Wendy Knox Everette provides a summary of the history of encryption regulation and debates around law enforcement access to encrypted data. She discusses key cases like Bernstein v. United States and Apple v. FBI. Everette notes ongoing tensions between law enforcement desires for access and technology companies' stance that weakened encryption harms all users. Recent events like attempts to force Facebook to wiretap Messenger and Attorney General Barr's calls for lawful access are also summarized.

1. An Update from the
Crypto Wars 2.0
BSidesPDX - October 25, 2019
Wendy Knox Everette
@wendyck

2. Who am I? Wendy Knox Everette
@wendyck
Hacker lawyer. Has handled law enforcement
requests for companies.
I am a lawyer. I am very much not your
lawyer.

3. Some history:
1993 Clipper Chip
1995-1997 Bernstein v. United States
2015 Apple v. FBI

6. Daniel J. Bernstein et al., v. United States Department of State, 922 F. Supp. 1426
(April 15, 1996)
Daniel J. Bernstein et al., v. United States Department of State, 945 F. Supp. 1279
(December 9, 1996)
Daniel J. Bernstein et al., v. United States Department of State, 176 F.3d 1132
(August 25, 1997)
Encryption regulations prevented export of
software code. Court finds that software code is
speech & receives First Amendment protections

8. Law enforcement argues that encryption of iCloud
backups prevented them from investigating the San
Bernardino shooting. February 16, 2016, a C.D.
Cal. magistrate judge issued an order requiring
Apple to assist the FBI with extracting data.

9. Apple replies that building any custom iOS
software to circumvent the encryption raises
unacceptable implications for all iOS customers.

10. https://www.apple.com/customer-letter/

12. 4th Amendment creates the
groundwork for this area
● Based on the “reasonable
expectation of privacy”
standard
● Most 4th Amendment law is
case law

13. Wiretaps are covered
by Title III

14. Electronic Communications Privacy Act & Stored
Communications Act

15. NIT Warrants

16. https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal

20. Great, so the government has ways to request data from
software companies and service providers so that they
can investigate crimes.
Except

21. Sometimes new systems are built
and the old ways of wiretapping,
etc., don’t work anymore

22. All Writs Act

23. Courts may issue all writs
necessary or appropriate in
aid of their respective
jurisdictions and agreeable
to the usages and
principles of law

24. United States v. New York Telephone Co.,
434 U.S. 159 (1977)

25. “We agree that the power of federal courts to impose
duties upon third parties is not without limits;
unreasonable burdens may not be imposed.”

26. So now we have
CALEA

27. CALEA
● telecom providers are
required to assist law
enforcement
● fuzzy applicability to internet
service companies

28. The All Writs Act was
used in Apple v. FBI

29. What was the outcome in Apple
v. FBI?
The FBI used a vulnerability to
hack into the phone - to date,
bugs have been providing a
form of pressure release

30. What now?

31. “According to Reuters and The Washington Post,
the Justice Department sought an order from a
federal court to force Facebook to wiretap
encrypted voice conversations on Facebook
Messenger as part of an investigation into the MS-
13 gang”
https://www.aclu.org/blog/privacy-
technology/internet-privacy/aclu-seeks-secret-
ruling-stopped-feds-hacking-facebook

32. Facebook refuses, saying would need to re-write
Messenger app’s code & undermine security for all
users.
DOJ tries to hold Facebook in contempt of court,
but lost. ACLU filed a motion to unseal judicial
rulings associated with the attempt to make
Facebook decrypt Messenger calls.
https://www.aclu.org/blog/privacy-
technology/internet-privacy/aclu-seeks-secret-
ruling-stopped-feds-hacking-facebook

33. also

34. https://www.nytimes.com/interactive/2019/09/28/us/child-sex-abuse.html

35. Can we have messaging systems that are engineered to
deal with child porn and law enforcement access, without
building tech that gets used for censorship and copyright
enforcement?

36. Forced signing of
“malicious” updates by a
government?

37. DOJ’s Lawful Access
Summit

38. Barr’s remarks
“But the digital world that has proven such a boon in many ways has also
empowered criminals. Like everybody else, criminals of all stripes increasingly
rely on wireless communications, hand-held devices, and the internet. In today’s
world, evidence of crime is increasingly digital evidence. As we work to secure
our data and communications from hackers, we must recognize that our citizens
face a far broader array of threats...While we should not hesitate to deploy
encryption to protect ourselves from cybercriminals, this should not be done in a
way that eviscerates society’s ability to defend itself against other types of criminal
threats.”

39. Barr’s remarks
“What is happening here is that some companies want to say to the individual,
“Hey, we can make you invisible to law enforcement.” But do we want to live in a
society where everyone is invisible to law enforcement?”

40. Barr’s remarks
“These considerations apply to privacy. That right has never been absolute. The
Fourth Amendment strikes a balance between the individual citizen’s interest in
conducting certain affairs in private and the general public’s interest in subjecting
possible criminal activity to investigation.”

41. But weakening
encryption is not like
a 4th Amendment
balancing test

42. Backdoored encryption
standards are encryption
algorithms that have been
intentionally weakened

43. https://twitter.com/mattblaze/status/1180864669822652416

44. How would we
protect escrowed
keys?
Does only the FBI get them? How
do local law enforcement use them?

45. How does this
even work with the
global Internet?

46. https://www.jumble.io/blog/2016/02/26/apple-vs-fbi-battle-encryption-privacy-security/

47. Can’t we just compel people to provide decryption
keys?
1. This doesn’t work so well in the investigative stage
2. The Fifth Amendment can be invoked by the
defendant to resist providing their encryption keys

48. Sources
● Clipping Clipper https://www.wired.com/1994/09/clipping-clipper-matt-blaze/ &
https://www.mattblaze.org/papers/eesproto.pdf
● EFF’s Bernstein summaryhttps://www.eff.org/cases/bernstein-v-us-dept-justice
● Apple v FBI timeline: https://www.usatoday.com/story/tech/news/2016/03/15/apple-v-fbi-timeline/81827400/
● Software Alliance paper https://www.bsa.org/policy-filings/us-encryption-and-law-enforcement-access-to-data
● Video of DOJ’s Lawful Access Summit https://www.justice.gov/opa/video/lawful-access-summit
● https://freedom-to-tinker.com/2019/10/06/content-moderation-for-end-to-end-encrypted-messaging/ and Barr’s
remarks: https://www.justice.gov/opa/speech/attorney-general-william-p-barr-delivers-remarks-lawful-access-summit
● https://cyberlaw.stanford.edu/blog/2019/10/william-barr-and-winnie-pooh
● Content Moderation for End-to-End Encrypted Messaging by Jonathan Mayer, https://freedom-to-
tinker.com/2019/10/06/content-moderation-for-end-to-end-encrypted-messaging/
● US Attorney’s Manual, Section 9-7.000 - Electronic Surveillance, https://www.justice.gov/usam/usam-9-7000-
electronic-surveillance
● FBI Domestic Investigations and Operations Guide
https://vault.fbi.gov/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29/FBI%2
0Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29%202016%20Version
● Lawfare blog, https://www.lawfareblog.com