At a glance.
- EU looks back at two years of GDPR.
- US Defense Department designates certain Chinese companies as controlled by China's military.
- US Senate warrant-proof encryption bill introduced.
- Certificates for successful "covert operation."
- The US Navy is not recruiting Sailors on an adult site.
EU declares success after two years of GDPR (but seeks more "vigorous" enforcement).
The European Commission yesterday released its assessment of the EU's General Data Protection Regulation (GDPR) two years after GDPR took effect. That assessment is thoroughly positive. Věra Jourová, the European Commission's Vice-President for Values and Transparency, summed up the conclusion as follows: “Europe's data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other policies, such as data strategy or our approach to AI. The GDPR is the perfect example of how the European Union, based on a fundamental rights' approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. But we all must continue the work to make GDPR live up to its full potential.” The principal work that remains, as TechCrunch puts it, is that enforcement needs to grow more "vigorous."
More trouble for Huawei (and some other Chinese companies).
The US Department of Defense has designated Huawei and Hikvision, among other firms, as companies owned or controlled by China's military, Reuters reports. The designation in itself triggers no sanctions, but it can lay the groundwork for more restrictions on the companies named. The list is also likely to highlight relationships between the named Chinese firms and their US partners.
Axios published the complete list, which includes Aviation Industry Corporation of China, China Aerospace Science and Technology Company, China Aerospace Science and Industry Company, China Electronics Technology Group Corporation, China South Industries Group Corporation, China Shipbuilding Industry Corporation, China State Shipbuilding Corporation, China North Industries Group Corporation, Hangzhou Hikvision Digital Technology Company Limited, Huawei, Inspur Group, Aero Engine Corporation of China, China Railway Construction Corporation, CRRC Group, Panda Electronics Group, Dawning Information Industry Company, China Mobile Communications Group, China General Nuclear Power Corporation, China National Nuclear Corporation, and China Telecommunications Corporation.
There are also new difficulties for Huawei in the UK. The company had been planning to open a facility in Cambridgeshire where it intended to conduct broadband research. The Telegraph reports that there are now calls to delay or cancel the facility on the grounds that it forms part of the broader security threat the company is said to pose.
Artillery preparation in the Crypto Wars.
On Tuesday three Republican US Senators, Lindsey Graham of South Carolina, Tom Cotton of Arkansas, and Marsha Blackburn of Tennessee, introduced a bill intended to end what they characterize as "warrant-proof encryption," that is, encrypted communication that cannot be accessed even under a properly issued and duly approved warrant. The measure's short title is the "Lawful Access to Encrypted Data Act."
The Senators cite five cases in which they say legitimate and urgent investigations were impeded by strong encryption of the suspects' communications:
- Investigation of the December 2019 shootings by a radicalized Saudi officer at the Pensacola Naval Air Station that killed three and wounded eight was impeded by the encryption on the shooter's device. The FBI was eventually able to access encrypted data, but only after four months and considerable expense.
- The Sinaloa Cartel, under investigation for money laundering, was able to use encrypted WhatsApp communications to frustrate attempts to identify its members and seize illegal drugs and money. A court-ordered wiretap was rendered useless by the encryption.
- A May 2015 terrorist attack in Garland, Texas, for which ISIS claimed responsibility, was coordinated with an overseas collaborator using an end-to-end encrypted app. The FBI remains unable to read the content of more than a hundred messages the terrorists exchanged.
- A computer scientist, Lin, accused of cyberstalking, harassment, and collection of child sexual abuse material encrypted much of his material, which prosecutors were therefore unable to use "to present a fuller, more accurate portrayal of Lin’s conduct at sentencing."
- In a 2016 case, child pornography encrypted with BitLocker prevented the FBI from obtaining evidence that would have enabled it to prosecute the suspect. "The target of the investigation had regular access to children through his employment as a school bus driver."
The bill proposes, in outline, the following measures, its "highlights":
- It would "enable law enforcement to obtain lawful access to encrypted data," requiring device manufacturers and service providers to help access encrypted data "if assistance would aid in the execution of the warrant." The Attorney General would be authorized to direct such manufacturers and providers to report on their ability to comply with court orders. The Attorney General would, however, be prohibited from "issuing a directive with specific technical steps for implementing the required capabilities," and "anyone issued a directive may appeal in federal court to change or set aside the directive." The Government would compensate manufacturers and providers for "reasonable costs incurred in complying with the directive."
- The bill would "incentivize technical innovation" by establishing a prize competition for development of a lawful access solution that "maximiz[es] privacy and security."
- Finally, it would promote technical and lawful access training and assistance through the Justice Department's National Domestic Communications Assistance Center.
Several points are worth noting. First, the argument for the measure is buttressed with cases in which encryption was used by terrorist killers, murderous drug cartels, and loathsome child abusers (we add "allegedly" in cases where no one was convicted). These are three classes of bad actors that command little if any sympathy from the general public, or from members of Congress. Such cases have long been a concern of the Justice Department and the FBI, going back to the previous Administration at least.
Second, the bill requires device manufacturers and service providers to give whatever assistance they are able to give, and it specifically prohibits the Attorney General from directing anyone to take any particular technical approach to delivering that assistance. Thus the bill's intent does not appear to be to mandate backdoors in communication products that could be opened under a warrant. It would presumably be possible for a manufacturer to say, truthfully: sorry, we don't have the keys, we don't have a backdoor, and there's no further assistance we can render.
Finally, the prize competition for a solution that would simultaneously maximize lawful access, privacy, and security seems a gesture in the direction of technological optimism.
Much of the commentary in the industry press has been predictably unfavorable. Ars Technica calls the bill "yet another attempt to torpedo encryption," C|NET characterizes it as Congress's "latest attempt to weaken encryption," and the Register gleefully says that "After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors." They argue that the law in fact intends to require backdoors, which would in principle be vulnerable to exploitation by bad actors, not just drug gangs, terrorists, and child pornographers, but foreign intelligence services as well, thereby weakening security generally. They also view any attempt to simultaneously achieve lawful access, security, and privacy as a logical impossibility. Pick one, or at most two. But all three? That's an impossibility on a par with the Indiana Pi Bill of 1897, which would have legislated an incorrect value of pi (the bill passed the Indiana House before dying in the Senate; the popular retelling that it set pi to 3 "to make calculations easier" is an embellishment).
The impossibility the critics see certainly seems to be there. But it's not clear that the bill really does want to mandate backdoors. It would seem in fact to specifically prohibit the Attorney General from requiring them. It does commit companies to provide all the help that's possible (but privacy-preserving access-on-demand might simply not be possible). And some useful results might come from pursuing research into even an impossible task. If anything, the bill might have the effect, intentional or not, of reducing the pressure to systematically weaken encryption with backdoors.
Israeli intelligence units recognized for "successful covert operation."
Haaretz reports that some Israeli intelligence units have received certificates of appreciation for their "participation in a successful covert operation." The recognition was announced a month after a cyberattack against an Iranian port that was widely attributed to Israel (and not really denied by the Israeli government, either), so Haaretz simply connects the dots.
Policy shoots down creativity, again.
Maybe you heard from a friend that the United States Navy was posting recruiting messages to a well-known adult site, and maybe you thought to yourself, hey, good idea, what better place to find potential sailors? Bravo Zulu, USN! Well, Task & Purpose has thrown cold water on the story. There were some messages that looked like recruiting messages, but they were spoofs. “The social media account discussed on the podcast is a fraudulent account with no official connection to the Navy,” said Navy spokeswoman Lieutenant Commander Megan Isaac. “As a matter of policy, Navy recruiters are not authorized to recruit on pornographic websites.” It's difficult not to notice that Lieutenant Commander Isaac's statement technically doesn't rule out an unofficial connection, but we doubt there's one of those, either. And the Naval Criminal Investigative Service (the actual NCIS, not the television franchise) has asked the adult site in question to take down the account. Suggestion to NCIS, if they're looking for the spoofer's hidden hand: tell it to the Marines.