Encryption: “We’re Engineers, Not Wizards”

If you have kept up to date with my recent posts you may have noticed my love for the right to privacy, particularly in the online sphere, and hatred against the many, many attempts to infringe upon that right in some manner. Well, I’m afraid this post will be no different as we go down the rabbit hole of encryption and law enforcement, and the larger issue of privacy vs security. 

While I might be quite vocal about the importance of the right to privacy, and the important role encryption plays in protecting that right online, there are others who see it as an annoyance, a barrier for “the good guys”: law enforcement. It makes it harder to use surveillance on a suspect’s communications due to end-to-end encryption, it means they can’t extract evidence from a suspect’s phone because they cannot access it, and then the terrorists will win! I mean, you have nothing to fear if you have nothing to hide right? I mean a government would never use this information for malicious purposes right? They’re totally trustworthy, right? Right?

This debate is certainly not a new one. From the Crypto Wars of the Cold War (sadly not as awesome as it sounds, with the US Government attempting to limit public access to encryption strong enough to pose a problem for intelligence agencies) to the proposal for the Clipper Chip (a computer chip developed by the NSA in order to provide a back door into early computer systems and allow law enforcement agencies to access and decode “intercepted voice and data transmissions”), the war between law enforcement and encryption has been fought since the development of encryption itself. 

However it has once again come to the fore due to a number of legal cases, most notably the San Bernadino terrorist attack. In the aftermath of this attack, the FBI attempted to compel Apple to design a back door into their operating system in order for the FBI to gain access to the encrypted data and gain more information on perpetrator. That sounds reasonable doesn’t it? A backdoor which only the FBI can use? There’s just one problem with it...

Exactly! You cannot construct a back door for one party alone. A back door for one hacker is a backdoor for another, and complying with the FBI would have resulted in a massive vulnerability that any skilled hacker could take advantage of! But it was necessary! We needed it to get access! Again, this is nonsense, as can clearly be seen from the FBI gaining access without Apple’s help (albeit spending $900,000 to do so). And while a Big Brother scenario might be somewhat unlikely at the offset, a very real concern would be a massive data breach. In addition, there are countless apps in place to provide encryption so that even if there is a crackdown on encryption and back doors become commonplace, any criminal worth their salt could just use one of these apps. And if that apps gets removed, well then another will pop up, and some are very difficult to bring under a country’s jurisdiction. 

So just remember, when a government or body asks you to trade your privacy for security, they’re probably just trying to make their lives easier, and yours a hell of a lot less safe. 

“Hey Brian, I was running some tests last night and found that even though my location services were turned off, I was still getting rough location data.”

“Yeah that’s probably fine”

“But isn’t that a breach of privacy?”

“Pri-va-cy? Is that French?”

“But couldn’t a hacker use this, and additional cell towers, to track my location?”

“What? No, no. I mean, yes but I wouldn’t worry about it. Hackers aren’t a major issue or anything”

“Jesus Christ Brian, isn’t our motto “Don’t Be Evil”?!?!”

“It’s more of a guideline...”

H3ll0 Friend: Mr Robot through the lens of UK Law

Post contains minor spoilers for the show: proceed at own risk

Mr. Robot is one of those gems that I arrived late to the party for and then fell head over heels in love with. For those unfamiliar with the show, it follows antisocial vigilante hacker Elliot Alderson as he hacks people’s social media accounts both in order to expose criminal activity and so that he doesn’t feel so crushingly alone. Elliot is then drawn into the schemes of F Society, a hacktivist group attempting to topple E Corp (one of the largest multi-national conglomerates in existence), led by the elusive “Mr Robot”. Though the show has moved beyond this premise by season 3, today I’d like to discuss one of the first hacks we see in the show.

Elliot cracks into “Michael’s” (his therapists boyfriend’s) social media accounts, just as he hacks most people in his life. Elliot accomplishes this through clever social engineering, namely by posing as a member of the Bank of E fraud team on the phone and asking security questions in order to tease out personal information, and brute force hacking using the information “Michael” gave him. Elliot then discovers that Michael, aka Lenny, is married, and carrying out multiple affairs, including with his therapist Krista. Elliot then confronts Lenny and demands he break up with Krista, or Elliot will expose his affairs and tell the police that one of the women he slept with was a minor (the latter of which is a lie). He also takes Lenny’s dog, Flipper. So, having done all this, what could Elliot be charged with?

First, when Elliot posed as a member of the Bank of E fraud team he was committing fraud by false representation, as found under section 2 of the Fraud Act 2006. This states a person will be guilty of an offence where: they “dishonestly make a false representation”; “intends, by making the representation...to cause a loss to another or to expose another to a risk of loss.” Elliot’s social engineering of Lenny certainly seems to match this criteria nicely! 

Secondly, could Elliot be charged with blackmail under the Theft Act 1968? There are four elements to blackmail: a demand; made with “menaces” (i.e. a threat); where the menaces were unwarranted; with the intent to gain for himself or cause a loss to another. Elliot certainly made a demand, and backed it with threats. However, the unwarranted menaces requirement is subjective, and given Elliot’s instability he may well believe he has reasonable grounds for making the demand. Elliot also intended to commit a loss/gain by taking Flipper. As gain/loss only extends to property and money if Elliot had not taken the dog he would have been unable to be charged with this offence. 

Finally we have the most relevant offence: unauthorised access to computer material under the Computer Misuse Act 1990. For this the prosecutor would have to show that Elliot used a computer to secure access to any program or data on a computer, and that Elliot knew he did not have authorisation to do so. This is clearly the best fit for Elliot’s actions against Lenny, and here in the UK could see Elliot jailed for up to two years on indictment if caught. 

But of course, that’s just the problem isn’t it? It’s all very well and good legislating for these crimes, but in a practice enforcement is a major issue. Through the use of various computer programs, proxy servers, and botnets it is possible to leave little evidence for law enforcement to use to track and charge the perpetrator of cybercrimes. In the real world, this can make it all but impossible to prosecute for a cyber attack. In Mr Robot, it means our favourite anti-hero can continue his fight against/for society/himself/everyone. 

The need to ensure transparency when dealing with internet filtering is vital, and sadly one that is often not upheld. Even if filtering sets out with the best of intentions, it can result in indirect discrimination. It is hopeful that the implementation of the General Data Protection Regulation next year will herald a new age of digital transparency, but it is important to be vigilant in ensuring that filtering does not begin to creep silently onto the internet in order to protect government involvement and private interests. 

And why stop at the music industry? Books, video games, they are all better enjoyed when we can share them with each other. I mean except for all of the reports and proof that it doesn’t harm business (bar the film industry with recent films), file sharing is just bad for business right?

Oh rolling stone, if only you still did music reviews and less political commentary. Regardless, this is awesome. 

DRM in video games and why we should let it die

Digital Rights Management (”DRM”), for those who don’t know, is a method of attempting to prevent unlawful reproduction or “piracy” of copyright protected materials in the age of the Internet. This can take many forms, from limiting the amount of devices the material can be activated on at any one time to much more restrictive measures. However, this has led to a push back from the gaming community. 

With video games, DRM has been implemented in a particularly restrictive manner. At worst, you cannot play your game without a stable internet connection (those exist??) which can infuriate gamers who have legitimately purchased a product only to be punished with extra requirements to play the game. In some cases, the DRM software can result in performance issues, as can be seen from the Sonic Mania game which has since had some DRM software patched out. Obviously, it did not take long until people were attempting to circumvent this software through exploits. However, originally it could take some length of time before the DRM software could be “cracked”. 

One of the most widespread anti-tamper software kits is Denovo, and when it was first introduced it could take months for hackers to defeat the software. In recent years, this time frame has been further and further reduced. When Resident Evil 7 was released, it took seven days for hackers to circumvent the software. When Middle Earth: Shadow of War was released, it took a day. Given how quickly after launch this software is being defeated, why does the gaming industry insist on its continued use?

So, what side should the law take on this issue? On the one hand, there are copyright violations taking place in relation to video games. But is it as much of an issue as some game developers make it out to be? Does it warrant placing highly restrictive software in their game? The EU commissioned a report on the effect of piracy on the sale of copyright material. The report found that, with the exception of recent top films there is little “statistical evidence of displacement of sales by online copyright infringements.” CD Projekt Red, famous for its Witcher games, has come out in opposition to DRM. The Witcher 3 has no DRM software, and yet has sold 10 million copies. While it has been pirated, Marcin Iwinski (co-founder of GOG.com and CD Projeckt Red) has stated many of the pirates have subsequently purchased the game when they could afford it. 

Ultimately, it may be time for the law to adapt to changing social norms regarding copyright and cyberspace. Some measure of protection should be included, but it should be kept at a minimum. After all, any game that includes severe DRM restrictions is a prime target for hackers, resulting in more people downloading the cracked version rather than buying the game. Let CD Projekt Red stand as a lesson for other video game developers: support your fan base, and they will return the favour.

The balance discussed by Lessig towards the end of the video, and the line which the artists themselves are willing to draw when it comes to what situations they will pursue infringement is vital to understanding why so many people rail against corporations or artists aggressively pursuing their IP rights. 

In many cases, the proclivity for companies to go after individuals who, in many cases, have no intention of using the work for profit or are using the material for comedic or critical purposes can turn a fanbase against the company (the case of a large unnamed miniatures company *cough* GW *cough* looking to copyright the term “space marine” comes to mind). 

Basically, law school.

Patents are incredibly important for inventors and creators, protecting their creations from theft and unlawful reproduction. However there is potential for abuse, particularly when widely defined patents are given in a field that develops so quickly and in unexpected ways.  If patent protection is abused, it creates a chilling effect, stifling innovation and creating monopolies which can deter individuals form innovating an inventing. This potential for abuse was even recognised by Bill Gates:

While Microsoft may have become more litigious surrounding their IP rights in recent years, the same fears regarding the granting of software patents remains. While the current protection for computer programs, namely copyright, provides less rights and is weaker than a patent due to the requirements for infringement (namely one would have to copy the code directly in order to infringe) the alternative is a system similar to the US approach, where patent trolls can bring lawsuits on the basis of widely defined patents, from companies that do nothing with said patents except for bringing lawsuit against corporations which create technology that is even tangentially related to the patent description in the hopes of shaking them down. All done in the knowledge that the company will settle out of court because it isn’t worth the time and money necessary to defend it.

Ideally, laws ratify already developed social consensus. They are less the Social Contract itself than a series of memoranda expressing a collective intent that has emerged out of many millions of human interactions. […] Whenever there is such profound divergence between law and social practice, it is not society that adapts.

John Perry Barlow, “The Economy of Ideas” (via andrewbaggott)

In considering the regulation of cyberspace, it is important to remember John Barlow’s words. Social consensus should form the basis of any regulation, especially with a medium with such far reaching consequences. The law should reflect the will of the people, of society at large, not the interests of private corporations or the wealthy elite. 

You can only win the game when you understand that it is a game. Let a man play chess, and tell him that every pawn is his friend. Let him think both bishops holy. Let him remember happy days in the shadows of his castles. Let him love his queen. Watch him lose them all.

Mark Lawrence, “Prince of Thorns” (via turibulum)

And people wonder why the creation of smart homes is terrifying...