OFF THE WIRE
http://news.cnet.com/8301- 13578_3-57577887-38/apples- imessage-encryption-trips-up- feds-surveillance/?part=rss& subj=news&tag=title#. UV1gK672IWg.reddit
Apple's iMessage encryption trips up feds' surveillance
Internal
document from the Drug Enforcement Administration complains that
messages sent with Apple's encrypted chat service are "impossible to
intercept," even with a warrant.
The
DEA is not happy about Apple's iMessage transmissions, which it says
are "considered encrypted communication and cannot be intercepted."
(Credit: Getty Images)
Encryption
used in Apple's iMessage chat service has stymied attempts by federal
drug enforcement agents to eavesdrop on suspects' conversations, an
internal government document reveals.
An
internal Drug Enforcement Administration document seen by CNET
discusses a February 2013 criminal investigation and warns that because
of the use of encryption, "it is impossible tointercept iMessages between two Apple devices" even with a court order approved by a federal judge.
The
DEA's warning, marked "law enforcement sensitive," is the most detailed
example to date of the technological obstacles -- FBI director Robert
Mueller has called it the "Going Dark" problem -- that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication.
Excerpt
from an iMessage "Intelligence Note" prepared by the Drug Enforcement
Administration and obtained by CNET. Click for larger image.
(Credit: DEA)
When Apple's iMessage was announced in
mid-2011, Cupertino said it would use "secure end-to-end encryption."
It quickly became the most popular encrypted chat program in history:
Apple CEO Tim Cook said last
fall that 300 billion messages have been sent so far, which are
transmitted through the Internet rather than as more costly SMS messages
carried by wireless providers.
A spokeswoman for the DEA declined to comment on iMessage and encryption. Apple also declined to comment.
The
DEA's "Intelligence Note" says that iMessage came to the attention of
the agency's San Jose, Calif., office as agents were drafting a request
for a court order to perform real-time electronic surveillance under
Title III of the Federal Wiretap Act. They discovered that records of
text messages already obtained from Verizon Wireless were incomplete
because the target of the investigation used iMessage: "It became
apparent that not all text messages were being captured."
This echoes what other law enforcement agencies have been telling politicians on Capitol Hill for years. Last May, CNET reported that
the FBI has quietly asked Web companies not to oppose a law that would
levy new wiretap requirements on social-networking Web sites and
providers of VoIP, instant messaging, and Web e-mail. During an
appearance two weeks later at a Senate hearing, the FBI's Mueller confirmed that the bureau is pushing for "some form of legislation."
Andrew
Weissmann, the FBI's general counsel, said last month at an American
Bar Association event that enacting a new law to amend a 1994 law called
the Communications Assistance for Law Enforcement Act is a "top
priority" this year. CALEA requires
telecommunications providers to build in backdoors for easier
surveillance, but does not apply to Internet companies, which are
required to provide technical assistance instead.
What's
difficult, Weissmann said, "is trying to come up with the fairest and
most sort of narrowly tailored means to do this." He added: "We don't
want to have a system where you're needlessly imposing burdens on
thriving industries or even budding industries... So what the bureau has
been spending quite a bit of time on, and certainly has as a top
priority this year, is coming up with a proposal with other members of
the intelligence community that tries to balance all of that. That does
tackle the problem of trying to modernize where we were from 1994, given
how much technology has advanced."
'Not designed to be government-proof'
Apple has disclosed little about how iMessage works, but a partial analysis sheds some light on the protocol. Matthew Green, a cryptographer and research professor at Johns Hopkins University, wrote last summer that because iMessage has "lots of moving parts," there are plenty of places where things could go wrong. Green said that Apple "may be able to substantially undercut the security of the protocol" -- by, perhaps, taking advantage of its position during the creation of the secure channel to copy a duplicate set of messages for law enforcement.
Apple has disclosed little about how iMessage works, but a partial analysis sheds some light on the protocol. Matthew Green, a cryptographer and research professor at Johns Hopkins University, wrote last summer that because iMessage has "lots of moving parts," there are plenty of places where things could go wrong. Green said that Apple "may be able to substantially undercut the security of the protocol" -- by, perhaps, taking advantage of its position during the creation of the secure channel to copy a duplicate set of messages for law enforcement.
Christopher
Soghoian, a senior policy analyst at the American Civil Liberties
Union, said yesterday that "Apple's service is not designed to be
government-proof."
"It's
much much more difficult to intercept than a telephone call or a text
message" that federal agents are used to, Soghoian says. "The government
would need to perform an active man-in-the-middle attack... The real
issue is why the phone companies in 2013 are still delivering an
unencrypted audio and text service to users. It's disgraceful."
Apple introduced iMessage, which encrypts text conversations, in 2011. That has made the DEA a bit unhappy.
(Credit: CNET/CBS Interactive)
The
DEA says that "iMessages between two Apple devices are considered
encrypted communication and cannot be intercepted, regardless of the
cell phone service provider." But, if the messages are exchanged between
an Apple device and a non-Apple device, the agency says, they "can
sometimes be intercepted, depending on where the intercept is placed."
This
isn't the first time that federal agencies have warned of surveillance
woes. An FBI staff operations specialist in the bureau's
Counterterrorism Division complained in
2010 of difficulties in "obtaining information from Internet service
providers and social-networking sites." And a Homeland Security report obtained by the
Electronic Frontier Foundation shows that a working group convened by
an FBI office in Chantilly, Va. requested details about how
"investigations have been negatively impacted" by companies' delays or
inability to comply with surveillance requests.
Going
Dark has emerged as a significant effort inside the FBI, which employed
107 full-time equivalent people on the project as of 2009, commissioned
a RAND study, hired consultants from Booz, Allen and Hamilton, and
sought extensive technical input from its secretive Operational
Technology Division in Quantico, Va.
Related posts
"There
is a growing and dangerous gap between law enforcement's legal
authority to conduct electronic surveillance, and its actual ability to
conduct such surveillance," FBI director Mueller told a House of
Representatives committee two weeks ago. "We must ensure that the laws
by which we operate and which provide protection to individual privacy
rights keep pace with new threats and new technology."
As CNET was the first to report in 2003,
representatives of the FBI's Electronic Surveillance Technology Section
in Chantilly, Va., began quietly lobbying the Federal Communications
Commission to force broadband providers to provide more-efficient,
standardized surveillance facilities. The FCCapproved that
requirement a year later, sweeping in Internet phone companies that tie
into the existing telecommunications system. The regulations were upheld in 2006 by a federal appeals court.
But
the FCC never granted the FBI's request to interpret the law to cover
instant messaging and VoIP programs that are not "managed"--meaning
peer-to-peer programs like Apple's Facetime and iMessage, Facebook Chat,
Gmail's video chat, and Xbox Live's in-game chat that do not use the public telephone network.
If
Congress does nothing, law enforcement still has options. Police can
obtain a special warrant allowing them to sneak into someone's house or
office, install keystroke-logging software, and record passphrases. The
DEA adopted this technique in a case where suspects used PGP and the encrypted Web e-mail service Hushmail.com. They can also send a suspect malware, purchase a so-called zero day vulnerability to
gain control of a target device and extract the contents, or obtain a
warrant to seize the physical device and perform a traditional forensics
analysis.
Apple's privacy policy authorizes
the company to divulge customers' information about customers to law
enforcement when "reasonably necessary or appropriate" or to "comply
with legal process."