cybersecurity and legal lessons after apple v fbi
TRANSCRIPT
![Page 1: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/1.jpg)
Cybersecurity and Legal Lessons after Apple v FBI
Benjamin AngSenior Fellow, Centre of Excellence for National SecurityEducation Chair, Internet Society Singapore Chapter
![Page 2: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/2.jpg)
Where we come from
CENS
Multinational team of
specialists in national and
homeland security
Based at NTU’s RSIS,
working closely with
NSCS and CSA
ISOC.SG
Dedicated to ensuring
that the Internet stays
open, transparent and
defined by you.
Organizing events,
Providing education,
Engaging policy
Myself
Former Lawyer
Former CIO
Senior Research Fellow
in Cybersecurity Law and
Policy
![Page 3: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/3.jpg)
Cybersecurity issues in IPV6
![Page 4: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/4.jpg)
Misconception #1
Misconception:
IPV6 automatically
applies IPSEC because
IPSEC is built in
Reality:
IPSEC is an option
Solution:
Enable IPSEC
![Page 5: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/5.jpg)
Misconception #2
Misconception:
Every device should
have its own IP address
Reality:
NAT protects devices
which only need to
reached within network
Solution:
Use both IPV4 and IPV6
![Page 6: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/6.jpg)
Misconception #3
Misconception:
Encryption will protect
everything
Reality:
Metadata can still be
exposed
Solution:
Be aware
![Page 7: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/7.jpg)
Timeline of Apple v FBI
As of mid 2016
![Page 8: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/8.jpg)
16 Feb
Judge orders Apple to
help FBI unlock iPhone
belonging to dead
terrorist
17 Feb
Tim Cook (Apple CEO):
This would undeniably
create a backdoor, we
will NOT comply
18 Feb
Twitter, Google, Former
NSA Director: USA is
safer with unbreakable
encryption
19 Feb
FBI filed motion that
Apple is not above the
law
1 Mar
Apple General
Counsel spoke to
House Judiciary
Committee
![Page 9: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/9.jpg)
1 – 15 Mar
Apple and US DOJ
lawyers file arguments
in court
21 Mar
US attorneys ask to
vacate hearing
28 Mar
US govt announces it
has gained access to the
phone without Apple’s
help
8 April
US DOJ said they
need help to unlock an
iPhone 5s in New York
22 Apr
US DOJ no longer
needs Apple’s help
because they also
unlocked this phone
![Page 10: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/10.jpg)
What’s at stake
![Page 11: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/11.jpg)
The ‘Security’ Argument
FBI:
We need access so that
we can investigate
crime, prevent crime
Fears:
‘Going dark’
![Page 12: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/12.jpg)
The ‘Privacy’ Argument
Technology Cos:
Creating back doors will
expose users to
criminals
![Page 13: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/13.jpg)
What if it happened in Singapore?
Criminal Procedure Code
![Page 14: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/14.jpg)
Criminal Procedure Code
39.—(1) A police officer or an authorised person, investigating an arrestable offence, may at any time —
access, inspect and check the operation of a computer that he has reasonable cause to suspect is or has been used in connection with the arrestable offence; or
use or cause to be used any such computer to search any data contained in or available to such computer.
![Page 15: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/15.jpg)
Power to access computer
I’m investigating an
arrestable offence, so I want
to ACCESS all the data on
this computer Do you need a
warrant?
No.
![Page 16: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/16.jpg)
Criminal Procedure Code
39(2) The police officer or authorised person may also require any assistance he needs to gain such access from —
… 39 (5) (3) Any person who obstructs the lawful exercise … or who fails to comply with any requirement of the police officer … shall be guilty of an offence
![Page 17: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/17.jpg)
Power to access computer
Can I
refuse?
No.
![Page 18: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/18.jpg)
Criminal Procedure Code
40.—(2) The police officer shall be entitled to —
access any information, code or technology which has
the capability of retransforming or unscrambling
encrypted data into readable and comprehensible format
or text for the purposes of investigating …;
Require [any person] to provide assistance
![Page 19: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/19.jpg)
Power to access decryption
I’m investigating an arrestable
offence, so I want to
DECRYPT all the data on this
computer Do you need a
warrant?
No.
![Page 20: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/20.jpg)
Criminal Procedure Code
39(2) The police officer or authorised person may also require any assistance he needs to gain such access from —
… 39 (5) (3) Any person who obstructs the lawful exercise … or who fails to comply with any requirement of the police officer … shall be guilty of an offence
![Page 21: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/21.jpg)
Power to access decryption
Can I
refuse?
No.
![Page 22: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/22.jpg)
Criminal Procedure Code
40(7) … if that person was in possession of any decryption information at any time before the time of the request for access to such information, that person shall be presumed … to have continued to be in possession of that decryption information …, unless—
(a) It was not in his possession at the time of request and
(b) It continued not to be in his possession.
![Page 23: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/23.jpg)
Power to access decryption
I don’t have the
keys
Didn’t you use to
have them?
![Page 24: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/24.jpg)
But there is a limit
I got into the laptop, but the files
are individually encrypted by an
unknown software
![Page 25: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/25.jpg)
What about messages (data in motion)?
Computer Misuse and Cybersecurity Act
![Page 26: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/26.jpg)
Computer Misuse and Cybersecurity Act
15A.—(1) Where the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore,
the Minister may, authorise or direct any person or organisation … to take such measures or comply …
![Page 27: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/27.jpg)
We have a national security
concern, so I’m giving you a
direction
Can you
do that?
Yes
![Page 28: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/28.jpg)
Computer Misuse and Cybersecurity Act
s15A(2)(c) … (including real-time information)
obtained from any computer controlled or
operated by the specified person, or obtained by
the specified person from another person
![Page 29: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/29.jpg)
Monitor all messages in real
time to find out if a riot is going
to take place REAL TIME? What if
we catch some
personal data?
![Page 30: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/30.jpg)
Computer Misuse and Cybersecurity Act
s15A(3) Any measure or requirement …
shall have effect notwithstanding any obligation
or limitation imposed or right, privilege or
immunity conferred by or under any law,
contract or rules of professional conduct …
![Page 31: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/31.jpg)
Computer Misuse and Cybersecurity Act
s15A(4) A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister under subsection (1) shall be guilty of an offence
and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.
![Page 32: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/32.jpg)
Is there a limit?I can’t monitor the messages,
they’re encrypted end to end!
![Page 33: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/33.jpg)
On the other hand
Businesses are legally required to protect customer data
![Page 34: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/34.jpg)
PDPC fined KBOX $50K
“The practice of sending large volumes of members’ personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data.” – PDPC
![Page 35: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/35.jpg)
On the other hand
End users and manufacturers of IOT may need access
![Page 36: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/36.jpg)
Manufacturers
…need to send
security updates
to IOT Devices
![Page 37: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/37.jpg)
End users
… sometimes
need to override
our own security
![Page 38: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/38.jpg)
Humanity
… may one day
need to override
security
![Page 39: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/39.jpg)
What can we do?
![Page 40: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/40.jpg)
End Users
• We need choices
Law Enforcement
• We need access
Tech Companies
• We need security
Regulators
• We need to secure
![Page 41: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/41.jpg)
Weak (or weakening) encryption is unsafe
Because criminals can get access to victims’ data or worse
![Page 42: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/42.jpg)
How are you going to
get through the user’s
security?
No problem, I found
out the back door that
police use!
![Page 43: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/43.jpg)
Weak encryption doesn’t really help law enforcement
Because the really serious criminals and terrorists use additional encryption tools
![Page 44: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/44.jpg)
How are we going to carry
out our secret bomb attack?
Police have back doors into
everyone’s phone!
No problem, I’m using a
Russian encryption app
that has no back door
![Page 45: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/45.jpg)
But end users and manufacturers need a safe way in
Are there solutions besides encryption alone?
![Page 46: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/46.jpg)
Secure Privacy
3FA
Biometrics
Escrow Dual Key
Notification
Blockchain
![Page 47: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/47.jpg)
3FA
![Page 48: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/48.jpg)
Biometrics
![Page 49: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/49.jpg)
Key Escrow
![Page 50: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/50.jpg)
Dual Key
![Page 51: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/51.jpg)
Notification
![Page 52: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/52.jpg)
Blockchain
![Page 53: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/53.jpg)
The Solution is out there
We all need to work together to create one that works for everyone
![Page 54: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/54.jpg)
54
Singapore Chapter
Your Membership helps Change the World
Internet Society members achieve change through partnerships and technical expertise.
90+Chapters
Worldwide
Your membership to the Internet Society gives you a
powerful voice.
50000+Individual
Members
140+Organization
Members
![Page 55: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/55.jpg)
55
Singapore Chapter
Workshops and training
Educational events
You can play a Key Role in Singapore
Public Policy issue advocacy
Networking events
![Page 56: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/56.jpg)
56
Singapore Chapter
Get Involved
Join the Singapore Chapter, or
Attend an Event
– Blockchain Seminar 2016
Contact us at www.isoc.sg
This is your Internet.Join it!
![Page 57: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/57.jpg)
Cybersecurity and
Legal Lessons
after Apple v FBIBenjamin AngSenior Fellow, Centre of Excellence for National Security
Education Chair, Internet Society Singapore Chapter
Slides and further discussion at www.isoc.sg
![Page 58: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/58.jpg)
Background Information
![Page 59: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/59.jpg)
Centre of Excellence for National Security
Multinational team of research
specialists in national security
Working with National Security
Coordination Secretariat (NSCS) and
Cyber Security Agency (CSA)
![Page 60: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/60.jpg)
CENS Research Programmes
Homeland Defence
Programme
Radicalisation
Studies Programme
Social Resilience
Programme
Cybersecurity
Programme
• Strategic
Communication
• Social Media
Analysis
• Radicalisation to of
individuals and
groups
• Criminology,
psychology,
sociology, history
and political science
• Multiculturalism,
citizenship, class,
immigration
• How globalised
societies cope with
crises such as
pandemics and
terrorist attacks.
• Cyber threats
• Cybercrime
• Smart Cities
• Confidence Building
Measures
• Controversies
(security vs privacy)
![Page 61: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/61.jpg)
How CENS influences national policy
Publish Commentaries and Briefs
Educate National Security Officials
Organize workshops and seminars for
to create a community of practice in
public and private sectors
![Page 62: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/62.jpg)
62
Singapore Chapter
Internet Society Mission
To promote the open development,
evolution, and use of the Internet for
the benefit of all people throughout
the world.
![Page 63: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/63.jpg)
63
Singapore Chapter
Internet Society Singapore Chapter
Provides
leadership in
policy issues
Advocates open
Internet
Standards
Promotes Internet
technologies that
matter
Develops Internet
infrastructure
Undertakes
outreach that
changes lives
Recognizes
industry leaders
![Page 64: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/64.jpg)
64
Singapore Chapter
Current Priorities
Internet Governance
Open Internet Standards
Online Identity
IPv6
Blockchain
Domain Name System Security (DNSSEC)
Internet and Human Rights
Intellectual Property and Digital Content
Internet of Things
![Page 65: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/65.jpg)
65
Singapore Chapter
Programmes
Awards
Internet Hall of Fame
Jonathan B. Postel Service Award
Applied Networking Researching Prize (ANRP)
Grants
Community Grants
ICT Innovation
Individual Fellowships
![Page 66: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/66.jpg)
66
Singapore Chapter
Examples of the Internet Societyin Action
![Page 67: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/67.jpg)
67
Singapore Chapter
Public Consultation with MDA on changes to Licensing of Websites
Photo: © Stonehouse Photographic
www.internetsociety.org/wcit
![Page 68: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/68.jpg)
68
Singapore Chapter
Lodging complaint against law firm representing Dallas Buyers Club in threatening users
Photo: © Stonehouse Photographic
www.internetsociety.org/wcit
![Page 69: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/69.jpg)
69
Singapore Chapter
Seminars on Charlie Hebdo, Cybersecurity Skills Building, Election Blogging, IOT, and more
Photo: © Stonehouse Photographic
www.internetsociety.org/wcit
![Page 70: Cybersecurity and Legal lessons after Apple v FBI](https://reader034.vdocument.in/reader034/viewer/2022042723/5878728e1a28ab497b8b6797/html5/thumbnails/70.jpg)
70
Singapore Chapter
World IPv6 Launch
www.WorldIPv6Launch.org