Here we go again... UK Prime Minister urges nerds to come up with magic crypto backdoors
Broken security? More like broken record
Posted in Security, 25th January 2018 22:31 GMT
UK Prime Minister Theresa May has reiterated calls for a special magic version of encryption to be developed by technologists so law enforcement can access everyone's communications on demand – and somehow engineer it so that no one else can abuse this backdoor.
Speaking at the World Economic Forum (WEF) in Davos, Switzerland, May today talked extensively about the benefits and dangers of technology (quick version: tech in business: good; tech in society: bad) and returned again to the issue of extremist content swirling around platforms like Facebook, arguing that more rules and laws were needed.
As part of that push, however, May ended up repeating the same message that politicians in both the US and UK have been pushing for over a year: that tech companies have to find a way to flip mathematics itself for the convenience of security services.
"We need cross-industry responses because smaller platforms can quickly become home to criminals and terrorists, " May said, even picking on a minor player in the market – Telegram, an encrypted messaging app. "We have seen that happen with Telegram. And we need to see more co-operation from smaller platforms like this."
She then threatened to use her pulpit to apply social pressure: "No-one wants to be known as 'the terrorists’ platform' or the first choice app for paedophiles."
At the heart of the issue is software using truly end-to-end encryption – where not even the biz that developed the app is able to read messages sent between users. Governments fear that such applications will be used by extremists to plot attacks on Western targets without tipping off the intelligence agencies. Similarly, devices these days use tough filesystem encryption so not even the manufacturer can decrypt the data on demand without the password or passcode.
However, as technologists have consistently pointed out, there is no mathematical way to introduce a backdoor in a system to allow access to one particular group that cannot also be discovered and accessed by a different group. Whatever mechanism the Feds can use, hackers and criminals can potentially eventually use, too.
Just as May reiterated her own calls when she was UK Home Secretary and her current Home Secretary Amber Rudd who has also insisted on government agents being given access to people's private encrypted messages, so the issue has again reared its head on the other side of the Atlantic.
Reminder: Spies, cops don't need to crack WhatsApp. They'll just hack your smartphoneREAD MORE
New FBI director Christopher Wray gave a speech earlier this month in which he outlined his views on encryption. And it was more of the same.
Companies "should be able to design devices that both provide data security and permit lawful access with a court order," he argued. And, reiterating the exact same wording of his predecessor, Wray also swore that he was "not looking for a backdoor."
But when he went on to describe what he did want – "the ability to access the device once we've obtained a warrant from an independent judge" – it was pretty much indistinguishable from a backdoor.
In another go around the roundabout, Wray's comments sparked a letter [PDF] today from Senator Ron Wyden (D-OR) in which the US lawmaker lambasted the g-man for "parroting the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers."
"I would like to learn more about how you arrived at and justify this ill-informed policy proposal," wrote Wyden. "Please provide me with a list of the cryptographers with whom you’ve personally discussed this topic ... and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity."
Don't hold your breath, Ron.
The insistence by political leaders and prosecutors that there is a way to both have a backdoor and not have a backdoor has been put forward so frequently that experts have even come up with a term to summarize it: magical thinking.
Faced with the magical thinking argument, those who want exclusive access to people's communications and documents regardless have come up with their own pat response: passive-aggressive flattery.
It was there in spades in May's speech this week: "These companies have some of the best brains in the world. They must focus their brightest and best on meeting these fundamental social responsibilities."
So what are politicians hoping to achieve by maintaining an impasse: refusing to acknowledge the logical argument against putting a backdoor into encryption while jamming their foot in the door by claiming that the "best brains" can come up with a solution?
In all likelihood, they are waiting on a change in public mood.
The reason that fully encrypted apps exist – and are even made available by huge, consumer-focused companies like Apple and Facebook – is because of public fury over mass surveillance revealed by former NSA techie Edward Snowden back in 2013.
When it became clear that the US and UK governments (among others) were tapping everyone's communications through a "gather it all" philosophy, a huge market opened up for people who want to be able to communicate in private without the sense that the government was keeping an eye on everything they said.
Downloads of privacy protecting apps like Signal and WhatsApp rocketed – even among ordinary folk – giving those developers a far greater profile and allowing them to edge toward the critical tipping point where so many of your friends and family already have the same app that there is little or no barrier to using it as a default.
Crimefighters, snoops, and politicians who rely on intelligence gathered on citizens to make critical decisions are not willing to accept this rise of strong personal encryption as the new status quo. And so they are waiting for the public mood to turn – which, unfortunately, will likely come when a major terrorist attack kicks off and governments can point to the use of encrypted apps as a critical factor for why the assault wasn't thwarted earlier.
Even though Theresa May has taken a strong stance on the issue of extremist content online, even threatening new laws, she did not suggest in Davos that companies be legally restricted from offering heavy duty encryption. Instead, she sought to pressure corporations and programmers to voluntarily introduce backdoors into their systems.
And there is good reason for that: because a law limiting encryption would be very unlikely to pass Parliamentary scrutiny. Electronic encryption is an increasingly important aspect of our modern digital lives. Business and government rely heavily on it to keep their own communications private, as well as keep customers' and citizens' personal information out of the hands of crooks hackers.
And so we have the ludicrous situation of encryption Groundhog Day where the same things are said and done over and over again, each day the same.
The question is: when and how will the edifice crack? Governments and their intelligence services clearly feel at the moment that time will act in their favor and they will soon be able to return to a situation where they can access our private information readily and easily.
And they may be right: tech giants are only responding aggressively when they are put under direct pressure – such as when the FBI tried to force Apple's hand over the iPhone of San Bernardino shooter Syed Farook.
Despite those companies claiming philosophical opposition to granting governments blanket access to their users' private information, everyone knows that it only takes a change of mind from top management for them to devise face-saving measures and communications strategies to flip their position. Meanwhile, these organizations regularly cough up personal information on individual suspects to the cops and Feds because the law requires it.
"Protecting all of us against a few", "For the Greater Good" – you can almost predict the lines the chief executives will take while switching on backdoors to mass surveillance. Assuming, that is, they tell their customers at all (here's betting Apple won't). All it takes is a perceived shift in public opinion. And as time fades, and fury over Snowden's revelations dies down, that may well happen.
Just look at the reauthorization of America's Section 702 spying program – which stores vast amounts on US citizens despite claiming not to – earlier this month. A minority of lawmakers opposed it and fought hard for more safeguards, but the sad truth is that the program was reauthorized for another six years because not enough Americans were incensed enough to call their congressfolk about the issue.
Likewise in the UK, the government has already attempted to write in encryption-busting rules into law. But recognizing how unpopular that was going to be, it did so entirely in secret – at least until someone leaked the proposal.
It may be worth looking at the alternative. Let's assume that the status quo does hold and neither government pressure nor future terrorist attacks are sufficient to undermine public opinion over encryption and privacy. What does that look like?
Well, the biggest and hardest shift would have to be within the Establishment. The security services would have to let go of their favorite tools – keyword searching of vast databases of people's chatter. Or at least rely on them far less.
That is going to be a difficult mindset to shift, especially since it has been building and solidifying for a number of decades. In order to fill in the intelligence gaps, law enforcement and the security services would have to hire many more people who specialize in on-the-ground intelligence gathering. And that is both complex and time-consuming.
There would have to be a greater focus on metadata – which is information about people's messages, such as the time a text is sent and to whom, as opposed to the actual encrypted content. Metadata already provides a heck of a lot of intelligence – it reveals networks of associates, for example – but it's not quite the same as searching and reading actual texts and emails.
Unable to intercept messages or defeat filesystem cryptography, spies would also have to hack more and more suspected criminals and terrorists' phones and other devices to obtain information that is encrypted in transit and at rest. That's also complex, time-consuming, and risky.
There is good reason why intelligence services across the globe have shifted away from these complex and laborious operations in favor of armchair blanket snooping. Aside from being cheaper, it is also easier: you can read or listen first-hand to what a target says or types. It is also faster: no need to embed agents within evil organizations over months, slowly building trust, or develop exploits to hack computers and handhelds – just tap the network traffic and you're golden. Unless, of course, that traffic is end-to-end encrypted.
Simply put, electronic surveillance is extremely useful for figuring out what those who would seek to cause harm to a country are up to. And the security services are not going to give it up – or even one aspect of it – until they have no other choice.
And while the head of the FBI and the prime minister of the United Kingdom can be relied upon to maintain an encryption impasse, that's the position the intelligence services will maintain. Watch and wait. It's what they do. ®