Tech firms fight anti-encryption demands after Paris murders
If the US govt wants iMessages, well, tough
Comment Anti-encryption sentiment among politicians is rising following the Paris terror attacks, but Silicon Valley firms are so far resisting attempts to weaken crypto systems to allow easier access to private communications for law enforcement and intel agencies.
WhatsApp on Android and Apple's iMessage (as well as other applications) provide end-to-end encryption, which means that encryption keys are held on devices and not by the firms providing the services.
Hence, they are unable to hand over private crypto keys even if presented with a court order, a set-up roundly criticised by politicians including Prime Minister David Cameron and others, even before last Friday’s attacks.
Politicians have upped the rhetoric in the days since as pressure for a fundamental change grows.
American senator Dianne Feinstein, who chairs the US Senate Intelligence Committee, told MSNBC: "If you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents – whether it's at a game in a stadium, in a small restaurant in Paris, take down an airline – that is a big problem.”
An opinion column in the New York Times, authored by Manhattan's district attorney and the City of London Police's commissioner, argued that "encryption blocks justice". The piece, which logs law enforcement’s frustration with encryption technologies, was first published in August.
Previously, tech firms might have been won over by such pleas. However, the Snowden leaks about the lengths intel agencies are prepared to go to in developing mass surveillance capabilities (AKA bulk interception) have forced technology firms to push back, partly as a way of restoring user confidence that products and services are worthy of their trust.
Technology developers also argue strongly against granting backdoor access to data or communications, claiming it creates a security weakness that third parties (foreign government and criminals) might be able to exploit, as well as creating a logistical nightmare.
Faced with a user backlash over apparent cooperation with the US government, technology companies were desperate to show they could be trusted. Apple, in particular, has been bullish about encryption.
"If the government laid a subpoena to get iMessages, we can't provide it," Apple boss Tim Cook told US public broadcaster PBS last year. "It's encrypted and we don't have a key.”
Enterprise encryption providers are sticking to this stance even in the wake of recent terrorist attacks in Beirut, Lebanon and Paris.
“The events in Beirut and Paris have revived calls for increased surveillance and weakened encryption as the means to prevent another atrocity,” said Pravin Kothari, founder and chief exec of CipherCloud. “Renewed calls for government shared encryption keys are emerging in the US. In the UK, some advocate expediting the passage of the Investigatory Powers Bill [IPB], which mandates cloud providers to remove encryption to make data accessible.”
Kothari argued interfering with commercial encryption products and services would be both counterproductive and ineffective.
“Diluting commercial encryption won’t prevent the bad guys from using their own proprietary encryption and won’t make us safer,” Kothari argued. “Weakening the technology that companies use to protect average users misses the mark. Nor will enacting the IPB better protect the homeland as many of its monitoring provisions already exist in France following Charlie Hebdo.”
It’s not yet clear if terrorists used encrypted comms in commissioning the Paris attack, with some early reports suggesting the group used SMS messaging and other suggesting encrypted apps played a part.
Encryption policy in any case shouldn’t turn on whether the Paris attackers were using crypto, some independent security experts argue.
“Paris attackers probably used encryption [and the] Snowden revelations probably helped those attackers,” said Rob Graham of Errata Security in a Twitter update. “None of this says we should install crypto backdoors, or employ mass surveillance of the population,” he added. ®