CNET reports that an internal DEA document reveals that the DEA is unable to intercept text messages sent over Apple’s iMessage protocol.
The protocol provides end-to-end encryption for messages between iOS and Mac OS X devices.
This is not to suggest that the encryption in iMessage is particularly good, but to contrast it with standard text messages and voice calls, which are completely unprotected within the phone company’s networks.
It appears that an active man-in-the-middle attack would be able to thwart the encryption, but it would take significantly more effort. The lack of any kind of out-of-band channel authentication suggests that such an attack should not be too difficult.
If you really need to protect your chat messages, I suggest using a tool like Silent Text. They take some steps that make man-in-the-middle attacks almost impossible.
In this CNET article, Declan McCullagh reports that the DoJ is planning to request mandatory data retention by Internet providers. Their argument is that the lack of data retention is interfering with law enforcement’s ability to investigate cases. This implies some kind of shift in the balance of privacy vs. access. No such shift has taken place.
I think that they are more frustrated by the fact that a huge potential gold mine of information is out there to which they don’t have access. Prior to the various modern technological revolutions, people used pay phones, sent letters, and paid cash for toll roads.
Now they use Twitter, SMS, Facebook, email, cell phones, electronic toll payment, etc. There is way more information available to law enforcement now than before. The fact that this data retention is only on the Internet may make people feel better, but one would certainly learn more about me from my Internet activities than from following me around physically.
Let's look at what is being asked for with a real-world analogy. This is like saying that the US Postal Service should photograph and database the address, and return address, on every letter which goes through the system. Physically, it is like saying the cell phone company should record and retain my GPS location at all times. Either of those would actually be much less intrusive than monitoring how I use the Internet at all times.
Let's not get into the cost of maintaining these records or the issues with leaks or hackers. Consider the Chinese attacks on dissident Google accounts. This plan would ensure that such information was much more widely maintained.
At this point it appears to be only a request. I am curious to see how this evolves over the congressional term.
Posted by lance in Computer Security, Cryptography, First Amendment, Innovation, Internet, legal, Legislation, National Security, Online Privacy, Personal Privacy, Security Breaches, Surveillance
The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea.
The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance and constitutional issues).