The Crypto War Is Obsolete
- July 12, 2015
- Clayton Rice, K.C.
On June 29, 2015, Britain’s Prime Minister David Cameron caught the public ear again by claiming that the Bogeyman is lurking somewhere on the Internet. Mr. Cameron said that the privacy policies of companies such as Google, Facebook and Twitter are “unsustainable” and that security services must be able to “get to the bottom” of online communications: “We have always been able, on the authority of the home secretary, to sign a warrant and intercept a phone call, a mobile phone call or other media communications, but the question we must ask ourselves is whether, as technology develops, we are content to leave a safe space – a new means of communication – for terrorists to communicate with each other.” (See: Adam Bienkov. David Cameron: Twitter and Facebook privacy is unsustainable. Home Affairs. June 30, 2015)
In the wake of the recent tragedy in Tunisia, Mr. Cameron went on to advocate a ban on encryption to “ensure that terrorists do not have a safe space in which to communicate.” We have been down this road with Mr. Cameron before when he advocated clamping down on secure communications that could not be decrypted by law enforcement after the Charlie Hebdo shootings in Paris. His latest tirade prompted the following response from Bruce Schneier of the Berkman Center at Harvard Law School in an interview titled Bruce Schneier: David Cameron’s proposed encryption ban would ‘destroy the internet’ reported by Rob Price in Business Insider UK on July 6, 2015:
“My immediate reaction was disbelief, followed by confusion and despair. When I first read about Cameron’s remarks, I was convinced he had no idea what he was really proposing. The idea is so preposterous that it was hard to imagine it being seriously suggested. But while Cameron might not understand what he’s saying, surely he has advisers that do. Maybe he didn’t listen to them. Maybe they aren’t capable of telling him that what he’s saying doesn’t make sense. I don’t understand UK politics sufficiently well to know what is going on in the background. I don’t know anything about Cameron’s tech background. But the only possible explanation is that he didn’t realize the full extent of what he was saying. Then I wondered why he would even wish for such a thing? Does he realize that this is the sort of thing that only authoritarian governments do? Again, my knowledge of the UK is limited, but I assume they are a free country that champions liberty.”
Mr. Cameron, however, is not alone among the Five Eyes nations. In the United States, Admiral Michael S. Rogers, the Director of the National Security Agency, has proposed a requirement that technology companies create a digital key to unlock encrypted data but that the key be divided into pieces and secured so that no one person or government agency could use it alone. The tantalizing question is: Who gets the pieces? The answer might stretch the dystopian imagination of George Miller in a new screenplay for Mad Max: Fury Road II.
So the stage was set for the U.S. Senate Judiciary Committee and Senate Intelligence Committee hearings on July 8, 2015, and the anticipated appearances of FBI Director James Comey and Deputy Attorney General Sally Quillian Yates. But then, BOOM! An elite group of security technologists released a major paper asserting that the American and British governments cannot demand access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger. The paper is titled: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ron Rivest, Jeff Schiller, Bruce Schneier, Michael Specter and Danny Weitzner. Mr. Schneier posted an abstract on July 9, 2015, titled The Risks of Mandating Backdoors in Encryption Products on his blog: Schneier on Security. It is worth reading:
- Abstract: Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of law enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provisions of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
In an article titled Security Experts Oppose Government Access to Encrypted Communication reported in The New York Times edition of July 7, 2015, Nicole Perlroth described the paper as a “formidable salvo” in a skirmish between intelligence and law enforcement leaders on the one side, and technologists and privacy advocates on the other. Ms. Perlroth continued: “In the paper, the authors emphasized that the stakes involved in encryption are much higher now than in their 1997 analysis. In the 1990s, the Internet era was just beginning – the 1997 report is littered with references to ‘electronic mail’ and ‘facsimile communications,’ which are now quaint communications methods. Today, the government’s plans could affect the technology used to lock data from financial and medical institutions, and poke a hole in mobile devices and countless other critical systems that are moving rapidly online, including pipelines, nuclear facilities and the power grid.”
Also on July 7, 2015, with the congressional hearings imminent, Kevin Bankston, the Director of New America’s Open Technology Institute, in a blogpost titled It’s Time to End the “Debate” on Encryption Backdoors, entered the fray:
“Yesterday, on Lawfare, FBI Director James Comey laid out his concern that the growing adoption of strong encryption technologies will frustrate law enforcement’s ability to conduct investigations – what he calls the ‘Going Dark’ problem. The gist of Comey’s position is this: He recognizes encryption is important to security and privacy, but believes we are fast approaching an age of ‘universal encryption’ that is in tension with the government’s investigative needs. Although he assures us he is not a ‘maniac’, Comey also feels it is his duty to ensure that we have a broad public debate that considers the costs as well as the benefits of widespread encryption.
Tech companies, privacy advocates, security experts, policy experts, all five members of President Obama’s handpicked Review Group on Intelligence and Communications Technologies, UN human rights experts, and a majority of the House of Representatives all agree: Government-mandated backdoors are a bad idea. There are countless reasons why this is true, including: They would unavoidably weaken the security of our digital data, devices, and communications even as we are in the midst of a cybersecurity crisis; they would cost the US tech industry billions as foreign customers – including many of the criminals Comey hopes to catch – turn to more secure alternatives; and they would encourage oppressive regimes that abuse human rights to demand backdoors of their own.”
Mr. Bankston called into question Mr. Comey’s warnings that encryption would lead to law enforcement “Going Dark” against threats: “…[T]he latest wiretapping report shows that encryption is not yet a significant barrier to FBI electronic surveillance – encryption prevented law enforcement from obtaining the plaintext of communications in only four of the 3,554 criminal wiretaps authorized in 2014!” Mr. Bankstrom is right. I reviewed the most recent wiretap reports in my post on this blog titled Wiretap Reports: Canada and the United States dated July 6, 2015.
In an article titled Security gurus deliver coup de grace to US govt’s encryption backdoor demands published by The Register on July 8, 2015, Iain Thompson also highlighted the response of the technologists to the encryption key proposal: “Nowadays the entire e-commerce system relies on encryption, so does much of the mobile telephony industry and corporate systems. Introducing flaws would cause more harm than good…and would cripple US businesses, since who wants to buy technology with a back door? The paper also points out that there are massive technical challenges in instituting an encryption key escrow service, such as the one suggested by the director of the FBI, James Comey. Such a system would lock the industry into a specific crypto system and poses a major question – who holds the master decryption key?”
It appears that Mr. Comey may have relented in the face of technological reality during his twin appearances before the Senate’s judiciary and intelligence committees on July 8, 2015. In an article titled FBI chief wants ‘backdoor access’ to encrypted communications to fight ISIS published in The Guardian edition dated July 8, 2015, Spencer Ackerman reported:
“Since October, following Apple’s decision to bolster its mobile-device security, Comey has called for a ‘debate’ about inserting ‘back doors’ – or ‘front doors’, as he prefers to call them – into encryption software, warning that ‘encryption threatens to lead us all to a very, very dark place’. But Comey and deputy attorney general Sally Quillian Yates testified that they do not at the moment envision proposing legislation to mandate surreptitious or backdoor access to law enforcement. Both said they did not wish the government to itself hold user encryption keys and preferred to ‘engage’ communications providers for access, though technicians have stated that what Comey and Yates seek is fundamentally incompatible with end-to-end encryption. Comey, who is not a software engineer, said his response to that was: ‘Really?’
In advance of Comey’s testimony, several of the world’s leading cryptographers, alarmed by the return of a battle they thought won during the 1990s ‘Crypto Wars’, rejected the effort as pernicious from a security perspective and technologically illiterate. A paper they released on Tuesday, called ‘Keys Under Doormats’, said the transatlantic effort to insert backdoors into encryption was ‘unworkable in practice, raise[s] enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm’. Asked by Feinstein if the experts had a point, Comey said: ‘Maybe. If that’s the case, I guess we’re stuck’.”
Mr. Bankstrom concluded his blogpost of July 7, 2015, with a plea that the current round of Crypto War is obsolete: “Yesterday [July 6, 2015, on Lawfare] Comey conceded that after a meaningful debate, it may be that we as a people decide that the benefits of widespread encryption outweigh the costs and that there’s no sensible, technically feasible way to guarantee government access to encrypted data. But the fact is that we had that debate 20 years ago, and we’ve been having it again for nearly a year. We are not talking past each other; a wide range of advocates, industry stakeholders, policymakers, and experts has been speaking directly to Comey’s arguments since last fall. Hopefully he will soon start listening, rather that dooming us to repeat the mistakes of the past and dragging us into another round of Crypto Wars.”
The necessity of encryption in the post-Snowden era is universal. Every individual requires it to protect his or her domain of personal autonomy. Journalists use it to protect sources and curb self-censorship. Lawyers require it to protect privileged communications with clients. Human rights activists rely on it to foster relationships of trust and confidence in carrying out their vital work. Dissidents living under repressive regimes where an email or text might land them in prison cannot communicate without it. As Edward Snowden said in 2013: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” And, as Mr. Schneier said in a recent post on Schneier on Security titled Why We Encrypt dated June 23, 2015: “Encryption protects our data. It protects our data when its sitting on our computers and in data centres, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.”
It seems that Mr. Comey may be listening. Now, someone tell Mr. Cameron: “The ban on encryption left the building. Ahem, through the back door.”