Miranda – Page 19 – DoGoodSoft's Official Blog

SafeChats aims to give messaging an encryption edge

THE revelations from former US National Security Agency (NSA) contractor Edward Snowden that the US Government has been tapping communications have created greater awareness on the need for secure communications, which in turn has given rise to secure messaging apps such as Telegram, Wickr and Threema.

Privacy should not be a concern for just individuals, but businesses also need to be aware of how tapped communications can affect them, according to Maxim Glazov (pic above), chief executive officer of Singapore-based SafeChats.

For example, customers’ VoIP (Voice-over-Internet Protocol) calls can be intercepted and sensitive information gathered for blackmail. Hackers can gain unauthorised access to a customer’s webmail account to forge emails, and issue payment instructions to send the money to the hackers’ accounts instead.

The scenario is made worse by the fact that many businesses use unsecured mass-market services because of their ease of use.

It was this realisation that catalysed Glaznov and his chief technology officer Nikita Osipov to build SafeChats, which they claim is a secure communications platform that protects collaboration as well.

The company was one of the finalists at the recent RSA Conference Asia Pacific and Japan (RSAC APJ) Innovation Sandbox startup competition in Singapore.

SafeChat began as an internal project for an undisclosed international logistics and finance company that Osipov and Glaznov were part of, looking into the problem of communicating sensitive information with customers more securely and efficiently than existing methods.

Glaznov’s initiative to build a secure communication platform got traction with his customers which were eager to use the platform for themselves

The market for secure communication, whether for consumers or enterprises, is gaining traction with the entry of companies like Silent Circle, Tigertext and ArmourText.

Osipov recognises the growing maturity of the market but remains undeterred. “We keep ourselves motivated by acquiring more use cases for what is essentially a red-ocean market, and the constant validation that there is a need for such a communications platform.”

The SafeChats platform aims to encompass the entire suite of communications, from email to messaging, and from file transfers to video and voice calls. It also gives the option of using the customer’s own server infrastructure instead of SafeChats’.

“SafeChats is the only secure communications platform that also integrates collaborative features and a full suite of privacy features,” Osipov claimed.

The SafeChats messaging volume has grown 10 times in the last six months, organically from initial customers, without an official release, the startup claimed.

When asked about its customers, Osipov cryptically replied, “As a company entrenched in security and privacy, we cannot reveal our current client list … and there are some users on board that we simply don’t know who they are.”

The company’s revenue model is set to be freemium Software-as-a-Service, with different tiers of control and fees being charged for white labeling and on-premises installation.

It also charges enterprise customers on a per-user if they “enforce a security policy on employees or create groups of more than 15 individuals,” Osipov said.

SafeChats is currently in public beta and will be officially launched at the end of August. It is currently available for the iOS and Android platforms. There are plans to make a desktop version for Mac OS X and Windows.

The challenges

Spinning off into its own startup has seen some challenges, with Osipov (pic above) saying that one main one was building the right team.

“Once you have a great team, everything becomes so much easier,” he said.

On the technical front, coming up with the right set of technologies to use was one of the biggest challenges.

“We evaluated multiple different software solutions, protocols and algorithms that we could use before we settled on the current architecture,” said Osipov.

“All that required extensive research work – thinking of the whole system from the technical side and possible technical challenges in the future … and how to solve them … [while making sure] it remains very easy to use,” he added.

Under the hood

SafeChats uses a variety of encryption algorithms, depending on the particular function.

“We use well-known end-to-end encryption algorithms trusted by security experts as the core of our platform, which means that your data stays safe in transit and only you and the intended recipient have access to it,” Osipov said. For instant messaging, it uses Off-the-Record messaging (OTR) and the socialist millionaire protocol. OTR messaging uses a combination of Advanced Encryption Standard (AES) algorithms with a 128-bit key strength, with a public key exchange protocol for authentication. The socialist millionaire protocol allows two parties to verify each other’s identity through a shared secret.

For voice calls and file transfers, SafeChats uses an AES 256-bit key, military-grade encryption to protect data and calls.

Future plans

SafeChats started as a bootstrapped startup, and is now on the lookout for investors who will be more than just people writing cheques.

“We are on the lookout for investors with the capacity to be strategic partners and who can provide channels for the product and its derivatives,” Osipov said.

SafeChats will be seeking pre-Series A round within the next six months, and is looking to raise over US$700,000, aiming for a valuation of US$6 million.

It intends to expand the team, especially on the marketing and technical fronts, the latter including 24/7 support.

And it will beef up its software development team “to work on enterprise features like integration with third-party services and advanced authentication options like two-factor authentication (2FA) using software and hardware tokens,” Osipov said.

Beyond expanding the platforms SafeChats works on, the company is also working on integrating the platform with other software and hardware solutions to utilise its end-to-end encryption. This will secure other software solutions as well as pave the way for Internet of Things (IoT) security.

“We won’t announce any names for now as there are many legal issues involved in this sort of integration, and with providing official software developer kits to everyone,” Osipov said.

“All we can say at the moment is that you can be sure that most popular software and hardware solutions will work with SafeChats,” he declared.

The company wants to open up its Application Program Interface (API) to others so that they can work on their own integrations as well, bringing the SafeChats level of security to other software.

“We also hope to form a community of developers to implement future integrations so everyone benefits,” Osipov claimed.

Researchers develop quantum-computing safe crypto

Practical implementation of secure key exchange for TLS.

A team of researchers claim to have developed secure, quantum computing-proof encryption that can be practically implemented today.

The paper, Post-quantum key exchange for the TLS protocol from the ring learning with errors problem [pdf] is written by Joppe Bos from NXP Semiconductors in Belgium, Craig Costello and Michael Naehrig at Microsoft Research, and mathematician Douglas Stebila from Queensland University of Technology.

Quantum computers have long been thought to be able to guess encryption keys much faster than traditional computers, which in turn would make it possible to unscramble the vast majority of internet-borne communications.

The researchers constructed ciphersuites for the Transport Layer Security protocol commonly used on the internet, providing digital key exchanges based on the ring learning with errors problem accompanied with traditional RSA and ellliptic curve cryptography signatures for authentication.

Using traditional RSA and EC signatures would speed the implementation of quantum-safe key exchanges among digital certificate authorities, the researchers believe.

There is a performance penalty of 21 percent compared to the non-quantum-safe key exchange, the researchers noted. However, that is is considered minimal, and demonstrates that provably secure post-quantum key exchanges are practical.

A theorem published by mathematician Peter Shor in 1994 and further work by other researchers has shown that quantum computers could break public-key cryptography, something which is not feasible with today’s binary devices.

As quantum computers are under development currently, the researchers believe it is important to strengthen today’s encryption protocols against future attacks using these far more powerful devices.

DA Hillar Moore: Cellphone encryption hurting murder investigation of woman, her baby; family holds onto hope the case will be solved

Cellphone encryption practices could be keeping investigators from solving the murder of Brittney Mills and her son, East Baton Rouge Parish District Attorney Hillar Moore III said Saturday, but family members remain hopeful the truth will surface.

“By no means have we forgotten them,” said Mills’ mother, Barbara Mills, on Sunday. “This will be in the forefront until it is solved.”

Brittney Mills, 29, who was eight months pregnant, was shot and killed April 24 at her Ship Drive apartment. Authorities believe Mills opened the door for someone who wanted to use her car and was shot multiple times when she refused. Doctors delivered her baby, but the baby boy,Brenton Mills, died May 1.

Three months later, the case is still unsolved.

Investigators said the shooter likely was someone Mills knew. They have looked to her cellphone for evidence, but her phone, like many others, uses software that is said to block anyone from accessing its data, including investigators.

While they have tried to crack the phone using possible pass codes suggested by family members, investigators have been unsuccessful.

“We don’t know her code number,” Mills’ mother said. “It may very well be a very important part of the investigation.”

Even Apple, the manufacturer, claims it cannot decrypt the phone.

“From what we’re told by the company that makes the encryption, the only way we can get into a phone is if the phone subscriber gives the password to us,” Moore said. “When you’re dead, it’s hard to give that to us.”

Apple’s most recent software upgrade is a response, Moore suspects, to Edward Snowden’s decision to leak U.S. National Security Agency information surrounding a national spy program. The iOS 8 software is fully encrypted, meaning the only way to access Mills’ phone data is to enter the pass code.

“If you attempt to use (too many) false passwords, though, it shuts it down for good,” Moore said. “We are cautious about that.”

While only a few cellphones previously used this technology, Moore said, this software is installed in more than 80 percent of cellphones now.

Moore recently wrote to the U.S. Senate Committee on the Judiciary to urge representatives to address this failure of balance between public safety and privacy, citing Mills’ unsolved case.

Mills’ “family indicated that she recorded all activity on her phone and join law enforcement in their frustration due to the inability to access this phone, that would in all likelihood provide information necessary to obtain justice and remove this murderer from the street,” Moore wrote.

Moore said Manhattan District Attorney Cyrus Vance is “leading the charge” for Congress to create legislation to address this problem, specifically in Apple’s and Google’s latest encryption technology. Moore said criminals, like most citizens, use their cellphones to communicate regularly and do business, which often makes their cellphones integral to many investigations. Even so, seizing someone’s phone requires a warrant, Moore said, to protect citizens’ privacy.

“I think the way Apple, the way that community has built their operating systems, they’re beyond the law,” Moore said Saturday. “It is the only way I know that you cannot court-order information. Without us being able to get into the phone itself through a subpoena, we are really at a disadvantage and at a loss to solve crimes.”

“It’s really frustrating for us and people like the Mills family,” Moore said. “There’s a darn good chance that there is info on the phone that could be extremely helpful for us.”

As the investigation continues, the family held a memorial Friday night in memory of Mills and her son for what would have been her 30th birthday. The estimated attendance was more than 150 people.

“It’s something we wanted to do because she talked a lot about turning 30,” Barbara Mills said.

She added that Mills and her son were “so special to us” and will not soon be forgotten.

Mills’ family has stayed involved with the case, encouraging investigators to do all they can to solve it, Barbara Mills said, because the family needs closure.

“We need to find out what happened,” Mills’ mother said. “We’re wanting results.”

Barbara Mills agreed with police that the killer must be someone her daughter knew because she would not have opened the door for a stranger.

Still, neither the family nor police have any leads as to the killer’s identity.

A few days after Mills was killed, the case received heavy attention when Baton Rouge police said they wanted to question former LSU star offensive lineman La’el Collins as part of the investigation into her death.

Collins was in Chicago for the NFL draft at the time, but once national media got wind that the police wanted to speak to Collins, the first-round prospect went undrafted.

Although he was never considered a suspect in the shooting, Collins was said to have had a relationship with Mills. After meeting with police, however, a paternity test ruled Collins out as the father of Mills’ son.

Barbara Mills said the family is leaving the details of the investigation up to the police but added that investigators could seek another paternity test sometime in the future.

After he was questioned and cleared by police, Collins signed as a guard with the Dallas Cowboys.

Apple could be held liable for supporting terrorism with strong iOS encryption, experts theorize

In the second installment of a thought piece about end-to-end encryption and its effect on national security, Lawfare editor-in-chief Benjamin Wittes and co-author Zoe Bedell hypothesize a situation in which Apple is called upon to provide decrypted communications data as part of a legal law enforcement process.

Since Apple does not, and on devices running iOS 8 cannot, readily hand over decrypted user data, a terrorist might leverage the company’s messaging products to hide their agenda from government security agencies. And to deadly effect.

As The Intercept reported, the hypotheticals just made the ongoing government surveillance versus consumer protection battle “uglier.”

Wittes and Bedell lay out a worst case scenario in which an American operative is recruited by ISIS via Twitter, then switches communication methods to Apple’s encrypted platform. The person might already be subject to constant monitoring from the FBI, for example, but would “go dark” once they committed to iOS. Certain information slips through, like location information and metadata, but surveillance is blind for all intents and purposes, the authors propose. The asset is subsequently activated and Americans die.

Under the civil remedies provision of the Antiterrorism Act (18 U.S. Code §2333), victims of international terrorism can sue, Lawfare explains, adding that an act violating criminal law is required to meet section definitions. Courts have found material support crimes satisfy this criteria. Because Apple was previously warned of potential threats to national security, specifically the danger of loss of life, it could be found to have provided material support to the theoretical terrorist.

The authors point out that Apple would most likely be open liability under §2333 for violating 18 USC §2339A, which makes it a crime to “provide[] material support or resources … knowing or intending that they are to be used in preparation for, or in carrying out” a terrorist attack or other listed criminal activity. Communications equipment is specifically mentioned in the statute.

Ultimately, it falls to the court to decide liability, willing or otherwise. Wittes and Bedell compare Apple’s theoretical contribution to that of Arab Bank’s monetary support of Hamas, a known terrorist organization. The judge in that case moved the question of criminality to Hamas, the group receiving assistance, not Arab Bank.

“The question for the jury was thus whether the bank was secondarily, rather than primarily, liable for the injuries,” Wittes and Bedell write. “The issue was not whether Arab Bank was trying to intimidate civilians or threaten governments. It was whether Hamas was trying to do this, and whether Arab Bank was knowingly helping Hamas.”

The post goes on to detail court precedent relating to Apple’s hypothetical case, as well as legal definitions of what constitutes criminal activity in such matters. Wittes and Bedell conclude, after a comprehensive rundown of possible defense scenarios, that Apple might, in some cases, be found in violation of the criminal prohibition against providing material support to a terrorist. They fall short of offering a viable solution to the potential problem. It’s also important to note that other companies, like Google and Android device makers, proffer similar safeguards and would likely be subject to the same theoretical — and arguably extreme — interpretations of national policy described above.

Apple has been an outspoken proponent of customer data privacy, openly touting strong iOS encryption and a general reluctance to handover information unless served with a warrant. The tack landed the company in the crosshairs of law enforcement agencies wanting open access to data deemed vital to criminal investigations.

In May, Apple was one of more than 140 signatories of a letter asking President Barack Obama to reject any proposals that would colorably change current policies relating to the protection of user data. For example, certain agencies want Apple and others to build software backdoors into their encrypted platforms, a move that would make an otherwise secure system inherently unsafe.

VeriFyle reveals Cellucrypt, a new multi-layer encryption key management technology

VeriFyle, the company headed by Hotmail inventor and co-founder Jack Smith, has a new encryption key management technology which it believes will “re-invent how the world thinks about secure sharing and messaging”. The major difference is that any object that is shared to the cloud using the system is encrypted for individual users rather than in bulk.

Cellucrypt offers such a high level of security that VeriFyle believes that it “makes illicit bulk-access to customer data virtually impossible.” It’s a bold claim, but Cellucrypt builds on the traditional a public-key system with the addition of password-derived keys.

The encryption technique will be used by VeriFyle’s messaging and file-sharing services when it launches later in the year. Cellucrypt has been patented by VeriFyle and will be made available to customers free of charge. Introducing the new encryption technique VeriFyle says

The patented Cellucrypt technology assigns each data object (e.g. document, note or conversation) a unique encryption key, which is itself encrypted uniquely each time a user shares that object. By encrypting each data object individually for users, Cellucrypt makes illicit bulk-access to customer data virtually impossible.

CEO Jack Smith has high hopes for his company’s new technology:

Key management should be invisible to the end-user and it should maximize users’ security and peace of mind without burdening them with extra steps and add-on products. VeriFyle is the first all-in-one product that combines advanced key management technology with cloud sharing and messaging. The result is a significantly more secure way to share data.

Silent scanners: Emergency communications encrypted across Nova Scotia

SYDNEY — Citizens who like listening in on police, fire department and ambulance calls are out of luck, now that most emergency services communications in Cape Breton are conducted on fully encrypted radios.

The scanners have gone silent, for the most part, with the introduction of the second generation of Trunk Mobile Radio (TMR2) communications.

Being unable to monitor police traffic can be dangerous for citizens, said one longtime listener who didn’t want to be named.

“You don’t know what’s going on in the city unless you have a scanner,” said the citizen, who lives in Sydney’s north end.

“No offence to radios or newspaper, but you don’t hear everything that goes on.”

Recently, police were looking for a man seen on Dolbin Street, who reportedly had a gun. Thankfully, people listening to scanners were able to alert neighbours to stay inside, the citizen said.

“Certain things cannot be aired over the scanner, of course. It’s common logic. But they shouldn’t be blocking everything out.

“I’ve asked the police several times, and they say it’s not illegal to have a scanner. It’s illegal to follow the police cars when you have a scanner, because that’s interfering.”

The citizen said no one has yet heard of a way to crack the new encryption.

“I was hoping you would have heard,” the listener said.

Cape Breton Regional Police spokeswoman Desiree Vassallo said police haven’t heard any complaints from citizens about the encryption system.

She said police need secure communications, especially during sensitive operations when police don’t want suspects or the public to know exactly where they are.

Listeners can still occasionally hear some fire department traffic, because the Cape Breton Regional Municipality’s volunteer fire departments only have four radios each, for now.

The municipality is considering buying more radios for volunteers, but for now, fire department commanders use the TMR2 radios to talk to the dispatch centre and other emergency personnel, such as the police and ambulance services.

The commanders then communicate with individual firefighters using the older very-high-frequency (VHF) radios, which scanners can pick up.

That means listeners may hear some radio traffic, but not necessarily the most critical information, such as the location or severity of a fire or emergency scene.

Fire Chief Bernie MacKinnon said encryption is not important for fire departments, in part because fires are usually obvious and people can phone their neighbours or put messages out on social media anyway.

“TMR2 encryption is a police animal,” he said.

“When we have a raging fire, it’s not a secret. Even if we didn’t use the radios, everybody in the world is going to know, especially with the emerging technology that’s out there today.”

However, he said, maintaining clear communications with other emergency services is important.

Whether the service outfits all volunteer firefighters with the new radios is still under discussion, said MacKinnon, but it’s likely both VHF and TMR2 radios will be used for some time to come.

“To the best of my knowledge, outside of Halifax, all the other departments are running a hybrid system of using VHF in combination with TMR,” he said.

Twitter Security Pro: Encryption Isn’t Enough

Encryption can appear to be priceless when it’s absent, as it was in the recent Office of Personnel Management breach. It can appear to be costly when it’s present, as FBI director James Comey has argued. But not everything is as it appears.

Michael Coates, trust and information security officer at Twitter and global board member of the Open Web Application Security Project (OWASP), suggests encryption gets more credit than it deserves.

“Encryption is thrown around as the solution to prevent people from seeing your data,” said Coates in an interview at InformationWeek’s San Francisco office. “But if you dive into the dynamics of how data is stolen, you’ll find that encryption actually is not effective in those scenarios.”

Coates described a scenario involving a database with encrypted information. In order for a Web application to work with that database, it must decrypt the data.

“The way that data is most often compromised is through a vulnerability in the Web application … So when the attacker steals the data, that data will be unencrypted.”

Along these lines, a DHS official has asserted that encryption would not have helped in the OPM breach because the attacker had valid credentials. It may also turn out that encryption’s ability to conceal crime from the authorities is overstated.

Coates stopped by in his OWASP capacity in order to promote the OWASP Application Security Conference, which takes place Sept. 22 through 25 in San Francisco. The aim of the conference is to raise the bar for application security by helping individuals and organizations understand how to build better defended software.

“There’s a definite security talent shortage, so by educating more people we’re hopefully bringing more people into the fold,” said Coates.

Coates hopes the conference will provide companies with specific actions they can take to make their software more secure and with a roadmap to integrate best practices into their software development life cycle.

There are companies doing a good job with security, said Coates, citing Google, Facebook, Mozilla (where he used to work), Netflix, and Twitter (where he currently works). “The challenge is what do you say to the industry at large, to the companies in the Midwest that have one security person. … They can’t hire all these people and build custom solutions.”

Coates agrees with Google and other computer security professionals about the need for access to intrusion software, something could become more difficult if proposed export controls are adopted. “I think security engineers need both [offensive and defensive] skillsets,” he said. “Training someone how to attack software that they need to defend is vital. Anything less than that is just putting blinders on their eyes.”

At the same time, Coates is focused on providing developers with the tools and knowledge to write secure code. “We can’t just run around hacking ourselves secure,” he said. “Instead, we have to say, ‘I understand the symptom, how do I build a solution that is comprehensive and stops this problem from happening again in hundreds of applications?'”

Pointing to the way Java limits buffer overflow errors through array bounds checking and the way Python’s Django framework uses templates to prevent cross-site scripting, Coates expects some help will come through advances in programming languages that limit unsafe coding practices.

But because each application is unique and there are still so many ways to introduce vulnerabilities, Coates is pushing for security training, and for security as part of the software life cycle. “You can’t have security be this other team where you just throw things over the wall and fix stuff,” he said. “That’s a bottleneck and the business grinds to a halt. So you have to have this integrate into the life cycle and have tools that scale, because the cost of human capital for security is really high. And that’s what I see in enterprises that are doing well. They’ve found a way to minimize the human involvement and instead use highly accurate automation.”

Coates recommends that companies implement content security policies for their Web applications to defend against cross-site scripting. He also suggests using SSL everywhere and HSTS (HTTP Strict Transport Security) as defenses against man-in-the-middle attacks. He also advises use of the X-Frame-Options header, to prevent clickjacking (UI redress attacks).

“Fundamental security at the application layer and strong access controls at the enterprise layer governing who can interact with the data, those turn into the bread and butter of security,” said Coates. “And that’s where people need to spend the time.”

It’s Time to End the “Debate” on Encryption Backdoors

Yesterday, on Lawfare, FBI Director James Comey laid out his concern that the growing adoption of strong encryption technologies will frustrate law enforcement’s ability to conduct investigations — what he calls the “Going Dark” problem. The gist of Comey’s position is this: He recognizes encryption is important to security and privacy, but believes we are fast approaching an age of “universal encryption” that is in tension with the government’s investigative needs. Although he assures us he is not a “maniac,” Comey also feels it is his duty to ensure that we have a broad public debate that considers the costs as well as the benefits of widespread encryption. Comey will presumably be making the same points tomorrow afternoon at a Senate Intelligence Committee hearing where he will be the sole witness, while a broader panel of witnesses will be testifying on the same controversy tomorrow morning before the Senate Judiciary Committee.

First, credit where credit is due: James Comey is certainly not a maniac but a dedicated law enforcement official, one who has in the past put his career on the line to impose the rule of law on overreaching government surveillance. And it’s true that encryption will likely frustrate some investigations, a point I addressed directly when I testified House hearing on the subject in April. It’s also true that the FBI has so far to come up with any compelling examples of how encryption has actually stymied any investigations, and the latest wiretapping report shows that encryption is not yet a significant barrier to FBI electronic surveillance — encryption prevented law enforcement from obtaining the plaintext of communications in only four of the 3,554 criminal wiretaps authorized in 2014! Even so, it’s a given that just as ordinary citizens use encryption, so too will criminals, and that will likely pose a challenge for law enforcement in some cases.

So we are not “talking past each other” on encryption, as Comey puts it. Rather, since he first raised this issue last October, there has been an incredibly robust debate (as reflected in this massive of recent statements and writing on the subject), directly addressing the Director’s suggestion that companies should engineer their encrypted products and services to enable government surveillance. As that debate reflects, the broad consensus outside of the FBI is that the societal costs of such surveillance backdoors — or “front doors,” as Comey prefers to call them — far outweigh the benefits to law enforcement, and that strong encryption will ultimately prevent more crimes than it obscures.

Tech companies, privacy advocates, security experts, policy experts, all five members of President Obama’s handpicked Review Group on Intelligence and Communications Technologies UN human rights experts, and a majority of the House of Representatives all agree: Government-mandated backdoors are a bad idea. There are countless reasons why this is true, including: They would unavoidably weaken the security of our digital data, devices, and communications even as we are in the midst of a cybersecurity crisis; they would cost the US tech industry billions as foreign customers — including many of the criminals Comey hopes to catch — turn to more secure alternatives; and they would encourage oppressive regimes that abuse human rights to demand backdoors of their own.

Most of these arguments are not new or surprising. Indeed, it was for many of the same reasons that the US government ultimately rejected the idea of encryption backdoors in the 90s, during what are now called the “Crypto Wars.” We as a nation already had the debate that Comey is demanding — we had it 20 years ago! — and the arguments against backdoors have only become stronger and more numerous with time. Most notably, the 21st century has turned out to be a “Golden Age for Surveillance” for the government. Even with the proliferation of encryption, law enforcement has access to much more information than ever before: access to cellphone location information about where we are and where we’ve been, metadata about who we communicate with and when, and vast databases of emails and pictures and more in the cloud. So, the purported law enforcement need is even less compelling than it was in the 90s. Meanwhile, the security implications of trying to mandate backdoors throughout the vast ecosystem of digital communications services have only gotten more dire in the intervening years, as laid out in an exhaustive new report issued just this morning by over a dozen heavy-hitting security experts.

Yesterday, Comey conceded that after a meaningful debate, it may be that we as a people decide that the benefits of widespread encryption outweigh the costs and that there’s no sensible, technically feasible way to guarantee government access to encrypted data. But the fact is that we had that debate 20 years ago, and we’ve been having it again for nearly a year. We are not talking past each other; a wide range of advocates, industry stakeholders, policymakers, and experts has been speaking directly to Comey’s arguments since last fall. Hopefully he will soon start listening, rather than dooming us to repeat the mistakes of the past and dragging us into another round of Crypto Wars.

We have already had the debate that Comey says he wants. All that’s left is for him to admit that he’s lost.

Encryption, Privacy, National Security And Ashley Madison

So, as about a million Australians quietly shit themselves as the Ashley Madison data breach starts to bleed data, we have the UK government talking about banning encryption. Although they have backtracked to some some degree UK Prime Minister David Cameron told his parliament the country needed to crack down on encryption in order to make it harder for terrorists to communicate.

While the Ashley Madison hack is barely surprising — mega-breaches are a fact of life in today’s world — there’s a whole level of cock up associated with not encrypting such sensitive data. And if encryption becomes harder to access we can expect sensitive data to not only be captured but easily read and shared. And not actually deleting the data they promised to remove with their paid-for profile removal service suggests the story will be played out in the courts.

So, what’s happening in the Australian policy world when it comes to balancing act between security and privacy? We spoke with Tobias Feakin, the director of the International Cyber Policy Centre and Senior Analyst with the National Security at Australian Strategic Policy Institute. He works with and directly advises the government through the bipartisan Australian Strategic Policy Institute on cyber security matters.

“I think that’s the problem with the discussion right now. There’s a dichotomy that governments find themselves in. What is their primary responsibility? To protect the nation from whatever serious threat might be of the day. But here are all these other responsibilities about promoting good business practice and good cyber hygiene”.

Feakin pondered whether incidents like the Ashley Madison breach would drive governments to consider mandating the use of encryption on data.

However, there’s a real balancing act in all of this. Encrypted data can be a significant barrier that hampers police investigations but there are clear benefits when it comes to protecting the privacy of individuals and companies.

“For me, it’s about having a decent public policy discussion,” says Feakin. “It’s something that needs to be nurtured… in the Australian context is a more mature conversation around national security threats. More in terms of shaping them as risks rather than just threats because there is a distinct difference”.

Feakin noted the need for a providing balance to the debate.

“I’m always very careful… to say we’ve got to keep this in perspective. We live longer lives. We’re safer than at any point in human history.”

US officials target social media, encryption after Chattanooga shooting

Was the Chattanooga shooter inspired by IS propaganda? There’s no evidence to back the claim, but some officials are already calling for access to encrypted messages and social media monitoring. Spencer Kimball reports.

It’s not an unusual story in America: A man in his 20s with an unstable family life, mental health issues and access to firearms goes on a shooting spree, shattering the peace of middle class life.

This time, the shooter’s name was Muhammad Youssef Abdulazeez, a Kuwaiti-born naturalized US citizen, the son of Jordanian parents of Palestinian descent. And he targeted the military.

Abdulazeez opened fire on a recruiting center and naval reserve facility in Chattanooga, Tennessee last Thursday. Four marines and a sailor, all unarmed, died in the attack.

But the picture that’s emerged from Chattanooga over the past several days is complicated, raising questions about mental health, substance abuse, firearms, religion and modernity.

Yet elected officials have been quick to suggest that events in Chattanooga were directly inspired by “Islamic State” (also known as ISIL or ISIS) Internet propaganda, though there’s still no concrete evidence to back up that claim.

“This is a classic lone wolf terrorist attack,” Senator Dianne Feinstein told US broadcaster CBS. “Last year, 2014, ISIL put out a call for people to kill military people, police officers, government officials and do so on their own, not wait for direction.”

And according to Feinstein, part of the solution is to provide the government with greater access to digital communications.

“It is now possible for people, if they’re going to talk from Syria to the United States or anywhere else, to get on an encrypted app which cannot be decrypted by the government with a court order,” Feinstein said.

Going dark

Two years ago, former NSA contractor Edward Snowden revealed the extent of US government surveillance to the public. Responding to public outcry in the wake of the NSA revelations, companies such as Facebook, Yahoo, Google and others stepped up efforts to encrypt users’ personal data.

But the Obama administration, in particular FBI Director James Comey, has expressed growing concern about encryption technology. Law enforcement argues that even with an appropriate court order they still cannot view communications masked by such technology. They call it “going dark.”

Feinstein and others believe that Internet companies have an obligation to provide law enforcement with a way to view encrypted communications, if there’s an appropriate court order. But according to Emma Llanso, that would only create greater security risks.

“If you create a vulnerability in your encryption system, you are creating a vulnerability that can be exploited by any malicious actor anywhere in the world,” Llanso, director of the Free Expression Project at the Center for Democracy and Technology, told DW.

Monitoring social media

It’s not just an issue of encryption technology. There’s also concern about how militant groups such as the “Islamic State” are using social media, in particular Twitter.

“This is the new threat that’s out there over the Internet that’s very hard to stop,” Representative Michael McCaul told ABC’s This Week. “We have over 200,000 ISIS tweets per day that hit the United States.

“If it can happen in Chattanooga, it can happen anywhere, anytime, any place and that’s our biggest fear,” added McCaul, the chairman of the House Homeland Security committee.

In the Senate, an intelligence funding bill includes a provision that would require Internet companies to report incidents of “terrorist activity” on their networks to authorities.

According to Llanso, such activity isn’t defined anywhere in the provision, which means companies would have an incentive to overreport in order to meet their obligations. And speech clearly protected by the US First Amendment can also lead to incitement, said Philip Seib, co-author of “Global Terrorism and New Media.”

“If somebody puts something up on Facebook that says Muslims are being oppressed in the Western world, maybe that’s an incentive to somebody to undertake a violent act,” Seib told DW. “But you can’t pull that down, that is a free speech issue.”

Islamist connections?

In the case of Chattanooga, it’s unclear how government access to encrypted communications or requiring social media reporting would have stopped the shooting. One of Abdulazeez’s friends told CNN that the 24-year-old actually opposed the “Islamic State,” calling it a “stupid group” that “was completely against Islam.”

But Abdulazeez was critical of US foreign policy and expressed a desire to become a martyr in his personal writings, according to CNN sources. The young man’s father was put on a terrorist watch list but was then cleared of allegedly donating money to a group tied to Hamas. Abdulazeez also spent seven months in Jordan visiting family in 2014.

He also reportedly viewed content related to radical cleric Anwar al-Awlaki. An American citizen, Awlaki was killed in 2011 by a US drone strike in Yemen for alleged ties to al Qaeda in the Arabian Peninsula.

“The Guardian” reported that just hours before the shooting spree, Abdulazeez sent a text message to a friend with a verse from the Koran: “Whosoever shows enmity to a friend of Mine, then I have declared war against him.”

Guns, drugs and depression

Abdulazeez reportedly suffered from depression and had suicidal thoughts. He abused alcohol and drugs, including marijuana and caffeine pills. He had recently been arrested and charged with driving under the influence, with a court date set for July 30. He also took muscle relaxants for back pain and sleeping pills for a night shift at a manufacturing plant, according to the Associated Press.

His family life was also unstable. In 2009, Abdulazeez’s mother filed for divorce, accusing his father of abuse. The two later reconciled, according to the “New York Times.”

And he had access to guns, including an AK-47 assault rifle. Abdulazeez liked to go shooting and hunting. He also participated in mixed martial arts.

Officials told ABC News that Abdulazeez had conducted Internet research on Islamist militant justifications for violence, perhaps hoping to find religious atonement for his problems.

“The campaigns by the Western governments – the US primarily, the Brits and others – have indicated that they don’t really understand what’s going on in the minds of many young Muslims,” Seib told DW.

“The Western efforts don’t ring true amongst many people they seek to reach because on issues such as human rights the Western governments don’t have much credibility,” he added.