The police chiefs of Canada have just started a fear and smear campaign. Its aim: to force anyone to reveal her/his password to any device.
This is, of course, contrary to current Canadian law.
It is also contrary to current American law.
I have been following this legal discussion in the USA. A criminal’s phone was suspected of containing extra evidence. The US authorities tried to force the owner to provide the password. Then they tried to force the phone provider (Apple?) to break the password.
Then they claimed that they, the FBI, actually broke the password themselves.
I will more or less refute every claim implied in the above paragraph. I simply don’t believe what we were, by implication, told. Here goes:
Once the phone was, as claimed, broken, no new evidence was shouted from the rooftops. If I were the winning prosecutor in such a technological battle, and it provided key evidence that added to proof of existing charges, or suggested additional charges, I’d let the reporters all know. Loudly.
Instead we got silence. This after the FBI claimed they broke the phone and could break another one.
In US law, the owner does not have to provide the password. There’s some very old American legislation on this. I won’t research it again, but merely provide you with the basic court decisions’ net results. This from memory, ok? (Based on CRS reports.)
Self-incrimination includes being forced to disclose the content of one’s mind. Thus a physical key can be compelled, but a lock’s combination cannot. Consequently an accused canNot be compelled to provide a password: the legal equivalent of a lock’s combination.
In US law, a provider of equipment does not need to do the work of breaking its password protection. (This even if the password could be demanded by law.) To make this happen, the authorities would need to prove that the password could be broken, and that the provider was the only possible breaker. In addition, the authorities would have to recompense the provider for the costs involved. Apple simply said that the costs were large and it probably couldn’t be done; the authorities said that others could do it, so get on with it. Apple responded by saying, if they can do it, then you should ask them to. We’re busy.
That the FBI broke the password themselves is, imho, open to doubt. No evidence was claimed, so far as I know, to have come from this. (How they would prove they got something both new and critical, from a phone, with a suspect in custody with clearly little chance of beating the charges, is unclear to me.)
I suspect the entire episode was intended to create a precedent for forcing passwords to be given out, broken, or circumvented. (By password I also include encryption key. It’s merely the ‘password’ for decryption, eh?) I don’t think more evidence was needed, or even useful. I see it as a publicity stunt.
I note that the FBI say they cannot break ‘more recent phones’.
OK, so why should you care?
Government surveillance is a key part of a police state. The best way to lose your freedom is to be under scrutiny at all times.
We’re moving, as a society, and the direction is disturbing.
Citizens can defend themselves from such constant scrutiny in various ways. Or can they?
- Encrypt your messages. Your online financial transactions are encrypted. The US Government made sure that the encryption keys were short enough that their supercomputer could always break that encryption.
At one point, longer keys were treated as munitions and penalties for exporting supporting software were like those for shipping missiles and bombs.
- Hide their actions. You might behave behind your high fence with no overlooking buildings. In a US case, a surveillance airplane, flying where a private airplane could conceivably fly, detected marijuana plants in such a backyard. This was Not deemed to be a violation of a reasonable expectation of privacy.
- Use a device that ensures privacy. Barack Obama insisted on keeping his Blackberry. The spooks around him found a way to agree that it was suitably secure. But if you buy a smartphone, you may be compelled to disclose its password and thus your encryption key. Not in the United States of America, but here in Canada if our police chiefs have their way.
It appears that Blackberry pulled out of India over security demands. Could they have decrypted users’ messages? (I thought not, but the reason is technical and boring.)
- Go off the grid. There is no protection from the likes of the Unabomber. There is no protection from a secretly radicalized individual.
The last point is part of my reason for keying all this crud. Law enforcement authorities will use any possible slant to increase their powers. It is the nature of power to augment itself. Thus any failure on the part of law enforcement is taken as the fault of the country and its citizens, for not having given law enforcement sufficiently intrusive powers as to curtail illegal acts of any kind. The indefensible must be met with more intrusion and more surveillance of citizens.
Since it is impossible to win against the lone wolf, it is necessary to stop short of tying all freedoms in knots while making the attempt.
I will give a few examples of why I think government inspection of our lives should be curtailed, not increased. I simply don’t trust them.
- At one point, Intel was requested to put a back door into every CPU chip they made. In the hands of law enforcement, this is like having your life story available to anyone who can touch your back door. With such broad access as the prize, criminals would find or buy a hack. (Consider ‘trojan’ malware, which makes your computer usable by a remote chat room visitor. Look how much trouble and social engineering goes into conning users into downloading such misery. Imagine if the bad guys could simply connect, like the FBI wanted to, to your CPU without you making a single error in security.)
Intel’s refusal was not greeted with enthusiasm by law enforcement.
- At one point, DES keys were limited in length. Then financial institutions were allowed to use longer keys. I believe the US law now allows any key length, and we’re moving forward into AES. This as the supercomputers get better.
In short, I think we’ve always been spied on.
- The Heartbleed bug. This was known by the spooks for about two years before it became common knowledge amongst us mere users. USA government departments reportedly used this to spy on all manner of website contents.
(The bug is part of a protocol whereby two machines reassure themselves that the other is ‘still there.’ A ‘heartbeat’ request is sent and returned. If the request asks for a lot more data than it sent, random extra data (adjacent computer memory contents) will be returned. So a peek into the memory of any web-active computer can be achieved with this bug. The machines don’t really have to be in any collaboration at all; web protocol says, you answer a heartbeat request with a heartbeat response.)
- Most of us are too young to remember when seasonal greeting cards could be sent more cheaply (postage-wise) if their envelopes were not sealed.
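The heartbeat over-read described in the Heartbleed item above comes down to one missing length check. The sketch below is an added example, not part of the original post and not OpenSSL's code; the buffer layout, the function names and the `CONSTRUCTED-SECRET` marker are assumptions made for the illustration, and the message layout and 16-byte padding follow RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */
#define RECORD_LEN  (HB_HEADER + 4 + HB_PADDING)  /* bytes really received */
#define SECRET      "CONSTRUCTED-SECRET"          /* constructed sample data */
/* Constructed stand-in for process memory: the record, then unrelated data. */
static uint8_t memory[64];

static void load_request(uint16_t claimed_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);  /* sender-controlled length */
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + HB_HEADER, "ping", 4);    /* payload actually sent */
    memcpy(memory + RECORD_LEN, SECRET, strlen(SECRET));
}

/* validate == 0 echoes as many bytes as the request claims (the flaw); validate != 0
 * checks the claim against the record received. Returns length, or -1 if discarded. */
static long hb_respond(const uint8_t *rec, size_t rec_len, int validate,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (validate && HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;                                 /* discard silently */
    if (HB_HEADER + claimed > out_cap) return -1;  /* keeps the demo in bounds */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return (long)(HB_HEADER + claimed);
}

/* 1 if the response carries the neighbouring data, 0 if not, -1 if discarded. */
static int response_leaks(uint16_t claimed_len, int validate) {
    uint8_t out[sizeof memory];
    load_request(claimed_len);
    long n = hb_respond(memory, RECORD_LEN, validate, out, sizeof out);
    if (n < 0) return -1;
    for (long i = 0; i + (long)strlen(SECRET) <= n; i++)
        if (memcmp(out + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}

int main(void) {
    printf("unchecked: %d  checked: %d\n", response_leaks(40, 0), response_leaks(40, 1));
    return 0;
}
```

An honest request (claimed length 4) gets the same 7-byte answer either way; only the check on the claimed length separates a discarded request from a response that carries whatever sat next to the record.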
Your government has various ‘law enforcement’ agencies. They all want to spy on you. The balance between freedom and law and order is being tilted, and the larger forces are those wanting to intrude on your privacy.
Do you care? Will you write, phone, or eMail your federal and provincial representative? (or, in the USA, federal and state?)
Those are the dumb questions.
Americans should watch this with some slight unease. A shift in legal ground in Canada could be trumpeted as cause for new legislation in other countries.