As government and technology companies square up once again over encryption, Tom Fox-Brewster reports from the frontline of the Cryptowars’ second coming.
Privacy is dead and we all need to deal with it. That statement was a shibboleth of those who would directly benefit from saying it, according to Jon Callas, world-renowned cryptographer and co-founder of secure smartphone maker Blackphone. It’s simply not true, he adds.
Who would benefit from a world with no privacy? Intelligence agencies and companies that trade people’s data without affected individuals knowing are two obvious examples. But the tide is turning against them. The rise of cheap and widespread encryption across the web and internet-enabled communications has, in fact, pointed to a world where online privacy might be ubiquitous.
Watershed Moment
When historians look back at 2014, they’ll likely see it as the year when this movement gained proper momentum. Just recently, WhatsApp added end-to-end encryption to its massively popular messaging service thanks to a collaboration with Open Whisper Systems, which had already created the much-respected TextSecure and RedPhone apps for private communications. Companies like Silent Circle and Blackphone have pushed on, trying to create financially viable businesses with their encrypted comms offerings. Much-used content delivery network CloudFlare decided to enable Secure Sockets Layer (SSL) web encryption across the sites it served, whilst notable tech experts like Chris Soghoian have been pushing for SSL across every website on the planet. Apple and Google, meanwhile, announced their respective mobile operating systems would encrypt users’ data by default.
It was the actions of those two tech giants that irked law enforcement in America the most, however. FBI director James Comey told media he was concerned that Apple and Google were marketing a technology that would “allow people to place themselves beyond the law.” Added to the Edward Snowden documents that revealed various attempts by US and UK intelligence agencies to break much-used cryptography, Comey’s comments made it apparent that certain corners of government were willing to fight against widespread encryption. Privacy advocates the world over looked on dumbfounded. They felt it was a sign: Cryptowars 2.0 had begun.
Going Underground
The original Cryptowars, according to the account of Ross Anderson, professor of security engineering at the University of Cambridge, lasted roughly from 1993 till 2000. President Clinton was persuaded by the National Security Agency (NSA) to try to grab everyone’s encryption keys, says Anderson: “We all fought back, from NGOs to Microsoft, and the policy was abandoned while Al Gore was trying to get elected. We thought we’d won, but it just went underground, as Snowden told us.”
He points to one Snowden revelation in particular, the NSA decryption program known as BULLRUN, which has been covertly compromising cryptography in various ways. For starters, the NSA had spent at least $250 million on influencing companies’ technical designs to try to ensure it could crack their protections, while GCHQ had explored ways to get access to Hotmail, Google, Yahoo and Facebook traffic. The NSA had also set up a ten-year program solely designed to crack encryption.
But the tech industry’s response hasn’t been to bow down to intelligence agencies. Instead, it has only bolstered encryption, hence the rush to push out end-to-end protected systems. And what they’re doing is wholly legal, which leaves law enforcement with one of the toughest questions it has ever had to answer: how does it legally get access to data when users have total control over protections around their information?
Various countries are trying to pass access laws which would compel service firms – whether internet service providers like BT and Virgin, or internet firms like Facebook and Google – to do everything that’s demanded of them. In the UK there’s the Data Retention and Investigatory Powers Act 2014, which is heading for a judicial review after concerns were raised that the government had extended its powers to reach into foreign data centers and into webmail services such as Gmail.
But there are legal contradictions that police have to cope with and that bemuse critics of surveillance. For instance, privacy laws in the UK demand that firms should not hand over information on their own nationals to anyone outside the country, unless they have proven their ability to protect data. The Information Commissioner’s Office has been demanding properly implemented encryption from private and public organizations. In the US, various laws, such as the Sarbanes-Oxley Act, require decent data protection. So on the one hand, governments are demanding encryption, whilst on the other they want easy access to data. As Callas notes: “There is no such thing as ‘Government.’”
The Rise and Rise of Encryption
With such apparent paradoxes and with various forces fighting their corners, how might the second Cryptowars be settled? The cryptographers certainly won’t be backing down. Callas, who was also involved in the Dark Mail bid to create highly secure email, says crypto designers have to create systems that “actually work; they have to be effective.” It’s their raison d’être. “We’re in the job of protecting people’s communications because there are gazillions of people who have the right to talk to people,” Callas adds. “They have business needs and personal needs and I believe they have a fundamental human right to defend themselves.”
The tech companies will continue to improve encryption too, partly as part of a PR campaign in response to the Snowden leaks, but also because they are keen to place control of data into the hands of users so they don’t have to make decisions on whether to work alongside governments. The technology itself will distance them from intelligence agencies as it’ll prevent them accessing any data directly, though there are still some weaknesses that could allow them to access users’ communications.
From a technical perspective, though they will likely continue to break encryption, intelligence agencies don’t have to spend all their resources subverting cryptography. They could seek, and have sought, to get to data before it’s encrypted.
“It’s easier, for example, to wait until a message has arrived and is decrypted by the recipient in order to read it rather than try to decode the message yourself. Don’t think Bletchley Park, where messages were plucked out of the ether and decrypted; think of the technology you use in front of you being subverted to read your communications,” says Professor Alan Woodward, a security expert and a visiting professor of the Department of Computing at the University of Surrey. It’s believed GCHQ infected Belgian telecoms giant Belgacom with the Regin malware partly because it wanted to get at communications before they were turned into completely garbled nonsense.
The Long Arm of the Law
Law enforcement still has certain laws on its side if it does want to break encryption, even if they’re limited. The UK Regulation of Investigatory Powers Act does allow law enforcement to demand that a suspect decrypts anything that has been seized, though it might be tricky to get certain sticklers to comply. In the US, citizens have claimed their Fifth Amendment rights, which protect against unfair treatment in legal processes, when such demands were made.
As subverting technologies becomes increasingly difficult and citizens can either flout the law or use it to their advantage, governments will likely have to rethink their strategy. Anderson wants to end the Cryptowars 2.0 early with a new treaty about law enforcement wiretapping that would let police forces in signatory states get access to communications data and content in other signatory states, with a number of safeguards. These would include judicial warrants, where an independent person has assessed the case and found probable cause for further investigation, rather than relying on a minister or intelligence agent to make the call.
There also needs to be transparency, including the eventual disclosure of all warrants after a fixed period of time, or when the suspect is charged or case dropped, says Anderson. There should also be jurisdiction, so that countries have to go through another’s legal system if they want to get at data outside of their borders, he adds.
These are sensible suggestions, but some see no end to the back and forth between tech companies and global governments.
“These Cryptowars are probably un-winnable by either side, if there are actually any clear ‘sides’ in this debate – the battleground just continues to move around,” says Professor Keith Martin, director of the Information Security Group at Royal Holloway.
Wherever individuals stand on the issue, they should remember not to place all their faith in encryption to protect their privacy. Just look at the many SSL weaknesses that received so much press last year, from the Heartbleed vulnerability to the Poodle flaw.
“It is certainly the case that there are more encryption products and services around. However, it is important to realize that encryption has its limitations. It is very good at making data unreadable while it is stored and/or communicated across a channel. But when that data is actually used, it normally needs to be decrypted and then exists in a readable state. Thus, use of encryption certainly makes it harder to access data – but it does not make it impossible to access,” concludes Martin.
This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users