A fleeting moment of joy
And then I realised it was not Rupert Murdoch being arrested.
Encrypted phone network Sky Global has seemingly shut down after European police swooped on users and distributors, and its chief exec was indicted by American prosecutors. News of the company shutdown was broken by Vice News after raids in Belgium and the Netherlands on Sky ECC users and resellers. We're told Canada's …
The problem with proper encryption and security is decentralization and compartmentalization. Having a central hub (even with geographic spread) is only good if the hub-admins cannot decrypt the stream/contents. Only single endpoint final recipient should be able to decrypt. From the looks, the system's security could be cracked by cracking one point at the edge. Not good design.
Why do people not use PGP mail? Oh, yes, it is difficult (and old). Well, let me tell you, secure communication is very hard to do right. Even PGP security can suffer, if you send messages to multiple users in the same stream because it can expose the (existence of) other recipients. If you are a smart criminal, then you know what to do. But then, those who get caught are surely not the "smart" criminals.
"If you are a smart criminal, then you know what to do. But then, those who get caught are surely not the "smart" criminals."
Have a friend in law enforcement. He said they didn't always catch the smart criminals, but they always catch the dumb ones.
Criminals probably think they're being smart when they use dark web sites, or modified encrypted phones, or money laundering exchanges. Instead it just makes law enforcement super interested & determined to infiltrate these service providers because the effort is worth it. The criminals are merrily discussing and transacting on their "safe haven" so the cops infiltrate, listen in and choose the moment to take them down. All designed to arrest as many people as possible and cause disruption and fear amongst the rest.
Criminals probably think they're being smart when they use dark web sites, or modified encrypted phones, or money laundering exchanges.
We are presented with a very one-sided picture. It is natural for the authorities to broadcast their triumphs, and keep very quiet indeed about their failures.
For example, in 2015 there was estimated to be about £10.7 billion of cocaine imported into the UK, i.e. the illegal UK cocaine industry is about eight times the size of the pre-Brexit fishing industry. The people at the top of this industry are clearly doing rather well, despite the occasional high profile success by the police.
if you truely REALLY want to destroy the narcotics cartels there's a really simple low cost answer
Decriminalise, treat as a heatlh issue and give addicts clean cheap supplies
The ACTUAL cost of a medical-grade knockout dose of heroin or cocaine is still far less than £1
When you realise how fantastic the profits are you understand why this keeps happening - it's not about the drugs, it's abotu the MONEY - and the police are busy hoovering up money too - they don't want the "war" to end because it would make them unemployed
Portugal is a good example of what happens when you take the Dutch exeroeiment to its logical end. There are virtually no pushers left operating in the country - why try to sell anything when you can't make a profit from the addicts?
oh, but "power", "control", "criminals", "rule of law"
Funnily enough one of the knockond effects of the Portuguese approach has been a major drop in minor crime as addicts no longer mug or steal to support their habits.
There's a lot of money to be made in selling fear and authoritarianism
I can imagine a raft of high-profile celebrities, corporate executives and the ludicrously wealthy who might all find encyrpted comms useful.
Just providing encryption doesn't make it a criminal business, no matter how much the cops would like it to be.
Use by criminals doesn't make the business a criminal conspiritor, no matter how much the cops would like it to.
No, the cops want to shut this guy down because the service he provides can get in their way, and so they're throwing a bunch a charges at him to see if anything sticks, and to scare other potential providers away from offering a similar service.
If there's actual proof Sky Global knowingly and deliberately markets to criminals, then there's a case to answer. But since crim's are unlikely to announce themselves as such, it's unlikely such evidence exists.
This case feels a lot like going after BMW because criminals sometimes drive a Beemer.
Well, they can both be used to commit a crime. A car lets a criminal get to or away from a crime scene a lot faster or you can kill someone with it. For the same reason, encryption can be used to hide information about your crime. Both can be put to nefarious use. They are also similar because both are heavily used by others for entirely legitimate purposes.
The important detail is whether the operators of the encrypted communication company knew their products were being sold to criminals. The wording there is important. It's not enough that the equipment was being used by criminals; car companies know that criminals will use cars and ISPs know that people will send malicious packets. The business has to know that they're interacting with a criminal for them to share culpability. Again, the wording is important. If they went to strange steps not to know their customers because they knew they would be criminals, then they knew and the circling around doesn't help them. If they actually thought the products were being used by normal businesses which would have a reason to want secure communications, they aren't culpable. This is the reason the trials of these companies have to be based on specific evidence from each company. There have been many companies deliberately aiding criminals and this might be one of them, but that has to be proven and just saying "they provide useful stuff that criminals used" isn't enough.
> Well, they can both be used to commit a crime.
In the US, and NATO countries, encryption exceeding a certain strength (loosely key length but it's more complicated than that) is classified either as a weapon, or as munition. Military-use only. In the US, strong encryption is regulated under ITAR, and Export Controls apply.
Selling or transmitting strong crypto to a non-friendly country will find one charged under the Trading With The Enemy Act.
In a previous job I had to deal with US Export Controls for crypto. To give you an example, GnuPG required - and still requires - US Export Control approval. We had to remove some of the crypto algorithms available in GnuPG because they were not cleared for export.
I am not talking about the crap commercial-grade encryption that is commonly found in smartphones or web browsers, and that a police department or the FBI or DHS would have no difficulty in cracking. I am talking about the kind of encryption that this Canadian fellow decided to install on mobile phones he subsequently sold to drug cartels - as it is alleged, and as he was charged and indicted.
The culpability in this case is two-fold: (a) he sold strong encryption to drug dealers for the purpose of evading detection while committing a crime and (b) in the process of committing (a) he violated ITAR and US Export Control regulations.
For the purposes of (b) it doesn't matter if one sells strong crypto to a known drug cartel boss, or to a nun. Or if he knew his customer. The culpability is the same.
If you are not a resident of the US - and something tells me you aren't - you may want to check the crypto export regulations of your own country. If your country is a NATO member, the rules for exporting and/or trafficking in crypto are exactly the same as the US rules.
Switzerland is not a NATO member and their crypto trading and export rules are stricter than the US rules.
So no, crypto is not just like a car.
You are wrong several times. Let's start with the obvious one:
"The culpability in this case is two-fold: (a) he sold strong encryption to drug dealers for the purpose of evading detection while committing a crime and (b) in the process of committing (a) he violated ITAR and US Export Control regulations."
A is covered in my original comment, short version is "more proof than that needed". For B, no, he did not violate U.S. export controls. He and his company are Canadian. The exports happened from Canada. U.S. export controls only apply to people exporting stuff from the U.S. Same with ITAR. It's a U.S. law and applies only to the U.S. Other countries have similar legislation, at times structured to be compatible, but it's not ITAR. Canada has export control legislation. Calling it ITAR and alleging that U.S. export regulations apply to Canadians makes it clear you do not understand how those laws work.
Now let's consider Canada's legislation. Actually, it's best we don't, because Canada hasn't charged anybody with breaking its export legislation, and they are the ones who would have to. But let's consider it anyway. In the list of controlled items, it originally seems somewhat damning since symmetric cryptography which works is prohibited (limit of 56 bit keys). However, there are long lists of exceptions. One of them looks like this:
"e. Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5 - Part 2), that have been customised for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customised devices;"
Well, the phones themselves are mass-market with hardware modifications unrelated to the cryptography. So as long as they use public algorithms, they count under this exception. Public algorithms include AES and RSA. So now, if Canada wants to charge him, they will have to identify the encryption in use. I'm guessing it's likely to be a public one, in which case they have already allowed it.
Also see this FAQ about cryptography exports. It's useful in determining what is allowed and what is not.
By the way, you'll find that no charges for breaking export controls, whether Canadian or U.S., have been filed. That's because the lawyers understand what is illegal and what isn't. They are hinging their entire case on point A, and point A is quite plausibly true. Still, it needs more proof than you have.
Have you expressed your concerns to the Belgians and the Dutch? I am sure they would be very interested.
I did not realize that Belgium and Holland were such obedient agents of Big Bad Imperialist US.
Insofar as the US is concerned, your Canadian hero and his buddy were indicted by a Grand Jury in the Southern District of California:
From the indictment:
According to the indictment, Sky Global’s devices are specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering. As part of its services, Sky Global guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised.
[ ... ]
According to the indictment, Sky Global’s purpose was to create, maintain, and control a method of secure communication to facilitate the importation, exportation, and distribution of heroin, cocaine and methamphetamine into Australia, Asia, Europe, and North America, including the United States and Canada; to launder the proceeds of such drug trafficking conduct; and to obstruct investigations of drug trafficking and money laundering organizations by creating, maintaining, and controlling a system whereby Sky Global would remotely delete evidence of such activities.
Insofar as jurisdiction is concerned: trafficking drugs on US territory is a US jurisdiction concern. Using strong encryption in the process of trafficking drugs on US territory triggers ITAR, among other things.
I do not need your help on accessing ITAR regulations on strong crypto, should I ever need to consult them again (I really hope I don't because it's a very boring read).
What happened to your "crypto is just like a car" theory? What about the "Yeah, but he didn't know his services were being used by drug cartels" theory?
Is that why Eap and Herdman designed their servers such that [ ... ] messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised?
Following your theory, this would be a self-defeating move. If the operation was as innocent as you - and others here - claim it was, deleting these messages would also destroy exculpatory evidence, wouldn't it?
Are you aware that obtaining a Federal Grand Jury indictment in the US is not a single-handed one-man operation?
You have now proven my point. The indictment linked is entirely about complicity with criminal clients. What did I say about that option? I called it "plausibly true".
My complaints are about application of export law which doesn't apply outside the U.S. Is that in the indictment? No, it's not. Is it in the Dutch or Belgian reports? No, it's not. Why not? Because it does not apply. The lawyers and I agree on what charges are valid. We also agree on what's plausible. To prove it true instead of just plausible, they'll need more proof than I've seen. They probably have it. That's their job.
They are likely correct. You ... are not. They are focusing on a crime which they will have to prove. You're attacking cryptography on fallacious arguments and incorrect application of limited legislation.
Seriously, if your security endpoint is not outside your communication endpoint (e.g. if your top-secret proprietary encryption scheme runs _on_ the phone), you lose almost immediately. Why would Officer Plod and Nefarious Hacker bother to decrypt when they can just watch the keylogger in real time via a back-channel?