Politics, Privacy, and CryptologyBy
Within one month, two of the largest computer companies, Apple and Microsoft, found themselves locking horns with the U.S. Justice Department over privacy issues on iPhones and Microsoft e-mail services, respectively. On the sidelines sat millions of customers and companies wondering what it would all mean to them.
Then they, too, were tossed into the swamp when the April 17 60 Minutes television program did a segment on the security flaws in the global network SS7. All a hacker needs is your smartphone number to take over your device, listen in, and even record encrypted calls and texts to be decrypted later.
Apple’s legal problem involved a locked iPhone owned by the shooter in the San Bernardino terror attack. The government wanted the company to create a software back door or a hardware hack that would bypass the four-digit entry code for iPhones. Those are the four numbers you choose as a password to keep others out. Actually, because the key is so short—four digits—the FBI would only need 26 minutes to solve your password with a brute force attack. With imperceptible speed, the program would blaze through all possible permutations until it hit the correct four numbers. The Apple engineers, however, anticipated that hack and built in a simple solution. After 10 incorrect guesses, the phone stops responding to the search attack and wipes its own memory. The information is gone.
The Apple attorneys decided that the request was unconstitutional. Computer code is speech, they argued, and the government didn’t have the right to order the company to write code that would disable the privacy restraints on their flagship product. Those in marketing agreed that, indeed, it would be difficult to sell a hackable iPhone.
The San Bernardino problem was solved, sort of, when the FBI hired a hacker who got past the numerical code on the phone. But the legal battle continued as the Justice Department demanded that Apple and other tech companies assist in opening an iPhone that was involved in a New York drug case.
As Apple was lining up other computer giants like Intel, Google, Facebook, Twitter, LinkedIn, and eBay to begin writing briefs supporting its position on privacy, Microsoft launched its own lawsuit against the government regarding the same issue. On April 14, the software giant requested that a federal court invalidate part of the 1986 Electronic Communications Privacy Act (ECPA) that forces e-mail, Internet, and cloud service providers to turn over data in criminal investigations. The company accepted the general premise of the law but objected strongly to what were becoming routine gag orders that accompanied the request for data.
Chief legal council for Microsoft, Brad Smith, explained, “We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their e-mails or records.” On a company blog post he wrote, “It’s becoming routine for the U.S. government to issue orders that require e-mail providers to keep these types of legal demands secret. Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process.” Smith explained that 68% of those demands had gag orders with no fixed end date.
As both of these legal battles were gaining more public visibility, and many of the more alert users were checking Google for information on encrypting their e-mail, bank, and health records, 60 Minutes aired one of its more explosive did-you-know pieces.
It wasn’t breaking news. The security flaws in the SS7 (Signaling System 7) global network that enables routing traffic of the cellular carriers of the world was being discussed in papers like The Washington Post back in December 2014. The global network was described as “riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.” The German researchers who discovered the flaws said the vulnerabilities were actually functions built into the network “that hackers can repurpose for surveillance because of lax security on the network.” It’s assumed that those taking advantage are hackers, spies, criminals, and intelligence agencies such as the National Security Agency and Britain’s Government Communications Headquarters.
The demonstration on 60 Minutes was disturbing. A congressman with a degree in computer science was given a smartphone and told about the test. Then he was presented with recordings of his phone conversations captured by hackers. The conclusion was obvious. Do whatever you can to avoid malware that’s delivered by e-mail, keep your information close, and use a provider that has hardened its own systems against attack, and your voice, texts, and e-mails still go out onto the SS7 network. Tobias Engel, a German researcher quoted in The Washington Post article said, “It’s like you secure the front door of the house, but the back door is wide open.”
Overall, not a good month for companies or consumers.