Welcome to Codebook, the cybersecurity newsletter that, through a series of mishaps, was written on someone else's iPhone.
Today's newsletter is 1,047 words, about a 4-minute read.
1 big thing: The encryption debate just got harder
Experts fear that the Department of Justice's latest argument against warrant-proof encryption, which emphasizes protecting children and focuses on the use of encrypted messaging apps, may make it harder than ever to resolve the encryption debate.
The big picture: The DOJ's new plea for extraordinary access to encrypted data, put forward at a summit last week, moves the debate toward systems that are harder to secure and use cases that are exponentially costlier to address.
Background: For years, the DOJ has argued the key reason for tech companies to implement weaker encryption algorithms was that strong encryption helps hide evidence critical to fighting terrorists. The metric the DOJ used to make this point was how many cellphones it was unable to break into to obtain this and other evidence.
- That changed last week when Attorney General William Barr and his counterparts in Australia and the U.K. started emphasizing a different metric and a different topic. In a letter to Facebook and a subsequent conference, Barr emphasized that the key reason for tech firms to weaken encryption was to stymie child exploitation operations run through messaging apps.
The main encryption controversy — whether tech firms should design encryption to let users control who can see their data, or allow law enforcement to access data without user permission — hasn't changed.
- Cryptographers and security experts still believe that weakening security to give authorities access to data will make it easier for everyone else, including bad actors, to access that data, too.
But, but, but: The focus on messaging apps and child exploitation adds a new wrinkle.
- Johns Hopkins associate professor Matthew Green notes that it's harder to safely weaken encryption on chat apps than on physical phones.
- "If China wants to decrypt everyone in the Senate’s phones," he told Codebook, "they need to physically obtain all the phones." But chat messages can be obtained remotely — they pass through the internet to reach their target.
A recent report from the Carnegie Endowment for International Peace noted a variety of other reasons that the debate should focus on phones rather than messaging apps, including that chat apps continuously change encryption keys, a valuable security property that is tough to maintain while extending access to law enforcement.
- "[I]f good-faith debate on all sides can’t lead to more constructive discussions in this area, then there are likely none elsewhere," the report concluded.
And child exploitation is a more sprawling problem to address, in technical terms.
- The DOJ touted Facebook as a company that was able to provide investigators with massive amounts of tips regarding illegal images being shared on the platform.
- But there's a big difference between assisting terrorism investigations with occasional access to specific phones and assisting child exploitation investigations by building massive image analysis networks.
- That would require platforms to invest in costly bulk surveillance systems that will inevitably rely on advanced artificial intelligence to analyze every image — and will also need humans to double-check the work.
- Some, like Facebook, already have a version of that in place to flag illegal content on their unencrypted platforms. But messaging apps that haven't had to screen content in the past would be starting from scratch.
2. Clever GDPR response to China won't work, but still clever
After a long week in which China made moves against American companies disapproving of its handling of pro-democracy Hong Kong protests, clever gamers are trying to fight back using European privacy laws as a cudgel.
Driving the news: On Wednesday, Apple bowed to pressure from the Chinese press to remove an app that protesters used to track the police. That followed the NBA and NBA players distancing themselves from a team general manager who expressed solidarity with the protesters and the video game maker Blizzard nixing a tournament win from a player who did the same.
- Boing Boing noted that some gamers planned an organized protest of flooding Blizzard with GDPR requests — attempting to bleed Blizzard of resources using the European privacy law's requirement that companies tell consumers what personal data they hold.
Will it work? No. Handling GDPR requests isn't cheap, but it also isn't prohibitively expensive. Still, there aren't a huge number of intermediate steps short of canceling accounts to express displeasure with multinational companies' actions.
Meanwhile: China and Taiwan fight the battle of Wikipedia.
3. Russia and China will cooperate to fight illegal online content
The Russian internet regulator Roskomnadzor announced that Moscow and Beijing would sign an accord to cooperate on fighting illegal online content at an Oct. 20 internet conference.
Why it matters: Russia and China share more than a gigantic border. Both countries envision tremendous state controls over internet content in the name of national security. Critics wonder if this move means Russia is taking a first step toward China's world-leading level of censorship.
4. Other news from last week
U.S. courts ruled the FBI overstepped using mass surveillance tools (FISA ruling): The secretive FISA court ruled that the FBI violated the Fourth Amendment and the law permitting the NSA's mass surveillance program thousands of times between 2017 and 2018.
- The ruling was issued in 2018 but only declassified this week.
- The FBI is only supposed to use the NSA's massive archive of globally slurped electronic data to find criminal activity or to investigate foreign targets.
- The court found that FBI agents unlawfully used the systems to investigate each other, family members and sources, none of whom were suspected of criminal activity.
NSO malware in Morocco? (Amnesty International): Amnesty International believes commercial spyware sold to governments was used to surveil human rights advocates in Morocco since 2017.
- The malware in use was built by the NSO Group, a controversial Israeli contracting firm.
- NSO recently announced a battery of new internal rules to prevent human rights abuses with its software.
The White House restricted some sales to China, but is loosening the grip on others (New York Times, BBC): As trading negotiations reignite, the White House plans to issue more licenses to sell tech to the embattled telecommunications provider Huawei. Meanwhile, the Trump Administration barred sales to makers of surveillance equipment used to spy on the Uighur minority.
5. Odds and ends
- Criminal group FIN7 is using new tools. (FireEye)
- Chinese threat group Mustang Panda ramped up activity throughout Asia, including targeting political parties, ethnic groups and an airline. (Anomali)
- It's a great time to work in cybersecurity, especially in Virginia. (Comparitech)
- Headline of the day: "Can the Girl Scouts save the moon from cyberattack?"
- 96% of deepfakes were pornography targeting women. (Sophos)
- DHS wants subpoena authority to find and contact potential hacking victims. (CyberScoop)
- Twitter acknowledged using phone numbers users provided as a second form of authentication to target advertisements. (Axios)