Wendy Knox Everette provides a summary of the history of encryption regulation and debates around law enforcement access to encrypted data. She discusses key cases like Bernstein v. United States and Apple v. FBI. Everette notes ongoing tensions between law enforcement desires for access and technology companies' stance that weakened encryption harms all users. Recent events like attempts to force Facebook to wiretap Messenger and Attorney General Barr's calls for lawful access are also summarized.
Presentation on Cyber Harassment at 2009 Georgetown Law Reunion Weekend.
Some of the rantings made in response to his presentation are the work of Vanessa Kachadurian who is a defendant in a cyber harassment suit currently pending in federal court in Fresno. http://kachadurianlit.wordpress.com/
Municipalities & The Internet: A Few Legal Issues - Shawn Tuma
In the Fall of 2000, I delivered this presentation at the North Central Texas Council of Governments' e-Government 2000 Fall Forum. There were no slides at this presentation but this is the paper that was delivered to the group.
This is a slide presentation on ways people can misuse the computer on the internet.
I am currently an ICT Educator at Good Shepherd Schools Lagos State, Nigeria.
Note: I will be uploading more PowerPoint presentations in my field, so ensure you're following me to get updated. Thanks.
"How private is your privacy" is a descriptive travel from history into recent incidents that triggered an unbelievable ignorance towards the value of one's virtual privacy.
Accessing Password Protected and/or Encrypted Mobile Data
Abstract - This research paper examines a potential solution to a problem faced by law enforcement, for whom the inability to decrypt a number of encrypted communications that they have been given appropriate legal permission to intercept or examine looms large. This research paper utilizes a theoretical approach to explore the ‘going dark’ concern. This paper will also provide an overview of an encryption workaround, which will address the widely used “Signal Messaging Protocol”, which is used to encrypt messages transmitted via applications such as WhatsApp, Telegram, and Facebook, among others.
Keywords—Signal Messaging Protocol, Encrypted Messaging, Privacy, Law Enforcement, Mobile Phones, WhatsApp
I. Introduction
As the use of digital mobile devices continues to become more ubiquitous, so too does the use of strong encryption protocols, which are being made available to users by communication application providers. In an effort to provide even more security to users, those same application providers are developing the encryption protocols in such a way that the providers themselves are not even able to decrypt the private messages. These trends are posing an ever-increasing challenge to law enforcement agencies, who are often able to obtain the legal authority necessary to intercept or retrieve certain communication data, only to find that they are unable to decrypt and view that same data. The FBI has labeled this issue as the “Going Dark” problem.
The “Going Dark” problem often has adverse effects on law enforcement’s ability to investigate all kinds of crimes; such as kidnappings, child pornography, violent gang activity, etc. However, the gravest consequential examples of this problem have arisen through terrorist investigations, wherein the stakes are extremely high.
Agencies charged with combating terrorism, such as the FBI, quietly face this obstacle every day. In December 2015, the public was given an inside view of this dilemma during the aftermath of the San Bernardino, California, terrorist attack. Following the attack, the FBI recovered a passcode-locked iPhone 5, which had belonged to one of the shooters. The passcode function keeps the encased data encrypted until the correct passcode is entered. If the wrong passcode is entered more than ten times, the data is automatically and permanently wiped from the device. In response, the FBI obtained a court order directing Apple to assist them in developing software to unlock the phone. Apple refused, which set off a fierce public outcry and a subsequent legal battle. The standoff was ultimately defused when the FBI was able to find a third party to crack the four-digit passcode.
As a result of that legal dispute between the Department of Justice and Apple not having been resolved in court, the debate continued over the question: should the government be able to legally force private vendors to create decryption keys for law .
Lofty Ideals: The Nature of Clouds and Encryption - Sean Whalen
An overview of the legal, privacy, and security issues surrounding modern cloud services and cryptography
Created as an alumnus talk for the Computer & Network Support Technology Fairfield Career Center senior class of 2016.
1. In the dispute between the FBI and Apple, which side do you support and why?
2. How would you counter the arguments offered by those on the other side of this debate?
3. Are there any circumstances in which you think the government's right to information should take precedence over an individual's right to privacy?
4. Should any technology firm be allowed to create a privacy protection system that is so impenetrable that it could never be overridden, regardless of the government's need for this information?
order. In a strongly worded letter to Apple customers posted to the company's website, Cook called the order "an unprecedented step which threatens the security of our customers" with "implications far beyond the legal case at hand." In a court filing, Apple claimed, "This isn't a case about one isolated iPhone. No court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it." The day before the FBI director and Apple's top lawyers were to testify before Congress, a federal judge in New York sided with Apple in a related case. Magistrate Judge James Orenstein rejected the Justice Department's argument that the 18th century All Writs Act gave prosecutors the authority to compel Apple to help investigators bypass the passcode protection system on an Apple iPhone seized in a drug investigation. He said the critical issues of 21st century privacy and technology should be decided by today's lawmakers, rather than by reinterpreting an old law. Around this time, the media reported that an outside party had demonstrated to the FBI a possible method for unlocking Farook's iPhone that, if successful, would eliminate the need for assistance from Apple. "This suggests that the very thing that Apple feared already exists in some form and it exists outside the walls of Cupertino [Apple's home]," said attorney Edward McAndrew. A month later, the FBI announced that it had cracked Farook's iPhone and was dropping its legal case against Apple. A Justice Department spokesperson said, "While this particular phone is no longer an issue, the broader fight over encryption-protected technology is likely to continue. It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety." And the controversy may intensify in the future.
FBI director Comey announced in April 2016 that the secret technique used to unlock Farook's iPhone 5C, for which the FBI reportedly paid more than $1 million, would not work on newer iPhone models. Two years later, Apple announced that it was planning an iPhone update that would effectively disable the phone's charging and data port - the opening where users plug in headphones, power cables, and adapters - an hour after the phone is locked. This change was seen as a direct response to government efforts to unlock phones without the owner's permiss.
Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, free expression, and copyright. She is also a non-residential fellow at the Stanford Law School Center for Internet and Society and an adjunct professor at the University of California Hastings College of the Law. She tweets about law and technology issues at @marciahofmann.
Bring your Shmoo Balls, we have some juicy opinions on how the federal government should vet cloud services. After going through the FedRAMP authorization process with multiple companies, we have grey hair, scars, and some things to say.
We’ll go through some systemic problems and flag some of those weird controls that have always bugged us, and then when we’ve finished airing our grievances we’ll dig into the tough stuff: what can possibly change? Should it change? Will r5 ever be fully adopted? Should FedRAMP continue to exist?
Shea Nangle is a Director at a cybersecurity consultancy. He has been involved with FedRAMP (as a consultant and working for cloud service providers) since 2014. In 2023, he was recruited for the position of FedRAMP Director but chose to stay in private industry.
Wendy Knox Everette is a software developer & hacker lawyer who is currently the CISO at a healthcare data analytics firm. She has co-authored a peer reviewed article on FedRAMP in IEEE Security & Privacy, as well as another reviewing other security issues caused by control frameworks in NDSS.
Weaponizing Your Fitness Tracker Against You: Health, Fitness, & Location Tra... - Wendy Knox Everette
Many women wear fitness trackers, use period tracking software, and geo tag photos on their phone without thinking about the data ever being used against them. But in a world where states are now exploring private citizen bounties against women suspected of receiving abortions, could the digital trails you create be used against you? Privacy leaks through fitness tech are nothing new -see the secret military bases exposed by Strava a few years ago. But now the confluence of health trackers which record a woman’s body temperature (Oura rings), their locations (maybe you logged a walk in a new city with Apple Fitness), and even period tracking applications can be used to implicate women, even if they just missed periods due to stress, took a work trip to a city, or any other benign reason. What legal and technical protections are in place to shield women from a techno-dystopia in a post-Roe world?
“How do we get a SOC 2?” Do those words strike fear and anxiety into your heart as an infosec professional? Do you have visions of being buried under a mountain of fancy risk management software, endless numbers of spreadsheets, and losing sleep for weeks implementing complex audit logging software? Well, take a deep breath and join this talk, in which we break down how to achieve SOC 2 Type II compliance without losing your mind. Your guide today has led many companies of various sizes (but mostly tiny startups) through several years of successful SOC 2 audits, and is here to break it all down. Bring your notebook as we explain why and how.
This talk will not focus on endless checkboxes, or push compliance at the expense of security. Instead, it will be a real world view of how to achieve compliance audit success without wasting your time, creating busy work, undoing your hard work securing your users’ data, and building a resilient architecture. We’ll explore how to automate, what to automate, how to build a control set that fits your organization, and how to come out the SOC 2 hero.
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie... - Wendy Knox Everette
ShmooCon 2020
You’ve just been tasked with creating a vendor review management process at your company, but what does that even mean, and how are you going to do this? Do you need to buy a lot of expensive GRC software and hire an army of compliance staffers? This talk will explain what a vendor review process is and walk through setting one up at your company, using nothing more complicated than email, text files, and maybe some Slack and Google Forms.
Security engineering 101: when good design & security work together - Wendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Incident Response and the Attorney Client Privilege - ShmooCon 2019 - Wendy Knox Everette
Oh no, you’ve suffered a computer security incident. The DFIR team you hired wrote up a great report detailing exactly what happened and making suggestions for how to fix some of these issues. But now you’re being sued, and opposing counsel requests that report!
Many times, companies will seek to protect investigations under the cover of attorney-client privilege. But what is that, when and how does the privilege attach, and how helpful is it most of the time? What should your goal be, and just what are best practices for working with attorneys?
How do you give your personal domain a green "Secure" lock? Can you prevent your domain from being used for spam and phishing emails?
This talk is a little different from most "crypto" talks - it's not about how some neat new encryption algorithm works, or writing code. Instead, it's about how to use the awesome crypto tools already available to make your online presence more secure. This talk came out of my frustration with tutorials online for setting up my personal website domain with TLS and my email domain with DMARC/DKIM/SPF. We'll walk through how to use free services to serve a website over TLS and how to configure a personal email domain to block it from being used to send spam and phishing emails.
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Fingerprints, Passcodes, and Self Incrimination - BSides Nova - Wendy Knox Everette
You’re arrested and your phone is held up to your face to be unlocked by the arresting officer, then sent to a forensics lab. Dystopian future or one where FaceID collides with weak self-incrimination protections for biometrics? This talk will explain how your 4th and 5th Amendment rights interact with advances in biometric technology. Along the way it will offer design suggestions for creators of mobile devices and tips to end users.
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017 - Wendy Knox Everette
What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular), and a complex web of compliance frameworks, contractual provisions, and consumer lawsuits. As we think about making software safer and more secure for users, the policy choices we preference now may have long reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.
Security Vulnerabilities, the Current State of Consumer Protection Law, & how... - Wendy Knox Everette
BSides Las Vegas 2016 - Proving Ground Track
Video of talk: https://www.youtube.com/watch?v=EFGcZwjw9Q4&t=4s
If a consumer purchases software (like, perhaps, a word processor or note-taking software) and that leads to some harm (perhaps the software allows malware to run on their computer, locking all their data for ransom, or their private data is stolen), do they have any recourse?
In the area of private lawsuits, a consumer would likely first look to products liability. Product liability law acts as a form of insurance to protect users: if a product is built in an unsafe way, and it injures you, you may sue the retailer or manufacturer of the product.
There are three general theories a consumer can recover under:
Design defect: the product was designed in an unsafe way
Manufacturing defect: the specific instance of a product was assembled incorrectly and had a one-off manufacturing flaw
Failure to warn claim: the product had non-obvious ways it could harm the consumer, that the consumer should be told about
Although these suits are common for defective products such as lawn mowers, coffee makers, and other consumer goods, they are not used by purchasers or users of software. The primary reason is that products liability is so focused on physical harms (it covers serious injuries like losing your finger to a bagel cutter, for instance) and that, until somewhat recently, most software couldn’t physically harm you. (Alternatively, some users can recover if they had a contract with the software creator or provider, as in the Trustwave Incident Response suit.)
The rise of the Internet of Things is about to change a lot of that. There have already been a small number of cases where liability was found where buggy software caused physical harm to some consumers. Returning to the fridge, what if someone could connect remotely to your fridge, and adjust the temperature to be a little too warm, leading you to get food poisoning? What if they could do so without the temperature display in the fridge changing, so it looked like it was still cold enough?
This talk will explore the background of product liability law, and discuss how and why IoT might bring about a change in expanding coverage of software flaws.
1. An Update from the
Crypto Wars 2.0
BSidesPDX - October 25, 2019
Wendy Knox Everette
@wendyck
2. Who am I? Wendy Knox Everette
@wendyck
Hacker lawyer. Has handled law enforcement
requests for companies.
I am a lawyer. I am very much not your
lawyer.
6. Daniel J. Bernstein et al., v. United States Department of State, 922 F. Supp. 1426
(April 15, 1996)
Daniel J. Bernstein et al., v. United States Department of State, 945 F. Supp. 1279
(December 9, 1996)
Daniel J. Bernstein et al., v. United States Department of State, 176 F.3d 1132
(August 25, 1997)
Encryption regulations prevented export of
software code. Court finds that software code is
speech & receives First Amendment protections
7.
8. Law enforcement argues that encryption of iCloud
backups prevented them from investigating the San
Bernardino shooting. February 16, 2016, a C.D.
Cal. magistrate judge issued an order requiring
Apple to assist the FBI with extracting data.
9. Apple replies that building any custom iOS
software to circumvent the encryption raises
unacceptable implications for all iOS customers.
12. 4th Amendment creates the
groundwork for this area
● Based on the “reasonable
expectation of privacy”
standard
● Most 4th Amendment law is
case law
29. What was the outcome in Apple
v. FBI?
The FBI used a vulnerability to
hack into the phone - to date,
bugs have been providing a
form of pressure release
31. “According to Reuters and The Washington Post,
the Justice Department sought an order from a
federal court to force Facebook to wiretap
encrypted voice conversations on Facebook
Messenger as part of an investigation into the MS-
13 gang”
https://www.aclu.org/blog/privacy-technology/internet-privacy/aclu-seeks-secret-ruling-stopped-feds-hacking-facebook
32. Facebook refuses, saying it would need to re-write
Messenger app’s code & undermine security for all
users.
DOJ tried to hold Facebook in contempt of court,
but lost. ACLU filed a motion to unseal judicial
rulings associated with the attempt to make
Facebook decrypt Messenger calls.
https://www.aclu.org/blog/privacy-technology/internet-privacy/aclu-seeks-secret-ruling-stopped-feds-hacking-facebook
35. Can we have messaging systems that are engineered to
deal with child porn and law enforcement access, without
building tech that gets used for censorship and copyright
enforcement?
38. Barr’s remarks
“But the digital world that has proven such a boon in many ways has also
empowered criminals. Like everybody else, criminals of all stripes increasingly
rely on wireless communications, hand-held devices, and the internet. In today’s
world, evidence of crime is increasingly digital evidence. As we work to secure
our data and communications from hackers, we must recognize that our citizens
face a far broader array of threats...While we should not hesitate to deploy
encryption to protect ourselves from cybercriminals, this should not be done in a
way that eviscerates society’s ability to defend itself against other types of criminal
threats.”
39. Barr’s remarks
“What is happening here is that some companies want to say to the individual,
“Hey, we can make you invisible to law enforcement.” But do we want to live in a
society where everyone is invisible to law enforcement?”
40. Barr’s remarks
“These considerations apply to privacy. That right has never been absolute. The
Fourth Amendment strikes a balance between the individual citizen’s interest in
conducting certain affairs in private and the general public’s interest in subjecting
possible criminal activity to investigation.”
47. Can’t we just compel people to provide decryption
keys?
1. This doesn’t work so well in the investigative stage
2. The Fifth Amendment can be invoked by the
defendant to resist providing their encryption keys
48. Sources
● Clipping Clipper https://www.wired.com/1994/09/clipping-clipper-matt-blaze/ &
https://www.mattblaze.org/papers/eesproto.pdf
● EFF’s Bernstein summary https://www.eff.org/cases/bernstein-v-us-dept-justice
● Apple v FBI timeline: https://www.usatoday.com/story/tech/news/2016/03/15/apple-v-fbi-timeline/81827400/
● Software Alliance paper https://www.bsa.org/policy-filings/us-encryption-and-law-enforcement-access-to-data
● Video of DOJ’s Lawful Access Summit https://www.justice.gov/opa/video/lawful-access-summit
● https://freedom-to-tinker.com/2019/10/06/content-moderation-for-end-to-end-encrypted-messaging/ and Barr’s
remarks: https://www.justice.gov/opa/speech/attorney-general-william-p-barr-delivers-remarks-lawful-access-summit
● https://cyberlaw.stanford.edu/blog/2019/10/william-barr-and-winnie-pooh
● Content Moderation for End-to-End Encrypted Messaging by Jonathan Mayer, https://freedom-to-tinker.com/2019/10/06/content-moderation-for-end-to-end-encrypted-messaging/
● US Attorney’s Manual, Section 9-7.000 - Electronic Surveillance, https://www.justice.gov/usam/usam-9-7000-electronic-surveillance
● FBI Domestic Investigations and Operations Guide https://vault.fbi.gov/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29%202016%20Version
● Lawfare blog, https://www.lawfareblog.com
Feb 1994, NSA wanted to test Clipper chip as a replacement to current standard, DES
Used hardware; had “Law Enforcement Access Field (LEAF)” that can read data encoded with the chip; information was held in separate secret digital vaults by two government agencies
The LEAF is protected by a 16-bit checksum,
But any random sequence of 16 bits has a 1-in-65,000 shot at passing that checksum test
& we can script that. Matt Blaze found it took about 42 minutes to make a fake one that was good enough that law enforcement officials can't tell if they have a valid or bogus LEAF -- the bogus number strings he generated could pass the checksum
July 20, 1994 - govt abandons clipper chip
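Why a 16-bit check cannot authenticate the LEAF, as an added example that is not from the talk or from Blaze's paper: a receiver that accepts any LEAF whose short check matches will accept a random one after roughly 2^16 tries, while a 128-bit check does not fail this way. The key, IV, LEAF layout and truncated-HMAC check are constructed stand-ins (the real checksum algorithm was classified), and the per-trial time is derived from the 42-minute figure quoted above.

```python
import hmac
import math
import random

# Constructed stand-ins (assumptions, not the real Clipper design): the actual
# LEAF checksum was computed inside the chip with a classified algorithm. A
# truncated HMAC models "a short check the receiver computes over the LEAF".
FAMILY_KEY = b"constructed-demo-family-key"
SESSION_IV = bytes.fromhex("00112233445566778899aabb")  # constructed sample
LEAF_BODY_LEN = 14                                       # toy layout, in bytes

# Per-trial cost implied by the 42-minute average quoted in the notes above.
SECONDS_PER_TRIAL = 42 * 60 / 2**16


def check_value(body: bytes, tag_bytes: int) -> bytes:
    """Check bound to the session IV, truncated to tag_bytes bytes."""
    mac = hmac.digest(FAMILY_KEY, SESSION_IV + body, "sha256")
    return mac[:tag_bytes]


def make_leaf(body: bytes, tag_bytes: int) -> bytes:
    """What a compliant sender would emit: body followed by its check."""
    return body + check_value(body, tag_bytes)


def receiver_accepts(leaf: bytes, tag_bytes: int) -> bool:
    """Receiver-side validation: recompute the check and compare."""
    body, claimed = leaf[:-tag_bytes], leaf[-tag_bytes:]
    return hmac.compare_digest(check_value(body, tag_bytes), claimed)


def trials_until_accepted(tag_bytes: int, rng: random.Random, max_trials: int):
    """Feed random LEAFs (no key knowledge) to the receiver until one passes.

    Returns (trial_count, leaf), or (None, None) if max_trials is exhausted.
    """
    size = LEAF_BODY_LEN + tag_bytes
    for n in range(1, max_trials + 1):
        candidate = rng.getrandbits(8 * size).to_bytes(size, "big")
        if receiver_accepts(candidate, tag_bytes):
            return n, candidate
    return None, None


def p_accept_within(tag_bits: int, trials: int) -> float:
    """Probability that at least one of `trials` random LEAFs is accepted."""
    # expm1/log1p keep precision when 2**-tag_bits is far below float epsilon.
    return -math.expm1(trials * math.log1p(-(2.0 ** -tag_bits)))


def expected_seconds(tag_bits: int) -> float:
    """Average search time at the per-trial cost implied by the 42 minutes."""
    return (2 ** tag_bits) * SECONDS_PER_TRIAL


if __name__ == "__main__":
    rng = random.Random(2019)  # fixed seed so the run is repeatable
    n, leaf = trials_until_accepted(2, rng, 2_000_000)
    print(f"16-bit check: random LEAF accepted after {n} trials: {leaf.hex()}")
    n128, _ = trials_until_accepted(16, rng, 50_000)
    print(f"128-bit check: accepted within 50,000 trials? {n128 is not None}")
    for bits in (16, 32, 64, 128):
        years = expected_seconds(bits) / (365.25 * 24 * 3600)
        print(f"{bits:3d}-bit check: about {expected_seconds(bits):.3g} s "
              f"({years:.3g} years) on average at that rate")
```
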
In the Bernstein case, a professor challenged the ITAR restrictions on software encryption, arguing that they infringed his First Amendment rights.
He developed an encryption algorithm and wanted to publish a math paper and source code with the algorithm. ITAR requirements at the time required him to register as an arms dealer and have the software reviewed by the government.
Software can still be covered by ITAR or EAR restrictions, but they aren’t as restrictive as they used to be. The courts did recognize software as speech, and found that restrictions on some software could have First Amendment implications.
The FBI didn’t know the passcode to the iPhone, and the iPhone would erase its contents after 10 incorrect passcodes. So they needed a way to bypass this restriction.
https://flickr.com/photos/matsuyuki/8444605838
Apple says that building this custom iOS will cause security problems for all users of iPhones
https://flickr.com/photos/151234415@N07/32480841316
Apple published a letter to their customers explaining why they weren’t complying with the order
Once this tool was created, how would Apple restrict who could use it? Would every cellphone taken from someone arrested for a drug misdemeanor charge be subject to this type of unlocking and search?
There are some rules in this area, but it turns out that they tend to be silent on a lot of topics relevant to the search of digital devices
The 4th Amendment still applies here, though. It guarantees protection from unreasonable government intrusion, and is largely case law.
Ask-> statutes v case law
Common law
Judge made law
www.flickr.com/photos/ianafotog/6903741624
Title III prohibits private citizens from using electronic surveillance techniques and sets up rules for law enforcement to use wiretaps and record calls, but it requires compliance with specific requirements
www.flickr.com/photos/jcphotolog/5592963392
ECPA passed in 1986. Specifically, Congress added "electronic communications" as a new category of communications whose interception is covered by Title III.
Electronic communications are non-voice communications made over a network in or affecting interstate commerce, and include text messages, electronic mail ("email"), facsimiles ("faxes"), other non-voice Internet traffic, and communications over digital-display pagers.
Network Investigative Technique (NIT) - rules around them changed with Rule 41 of the Federal Rules of Criminal Procedure that took effect Dec 2016
www.flickr.com/photos/thomashawk/7117207093
Warrant from a NIT from https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal
Location to be searched here is an email address
Turns out that law enforcement having trouble getting evidence isn’t a new problem
https://flickr.com/photos/tigerplish/250835499
Passed as part of the Judiciary Act of 1789 - this is what was used in the NY Telephone case and in Apple v FBI. But it was also used in an earlier case
https://www.flickr.com/photos/thomashawk/11028266054/
Usually this is really boring stuff to help make the court system run
https://www.flickr.com/photos/wiechert/6441071577/
The court used the authority of the All Writs Act to order the phone company to lend the FBI a telephone line and to help them install the monitoring device at the phone company
The old methods of clipping into wires for PRTTs and wiretaps didn’t work anymore with the new phone company infrastructure
This still leaves us with questions about what’s an unreasonable burden under the AWA, applicability to information services, and post-CALEA holdings
1994: Communications Assistance for Law Enforcement Act to require phone service providers to assist law enforcement with wiretaps
Treats internet services differently from communication services
Internet services were explicitly excluded from being required to build their systems in a way that could be easily wiretapped
www.flickr.com/photos/nic1/17262200550
https://flickr.com/photos/smemon/8039833659/
At least 10:00 - 15:00
-FB refused, saying they’d need to rewrite the Messenger code
-DOJ tried to hold FB in contempt
-ACLU filed a motion to unseal; no updates since November 2018
https://flickr.com/photos/jason_ff/1455514845
Australia’s law
Held on October 4 in DC
https://www.justice.gov/opa/video/lawful-access-summit
-criminals are using mobile phones and the internet! And Law Enforcement can’t access some of the content of their messages
You say invisible to law enforcement, I say TLS and end to end encryption protect my data from data breaches
https://flickr.com/photos/jbedrina/27514581535
How do we write a system that can only be used by the government and is impervious to being hacked? It is unreasonable to assume that any such system won’t be probed and investigated, and the entire history of software suggests that someone will find an exploit that works against the system
https://flickr.com/photos/94132145@N04/16039293156/
How do you keep US citizens from just installing non-backdoored messaging apps made in other countries?
https://flickr.com/photos/klubmoozak/8231390644
And how do you keep repressive regimes from demanding the use of these backdoors as well?