A brief history of Anonymous

ExpressVNPAnonymous taking to the streets to protest

Anonymous has beef with Donald Trump.

Earlier this week the hacking networkreleased a video declaring “total war” on the U.S. presidential hopeful, claiming his racist stance and unkind remarks warranted an all-out attack. According to Anonymous, “Operation Trump” will go into full effect April 1st.

We’ve heard a lot about Anonymous over the years, but who are they? And just how worried should Trump and his cavalcade of supporters really be?

From Pasty Keyboard Warriors to Global Freedom Fighters

Anonymous is a loose network of hacktivists (hacker activists) who aspire to change the status quo. They’re strongly against any and all forms of censorship, as well as government surveillance. The group is said to have originated in 2003 when a few random users came together to talk about anarchy, oppression, and the state of things on 4Chan image boards. 

“We are Anonymous. We are legion. We do not forgive. We do not forget. Expect us.”

In 2006, they caught their first glimpse of attention after infiltrating the Finnish social networking hub Habbo and blocking access to certain parts of the site. Reports had surfaced how the site had been racially profiling certain users, so Anonymous decided to strike back. 

They made a name for themselves, but it would be another two years before anyone outside of 4Chan circles would recognize it.

Anonymous Reached Near Divinity When They Hacked the Church of Scientology

Flash forward to 2008 when Anonymous made headlines by releasing a macabre video declaring war on the Church of Scientology. In the video below the group claims the church had been exploiting its members for years and therefore deserved to be brought down.

“For the good of your followers, for the good of mankind—and for our own enjoyment—we shall proceed to expel you from the Internet.” 

A series of DDoS attacks and various waves of in-person protests followed. Thousands of protesters wearing Guy Fawkes masks flocked to Scientology centers around the world, forever damning the church’s reputation and costing millions in damages.

The church suffered massive attacks to their website, but worse they suffered irreparable damage to their credibility.

This was the first time hacktivists united under the same banner, for the same cause, and it set the stage for what was to happen next.

Avenging Assange and Toppling Government Oppression

In 2010, the U.S. tried to close the whistleblowing website WikiLeaks by forcing sites like Amazon, PayPal, and MasterCard to remove their services from the site. By doing so, the government could block off any and all access to the site’s public funds. 

In response, Anonymous launched an attack named “Operation Avenge Assange”, where they temporarily brought down PayPal’s, Visa’s, and MasterCard’s websites.

PayPal estimated the damages had cost the company $5.5 million, which subsequently led to 14 Anonymous arrests.

13 out of the 14 hackers pled guilty to the attack, but WikiLeaks lives on.

Fighting Oppression and Giving Back to the People

Shortly after,  Anonymous took to Tunisia in support of the Arab Spring by launching numerous DDoS attacks on Tunisian government websites. They also helped empower the Tunisian people by providing them with the proper tools and information needed to hack the government (one of which being the Tor browser). 

This led to a massive government uprising which eventually helped topple the dictatorship.

Similar attacks occurred in Egypt, where Anonymous helped restore certain parts of the Internet that were being censored by the government. The group also hacked and took down numerous government websites. These sites remained offline until then-president Hosni Mubarak officially resigned.

Countless other attacks have been documented–including the famous Westboro Baptist Church hacking, where Anonymous released the names, numbers, email and home addresses of many of the church’s members in a tweet. 

Westboro Baptist Church Dox | http://t.co/RDTaMpWc Have fun, and remember, these are terrible people who picket funerals | #YAN #OpWestBor

— Anonymous (@YourAnonNews) December 17, 2012

This is only a glimpse of the group’s exploits. You can see a more cohesive timetable here.

How Big Is Anonymous?

Here’s the thing, Anonymous isn’t so much an organization as it is an ideology. What started as a *** 4Chan message board has morphed into a global cause for advocacy that is growing by the day.

Anonymous has received attention from both sides of the advocacy spectrum, from being hailed as heroes to being called cyber terrorists. In 2012, the group was named one of the most influential people in the world by Time Magazine.

Because Anonymous is ubiquitous, they’re able to coalesce whenever and however they want. There are no company headquarters, no (known) agendas, and no real way to tie anything back to them. But while this helps them stay private it also opens the door for other people to claim attacks in their name. It’s virtually impossible to tell who’s the real Anonymous and who’s not. Are these threats against Trump legitimate?

While we’re unable to answer this, we can safely say their numbers are growing.

Should Trump and co. be concerned? You tell us.


Featured image: “Anonymous at Scientology in Los Angeles” by Vincent Diamante is licensed under CC BY-SA 2.0.


Internet hacks: What is a man-in-the-middle attack?


When you enter ExpressVNP.com into your browser bar, your computer looks up the physical address of ExpressVNP.com in a global database called DNS, which is kind of like a phone book for websites.

These global databases are mirrored across different servers around the world, and one is often situated very close to your present location, wherever you are.

Domain Name System Operators

Your local telecommunications provider probably maintains such a DNS server. Google, ExpressVNP, and others also run their own DNS services, although for different reasons. Google wants to know every single page that you navigate to while ExpressVNP runs the service to protect your privacy and increase your browsing speed.

There are also other, free DNS services that promise privacy and censorship resistance, like the Open NIC Project.

Man-in-The-Middle Attacks

The DNS server is the first possible entry point of a man-in-the-middle-attack. There is no way of knowing whether the DNS server is returning the correct IP address, so it’s possible you might end up on the wrong server, or the server of the attacker, when you type in a web address.

A man-in-the-middle attack theoretically explains a very specific attack in which the attacker sits between the two victims (in this case, you and the server). Both sides are victims because both sides are tricked into thinking they are communicating directly with each other when in fact they are talking through a third party, the attacker.

Of course, in reality, a man-in-the-middle attacker does not have to be a man or even a single person. It could be a group of people, but it’s most likely simply a piece of software.

Imagine being victim to such an attack. The attacker could read all your Internet traffic, including any passwords you enter onto a website, and all the emails you type. This would be a disaster, so how can we have a secure and functioning internet when vulnerabilities like this exist?

http middle man HTTP, where the magic is.

Hypertext Transfer Protocol Secure and the Green Lock

The answer to the problem is HTTPS (Hypertext Transfer Protocol Secure).

HTTP stands for Hypertext Transfer Protocol and was developed in the 1990s. Since 1997, HTTP has been the de-facto standard to exchange structured text — I.E. websites — across the web.

HTTPS significantly improved the security of HTTP in the late 2000s. The S stands for secure, and currently, relies on two main protocols for encryption: SSL (Secure Sockets Layer) and TLS (Transport Layer Security), though the former is on its way to becoming redundant.

HTTPS does two things: It encrypts the traffic between you and the site you are visiting, and it provides you with authentication that the site you are visiting is really the site you intend to visit. You can tell if a site uses HTTPS, as a green lock will appear in your browser bar.

To achieve this, the owner of the site is required to register their encryption keys with a Certificate Authority (CA). The keys and registrations are made public to ensure that if a certificate is issued incorrectly, the owner can easily find out, as happens to Google frequently.

You can look up anybody’s CA certificates using Google’s online transparency tool, simply by typing in their URL.

So as long every site uses HTTPS, and as long as we check each site we visit for the green lock in the browser bar, we are theoretically safe from these man-in-the-middle attacks.

If we navigate to a new site and find that the connection is not being encrypted (no green lock), it is impossible to know if the site doesn’t support encryption (in which case we might publicly shame them and avoid them until they do), or whether we are victim to a man-in-the-middle attack.

Even if a site requires you to connect to their site through an encrypted channel, a man-in-the-middle attack might encrypt the connection, leading the site to believe everything is fine, when, in fact, the connection between the attacker and the user remains unencrypted.

HTTP Strict Transport Security Is a Higher Level of Security

To protect against this, ExpressVNP and many others use something called HSTS (HTTP Strict Transport Security).

When you first connect to an HSTS website, the website instructs your browser to only ever connect through HTTPS in the future, and never connect through any unencrypted means. This only works, however, if the first time you connect to the site you are not already being attacked.

Some popular, high-profile websites do go a step further and have convinced developers of major browsers to include a special rule into their software to ensure that even a first-time connection is made over an encrypted channel.

HTTPS Everywhere for Your Browser

The Electronic Frontier Foundation has released a clever tool called HTTPS Everywhere that allows you to set rules for all the sites you visit and forces your browser to only use https. This makes it far less likely that you accidentally overlook a man-in-the-middle-attack.

HTTPS Everywhere is an extension to your browser, and it works with Firefox, Chrome, and Opera. You can even set a rule that blocks all connections made with HTTP, although sadly this makes many sites unusable.

mobile chat design It’s important to keep your email and chat secure.

Encrypt Chat and Email Protect from Man-In-The-Middle Attacks

Man-in-the-middle attacks are not limited to browsing. They are a threat wherever encryption is used, for example, email or chat messaging. In encrypted chat and email the strategy of the attack is similar to that of web browsing, but the defense is slightly different.

Off-the-record Messaging (OTR)

OTR is a protocol that allows for strong encrypted chat conversations between individuals. When OTR chat is initiated, encryption keys are exchanged between the users. If an attacker places themselves in the middle of two users, they could set up two separate encrypted chats with the two victims, *** them believe they are talking directly to each other.

As Certificate Authorities don’t exist for chat apps, the two users need to verify their keys manually to ensure they are indeed talking directly to each other. They can do this by listing their keys on their website, business card, or communicating it over any secure channel that the attacker would not have access to.

Pretty Good Privacy (PGP)

PGP is the gold standard in encryption. It is used to encrypt text, emails, and files. It can also be used to verify the integrity of any kind of data.

Since anyone can create a PGP key, an attacker might simply distribute a key in the name of an intended victim. Now, if anyone tries to communicate with the victim, they actually end up communicating with the attacker, who will forward the messages to the victim. Both parties think that since they are using PGP, they are secure, but instead they are outright sharing their messages with the attacker.

PGP keys are commonly uploaded to keyservers, where they become publicly visible. To defend against false keys, PGP uses a feature called key signing. This works by getting several of your colleagues and trusted friends to sign your key. Working on the principle everyone on the internet is connected through less than four people, it’s likely that someone you trust has signed a stranger’s key.

In practice, however, keys are not commonly signed, and you will still need to rely on authenticating your chat partner yourself.

Other Encrypted Chat Apps

Some chat apps, such as Signal and Telegram, allow you to verify the fingerprint of your conversation partner and, therefore, have some mechanism to detect man-in-the-middle attacks.

Other encrypted message platforms, such as iMessage and Whatsapp, do not have these features. They leave you in the dark about such attacks, so you are forced to rely on the service to defend you, somehow.

It’s Important to Protect Yourself from Man-In-The-Middle Attacks

Checking that the sites you visit are using sufficient encryption is the only effective defense against man-in-the-middle attacks.

For sites you regularly visit, the HTTPS Everywhere extension will make sure every time you connect to the site, it is over an encrypted connection. Doing so ensures an attacker cannot trick you into entering information to a server that merely impersonates the server you wanted to be connected to.

When the green lock is missing, under no circumstances should you enter any personal information such as email addresses or passwords. If there is no green lock on display, try again later, connect through a VPN. Or reach out to the website operator.

Featured image: Vladimir Koletic / Dollar Photo Club
HTTP: Melpomene / Dollar Photo Club
Chat: Gstudio Group / Dollar Photo Club

Also published on Medium.


What happens when good Chrome extensions turn bad


In one of the strangest (and funniest) web faux pas of the century, Wired magazine recently published an article accidentally referring to Donald Trump as someone with teeny-tiny hands. How did it happen? The unlikely culprit was theTrumpweb Chrome extension, which automatically replaces the words “Donald Trump” with “Someone With Tiny Hands.”

This isn’t the first case of rogue extensions wreaking havoc. In 2015, antivirus software AVG (ironically) released a Chrome extension that exposed the personal information ofnearly 9 million users.

good news: my latest piece @wired is blowing up! bad news: it’s because of this: pic.twitter.com/cb1ijVyveR

— Jason Tanz (@jasontanz) March 9, 2016

Novelty Chrome extensions like this are growing more popular. But instead of simply installing a random extension, having a few lols and then promptly moving on, people sometimes forget these extensions are installed, which leaves room for random extensions to not only cause embarrassing grammar gaffes (see above) but also potentially leak your private info.

Even worse, they can invite dangerous malware onto your system.

The Rise of Novelty Chrome Extensions

For the unaware, Chrome extensions are mostly free plugins users can download for their browsers.

These extensions come in a wide variety of uses—from helping protect your privacy to *** sure you don’t accidentally read the latest Game of Thrones spoiler.

Last year Google removed 200 malware-infused extensions

But while most are just for fun and/or helpful, there are malicious extensions out there that can leak your personal information and cause gnarly computer viruses. Just last year Google removed more than 200 random extensions, citing the fact thatmany contained malware.

How You Can Install Add-Ons While Staying Safe

Luckily, there’s an easy way to check if your extensions are clean. You can use theChrome Cleanup Tool to scan your extensions and install the Chrome Protector add-on, which will notify you if and when any of your extensions is acting sketchy.

Simple, right?

Never take an extension at face value. Make sure you read the reviews and take the time to thoroughly research an extension before you invite it into your browser.

Super Happy Mega Fun Chrome Extension Time!

Now, ExpressVNP couldn’t write an article about random Chrome extensions without offering a bunch of crazy options. So, for spits and giggles, here are a few office favorites:

  • nCage  For those who can’t get enough Nic Cage (which, let’s face it, is everyone), this novelty app replaces every web image with a pic of Cage himself. This one’s great for about five seconds. After the novelty’s worn off it’s probably best to uninstall it and move on with your life.
  • Wurstify – When you’re itching for a “hairier” web experience, this app adds a beard to each and every image.
  • Downworthy– Tired of the same old boring headlines? This little extension reinterprets article headlines to be a little more realistic–and funny.

And for the privacy-concerned and productively impaired, here are a few all-around useful extensions.

  • Stay Focused– If you’re like us and have trouble focusing, this app helps you buckle down by limiting the amount of time you can waste on random sites. A very nifty app.
  • Wunderlist– Nothing screams organization more than lists, and Wunderlist helps you create them with ease. From organizing your grocery items to helping you plan your next vacation, Wunderlist is pretty a-ok.
  • DuckDuckGo – If you’re reading this post, chances are you care about your privacy. This extension takes the “ogle” out of Google, meaning it works in basically all the same ways but has much, much better privacy settings.

Additionally, the ExpressVNP Chrome extension is also available to keep your network safe and secure at all times.

Remember, folks, to scan your extensions from time to time, and if you see one you’re not using anymore, let it go! And if you’re in the mood for even more extension awesomeness, check out ExpressVNP’s best privacy extensions tips for Chromeand Safari.

What are your favorite extensions? Leave your top picks in the comments below. As always, stay safe, stay private, and stay secure.


Featured image: “DonaldTrump speaking at CPAC” by Gage Skidmore is licensed under CC BY-SA 3.0.


As users turn to ad blockers, sites start blocking users


Last December, Forbes started blocking access to visitors who used ad-blocking software. Visitors with any type of ad blocker installed on their web browser were immediately met with an obtrusive white wall asking them to politely disable their settings in order to view the site.

(In other news, Forbes is serving malware with its mandatory ads.)

But Forbes isn’t the only company taking ads into its own hands. The Washington Post, Slate and more recently Wiredhave also dabbled in blocking ad blockers.

There are many irrefutablebenefits to using an ad blocker–they help protect you from malware, speed up load times, and offer an all-around better site experience–but there’s also a valid counter argument: How can domain owners make money without ads?

The Uncanny Rise of Ad Blockers

In 2015 alone, ad blocking software rose a whopping 41 percent, with an estimated 200 million active users worldwide. It’s changed from something only a handful of tech-savvy people used to an everyday household tool.

We venture to argue one of the main reasons why more people are installing ad blockers is because they’re becoming increasingly sensitive to how their information is being shared. Targeted ads track your browsing history in order to serve up customized ads, and they’ve regrettably become the status quo.

forbes homepage blocking ad blockers Forbes politely asking to turn off ad blockers while uBlock Origin proceeds to block 19 unknown scripts

It’s scary how ads today are so personalized. It’s gotten to the point where they process thousands of bits of data before a website even loads, pulling apart different aspects of your browsing history to create highly personal–and often highly intrusive–adverts.

Perhaps this is why so many companies are developing ad-blocking software. (See Apple’s iOS 9 ad blockers and Android’s blockers for proof.)

Why Targeted Ads Are Dangerous

In a study conducted by the University of Pennsylvania, 66 percent of Internet userssaid they were uncomfortable with the thought of targeted advertising. Interestingly, the number grew to 86 percent when they learned how marketers were getting the data to tailor these ads.

Targeted ads expose users’ privacy, and the trackers behind these ads are more common than you think.

Take a look at the Wall Street Journal’s What They Know series to see just how exposed some websites leave their visitors. (Props to Wikipedia for having 0 trackers installed.)

sites and their exposure index and trackers Screenshot of WSJ’s What They Know series

Taking the Internet Into Their Own Hands

We get it. Ads generate revenue. The problem, however, is that the public is catching on to how these tailored ads are made and how they expose and pervert people’s privacy. Users are changing the way they want to receive information, and sites like Forbes and Wired are greatly underestimating how much people really hate ads.

Browser Media puts it well:

“Users are blocking ads to retaliate against intrusive, irrelevant and often downright dreadful ads in terms of quality – you know the data-sucking ones that take over your screen with auto-play videos and flashing slogans so you struggle to sort the content from the crap. But those ads pay the bills. No money, no website.”

In 2002,only one percent of Internet users were using an ad blocker. Today it’s nearly 50 percent.

And yet instead of trying to fix this and protect the privacy and well-being of their visitors, more sites today are forcing readers to willingly disarm themselves in order to view any type of content.

Not a great way to earn the reader’s trust, is it?

The Ongoing Debate Over Privacy Vs Revenue

Unlike other companies, Forbes has been transparent with how their new business system has affected the site’s performance. Ina public statement, chief content officer Lewis DVorkin emphasizes how nearly 44 percent, roughly 1.6 million visitors, disabled their ad blockers in order to view the site. “We monetized 15 million ad impressions that would otherwise have been blocked,” DVorkin boasts.

Sounds good, right? Not really…

What DVorkin fails to mention is while they monetized 15 million new ad impressions, they actually drove away 56 percent of users who weren’t willing to disable their blockers. 

These users may not be coming back anytime soon.

Looking Towards the Future

more web searches are now done on mobile devices More people today are browsing the Web on their smartphone, sending ad execs into a tizzy

As more people start to see the benefits of ad blockers, fewer visitors will be willing to disable them. This is especially true when it comes to mobile devices, where ad blockers are beginning to come pre-installed.

We’re curious to see if sites like Forbes and Wired will continue to block ad blockers, or if they’ll realize it’s a wasted effort and instead focus on changing how these ads are being served.

Our bet is on the latter.


Featured image: Viktor Hanacek/PicjumboWomen with phone: Benjamin Child/Unsplash


The court case that will define technology and privacy for decades


On December 2, 2015, the married couple Syed Rizwan Farook and Tashfeen Malik shot and killed fourteen people at a training event for the Department of Health in San Bernardino, California, where Farook was employed. A further twenty-two were injured in what was the deadliest mass shooting in the United States since 2012, and the deadliest in California since 1984. The entire shooting took less than four minutes.

The shooters fled the scene in a rented car, leaving behind explosive devices intended to target emergency responders. Fortunately, these bombs never exploded.

About four hours after the shooting, police were able to find and stop Farook and Malik in their rental car. There was an exchange of fire and both shooters died at the scene.

apple-v-fbi Image from the San Bernadino County Sheriff’s Department.

According to the FBI, Farook and Malik had sent Facebook messages to each other in which they both committed to violent Jihad. Their Facebook profiles also declared an allegiance to ISIS leader, Baghdadi. In light of these findings, on December 6, 2015, President Obama defined the shooting as a terrorist attack — the deadliest on US soil since 9/11.

According to the media, Farook and Malik had both thoroughly destroyed their personal phones prior to the attack, *** it impossible to retrieve any information from the devices.

Farook’s employer, however, had issued him with an iPhone 5C, which Farook did not destroy before his death. This iPhone is running iOS 9, which is secured with a numeric passcode and had regularly backed up with Apple’s iCloud service. While the information on the iPhone itself is encrypted, the backups in the cloud are not. The investigators could have triggered an automatic iCloud backup by simply returning the iPhone to one of the Wi-Fi networks it had previously accessed. But this option became moot when an investigator reset the passwords of the iCloud account, thereby disabling the automatic backups.

Why the iPhone’s Passcode Is Impossible to Crack

While a *** numeric passcode would be easy for any computer to guess, three restrictions in iOS 9 prevent devices from being cracked:

  1. There is an 80 ms delay between each password attempt.
    • While the 80 ms delay would slow down an attack, in theory, it would nonetheless only take 800 seconds to go through all 10,000 possible combinations of a four-digit code. Without the artificial delay, it would take less than a second to crack the password. This lag becomes very significant with longer passwords.
  2. The passcode must be entered by hand.
    • If it takes two seconds to manually enter an incorrect passcode and get an error message, it would still only take about five and a half hours to guess the code.
  3. The kicker: the device becomes unrecoverable after ten failed attempts.
    • While the first two restrictions are only relevant for complex passcodes for which millions or billions of possible combinations exist, this third barrier makes it entirely unfeasible to attempt to unlock the phone by simply guessing the password.

To circumvent these barriers, the FBI would have to write their own version of the iOS firmware, load it onto the phone, then attempt to automatically guess the password. Such a technique could still be unsuccessful if the phone were protected with a strong password, as it would take today’s computers too long to crack.

Perhaps the FBI do not have the technological experience to create such a hacking tool. But it is very likely that other agencies, such as the NSA, do. We don’t know if the FBI has asked the NSA for assistance in this matter, or whether the NSA has already developed software capable of thwarting the three restrictions mentioned above, but we do know that they could — just as we know Apple could.

hack-apple The FBI are asking Apple to stab themselves in the back.

The FBI Wants Apple to Help Hack Apple Devices

When the FBI asked Apple to voluntarily help them create software to remove the three restrictions, Apple said no. So, a few days before the warrant to search the phone expired, the FBI sought the assistance of the United States District Court for the District of California. On February 16, the court ordered Apple to comply with the FBI’s request.

The original order asked Apple to provide the FBI with firmware that bypasses the restrictions, although it does gives Apple the permission to design firmware that can function solely on Farook’s phone, as identified by its unique identifier (UDID), which functions like a serial number. The order also allows Apple to conduct this “recovery” on its own premises, and to charge the government for “providing this service”.

Apple refused to comply and their response, signed by CEO Tim Cook, has since been praised and shared countless times all over the Internet. In their response, Apple stresses that they have already shared all data they can share (which presumably includes the iCloud backups of the iPhone in question), and they did everything within the law to help the FBI.

Apple also stresses that it would be technologically impossible to create this kind of software in such a way that can only be used once. Any firmware capable of cracking Farook’s phone would work on any other iOS device. The federal government has already sought Apple’s help to unlock phones in 12 other cases, and the newly-created software would no doubt be requested again the next time the FBI want to access a phone. Once a legal precedent is set, it would be very difficult to refuse a demand in the future.

The FBI Wants You to Take Their Side

It seems the FBI chose Farook’s case to create a precedent. The FBI chose it not because of its relevance to national security, but because Farook’s label as a “terrorist” makes it more likely public opinion will side with the FBI.

We are witnessing not just a court battle but also a battle for public opinion. And a lot is at stake.

The FBI is determined to set a legal precedent in which it successfully unlocks an encrypted phone using modified firmware, because it seeks to use dozens if not hundreds of unlocked phones as evidence in criminal trials. Seeking the NSA’s help to unlock a device might be useful in an investigation, but when it comes time for a public trial, the NSA would not be willing to share details of how they obtained the evidence, and the evidence would have to be dismissed. And without evidence, nobody can be convicted of a crime.

In this case, the FBI argues that Farook may have used this phone to communicate with his colleagues. Imagine if the NSA had already hacked the device and found that one of Farook’s colleagues had prior knowledge or even involvement in the attack. Knowledge of this communication would not necessarily be enough for this colleague to be convicted because the state attorney or FBI would not be able to explain to the court how they know (i.e., with help from the NSA), and the evidence would not be admissible.

Who Should You Trust: Apple or the FBI?

This FBI vs Apple court case puts Apple in an extremely difficult situation, because their decision affects the security of all Apple devices, not just Farook’s iPhone. While it’s likely that Apple would be willing to assist in gathering evidence in this particular case, providing the FBI with an altered version of their software has grave consequences.

As with other technology and data, it is not unreasonable to assume that this password-guessing software would quickly spread: first among various agencies of the US government, then to foreign governments, then to organized criminal organizations, and later end up as an open-source tool on Github.

This issue is less a question of data privacy (a philosophical right) than it is about data security (a technical problem), although the two are interlinked. While Apple, and particularly Tim Cook, has been vocal about our need for privacy in the past, Apple products have surpassed its competitors as best in class when it comes to built-in device security.

Apple, along with other manufacturers, wants us to store all our personal information on devices in our pockets, at our homes, and on our wrists. To do that, the tech giants need to convince us their devices are safe. So far Apple has been very successful at establishing trust with their customers and convincing people that Apple products are secure. If this relationship of trust were to be damaged, especially in such a public way, Apple’s market position might be severely harmed.

In contrast to Apple, the United States government and its various agencies no longer have the reputation they used to have, especially as perceived by individuals and organizations abroad. Apple, then, is a reliable supplier to international companies and foreign governments: they are willing to stand up to the FBI, and they work tirelessly to maintain the security of their products — even against some of the most sophisticated potential adversaries.

apple-unconstitutional Should Apple be protected by the government?

Are the FBI’s Demands Unconstitutional?

Beyond the question of security, the court case raises another important issue: conscription. Forcing individuals and private companies to hand over information they possess is hugely different from forcing these individuals and private companies to perform actions they find morally questionable.

The FBI is asking Apple and their engineers to create a tool they believe shouldn’t exist. To force Apple to build the firmware quite likely violates the Thirteenth Amendment to the United States Constitution (involuntary servitude). In the past, exemptions to this amendment have been granted by the Supreme Court only in cases of war.

Apple, however, argues that the court order violates their First Amendment rights: that code is free speech. Apple says their code incorporates their values, which are protected by the First Amendment. Changing the code violates and alters these values and it is unconstitutional for the government to force them to do it.

The Government Has Always Hated Encryption

A similar argument has successfully been applied in the past. When Phil Zimmermann, the inventor of the encryption program PGP, was distributing PGP around the world, he was investigated in 1993 for “munitions export without a license”. At the time, encryption was considered a weapon. To get around this ban, Zimmermann and his followers challenged this regulation by printing the source code into a hardcopy book and distributing it around the world. They argued that, as a book, the code constituted protected speech and could barely be considered a weapon. The investigation against Zimmermann was eventually dropped.

While the Zimmermann case was unfolding, the NSA was busy promoting its Clipper Chip, a tool for transmitting encrypted telephone conversations. The Clipper Chip contained a backdoor that would have gained the agency access to all phone conversations.

The agency abandoned the Clipper Chip project after significant backlash from the Electronic Privacy Information Center and the Electronic Frontier Foundation. Fears that the NSA would not be able to force foreign companies to include this chip into their products, and that these companies could then gain a competitive edge in the international markets, also prompted the NSA to drop the Clipper Chip.

This consideration will play a role in the current court case with the FBI vs. Apple, with many fearing US technology companies could lose out on contracts with foreign governments, companies, and individuals.

The Clipper Chip was later found to be insecure, and would have quickly become breachable by foreign intelligence agencies and large criminal organizations.

crypto-war Is this the start of another crypto war?

Is This the Return of the Crypto Wars?

The controversies around the Clipper Chip and other attempts by the government to weaken the security of our everyday communications and devices gave rise to the term Crypto Wars. The wars were infamously declared “won” after the UK Government also shelved its plans to restrict access to strong encryption protocols.

Today encryption has become widely accessible and used across the Internet. Most reputable websites encrypt their traffic with HTTPS (as indicated by the green lock in the address bar). Operating systems encrypt their hard drives by default. And messaging systems like Signal, Telegram, and Whatsapp all encrypt chat traffic in transit.

With the FBI’s attacks on Apple’s device security and encryption techniques, we may have entered the second round of the Crypto Wars. The two cases are similar in that they both remove vital security features for the sake of government access in the name of national security.

May history repeat itself and encryption win once more.

Featured image: Andrey Burmakin / Dollar Photo Club
Apple stab: Krzysztof Budziakows / Dollar Photo Club
Unconstitutional: larryhw / Dollar Photo Club
Crypto war: kaalimies / Dollar Photo Club