We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

An indication two big tech companies might be on the right track?

Apple and Google recently stated that they intend to encrypt-by-default in future mobile phones, and the FBI does not like it one bit. Interesting.

But then again, I asked a highly skilled technical chum of mine about this a few days ago:

What is your technical take on this? Is this a welcome development or bullshit?

And his reply was:

Somewhere between. Trust in closed-source product is hard to build.

Still… the fact the FBI is bleating is heartening. But it is true that we need to keep in mind that these are indeed closed-source products, thus we really do only have Apple and Google’s word for it that they will be as secure as they say they will be.

19 comments to An indication two big tech companies might be on the right track?

  • Laird

    Perhaps. I am guardedly optimistic. But very guardedly.

    This may (probably will) keep local police from hacking into cell phone data, and I view that as a good thing. If it make their job a little tougher, and forces them to rely on old-fashioned police work, I view that as a fair exchange for protecting our privacy.

    But we know that the NSA has built back doors into many supposedly secure system. And much of that was, it appears, with the active cooperation of those very corporations who now would have us believe that they are going to be the honest guardians of our secrets. Have they really changed their spots? They’ll have to work hard to regain our trust. And at least some of those back doors may still remain, giving the NSA access where it now supposedly lacks it. So just how much this really means remains to be seen.

  • Alex

    iOS is closed-source but Android (Google-sponsored mobile OS) is open source. However the mobile developers often produce pretty bastardized versions of Android for their offerings so I agree that it is difficult to build trust in the actual software running on such devices. Hardware is a an issue too – just because the software isn’t doing anything nefarious doesn’t mean the hardware isn’t, or the layers of software before the OS e.g. firmware.

  • Not quite the same thing, Alisa, but that is nevertheless very interesting.

  • Gareth

    Presumably Apple will retain the ability to reset your pass code in case you forget it. I expect they will make use of that ability if presented with a search warrant.

  • Bruce Hoult

    You can reset iPhones. In fact the owner can do it remotely via the internet. It instantly wipes all data on the phone (deletes the encryption key), and then you have to set it up again (or restore from your backups).

  • PersonFromPorlock

    September 27, 2014 at 10:15 pm
    Have they really changed their spots?

    Their spots are probably the same, ‘profits’, but data security has now become a driver of profitability. If the encryption isn’t really secure, the first criminal case that uses supposedly safeguarded data will expose the fact, to the great detriment of profitability. Which is why it probably is secure.

    And anyway, if you’re not doing anything wrong, you have nothing to worry about. ;^p

  • Chip

    “Their spots are probably the same, ‘profits’, but data security has now become a driver of profitability. ”

    As it should be. Profit is just a name for producing something with more value than cost.

    It should be written in the sky along with love, family, logic and all those other words that make us more than paramecium.

  • Yes Perry, I imagined that much, having not looked into it in any depth. My point was mainly about general attitudes and the like.

  • Runcie Balspune

    I refer my good gentleman once again to the excellent xkcd on this topic.

  • Kevin B

    Could Google be a big Corporation in an era of Corporatism?

    Some evidence:

    Apparently most of the fuss is because Google are withdrawing from a group called ALEC (American Legislative Exchange Council), allegedly because of their “denial of climate change”. The Wall St Journal claims that this is a smear campaign, and ALEC have no position on climate science.

    “ALEC provides a forum for sundry businesses to discuss free-market reforms with state lawmakers. Two of its policy targets are renewable-energy mandates and subsidies, which are being exploited by big businesses like Google at the expense of low- and middle-income taxpayers.

    Google’s real problem with ALEC is a conflict of pecuniary interests.”

    So can we trust them in their user protection stance?

  • Sam Duncan

    Good spot, Kevin. And Alex, Google’s “official” Android is drifting further and further from the AOSP (Android Open Source Project). It’s quite a bone of contention among open source people. I wouldn’t be surprised in the least if this encryption-by-default turns out to be a proprietary black box, same as Apple’s. Then again, it would annoy a lot of people for whom the AOSP was a reason to adopt Android over iOS, right at a time when several new mobile operating systems are looking for a break (Jolla, FirefoxOS, Ubuntu…), which might not be the smartest of moves. So it remains to be seen. But don’t count on it; I mean, how many of the unimaginably huge Android userbase actually care?

  • Actually, encryption is already available on Android devices (including those running AOSP like mine) the new Android will just have it turned on by default.

  • Ockham's Spoon

    wh00ps, I think its a bit more than that, they seem to be saying they’re also taking themselves out of the loop as well, which *allegedly* might make whacking ’em with a court order moot. If I understand right. Which maybe I don’t.

  • Sam Duncan

    Fair enough, wh00ps. I’m running a very old version indeed, so I hadn’t noticed that. I don’t think OS’s observation necessarily invalidates yours, although given Google’s drift away from open source it certainly could if it means a new encryption subsystem. But clearly I don’t know as much about this as I thought I did. 🙂

  • The software libraries that Android uses to encrypt the Flash memory on the phone are open source. But Alex above is correct: you don’t know what source code your phone manufacturer built. There’s little stopping you from building it yourself though, apart from some book learning. You can flash your own software to the phone and compare the source code with official releases.

    Even so, there are some problems:

    1. Bugs in the encryption code — these will be there. The only question is whether any bad guys know about bugs that the good guys don’t. Did the NSA take advantage of Heartbleed, for example?

    2. Close hardware and drivers. For all you know there are keyloggers in the hardware or the drivers, recording your password, and storing it in some secret memory on the chip.

    It comes down to this: the more interesting your secrets, the more effort people will go to to find them out. How much you have to worry about depends on how interesting your secrets are. This encryption is at least good against a common thief who steals your phone.

  • I really have been hoping Ubuntu would get its Ubuntu Phone product done sooner… it would be sharp poke in the eye to closed source companies such as Apple. I have no illusions that the first version of this would be annoying (especially given Canonical’s history of thinking it knows what users want better than the users do), but like Linux in general, it just gets better and better.

  • Dale Amon

    A big problem is that there are phony cell towers in the US that are sending control commands to the ‘lower operating system’ on the phone chip, totally behind your back. There was a recent article in Popular Science (or Popular Mechanics?) about a company that sells phones for $3500 that will detect this and pop up a warning message. They’ve mapped out the location of a fair number of the phony’s and there seems to be a connection with government and defense facilities…

    So the FBI doesn’t like end to end encryption? Screw ’em.