Starting in January of 2017, Google’s Chrome browser will start flagging some websites that don’t use web encryption as “Not Secure”—the first step in Google’s eventual plan to shame all sites that don’t use encryption.
In the last couple of years, the web has seen a tremendous rise in the number of websites that use encryption, which is displayed by that little green lock next to the site’s address and an extra “s” at the end of HTTP. The increase in the use of HTTPS web encryption has been part of a collective effort to improve security and privacy on the web, often under the banner of the campaign “Encrypt All The Things.”
At the beginning of this year, Google hinted—without announcing it officially—that it was going to flag all unencrypted websites as insecure, as Motherboard reported. At the time, Parisa Tabriz, who manages Google’s security engineering team, said that Google’s intention was to “call out” websites that still were on HTTP as “unsafe.”
On Thursday, Google officially announced its anti-HTTP plan. The company isn’t going to shame all unencrypted websites all at once, but start only with HTTP sites that ask users to input passwords or credit cards. These sites will be flagged as “Not secure” in the Chrome address bar.
Then, in the future—Google is not saying exactly when yet—Chrome will flag all sites that don’t use TLS encryption as “Not secure” and also display a red triangle indicator, which Chrome already uses when users go to a dangerous website.
“We definitely do plan to label all HTTP pages as non-secure eventually,” Emily Schechter, the Chrome Security product manager, told Motherboard, explaining that the company didn’t want to all of a sudden flood users with warnings. “We really wanted to be careful about it and we wanted to get it right.”
Schechter explained that Google’s main worry is that displaying alerts for all HTTP sites right away would lead users to see too many warnings and, eventually, ignore them. In other words, Google wants to educate users about the risks of unencrypted websites while striking the right balance and without leading them to what’s called “warning fatigue,” a term for what happens when users get so used to warnings that they stop paying attention.
Google also wanted to announce the change before it was implemented to give webmasters time to migrate to HTTPS and not get caught by surprise, Schechter said.
While it seems like a small change, HTTPS provides multiple protections for users. Not only does it ensure that hackers and spies can’t easily intercept passwords and other sensitive data travelling on the internet, it also ensures that the site you’re looking at really is the site you want, and not an imposter. Without HTTPS, it’s trivial for a hacker sitting on the same public WiFi you’re using, or for government spies, to spy on you and interfere with the sites you visit in order to trick you into giving up sensitive information.
With this move, Google is pushing for even more HTTPS adoption. And at this point, an HTTPS-only future seems inevitable. Google reported that nowadays, more than half of the sites visited by Chrome users are encrypted already.
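The two phases described above (first flagging HTTP pages with password or credit-card fields, later flagging every HTTP page) can be modelled as a simple audit a webmaster runs over their own pages before the deadline. This is an added example, not Google’s or Chrome’s code; the credit-card heuristic (`autocomplete="cc-*"`) and the sample pages are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption of this example: credit-card fields are recognised by the
# standard autocomplete tokens (cc-number, cc-exp, ...). Chrome's real
# detection logic is not described on the page.
CC_AUTOCOMPLETE_PREFIX = "cc-"


class SensitiveInputFinder(HTMLParser):
    """Collect <input> elements that take passwords or card data."""

    def __init__(self):
        super().__init__()
        self.sensitive = []  # list of (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.sensitive.append(("password", a.get("name", "")))
        elif a.get("autocomplete", "").startswith(CC_AUTOCOMPLETE_PREFIX):
            self.sensitive.append(("credit-card", a.get("name", "")))


def classify(url, html, all_http_flagged=False):
    """Return ("Not secure", reasons) or ("ok", []) for one page.

    all_http_flagged=False models the January 2017 phase: only HTTP pages
    with password or credit-card inputs are flagged. True models the later
    phase the article describes, where every HTTP page is flagged.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "http":
        return "ok", []  # HTTPS pages (and non-web schemes) are not flagged
    finder = SensitiveInputFinder()
    finder.feed(html)
    reasons = [f"{kind} field '{name}' over HTTP" for kind, name in finder.sensitive]
    if all_http_flagged and not reasons:
        reasons.append("page served over HTTP")
    return ("Not secure", reasons) if reasons else ("ok", [])


# Constructed sample pages; example.test is a reserved, non-routable name.
LOGIN_PAGE = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""
CHECKOUT_PAGE = '<form><input name="card" autocomplete="cc-number"></form>'
BLOG_PAGE = "<p>Hello world</p>"

if __name__ == "__main__":
    for url, page in [("http://example.test/login", LOGIN_PAGE),
                      ("http://example.test/pay", CHECKOUT_PAGE),
                      ("http://example.test/", BLOG_PAGE),
                      ("https://example.test/login", LOGIN_PAGE)]:
        print(url, classify(url, page), classify(url, page, all_http_flagged=True))
```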
Posts Tagged ‘#encryption’
The head of the FBI said Wednesday that the government will bring more legal cases over encryption issues in the near future.
Speaking with reporters at FBI headquarters in Washington, FBI Director James Comey specifically said that end-to-end encryption on WhatsApp is affecting the agency’s work in “huge ways.” However, he noted the FBI has no plans to sue Facebook, the app’s parent company.
He also said that since October 2015, the FBI has examined “about 4,000 digital devices” and was unable to unlock “approximately 500.”
The FBI paid gray hat hackers at least $1.3 million for a way to get into the seized iPhone used by Syed Rizwan Farook, the now-dead terrorist involved in the December 2015 attack in San Bernardino, California. At the last minute, the Department of Justice canceled a highly anticipated court hearing over the issue in March 2016.
However, Comey said that the hackers’ identities are so closely held inside the government that even he doesn’t know who they are, according to Reuters.
By Cyrus Farivar
When U.S. Magistrate Sheri Pym ruled that Apple must help the FBI break into an iPhone belonging to one of the killers in the San Bernardino, Calif., shootings, the tech world shuddered.
Why? The battle of encryption “backdoors” has been longstanding in Silicon Valley, where a company’s success could be made or broken based on its ability to protect customer data.
The issue came into the spotlight after Edward Snowden disclosed the extent to which technology and phone companies were letting the U.S. federal government spy on data being transmitted through their network.
Since Edward Snowden’s whistleblowing revelations, Facebook, Apple and Twitter have unilaterally said they are not going to create such backdoors anymore.
So here’s the “backdoor” the FBI wants: Right now, iPhone users have the option to set a security feature that only allows a certain number of tries to guess the correct passcode to unlock the phone before all the data on the iPhone is deleted. It’s a security measure Apple put in place to keep important data out of the wrong hands.
Federal prosecutors looking for more information behind the San Bernardino shootings don’t know the phone’s passcode. If they guess incorrectly too many times, the data they hope to find will be deleted.
That’s why the FBI wants Apple to disable the security feature. Once the security is crippled, agents would be able to guess as many combinations as possible.
Kurt Opsahl, general counsel for the Electronic Frontier Foundation, a San Francisco-based digital rights non-profit, explained that this “backdoor” means Apple will have to write brand new code that will compromise key features of the phone’s security. Apple has five business days to respond to the request.
What does Apple have to say about this? Apple CEO Tim Cook said late Tuesday that the company would oppose the ruling. In a message to customers published on Apple’s website, he said: “We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data.”
Back in December, Cook defended the company’s use of encryption on its mobile devices, saying users should not have to trade privacy for national security, in a broad interview with 60 Minutes. In the interview, Cook stood by the company’s stance of refusing to offer encrypted texts and messages from users.
What does this mean for the next time the government wants access? The order doesn’t create a precedent in the sense that other courts will be compelled to follow it, but it will give the government more ammunition.
What do digital rights experts have to say? There are two things that make this order very dangerous, Opsahl said. The first is the question it raises about who can make this type of demand. If the U.S. government can force Apple to do this, why can’t the Chinese or Russian governments?
The second is that while the government is requesting a program to allow it to break into this one, specific iPhone, once the program is created it will essentially be a master key. It would be possible for the government to take this key, modify it and use it on other phones. That is a lot to trust: that the government will have this power and it will not be misused, he said.
And the lawmakers? Well, they are torn. Key House Democrat, Rep. Adam Schiff, D-Calif., says Congress shouldn’t force tech companies to have encryption backdoors. Congress is struggling with how to handle the complex issue.
On the other side of things, Senate Intelligence Committee Chairman Richard Burr, R-N.C., and Vice Chair Dianne Feinstein, D-Calif., say they want to require tech companies to provide a backdoor into encrypted communication when law enforcement officials obtain a court order to investigate a specific person.
What now? This could push the tech companies to give users access to unbreakable encryption. To some extent, it’s already happening. Companies like Apple and Google — responding to consumer demands for privacy — have developed smart phones and other devices with encryption that is so strong that even the companies can’t break it.
A new Supreme Court justice could tip the scales away from the controversial third party doctrine.
The passing of Justice Antonin Scalia has brought a wave of speculation about current and future U.S. Supreme Court cases. One area where there might be a significant impact will be the 4th Amendment, which provides the primary constitutional protection against government surveillance and information gathering. A new justice could usher in a dramatic expansion in 4th Amendment protections against government surveillance.
Justice Scalia was not antagonistic to the 4th Amendment, and in many cases he supported 4th Amendment protections. Most notably, in Kyllo v. United States, 533 U.S. 27 (2001), Justice Scalia wrote for the majority in a 5-4 decision holding that the 4th Amendment required a warrant to use thermal sensors to detect heat patterns emanating from inside a home. Justice Scalia also wrote the majority opinion in United States v. Jones, 132 S. Ct. 945 (2012), holding that the police needed a warrant to affix a GPS surveillance device to a car.
Kyllo and Jones are two of the most important U.S. Supreme Court cases of this century involving technology, and both come out in favor of 4th Amendment protection. So why would a new justice potentially lead to more 4th Amendment protection?
Justice Antonin Scalia Speaks with Staff at the U.S. Mission in Geneva. Photo via WikiCommons
The reason is that Justice Scalia had a narrow view of original intent. Kyllo turned heavily on the fact that the thermal sensor was used on a home—the quintessential private place to the Framers of the Constitution. Scalia’s opinion in Jones turned on the placement of the GPS device on a car—a trespass to a person’s property. Hearkening back to a very old test for when a search falls under the scope of the 4th Amendment, Justice Scalia focused on the fact that putting the device on the car was a physical trespass. This led to a very narrow holding. Five justices in concurring opinions suggested a much broader approach, holding that people had a reasonable expectation of privacy in not being exposed to very extensive surveillance—even in public.
THE COMING DEMISE OF THE THIRD PARTY DOCTRINE
The first issue in a 4th Amendment case is whether a particular instance of government surveillance or data gathering activity even falls under the 4th Amendment’s scope. If the 4th Amendment is implicated, then the 4th Amendment generally provides protection by requiring the government to obtain a warrant supported by probable cause—the government must justify its search, and the judiciary evaluates. Searches are circumscribed and limited. The prevailing test for whether the 4th Amendment applies is whether there is a reasonable expectation of privacy in what the government is searching.
When the 4th Amendment applies, a warrant and probable cause aren’t always required—there are a lot of exceptions—but if the 4th Amendment doesn’t apply, then there is often no protection at all against a particular instance of government surveillance unless there is a federal statute restricting it. State constitutions and state statutes can limit state law enforcement, but not federal officials. An enormous amount of government surveillance and information gathering is not regulated by federal statute, so if the 4th Amendment doesn’t apply, there might be nothing to require any oversight or limitation on these government surveillance powers. Thus the determination of whether certain government surveillance measures fall within the scope of the 4th Amendment is often one of enormous significance.
A new justice replacing Justice Scalia might take a more expansive approach to the applicability of the 4th Amendment, and be the vote that tips the scales against a controversial doctrine that has dramatically limited the scope of the 4th Amendment in the digital age: the third party doctrine.
Under the third party doctrine, the U.S. Supreme Court has held that there is no reasonable expectation of privacy for information known or exposed to third parties. In United States v. Miller, 425 U.S. 435 (1976), the Court held that there is no reasonable expectation of privacy in financial records maintained by one’s bank because “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.” In Smith v. Maryland, 442 U.S. 735 (1979), the Court concluded that there was no reasonable expectation of privacy when the government obtained a list of phone numbers a person dialed from the phone company because people “know that they must convey numerical information to the phone company” and cannot “harbor any general expectation that the numbers they dial will remain secret.”
The implications of the third party doctrine for the digital age are enormous. Today, so much of our data is maintained by third parties. Countless companies maintain records about us. We store documents and photos with cloud service providers. Credit card companies keep detailed records about our purchases. Our location information is available to telecommunications companies. Our Web surfing activity is in the hands of ISPs. Merchants such as Amazon.com have records about our purchases of books and movies and other things. The government no longer needs to enter a person’s home to learn about that person—the books that person is reading, the person’s communications, hobbies, interests, intellectual exploration, and more can all be learned from third party records. I wonder whether the justices writing in the 1970s had any idea of how profound the implications of the third party doctrine would be in today’s age.
The third party doctrine is one of the main reasons why the 4th Amendment has often not had much relevance when digital data is involved. Several courts have held that broad government surveillance programs, including some of the NSA’s surveillance programs, escape the reach of 4th Amendment protection due to the third party doctrine.
A GPS tracking device like that involved in the Jones case. Photo via iFixit
Justice Scalia’s opinion in Jones actually provides very little protection against government location tracking. Only the physical affixing of a GPS device to a car violates the 4th Amendment according to his view. But under the third party doctrine, the government can readily obtain GPS data from third parties that provide GPS services without a physical trespass to the car. People’s location can also be tracked from their phones. Scalia’s view misses a key fact: It’s not the device that matters; it’s the data.
Jones is a bizarre case because five justices wrote or joined concurring opinions that suggested a much bolder approach to the reasonable expectation of privacy. Until Jones, U.S. Supreme Court cases had generally held in a rather binary way that there is no reasonable expectation of privacy from surveillance in public places. The five concurring justices articulated a different view that extensive surveillance—even in public—could fall under the scope of the 4th Amendment.
Justice Sotomayor, writing a solo concurring opinion, explicitly called the third party doctrine into question. She stated that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily exposed to third parties. This approach is ill suited to the digital age.”
The other concurring opinion, authored by Justice Alito, doesn’t say anything about the third party doctrine. My sense is that Justice Alito might be tepid about how far he would expand 4th Amendment protection. The other three justices joining Alito’s concurrence—Justices Ginsburg, Breyer, and Kagan—all might be good candidates to join Justice Sotomayor in reversing the third party doctrine sometime in the future. One more vote is needed for five votes, and that could be the demise of the third party doctrine.
The end of the third party doctrine would herald a dramatic increase in 4th Amendment protection in today’s digital age. The third party doctrine is, in my view, the most significant and wrongheaded impediment to effective 4th Amendment regulation of government surveillance. (For more about my concerns about the third party doctrine, see my 2002 Southern California Law Review article, Digital Dossiers and the Dissipation of Fourth Amendment Privacy.)
CLAPPER AND NSA SURVEILLANCE
Another key case turning on Justice Scalia’s vote was Clapper v. Amnesty International, 568 U.S. __ (2013). There the Supreme Court held, with Justice Alito writing for the majority, that plaintiffs lacked standing to challenge NSA surveillance because they couldn’t know for sure that they were subjected to it. The fact of whether they were under surveillance was classified, so the government had quite the chutzpah to argue that the plaintiffs’ case should be dismissed because they couldn’t prove they were under surveillance.
The plaintiffs put forth evidence that they were very likely under surveillance and claimed that they were harmed because they had to expend time and money to take measures to avoid the surveillance. The U.S. Supreme Court held that they failed to show the required injury for standing because they couldn’t confirm the surveillance with certainty and their evasive measures were just an attempt to “manufacture standing based on hypothetical future harm.” Justice Scalia was in the majority. Justices Breyer, Ginsburg, Sotomayor, and Kagan dissented. So a change in Scalia’s vote would mean the case would come out the other way 5-4.
NSA Utah Data Center. Photo via Parker Higgins / EFF
A different outcome on Clapper would have a significant impact on future cases challenging government surveillance. It would also have an impact on data breach litigation cases, which often cite to Clapper to hold that plaintiffs whose data is compromised in a data breach lack standing to sue because they are not yet harmed.
But would the Supreme Court overrule Clapper so soon after it was decided? Ironically, perhaps, Justice Scalia would have no problem with that.
Dissenting in South Carolina v. Gathers, 490 U.S. 95 (1989), Justice Scalia wrote:
Overrulings of precedent rarely occur without a change in the Court’s personnel. The only distinctive feature here is that the overruling would follow not long after the original decision. . . . Indeed, I had thought that the respect accorded prior decisions increases, rather than decreases, with their antiquity, as the society adjusts itself to their existence, and the surrounding law becomes premised upon their validity. The freshness of error not only deprives it of the respect to which long established practice is entitled, but also counsels that the opportunity of correction be seized at once, before state and federal laws and practices have been adjusted to embody it.
The U.S. Supreme Court appears to be very close to making some dramatic changes in 4th Amendment law. With Justice Scalia’s passing, a sometimes-champion of the 4th Amendment has been lost. Will the next justice also have a narrow version of originalism or will he or she have a more progressive approach? If the latter, we might see some dramatic shifts in 4th Amendment protection of government surveillance.
Daniel J. Solove is the John Harlan Marshall Research Professor of Law at the George Washington University Law School. He founded TeachPrivacy, a company providing privacy and data security training.
In 2014, Baltimore Police obtained a warrant for the arrest of Kerron Andrews for attempted murder. To find him, law enforcement requested a pen register to record his location data and all outgoing phone calls. The request, however, didn’t ask about using a Hailstorm (a type of Stingray — a bulk collection device meant to intercept data meant for cell towers) to collect this data.
The police used it anyway.
Warrantless bulk collection by use of a Stingray isn’t anything new. The secrecy is often due to an NDA (like this one) between law enforcement and the FBI itself.
After learning about the non-disclosure of the use of a Stingray, a judge concluded the police had violated Andrews’ Fourth Amendment right and granted the defense’s request to suppress the evidence collected by the Stingray.
But here’s where it gets interesting.
The state appealed the decision.
It argued that the court erred in its original ruling, claiming that Andrews voluntarily shared his cellphone information with law enforcement (and other third parties) when he turned the phone on.
This is dangerous precedent.
If the Maryland court overturns the ruling and says that the suppressed evidence collected by the Stingray device is admissible, look for other state courts to begin citing this ruling when justifying the use of bulk collection tools without a warrant.
For now, just revel in the fact that, according to the State of Maryland, turning your phone on is giving implicit consent to being tracked.