Encryption; Friend of Freedom, Guardian of Privacy

The issue of government access to private encrypted data has been in the public eye since the San Bernardino shootings in December, 2015. When an iPhone was found the FBI requested that Apple write code to override the phone’s security features. The FBI was ultimately able to decrypt the phone without Apple’s assistance. However, the ensuing debate over encryption has just begun.

High profile criminal and national security issues serve to shed light on an issue which is pervasive throughout the country. Local governments presumably have thousands of devices they would like to decrypt for investigatory purposes as New York City alone has hundreds. Seeking a resolution and remembering the horrific terror attacks of September 11, 2001 New York State Assembly Bill A8093A is in committee and seeks to outlaw the sale of phones in the state which have encryption not by passable to law enforcement.

Encryption allows for the safe keeping and targeting dissemination of private thoughts and information without worry off judgment, retaliation or mistreatment. On a grander scale encryption prevents unchecked government oversight. It can be argued that encryption technology is a hedge against current and future totalitarian regimes. With a history of occupation and abuse of power it is no surprise that Germany and France are not pushing for encryption backdoors.

Backdoors in encrypted devises and software provide another avenue for unwelcome parties to gain access. Hackers are often intelligent, well-funded and act on their own, in groups and most harmfully with foreign entities. Holes have a way of being found and master keys have a way of being lost.

Senators Richard Burr and Diane Feinstein are undoubtedly well intended with their draft law entitled the Compliance with Court Orders Act of 2016. The act calls for providers of communication services including software publishers to decrypt data when served with a court order. The data would have to be provided in an intelligible format or alternatively technical assistance for its retrieval. Prosecutors have a need to gather evidence. Governments have a duty to prevent crime and acts of terror.

However, experts question the feasibility of building backdoors into all types of encryption as it comes in many forms and from a host of global providers. Further, there is concern that the measure, if adopted, will backfire as the targeting of backdoors by our adversaries is assured. Cyberwar in the form of illicit data collection, theft of trade secrets and access to infrastructure is all too common and may escalate as tensions rise between adversaries. Ransomware and cyber extortion have been spreading, most recently at hospitals, and the knowledge of the existence of backdoors will motivate those who seek unseemly profits.

Efforts to prosecute the accused, fight crime and terror are noble causes. However, government should be wise in the approach lest we weaken our shared defenses in the process. The big corporate names of Silicon Valley recognize the dangers of backdoors and are speaking out and lobbying against Senator Burr and Feinstein’s efforts. The draft legislation does ensure that the monetary cost of decrypting is paid to the, “covered entity.” However, the costs to society at large remain up for discussion.

U.S.Defense Secretary Ashton Cater Doesn’t Believe in Encryption Backdoors

Featured

U.S.Defense Secretary Ashton Cater Doesn't Believe in Encryption Backdoors

Secretary of Defense Ashton Carter came out against supporting encryption back-doors at a conference panel on Wednesday.

At the RSA information security conference in San Francisco, Carter told a packed room that he supported strong encryption and thought back-door access to encrypted communication as unrealistic. During his talk on the Apple vs. FBI case, which he shied away from the details because it is a “law enforcement issue,” Carter received scattered applause from the crowd of security professionals after he said he supports strong encryption.

“I think first of all that for the Department of Defense, data security including encryption is absolutely essential to us. We are for strong encryption,” Carter says. “I’m not a believer in backdoors or a single technical approach. I don’t think it’s realistic.”

Carter joined Attorney General Loretta Lynch in supporting encryption at the RSA Conference this week. In a stage interview with Bloomberg at the Moscone Center on Tuesday, Lynch called for “a middle ground” between national security and privacy.

In the 50-odd minute talk with Ted Schlein, general partner for the influential venture capital firm Kleiner, Perkins, Caufield & Byers, Carter focused his talk on how to bridge the gap between the Pentagon and Silicon Valley.

Carter, who was appointed to the secretary position last February by President Barack Obama, spoke about two initiatives in particular: the Defense Innovation Unit-Experimental (DIUx) and the Defense Innovation Advisory Board. Both serve to make the department more agile and tech-savvy in the age of cyberwarfare with competitors like Russia and China, Carter says.

“DIUX is a place to connect. It is down the road [from Silicon Valley]. I’ve given it a very open charter,” Carter says. “We need to be very hawkish on the idea of reform.”

Earlier on Wednesday, the Defense Department announced that former Google CEO Eric Schmidt will chair the Defense Innovation Advisory Board. “There is going to be some technical minds who come in and giving me advice to be more innovative,” Carter says. “I am so grateful to Eric Schmidt for his willingness to do this. He’s the perfect chairman for this.”

He also announced a new competition called “Hack the Pentagon” where ethical, or white hat, hackers find vulnerabilities in the Pentagon’s systems and boost the overall cybersecurity of the department. “You would rather find the vulnerabilities in your networks that way than the other way of pilfering information,” Carter says. Hackers must be American citizens, Carter added.

While the Pentagon is bolstering its defenses in protecting its own data, it is also aggressively attacking ISIS, Carter says. Similar to the radio-jamming tactics during the Cold War, the Pentagon has been disrupting the terrorist group’s online channels of communications. “We will and must defeat ISIL. I’m looking for all the ways to accelerate that,” Carter says. “We are using cyber to disrupt communication and doubt the reliability of the comm. Now that enemies use cyber, that’s another way to shut them down.”

Encryption May Hurt Surveillance, but Internet Of Things Could Open New Doors

Featured

Tech companies and privacy advocates have been in a stalemate with government officials over how encrypted communication affects the ability of federal investigators to monitor terrorists and other criminals. A new study by Harvard’s Berkman Center for Internet and Society convened experts from all sides to put the issue in context.

The report concluded that information from some apps and devices like smartphones may be harder for government investigators to intercept because of stronger encryption. But, it said, we are connecting so many more things to the Internet (light bulbs, door locks, watches, toasters) that they could create new surveillance channels.

Encryption May Hurt Surveillance, But Internet Of Things Could Open New Doors

The encryption debate has reheated recently following the attacks in Paris and to some extent San Bernardino, Calif., with CIA and FBI officials warning about their investigation channels “going dark” because of the stronger encryption placed on communications tools like WhatsApp or FaceTime.

(The distinction is this: With things like emails, Web searches, photos or social network posts, information typically gets encrypted on your phone or laptop and then decrypted and stored on a big corporate data server, where law enforcement officials have the technical and legal ability to get access to the content, for instance, with a subpoena. But with messages that are encrypted end-to-end, data gets encrypted on one device and only gets decrypted when it reaches the recipient’s device, making it inaccessible even with a subpoena.)

The agencies have asked for “back doors” into these technologies, though the Obama administration cooled off its push for related legislation late last year over concerns that such security loopholes would also attract hackers and other governments.

But the Harvard report (which was funded by the Hewlett Foundation) argues that “going dark” is a faulty metaphor for the surveillance of the future, thanks to the raft of new technologies that are and likely will remain unencrypted — all the Web-connected home appliances and consumer electronics that sometimes get dubbed the Internet of Things.

Some of the ways the data used to be accessed will undoubtedly become unavailable to investigators, says Jonathan Zittrain, a Harvard professor who was one of the authors. “But the overall landscape is getting brighter and brighter as there are so many more paths by which to achieve surveillance,” he says.

“If you have data flowing or at rest somewhere and it’s held by somebody that can be under the jurisdiction of not just one but multiple governments, those governments at some point or another are going to get around to asking for the data,” he says.

The study team is notable for including technical experts and civil liberties advocates alongside current and former National Security Agency, Defense Department and Justice Department officials. Another chief author was Matthew Olsen, former director of the National Counterterrorism Center and NSA general counsel.

Though not all 14 core members had to agree to every word of the report, they had to approve of the thrust of its findings — with the exception of current NSA officials John DeLong and Anne Neuberger, whose jobs prevented them from signing onto the report (and Zittrain says nothing should be inferred about their views).

The results of the report are a bit ironic: It tries to close one can of worms (the debate over encryption hurting surveillance) but opens another one (the concerns about privacy in the future of Internet-connected everything).

“When you look at it over the long term,” says Zittrain, “with the breadth of ways in which stuff that used to be ephemeral is now becoming digital and stored, the opportunities for surveillance are quite bright, possibly even worryingly so.”

Tech big guns confront U.K. parliament on backdoors, encryption

Featured

A group of high tech corporate powerhouses has gathered together to protest a law proposed by the U.K. government that would allow an array of legal and intelligence agencies the ability to access computer data through backdoors and decryption.

Facebook, Google, Microsoft, Twitter and Yahoo submitted a letter, dated December 21, 2015, to the parliamentary committee charged with reviewing the Investigatory Powers Bill saying it would have a negative impact on both the nation’s citizenry and the corporation’s customers.

“We believe the best way for countries to promote the security and privacy interests of their citizens, while also respecting the sovereignty of other nations, is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent. These principles reflect the perspective of global companies that offer borderless technologies to billions of people around the globe. The actions the U.K. Government takes here could have far reaching implications – for our customers, for your own citizens, and for the future of the global technology industry,” the companies wrote.

The five companies belong to a larger group, the two-year-old Reform Government Surveillance (RGS) coalition that is fighting similar legislation in the United States. The RGS website lists Apple, AOL, Dropbox, Evernote and LinkedIn as members, but these names were not included in the U.K. letter.

The group spelled out its misgivings stating the implementation of such a policy could undermine consumer trust of their products, a fear that any legislation passed by the U.K. could be duplicated in another country and making it difficult for companies to understand what is legal and what is not.

“An increasingly chaotic international legal system will leave companies in the impossible position of deciding whose laws to violate and could fuel data localization efforts,” the companies said.

The letter also strongly rejected any use of backdoors, forced decryption or any other technological method allowing government agencies to enter their products.

“The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” the group wrote.

RGS itself in May 2105 wrote to the U.S. Senate encouraging it to pass the USA Freedom Act. However, it has not yet, as a group, confronted American legislators on the issues of encryption and backdoors.

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Featured

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic.

In a joint written submission to the U.K. Parliament the three U.S.-based companies lay down several areas of concern, which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.

The companies say they don’t want the U.K. to impose restrictions and apply them to foreign service providers such as themselves because, if other countries followed suit, it would lead to a morass of laws impossible to navigate. “Conflicts of laws create an increasingly chaotic legal environment for providers, restricting the free flow of information and leaving private companies to decide whose laws to violate,” the submission says.

They staunchly support encryption without backdoors. “The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” they write. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”

Despite what the U.K.’s Home Secretary Theresa May has said about not seeking encryption backdoors, they want it in writing. “We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”

The Parliament is considering bills that would give government agencies access to communications across service provider networks with proper legal authorization, which would affect Microsoft, Google and Facebook, all of which operate globally and face compliance with laws in many countries.

As the U.K. is considering such laws, the Netherlands have rejected forcing providers to break encryption on demand. In the U.S., Congress has held hearings in which members say they will propose legislation to require providing cleartext versions of encrypted traffic when presented with a judge’s order.

The three companies ask that if the U.K. does create lawful access to encrypted communications, companies based outside the U.K. would not be required to comply if that would go against laws it has to follow in other countries.

They urge an international agreement on how the lawful-access laws of individual countries should be observed in other countries to remove ambiguities that might prevent them from complying with all of them.

The companies want to protect customer privacy by requiring notification of those whose communications are intercepted. “While it may be appropriate to withhold or delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation,” they say.

They also seek to protect data stored in the cloud the same way it is protected in private data centers. The government should go to a business if it is seeking a business’s data, just as it did before cloud services existed. “This is an area where the UK can lead the rest of the world, promoting cloud adoption, protecting law enforcement’s investigative needs, and resolving jurisdictional challenges without acting extraterritorially,” they say.

They note that the draft lacks requirements for agencies to tell the providers if they know of vulnerabilities in their networks that could be exploited, and that any authorized actions agencies take don’t introduce new vulnerabilities.

Microsoft, Google and Facebook seem concerned that agencies granted legal access to their networks might alter them lest that have a negative effect on the services they deliver over those networks. “The clearest example is the authority to engage in computer network exploitation, or equipment interference,” they say. “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider.”

The companies want protections for their executives located within the U.K. They want warrants, when they have to be served on communications companies, to be served to officers of the companies who are located at the companies’ headquarters, not to employees of the companies located in the U.K. “We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” they write. “We do not believe that the UK wants to legitimize this lawless and heavy-handed practice.”

They don’t want to be forced to create and retain data about customers that they don’t already in the normal course of business. “Some language under the retention part of the Bill suggests that a company could be required to generate data – and perhaps even reconfigure their networks or services to generate data – for the purposes of retention,” they write.

The companies think whatever judicial approvals are required to issue warrants to decrypt communications ought to apply to other U.K. orders issued to communications providers by the U.K.’s Defense Intelligence and other intelligence services. These other orders include national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants.

They want the law to narrowly define bulk collection of data so it doesn’t include all traffic on a given channel, but rather is restricted to traffic specified by specific indicators such as source and destination, for example. The law should allow only necessary and proportionate amounts of data be analyzed and retained, and the rest be destroyed, they say.

Service providers should be allowed to hire attorneys and protest warrants without running the risk of violating disclosure laws or acknowledging that they actually are subject to the law, they write.

They take exception to a single word – urgent – not being defined in drafts of the law where it says requiring decryption of communications in urgent cases. “Clarity on this term – which other countries may seek to emulate and even abuse – is important,” they say.

Netherlands opposes backdoors, but encryption still under assault

Featured

Netherlands opposes backdoors, but encryption still under assault

The Dutch government has officially declared its opposition to any restrictions on the development or use of encryption products, even as Dutch lawmakers are weighing legislation that could mandate backdoor government access to encrypted communications.

In a 4 January 2016 letter to the Dutch parliament, the head of the Ministry of Security and Justice, Ard van der Steur, explained the government’s reasons for endorsing strong encryption, which sound quite similar to those cited by technologists such as Apple’s Tim Cook, the most high-profile critic of backdoors.

According to a translation of the letter, provided by Dutch cybersecurity consultant Matthijs R. Koot, van der Steur points to the uses of encryption for protecting the privacy of citizens, securing confidential communications by government and businesses, and ensuring the security of internet commerce and banking against cybercrime.

Privacy of communications is also a protected right under the Dutch constitution, and a fundamental right protected by the European Convention on Human Rights and the Charter of Fundamental Rights of the EU, van der Steur’s letter says.

The minister acknowledges that criminals and terrorists may also use encryption, making it difficult if not impossible for law enforcement and intelligence services to monitor their communications in defense of national security and public safety.

But van der Steur also observes that encryption is widely available and requires “little technical knowledge, because encryption is often [an] integral part of the internet services that they too can use.”

But because today’s communications products and services use unbreakable encryption, demands that technology companies hand over decrypted data would essentially require weakening encryption to provide backdoors.

Van der Steur notes that any “technical doorways” [backdoors] in encryption would undermine the security of digital systems, making them “vulnerable to criminals, terrorists and foreign intelligence services.”

As fellow Naked Security writer Paul Ducklin put it in a recent article we published about the risks of deliberately weakening cryptographic systems:

[M]andatory cryptographic backdoors will leave all of us at increased risk of data compromise, possibly on a massive scale, by crooks and terrorists…

…whose illegal activities we will be able to eavesdrop and investigate only if they too comply with the law by using backdoored encryption software themselves.

Van der Steur agrees very strongly:

[Backdoors] would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.

In his conclusion, van der Steur states:

The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.

Therefore, the government believes that it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands.

A VICTORY IN THE CRYPTO WARS?

The debate over encryption backdoors goes back to the 1980s and 1990s, was revived in the past two years by law enforcement officials like FBI Director James Comey, and has intensified since the 13 November 2015 terrorist attacks in Paris.

While efforts to pass legislation in the US and UK mandating backdoors have so far been unsuccessful, some advocates fighting against backdoors are worried the Crypto Wars have gone global.

China recently passed an anti-terrorism law that compels technology companies to decrypt data upon request of the government; while in Pakistan, the government’s demand for backdoor access to BlackBerry customer data led the company to pull out of the country entirely.

Concerns over proposed surveillance legislation in the UK has led Apple to take unusually bold steps to oppose passage of the Investigatory Powers Bill.

Apple submitted a letter to the bill’s oversight committee saying language in the draft bill could force Apple to “weaken security for hundreds of millions of law-abiding customers,” in order to allow security services to eavesdrop on encrypted communications such as iMessage.

In the US, Republican Senator Richard Burr, chairman of the Senate Intelligence Committee, has indicated that he wants to propose legislation requiring companies to decrypt data at the government’s request.

Even in the Netherlands, the government’s recent pro-encryption stance is not a complete victory for opponents of backdoors.

As Koot noted on his blog, the pro-encryption policy isn’t guaranteed to remain policy in the future, and Dutch law already requires technology companies to decrypt data sought in targeted investigations.

Meanwhile, the Dutch parliament is considering updating a 2002 security and intelligence law to compel bulk decryption of communications, Koot reports.

The war over backdoors has yet to be lost or won, and it is far from over.

It’s Time to End the “Debate” on Encryption Backdoors

Featured

Yesterday, on Lawfare, FBI Director James Comey laid out his concern that the growing adoption of strong encryption technologies will frustrate law enforcement’s ability to conduct investigations — what he calls the “Going Dark” problem. The gist of Comey’s position is this: He recognizes encryption is important to security and privacy, but believes we are fast approaching an age of “universal encryption” that is in tension with the government’s investigative needs. Although he assures us he is not a “maniac,” Comey also feels it is his duty to ensure that we have a broad public debate that considers the costs as well as the benefits of widespread encryption. Comey will presumably be making the same points tomorrow afternoon at a Senate Intelligence Committee hearing where he will be the sole witness, while a broader panel of witnesses will be testifying on the same controversy tomorrow morning before the Senate Judiciary Committee.

First, credit where credit is due: James Comey is certainly not a maniac but a dedicated law enforcement official, one who has in the past put his career on the line to impose the rule of law on overreaching government surveillance. And it’s true that encryption will likely frustrate some investigations, a point I addressed directly when I testified House hearing on the subject in April. It’s also true that the FBI has so far to come up with any compelling examples of how encryption has actually stymied any investigations, and the latest wiretapping report shows that encryption is not yet a significant barrier to FBI electronic surveillance — encryption prevented law enforcement from obtaining the plaintext of communications in only four of the 3,554 criminal wiretaps authorized in 2014! Even so, it’s a given that just as ordinary citizens use encryption, so too will criminals, and that will likely pose a challenge for law enforcement in some cases.

So we are not “talking past each other” on encryption, as Comey puts it. Rather, since he first raised this issue last October, there has been an incredibly robust debate (as reflected in this massive of recent statements and writing on the subject), directly addressing the Director’s suggestion that companies should engineer their encrypted products and services to enable government surveillance. As that debate reflects, the broad consensus outside of the FBI is that the societal costs of such surveillance backdoors — or “front doors,” as Comey prefers to call them — far outweigh the benefits to law enforcement, and that strong encryption will ultimately prevent more crimes than it obscures.

Tech companies, privacy advocates, security experts, policy experts, all five members of President Obama’s handpicked Review Group on Intelligence and Communications Technologies UN human rights experts, and a majority of the House of Representatives all agree: Government-mandated backdoors are a bad idea. There are countless reasons why this is true, including: They would unavoidably weaken the security of our digital data, devices, and communications even as we are in the midst of a cybersecurity crisis; they would cost the US tech industry billions as foreign customers — including many of the criminals Comey hopes to catch — turn to more secure alternatives; and they would encourage oppressive regimes that abuse human rights to demand backdoors of their own.

Most of these arguments are not new or surprising. Indeed, it was for many of the same reasons that the US government ultimately rejected the idea of encryption backdoors in the 90s, during what are now called the “Crypto Wars.” We as a nation already had the debate that Comey is demanding — we had it 20 years ago! — and the arguments against backdoors have only become stronger and more numerous with time. Most notably, the 21st century has turned out to be a “Golden Age for Surveillance” for the government. Even with the proliferation of encryption, law enforcement has access to much more information than ever before: access to cellphone location information about where we are and where we’ve been, metadata about who we communicate with and when, and vast databases of emails and pictures and more in the cloud. So, the purported law enforcement need is even less compelling than it was in the 90s. Meanwhile, the security implications of trying to mandate backdoors throughout the vast ecosystem of digital communications services have only gotten more dire in the intervening years, as laid out in an exhaustive new report issued just this morning by over a dozen heavy-hitting security experts.

Yesterday, Comey conceded that after a meaningful debate, it may be that we as a people decide that the benefits of widespread encryption outweigh the costs and that there’s no sensible, technically feasible way to guarantee government access to encrypted data. But the fact is that we had that debate 20 years ago, and we’ve been having it again for nearly a year. We are not talking past each other; a wide range of advocates, industry stakeholders, policymakers, and experts has been speaking directly to Comey’s arguments since last fall. Hopefully he will soon start listening, rather than dooming us to repeat the mistakes of the past and dragging us into another round of Crypto Wars.

We have already had the debate that Comey says he wants. All that’s left is for him to admit that he’s lost.