Cybersecurity and Legal Lessons after Apple v FBI
Benjamin Ang, Senior Fellow, Centre of Excellence for National Security; Education Chair, Internet Society Singapore Chapter
Where we come from
CENS: a multinational team of specialists in national and homeland security, based at NTU's RSIS and working closely with NSCS and CSA
ISOC.SG: dedicated to ensuring that the Internet stays open, transparent and defined by you; organizing events, providing education, engaging policy
Myself: former lawyer, former CIO, Senior Research Fellow in Cybersecurity Law and Policy
Cybersecurity issues in IPv6
Misconception #1
Misconception: IPv6 automatically applies IPsec because IPsec is built in.
Reality: IPsec is "built in" only in the sense that every IPv6 stack is expected to implement it. It is not on by default and does nothing until a security policy and keys (or an IKE daemon) are configured; without that, IPv6 traffic is just as cleartext as IPv4.
Solution: Enable IPsec explicitly, and verify with a packet capture that the traffic you care about actually appears as ESP.
Misconception #2
Misconception: Every device should have its own (globally routable) IP address.
Reality: Behind NAT, devices that only need to be reached from inside the network are unreachable from outside. That protection comes from the stateful filtering NAT implies, not from address translation itself, so an IPv6 host with a global address needs an explicit default-deny inbound firewall rule to get the same effect.
Solution: Run IPv4 and IPv6 together (dual-stack), and firewall both.
Misconception #3
Misconception: Encryption will protect everything.
Reality: Encryption protects content, not metadata. Addresses, packet sizes, timing and (with IPsec ESP) the SPI and sequence number stay visible to anyone on the path, which is often enough to tell who is talking to whom and how much.
Solution: Be aware of what stays visible and design around it (tunnel mode, for example, hides the inner addresses but not the outer ones).
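As an added example (not from the slides), the script below builds an IPv6 packet carrying an ESP header and an opaque payload, then parses only what an on-path observer can read without any key. The addresses, SPI, sequence number and payload are constructed for this illustration; the payload is random bytes standing in for ciphertext. It uses only the Python standard library.

```python
"""Added example: what a passive observer still learns from an IPv6 packet
after IPsec ESP has encrypted the payload (metadata vs content).

Everything in the sample packet is constructed for this example; the 'ciphertext'
is random bytes, not output of a real cipher.
"""
import ipaddress
import os
import struct

NEXT_HEADER_ESP = 50  # IP protocol number for ESP (RFC 4303)


def build_ipv6_esp_packet(src: str, dst: str, spi: int, seq: int,
                          ciphertext: bytes, hop_limit: int = 64) -> bytes:
    """Build an IPv6 packet (RFC 8200 fixed header) whose payload is
    an ESP header (SPI, sequence number) followed by opaque ciphertext."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    ver_tc_fl = 6 << 28  # version 6, traffic class 0, flow label 0
    header = struct.pack("!IHBB", ver_tc_fl, len(esp), NEXT_HEADER_ESP, hop_limit)
    header += ipaddress.IPv6Address(src).packed
    header += ipaddress.IPv6Address(dst).packed
    return header + esp


def observe(packet: bytes) -> dict:
    """Parse only the fields an on-path observer can read without keys."""
    ver_tc_fl, payload_len, next_header, hop_limit = struct.unpack_from("!IHBB", packet, 0)
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "hop_limit": hop_limit,
        "next_header": next_header,
        "payload_len": payload_len,
        "total_len": len(packet),
    }
    if next_header == NEXT_HEADER_ESP:
        # ESP leaves the SPI and sequence number in the clear by design.
        spi, seq = struct.unpack_from("!II", packet, 40)
        info.update({"protocol": "ESP", "spi": spi, "seq": seq,
                     "ciphertext_len": payload_len - 8})
    return info


def main():
    # Constructed sample: a 200-byte "encrypted" payload between two hosts.
    pkt = build_ipv6_esp_packet("2001:db8::10", "2001:db8:1::1",
                                spi=0xABCD1234, seq=7, ciphertext=os.urandom(200))
    for key, value in observe(pkt).items():
        print(f"{key:15} {value}")
    # Hidden: inner protocol, ports, application data.
    # Exposed: who talks to whom (addresses), which SA (spi), how often (seq),
    # and how much (lengths) - enough to profile traffic without touching the cipher.


if __name__ == "__main__":
    main()
```

Run it and compare the printed fields with what the slide calls "metadata": every one of them is readable by a router, an ISP or a tap between the two hosts, even though the payload is unreadable.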
Timeline of Apple v FBI
As of mid 2016
16 Feb: Judge orders Apple to help FBI unlock iPhone belonging to a dead terrorist
17 Feb: Tim Cook (Apple CEO): This would undeniably create a backdoor, we will NOT comply
18 Feb: Twitter, Google, former NSA Director: USA is safer with unbreakable encryption
19 Feb: FBI files motion that Apple is not above the law
1 Mar: Apple General Counsel speaks to House Judiciary Committee
1–15 Mar: Apple and US DOJ lawyers file arguments in court
21 Mar: US attorneys ask to vacate hearing
28 Mar: US govt announces it has gained access to the phone without Apple's help
8 Apr: US DOJ says it needs help to unlock an iPhone 5s in New York
22 Apr: US DOJ no longer needs Apple's help because they also unlocked this phone
What's at stake
The 'Security' Argument
FBI: We need access so that we can investigate crime, prevent crime
Fears: 'Going dark'
The 'Privacy' Argument
Technology Cos: Creating back doors will expose users to criminals
What if it happened in Singapore?
Criminal Procedure Code
39.—(1) A police officer or an authorised person, investigating an arrestable offence, may at any time —
access, inspect and check the operation of a computer that he has reasonable cause to suspect is or has been used in connection with the arrestable offence; or
use or cause to be used any such computer to search any data contained in or available to such computer.
Power to access computer
"I'm investigating an arrestable offence, so I want to ACCESS all the data on this computer."
"Do you need a warrant?"
No.
Criminal Procedure Code
39(2) The police officer or authorised person may also require any assistance he needs to gain such access from —
… 39 (5) (3) Any person who obstructs the lawful exercise … or who fails to comply with any requirement of the police officer … shall be guilty of an offence
Power to access computer
"Can I refuse?"
No.
Criminal Procedure Code
40.—(2) The police officer shall be entitled to —
access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating …;
Require [any person] to provide assistance
Power to access decryption
"I'm investigating an arrestable offence, so I want to DECRYPT all the data on this computer."
"Do you need a warrant?"
No.
Criminal Procedure Code
39(2) The police officer or authorised person may also require any assistance he needs to gain such access from —
… 39 (5) (3) Any person who obstructs the lawful exercise … or who fails to comply with any requirement of the police officer … shall be guilty of an offence
Power to access decryption
"Can I refuse?"
No.
Criminal Procedure Code
40(7) … if that person was in possession of any decryption information at any time before the time of the request for access to such information, that person shall be presumed … to have continued to be in possession of that decryption information …, unless—
(a) It was not in his possession at the time of request and
(b) It continued not to be in his possession.
Power to access decryption
"I don't have the keys."
"Didn't you used to have them?"
But there is a limit
"I got into the laptop, but the files are individually encrypted by unknown software."
What about messages (data in motion)?
Computer Misuse and Cybersecurity Act
15A.—(1) Where the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore,
the Minister may, authorise or direct any person or organisation … to take such measures or comply …
"We have a national security concern, so I'm giving you a direction."
"Can you do that?"
Yes.
Computer Misuse and Cybersecurity Act
s15A(2)(c) … (including real-time information) obtained from any computer controlled or operated by the specified person, or obtained by the specified person from another person
"Monitor all messages in real time to find out if a riot is going to take place."
"REAL TIME? What if we catch some personal data?"
Computer Misuse and Cybersecurity Act
s15A(3) Any measure or requirement … shall have effect notwithstanding any obligation or limitation imposed or right, privilege or immunity conferred by or under any law, contract or rules of professional conduct …
Computer Misuse and Cybersecurity Act
s15A(4) A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.
Is there a limit?
"I can't monitor the messages, they're encrypted end to end!"
On the other hand
Businesses are legally required to protect customer data
PDPC fined K Box $50K
"The practice of sending large volumes of members' personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members' personal data." – PDPC
On the other hand
End users and manufacturers of IoT may need access
Manufacturers … need to send security updates to IoT devices
End users … sometimes need to override our own security
Humanity … may one day need to override security
What can we do?
End Users
• We need choices
Law Enforcement
• We need access
Tech Companies
• We need security
Regulators
• We need to secure
Weak (or weakening) encryption is unsafe
Because criminals can get access to victims' data or worse
"How are you going to get through the user's security?"
"No problem, I found out the back door that police use!"
Weak encryption doesn't really help law enforcement
Because the really serious criminals and terrorists use additional encryption tools
"How are we going to carry out our secret bomb attack? Police have back doors into everyone's phone!"
"No problem, I'm using a Russian encryption app that has no back door."
But end users and manufacturers need a safe way in
Are there solutions besides encryption alone?
Secure Privacy
3FA
Biometrics
Key Escrow
Dual Key
Notification
Blockchain
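The slides list key escrow and dual key without defining them. As an added example (not the author's, and not an endorsement of any scheme), the script below shows one reading of "dual key": the device key is split with Shamir secret sharing over GF(2^8) so that any two of three holders can rebuild it and a single share reveals nothing. The holder roles (user, manufacturer, escrow agent), the 2-of-3 threshold and the sample key are assumptions for the illustration. The caveat a practitioner would attach: the escrow share, and whoever can compel its release, becomes exactly the concentrated target that the back-door argument on the earlier slides warns about.

```python
"""Added example: a 'dual key' / key-escrow split using Shamir secret sharing
over GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1.

Roles, threshold and the sample key are assumptions for this illustration.
"""
import secrets
from typing import Dict


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (the field has 256 elements, so a^255 = 1)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, n: int, k: int) -> Dict[int, bytes]:
    """Split `secret` into n shares (indexed 1..n); any k of them rebuild it."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:
        # Per byte: random polynomial of degree k-1 whose constant term is the secret byte.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            y, xpow = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xpow)
                xpow = gf_mul(xpow, x)
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}


def recover_secret(shares: Dict[int, bytes], k: int) -> bytes:
    """Lagrange-interpolate each byte at x = 0 from any k shares."""
    if len(shares) < k:
        raise ValueError(f"need at least {k} shares, got {len(shares)}")
    xs = list(shares)[:k]
    out = bytearray()
    for i in range(len(shares[xs[0]])):
        acc = 0
        for xi in xs:
            # L_i(0) = prod_{j != i} x_j / (x_j - x_i); subtraction in GF(2^8) is XOR.
            num, den = 1, 1
            for xj in xs:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xj ^ xi)
            acc ^= gf_mul(shares[xi][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def main():
    device_key = secrets.token_bytes(32)  # constructed sample key
    parts = split_secret(device_key, n=3, k=2)
    user, vendor, escrow = parts[1], parts[2], parts[3]  # assumed roles
    # Either the user or the vendor together with the escrow agent rebuilds the key.
    assert recover_secret({1: user, 3: escrow}, k=2) == device_key
    assert recover_secret({2: vendor, 3: escrow}, k=2) == device_key
    print("2-of-3 recovery OK; the escrow share alone is just", len(escrow), "random-looking bytes")


if __name__ == "__main__":
    main()
```

Because every share is an evaluation of a random polynomial, one share is statistically independent of the key; the security question the slides raise is therefore not the mathematics but who holds the second share and under what legal compulsion it is released.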
The Solution is out there
We all need to work together to create one that works for everyone
Singapore Chapter
Your Membership helps Change the World
Internet Society members achieve change through partnerships and technical expertise.
Your membership to the Internet Society gives you a powerful voice.
90+ chapters worldwide
50,000+ individual members
140+ organization members
Workshops and training
Educational events
You can play a Key Role in Singapore
Public Policy issue advocacy
Networking events
Get Involved
Join the Singapore Chapter, or
Attend an Event
– Blockchain Seminar 2016
Contact us at www.isoc.sg
This is your Internet. Join it!
Cybersecurity and Legal Lessons after Apple v FBI
Benjamin Ang, Senior Fellow, Centre of Excellence for National Security; Education Chair, Internet Society Singapore Chapter
Slides and further discussion at www.isoc.sg
Background Information
Centre of Excellence for National Security
Multinational team of research
specialists in national security
Working with National Security
Coordination Secretariat (NSCS) and
Cyber Security Agency (CSA)
CENS Research Programmes
Homeland Defence Programme
• Strategic Communication
• Social Media Analysis
Radicalisation Studies Programme
• Radicalisation of individuals and groups
• Criminology, psychology, sociology, history and political science
Social Resilience Programme
• Multiculturalism, citizenship, class, immigration
• How globalised societies cope with crises such as pandemics and terrorist attacks
Cybersecurity Programme
• Cyber threats
• Cybercrime
• Smart Cities
• Confidence Building Measures
• Controversies (security vs privacy)
How CENS influences national policy
Publish commentaries and briefs
Educate national security officials
Organize workshops and seminars to create a community of practice in the public and private sectors
Internet Society Mission
To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.
Internet Society Singapore Chapter
Provides leadership in policy issues
Advocates open Internet standards
Promotes Internet technologies that matter
Develops Internet infrastructure
Undertakes outreach that changes lives
Recognizes industry leaders
Current Priorities
Internet Governance
Open Internet Standards
Online Identity
IPv6
Blockchain
Domain Name System Security (DNSSEC)
Internet and Human Rights
Intellectual Property and Digital Content
Internet of Things
Programmes
Awards
Internet Hall of Fame
Jonathan B. Postel Service Award
Applied Networking Researching Prize (ANRP)
Grants
Community Grants
ICT Innovation
Individual Fellowships
Examples of the Internet Society in Action
Public Consultation with MDA on changes to Licensing of Websites
Photo: © Stonehouse Photographic
www.internetsociety.org/wcit
Lodging complaint against law firm representing Dallas Buyers Club in threatening users
Seminars on Charlie Hebdo, Cybersecurity Skills Building, Election Blogging, IOT, and more
World IPv6 Launch
www.WorldIPv6Launch.org