Riana Pfefferkorn is the Cryptography Fellow at the Stanford Center for Internet and Society. Her work, made possible through funding from the Stanford Cyber Initiative, focuses on investigating and analyzing the U.S. government's policy and practices for forcing decryption and/or influencing crypto-related design of online platforms and services, devices, and products, both via technical means and through the courts and legislatures. Riana also researches the benefits and detriments of strong encryption on free expression, political engagement, economic development, and other public interests.
Prior to joining Stanford, Riana was an associate in the Internet Strategy & Litigation group at the law firm of Wilson Sonsini Goodrich & Rosati, where she worked on litigation and counseling matters involving online privacy, Internet intermediary liability, consumer protection, copyright, trademark, and trade secrets and was actively involved in the firm's pro bono program. Before that, Riana clerked for the Honorable Bruce J. McGiverin of the U.S. District Court for the District of Puerto Rico. She also interned during law school for the Honorable Stephen Reinhardt of the U.S. Court of Appeals for the Ninth Circuit. Riana earned her law degree from the University of Washington School of Law and her undergraduate degree from Whitman College.
High Res Photo of Riana Pfefferkorn
Today, CIS is publishing a whitepaper called “Security Risks of Government Hacking.” Also called “equipment interference” or “lawful hacking,” government hacking allows investigators to exploit hardware and software vulnerabilities to gain remote access to target computers. We hope our new publication will make a valuable contribution to policy discussions about this important topic.
On August 19, the CRYPTO 2018 conference on cryptographic research hosted a one-day workshop in Santa Barbara called “Encryption and Surveillance.” The goal of the workshop was to “examine how encryption and related technologies pose both challenges and opportunities for surveillance and reform of surveillance.” I was fortunate to be able to attend this workshop, listen to the panelists’ presentations, and observe the intelligent discussion between speakers and attendees about the topics at hand.
Earlier this month, the Department of Justice’s “Cyber-Digital Task Force” released a report “assess[ing] the Department’s work in the cyber area.” The report, which runs over 150 pages, covers a broad range of topics. Among these, in the “Looking Ahead” chapter, is “Going Dark”: DOJ’s name for a constellation of issues that render the government “unable to obtain critical information in an intelligible and usable form (or at all),” primarily encryption (and default encryption in particular).
In the upcoming version of the Apple iPhone iOS operating system, iOS 12, the phone’s Lightning cable port (used for charging and data transmission) will be disabled an hour after the phone is locked. The device will still charge, but transferring data to or from the device via the Lightning cable will require entering the device’s password first.
Arguing that if the court should not compel Apple to create software to enable unlocking and search of the San Bernardino shooter’s iPhone, it will jeopardize digital and personal security more generally.
Abstract: As the use of encryption and other privacy-enhancing technologies has increased, government officials in the United States have sought ways to ensure law enforcement’s capability to access communications and other data in plaintext. One of those methods is government hacking, also called “equipment interference.” Government hacking allows investigators to exploit hardware and software vulnerabilities to gain remote access to target computers.
Apple recently confirmed the introduction of a new feature called “USB Restricted Mode” in the latest version of the iPhone’s mobile operating system, iOS 12. If enabled in the user’s settings, USB Restricted Mode will disable data transfer from the iPhone over the Lightning cable once the phone has been locked for an hour unless the phone’s password is entered.
Included in this PDF are:
- Petitioners' Notice of Motion and Motion for Leave to file Motion for Reconsideration
- Exhibit A Petitioners' [Proposed] Notice of Motion and Motion for Reconsideration of the May 1, 2018 Order
- Declaration of Jennifer Stisa Granick in Support of Petitioners' Motion for Leave to File a Motion for Reconsideration
- [Proposed] Order Granting Petitioners' Motion for Leave to File Motion for Reconsideration Pursuant to Local Rule 7-9.
Which would you prefer: keeping your valuables in a locked safe, or keeping them in a shoebox and trusting that everyone will adhere to laws against theft and their concomitant penalties? Most, if not all, of us will choose the former. That’s so even if we realize that safe-crackers may ultimately find a way someday to bust open even the most top-of-the-line safe currently on offer.
"“She wouldn't outright say, ‘Yes, I want a backdoor,’ yet she voiced support for the idea of providers keeping the keys to decrypt data,” Riana Pfefferkorn, cryptography fellow at Stanford Center for Internet and Society, told me. “None of that really suggests to me that she's going to be better on ‘going dark’ or on surveillance and government access more generally.”"
"The encryption push may be harder now that the public knows about law enforcement's errors. “DOJ has had years to 'collect accurate metrics' on encryption's impact on investigations on prosecutions, but the only number it has ever provided to the public is the one the DOJ had to admit was inaccurate,” said Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society. “If they're serious about this, they should release those metrics once they have them, plus info about how they arrived at those numbers.”"
"Even if authorized by a warrant, the dissemination of vulnerable devices could create a risk of significant harm. Riana Pfefferkorn, a cryptography fellow at Stanford Law School’s Center for Internet and Society, told Human Rights Watch it would be “frightening to use a wiretap order to authorize seeding compromised devices among people.” She suggested that anyone who might accept such a tactic when the targets are suspected drug traffickers should consider a hypothetical scenario in which agents secretly gave such non-secure devices to “journalists or activists.”"
"Riana Pfefferkorn, a cryptography fellow at the Stanford Law School’s Center for Internet and Society, said FlexiSPY is “kind of an app version of a wire.” Wiretaps are the traditional monitoring tool used by law enforcement after obtaining a warrant signed by a judge.
“It can be done quickly, but it’s not something that can be done remotely,” Pfefferkorn said. “That raises the question for me of whether this was a U.S. law enforcement agency that installed this on Chapo’s phone, if it was his phone.”"
"“There's nothing preventing an Apple employee from doing the exact same thing in a world where there's mandatory key escrow for exceptional access to smartphones,” said Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. “Once the deed is done by an insider, then what was supposed to be a tool only for the ‘good guys’ is out there for the ‘bad guys’ as well.”"
Widespread availability of advanced encryption technology has improved security for consumers and businesses. But as digital products and services have become more secure, some in the law enforcement and intelligence communities have voiced concerns that encryption inhibits their ability to prevent terrorism and prosecute crimes. For example, the Department of Justice is exploring a potential legal mandate requiring companies to design their technologies to allow law enforcement to access consumer data during criminal investigations.
When you give sites and services information about yourself, where does it go? Who else will get hold of it, and what will they use it for? The recent revelations about Cambridge Analytica's acquisition of data about tens of millions of Facebook users without their knowledge or consent have prompted renewed interest in how data about us gets shared, sold, used, and misused -- well beyond what we ever expected. Join us for a SLATA/CIS lunchtime conversation with three experts from Stanford’s Center for Internet and Society as we discuss the legal and policy implications of the Cambridge Analytica scandal and responses from Congress and courts. How can we prevent this from happening again? What new problems might we create through poorly-crafted legal responses?
CIS Cryptography Fellow Riana Pfefferkorn will be speaking on a panel on "Cryptography and Ethics"at the 2018 Cybersecurity Law Symposium. Leading experts from academia and industry will discuss the legal and policy issues that arise from the latest developments in cybersecurity. This event is open to the public, but registration is required.
Cryptography Fellow Riana Pfefferkorn will be speaking at the 2018 InfoSec Southwest.
Encryption shields private information from malicious eavesdroppers. After years of slow adoption, encryption is finally becoming widespread in consumer-oriented electronic devices and communications services. Consumer-oriented encryption software is now more user-friendly, and much of it turns on encryption by default. These advances enhance privacy and security for millions of people.
Cryptography Fellow Riana Pfefferkorn was a guest on the WashingTech Policy Podcast with Joseph Miller.
"While the battle against encryption has been going on within federal law enforcement circles (dubbed "going dark") since at least the early 1990s, Rosenstein has now called for "responsible encryption."