When Government is the Hacker, How Do You Protect Yourself?
FBI malware and mass government surveillance breach U.S. citizens’ privacy, tech firms say.
During October's National Cybersecurity Awareness Month, when industry and government are supposed to unite in solidarity against hackers, some companies are pointing the finger at the elephant hacker in the room -- the government itself.
Leaks by ex-intelligence contractor Edward Snowden ignited awareness that U.S. authorities access U.S. citizens' private call records and correspondence with foreigners. Just like cyber criminals, they break into personal devices, using phishing techniques. Bogus, yet persuasive emails -- say, ones that contain an Associated Press article about bomb threats at schools -- secretly slip surveillance malware into a suspect's computer.
The feds also compel telecom companies to turn over bulk call records and tap international communications.
Tech developers cashing in on the mass spying revelations are promoting products that prevent the government from breaching citizens' data.
Yet these companies, according to U.S. authorities, are impeding legal efforts to track down criminals and terrorists.
The code-making, code-breaking tug of war was highlighted by remarks this month from FBI Director James Comey, in which he said encrypted, lock-boxed communications could make the job of law enforcement more difficult.
FBI 'Struggling to Keep Up'
"We are struggling to keep up with changing technology and to maintain our ability to actually collect the information we are authorized to collect," he said at an Oct. 16 forum hosted by the Brookings Institution. "And if the challenges of real-time data interception threaten to leave us in the dark, encryption threatens to lead us all to a very, very dark place. I am a huge believer in the rule of law, but I also believe that no one in this country should be beyond the law. There should be no law-free zones in this country."
This fall, Internet giants Apple and Google joined the encryption revolution by promising to offer consumers software that automatically scrambles their messages into secret code.
Apple spokesman Colin Johnson referenced a company webpage promoting its commitment to confidentiality. The site assures that devices running iOS 8 will be protected from governments seeking to collect photos, messages, email, contacts, call history, iTunes content, notes and reminders. All that data is encrypted. The only entity with a passcode to unlock the ciphers is the user.
“It’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8,” the webpage states.
Google officials offered a similar privacy pledge: “For over three years, Android has offered encryption, and keys are not stored off of the device so they cannot be shared with law enforcement. As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on.”
Tips from Privacy-Conscious Companies
Even some former U.S. national security personnel are selling software to draw a line between the authorities and private individuals.
Mike Janke, previously a Navy SEAL and now co-founder of encrypted communications provider Silent Circle, recommended the following for "pulling back the protections that were already granted to you in the Constitution":
- "What happens when you use encryption is that you force the government and law enforcement to actually use the legal system."
- Do not let the government force product makers to dent security on their merchandise: "If you make technology weak, it opens it up to criminals and to hackers."
- “We are all for intelligence agencies using technology to find bad guys. Absolutely. But what we are not for is the max vacuuming of all citizens' data.”
Jennifer DeTrani, general counsel and chief privacy officer at texting service Wickr, says any U.S. citizen interested in protecting privacy rights should take the following precautions:
- "Watch out for front-facing cameras on your phone, tablet, computer and TV. Masking tape is still the best solution. It is also good to plug your headphone jacks; this will stop 99 percent of the bugs from listening."
- “Be careful what apps you download. Look closely at the company behind the app and the privacy policy. Do not import your address book without careful consideration.”
- “If you don’t want your location physically tracked, consider removing your battery or shielding your phone in a Faraday cage when you are not using it.”
Andy Feit, chief executive officer of Enlocked, who co-created an encryption Web tool marketed as the simplest way to secure email, advises that citizens take these precautions:
- Communicate using tools that lock out even the communications provider from being able to read your messages.
- PGP encryption, which is used by most secure communications providers, hasn't been broken to anyone's knowledge. The technology slows the government's ability to surveil, he said. "The days of them being able to just blanket mass surveillance an entire community or country or set of users -- it would be much, much harder, when that happens," he said.
- “In the end, I want the NSA and the CIA ... to do it in the right way and not (by) monitoring everybody . . . It’s hard work. That's what you are paid to do.”
Law Enforcement Officials Want to Keep "Backdoors"
The Office of the Director of National Intelligence, which coordinates data surveillance activities across civilian and defense intelligence agencies, deferred to the FBI’s position on encryption and new technologies.
FBI officials view such incognito communications as detrimental to the public’s well-being. The government continues urging businesses to build "backdoors" into products before they hit store shelves.
"There is much more risk associated with the after-the-fact intercept capability being built in," Comey said. "There is a non-zero risk associated with building it in, in the first place. But there is also risk to us, as a society, by foregoing the ability to collect that information with lawful authority. My view is that the risk mitigation associated with building it in the front end and the risk avoidance by not having a dark spot -- that is spreading across our entire country -- makes sense."
And while the market imperative for companies to offer privacy-protecting services appears sensible, it's not industry's role to decide whether it is safe, he added.
Businesses are saying, “‘Our stuff is protected.’ I get that and that makes sense for them to advocate that position," Comey said, but "I think what they are not able to advocate -- because it's frankly not a thing they own except as citizens in this great country -- is the safety trade off, the security trade off."