Surveillance

Wired Speaks to William C. Banks About Privacy & Surveillance Post-9/11

Our Connected World and the Unseen Legacies of 9/11

(Wired, Sept. 11, 2016)  Tom Drake arrived at work on his first day as a full-time employee of the National Security Agency before sunrise on a cool, clear morning: September 11, 2001. As he shadowed the NSA’s director of signals intelligence in a briefing about a new $4 billion plan, codenamed Trailblazer, that would better apply the agency’s spying to the Internet, an aide opened a door and interrupted with news: A plane had hit the north tower of the World Trade Center. Minutes later, the aide returned. The south tower had been hit, too. Drake, a thin man with severe, deep-set eyes, stood up and said the words everyone in the room had been thinking: “America is under attack.” The agency’s modernization plan was already too late.

“I think we’ve just come to accept these differences in our way of life.”

The director, Drake remembers, was whisked onto an express elevator to a crisis war room. Drake and thousands of other employees were sent home, as rumors swirled that Fort Meade might be the next target. The exodus caused a traffic jam. “We just sat in traffic, stunned.”

In the weeks and months that followed, the NSA indeed transformed, along with the rest of America.  “It was clear that it was going to be a different world…that this was not going to be a normal crisis, but a years-long crisis,” Drake says. Today you can see just how much that moment reshaped America, in how you travel, the buildings you live in, the things you fear, and the privacy you expect. That’s the technological legacy of 9/11—an almost incalculable change to the visible and invisible infrastructure of everyday life.

The Surveillance State

American surveillance was reborn on September 11, and no single government agency embodies that change better than the National Security Agency. After the Cold War, the NSA had been reduced to a kind of backwater within the Pentagon, says James Bamford, the author of a trilogy of books on the agency. By the mid-1990s, it began to position itself as the go-to agency for preventing terrorism. But to do so required a fundamental shift in mission, from targeted eavesdropping on government satellite channels to eavesdropping on the far more diverse forms of communication used by terrorists, like cell phones and the nascent Internet. So the agency needed money.

After 9/11, it got it—coupled with the legal authority and the political mandate to take on that immense spying task. The Patriot Act, rushed through Congress within a month, allowed the NSA to suck up data from telecom and tech firms like never before (leading to the warrantless wiretapping scandal revealed by the New York Times in 2005). A provision of the law—Section 215—allowed the agency to continue collecting the metadata of every American phone call for well over a decade, until Edward Snowden’s leaks exposed the program in 2013 and led to its suspension …

… Following the attacks in 2001, federal, local, and state law enforcement agencies started protecting special events. Over time, that meant greater police presence at everything from New York Giants football games to Taylor Swift concerts. While lots of us remember being able to walk into a stadium with the scantest of bag checks, we’re now accustomed to a procedure not all that different from airport security lines: metal detectors, wands, and even pat-downs. “I think it has taken most of 15 years for the American people to get used to these ideas, but it seems to me now that there’s very little pushback,”says William Banks, the director of the Institute for National Security and Counterterrorism at Syracuse University. “I think we’ve just come to accept these differences in our way of life.”

Once a privacy debate lightening rod, even body scanners aren’t so controversial anymore to most Americans, according to a study by researchers at James Madison University.  “In general I think people who fly understand that they want to be safe, and in their own minds think, ‘What may I give up to maintain my safety?’” says  Thomas Dillon, an information security and privacy specialist.

Children born in the years after September 11, 2001 will never experience meeting relatives at the gate. The scene in Love, Actually, where families gather in the terminal to shower Hugh Grant and the rest of the characters with hugs and flowers will seem implausible at best. If you remember when flying was a more casual affair, that kind of movie scene appears now as a throwback to a more naive time.

Banks sees a future where attendance at concerts and sporting events is monitored ever more closely but less obviously, with drones, stingrays, and  biometric systems paired with watchlist databases (in many cases—like the Super Bowl—this is already happening).” It won’t be noticed as much by many people,” Banks says, “but they may in some ways be more pervasive than the physical security.” After all, physical security screeners see what’s in your bag and your pockets; aerial and digital surveillance sees behavior, and potentially everything else …

To read the full article, click here.

Nathan Sales Speaks to NBC News About the Patriot Act

Did the Patriot Act Change US Attitudes on Surveillance?

(NBC News | Sept. 8, 2016) In the emotional wake of 9/11, a shocked and grieving nation demanded answers and justice. Lawmakers pledged to provide both with the Patriot Act.

Fifteen years later, the law dramatically expanded the government’s ability to gather surveillance, broadened the definition of terrorism and sought to strengthen border security. It led to roving wiretaps and the much-criticized collection and storage of U.S. citizens’ phone and internet metadata while requiring communications companies to hand over that data.

“The laws were so that it was harder to investigate terrorists than Tony Soprano.”

The law, and subsequent revelations about government surveillance of Americans, also helped push a GOP-dominated Congress to move to narrow the scope. The law also ultimately helped force into the public sphere a debate over the conflict between the government’s desire to protect its citizens and its citizens’ civil liberties …

… Nathan Sales was fresh off a judicial clerkship and working at the Office of Legal Policy at the Department of Justice when he found himself part of the effort to help draft the USA PATRIOT Act, or the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. The task was a daunting one: Promote information sharing between law enforcement and the intelligence community in an effort to ward off future attacks.

“The laws were so that it was harder to investigate terrorists than Tony Soprano,” Sales told NBC News. “The right hand needs to know what the left hand is doing. Cops and spies, everyone needs to be talking.”

Sales, who is now a professor at Syracuse University School of Law, said the law did just that as well as offered the intelligence community some of the same intelligence gathering tools used by law enforcement, such as wiretapping …

To read the full article, click here.

Suspicion in America: Creating a Problem for a Solution

By Ryan J. Suto

(Re-published from Fair Observer, Aug. 23, 2016) Amid an election full of outlandish statements, Twitter spats, and ad hominem accusations, many important problems facing America have failed to grace headlines. In Suspicion in America, the second of a five-part series exploring issues ignored during the 2016 presidential election season, Ryan J. Suto addresses the danger of continuing the implementation of the CVE program at the federal level. Click here for part 1.

The Obama administration recently led the federal government in pursuing a discriminatory and ineffectual anti-terrorism policy that, at best, adds little to present efforts and, at worst, could alienate and disenfranchise an entire segment of the American population. The next president will inherit this policy, Countering Violent Extremism (CVE), facing the decision to abandon or maintain it.

“Terrorism research routinely concludes that there is no known ‘terrorist profile,’ single set of indicators of radicalization, nor a unitary path toward violence that local leaders could be taught.”

CVE is a federal program with the stated goal of providing planning and funding to support the community-based recognition, reporting and, ultimately, prevention of the root causes of violent extremism. In 2015, the White House launched the program with a summit to coordinate efforts with both local and international leaders. As part of CVE, the Federal Bureau of Investigation (FBI) has begun to train students, teachers and other community members with the hope that they could recognize and prevent violent extremism.

The program’s framework emphasizes cooperation with local officials and has thus launched three pilot programs: one in Boston, another in Los Angeles and the last in Minnesota. Speaking on the subject, George Selim, the head of the new office of community partnerships within the Department of Homeland Security, admitted, “There is no uniform agreement on the best way to tackle terror recruitment and the risk of violence on American soil”—the motivating justification behind the local focus of the program. Despite this recognition, CVE, like the Transportation Security Administration’s SPOT program, is based on no scientific evidence regarding methods of detecting potential extremists or terrorists.

Nonetheless, earlier this year, Senator Cory Booker introduced a new bill to “authorize the Secretary of Homeland Security to establish university labs for student-developed technology-based solutions for countering online recruitment of violent extremists.” More recently, Representative Todd Young introduced a bill to ensure the CVE program is effective via an oversight group. While neither bill has advanced to the president’s desk for a signature, it is clear that both parties have taken up CVE as a noble policy model for bureaucratic growth.

WHAT CVE GETS WRONG

There are at least three policy-based deficiencies of the Countering Violent Extremism program.

First, CVE creates more national security bureaucracy: America now has yet another office, here within the Department of Homeland Security, with the goal of preventing terrorism within our borders. Since the passage of the USA PATRIOT Act in 2001, the federal government has been endeavoring to improve coordination among federal agencies and between them and local law enforcement on this singular subject. While overlapping competencies may have the aim of eliminating holes in coverage and jurisdiction, the funding diverted for CVE would be better spent improving the accuracy and efficacy of existing efforts.

Second, CVE inherently assumes that either local community leaders can be effectively trained on detecting future terrorists, or that communities presently turn a blind eye toward potential extremists. However, terrorism research routinely concludes that there is no known “terrorist profile,” single set of indicators of radicalization, nor a unitary path toward violence that local leaders could be taught. Indicators are not simple enough to present during a workshop and expect results without large numbers of false positives. Moreover, there is no evidence whatsoever that American Muslim communities have knowingly harbored any past active or potential terrorists.

Third, while CVE emphasizes coordination with local actors, the program itself is still top-down, instead of originating from grassroots efforts. The messaging of this and related federal government anti-terrorism programs, for example, is comical. Catchphrases such as “Think Again, Turn Away” and “Don’t Be a Puppet” ring hollow when originating from a government, viewed as either secular or Christian, that routinely guns down Muslims via drone strikes or detains them for decades without trial …

To read the full blog, click here.

INSCT CAS in Postconflict Reconstruction alumnus Ryan J. Suto (JD/MS/MAIR ’13) currently works for Cydecor, a defense consulting firm based in Washington, DC.

An Essay on Domestic Surveillance

By Philip B. Heymann

(Re-published from Journal of National Security Law & Policy, 8:3 (June 2016)) Whoever becomes president in the decades ahead may inherit extensive institutional knowledge (or the capacity to create such knowledge) about almost every citizen’s beliefs, concerns, ambitions, interests, fears, actions, intentions, and associates. These multiple funds of information will also be readily subject to electronic search, storage, and combination and will generate increasingly reliable conclusions about our past as well as predictions about our future activities.

“Government surveillance has far greater reach. The FBI and other law enforcement agencies can – without any showing of a compelling social need (a predicate) or of a judicial warrant – do whatever private individuals are allowed to do to discover information.”

Should this scenario concern a far-sighted citizen? The possible ramifications for democracy and for civil society are dangerous. For instance, consider the importance of privacy of association. For an individual challenging a political or organizational leader, privacy of association is essential in the earliest stages of the challenge when that leader enjoys discretionary powers to help or harm the individual engaged in the challenge. Privacy of association was the issue in NAACP v. Alabama.

In this case, the State of Alabama demanded and sought to make public the membership lists of the local NAACP. Releasing these membership lists would have allowed private groups that were hostile to the political rights of black Americans to use that information as they chose On a more intimate basis, privacy is also necessary to shape one’s behavior and self image, free from social pressures. It limits how one’s choices, including associations, affect others’ attitudes about us—often a necessary safeguard in developing and projecting a chosen “self.” The capacity of a government to use its surveillance systems to reveal what an individual is not yet willing to reveal denies our ability to choose our paths slowly and deliberately.

There is a second question, closely related to the first. Why, in an age of rapidly expanding use of the Internet and surveillance of that use by Internet service providers of various sorts, should we worry about the government? After all, the government probably gathers only a fraction of what private organizations do to learn about our interests, concerns, etc. for their commercial purposes, knowledge they use to create and sell new products and services.

The reasons are near at hand. Government surveillance has far greater reach. The FBI and other law enforcement agencies can – without any showing of a compelling social need (a predicate) or of a judicial warrant – do whatever private individuals are allowed to do to discover information. But they can do much more. They can demand, with the assistance of a federal prosecutor, any records that “might” be useful to a grand jury. The government can be and is empowered to demand access to any records kept by third parties, including the vast array of electronic records now kept by businesses about their customers.

What private businesses can obtain by requiring a waiver of privacy rights as a condition of access to their services, the government can obtain without even that strained form of consent and without the alerting knowledge that consent gives to the individual being monitored. Indeed, notice can be forbidden with judicial approval. The government is allowed to use informants and undercover agents in a way that is rarely available to businesses. The government can and does develop technology, such as drones, which can greatly increase its powers to observe the activities of individuals from public spaces. The use of drones for surveillance is legal without any special showing of need and without getting a judge’s certificate showing that a required predicate such as “probable cause” of a crime or a foreign danger has been met. With a predicate and a judicial warrant, the government can search places or activities, such as homes and electronic communications that no private individual can search without consent.

The government also has capacities to use information it acquires in ways far more frightening and more likely to be hostile than those of a company, like Google or Facebook, that seek to make you a loyal customer. It can turn suspicions into investigations, and investigations into an arrest and search with probable cause; it can deny discretionary benefits, insist on cumbersome formalities when you cross U.S. borders, and encourage the actions of others by making obvious its suspicion of, or attention to, particular individuals. It can acquire and store vast troves of data to be used for any of these purposes or for noncriminal forms of regulation …

To read the complete essay, click here.

An Essay on Domestic Surveillance

LAW 759 Holds Apple vs. FBI Courtroom Simulation

Watch the simulation

On April 7, 2016, students in INSCT Faculty Member William C. Snyder’s LAW 759 Computer Crimes class took part in a courtroom simulation that assumed that the lawful order to compel Apple to help the FBI unlock an iPhone that had been in possession of one of the San Bernardino terror attackers (from the Dec. 2, 2015, incident) went before the US Court of Appeals for the Ninth Circuit. (In reality, the issue of breaking the security on this iPhone was resolved before the parties went before the judges.)

The students were asked to argue the legal (as attorneys) and policy (as “amici curiae”) cases for and against Apple being compelled to assist the FBI in the search. Each group had 15 minutes to state their arguments, while being questioned by the panel, made up of Snyder, Professor Lisa Dolak, and Professor George McGuire. A show of hands at the end of the exercise gave a narrow victory to the government’s case, but there were plenty of caveats and stipulations aired in court. Taking place in the Melanie Gray Ceremonial Courtroom at SU Law, the exercise was simulcast to interested admitted law students.

SIMULATION: COMPELLED ASSISTANCE TO LAW ENFORCEMENT TO EXECUTE A SEARCH WARRANT FOR PASSWORD AND ENCRYPTION PROTECTED DIGITAL DATA

April 7, 2016

Purpose

This simulation is intended to explore the existing law and policy issues relevant to mandating government access to stored digital data when government agents have a valid search warrant. This topic overlaps with the so-called “Going Dark” problem. It exists in the context of the Communications Assistance to Law Enforcement Act of 1994, which mandates that telecommunications carriers provide access to data traveling over their networks – that is, data in motion. The manufacturers of smartphones are not covered by CALEA. Data stored on a device possessed by an individual – that is, data at rest – is not covered by CALEA and is the topic of this simulation.

Fact Pattern

Most of the fact pattern for this simulation tracks the real events in what is popularly known as the San Bernardino Apple v. FBI case, correctly captioned as: In The Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, at No. ED 15-0451M of the United States District Court for the Central District of California.

Before Syed Rizwan Farook and his wife Tafsheen Malik shot and killed 14 people and injured 22 others at the Inland Regional Center in San Bernardino, California, Farook’s employer issued him an iPhone. The Federal Bureau of Investigation (“FBI”) recovered that iPhone during the investigation into the massacre. The FBI obtained a warrant to search the iPhone for data or information, and the owner of the iPhone, Farook’s employer, also gave the FBI its consent to the search.

Because the iPhone was locked, the government sought Apple’s help in its efforts to execute the lawfully issued search warrant. Apple refused. The government applied to the United States District Court and that court subsequently issued an Order Compelling Apple, Inc. to Assist Agents in Search (2/16/16). Subsequently, the government filed a Motion to Compel Apple Inc. to Comply With This Court’s February 16, 2016 Order Compelling Assistance in Search (2/19/16). Apple responded with Apple Inc’s Motion To Vacate Order Compelling Apple Inc. To Assist Agents In Search, And Opposition To Government’s Motion To Compel Assistance (2/25/16). The court scheduled a hearing for March 22, 2016.

In real life, the hearing never occurred, the FBI executed its search without Apple’s assistance, and the order compelling apple was dismissed. For purposes of this simulation, the hearing did occur on March 22, 2016. Assume that the arguments at the hearing were consistent with the pleadings listed above. Assume that the contents of [document to be provided] were the sworn testimony of the government’s witness(es) at the hearing, and that the contents of [document to be provided] were the sworn testimony of Apple’s witness(es) at the hearing.

The United States District Court then issued this order [fictitious, to be provided] affirming its earlier order compelling Apple, Inc., to assist in the search. The matter is now on (an expedited) appeal to the United States Court of Appeals for the Ninth Circuit.

The Assignment

The simulation is the argument before a panel of the Ninth Circuit. Three professors will perform the roles of the judges. Students will serve as the attorneys arguing for the parties before the court. Assume that the panel of judges expects to find that there is no binding precedent requiring it to affirm or reverse the order to compel Apple and that, therefore, the Court has invited policy-based arguments about what it should do, to the extent that the law allows it discretion.

The students will operate in four teams, one each for and against the lower court’s order based upon law and separately based upon policy. More specifically, the four groups are defined:

Group A: Will argue that, as a legal matter, the government’s motion to compel Apple, Inc., to assist in the search of the iPhone should be granted (or, more specifically, should have been granted)

Group B: Will argue that, as a legal matter, the government’s motion to compel Apple, Inc., to assist in the search of the iPhone should be denied (or, more specifically, should have been denied).

Group C: Will argue that, as a policy matter, the government’s motion to compel Apple, Inc., to assist in the search of the iPhone should be granted (or, more specifically, should have been granted)— that is, that the benefits to the United States people of access to digital data pursuant to a search warrant outweigh the risk to privacy and security posed by the creation of a means to access the phone listed in this search warrant.

Group D: Will argue that, as a policy matter, the government’s motion to compel Apple, Inc., to assist in the search of the iPhone should be denied (or, more specifically, should have been denied) — that is, the benefits to the American people of unbreakable encryption and of data being inaccessible even to the government when authorized by a court of law outweigh the benefits of the government having the data on this phone for its terrorism investigation and the harm and risk that would be generated by not creating a method to defeat the password protection and encryption on the phone listed in the warrant.

Each group will have fifteen (15) minutes to argue its position under the grilling of the judges.

William C. Snyder Speaks to CNET About Apple, FBI, & the “All Writs Act”

Feds to Apple: You’re not above the law in iPhone case

(CNET, March 10, 2016) The US Department of Justice fired back at Apple on Thursday in an ongoing battle over unlocking an iPhone, saying that complying with the FBI’s request wouldn’t be an “undue burden” for the company.

The government, in a 43-page court filing, said Apple “deliberately raised technological barriers that now stand between a lawful warrant and an iPhone containing evidence related to the terrorist mass murder of 14 Americans.”

To argue that the All Writs Act doesn’t apply in the Apple case “is like arguing that the Writ of Habeas Corpus shouldn’t apply to persons held in custody because it is hundreds of years old.”

“Apple alone can remove those barriers so that the FBI can search the phone, and it can do so without undue burden,” the government said.

The Justice Department noted that the Constitution, the All Writs Act (the 227-year-old law used to compel Apple to assist the FBI), and the three branches of government should be trusted to “strike the balance between each citizen’s right to privacy and all citizens’ right to safety and justice. The rule of law does not repose that power in a single corporation, no matter how successful it has been in selling its products.”

Apple, during a call with reporters on Thursday, disputed the assertions in the Justice Department’s filing and accused the government of taking cheap shots.

“In 30 years of practice, I don’t think I’ve ever seen a legal brief more intended to smear the other side with false accusation and innuendo,” Bruce Sewell, Apple’s top attorney, said. “I can only conclude the DOJ is so desperate at this point it’s thrown all decorum to the winds.”

The back-and-forth on Thursday is the latest skirmish in the war between the FBI and Apple, which is resisting a February 16 federal court order to unlock an iPhone 5C tied to December’s San Bernardino, California, massacre. The FBI wants Apple to create a special version of its mobile software to help access data on an iPhone used by Syed Farook, one of two terrorists who killed 14 people and wounded 20 others. Apple, which said it has already helped the FBI as much as it can, contends the court doesn’t have the authority to force it to write a special version of iOS and has turned this into a broader debate over personal privacy, one that has drawn the tech industry to its side.

The Cupertino, California, company says that complying with the FBI’s request will create a back door into the iPhone and set a “dangerous precedent” that exposes all its customers to security risks. The government says this is a onetime request (even though there is a list of a dozen other iPhones it wants unlocked) and argues that getting information from the iPhone is a matter of national security …

… The government defended its use of the All Writs Act, saying in passing the act, “Congress gave courts a means of ensuring that their lawful warrants were not thwarted by third parties like Apple.”

William C. Snyder, visiting assistant professor of law at Syracuse University College of Law and a former federal prosecutor, said he personally used the All Writs Act scores, if not hundreds, of times in the 1990s when prosecuting organized crime and narcotics cases. The act may be seen by Apple as outdated, he said, but it’s viewed in the legal community as a well-established, useful tool.

To argue that the All Writs Act doesn’t apply in the Apple case “is like arguing that the Writ of Habeas Corpus shouldn’t apply to persons held in custody because it is hundreds of years old or that the Fourth Amendment [that protects from unreasonable search and seizure] doesn’t apply in cyberspace because it is from a different technological era,” Snyder said.

The government also accused Apple of being accommodating to similar requests in China, something Sewell and Apple’s other attorneys fiercely disputed. The attorneys called the accusations “ridiculous” and said Apple has never built a back door in its products, nor has any government ever asked it to do so. Only now, in the US, is it facing that question, the attorneys said.

The Justice Department, meanwhile, said that Apple, by its own calculations, would have to set aside as few as six of its 100,000 employees for as little as two weeks to assist the FBI in accessing the iPhone 5C. And the government said Apple’s concern that its reputation would be harmed and consumers would lose faith in Apple’s security isn’t reason enough to allow it to avoid the search warrant. The same argument has been used before, by telecommunications companies and others, but it hasn’t stood up in court, the government noted …

To read the full article, click here.

The Ongoing iPhone Encryption Saga & Why Apple’s Arguments are Superfluous

By Christopher Folk

(Re-published from blog.cybersecuritylaw.us, March 3, 2016) Apple’s assertions in the ongoing iPhone encryption saga are typical slippery slope, descent into anarchy, watch out as we move through Dante’s Nine Circles of Hell, Chicken Little “the sky is falling”-type arguments.  Essentially what Apple is saying is that, yes, we could write software that will remove the timing delay issue between subsequent passcode entries; yes, we can remove the data delete feature that erases all content on an iOS device after n unsuccessful passcode entry attempts; but since only we can do that because only Apple developers have the insider expertise and access to the code to effect such a workaround, someone may get access to it and then the world will fall into chaos and eternal damnation.  

“So how about it Apple, are you really worried that writing code to bypass a previous generation iPhone to allow a brute force attack is going to expose millions of user’s iPhones to government intrusion into their encrypted data?”

The fiction that Apple purports seems to be that they have a death grip on their proprietary operating system and no one can bypass it, so if they modify their code and then use that same code to enable access to iOS data, then the mere act of developing the code would essentially let the genie out of the bottle and life will never be the same.

First of all, the phone in question—an iPhone 5c—is an older generation iPhone and does not incorporate either the A7 (A-series) processor nor does it use TouchID, which works in conjunction with the Secure Enclave, according to the Apple iOS security guide.  

Consequently, the concerns about this software code being utilized outside the iPhone 5c class of devices are likely unwarranted.  Whereas, devices based on the Apple A7 or later A-series processors have a co-processor fabricated within the processor referred to as the “secure enclave,” the 5c does not. The later iPhone models use a co-processor that leverages encrypted memory and is provisioned during the manufacturing process with a Unique ID (“UID”) that is not known to either Apple nor to other system components.  Consequently, when an iOS device with a secure enclave starts up, a key is created that intertwines the UID and thereby encrypts the device memory space.  Data on the iOS file system is encrypted by the secure enclave using the UID and an anti-replay counter (“nonce”) to form an encryption key.  Additionally, communication between the secure enclave and the touch ID sensor utilizes 2-way AES encryption, and data sent from the processor to the secure enclave cannot be read by the processor, according to the iOS security guide.

Similarly, since the UID is burned into the silicon and is unknown to Apple, there exists no mechanism whereby Apple could discern the UID, and thus the only entry point into iOS encrypted data requires the use of brute force.  Here, too, the issue becomes the fact that the data storage model relies on access via the processor and everything ties back to the UID.

One of the biggest issues with gaining access to the encrypted data on an iOS device is the way the devices are purpose-built with security in mind.  For instance, file access passes keys through the secure enclave; gaining access isn’t as simple as pulling a hard drive out of a server and then using brute force tools to decrypt the drive.  Here, files are accessed only through the secure enclave and, thus, decryption must take place at this level, and the speed and access are thereby constrained by the processor and the secure enclave.  Additionally, the secure enclave performs the key checks and initiates the delays (for instance, for successive failed passcode attempts).

The short version: if Apple modifies its code such that an iPhone 5c’s passcode delays and auto-delete functions can be impaired, and while in physical possession of the iPhone 5c in question, it loads this iOS version onto that single iPhone and then it delivers that iPhone to the government to allow a brute-force attack  attempt upon it, the implications to other Apple devices are minimal.  

A future government intrusion using this scenario would therefore require:

  1. Probable cause sufficient such that a judge would order the lawful search and seizure of said device;
  2. Physical possession of an Apple iOS device that lacks the new “secure enclave” found on new models;
  3. Loading customized code onto this non-secure enclave iOS device;
  4. Allowing the government to attempt a brute-force hack on the device.

This scenario is not analogous to a “backdoor,” whereby Apple or any other company would provide code that actually allows someone to access encrypted data using a master key or something similar.  In the present San Bernardino case, all the government is requesting is that Apple modifies their iOS code on a specific, older iPhone to allow it to:

  1. Bypass or disable the auto-erase function;
  2. Enable the FBI to submit passcodes to the subject device via the physical device port, or Bluetooth, Wi-Fi, or another available protocol;
  3. Remove the delay between successive passcode attempts.

It seems the slippery slope argument is not wholly compelling, and in any case, Apple would be writing the code, deploying the code, and maintaining the code, so anytime a lawful mandate is issued directing Apple to deploy that code, Apple has available legal remedies with which to resist an order.

So how about it Apple, are you really worried that writing code to bypass a previous generation iPhone to allow a brute force attack is going to expose millions of user’s iPhones to government intrusion into their encrypted data? If so, then perhaps the iOS security guide is not as accurate as it is purported to be and your devices aren’t as secure as we believe, which would explain the reluctance to pull back the curtain, even if only a little.

Christopher Folk is a candidate (2017) for both a master’s in Forensic Science and Technology (Syracuse University) and a Juris Doctor degree (SU Law). Also a software engineer, Folk’s legal externship is with Chertoff Group company Delta Risk, where he focuses on legal and policy analysis pertaining to US and International cyber law.

Corri Zoli Speaks to CNY Central About Terrorists Exploiting Visa Loopholes


Congressman Katko, Experts Question Counterterrorism Systems

(CNY Central, Dec. 14, 2015) As more information is revealed about Tashfeen Malik and Syed Rizwan Farook, the husband and wife pair who killed 14 and left 17 wounded after a mass shooting in San Bernadino, CA, many are questioning how the two were able to fly under the radar of US Homeland Security.

“It’s terrible that it takes these kinds of events before we try to close some of these visa loopholes,” said Corri Zoli, Director of Research and Research Assistant Professor at the Syracuse University Institute for National Security and Counterterrorism.

Zoli believes one of the biggest security loopholes the pair may have exploited is the K-1 visa Malik was able to obtain in order to enter the US. The K-1 visa is issued to fiancés of US citizens and allows a sort of privileged and immediate entry route into the country. Those entering the country on a K-1 visa must marry his or her sponsor within 90 days. Once married, a foreign citizen can then obtain a Green Card and is eligible for employment. As Zoli points out, this type of visa has a high potential for fraud.

“It just has some aspects that make it more ripe for abuse than others do because you have a person there on the inside who can vouch for you. Your visa application process is the two of you and not just you and we have a bias towards reuniting families,” explained Zoli. “Judging from what’s happened it looks like smart, jihadist organizations are looking at some of these routes to see which ones are most vulnerable for some of their operatives.”

Security officials are now debating whether to impose a temporary freeze on K-1 visas, something Congressman John Katko says he’d support. Last Friday, Congressman Katko, the Chair of the House Homeland Security Committee’s Subcommitte on Transportation Security, pressed top counterterrorism officials for answers about how the San Bernadino killers were able to skirt terror watchlists.

“The two people from San Bernadino should have been on the watchlist,” said Katko. “There was enough chatter from 2012 coming forward on the Internet where we should have done a better job to find it …

To read the whole story, click here.

Nathan Sales Interviews About “Fiancée Visas” & French Surveillance

Professor Nathan Sales Speaks on K-1 “Fiancée” Visas

INSCT Faculty Member and Associate Professor of Law Nathan Sales recently spoke with CBS News’ Los Angeles radio affiliate on K-1 “Fiancée” Visas and the visa waiver program in the wake of the San Bernadino attacks.

In the interview, Professor Sales noted, “The real trick is how do you identify the unknown terrorist, and information sharing with European and other foreign countries is one important way of beginning to solve that problem.”

Rand Paul largely correct that French electronic surveillance law is stronger than what U.S. has

(Politifact, Dec. 8, 2015) … Where the French system goes further than the United States’ system

Judicial review

Under the United States’ Foreign Intelligence Surveillance Act, law enforcement officials must go to a special judicial court to receive permission to conduct electronic surveillance of American citizens. Historically, law enforcement officials have generally gotten what they’ve wanted from the court, leading critics to question how much of a hurdle this is. Still, the fact that members of the judiciary are passing judgment on the government’s requests does provide at least a modicum of independent oversight.

By contrast, under the French system’s analogous body, only a minority of members of the National Commission for the Control of Intelligence Techniques — six of 13 — are judges. Another six are legislators and the last is a technical expert. The panel can be overruled by the prime minister.

“Because there is no opportunity for independent and neutral judges to decide whether surveillance of a particular target is justified (in the French system), there is a heightened risk that government officials might engage in improper monitoring,” wrote Nathan A. Sales, a Syracuse University law professor in an analysiscommissioned by the bar association of Paris while the law was being debated.

Sales held senior positions in the Justice Department and Department of Homeland Security under President George W. Bush and was involved in the drafting of the Patriot Act.

Lack of “minimization”

The United States’ system takes steps, albeit imperfect ones, to focus intelligence collection on suspicious behavior, thereby “minimizing” the amount of unrelated data swept up. These can involve restricting who can see the information, how long it may be retained, and whether or how it can be disseminated, Sales wrote.

By contrast, the French system has few if any such protections, Sales wrote. He suggested an area of particular concern is a “lack (of) any limits on the monitoring of privileged communications between attorneys and their clients.”

Search and seizure

One of the more contentious parts of the Patriot Act has involved delayed-notification searches — that is, searches of properties in which the target not only isn’t present but is not even notified about the search until well after it takes place. These are sometimes called “sneak and peek” searches, or “sneak and steal” when it involves seizing and removing items from the location.

These types of searches existed before the Patriot Act, but their use was tightly constrained; the Patriot Act loosened the rules.

The French system, meanwhile, permits even more expansive action for tracking data and communications during such searches than the United States does, critics say. Under the French law, bugs, cameras and keystroke loggers could be planted during such searches, according to multiple media reports.

Location-based surveillance

The French law allows the use of devices variously known as “proximity sensors,” “cell site simulators,” “IMSI catchers” or “Stingrays.” Rather than targeting surveillance on a specific person, these devices allow surveillance of cellphone calls and text messages at a given location. Privacyadvocates say this technology is likely to capture communications by uninvolved bystanders.

In the United States, it is Justice Department policy to seek a FISA probable-cause warrant before using such techniques. On paper, at least, that appears to be a tougher hurdle than what the French law includes.

Going beyond terrorism

The Patriot Act includes terrorism in its title (it’s the final “t” in the acronym “patriot”), and at the FISA court, the government must show that the target is an “agent of a foreign power,” which has generally been interpreted to mean a spy or a terrorist.

By contrast, the French law includes some broader justifications for action, including protecting France’s “economic, industrial and scientific interests” and prevention of “organized delinquency.”

“In general, I think it’s accurate to say that French surveillance law is more permissive than U.S. surveillance law,” Sales said in an interview …

To read the full story, click here.

RFI Brasil Interviews Nathan Sales About a Possible “French PATRIOT Act”

To author of the “Patriot Act,” new French law surveillance stricter than the US

(Translated from the Portuguese, RFI Brasil, Nov. 18, 2015) Following the attack on the newspaper Charlie Hebdo in January 2015, there were few voices in French policy to ask for a ‘Patriot Act à la française’, a new legislation to address terrorism inspired by the American law. The controversial Patriot Act enacted by George Bush after Sept. 11, 2001 is criticized for having increased the permissions for the government to monitor suspects through surveillance techniques such as wiretapping. Law professor at Syracuse University in New York and INSCT Faculty Member Nathan A. Sales was part of the team that wrote the law. To this jurist, who at the time worked at the US Department of Justice, the French do not need a “Patriot Act” to fight terrorism because their current surveillance law, passed last summer, gives even more power to the French government than US laws provide Washington, DC. 

“French law is more permissive than the American. It provides stronger surveillance authorities of the United States.”

RFI Brazil – Is the Patriot Act still useful in fighting terrorism?

Nathan A. Sales – It’s working well, but no anti-terrorist surveillance will be perfect. Technological change is putting a lot of pressure on surveillance laws here in the United States but also in France. One of the challenges that we started to face last year is encryption. There is now a large number of new technologies that did not exist years ago, applications like WhatsApp and other technologies that terrorists such Islamic State and other groups increasingly use to protect communication. This means that even if you have a law like the Patriot Act or a new French surveillance law that allow researchers to intercept the communications of suspects, these laws cannot do much if you cannot decipher the information. This type of high-quality encryption used to be a unique, sophisticated technology for governments such as the US, Britain, and France. It is now available to anyone who has an iPhone.

What was the main concern when the Patriot Act was written?

Nathan A. Sales – We had two key objectives. One of the things that the Patriot Act did was allow counterterrorism investigators to use the same techniques that ordinary police have been using for decades; for example, use mobile wiretapping. Another thing that the Patriot Act tried to do was to create a judicial approval system that would allow the anti-terrorism investigators to conduct wiretaps, but subject to strict authorization of a judge. You needed permission of the court, for example, to watch Khalid Sheikh Mohammed [the terrorist imprisoned in Guantanamo, accused of being an “architect of 9/11”].

How do you see the new French law surveillance law passed in June?

Nathan A. Sales – French law is more permissive than American. It provides stronger surveillance authorities than the United States. There is no need for court approval, and there are a greater number of case types that you can monitor not only terrorism and espionage but also for industrial and economic research. In terms of legal authorities, the French government has more tools than the American.

So that French law should be enough?

Nathan A. Sales – Hard to say. The attack in Paris took place despite this law. We need to know why. The attack was a very sophisticated operation, involving a lot of money, training, travel, and communication. It will be very important for researchers to figure out how the attack could happen without the French authorities detecting it. [At a time when France is considering new surveillance laws, it’s important to understand whether there are any gaps in the current laws that contributed to the attacks.]*

The French generally reject the idea of making a “French Patriot Act” because they are afraid of losing civil liberties. Does this make sense?

Nathan A. Sales – France already has surveillance laws that go beyond the US Patriot Act.

“The most important part of the Patriot Act is the judicial approval. Generally, if the NSA wants to intercept a communication in the US, it must go to the court responsible for surveillance and intelligence and demonstrate probable cause that the target is a spy or terrorist.”

Does the Patriot Act not affect the individual rights of citizens?

Nathan A. Sales – The most important part of the US Patriot Act is the judicial approval. Generally, if the NSA wants to intercept a communication in the US, it must go to the court responsible for surveillance and intelligence and demonstrate probable cause that the target is a spy or terrorist. This is very similar to the laws that apply to ordinary criminal investigation. The basic concept is: you need to ask a judge before acting. And this is an important way to avoid abuse or unnecessary surveillance.

How would you advise President François Hollande to act from now on?

Nathan A. Sales – There is no single answer or a silver bullet to solve the problem. In part action will have to be an international military coalition led by France, and I would like to see the United States have a greater role. Our president said Friday (Nov. 13, 2015), throughout the day, that Islamic State was contained. This was a surprise to the people of Paris. I would advise the French president and others to put together a military coalition, including Sunni Arab states such as Saudi Arabia, and others like Georgia and Egypt, which are in the region and have a military force that, combined with NATO, can defeat this threat.

Is the fight against ISIS different from that fight al-Qaeda?

Nathan A. Sales – There are some disturbing similarities between the two. Al-Qaeda in 2000 looked a lot like the ISIS in 2015. The two have territories where they are safe, but the territory controlled by ISIS is much larger than that of Al-Qaeda in Afghanistan. ISIS held large-scale attacks as did al-Qaida in the 90s, such as attacks on US embassies in Africa. My concern is that ISIS is now just warming up. The catastrophic attack on Paris, the downing of the Russian plane, and the attack in Lebanon could be the prelude to something bigger, something with a Sept. 11, 2001 scale.

To see the original article, click here.

* English translation of this sentence clarified by Professor Sales on Nov. 18, 2015.