Friday, September 19, 2014

When the canary dies, get out of the garden

Reported at Gigaom and elsewhere, Apple's "warrant canary" has disappeared, suggesting new Patriot Act demands. In this case, a canary refers to a statement on a website or in a report that states something about the company or its security. For example, a company might add a canary statement to their website's footer that "We have not been compelled to add a security backdoor to our products." If that canary statement disappears from the website, you can assume the company has been compelled to add a security backdoor.

Why the canary? Such demands are usually accompanied by a non-disclosure statement. The company cannot let its customers know that their products now have a backdoor. But a canary is different, a sort of compromise. Like the canary in a coal mine, when the canary statement disappears ("dies") it's time to get out.

When Apple published its first Transparency Report on government activity in late 2013, the document contained an important note (page 5, see PDF) that stated: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Section 215 of the Patriot Act permits the National Security Agency to demand companies to hand over their business records in secret. It also vastly expands the FBI's power to spy on ordinary people living in the United States, and those served with Section 215 orders are prohibited from disclosing the fact.

Now, that canary statement has disappeared from Apple's reports. And as reported in Gigaom, Apple has become suddenly quiet on the subject.

However, Apple has recently announced a technical solution: Apple has reworked its latest encryption that prevents anyone but the device's owner from accessing data. It's not that Apple won't unlock the data for police, but Apple can't. In a page about "government information requests," Apple claims about the new features in iOS 8:
"On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."
And that's good. Device encryption should be such that no one else can access your data. That's security. Unfortunately, it has taken until late 2014 for Apple to realize that.

So what's next? Last week, I was asked at an open source software event for my views on the future of free software and open source software. I responded that while the iPhone and iPad are "sexy" devices (and I have an iPad at home, which I use to watch videos and play games, but nothing of value) there will come a time with government spying that people will want to escape the "walled garden" of iOS. People will no longer want a company like Apple or Microsoft or Google to control their data; they will want to take back control of their own data and keep it safe.

That's where open source software will come to the rescue. Free software and open source software is peer reviewed. As open source software advocate Eric S. Raymond is quoted saying, "Given enough eyeballs, all bugs are shallow." It's highly unlikely a backdoor or other data surveillance method could escape detection in an open source software project, especially one with an active user-developer community.

Maybe the Apple canary is the start of that trend. Will people realize the importance of Apple's canary, that Apple is affected by FISA proceedings, and that user privacy is at risk? I think the user-private encryption in iOS 8 may delay the collapse of Apple's "walled garden," but I for one will no longer trust my Apple device.
photo: Majd Mohabek

No comments:

Post a Comment