Apple iPhone Unlock Order

Here is a copy of the Order from U.S. Magistrate Judge Sheri Pym in California requiring Apple to render “reasonable technical assistance” to the FBI in obtaining access to an iPhone used by one of the San Bernardino terror shooters.

I have previously argued that, under appropriate circumstances and pursuant to a search warrant, the government should be able to obtain passwords and decryption keys from suspects necessary to obtain the plaintext versions of files on seized devices.  The Apple case, however, is different because the court is ordering a non-suspect third party technology company to actively assist with an investigation.  While I might support carefully tailored legislation regarding law enforcement access to encryption keys, a court order such as this one without specific statutory authorization seems troubling.

Curated Links on Ukraine Power Grid Hack

Here are some key sources discussing the recent cyber attack on Ukraine’s power grid:

SANS ICS Blog:  Confirmation of Coordinated Attack on Ukrainian Power Grid

iSight Partners Blog:  Sandworm Team and the Ukrainian Power Attacks

ESET:  BlackEnergy Trojan Strikes Again:  Attacks on Ukrainian Electric Power Industry

SecureList:  New Observations on BlackEnergy 2 APT Activity




Klayman v. Obama Stay Left in Place

On November 9, 2015, Judge Richard Leon issued a preliminary injunction against the NSA bulk data collection program.  On November 10, in a per curiam Order, the D.C. Circuit stayed the preliminary injunction pending the government’s appeal.  Last Friday, November 20, the Circuit denied the plaintiffs’ emergency request for rehearing of the stay order en banc.  In a somewhat unusual move, Circuit Judge Brett Kavanaugh wrote a concurrence to the Order denying the request for hearing en banc.  Judge Kavanaugh states in the concurrence that “the Government’s metadata collection program is entirely consistent with the Fourth Amendment.”  Concurrence at 1.  Judge Kavanaugh states that the bulk data collection program satisfies the “special needs” exception under the Fourth Amendment because it “serves a critically important special need — preventing terrorist attacks on the United States.”  Id. at 2.  According to Judge Kavanaugh, “that critical national security need outweighs the impact on privacy occasioned by the program.”  Id.

In my view, Judge Kavanaugh’s concurrence is troubling.  An emergency petition for en banc review is an extraordinary request that can be denied for many reasons without opining on the merits.  It is difficult to see how Judge Kavanaugh could reach such an easy conclusion about the NSA program in the context of an emergency en banc petition, without full briefing and argument on the merits.  Unfortunately, it seems that the threat of terrorist attacks will remain with us in the foreseeable future.  While the threat is deadly serious, the ordinary rule of law cannot remain suspended in a perpetual state of exception, or else it is a rule of power and not of law.

Sikhs for Justice v. Facebook: Site Blocking

The ability of an ISP or social media site to block access to controversial or inflammatory content is a difficult issue at the intersection of cybersecurity and Internet governance.  In a case just decided by Judge Lucy Koh in the Northern District of California, Facebook won dismissal on the pleadings of Sikhs for Justice’s (“SFJ”) claim that Facebook blocked access to SFJ’s page in India.

SFJ’s claim was based on Title II of the Civil Rights Act of 1964, 42 U.S.C. § 2000a, which provides that “[a]ll persons shall be entitled to the full and equal enjoyment of the goods, services, facilities, privileges, advantages, and accommodations of any place of public accommodation . . . without discrimination or segregation on the ground of race, color, religion, or national origin.”

The court held that SFJ’s Title II claim is barred by the Communications Decency Act (“CDA”), 47 U.S.C. § 230.  This holding was consistent with other cases holding that ISPs are publishers entitled to CDA immunity.

Cases like this are important for Internet governance because of the gate keeping role played by large ISPs, search providers, and social media sites such as Facebook.  If these gate keepers can arbitrarily block access to sites a government finds objectionable, traditional political sovereigns can exercise significant control over the Internet.  On the other hand, if these gate keepers cannot accede to the wishes of governments in territories where they have users without threat of liability elsewhere, users in one country (such as the U.S.) could use local law to thwart the policies of another country (such as India).

NY Department of Financial Services Cybersecurity Regulations

Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions.  The regulations would require covered entities to

  • Maintain written internal cybersecurity policies and procedures;
  • Maintain policies and procedures to ensure the security of data held by third party providers;
  • Adopt multi-factor authentication for some resources;
  • Designate a CISO responsible for the institution’s cybersecurity program;
  • Adopt procedures and guidelines to ensure the security of applications used by the entity;
  • Employ personnel adequate to manage the entity’s cyber risks;
  • Conduct annual penetration testing and quarterly vulnerability assessments;
  • Maintain an audit trail system; and
  • Notify the Department of cyber incidents.

While most sophisticated financial institutions already engage in many of these functions, the regulations would add a new dimension to compliance.  The requirement to employ certain kinds of personnel, in particular, will be controversial.

Charges Announced in J.P. Morgan Hacking Case 

Federal prosecutors unsealed indictments against three men who allegedly engaged in a sprawling cybercriminal enterprise that hacked into J.P. Morgan Chase & Co. and several U.S. financial institutions.

Source: Charges Announced in J.P. Morgan Hacking Case – WSJ