform Section 702.

Right now, based on a 6th circuit court decision from 2010, most US companies require a warrant before they will provide content to the FBI or other law enforcement.

An email privacy act was passed by congress 419-0, but the bill got stuck in the senate where too many unrelated thongs were added.

Many users would be surprised at the low bar required to hand over their data to the FBI or local law enforcement, or that they also would not necessarily be notified when it happens.

If you're building products for the government, think about how the product will be used and can you audit that it's being used as intended?

Look to see what lobbyists your employer is backing and see if it lines up with their public press releases - if not, say something.  Consider also direct lobbying - there is a dearth of technical knowledge in Capital Hill - they need your knowledge!