Apple’s Privacy Officer Jane Horvath Uses CES Appearance to Defend Company Stance on Encryption and Software Backdoors

Apple's chief privacy officer attended a discussion panel at the Consumer Electronics Show in Las Vegas on Tuesday to debate the state of consumer privacy, marking the first time in 28 years that Apple has been at CES in an official capacity.

Apple's privacy officer at CES 2020 panel (Image: Parker Ortolani)

Jane Horvath, Apple's senior director for global privacy, joined an all-female panel consisting of representatives from Facebook, Procter & Gamble and the Federal Trade Commission. During the discussion, Horvath defended Apple's use of encryption to protect customer data on mobile devices.
"Our phones are relatively small and they get lost and stolen," Horvath said. "If we're going to be able to rely on our health data and finance data on our devices, we need to make sure that if you misplace that device, you're not losing your sensitive data."
Apple has held a consistent position regarding its use of encryption, even if that means it has limited ability to help law enforcement access data on devices involved in criminal investigations.

Just this week, the FBI asked Apple to help unlock two iPhones that investigators believe were owned by Mohammed Saeed Alshamrani, who carried out a mass shooting at a Naval Air Station in Florida last month. Apple said that it had already given the FBI all of the data in its possession.

Apple's response suggests it will maintain the same stance it took in 2016, when the FBI demanded that Apple provide a so-called "backdoor" into iPhones, following the December 2015 shooter incidents in San Bernardino. Apple refused, and the FBI eventually backed down after it found an alternate way to access the data on the iPhone.

Horvath took the same tack by saying that Apple has a team working around the clock to respond to requests from law enforcement, but that building backdoors into software to give law enforcement access to private data is something she doesn't support.
"Building backdoors into encryption is not the way we are going to solve those issues," Horvath said.
Horvath went on to talk up Apple's "privacy by design" technologies like differential privacy, user randomization in native apps and services, the on-device facial recognition in the Photos app, and minimal data retrieval for Siri. Horvath also confirmed that Apple scans for child sexual abuse content uploaded to iCloud. "We are utilizing some technologies to help screen for child sexual abuse material," she said.

Horvath became Apple's chief privacy officer in September 2011. Prior to her work at Apple, Horvath was global privacy counsel at Google and chief privacy counsel at the Department of Justice.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


This article, "Apple's Privacy Officer Jane Horvath Uses CES Appearance to Defend Company Stance on Encryption and Software Backdoors" first appeared on MacRumors.com


U.S. Senators Threaten Apple and Facebook With Encryption Regulation

Executives from Apple and Facebook were grilled over their encryption policies in a U.S. Senate Judiciary Committee hearing, with senators threatening encryption regulation.

According to Reuters, senators told Apple and Facebook that the two companies need to find a way to make encrypted data available to law enforcement for investigations.


"You're going to find a way to do this or we're going to go do it for you," said Senator Lindsey Graham. "We're not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion."
Facebook earlier this year said that it would extend end-to-end encryption across all of its messaging services and has since faced blowback from U.S., UK, and Australian government officials who have requested backdoor access.

Apple faced a major encryption battle with the United States government in 2016 when it refused to provide the government with the tools to unlock the iPhone owned by the San Bernardino shooter.

Apple at the time argued that adding backdoor access to the iPhone would weaken it for everyone and that criminals would quickly gain access to any backdoor tools that Apple established.

Facebook privacy chief Jay Sullivan was at the hearing with Apple privacy chief Erik Neuenschwander, and even amid scrutiny from regulators, the two companies were still at each other's throats, with Neuenschwander and Sullivan each suggesting lawmakers focus scrutiny on the other company's business.

Sullivan pointed out that Facebook does not build devices or operating systems, while Neuenschwander said that Apple doesn't have "forums for strangers to contact each other" and doesn't see Apple "scanning material of our users to build profiles of them."

Apple has been staunchly against creating backdoors for government access and has warned of the dangers of weakening encryption. Apple does cooperate with law enforcement by providing relevant iCloud data in law enforcement investigations when requested.


Telegram Messenger Service Suffers Cyberattack Originating From China

The CEO of messaging service Telegram has suggested that a recent cyber attack on the encrypted chat platform was the work of the Chinese government as part of an attempt to disrupt use of the app to coordinate ongoing protests in Hong Kong.

Telegram founder Pavel Durov said the messaging service experienced a "state actor-sized" distributed denial of service (DDoS) attack yesterday and this morning after "garbage requests" flooded its servers and disrupted communications.

DDoS attacks typically work through the use of botnets – often operating on hijacked computers infected with malware – which bombard servers with redundant requests to prevent them from processing legitimate requests.


Most of those requests came from IP addresses originating in China and appeared to coincide in time with protests in Hong Kong, Durov said in a later Twitter post.

Protesters in the hundreds and thousands have been marching through Hong Kong's streets this week in opposition to a controversial law that would allow people in the city to be extradited to China.

Chinese state media have condemned the protests, which they claim are being motivated by outside forces and risk undermining social stability in the region.

This isn't the first time apps have been blocked in Hong Kong. In 2014, China's cyberspace administration cut access to Instagram during the city's Umbrella Movement, which used umbrellas as a tool of passive resistance to the police's use of pepper spray on protestors who were seeking more transparent elections.


Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages

Apple and other tech giants have joined civil society groups and security experts in condemning proposals from Britain's cybersecurity agency that would enable law enforcement to access end-to-end encrypted messages (via CNBC).

British Government's Communications HQ in Cheltenham, Gloucestershire

In an open letter to the U.K.'s GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp urged the U.K. eavesdropping agency to ditch plans for its so-called "ghost protocol," which would require encrypted messaging services to direct a message to a third recipient, at the same time as sending it to its intended user.

Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis, published details of the proposal in November 2018. In the essay, Levy and Robinson claimed the system would enable law enforcement to access the content of encrypted messages without breaking the encryption.

The officials argued it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," and claimed this would be "no more intrusive than the virtual crocodile clips," which are currently used in wiretaps of non-encrypted chat and call apps.

Signatories of the letter opposing the plan argued that the proposal required two changes to existing communications systems that were a "serious threat" to digital security and fundamental human rights, and would undermine user trust.
"First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.

"Second, in order to ensure the government is added to the conversation in secret, GCHQ's proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.

"The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people. The GCHQ's ghost proposal completely undermines this trust relationship and the authentication process."
Apple's strong stance against weakened device protections for the sake of law enforcement access was highlighted in the 2016 Apple vs. FBI conflict that saw Apple refuse to create a backdoor access solution to allow the FBI to crack the iPhone 5c owned by San Bernardino shooter Syed Farook.

Responding to the open letter, which was first sent to GCHQ on May 22, the National Cyber Security Centre's Ian Levy told CNBC: "We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion."

"We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible," Levy said.


FBI Director Christopher Wray on Encryption: We Can’t Have an ‘Entirely Unfettered Space Beyond the Reach of Law Enforcement’

Encryption should not provide an "unfettered space" for criminals to hide behind, FBI Director Christopher Wray said today in an interview at the RSA conference, a cybersecurity event in San Francisco.

As noted by CNET, Wray said that while the FBI is not seeking backdoors in electronics, encryption needs to have limitations.

"It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said, echoing a position that law enforcement officials have taken on encryption time and time again.

Apple and other technology companies have been clashing with law enforcement agencies like the FBI and fighting anti-encryption legislation for years now. Apple's most public battle with the U.S. government was in 2016, when the Cupertino company was ordered to help the FBI unlock the iPhone used by Syed Farook, a shooter in the 2015 attacks in San Bernardino.

Apple opposed the order and said that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple held its ground and the U.S. government backed off after finding an alternate way to access the data on the device, but Apple is continually dealing with additional law enforcement attempts to weaken encryption.

Multiple tech companies, Apple included, have formed the Reform Government Surveillance coalition to promote strong device encryption and fight against legislation calling for backdoor access into electronic devices.

Apple has argued that strong encryption is essential for keeping its customers safe from hackers and other malicious entities. A backdoor created for government access would not necessarily remain in government hands and could put the company's entire customer base at risk.

During the interview, Wray said that encryption is a "provocative subject" and he provided no additional insight into how tech companies might provide strong encryption for customers while also acquiescing to law enforcement demands for device access.

Wray did say that the U.S. is seeing an uptick in threats from "various foreign adversaries" that are using criminal hackers, which suggests the need for strong encryption is greater than ever.


How to Encrypt a USB Flash Drive in macOS Mojave

In macOS Mojave, you can choose to encrypt and decrypt disks on the fly right from the desktop. Using this convenient Finder option, we're going to show you how to encrypt a USB flash drive (or "thumb drive"), which is useful if you're traveling light and want to take sensitive data with you for use on another Mac.

Finder uses XTS-AES encryption, the same encryption that FileVault 2 uses to prevent access to data on a Mac's startup disk without a password. Note that the following method is only compatible with Macs – you won't be able to access data on the encrypted drive using a Windows machine.

If this is a requirement, you'll need to use a third-party encryption solution like VeraCrypt. With that in mind, here's how to securely encrypt your USB flash drive.


Attach the USB flash drive to your Mac and locate its disk icon on your desktop, in a Finder window, or in the Finder sidebar, then right-click (or Ctrl-click) it and select Encrypt "[USB stick name]"... from the contextual menu.

(Note that if you don't see the Encrypt option in the dropdown menu, your USB flash drive hasn't been formatted with a GUID partition map. To resolve this, you'll need to erase and encrypt the USB drive in Disk Utility – before that though, copy any data on the drive to another location for temporary safekeeping.)


When you select Encrypt, Finder will prompt you to create a password, which you'll need to enter the next time you attach the USB flash drive to a Mac. (Don't forget this, otherwise you'll lose access to any data stored on the USB drive!) Once you've chosen a password, verify it, add a meaningful hint if desired, and click Encrypt Disk.

The encryption process depends on how much data you have on the USB flash drive, but you'll know it's completed when its disk icon disappears and re-mounts. You'll now be able to access the contents of the USB flash drive as usual, but if you physically detach it and re-attach it to your Mac you'll be prompted to enter the password.


Note that the prompt includes an option to "Remember this password in my keychain." Check the box, and whenever you attach the USB stick to your Mac again you'll have automatic access to it without being prompted for the password, just like any other drive.


If you ever want to decrypt the USB flash drive in future, right-click (or Ctrl-click) its disk icon, select Decrypt "[USB stick name]" from the contextual menu, and enter the password to turn off encryption protection.

How to Encrypt a USB Flash Drive in Disk Utility

Before proceeding, make sure you've copied any data on the USB flash drive to a safe location, like your Mac's internal disk.
  1. Launch Disk Utility, located on your Mac in Applications/Utilities.

  2. In the Disk Utility toolbar, click the View button and select Show All Devices if it isn't already ticked.

  3. Select your USB flash drive in the sidebar by clicking its top-level device name (i.e. not the volume name that's listed beneath it).

  4. Click the Erase button in the toolbar.

  5. Give the USB flash drive a name.

  6. Next, click the Scheme dropdown menu and select GUID Partition Map. (It's important to do this first before the next step, otherwise you won't see the encryption option in the Format dropdown.)

  7. Now click the Format dropdown menu and select Mac OS Extended (Journaled, Encrypted).

  8. Click Erase.

  9. Enter your new password, enter it once more to verify, include a password hint if desired, then click Choose.

  10. Click Erase once again, and wait for your disk to be formatted and encrypted.
Once the process is complete, copy across your sensitive data to the blank USB flash drive, where it will be automatically encrypted and secured with a password.
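
Both procedures above hinge on whether the drive already has a GUID partition map. The following shell script is an added example, not part of the original article: it reads the text that `diskutil list` prints and reports which of the two procedures applies to a given disk. The function names are hypothetical, and the sample listing is constructed for illustration rather than captured from a real Mac.

```shell
#!/bin/sh
# Added example: decide between Finder "Encrypt" and a Disk Utility erase
# by reading the partition scheme out of `diskutil list` text.

# Constructed sample of `diskutil list` output (not from a real machine).
SAMPLE_DISKUTIL_LIST='/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *15.5 GB    disk2
   1:                 DOS_FAT_32 UNTITLED                15.5 GB    disk2s1

/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *31.0 GB    disk3
   1:                        EFI EFI                     209.7 MB   disk3s1
   2:                  Apple_HFS TRAVEL                  30.7 GB    disk3s2
'

# partition_scheme DISK   (reads `diskutil list` text on stdin)
# Prints GUID, MBR, APM or NONE for the whole-disk identifier DISK (e.g. disk3).
# Exits with status 2 if DISK does not appear in the listing.
partition_scheme() {
    awk -v disk="$1" '
        # Row 0 of each table describes the whole disk; the last field is its identifier.
        $1 == "0:" && $NF == disk {
            if      ($2 == "GUID_partition_scheme")  s = "GUID"
            else if ($2 == "FDisk_partition_scheme") s = "MBR"
            else if ($2 == "Apple_partition_scheme") s = "APM"
            else                                     s = "NONE"   # no partition map at all
            found = 1
        }
        END { if (!found) exit 2; print s }
    '
}

# finder_encrypt_ready DISK   (stdin as above)
# Succeeds only when DISK has a GUID partition map, the precondition the
# article gives for the Encrypt item to appear in the Finder contextual menu.
finder_encrypt_ready() {
    scheme=$(partition_scheme "$1") || return 2
    [ "$scheme" = "GUID" ]
}

# encrypt_plan DISK   (stdin as above)
# Prints a one-line recommendation that follows the article's two procedures.
encrypt_plan() {
    listing=$(cat)
    scheme=$(printf '%s\n' "$listing" | partition_scheme "$1") || {
        echo "$1: not found in listing"
        return 2
    }
    if [ "$scheme" = "GUID" ]; then
        echo "$1: GUID partition map, Finder Encrypt should be offered"
    else
        # Everything on these partitions is destroyed by the erase, so name them.
        parts=$(printf '%s\n' "$listing" | awk -v disk="$1" '
            $1 != "0:" && $NF ~ ("^" disk "s[0-9]+$") { printf "%s%s", sep, $NF; sep = "," }')
        echo "$1: $scheme, back up ${parts:-whole disk} then erase with GUID Partition Map in Disk Utility"
    fi
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_DISKUTIL_LIST" | encrypt_plan disk2
printf '%s' "$SAMPLE_DISKUTIL_LIST" | encrypt_plan disk3
```

On a Mac, pipe the real listing in place of the sample, for example `diskutil list | encrypt_plan disk2`, using the identifier of the flash drive.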



Australia Passes Controversial Encryption Bill Despite Opposition From Apple and Other Tech Companies

The Australian parliament on Thursday passed controversial encryption legislation that could result in tech companies being forced to give law enforcement access to encrypted customer messages.

As we reported in October, Apple opposed the legislation in a seven-page letter to the Australian parliament, calling the encryption bill "dangerously ambiguous" and wide open to potential abuse by authorities.


Advocates of the bill, officially titled "Assistance and Access Bill 2018," argue it is essential to national security because encrypted communications are used by terrorist groups and criminals to avoid detection.

CNET provided a breakdown on the Australian bill and the three tiers of law enforcement and state agency assistance it covers:
  • Technical assistance request: A notice to provide "voluntary assistance" to law enforcement for "safeguarding of national security and the enforcement of the law."

  • Technical assistance notice: A notice requiring tech companies to offer decryption "they are already capable of providing that is reasonable, proportionate, practicable and technically feasible" where the company already has the "existing means" to decrypt communications (e.g. where messages aren't end-to-end encrypted).

  • Technical capability notice: A notice issued by the attorney general, requiring tech companies to "build a new capability" to decrypt communications for law enforcement. The bill stipulates this can't include capabilities that "remove electronic protection, such as encryption."
The Australian government insists that the laws don't provide a backdoor into encrypted communications. However, Apple says the language in the bill permits the government to order companies who make smart home speakers to "install persistent eavesdropping capabilities" or require device makers to create a tool to unlock devices.

Likewise, the joint industry lobby group DIGI, which includes Amazon, Facebook, Google, Oath, and Twitter, said they were willing to work with the government to promote public safety, but the laws could "potentially jeopardize the security of the apps and systems that millions of Australians use every day."

Apple has fought against anti-encryption legislation and attempts to weaken device encryption for years, and its most public battle was against the U.S. government in 2016 after Apple was ordered to help the FBI unlock the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple opposed the order and claimed that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple ultimately held its ground and the U.S. government backed off after finding an alternate way to access the device, but Apple has continually had to deal with further law enforcement efforts to combat encryption.


Apple Criticizes Proposed Anti-Encryption Legislation in Australia

The Australian government is considering a bill that would require tech companies like Apple to provide "critical assistance" to government agencies who are investigating crimes.

According to the Australian government, encryption is problematic because encrypted communications "are increasingly being used by terrorist groups and organized criminals to avoid detection and disruption."


As noted by TechCrunch, Apple today penned a seven-page letter to the Australian parliament criticizing the proposed legislation.

In the letter, Apple calls the bill "dangerously ambiguous" and explains the importance of encryption in "protecting national security and citizens' lives" from criminal attackers who are finding more serious and sophisticated ways to infiltrate iOS devices.
"In the face of these threats, this is no time to weaken encryption. There is profound risk of making criminals' jobs easier, not harder. Increasingly stronger -- not weaker -- encryption is the best way to protect against these threats."
Apple says that it "challenges the idea" that weaker encryption is necessary to aid law enforcement investigations as it has processed more than 26,000 requests for data to help solve crimes in Australia over the course of the last five years.

According to Apple, the language in the bill is broad and vague, with "ill-defined restrictions." As an example, Apple says the language in the bill would permit the government to order companies who make smart home speakers to "install persistent eavesdropping capabilities" or require device makers to create a tool to unlock devices.

Apple says additional work needs to be done on the bill to include a "firm mandate" that "prohibits the weakening of encryption or security protections," with the company going on to outline a wide range of specific concerns that it hopes the Australian parliament will address. The list of flaws Apple has found with the bill can be found in the full letter.

Apple has been fighting against anti-encryption legislation and attempts to weaken device encryption for years, and its most public battle was against the U.S. government in 2016 after Apple was ordered to help the FBI unlock the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple opposed the order and claimed that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple ultimately held its ground and the U.S. government backed off after finding an alternate way to access the device, but Apple has continually had to deal with further law enforcement efforts to combat encryption.


‘Five Eyes’ Governments Urge Tech Companies to Build Backdoors into Encrypted Services

Five nations including the U.S. and the U.K. have urged tech companies to comply with requests to build backdoors into their encrypted services, or potentially face legislation requiring them to do so by law.

The statement is a result of a meeting last week between the "Five Eyes" intelligence sharing countries, which include the U.S., the U.K., Canada, Australia, and New Zealand.

In a published memo, the governments claim that the use of such backdoors for accessing encrypted data would respect personal rights and privacy, and be limited only to criminal investigations by law enforcement.
"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority."
The memo goes on to note that each of the Five Eyes jurisdictions will consider how to implement the statement principles, including "with the voluntary cooperation of industry partners", while adhering to lawful requirements for proper authorization and oversight.

The statement of principles underlines the fractious relationship between some governments and tech companies regarding encryption over the last few years, in which the popularity of digital messaging services has exploded.

The U.K. government has long argued that encrypted online channels such as WhatsApp and Telegram provide a "safe haven" for terrorists because governments and even the companies that host the services cannot read them.

In 2016, Apple and the FBI were involved in a public dispute over the latter's demands to provide a backdoor into iPhones, following the December 2015 shooter incidents in San Bernardino.

Apple refused to comply with the request, saying that the software the FBI asked for could serve as a "master key" able to be used to get information from any iPhone or iPad - including its most recent devices - while the FBI claimed it only wanted access to a single iPhone.

In another potential test case, Facebook is currently contesting a demand from the U.S. government that it break the encryption of its popular Messenger app so that law enforcement can listen in to a suspect's conversations as part of an ongoing investigation into a criminal gang.


Facebook Fights US Government Demand to Break Messenger Encryption in Criminal Case

Facebook is contesting a demand from the U.S. government that it break the encryption of its popular Messenger app so that law enforcement can listen in to a suspect's conversations as part of an ongoing investigation into the MS-13 gang.

The U.S. Department of Justice's demand is in relation to a case proceeding in a federal court in California that is currently under seal, so public files are unavailable. However, Reuters' sources said the judge in the case heard arguments on Tuesday on a government motion to hold Facebook in contempt of court for refusing to carry out the surveillance request.

Facebook says it can only comply with the government's request if it rewrites the code relied upon by all its users to remove encryption or else hacks the government's current target, according to Reuters.

Legal experts differed over whether the government would likely be able to force Facebook to comply. However, if the government gets its way in the case, experts say the precedent could allow it to make similar arguments to force other tech companies to compromise their encrypted communications services.

Messaging platforms like Signal, Telegram, Facebook's WhatsApp and Apple's iMessage all use end-to-end encryption that prevents communications between sender and recipient from being accessed by anyone else, including the service providers.

Tech companies have pushed back against previous attempts by authorities to break encryption methods, such as the FBI's request that Apple help it hack into the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

In February 2016, a U.S. federal judge ordered Apple to help the FBI, but Apple opposed the order in an open letter penned by Tim Cook, who said the FBI's request would set a "dangerous precedent" with serious implications for the future of smartphone encryption.

Apple's dispute with the FBI ended on March 28, 2016 after the government found an alternate way to access the data on the iPhone with the help of a private contractor and withdrew the lawsuit.
