Everyone assumes that technology companies like Apple, Facebook, and Google don't care that their customers are being spied on. I don't believe that’s true.
On the very day the media dropped detailed documents on the NSA's X-Keyscore collection program, the Facebook engineering team published a blog post stating that all access to Facebook via apps and web browsers was now SSL encrypted. Given X-Keyscore was a program primarily designed to intercept unencrypted internet traffic, you could be forgiven for interpreting Facebook's post as a middle finger pointed in NSA's direction. (Sources inside Facebook say it is a coincidence, and indeed the company had been in the process of enabling this across-the-board for years. But still. The timing.)
>You want us to execute that warrant for you? Ok, sure, but the user will get a nice big popup warning telling them that their messages are likely being intercepted!
There are new interception hurdles everywhere you look. Even plain old SSL encryption is becoming more difficult to snoop on. Previously, governments could rely on complicit or compromised certificate authorities to provide them with the means to intercept encrypted traffic. Thanks to the Iranian government's overly enthusiastic use of this technique, Google made changes to the Chrome browser to neuter the practice. Similar updates are expected soon in Internet Explorer. There goes another interception technique for law enforcement!
And it's only going to get worse for the poor ole G-Men. Technology companies are enabling security features that make certain types of government surveillance extremely difficult, and it's a trend that's set to continue. That's why the U.S. government has long wanted laws that force tech companies to make their products wiretap friendly.
It's not just web providers that are making life more difficult for government intercepts. It would take Apple, for example, a negligible amount of development time to introduce the cryptographic anti-snooping features of OTR -- a form of instant messaging encryption and authentication -- into a protocol like iMessage. At the moment authorities can get in the middle of the keying process at Cupertino and read user content, if they show a warrant. But one simple iOS update and they won't be able to do that anymore without setting off alarm bells: You want us to execute that warrant for you? Ok, sure, but the user will get a nice big popup warning telling them that their messages are likely being intercepted! (Still want us to proceed? Didn't think so.)
There’s the rub. Currently, there's no law stopping companies like Apple, Facebook, and Google from introducing such security changes or forcing them to build in backdoors. Why would Apple want its users migrating to cross-platform, anti-snooping messaging apps like Hemlis (by the founders of The Pirate Bay)? Especially when the company could push itself out of the surveillance business with its own technical tweaks before federal regulations force them to become key players in warrant execution.
In fact, advancements in the usability of cryptographic protocols have made anti-surveillance features relatively simple for technology companies to bake into their communications products. And public demand for greater security and privacy in the wake of Edward Snowden's revelations may make it virtually obligatory for them to do so before new wiretapping laws can be introduced.
This heralds a looming standoff between technology companies and government … even though much of the focus until now has portrayed the two as being in the same camp.
B.S. (Before Snowden) and A.S. (After Snowden)
[#contributor: /contributors/59331f304cd5ce6f96c0c61e]|||An Australian analyst, speaker, and commentator on information security, Patrick Gray has been covering the infosec space for over a decade. He produces and presents [Risky Business](http://risky.biz/), an information security podcast that has won four Lizzies (Australia's premier IT journalism awards) -- including Best Audio Program and Best Technology Title. Follow him on Twitter [@riskybusiness](https://twitter.com/riskybusiness).|||
Before the Snowden leaks, it was hard to imagine the Tea Party and Occupy movements skipping together through meadows holding identical placards.
Not anymore.
Today, an attempt to introduce laws that would heavily fine software and internet companies for failing to make their products wiretap-friendly would be met by a full-scale revolt by the commentariat -- and by the noisy political fringe on the left and the right.
President Obama was reportedly on the verge of backing the new wiretapping plan as recently as May this year. Only the "Snowden files" hit the press one month later, and surveillance became a hot-button issue. These laws seemingly dropped off the agenda.
For now.
Before Snowden, the proposed law would have been a mildly controversial but grudgingly accepted compliance regime for technology companies. The blowback might have been limited to a few angry Reddit threads and Anonymous denial-of-service attacks against government websites.
Now, it would become a serious political liability for the Obama administration -- as well as a public relations and commercial disaster for the technology industry.
This World War May Have Started in India
The FBI’s proposed regulations were first publicly mooted in 2010. But it was arguably the 2008 terrorist attacks halfway across the world -- in Mumbai, India -- that first set tech companies on a collision course with the state. Because the attackers reportedly used BlackBerry devices when conducting the attack to successfully avoid eavesdropping by India's security services.
Intelligence services around the world noticed. Here was a simple consumer device that terrorists used for secure communications in organizing and conducting their strike.
A year and a half after the Mumbai attacks, the Indian government's message for BlackBerry maker RIM was clear: Help us intercept your users' communications or get out of our country. (The message was the same for Skype and Google.) Tense negotiations followed and were apparently resolved later when interception capabilities were demonstrated to government officials.
>Before, blowback would have been limited to a few angry Reddit threads and Anonymous denial-of-service attacks against government websites. Now, it would become a serious liability.
Indian Department of Telecommunications (DoT) documents leaked to The Times of India this month show RIM worked with Indian telcos to make it possible to execute warrants against "regular" BlackBerry users. However, RIM could not assist in intercepting messages between two users of the same BlackBerry Enterprise Server (BES).
It wasn't an outright win for the Indian government, but without the threat of regulation it's unlikely the government would have even gotten that far.
And before people start screaming that RIM's decision favors corporate users over consumers, it’s important to understand that intercepting messages from one BES user to another is a technical pain-in-the-ass of the highest order. Short of backdooring their products, there's not much RIM can do about it.
But building in a backdoor is just what the previously proposed U.S. laws would make RIM do in America.
Months after the India showdown, at the urging of the FBI, the U.S. government threatened technology companies with similar actions. You've written an encrypted messaging app? Great! Except we'll fine you $25,000 a day if you can't execute our warrants and give us access to your users' communications.
So What Next?
The FBI has legitimate reasons to want these laws. Violating the civil rights of the general population isn't its core business; wiretaps are vital to many legitimate investigations into awful crimes. Technology has changed enough over the past 30 years to believe that some communications legitimately targeted by the FBI and other agencies are "going dark". (Even unencrypted internet-based messages are complicated to intercept. If the target of a warrant uses the in-game chat feature in Pokemon for Nintendo DS to communicate with a co-conspirator, forget about fancy encryption -- how the hell are they going to decode that?)
Only the government didn't expect the Snowden twist. And so, contrary to popular discourse about tech companies actively participating in surveillance, the technology industry is naturally moving towards making its products harder to eavesdrop on.
>It's one thing to prevent software companies from implementing security features. But it’s quite another to strip existing security measures from users' devices.
Here's a fresh political consideration: It's one thing to establish a legal framework that would prevent software companies from implementing certain security features in the future. But it’s quite another to establish a law that would strip existing security measures from users' devices.
Since Snowden's leaks have bolstered consumers’ desire for greater privacy from government interception and have almost certainly delayed the introduction of U.S. lawmakers’ legislation, we now find ourselves in a not-so-comfortable status quo. What's going to give? Will Congress still legislate to force those wiretap capabilities? Or will the tech companies say "screw you" and start rolling out decent security features to their users? And how will agencies like the NSA get around these types of problems?
Tech companies now have the motivation to introduce such changes, and the opportunity. The only thing lacking might be the intestinal fortitude to follow through. This window of opportunity won't be open forever.
My guess is the de facto interception technique of the future will involve targeting users' endpoints (phone, computer, tablet, whatever) instead of trying to intercept communications in transit. That will work for targeted interception, but knocks out a lot of the dragnet stuff. Sounds like a win to me. But only time, and perhaps some further revelations, will tell.
Editor: Sonal Chokshi @smc90
