Cybersecurity and Legal lessons after Apple v FBI

Benjamin Ang, Senior Fellow, Centre of Excellence for National Security; Education Chair, Internet Society Singapore Chapter

Where we come from

CENS: a multinational team of specialists in national and homeland security, based at NTU's RSIS and working closely with NSCS and CSA.

ISOC.SG: dedicated to ensuring that the Internet stays open, transparent and defined by you; organizing events, providing education and engaging policy.

Myself: former lawyer, former CIO, Senior Research Fellow in Cybersecurity Law and Policy.

Cybersecurity issues in IPv6

Misconception #1

Misconception: IPv6 automatically applies IPsec because IPsec is built in.

Reality: IPsec support is built into IPv6 stacks, but its use is optional. No traffic is protected until a security policy and keys have been configured, so by default IPv6 packets travel in the clear exactly as IPv4 packets do.

Solution: Enable IPsec explicitly, and verify on the wire that the traffic you believe is protected actually carries an AH or ESP header.
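An added example, written for this page and not taken from the slides, of the check a practitioner would run to test the reality above: a small Python parser that walks an IPv6 packet's extension-header chain and reports whether an AH or ESP header is actually present. The sample packets are constructed inline using RFC 3849 documentation addresses (2001:db8::/32); the function names and the samples are this example's own.

```python
"""Does this IPv6 packet actually carry IPsec?

Added example, not from the original slides. Parses the fixed IPv6 header
and walks the extension-header chain (RFC 8200 layout) looking for AH (51)
or ESP (50). Sample packets are constructed by hand using RFC 3849
documentation addresses.
"""
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ESP, AH, NO_NEXT_HEADER = 50, 51, 59
VARIABLE_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # length = (hdr_ext_len + 1) * 8 octets
NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 60: "Dest-Opts",
         50: "ESP", 51: "AH", 59: "No-Next", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def walk_headers(pkt: bytes) -> list:
    """Return the header numbers following the fixed IPv6 header, in order.

    Stops at ESP (everything after the ESP header is ciphertext) or at the
    first upper-layer protocol. Raises ValueError on malformed input.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack_from("!HB", pkt, 4)
    end = IPV6_HDR_LEN + payload_len
    if len(pkt) < end:
        raise ValueError("truncated packet")
    chain, off = [], IPV6_HDR_LEN
    while True:
        chain.append(nxt)
        if nxt in (ESP, NO_NEXT_HEADER):
            return chain
        if nxt not in VARIABLE_EXT and nxt not in (FRAGMENT, AH):
            return chain  # TCP/UDP/ICMPv6/...: end of the chain
        if off + 2 > end:
            raise ValueError("extension header runs past payload")
        nxt_after = pkt[off]  # every extension header starts with Next Header
        if nxt in VARIABLE_EXT:
            off += (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            off += 8  # fixed-size header
        else:  # AH: payload length is in 32-bit words minus 2
            off += (pkt[off + 1] + 2) * 4
        if off > end:
            raise ValueError("extension header runs past payload")
        nxt = nxt_after


def ipsec_in_use(pkt: bytes):
    """Return 'AH', 'ESP', 'AH+ESP' or None for one packet."""
    found = [NAMES[h] for h in walk_headers(pkt) if h in (AH, ESP)]
    return "+".join(found) or None


def is_well_formed(pkt: bytes) -> bool:
    """True if the header chain parses without running past the payload."""
    try:
        walk_headers(pkt)
        return True
    except ValueError:
        return False


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fixed header, hop limit 64, 2001:db8::1 -> 2001:db8::2."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


# Sample 1: plain UDP. "IPsec is built in", but nothing is protecting this datagram.
UDP_SEGMENT = struct.pack("!HHHH", 5353, 5353, 12, 0) + b"ping"
PLAIN_PKT = build_ipv6(17, UDP_SEGMENT)

# Sample 2: Destination Options (PadN) followed by an ESP header; payload is opaque.
DEST_OPTS_HDR = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])        # next=ESP, ext_len=0, PadN(4)
ESP_HDR = struct.pack("!II", 0x1001, 1) + bytes(16)      # SPI, sequence, ciphertext...
ESP_PKT = build_ipv6(DEST_OPTS, DEST_OPTS_HDR + ESP_HDR)

# Sample 3: AH then UDP. AH len field 4 -> (4 + 2) * 4 = 24 octets incl. a 12-byte ICV.
AH_HDR = bytes([17, 4, 0, 0]) + struct.pack("!II", 0x2002, 1) + bytes(12)
AH_PKT = build_ipv6(AH, AH_HDR + UDP_SEGMENT)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_PKT), ("esp", ESP_PKT), ("ah", AH_PKT)):
        chain = [NAMES.get(h, h) for h in walk_headers(pkt)]
        print(f"{name:6} chain={chain} ipsec={ipsec_in_use(pkt)}")
```

Feed it the bytes of captured IPv6 frames starting at the fixed header (for example from a pcap) and count how many report `None`; a host that "has IPsec" but emits no ESP or AH headers is sending in the clear. The bounds checks matter in practice because hand-crafted extension-header lengths are a classic way to confuse parsers and firewalls.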

Misconception #2

Misconception: Every device should have its own IP address.

Reality: NAT hides devices that only need to be reached within the network. Give every device a globally routable IPv6 address and that incidental shielding disappears unless something else replaces it.

Solution: Use both IPv4 and IPv6, and put the IPv6 side behind a stateful firewall that drops unsolicited inbound connections, which is the protection NAT was providing as a side effect.

Misconception #3

Misconception: Encryption will protect everything.

Reality: Metadata can still be exposed. Even when the content is encrypted, an observer sees who talks to whom, when, and how much, and some identifying fields are sent in the clear by design (for example the server name in a TLS ClientHello).

Solution: Be aware of what remains visible and include it in your threat model.
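An added Python example, written for this page and not part of the slides, of the metadata point: a passive observer who cannot decrypt a single byte of a TLS session can still read the server name out of the plaintext ClientHello. The record is constructed inline for a hypothetical host name, and the parser is this example's own illustration rather than any library's API.

```python
"""What an on-path observer still learns from an encrypted TLS session.

Added example, not from the original slides. Application data is encrypted,
but the ClientHello that opens the session is plaintext and, in TLS 1.2 and
in TLS 1.3 without Encrypted ClientHello, carries the server name (SNI).
The record below is constructed by hand; no key material is involved.
"""
import struct

HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, HOST_NAME = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(hostname: str, client_random: bytes = bytes(32)) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one SNI entry."""
    name = hostname.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, HOST_NAME, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + client_random + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if not present.

    Works on the plaintext handshake only; a passive observer can do exactly
    this from a packet capture without any key.
    """
    try:
        if record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated capture
        p = 2 + 32                                       # skip version + random
        p += 1 + body[p]                                 # session id
        p += 2 + struct.unpack_from("!H", body, p)[0]    # cipher suites
        p += 1 + body[p]                                 # compression methods
        if p + 2 > len(body):
            return None                                  # no extensions block
        ext_end = p + 2 + struct.unpack_from("!H", body, p)[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", body, p)
            p += 4
            if ext_type == EXT_SERVER_NAME:
                q = p + 2                                # skip ServerNameList length
                while q + 3 <= p + ext_len:
                    name_type = body[q]
                    name_len = struct.unpack_from("!H", body, q + 1)[0]
                    q += 3
                    if name_type == HOST_NAME:
                        return body[q:q + name_len].decode("idna")
                    q += name_len
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


# Constructed sample: the first record a client sends to a hypothetical host.
SAMPLE_RECORD = build_client_hello("mail.example.org")

if __name__ == "__main__":
    print("observer sees server name:", extract_sni(SAMPLE_RECORD))
    print("application data record:", extract_sni(b"\x17" + SAMPLE_RECORD[1:]))
```

The same observer also sees the source and destination addresses, the timing and the sizes of every record, none of which the encryption hides; that is the metadata the slide warns about.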

Timeline of Apple v FBI (as of mid 2016)

16 Feb: Judge orders Apple to help FBI unlock iPhone belonging to dead terrorist.

17 Feb: Tim Cook (Apple CEO): "This would undeniably create a backdoor, we will NOT comply."

18 Feb: Twitter, Google and a former NSA Director: the USA is safer with unbreakable encryption.

19 Feb: FBI files motion that Apple is not above the law.

1 Mar: Apple General Counsel speaks to the House Judiciary Committee.

1 – 15 Mar: Apple and US DOJ lawyers file arguments in court.

21 Mar: US attorneys ask to vacate the hearing.

28 Mar: US government announces it has gained access to the phone without Apple's help.

8 Apr: US DOJ says it needs help to unlock an iPhone 5s in New York.

22 Apr: US DOJ no longer needs Apple's help because it has also unlocked this phone.

What's at stake

The 'Security' argument. FBI: we need access so that we can investigate crime and prevent crime. Fear: 'going dark'.

The 'Privacy' argument. Technology companies: creating back doors will expose users to criminals.

What if it happened in Singapore?

Criminal Procedure Code

39.—(1) A police officer or an authorised person, investigating an arrestable offence, may at any time —

access, inspect and check the operation of a computer that he has reasonable cause to suspect is or has been used in connection with the arrestable offence; or

use or cause to be used any such computer to search any data contained in or available to such computer.

Power to access computer

"I'm investigating an arrestable offence, so I want to ACCESS all the data on this computer."

Do you need a warrant? No.

Criminal Procedure Code

39(2) The police officer or authorised person may also require any assistance he needs to gain such access from —

… 39 (5) (3) Any person who obstructs the lawful exercise … or who fails to comply with any requirement of the police officer … shall be guilty of an offence

Power to access computer

Can I refuse? No.

Criminal Procedure Code

40.—(2) The police officer shall be entitled to —

access any information, code or technology which has

the capability of retransforming or unscrambling

encrypted data into readable and comprehensible format

or text for the purposes of investigating …;

Require [any person] to provide assistance

Power to access decryption

"I'm investigating an arrestable offence, so I want to DECRYPT all the data on this computer."

Do you need a warrant? No.

Power to access decryption

Can I refuse? No.

Criminal Procedure Code

40(7) … if that person was in possession of any decryption information at any time before the time of the request for access to such information, that person shall be presumed … to have continued to be in possession of that decryption information …, unless—

(a) It was not in his possession at the time of request and

(b) It continued not to be in his possession.

Power to access decryption

"I don't have the keys." "Didn't you use to have them?"

But there is a limit

"I got into the laptop, but the files are individually encrypted by an unknown software."

What about messages (data in motion)?

Computer Misuse and Cybersecurity Act

15A.—(1) Where the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore,

the Minister may, authorise or direct any person or organisation … to take such measures or comply …

"We have a national security concern, so I'm giving you a direction."

Can you do that? Yes.

Computer Misuse and Cybersecurity Act

s15A(2)(c) … (including real-time information) obtained from any computer controlled or operated by the specified person, or obtained by the specified person from another person

"Monitor all messages in real time to find out if a riot is going to take place."

REAL TIME? What if we catch some personal data?

Computer Misuse and Cybersecurity Act

s15A(3) Any measure or requirement … shall have effect notwithstanding any obligation or limitation imposed or right, privilege or immunity conferred by or under any law, contract or rules of professional conduct …

Computer Misuse and Cybersecurity Act

s15A(4) A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister under subsection (1) shall be guilty of an offence

and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.

Is there a limit?

"I can't monitor the messages, they're encrypted end to end!"

On the other hand

Businesses are legally required to protect customer data

PDPC fined K Box $50K:

“The practice of sending large volumes of members’ personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data.” – PDPC

On the other hand

End users and manufacturers of IoT may need access:

Manufacturers need to send security updates to IoT devices.

End users sometimes need to override our own security.

Humanity may one day need to override security.

What can we do?

End Users

• We need choices

Law Enforcement

• We need access

Tech Companies

• We need security

Regulators

• We need to secure

Weak (or weakening) encryption is unsafe

Because criminals can get access to victims’ data or worse

"How are you going to get through the user's security?" "No problem, I found out the back door that police use!"

Weak encryption doesn’t really help law enforcement

Because the really serious criminals and terrorists use additional encryption tools

"How are we going to carry out our secret bomb attack? Police have back doors into everyone's phone!" "No problem, I'm using a Russian encryption app that has no back door."

But end users and manufacturers need a safe way in

Are there solutions besides encryption alone?

Secure Privacy

3FA

Biometrics

Key Escrow

Dual Key

Notification

Blockchain

The Solution is out there

We all need to work together to create one that works for everyone

Singapore Chapter

Your Membership helps Change the World

Internet Society members achieve change through partnerships and technical expertise. Your membership to the Internet Society gives you a powerful voice.

90+ chapters worldwide; 50,000+ individual members; 140+ organization members.

You can play a Key Role in Singapore

Workshops and training; educational events; public policy issue advocacy; networking events.

Get Involved

Join the Singapore Chapter, or attend an event (e.g. Blockchain Seminar 2016).

Contact us at www.isoc.sg

This is your Internet. Join it!

Slides and further discussion at www.isoc.sg

Background Information

Centre of Excellence for National Security: a multinational team of research specialists in national security, working with the National Security Coordination Secretariat (NSCS) and the Cyber Security Agency (CSA).

CENS Research Programmes

Homeland Defence Programme:
• Strategic Communication
• Social Media Analysis

Radicalisation Studies Programme:
• Radicalisation of individuals and groups
• Criminology, psychology, sociology, history and political science

Social Resilience Programme:
• Multiculturalism, citizenship, class, immigration
• How globalised societies cope with crises such as pandemics and terrorist attacks

Cybersecurity Programme:
• Cyber threats
• Cybercrime
• Smart Cities
• Confidence Building Measures
• Controversies (security vs privacy)

How CENS influences national policy

Publish commentaries and briefs; educate national security officials; organize workshops and seminars to create a community of practice in the public and private sectors.

Internet Society Mission

To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.

Internet Society Singapore Chapter

Provides leadership in policy issues; advocates open Internet standards; promotes Internet technologies that matter; develops Internet infrastructure; undertakes outreach that changes lives; recognizes industry leaders.

Current Priorities

Internet Governance

Open Internet Standards

Online Identity

IPv6

Blockchain

Domain Name System Security (DNSSEC)

Internet and Human Rights

Intellectual Property and Digital Content

Internet of Things

Programmes

Awards

Internet Hall of Fame

Jonathan B. Postel Service Award

Applied Networking Research Prize (ANRP)

Grants

Community Grants

ICT Innovation

Individual Fellowships

Examples of the Internet Society in Action

Public Consultation with MDA on changes to Licensing of Websites

Photo: © Stonehouse Photographic

www.internetsociety.org/wcit

Lodging complaint against law firm representing Dallas Buyers Club in threatening users

Seminars on Charlie Hebdo, Cybersecurity Skills Building, Election Blogging, IoT, and more

World IPv6 Launch

www.WorldIPv6Launch.org
