Sunday, 1 September 2024

The FBI's Exaggerated Claims of Going Dark: A Closer Look


The FBI has often claimed that its ability to fight crime is being hampered by "going dark", a term used to describe the challenges law enforcement faces when encrypted communications prevent it from accessing crucial evidence. According to former FBI Director James Comey, quoted on page 5 of the House Homeland Security Committee report "Going Dark, Going Forward: A Primer on the Encryption Debate", “Going Dark” refers to the phenomenon in which law enforcement personnel have the “legal authority to intercept and access communications and information pursuant to court order,” but “lack the technical ability to do so.”

While encryption is an important tool for protecting privacy, the FBI's assertions of going dark have been criticized as exaggerated.

The FBI argues that encryption impedes investigations into serious criminal activities, from terrorism to child exploitation. They suggest that tech companies' refusal to create backdoors for law enforcement is creating a significant barrier to solving these crimes. This stance has fueled public debates and legislative efforts to mandate decryption capabilities.

However, critics argue that the FBI's claims are overstated. For one, there's little evidence that encryption has directly prevented major investigations. Many cases have been solved without requiring direct access to encrypted communications. One such case is the recent indictment of Seth Herrera for transportation, receiving and possession of child pornography.

According to Nate Anderson, who writes for Ars Technica:

“I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with "tens of thousands of videos and images" depicting CSAM (child sexual abuse material), all of it hidden behind a secrecy-focused, password-protected app called "Calculator Photo Vault." Nor have I seen anyone arrested for CSAM having used all of the following:
Potato Chat ("Use the most advanced encryption technology to ensure information security.")
Enigma ("The server only stores the encrypted message, and only the users client can decrypt it.")
nandbox [presumably the Messenger app] ("Free Secured Calls & Messages.")
Telegram ("To this day, we have disclosed 0 bytes of user data to third parties, including governments.")
TOR ("Browse Privately. Explore Freely.")
Mega NZ ("We use zero-knowledge encryption.")
Web-based generative AI tools/chatbots”

The indictment did not state in detail exactly how Seth’s criminal activities were discovered. However, according to the indictment, Seth’s criminal conduct was finally uncovered after he tried to access a link containing apparent CSAM. This link described CSAM depicting prepubescent minor females around the same age as Seth’s young daughter.

Anderson also observed that: “Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much.”

Despite Seth’s use of encrypted messaging applications such as Potato Chat, Enigma, nandbox, and Telegram, he was still found out by law enforcement, presumably using a honeypot file or web-based redirect that logged his IP address and any other relevant information when he clicked on it.

Seth’s indictment therefore shows that, in spite of criminals' use of encrypted messaging applications, there are still many other ways of unearthing their criminal activities without breaking encryption. The “going dark” claim by the FBI can thus be said to be an exaggeration of the true state of affairs.

Also, the prosecution being cagey in the indictment about exactly how the alleged criminal acts of Seth were discovered reminds me of the Nigerian Police Force, which, when announcing the arrest of some notorious criminals, would simply say they acted on "credible intelligence". They would rarely disclose the details of how and what was done that led to the arrest with the use of credible intelligence.

The going dark debate highlights a broader tension between national security and individual privacy. While it's crucial to support law enforcement in their efforts to combat crime, it's equally important to consider the potential risks of compromising encryption standards. Balancing these needs requires careful consideration and a nuanced approach to both technology and security policy.

Tuesday, 18 June 2024

UNITY BANK SUED FOR UNAUTHORIZED DEBIT OF N324,000

Tersugh Wuese Nelson, a customer of Unity Bank, has filed a lawsuit against the bank, alleging unauthorized debits to the tune of N324,000 from his account. On Saturday, August 26, 2023, Tersugh woke up and discovered 12 debit transactions on his account through email notifications. These debit transactions occurred in quick succession, with 10 of them happening within two minutes on Friday, August 25, 2023, at about 11:51pm, while the other two happened at about 2:49am on Saturday 26th August, 2023.

Upon discovering the debits, Tersugh immediately emailed the bank, stating that he did not initiate or authorize the transactions. After several email exchanges, Unity Bank informed him in October 2023 that their investigation revealed the disputed transactions were web-based, conducted using his ATM card details (PAN, PIN, expiry date, and CVV) via the Flutterwave platform as detailed below: 

The bank stated that the transactions were authenticated using Tersugh's ATM card PIN, which only he knew, and that their review of the card activity logs did not indicate any PIN tries or changes prior to the transactions. This, the bank argued, indicated that the person conducting the transactions knew Tersugh's PIN. Unity Bank further claimed that they had reached out to Flutterwave for a possible refund, but Flutterwave declined, stating that the value was given to the cardholder.

Consequently, the bank concluded that, in accordance with CBN regulations on liability shift regarding card and PIN usage, it was not liable for the unauthorized transactions, as Tersugh's ATM card details and PIN were used to validate the transactions.

Rejecting the bank's findings, Tersugh has filed a case at the High Court of Justice in Makurdi, Benue State (Case No.: MHC/215/2024: Tersugh Wuese Nelson v. Unity Bank Plc.). He alleges that the bank was negligent in protecting his funds by failing to implement behavioral monitoring systems and robust fraud monitoring tools to detect and block suspicious transactions in real time, as required by CBN regulations.

Tersugh is requesting that the court order Unity Bank to refund the N324,000 debited from his account without authorization. Additionally, he is demanding N10 million in damages from the bank.