Sure, encrypt your email – while your shiny IoT toothbrush spies on you
Harvard's internet arm frets about gizmo security
Analysis The increasingly noisy debate over encryption is nothing to worry about, eggheads at Harvard have announced today: it's your toothbrush you need to worry about.
In a 37-page paper titled Don't Panic: Making Progress on the 'Going Dark' Debate [PDF], a team from the Berkman Center has summarized discussions between themselves, security experts, and a number of unnamed people from the US intelligence community.
The goal of the discussions was to bridge the gap that has opened up between law enforcement and politicians – who have been asking for backdoors in software products and access to encrypted information – and tech companies and security bods, who have been arguing that strong encryption is critical for our digital future.
The end result is a very readable summary of the current situation with respect to encryption and why the FBI feels end-to-end encryption is a danger. Ultimately though, beyond producing a useful article for Wikipedia, the paper boils down to two things:
- The Feds shouldn't worry too much about encryption because it's not in tech companies' financial interests to provide it, and
- Whatever evidence is lost from the end-to-end encryption of, say, text messages will be more than made up for by the expansion of Internet of Things products that have horrible security.
The first point: "First, many companies' business models rely on access to user data. Second, products are increasingly being offered as services, and architectures have become more centralized through cloud computing and data centers."
So because it's not in companies' interests to do so, they won't create truly secure end-to-end encryption for everything. Which means eavesdroppers will still, somewhere along the line, have access to sensitive stuff like encryption keys: law enforcement can get a court order (or otherwise pressure the corporation) to hand over the necessary information or cough up the know-how to successfully wiretap internet-connected gadgets.
The paper notes two additional elements in favor of this argument: one, fully secure encryption is technically complex and can have a performance hit on low-end devices; and two, the ecosystem of electronic devices is so broad that it is a pain to introduce a system that will provide trustworthy end-to-end encryption.
We can see you
As to the second, scarier point: the internet of things super-surveillance net.
The paper has this to say: "The Internet of Things promises a new frontier for networking objects, machines, and environments in ways that we are just beginning to understand. When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be. These forces are on a trajectory towards a future with more opportunities for surveillance."
The paper uses recent examples, including the Samsung TV, the listening Barbie dolls, and Amazon's Echo. It also makes reference to an interesting case back in 2001 when the FBI tried to get a car company to use its roadside assistance service to record conversations in a vehicle. The company took the matter to the US Court of Appeals, which shot the FBI's case down but, according to the Berkman Center, not on surveillance grounds. By extension, it says that it is possible your car could act as a bug against you so long as your car's security features aren't impacted.
For some reason, however, the paper doesn't then point to the high-profile recent cases of cars being hacked.
It's not just cars though: "Appliances and products ranging from televisions and toasters to bed sheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables are being packed with sensors and wireless connectivity."
The argument is that this wealth of devices is going to provide intelligence services with the ability to track and listen in to people far beyond what they can do now. Hence: let's not worry about encryption – your kitchens and bathrooms are being bugged anyway.