Government Forced Tech Companies To Hand Over Source Code and Private Keys
Unlike the very public fight between the FBI and Apple, the U.S. Government has made many quiet attempts to force tech companies to turn over source code and private encryption keys.
In some cases, this was done via civil cases sealed by the court, but in other cases, it was done via a secret order from a secret court that in many cases, the CEO or Board of the company can not be told about.
According to ZDNet, their source has “direct knowledge” but can’t be named as the information revealed is likely classified.
The source said that the tech companies are losing their cases in the FISA court “most of the time”.
The Justice Department did admit that they have demanded source code and private encryption keys before, so that seems to validate what the source told the media.
One very public case was that of Lavabit who decided to shut down their service and erase their disks rather than turn over the information.
The spokesman for the Justice Department declined to answer the question about whether they would demand source code and encryption keys in the future.
While I doubt the Justice Department would give that source code or keys to a rival, it is certainly possible that the code could be hacked. After all, sensitive information in government custody has been hacked on numerous occasions.
Depending on how the encryption is implemented, revealing the keys MAY allow the government to decrypt information captured in the past. There are ways to mitigate that, but most companies don’t use them. Many companies, such as Google and Microsoft, among others, want to be able to decrypt your data so that they can serve up better ads for you.
The Justice Department might use that source code to create a fake honey pot web site to lure in a suspect or they might use it to look for security holes in order to obtain information. It is unlikely that the government would tell that company if they did find any security holes.
While most of the tech companies contacted by ZDNet refused to comment, Cisco did say that they have not and will not hand over source code to any customers, especially governments.
IBM said that the company does not provide source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data (emphasis added). IBM would not say if source code had been handed over to the government for any other reason.
Apple said in court recently that it has never revealed its iOS source code to any government. I am not sure what that means about Os X. That document was related to a concern that Apple had agreed to security checks from China, including turning over source code.
FISA Court orders are so secretive that only those people necessary to execute the order may be told about it and that may not include the C-Suite or the Board.
Documents leaked by Edward Snowden certainly indicate that companies seem to cooperate with the feds in placing backdoors in their code and then go “Oh, My!” when the backdoors are discovered.
Depending on your level of paranoia, you will need to make your own decisions regarding protecting yourself, but I would certainly suggest that if the vendor has the encryption key, it is likely that they would turn it over to the government if asked. Whether they would do the same for foreign governments is less clear, but certainly of concern.
Information for this post came from ZDNet.