Proposed Chinese security law could mean tough rules for tech companies

China apparently wants to one-up the U.S. and the U.K. when it comes to urging technology companies to install security backdoors and break their encrypted documents and user communications in the name of national security.

Reuters reported on Friday that a newly proposed Chinese counterterrorism law calls for technology companies to turn over encryption keys to the Chinese government, allow for ways to bypass security mechanisms in their products, store user data and maintain servers in China, and remove any content that the country deems supportive of terrorists.

China is expected to adopt the draft legislation in the “coming weeks or months,” according to the report. The proposed law follows a set of banking security rules that the Chinese government adopted in late 2014 and that require companies that sell both software and hardware to Chinese financial institutions to place security backdoors in their products, hand over source code and comply with audits.

The Reuters report cited several anonymous executives of U.S. technology companies who said they are more worried about this newly proposed law than the banking rules because of the connection to national security. Supposedly, the laws are worded in such a way as to be open to interpretation, especially with regard to having to comply with Chinese law enforcement, which has some executives fearful of “steep penalties or jail time for non-compliance.”

The newly proposed law follows recent news that China has been peeved by U.S. intelligence-gathering operations revealed by the leaked Edward Snowden NSA documents and allegations by the U.S. government that members of China’s People’s Liberation Army used cyber espionage tactics to steal business trade secrets. China apparently doesn’t take those allegations too kindly and instead the country claims that products sold in China by U.S. technology companies pose security concerns.

If there’s one thing China, the U.S. and the U.K. can all agree upon, however, it is that companies should not be using encrypted technology to mask user communications. If companies do use the security technology, governments want those companies to hand over their encryption keys in case law enforcement or government investigations warrant it.

Attorney General Eric Holder and FBI Director James Comey have made public their displeasure with how encryption supposedly makes it easier to hide the activities of criminals. However, a recently leaked document from the Edward Snowden NSA data dump showed that some U.S. officials believe encryption is the “[b]est defense to protect data.”

Tech and media firms join Twitter in key test of FBI gag orders

A bitter fight between the Justice Department and Silicon Valley is expanding as a diverse group of companies have lined up behind Twitter in a case that will help determine the limits of free speech in the age of Edward Snowden.

On Tuesday, groups ranging from BuzzFeed to Wikipedia to the Guardian filed friend-of-the-court briefs (see below) to support a challenge by Twitter to Patriot Act gag orders. Two other large companies, which are only allowed to refer to themselves as “Corporations 1 & 2,” also filed briefs.

The case, which began when Twitter sued the Justice Department in October, turns on how companies may use so-called “transparency reports” to tell users about government requests for their data.

Twitter claims it has a right under the First Amendment to say specifically how often it receives National Security Letters, while the government counters that companies can only do so in broad strokes lest they jeopardize national security.

In recent years, the FBI has made extensive use of National Security Letters to obtain information about subscribers, while also attaching gag orders to the letters that forbid companies from revealing they have even received a letter in the first place. The Justice Department has issued hundreds or thousands of such letters to companies like Google, Facebook and AT&T.

In its lawsuit, Twitter claims it is an illegal prior restraint of free speech for the government to bar companies from even disclosing that they have received a letter. A group of media companies has now voiced support for that argument:

“Twitter’s proposed transparency report is no less entitled to free speech protections than ‘literature’ or ‘movies,’” said the brief filed on behalf of BuzzFeed, NPR, the Washington Post, PEN America, the Guardian and First Look Media.

The brief reflects the media’s newfound legal interest in what has largely been a tech industry fight, but also shows how digital media companies like BuzzFeed are finally taking up the legal fight for free speech, a burden that has long been borne almost entirely by old-line newspaper companies.

“Corporations 1 & 2”

Meanwhile, a separate filing shows that a phone and internet company are also weighing in on the Twitter case, but in the guise of “Corporations 1 & 2.” The companies (which are likely Verizon and Google or Yahoo) are using the pseudonyms at the direction of a judge, and are muzzled in part because they are already before an appeals court in another national security case over the right to disclose government demands.

The right of internet companies to discuss security letters has become more pressing since 2013, when leaked documents from Edward Snowden revealed massive surveillance operations by the U.S. government. Those operations rely on obtaining information from tech and phone companies, and have been facilitated by the legal process governing Patriot Act letters, as well as a related process for NSA demands.

In response, companies like Twitter have come to claim that free speech and the public interest give them the freedom to disclose how many NSA and FBI letters they receive in the first place. The companies stress they are not arguing for the right to disclose the contents of the letters, since doing so could jeopardize ongoing investigations, but only the existence of the letters.

The docket also shows that a group of other entities — the Wikimedia Foundation, CloudFlare, Sonic, Wickr, Credo Mobile and Automattic (publisher of WordPress.com) — filed a brief in support of Twitter.

Here’s a copy of the media companies’ filing with some of the key parts underlined. Note that a key part of the argument turns on whether the federal judge has authority to hear the case in the first place (as the companies argue) or if the case belongs instead in a controversial secret court (as the Justice Department claims).

Media Amicus in Twitter Case

https://www.scribd.com/embeds/256148646/content?start_page=1&view_mode=scroll&show_recommendations=true

This article was updated at 12:35pm ET to note that Automattic is the publisher of WordPress.com; an earlier version said “WordPress” (which refers to the software used by the company, WordPress.com). This article was also updated at 1:40pm on Thursday to clarify that it was the Wikimedia Foundation (not Wikipedia) that was on the amicus brief.

DARPA shows off its tech for indexing the deep web

On Sunday night, 60 Minutes aired a segment about the Defense Advanced Research Projects Agency, or DARPA, and its attempts to secure the internet from hackers, human traffickers and other criminals. One of the DARPA efforts the program highlighted — and did so even more in an unaired segment for the web — is a project called Memex, which is essentially a search engine for the deep web and the dark web.

The technology looks pretty amazing in a number of ways, including its scale, its speed and its interface. Of course, it’s also tackling a horrible and often under-appreciated problem, which is the illegal trafficking of women and girls as sex objects. Asked why DARPA is concerned with sex trafficking, Memex inventor Chris White explained that people willing to take part in that endeavor are often more likely to take part in other endeavors — including things like weapons or drug trafficking — that could have national security implications.

A Memex-generated map of sex trafficking.


I wrote briefly about Memex last month, as part of a post about DARPA-funded research into machine learning algorithms — including computer vision and text analysis algorithms — for extracting even more info from deep web content.

The work DARPA is doing is part of a larger effort, which also includes tech companies like Google and Palantir, to identify and map instances of human trafficking around the world. It’s one of many problems that have existed for a long time, but that the internet has made easier to engage in. However, these efforts and others also show how the internet is making it easier for law-enforcement agencies to track and prosecute these crimes, provided the right analytical techniques are in place.

The 60 Minutes segment also featured DARPA innovation head Dan Kaufman, who spoke about web security at our Structure conference last June.

http://youtu.be/VXnFNd9WAAk

NSA surveillance blowback could hit marketers

The revelation that the NSA piggybacks on commercial cookies to track individuals’ web habits could spread the economic fallout from the spying disclosures much more widely, by drawing attention to the very thin and fuzzy line separating commercial and government surveillance.