Tech industry on the offensive against government

There was a time, not long ago, when the biggest companies were cowed by the national security state. Now they aren't afraid to stand up for the rights and interests of their users.
Written by Larry Seltzer, Contributor

In 2008 the U.S. government threatened Yahoo with fines of $250,000 a day if it refused to comply with demands for user data. What was Yahoo to do? With the (secret) FISA courts refusing it relief, it could either comply or commit corporate suicide. And the public did not learn any of this until the court records were unsealed just a few weeks ago.

Things have changed a lot. The biggest companies in the business are taking on the national security state. It began with court maneuvers by Microsoft, Google, Yahoo, LinkedIn and Facebook seeking permission to disclose aggregate figures on how many government information requests they receive and comply with, so as to protect their reputations with customers.


The FISA court has permitted some disclosure, though not enough. The numbers these companies actually released don't prove a lot, because the court would not let them break out all of the important categories of government requests. The important part is that it shows the companies are taking their customers' interests seriously and working to protect them to the greatest extent possible. Expect this to become the norm. A recent example is the letter from Facebook to the US DEA (Drug Enforcement Administration) telling the agency that it is obligated to follow Facebook's terms of service like everyone else, and that it is not permitted to use fake profiles in investigations.

The second thing companies did was to harden their infrastructures against government surveillance. It was only about a year ago that Google learned the NSA had been sniffing the links between its data centers. Google and others went on to harden their internal security against such intrusions, notably by encrypting the traffic on those internal links, which until then had been assumed to be private because they were physically controlled.

Now, in perhaps the most direct act yet in favor of customers' interests over those of the surveillance state, Apple is making it easy, and the default, for users to encrypt their iOS data in ways that nobody, not even Apple itself, can crack. I agree with cryptography academic Matthew Green that Apple is not trying to shut out valid government requests; it is trying to give customers the best tools to protect their own data. Let the government go to the users for the data if it wants it.

Google has followed suit, promising default encryption on Android, although its availability depends on hardware design requirements (i.e. cryptographically secure storage for the keys) that are trickier for Google to specify than for Apple, which designs its own hardware. At best, strong encryption by default on Android will be available only where handset makers have gone to the trouble and expense of integrating the necessary hardware.

One of the galling things about this episode is that the ease of government access is something new with mobile devices, at least with respect to suspects who put some effort and intelligence into protecting themselves. On Macs and other PCs, users have long had the ability to use strong disk encryption that (NSA subterfuge aside) would make forensics impractical. Reports indicate that Apple will be turning on strong disk encryption (FileVault) by default even on Macs running Yosemite, but it's not the same thing: there is no secure cryptographic hardware in the Mac, so users either have to escrow the recovery key with Apple via iCloud, in which case Apple can give it up, or keep it themselves, which can be complicated and inconvenient. So mobile devices actually represented a substantial improvement in surveillance capabilities for governments. And now that's going away.

An iOS 8 level of encryption on PCs and servers has also long been available in the form of HSMs (Hardware Security Modules), and in fact the new iOS 8/iPhone encryption is, in effect, an HSM implementation: the key material lives in dedicated hardware and never leaves it. You can even get HSMs running in the cloud; Microsoft supports Thales HSMs in Azure. Neither Microsoft nor Thales can deliver the key to anyone, because it is not available to them. (The downside is that if you lose your key, you're completely out of luck: there is no recovery path, by design.)
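To make the distinction in the last three paragraphs concrete (a key escrowed with a provider, which the provider can hand over, versus a key tangled with a hardware-bound secret, which nobody can hand over and which is gone if the device is gone), here is an added illustrative model in Python. It is not Apple's, Google's, Microsoft's or Thales's code and does not reproduce the real iOS key hierarchy; the `ProviderEscrow` and `DeviceBoundStore` classes, the `user@example.com` account, the 100,000-iteration PBKDF2 work factor and the toy HMAC-SHA256 cipher are all assumptions chosen so the example runs with the standard library alone.

```python
"""Added illustrative model, not Apple's, Google's or any HSM vendor's code.

ProviderEscrow keeps a copy of the user's key (a recovery key backed up to a
cloud account): recoverable, but the provider can decrypt on demand.
DeviceBoundStore derives the key from the passcode and a secret that never
leaves the device hardware: nobody holds a copy to hand over, and losing the
device loses the data. The toy encrypt-then-MAC cipher is built from HMAC-SHA256
so the example runs with the standard library alone; use a real AEAD in production.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for stretching the passcode
SAMPLE_NOTES = b"constructed sample: user notes"  # constructed test data


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) XORed with data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (separate encryption and MAC subkeys)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    body = nonce + _xor_keystream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    return _xor_keystream(enc_key, body[:16], body[16:])


class ProviderEscrow:
    """The 'key in iCloud' model: the provider can satisfy a request by itself."""
    def __init__(self) -> None:
        self.escrowed: Dict[str, bytes] = {}

    def backup_key(self, account: str, key: bytes) -> None:
        self.escrowed[account] = key

    def comply_with_request(self, account: str, blob: bytes) -> Optional[bytes]:
        return decrypt(self.escrowed[account], blob)


class DeviceBoundStore:
    """The 'secure hardware' model: the secret never leaves this object."""
    def __init__(self) -> None:
        self._hardware_secret = os.urandom(32)  # generated and kept in the 'hardware'

    def derive_key(self, passcode: str, salt: bytes) -> bytes:
        # Tangling the hardware secret into the derivation makes a copy of the
        # encrypted storage useless for offline passcode guessing.
        return hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), salt + self._hardware_secret, PBKDF2_ITERATIONS)


def escrow_provider_can_decrypt() -> bool:
    """Escrow model: the provider decrypts without the user's involvement."""
    provider, key = ProviderEscrow(), os.urandom(32)
    provider.backup_key("user@example.com", key)  # hypothetical account name
    return provider.comply_with_request("user@example.com", encrypt(key, SAMPLE_NOTES)) == SAMPLE_NOTES


def device_bound_outcomes() -> Dict[str, bool]:
    """Device-bound model seen by the owner, an investigator and a lost device."""
    device, salt = DeviceBoundStore(), os.urandom(16)
    blob = encrypt(device.derive_key("1234", salt), SAMPLE_NOTES)
    # The right passcode, stretched the same way but without the hardware secret.
    offline_key = hashlib.pbkdf2_hmac("sha256", b"1234", salt, PBKDF2_ITERATIONS)
    return {
        "owner_on_device": decrypt(device.derive_key("1234", salt), blob) == SAMPLE_NOTES,
        "wrong_passcode_fails": decrypt(device.derive_key("0000", salt), blob) is None,
        "offline_without_secret_fails": decrypt(offline_key, blob) is None,
        "lost_device_fails": decrypt(DeviceBoundStore().derive_key("1234", salt), blob) is None,
    }


if __name__ == "__main__":
    print("escrow, provider decrypted:", escrow_provider_can_decrypt())
    print("device-bound:", device_bound_outcomes())
```

The point of the model is the last two outcomes. Because the hardware secret is mixed into the derivation, an investigator holding a copy of the encrypted storage and even the correct four-digit passcode cannot derive the key off the device, which is why the hardware matters more than the length of the passcode; and because nobody keeps a copy of that secret, a replacement device with the same passcode cannot recover the data either. That second property is the "lose your key and you're out of luck" caveat, and it is the price of the first.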

The mainstreaming of HSMs is a good thing for users. They have always been a very high-end tool for very high-value data. We should thank every company that moves as quickly as possible to make these tools widespread, cheap and accessible. It's important that governments be able to investigate crimes properly, but in the US it's more important that people be able to protect themselves and their data.
