from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: July 10, 2015


July 10, 2015

Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

  • The encryption debate was back on Capitol Hill this week. FBI Director James Comey testified before two Senate committees, arguing that law enforcement needs privileged access to encrypted files to thwart terrorist plots, arrest child pornographers, and keep the public safe. Absent the ability to decrypt data, Comey warned that it would become impossible to wiretap certain devices to protect the public. While some Senators were sympathetic to Comey’s plea, Senator Al Franken pointed out that the FBI was unable to offer data “about how often encryption is thwarting investigations” and Senator Ron Wyden criticized the government for creating the problem in the first place by engaging in mass surveillance. Technologists and experts have long warned that the FBI’s request is impossible to implement without inserting security vulnerabilities in applications that use encryption. They reiterated these concerns in a report published on Tuesday, arguing that government access to encrypted data would “pose far more grave security risks…than we could have imagined when the Internet was in its infancy.”
  • Hacking Team, an Italy-based surveillance firm dogged by allegations that it sells its wares to countries with poor human rights records, was hacked. Approximately 400 GB of company data was made public, including client lists, source code for the company’s "Remote Control System" hacking tool, and a Flash zero-day. The governments of Australia, Azerbaijan, Egypt, Russia, Saudi Arabia, Bahrain, Ethiopia, the United Arab Emirates, Kazakhstan, the United States, and Uzbekistan were clients. By selling to Sudan, it’s possible that Hacking Team violated UN sanctions that prevent arms sales to that country. It also contradicts claims the company made over a year ago that it didn’t sell spyware to “any repressive regime.” The incident underscores one of the primary reasons countries sought to amend the export control regime known as the Wassenaar Arrangement to limit the proliferation of surveillance software. David has more on the policy implications of the Hacking Team hack here.
  • The lengthy communiqué issued by the BRICS (Brazil, Russia, India, China, and South Africa) leaders this week contained nine paragraphs dedicated to Internet issues. Of note, they have decided to strike a working group to cooperate on developing cyber norms, exchanging cybersecurity best practices, and combatting cybercrime. They also reiterated their call for a global cybercrime treaty under the auspices of the United Nations, and called for the "evolution of the Internet governance ecosystem, which should be based on an open and democratic process, free from the influence of any unilateral considerations." The reference to "unilateral considerations" is a not-so-subtle dig at the U.S. Department of Commerce’s relationship with the Internet Corporation for Assigned Names and Numbers.
  • Four noteworthy legal developments occurred this week. First, the National People’s Congress of China published a draft of a cybersecurity law. You can read my quick assessment of it here. Second, the Russian parliament overwhelmingly approved a “Right to be Forgotten” law, which would allow users to request that search engines remove links to information that the user deems “untrustworthy,” “no longer relevant” or “distributed in violation of the law.” Third, the Senate Intelligence Committee approved a bill that would require social media operators to alert the federal government of “terrorist activity” online. Last but not least, Canada finally ratified the Council of Europe’s Convention on Cybercrime, more commonly known as the Budapest Convention.