Key battle looms in the war to protect privacy

User privacy is under attack from hackers, data miners, and the government, but the EFF and tech groups are fighting back

Key battle looms in the war to protect privacy

The evidence keeps mounting that the privacy of our mobile devices and our communications are under siege -- if not outright moribund. This series of onslaughts is coming from hackersdata mining companies, and especially, it seems, from our own government.

The Electronic Frontier Foundation, in an attempt to chip away at the continued intransparency that cloaks government snooping on U.S. citizens, sued the Justice Department this week. The group has been trying for more than a year to find out whether the government uses secret court orders to force companies like Apple and Google to assist it in carrying out surveillance. But its Freedom of Information Act (FOIA) requests have been rebuffed.

The EFF charges that the department has failed to turn over opinions from the Foreign Intelligence Surveillance Court (FISC) -- which operates mostly in secret and grants nearly all of the surveillance requests it receives -- even after they were declassified as part of surveillance reforms enacted in the USA Freedom Act.

Reports have circulated that the government has used FISC orders to force tech companies to decrypt users' communications and turn over source code so that government agents can find and exploit security vulnerabilities.

"The public has a right to know about those secret demands to compromise people's phones and computers," said EFF Senior Staff Attorney Nate Cardozo. "The government should not be able to conscript private companies into weakening the security of these devices, particularly via secret court orders."

Microsoft would agree. The company has been waging a drawn-out battle with the U.S. government over its desire to access customer data held in overseas data centers. And last week, Microsoft filed its own lawsuit over secret orders that prevent it from notifying customers when the government requests access to their data. The gag order violates customers' Fourth Amendment right to know if the government searches or seizes their property and violates Microsoft's First Amendment right to free speech, the suit alleges.

Tech companies have a long history of providing the government whatever it requests. Now reports from companies like Apple, Facebook, and Google about the data requests they are allowed to disclose show the number of these requests is exploding. Most are still granted, but companies are beginning to balk as they're asked more and more to function as deputy police.

Apple, with support from tech giants Facebook, Google, and Microsoft, drew a line in the sand in its very high-profile showdown with the FBI over the San Bernardino terrorist's iPhone. Apple had unlocked phones for authorities at least 70 times since 2008, but apparently enough was enough now that security is a selling point of newer devices. Apple is still fighting a dozen other requests to break into locked iPhones

It's not as if law enforcement doesn't already have access to a barge load of data on every one of us. How exposed are we? Last weekend's "60 Minutes" report on phone hacking was a rude awakening for many. Hackers demonstrated how security flaws in the network interchange service called Signaling System No. 7 (SS7) make it possible to remotely spy on anyone with a phone. All they needed was the cellphone's number in order to read texts (encrypted messaging services like WhatsApp are unaffected), listen to and record calls, and track phone users' locations.

California Congressman Ted Lieu, whose phone was hacked in the demonstration, told "60 Minutes" that "the vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security. Many innovations in digital security -- such as multifactor authentication using text messages -- may be rendered useless."

The vulnerability of SS7 is an open secret -- hackers first exposed the flaw in 2014 -- but it has never been fixed because security services like the NSA find it so useful for tracking and snooping on users.

Now Congress is prepared to go a step further to ensure the insecurity of our devices. Legislators have put forward a bill that would compel companies like Apple to break their own encryption -- a move that security experts argue is nothing more than legalizing backdoors into our devices to expose the wealth of sensitive data they contain.

To date, more than 65,000 people have signed a petition protesting the legislation. Now a coalition of four technology groups representing companies like Apple, Microsoft, Google, Facebook, Twitter, Amazon, Netflix, Samsung, and others has released a letter calling the proposal "unworkable."

"Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences," the letter states. "We believe it is critical to the safety of the nation's, and the world's, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems."

Hacker John Hering told "60 Minutes": "We live in a world where we cannot trust the technology that we use."

Apparently our government likes it that way. It's sad, InfoWorld's Galen Gruman writes, "that corporations -- not the populace or their elected representatives -- have taken on that role" of defending us from these attacks on our security and privacy. Oh brave new world.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform