FLICKER OF HOPE? Left, Senator Ron Wyden. Middle, Director of National Intelligence Tulsi Gabbard. Right, Rep. Andy Biggs

Racket News  By Matt Taibbi

While J.D. Vance was speaking in Munich, the U.K. was demanding encrypted data from Apple. For the first time in nine years, America may fight back

Last Friday, while leaders around the Western world were up in arms about J.D. Vance’s confrontational address to the Munich Security Council, the Washington Post published a good old-fashioned piece of journalism. From “U.K. orders Apple to let it spy on users’ encrypted accounts”:

Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.…

[The] Home Secretary has served Apple with… a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies… The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand.

This rare example of genuine bipartisan cooperation is fascinating for several reasons. Oregon’s Ron Wyden teamed up with Arizona Republican Congressman Andy Biggs to ask new Director of National Intelligence Tulsi Gabbard for help in beating back the British. While other Democrats like Michael Bennet and Mark Warner were smearing Gabbard as a Russian proxy in confirmation hearings, Wyden performed an homage to old-school liberalism and asked a few constructive questions, including a request that Gabbard recommit to her stance against government snatching of encrypted data. Weeks later, the issue is back on the table, for real.

The original UK demand is apparently nearly a year old, and Apple has reportedly been resisting internally. But this show of political opposition is new. There has been no real pushback on foreign demands for data (encrypted or otherwise) for almost nine years, for an obvious reason. Europe, the FBI, and the rest of the American national security apparatus have until now mostly presented a unified front on this issue. In the Trump era especially, there has not been much political room to take a stand like the one Wyden, Biggs, and perhaps Gabbard will be making.

The encryption saga goes back at least ten years. On December 2, 2015, two men opened fire at the Inland Center in San Bernardino, killing 14 and injuring 22. About two months later, word got out that the FBI was trying to force Apple to undo its encryption safeguards, ostensibly to unlock the iPhone of accused San Bernardino shooter Syed Rizwan Farook. The FBI’s legal battle was led by its General Counsel Jim Baker, who later went to work at Twitter.

One flank of FBI strategy involved overhauling Rule 41 of the Rules of Criminal Procedure. The FBI’s idea was that if it received a legal search warrant, it should be granted power to use hacking techniques, if the target is “concealed through technological means.” The Department of Justice by way of the Supreme Court a decade ago issued this recommendation to Congress, which under a law called the Rules Enabling Act would go into force automatically if legislation was not passed to stop it. In 2016, Wyden joined up with Republican congressman Ted Poe to oppose the change, via a bill called the Stopping Mass Hacking Act.

Two factors conspired to kill the effort. First, the FBI had already won its confrontation with Apple, obtaining an order requiring the firm (which said it had no way to break encryption) to write software allowing the Bureau to use “brute force” methods to crack the suspect’s password. While Apple was contesting, the FBI busted the iPhone anyway by hiring a “publicity-shy” Australian firm called Azimuth, which hacked the phone a few months after the attack. The Post, citing another set of “people familiar with the matter,” outed the company’s name years later, in 2021.

The broader issue of whether government should be allowed to use such authority in all cases was at stake with the “Stopping Mass Hacking” bill. It was a problem for the members that the FBI called its own shot in the San Bernardino case, but the fatal blow came on November 29, 2016, when the UK passed the bill invoked last week, called the Investigatory Powers Act. This legal cheat code gave agencies like Britain’s GHCQ power to use hacking techniques (called “equipment interference”) and to employ “bulk” searches using “general” warrants. Instead of concrete individuals, the UK can target a location or a group of people who “share a common purpose”:

THE IPA: Bulk warrants, warrants by location, warrants on groups with “common purpose”

The law was and is broad in a darkly humorous way. It mandates that companies turn over even encrypted data for any of three reasons: to protect national security, to protect the “economic well-being of the UK,” and for the “prevention or detection of serious crime.”

Once the Act passed, American opposition turtled. How to make a stand against FBI hacking when the Bureau’s close partners in England could now make such requests legally and without restriction? The Wyden-Poe gambits were wiped out, and just two days after the IPA went into effect, changes to Rule 41 in America did as well. These granted American authorities wide latitude to break into anything they wanted, provided they had a warrant. As one Senate aide told me this week, “That was a game-over moment.”

Once the British got their shiny new tool, they weren’t shy about using it. The Twitter Files were full of loony “IPA” dramas that underscored just how terrifying these laws can be. In one bizarre episode in August of 2021, Twitter was asked to turn over data on soccer fans to a collection of alphabet soup agencies, including the Home Office and the “Football Policing Unit.” The Football Police informed Twitter that “in the UK… using the ‘N word’ is a criminal offence — not a freedom of speech issue.”

Twitter executives scrambled to explain to football’s cyber-bobbies that many of their suspects were black themselves, and tweets like “RAHEEM STERLING IS DAT NIGGA” were not, in fact, “hateful conduct.” (The idea that British police needed American executives to interpret sports slang is a horror movie in itself.) Accounts like @Itsknockzz and @Wavyboomin never knew how close they came to arrest:

N**** PLEASE: British police invoked the Investigatory Powers Act to get user information about nonwhite football fans

British overuse was obvious, but Twitter elected not to complain. They also kept quiet when American authorities began pushing for the same power. Though the Apple standoff aroused controversy, 50% of Americans still supported the FBI’s original stance against encryption, which seemed to embolden the Bureau. Senior officials began asking for the same virtually unlimited authority their friends in the UK (and soon after, Australia) were asserting. Donald Trump’s Attorney General, William Barr, seethed about encryption in a keynote speech at an International Cybersecurity Conference on July 23rd, 2019. The Justice Department was tiring of negotiations with tech companies on the issue, Barr said:

While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

God knows what he meant about a “major incident” that “may well occur at any time,” but Barr was referring to the Investigatory Powers Act and imitator bills that by 2019 were being drafted by most U.S. intelligence partners.

Even without a central “incident,” European officials have been pursuing the dream of full “transparency” into user data ever since, often with support from American politicians and pundits. It was not long ago that Taylor Lorenz was writing outrage porn in the New York Times about the “unconstrained” and “unfettered conversations” on the Clubhouse App. As Lorenz noted, Clubhouse simply by being hard to track aroused the hostility of German authorities, who wrote to remind the firm about European citizens’ “right to erasure” and “transparent information”:

Providers offering services to European users must respect their rights to transparent information, the right of access, the right to erasure and the right to object.

Eventually, the EU tried to submarine end-to-end encryption through dystopian bills like “Chat Control,” which would have required platforms to actively scan user activity for prohibited behavior. This concept was widely criticized even in Europe, and in the States, which was mostly still in the grip of “freedom causes Trump” mania, TechCrunch called it “Hella Scary.”

Chat Control just barely stalled out in October, thanks to the Dutch, but Europe’s feelings about encryption were still more than made clear with this past summer’s arrest of Telegram founder Pavel Durov. That event was largely cheered in the U.S. press, where Durov was accused of actively “hiding illegal behavior,” and turning his platform into a “misinformation hot spot” used by “far right groups,” “neo-Nazis,” and “Proud Boys and QAnon conspiracy theorists.” The consensus was Durov himself was helping sink the concept of encryption.

“If we assume this becomes a fight about encryption, it is kind of bad to have a defendant who looks irresponsible,” was how Stanford Cyber Policy Analyst Daphne Keller described Durov to the New York Times after his arrest.

The Durov arrest may have marked the moment of peak influence for the cyber-spook movement. Though the Investigatory Powers Act was a major political surveillance tool, it was far from the only important law of its type, or the most powerful. The IPA was in fact just one of a long list of acronyms mostly unfamiliar to American news consumers, from France’s LCEN to Germany’s NetzDG to the EU’s TERREG as well as its Code of Practice on Disinformation and Code of Conduct on Countering Illegal Hate Speech Online, among many others. American authorities usually followed the pattern in the case of encryption and the IPA, doing informally what European counterparts were able to effect openly and with the force of law.

Now however it looks like efforts by government officials to completely wipe out encryption have failed, and events have taken a new turn. “Wild,” is how the Senate aide characterized the Wyden-Biggs letter, resuming another bipartisan fight put on hold nine years ago. “I’d forgotten what this looks like.”

IRONY ALERT: Germans protesting FBI efforts to break iPhone encryption, 2016

Subscribe to Racket News. 

For the full experience, become a paying subscriber.