On Tom Cotton

Apple is a distinctive company that has improved the lives of millions of Americans. But Tim Cook omitted critical facts about data encryption on 60 Minutes last night. He claimed that Apple does not comply with lawful subpoenas because it cannot. While it may be true that Apple doesn’t have access to encrypted data, that’s only because it designed its messaging service that way. As a society, we don’t allow phone companies to design their systems to avoid lawful, court-ordered searches. If we apply a different legal standard to companies like Apple, Google, and Facebook, we can expect them to become the preferred messaging services of child pornographers, drug traffickers, and terrorists alike—which neither these companies nor law enforcement want. Our society needs to address this urgent challenge now before more lives are lost or shattered.
— Tom Cotton

That was the recent statement by Tom Cotton (R-AR) in response to Tim Cook’s segment on 60 Minutes.  As usual, Tom Cotton doesn’t really know what the hell he’s talking about, so let’s take a deeper look:

  • “[Tim Cook] claimed that Apple does not comply with lawful subpoenas because it cannot.” 

Apple can, and does, comply with lawful court orders (even those from the contentious Foreign Intelligence Surveillance Court which allows Apple little judicial protection against sweeping requests), when it can.  When can it do this?  Any time data is stored in Apple’s iCloud.  What’s stored in the iCloud?  Quite a bit:  Contacts, e-mails, pictures (if enabled), voicemail, MMS, app data, device settings, health data, ring tones, and app settings.

  • “While it may be true that Apple doesn’t have access to encrypted data, that’s only because it designed its messaging service that way.” 

This is technically true for basic functions (calls and SMS – which can be skimmed through PRISM anyways), but the advanced functions (e-mail, contacts, pictures (if enabled), voicemail, MMS, app data, device settings, health data, ring tones, and app settings) end up in iCloud by default.

  • “If we apply a different legal standard to companies like Apple, Google, and Facebook, we can expect them to become the preferred messaging services of child pornographers, drug traffickers, and terrorists alike—which neither these companies nor law enforcement want.”

Well, this just isn’t true.  Encryption methods on iPhones or Androids aren’t the primary encryption methods for nefarious activities.  I’m not involved in any nefarious activities, but working in security it’s fairly easy to deduce the methods used:

1.      Obfuscation:  The Dark Web.  Nefarious things don’t happen on easily skimmed websites or highly insecure public networks like AT&T or Sprint.

2.      Mesh Networking:  We learned in The Malware Business Model that the primary method for malware delivery is decentralization because it gives them redundancy, load sharing, and a host of proxies to obfuscate and share the data.

3.      Proxy Networks:  The Onion Router (TOR) is a good example of this, and while this is encryption (that is used for good and evil), it is by and large a complex proxy network.  The ability to make a packet travel around the world makes analysis of where the packet originated a little more difficult, especially when you’re fighting competing jurisdictions during every step.

Let’s recognize this statement for what it is:  More partisan hyperbole by Cotton to appeal to the lowest common denominator of his voter base.  It’s the same nonsense that led him to piss all over official diplomacy law (e.g. only POTUS and Secretary of State) and write an open letter to Iran; simply put, Cotton plays fast and loose with the facts to promote whatever rhetoric he deems appropriate at the time. 

But let’s give Cotton some credit: maybe this is just an abrupt and misguided statement from someone with just enough technology background to sound silly. Let’s rewind a bit:  Immediately after the Paris terrorist attacks in November, Cotton released this statement:

The terrorist attacks in Paris last week are a terrible reminder of the threats we face every day. And it made clear that the President’s empty policy of tough talk and little action isn’t working against ISIS. Regrettably, these policy follies also extend to the Intelligence Community, whose hands were tied by the passage of the USA FREEDOM ACT. This legislation…takes us from a constitutional, legal, and proven NSA collection architecture to an untested, hypothetical one that will be less effective. And this transition will occur less than two weeks from today, at a time when our threat level is incredibly high.
— Tom Cotton

 

Cotton willfully ignores that the USA FREEDOM ACT was passed in June to curtail the National Security Agency’s bulk metadata collection program (PRISM), which a federal appeals court had recently ruled unconstitutional. Setting aside Cotton’s individual ideology, describing the USA FREEDOM ACT as something that removed “constitutional, legal, and proven collection architecture” is highly suspect.  While the proven efficacy of the collection methods is hotly debated (and outside the scope of this post), the legality of this was clearly decided by the federal appellate court; its constitutional viability is summarily proven through the same court ruling until overturned by a higher court.

Combine this rhetoric with the earlier statement and his deliberate attempt to sandbag Iran relations, and his rhetoric is clearly warhawkish.  But, let’s be honest, rhetoric is pretty toxic on both sides of the fence:  Is Cotton really voting based on this rhetoric?  Well, let’s take a look (with/against party designations here):

Immediately there’s a trend with the things Cotton votes on:  They contain “Security” or “Protect” in the title almost exclusively, but that analysis is pretty shallow.  What’s striking, in my opinion, is when Cotton finds himself voting against the party.  These things also tend to have a trend.

  • Against Res. 719 – TSA Office of Inspection Accountability
  • Against Res. 61 – Hire More Heroes
  • Against Res. 2048 – USA Freedom Act

Similarly, the bills he co-sponsors have a trend:

  • Condemning and Disapproving of the Failure of the Obama Administration to Comply with the Lawful Statutory Requirement to Notify Congress before Transferring Individuals Detained at [Guantanamo Bay] and Expressing Concern About the National Security Risks Over the Transfer of Five Taliban Leaders and the Repercussions of Negotiating with Terrorists.
  • A Joint Resolution Providing for Congressional Disapproval Under Chapter 8 of Title 5, United States Code, of a Rule Submitted by the Environmental Protection Agency Relating to "Standards of Performance for Greenhouse Gas Emissions from New, Modified, and Reconstructed Stationary Sources: Electric Utility Generating Units"
  • A Bill to Approve the Keystone XL Pipeline
  • Keep Your Health Plan Act of 2013
  • Keep the IRS Off Your Health Care Act of 2013
  • No Taxpayer Funding for Abortion Act
  • Regulations From the Executive in Need of Scrutiny Act of 2013
  • Eliminates the 2013 Statutory Pay Adjustment for Federal Employees

I’m not going to delve into each individual act – who has the time to write about all of that? – but the overwhelming trend is that Tom Cotton votes with the Republican Party 92% of the time; when he votes differently than the Republican Party, it is typically to err on the side of more conservatism.  His co-sponsored bills are alarmingly (a) critical of the Obama administration, (b) against EPA resolutions, and (c) against affordable health care.

Taken individually, none of these things (rhetoric, criticism of Obama, or voting record) are alarming, but when taken in aggregate it is clear that Tom Cotton’s far more right than Arkansas voters probably anticipated. When Cotton says that the NSA bulk collection methods were constitutional, he genuinely believes that the appellate court decision does not matter.  When he states that encryption on iOS devices enables criminals and threatens Americans, he genuinely believes that nonsense.  It is, unfortunately, up to American voters to elect senators who are technologically savvy enough to see through this emagerhd encryption paranoia and let the facts speak for themselves:  dismantling public encryption will harm more law-abiding Americans than criminals.  Furthermore, it is the burden of every educated American voter to look past the rhetoric of each political pundit and determine where their motives lie.

When we look at Cotton’s anti-encryption rhetoric in the framework of his voting record, it is clear that Tom Cotton is pushing the same surveillance state nonsense that many Republicans - and a few Democrats (Clinton among them) - have been pushing over the last several years.  Where Cotton distances himself from his other pro-Orwellian colleagues on both sides of the aisle is in his complete disregard for judicial precedent and his overwhelming disdain for the actions of the Executive Branch.  Apparently, in the eyes of this congressional freshman:  If it goes against Tom Cotton, it's bad for America.