China hacked Verizon, AT&T and Lumen using the FBI’s backdoor
On OCTOBER 23 at 7PM, I'll be in DECATUR, presenting my novel THE BEZZLE at EAGLE EYE BOOKS.
State-affiliated Chinese hackers penetrated AT&T, Verizon, Lumen and others; they entered their networks and spent months intercepting US traffic – from individuals, firms, government officials, etc – and they did it all without having to exploit any code vulnerabilities. Instead, they used the back door that the FBI requires every carrier to furnish:
In 1994, Bill Clinton signed CALEA into law. The Communications Assistance for Law Enforcement Act requires every US telecommunications network to be designed around facilitating access to law-enforcement wiretaps. Prior to CALEA, telecoms operators were often at pains to design their networks to resist infiltration and interception. Even if a telco didn't go that far, they were at the very least indifferent to the needs of law enforcement, and attuned instead to building efficient, robust networks.
Predictably, CALEA met stiff opposition from powerful telecoms companies as it worked its way through Congress, but the Clinton administration bought them off with hundreds of millions of dollars in subsidies to acquire wiretap-facilitation technologies. Immediately, a new industry sprang into being; companies that promised to help the carriers hack themselves, punching back doors into their networks. The pioneers of this dirty business were overwhelmingly founded by ex-Israeli signals intelligence personnel, though they often poached senior American military and intelligence officials to serve as the face of their operations and liaise with their former colleagues in law enforcement and intelligence.
Telcos weren't the only opponents of CALEA, of course. Security experts – those who weren't hoping to cash in on government pork, anyways – warned that there was no way to make a back door that was only useful to the "good guys" but would keep the "bad guys" out.
These experts were – then as now – dismissed as neurotic worriers who simultaneously failed to understand the need to facilitate mass surveillance in order to keep the nation safe, and who lacked appropriate faith in American ingenuity. If we can put a man on the moon, surely we can build a security system that selectively fails when a cop needs it to, but stands up to every crook, bully, corporate snoop and foreign government. In other words: "We have faith in you! NERD HARDER!"
NERD HARDER! has been the answer ever since CALEA – and related Clinton-era initiatives, like the failed Clipper Chip program, which would have put a spy chip in every computer, and, eventually, every phone and gadget:
https://en.wikipedia.org/wiki/Clipper_chip
America may have invented NERD HARDER! but plenty of other countries have taken up the cause. The all-time champion is former Australian Prime Minister Malcolm Turnbull, who, when informed that the laws of mathematics dictate that it is impossible to make an encryption scheme that only protects good secrets and not bad ones, replied, "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia":
CALEA forced a redesign of the foundational, physical layer of the internet. Thankfully, encryption at the protocol layer – in the programs we use – partially counters this deliberately introduced brittleness in the security of all our communications. CALEA can be used to intercept your communications, but mostly what an attacker gets is "metadata" ("so-and-so sent a message of X bytes to such and such") because the data is scrambled and they can't unscramble it, because cryptography actually works, unlike back doors. Of course, that's why governments in the EU, the US, the UK and all over the world are still trying to ban working encryption, insisting that the back doors they'll install will only let the good guys in:
Any back door can be exploited by your adversaries. The Chinese-sponsored hacking group known as Salt Typhoon intercepted the communications of hundreds of millions of American residents, businesses, and institutions. From that position, they could do NSA-style metadata analysis, malware injection, and interception of unencrypted traffic. And they didn't have to hack anything, because the US government insists that all networking gear ship pre-hacked so that cops can get into it.
This isn't even the first time that CALEA back doors have been exploited by a hostile foreign power as a matter of geopolitical skullduggery. In 2004-2005, Greece's telecommunications were under mass surveillance by US spy agencies who wiretapped Greek officials, all the way up to the Prime Minister, in order to mess with the Greek Olympic bid:
This is a wild story in so many ways. For one thing, CALEA isn't law in Greece! You can totally sell working, secure networking gear in Greece, and in many other countries around the world where they have not passed a stupid CALEA-style law. However the US telecoms market is so fucking huge that all the manufacturers build CALEA back doors into their gear, no matter where it's destined for. So the US has effectively exported this deliberate insecurity to the whole planet – and used it to screw around with Olympic bids, the most penny-ante bullshit imaginable.
Now Chinese-sponsored hackers with cool names like "Salt Typhoon" are traipsing around inside US telecoms infrastructure, using the back doors the FBI insisted would be safe.
Tor Books has just published two new, free LITTLE BROTHER stories: VIGILANT, about creepy surveillance in distance education; and SPILL, about oil pipelines and indigenous landback.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Looking for something to read tonight? Try "Lawful Interception," a novella by Cory Doctorow.
A tale of Marcus Yallow, the hero of the bestselling novels Little Brother and Homeland—as he deals with the aftermath of a devastating Oakland earthquake, with the help of friends, hacker allies, and some very clever crowdsourced drones.
I'm on a 20+ city book tour for my new novel PICKS AND SHOVELS. Catch me in NYC TOMORROW (26 Feb) with JOHN HODGMAN and at PENN STATE THURSDAY (Feb 27). More tour dates here. Mail-order signed copies from LA's Diesel Books.
The UK government has just ordered Apple to secretly compromise its security for every iOS user in the world. Instead, Apple announced it will disable a vital security feature for every UK user. This is a terrible outcome, but it just might be the best one, given the circumstances:
https://www.bbc.com/news/articles/cgj54eq4vejo
So let's talk about those circumstances. In 2016, Theresa May's Conservative government passed a law called the "Investigatory Powers Act," better known as the "Snooper's Charter":
https://www.snooperscharter.co.uk/
This was a hugely controversial law for many reasons, but most prominent was that it allowed British spy agencies to order tech companies to secretly modify their software to facilitate surveillance. This is alarming in several ways. First, it's hard enough to implement an encryption system without making subtle errors that adversaries can exploit.
Tiny mistakes in encryption systems are leveraged by criminals, foreign spies, griefers, and other bad actors to steal money, lock up our businesses and governments with ransomware, take our data, our intimate images, our health records and worse. The world is already awash in cyberweapons that terrible governments and corporations use to target their adversaries, such as the NSO Group malware that the Saudis used to hack Whatsapp, which let them lure Jamal Khashoggi to his death. The stakes couldn't be higher:
Encryption protects everything from the software updates for pacemakers and anti-lock braking to population-scale financial transactions and patient records. Deliberately introducing bugs into these systems to allow spies and cops to "break" encryption when they need to is impossible, which doesn't stop governments from demanding it. Notoriously, when former Australian PM Malcolm Turnbull was told that the laws of mathematics decreed that there is no way to make encryption that only stops bad guys but lets in good guys, he replied "The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia":
The risks don't stop with bad actors leveraging new bugs introduced when the "lawful interception" back-doors are inserted. The keys that open these back-doors inevitably circulate widely within spy and police agencies, and eventually – inevitably – they leak. This is called the "keys under doormats" problem: if the police order tech companies to hide the keys to access billions of people's data under their doormats, eventually, bad guys will find them there:
Again, this isn't a theoretical risk. In 1994, Bill Clinton signed a US law called CALEA that required FBI back-doors for data switches. Most network switches in use today have CALEA back-doors and they have been widely exploited by various bad guys. Most recently, the Chinese military used CALEA backdoors to hack Verizon, AT&T and Lumen:
This is the backdrop against which the Snooper's Charter was passed. Parliament stuck its fingers in its ears, covered its eyes, and voted for the damned thing, swearing that it would never result in any of the eminently foreseeable harms they'd been warned of.
Which brings us to today. Two weeks ago, the Washington Post's Joseph Menn broke the story that Apple had received a secret order from the British government, demanding that they install a back-door in the encryption system that protects cloud backups of iOS devices:
Virtually every iOS device in the world regularly backs itself up to Apple's cloud backup service. This is very useful: if your phone or tablet is lost, stolen or damaged, you can recover your backup to a new device in a matter of minutes and get on with your day. It's also very lucrative for Apple, which charges every iOS user a few dollars every month for backup services. The dollar amount here is small, but that sum is multiplied by the very large number of Apple devices, and it rolls in every single month.
Since 2022, Apple has offered its users a feature called "Advanced Data Protection" that employs "end-to-end" encryption (E2EE) for these backups. End-to-end encryption keeps data encrypted between the sender and the receiver, so that the service provider can't see what they're saying to each other. In the case of iCloud backups, this means that while an Apple customer can decrypt their backup data when they access it in the cloud, Apple itself cannot. All Apple can see is that there is an impenetrable blob of user data on one of its servers.
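To make the distinction in the preceding paragraph concrete, here is an added illustration (not code from this post, and not Apple's implementation) of the two ways a cloud backup can be encrypted. In "provider-held key" mode the server stores the blob and a copy of the key, which is exactly the "keys under doormats" situation described above: anyone who can reach the provider, by order or by intrusion, can read every backup. In end-to-end mode the key never leaves the device and the server holds only an opaque blob. The cipher is a deliberately small, stdlib-only stand-in (an HMAC-SHA256 keystream in counter mode with a separate HMAC tag, encrypt-then-MAC); a real system would use an established AEAD. The `CloudServer` and `Device` classes and the sample backup contents are constructed for the demonstration.

```python
"""Provider-held key vs. end-to-end encrypted cloud backups (added illustration)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: concatenate HMAC-SHA256(enc_key, nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC). Toy construction, see lead-in."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or a tampered blob raises."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class CloudServer:
    """Hypothetical backup service: it always holds the blob, and sometimes the key too."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.doormat: Dict[str, bytes] = {}  # keys the provider can reach: the "doormat"

    def store(self, user: str, blob: bytes, escrow_key: Optional[bytes] = None) -> None:
        self.blobs[user] = blob
        if escrow_key is not None:
            self.doormat[user] = escrow_key

    def read_as_provider(self, user: str) -> Optional[bytes]:
        """What the provider, an access order served on it, or an intruder on its side can see."""
        key = self.doormat.get(user)
        return None if key is None else decrypt(key, self.blobs[user])


class Device:
    """Hypothetical phone; in E2EE mode its key never leaves the device."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.key = secrets.token_bytes(32)

    def backup(self, server: CloudServer, data: bytes, e2ee: bool) -> None:
        server.store(self.user, encrypt(self.key, data), escrow_key=None if e2ee else self.key)

    def restore(self, server: CloudServer) -> bytes:
        return decrypt(self.key, server.blobs[self.user])


def demo(e2ee: bool) -> Dict[str, bool]:
    """Run one backup/restore cycle and report who can read the contents."""
    server = CloudServer()
    phone = Device("alice")
    data = b"constructed sample backup: contacts, photos, health records"  # constructed input
    phone.backup(server, data, e2ee=e2ee)
    return {
        "owner_restores": phone.restore(server) == data,
        "provider_can_read": server.read_as_provider("alice") == data,
    }


def tampered_blob_is_rejected() -> bool:
    """Flip one ciphertext byte; the tag check must refuse to decrypt it."""
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, b"x" * 40))
    blob[NONCE_LEN + 3] ^= 0x01
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("end-to-end:", demo(True))          # owner can restore, provider sees only a blob
    print("provider-held key:", demo(False))  # owner can restore, and so can the provider
```

The point of the two `demo` runs is that the blob on the server is identical in both modes; the only difference is whether a copy of the key sits within the provider's reach. An order of the kind described in the post does not ask Apple to store backups differently, it asks it to put the key back on the doormat.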
2022 was very late for Apple to have added E2EE to its cloud backups. After all, in 2014, Apple customers suffered a massive iCloud breach when hackers broke into the iCloud backups of hundreds of celebrities, leaking nude photos and other private data, in a breach colloquially called "Celebgate" or "The Fappening":
Better late than never. For three years, Apple customers' backups have been encrypted, at rest, on Apple's servers, their contents fully opaque to everyone except the devices' owners. Enter His Majesty's Government, clutching the Snooper's Charter. As the eminent cryptographer Matthew Green writes, a secret order to compromise the cloud backups of British users is necessarily a secret order to compromise all users' encrypted backups:
There's no way to roll out a compromised system in the UK that differs from non-British backups without the legion of reverse-engineers and security analysts noticing that something new is happening in Britain and correctly inferring that Apple has been served with a secret "Technical Capability Notice" under the Snooper's Charter:
Even if you imagine that Apple is only being asked to target users in the U.K., the company would either need to build this capability globally, or it would need to deploy a new version or “zone” for U.K. users that would work differently from the version for, say, U.S. users. From a technical perspective, this would be tantamount to admitting that the U.K.’s version is somehow operationally distinct from the U.S. version. That would invite reverse-engineers to ask very pointed questions and the secret would almost certainly be out.
For Apple, the only winning move was not to play. Rather than breaking the security for its iCloud backups worldwide, it simply promised to turn off all security for backups in the UK. If they go through with it, every British iOS user – doctors, lawyers, small and large businesses, and individuals – will be exposed to incalculable risk from spies and criminals, both organized and petty.
For Green, this is Apple making the best of an impossible conundrum. Apple does have a long and proud history of standing up to governmental demands to compromise its users. Most notably, the FBI ordered Apple to push an encryption-removing update to its phones in 2016, to help it gain access to a device recovered from the bodies of the San Bernardino shooters:
But it's worth zooming out here for a moment and considering all the things that led up to Apple facing this demand. By design, Apple's iOS platform blocks users from installing software unless Apple approves it and lists it in the App Store. Apple uses legal protections (such as Section 1201 of the US Digital Millennium Copyright Act and Article 6 of the EUCD, which the UK adopted in 2003 through the Copyright and Related Rights Regulations) to make it a jailable offense to reverse-engineer and bypass these blocks. Apple also devotes substantial technical effort to preventing third parties from reverse-engineering its software and hardware locks. Installing software forbidden by Apple on your own iPhone is thus both illegal and very, very hard.
This means that if Apple removes an app from its App Store, its customers can no longer get that app. When Apple launched this system, they were warned – by the same cohort of experts who warned the UK government about the risks of the Snooper's Charter – that it would turn into an attractive nuisance. If a corporation has the power to compromise billions of users' devices, governments will inevitably order that corporation to do so.
Which is exactly what happened. Apple has already removed all working privacy tools for its Chinese users, purging the Chinese App Store of secure VPN apps, compromising its Chinese cloud backups, and downgrading its Airdrop file-transfer software to help the Chinese state crack down on protesters:
These are the absolutely foreseeable – and foreseen – outcomes of Apple arrogating total remote control over its customers' devices to itself. If we're going to fault Theresa May's Conservatives for refusing to heed the warnings of the risks introduced by the Snooper's Charter, we should be every bit as critical of Apple for chasing profits at the expense of billions of its customers in the face of warnings that its "curated computing" model would inevitably give rise to the Snooper's Charter and laws like it.
As Pavel Chekov famously wrote: "a phaser on the bridge in act one will always go off by act three." Apple set itself up with the power to override its customers' decisions about the devices it sells them, and then that power was abused in a hundred ways, large and small:
Of course, there are plenty of third-party apps in the App Store that allow you to make an end-to-end encrypted backup to non-Apple cloud servers, and Apple's onerous App Store payment policies mean that they get to cream off 30% of every dollar you spend with its rivals:
It's entirely possible to find an end-to-end encrypted backup provider that has no presence in the UK and can tell the UK government to fuck off with its ridiculous back-door demands. For example, Signal has repeatedly promised to pull its personnel and assets out of the UK before it would compromise its encryption:
But even if the company that provides your backup is impervious to pressure from HMG, Apple isn't. Apple has the absolute, unchallenged power to decide which apps are in its App Store. Apple has a long history of nuking privacy-preserving and privacy-enhancing apps from its App Store in response to complaints, even petty ones from rival companies like Meta:
If they're going to cave in to Zuck's demand to facilitate spying on Instagram users, do we really think they'll resist Keir Starmer's demands to remove Signal – and any other app that stands up to the Snooper's Charter – from the App Store?
It goes without saying that the "bad guys" the UK government claims it wants to target will be able to communicate in secret no matter what Apple does here. They can just use an Android phone and sideload a secure messaging app, or register an iPhone in Ireland or any other country and bring it to the UK. The only people who will be harmed by the combination of the British government's reckless disregard for security, and Apple's designs that trade the security of its users for the security of its shareholders are millions of law-abiding Britons, whose most sensitive data will be up for grabs by anyone who hacks their accounts.
THIS WEEKEND (November 8-10), I'll be in TUCSON, AZ: I'm the GUEST OF HONOR at the TUCSON SCIENCE FICTION CONVENTION.
My latest Locus Magazine column is "Hard (Sovereignty) Cases Make Bad (Internet) Law," an attempt to cut through the knots we tie ourselves in when speech and national sovereignty collide online:
This happens all the time. Indeed, the precipitating incident for my writing this column was someone commenting on the short-lived Brazilian court order blocking Twitter, opining that this was purely a matter of national sovereignty, with no speech dimension.
This is just profoundly wrong. Of course any rules about blocking a communications medium will have a free-speech dimension – how could it not? And of course any dispute relating to globe-spanning medium will have a national sovereignty dimension.
How could it not?
So if every internet fight is a speech fight and a sovereignty fight, which side should we root for? Here's my proposal: we should root for human rights.
In 2013, Edward Snowden revealed that the US government was illegally wiretapping the whole world. They were able to do this because the world is dominated by US-based tech giants and they shipped all their data stateside for processing. These tech giants secretly colluded with the NSA to help them effect this illegal surveillance (the "Prism" program) – and then the NSA stabbed them in the back by running another program ("Upstream") where they spied on the tech giants without their knowledge.
After the Snowden revelations, countries around the world enacted "data localization" rules that required any company doing business within their borders to keep their residents' data on domestic servers. Obviously, this has a human rights dimension: keeping your people's data out of the hands of US spy agencies is an important way to defend their privacy rights, which are crucial to their speech rights (you can't speak freely if you're being spied on).
So when the EU, a largely democratic bloc, enacted data localization rules, they were harnessing national sovereignty in service to human rights.
But the EU isn't the only place that enacted data-localization rules. Russia did the same thing. Once again, there's a strong national sovereignty case for doing this. Even in the 2010s, the US and Russia were hostile toward one another, and that hostility has only ramped up since. Russia didn't want its data stored on NSA-accessible servers for the same reason the USA wouldn't want all its people's data stored in GRU-accessible servers.
But Russia has a significantly poorer human rights record than either the EU or the USA (note that none of these are paragons of respect for human rights). Russia's data-localization policy was motivated by a combination of legitimate national sovereignty concerns and the illegitimate desire to conduct domestic surveillance in order to identify and harass, jail, torture and murder dissidents.
When you put it this way, it's obvious that national sovereignty is important, but not as important as human rights, and when they come into conflict, we should side with human rights over sovereignty.
Some more examples: Thailand's lèse-majesté rules prohibit criticism of their corrupt monarchy. Foreigners who help Thai people circumvent blocks on reportage of royal corruption are violating Thailand's national sovereignty, but they're upholding human rights:
Saudi law prohibits criticism of the royal family; when foreigners help Saudi women's rights activists evade these prohibitions, we violate Saudi sovereignty, but uphold human rights:
In other words, "sovereignty, yes; but human rights even more so."
Which brings me back to the precipitating incidents for the Locus column: the arrest of billionaire Telegram owner Pavel Durov in France, and the blocking of billionaire Elon Musk's Twitter in Brazil.
How do we make sense of these? Let's start with Durov. We still don't know exactly why the French government arrested him (legal systems descended from the Napoleonic Code are weird). But the arrest was at least partially motivated by a demand that Telegram conform with a French law requiring businesses to have a domestic agent to receive and act on takedown demands.
Not every takedown demand is good. When a lawyer for the Sackler family demanded that I take down criticism of his mass-murdering clients, that was illegitimate. But there is such a thing as a legitimate takedown: leaked financial information, child sex abuse material, nonconsensual pornography, true threats, etc, are all legitimate targets for takedown orders. Of course, it's not that simple. Even if we broadly agree that this stuff shouldn't be online, we don't necessarily agree whether something fits into one of these categories.
This is true even in categories with the brightest lines, like child sex abuse material:
But just because not every takedown is a just one, it doesn't follow that every takedown is unjust. The idea that companies should have domestic agents in the countries where they operate isn't necessarily oppressive. If people who sell hamburgers from a street-corner have to register a designated contact with a regulator, why not someone who operates a telecoms network with 900m global users?
Of course, requirements to have a domestic contact can also be used as a prelude to human rights abuses. Countries that insist on a domestic rep are also implicitly demanding that the company place one of its employees or agents within reach of its police-force.
Just as data localization can be a way to improve human rights (by keeping data out of the hands of another country's lawless spy agencies) or to erode them (by keeping data within reach of your own country's lawless spy agencies), so can a requirement for a local agent be a way to preserve the rule of law (by establishing a conduit for legitimate takedowns) or a way to subvert it (by giving the government hostages they can use as leverage against companies who stick up for their users' rights).
In the case of Durov and Telegram, these issues are especially muddy. Telegram bills itself as an encrypted messaging app, but that's only sort of true. Telegram does not encrypt its group-chats, and even the encryption in its person-to-person messaging facility is hard to use and of dubious quality.
This is relevant because France – among many other governments – has waged a decades-long war against encrypted messaging, which is a wholly illegitimate goal. There is no way to make an encrypted messaging tool that works against bad guys (identity thieves, stalkers, corporate and foreign spies) but not against good guys (cops with legitimate warrants). Any effort to weaken end-to-end encrypted messaging creates broad, significant danger for every user of the affected service, all over the world. What's more, bans on end-to-end encrypted messaging tools can't stand on their own – they also have to include blocks of much of the useful internet, mandatory spyware on computers and mobile devices, and even more app-store-like control over which software you can install:
So when the French state seizes Durov's person and demands that he establish the (pretty reasonable) minimum national presence needed to coordinate takedown requests, it can seem like this is a case where national sovereignty and human rights are broadly in accord.
But when you consider that Durov operates a (nominally) encrypted messaging tool that bears some resemblance to the kinds of messaging tools the French state has been trying to sabotage for decades, and continues to rail against, the human rights picture gets rather dim.
That is only slightly mitigated by the fact that Telegram's encryption is suspect, difficult to use, and not applied to the vast majority of the communications it serves. So where do we net out on this? In the Locus column, I sum things up this way:
Telegram should have a mechanism to comply with lawful takedown orders; and
those orders should respect human rights and the rule of law; and
Telegram should not backdoor its encryption, even if
the sovereign French state orders it to do so.
Sovereignty, sure, but human rights even more so.
What about Musk? As with Durov in France, the Brazilian government demanded that Musk appoint a Brazilian representative to handle official takedown requests. Despite a recent bout of democratic backsliding under the previous regime, Brazil's current government is broadly favorable to human rights. There's no indication that Brazil would use an in-country representative as a hostage, and there's nothing intrinsically wrong with requiring foreign firms doing business in your country to have domestic representatives.
Musk's response was typical: a lawless, arrogant attack on the judge who issued the blocking order, including thinly veiled incitements to violence.
The Brazilian state's response was multi-pronged. There was a national blocking order, and a threat to penalize Brazilians who used VPNs to circumvent the block. Both measures have obvious human rights implications. For one thing, the vast majority of Brazilians who use Twitter are engaged in the legitimate exercise of speech, and they were collateral damage in the dispute between Musk and Brazil.
More serious is the prohibition on VPNs, which represents a broad attack on privacy-enhancing technology with implications far beyond the Twitter matter. Worse still, a VPN ban can only be enforced with extremely invasive network surveillance and blocking orders to app stores and ISPs to restrict access to VPN tools. This is wholly disproportionate and illegitimate.
But that wasn't the only tactic the Brazilian state used. Brazilian corporate law is markedly different from US law, with fewer protections for limited liability for business owners. The Brazilian state claimed the right to fine Musk's other companies for Twitter's failure to comply with orders to nominate a domestic representative. Faced with fines against Spacex and Tesla, Musk caved.
In other words, Brazil had a legitimate national sovereignty interest in ordering Twitter to nominate a domestic agent, and they used a mix of somewhat illegitimate tactics (blocking orders), extremely illegitimate tactics (threats against VPN users) and totally legitimate tactics (fining Musk's other companies) to achieve these goals.
As I put it in the column:
Twitter should have a mechanism to comply with lawful takedown orders; and
those orders should respect human rights and the rule of law; and
banning Twitter is bad for the free speech rights of Twitter users in Brazil; and
banning VPNs is bad for all Brazilian internet users; and
it’s hard to see how a Twitter ban will be effective without bans on VPNs.
There's no such thing as an internet policy fight that isn't about national sovereignty and speech, and when the two collide, we should side with human rights over sovereignty. Sovereignty isn't a good unto itself – it's only a good to the extent that is used to promote human rights.
In other words: "Sovereignty, sure, but human rights even more so."
NEXT WEEKEND (June 7–9), I'm in AMHERST, NEW YORK to keynote the 25th Annual Media Ecology Association Convention and accept the Neil Postman Award for Career Achievement in Public Intellectual Activity.
No one was better positioned to tell the tale of the largest sting operation in world history than veteran tech reporter Joseph Cox, and tell it he did, in Dark Wire, released today:
Cox – who was one of Motherboard's star cybersecurity reporters before leaving to co-found 404 Media – has spent years on the crimephone beat, tracking vendors who sold modded phones (first Blackberries, then Android phones) to criminal syndicates with the promise that they couldn't be wiretapped by law-enforcement.
It's possible that some of these phones were secure over long timescales, but all the ones we know about are ones that law enforcement eventually caught up with, usually by capturing the company's top founders explicitly stating that the phones were sold to assist in the commission of crimes, and admitting to remote-wiping phones to obstruct law-enforcement options. It's hard to prove intent but it gets a lot easier when the criminal puts that intent into writing (that's true of tech executives, too!):
But after a particularly spectacular bust landed one of the top crimephone sales reps in the FBI's power, they got a genuinely weird idea: why not start their own crimephone company?
The plan was to build an incredibly secure, best-of-breed crimephone, one with every feature that a criminal would want to truly insulate themselves from law enforcement while still offering everything a criminal could need to plan and execute crimes.
They would tap into the network of crimephone distributors around the world, not telling them who they were truly selling for – nor that every one of these phones had a back-door that allowed law-enforcement to access every single message, photo and file.
This is the beginning of an incredible tale that is really two incredible tales. The first is the story of the FBI and its partners as they scaled up Anom, their best-of-breed crimephone business. This is a (nearly) classic startup tale, full of all-nighters, heroic battles against the odds, and the terror and exhilaration of "hockey-stick" growth.
The difference between this startup and the others we're already familiar with is obvious: the FBI and its global partners are acting under a totally different set of constraints to normal startup founders. For one thing, their true mission and identity must be kept totally secret. For another, they have to navigate the bureaucratic barriers of not one, but many governments and their courts, constitutions and procedures.
Finally, there are the stakes: while the bulk of the crimes that the FBI targets with Anom are just the usual futile war-on-drugs nonsense (albeit at a never-before seen scale), they also routinely encounter murders, kidnappings, tortures, firebombings, and other serious crimes, either in the planning phase, or after they have been committed. They have to make moment-to-moment calls about when and whether to do something about these, as each action taken based on intercepts from Anom threatens to tip the FBI's hand.
That's one of the startup stories in Cox's book. The other one is the crime startup, the one that the hapless criminal syndicates that sign up to distribute Anom devices find themselves in the middle of. They, too, are experiencing hockey-stick growth. They, too, have a fantastically lucrative tiger by the tail. And they, too, have a unique set of challenges that make this startup different from any other.
The obvious difference is that they are involved in global criminal conspiracies. They have to both grow and remain hidden. The tradecraft and skullduggery are fascinating, in the manner of any great crime procedural tale. But there's another constraint: these criminals are competing with one another to corner the market on these incredibly lucrative phones. Being part of violent, global criminal conspiracies, they don't confine themselves to the normal Silicon Valley crimes of violating antitrust law – they are engaged in all-out warfare.
These two startups are, of course, the same startup, but only one side knows it. As Cox weaves these two tales together – along with glimpses into the lives of the hapless gig-work developers in Asia who are developing and maintaining the Anom platform – we get a front seat in a series of high-speed, high-stakes near-collisions between these two groups.
And it's not always the cops who have the advantage. When an ambitious mobster figures out how to clone the "black boxes" that initialize new Anom phones, the FBI are caught flat-footed as the number of Anom devices in the hands of criminals balloons, producing a volume of intercepts that vastly exceeds their processing capacity.
Cox has been on this story for a decade, and it shows. He has impeccable sourcing and encyclopedic access to the court records and other public details that allow him to reproduce many of the most dramatic scenes in the Anom caper verbatim. This really shines in the final section of the book, when the FBI and its partners decide to roll up the company with a series of global arrests that culminate in a triumphant press-conference in which the true masters of Anom are revealed.
As a privacy and encryption advocate, there were moments in this story that made me a little uncomfortable. There are places where the FBI is chafing at the constitutional limits on its surveillance powers where we can't help but sympathize with these "good guys" going after "bad guys." But this is the FBI, a lawless, unaccountable secret police who routinely bypass those limits by secretly buying data from sleazy data-brokers, or illegally sharing data with the NSA.
The conclusion really hammers home the point that the FBI's problem isn't constitutional niceties. Despite seizing hundreds of tons of illegal drugs and arresting thousands of high-ranking criminal syndicate bosses, Anom made no difference in the drug trade. Prohibition, after all, just makes criminals more wealthy and powerful. The Anom raids were, at worst, the cost of doing business – and at best, they were a global reset that cleared the board of established actors so that other criminals could seize their turf.
But even though Anom didn't triumph over crime, Dark Wire is a triumph. The book's out today, and there will shortly be a Netflix adaptation based on it, directed by Jason Bateman:
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
The sales office to data localization pipeline for mass surveillance.
Enter American culture-war nonsense.
In Texas, they want to ban websites that explain how to get an abortion, as well as sites that ship the pills for a medication abortion. In Florida, they want to force bloggers who write about the state government to pay a fee and register with the state, prohibiting anonymous commentary about the state legislature and its actions. Florida has also required that online providers cease permitting their users to display pronouns other than the ones they were assigned at birth. Of course, online services have no way to know what pronouns any of their users were assigned at birth, so sites like Github are complying with Florida law by simply not displaying pronouns to Floridian users.
The biggest barrier to enforcing these laws is the US Constitution, which these laws assuredly violate. It’s entirely possible that a lower court will uphold these laws. It’s conceivable that an appeals court will do so as well. It’s not outside the realm of possibility that the current Supreme Court — illegitimately stacked with far-right partisan hacks lacking any shred of principle — will follow suit.
But it’s far from a sure thing. It’s not even clear whether the legislatures that passed these laws and the governors who signed them want them to be enforced. After all, if these policies do come into force, large numbers of corporations are likely to shutter their offices and move out of state (especially in Florida, an increasing economic irrelevance for any business not engaged in selling soon-to-be-drowned condos and/or shitcoins).
For these cynical political operators, having their laws overturned by “activist judges” lets them eat their cake and have it too — they don’t have to alienate the business lobby, and they get a steady supply of red meat for their cruel base, driving voter turnout and donations from frightened bigots.
National firewalls are everywhere today. Sometimes, they’re sold as turnkey solutions — by both Chinese and western firms — to poor countries with very little technical capacity of their own. Spy agencies from large, powerful countries love it when poor countries install foreign-made national firewalls, as these are key to “third-party collection” (when a spy agency taps into another spy agency’s files) and “fourth-party collection” (when a spy agency taps into another spy agency that has tapped into another spy-agency’s files).
As national firewalls proliferate, so too do enforcement nexuses. After Edward Snowden revealed that US tech giants were allowing US spy agencies to plunder their user data, the EU imposed a (perfectly reasonable) data localization regulation that required US tech companies to keep Europeans’ data on servers within the EU (this regulation remains contentious and fragile).
The EU doesn’t have a regional or national firewall, so tech giants who don’t want to comply with the regulation could simply withdraw their sales offices and engineering departments and lobbyists from the EU and ignore the rule — at least to the extent that they could convince US courts not to enforce EU judgments against them.
But the EU has other enforcement nexuses it could rely upon. It could order European banks and payment processors to block payments to tech firms that ignore the localization rule. Payment processing remains a highly regulated, concentrated industry, and even if, say, Facebook was willing to give up on 520,000,000 European consumers by retreating to the USA, it’s unlikely that Visa and Mastercard would follow suit.
Call this the “enforcement nexus” — for a government to enforce a law, it needs something to seize. Governments have broad latitude to seize things and people within their territorial borders (though this is not absolute, as I’ll discuss below).
But when it comes to conduct outside a government’s territory, enforcement depends upon the cooperation of another government — this is why so many crime dramas turn on a desperate dash for countries that don’t have extradition treaties.
Governments can project enforcement power into any territory that will allow it to seize the people or property of its adversaries. When the Argentinian government defaulted on its bonds, it failed to reckon with the fact that its US dollar holdings were stashed in the US Federal Reserve Bank in New York.
That meant that the vulture capitalists seeking to squeeze Argentina could argue their case in their home court in the USA, seeking a judgment that could be enforced domestically — that is, by seizing the Argentinian government’s assets held on US soil.