The Fog of Cryptowar (2/4)
Editor’s Note: This is page 2/4 of this extensive article. Click here to go back to the beginning.
Motives for regulating cryptography.
The quest to regulate cryptography has had several motivations during history. The earliest forms were informed solely by military needs to access the secrets of enemies. While this still plays some role, the motive for the current debate lies in the so called “Going Dark Problem”.
Since the advent of mass individual communication technologies (telegram, phone) and wide spread information processing technology, law enforcement and intelligence agencies became accustomed to interception and recovery of large amounts of incriminating data without having to invest too much man-power or risky infiltration. In parallel to the scientific, technological and digital advance in all fields of life the methods of investigation and intelligence gathering shifted from human-driven (HUMINT) to technology driven (SIGINT, ELINT, etc.) methods. This also fostered a growing disconnect between enforcement agencies and population, as well as a relative decrease of officers active in the interpersonal nuances of police work. The same is true for intelligence agencies.
This vision of police and intelligence work has been reinforced both by politics demanding more substantive information and media portraying modern investigative work as a combination of cutting edge forensics and all-knowing computers, cell phone tracking and Internet tracing. Since we live in a mass media society, these media portrayals both in news coverage and entertainment products has shaped the expectations of the population. It is quite common these days that juries put all emphasis on forensic evidence while ignoring other information, and being shocked when the forensic results are less comprehensive and clear-cut as they have come to expect from shows like CSI (Crime Scene Investigations, a cop show centered on forensic experts).
By now global, instant, widely available and cheap communication is a normal part of life, and almost everybody owns personal computing devices (PCs, laptops, tablets, smart phones, game consoles) that outperform anything that was available just a few decades ago. This technology is of course available to criminals and other targets of law enforcement and intelligence agencies, as it is to anybody else.
At the same time cryptography became widely available. Since the 1990s anybody can, with some effort, use cryptography that is practically unbreakable. Indeed, cryptographic protection has become so wide spread that it often goes unnoticed. It protects our online shopping, credit card transactions, cellphone calls, and a myriad of other applications. The modern world is unthinkable without cryptography protecting the integrity of data and allowing us to authenticate to remote systems for a host of useful purposes.
However, it was the advent of individual use of cryptography to protect the confidentiality of communication that ushered in a new time. Instead of using cryptography only in the interaction with companies and the state, cryptography is now widely used for the protection of personal computer data storage and inter-personal communication. Every major operating system today ships with tools for hard disc encryption, and a whole host of messenger services offers encryption of communication directly between the persons that want to talk with each other, without relying on the security of the provider itself. Again, criminals are amongst the many users.
Now police and intelligence agencies are increasingly confronted with communication they cannot tap anymore, and personal notes they cannot decrypt anymore. Them confiscating computers and smartphones is no longer a guarantee for gathering evidence that would stand up in court.
The situation is even worsened by the wide availability of anonymous communication tools like Tor, I2P etc. Now not just the content of communication becomes virtually inaccessible, but also the fact of who communicates with whom.
This quick and wide-spread individual use of cryptography has an increasing impact on long-cherished investigative methods, leading to more and more cases that cannot be solved or that don’t lead to convictions in court. Sources of information that were long relied upon are now “going dark”. Of course, law enforcement opposes this development. They want their work to be as easy and effective as possible. But it is also a development that receives critical attention in the public discourse. Many people are not willing to accept the laughing criminal that leaves the courthouse with a smile, simply because his computers could not be decrypted.
This is especially true when it comes to the two areas of crime that incorporate the notion of universal evil and use of cryptography like no other: Computer Aided Child Exploitation (CACE) and International Terrorism (IntT).
Cryptography has helped criminals of both kinds to cover their tracks and conceal evidence in many high profile cases. Due to the fact that both crimes are universally considered to be of the worst evil – exploiting and killing the random innocent – they fuel public outrage like nothing else. The public demands of law enforcement to prevent those crimes, and to bring the perpetrators to justice.
It is thus no wonder that the new debate about crypto regulation was initiated by law enforcement failing (for a while) to access the iPhone of the San Bernadino attackers because it was encrypted. After every major terror incident we now see law enforcement and politicians complain about information being inaccessible because of technical protections. Similarly cases of alleged child pornography consumers – who’s hard discs are so well encrypted that the court cannot rely on them for evidence and that therefor escape prosecution – repeatedly made the news.
In this context the outrage felt by many in politics, law enforcement and the public about the protections granted by cryptography is understandable, possibly even justified.
It is important to really grasp the core of what is going on here. Possibly for the first time have methods to keep evidence from law enforcement reached an universal availability and wide spread use. This is quite possibly a qualitative change of singular importance. All previous means of hiding from law enforcement were based on error prone wit or physical protections that could be overcome or fail randomly, or were simply not widely available. Effective means to oppose, or hide from law enforcement have previously been banned from personal use – like effective body armor (in many countries), guns, doors that could resist police raids, forged identification papers, face masks…
It is in light of cryptography providing effective limits to court orders and warrants, and the history of previous regulation to make law enforcement effective, that now regulation on cryptography is demanded.
The main question remaining is if and how cryptography can be regulated without causing too much collateral damage to the societal uses of cryptography.
It is necessary to stress that these positive uses exist, and are widely accepted. Even law enforcement and intelligence agencies have no interest in making cryptographic protections disappear completely, simply because they prevent a whole host of crimes every second and protect secrets of national importance against foreign spies. It could reasonably be said that everybody today loves and relies on cryptography, except for those few cases where it prevents the enforcement of law.
This must lead to the realization that the current debate since 2015 is fundamentally different from the first Crypto War in the 1990s. The goal is not, and cannot be, to snatch strong cryptography from the hands of people. Instead, the current debate is about making the secrets that cryptography protects accessible to law enforcement. This is no minute point since it deeply shapes the approach that regulators take, and it is therefor the point with which pro-crypto activists must engage. Failing to see that the goal is access to the plaintext confines arguments into a space that is neither relevant nor commonly understandable for public opinion. While it is certainly difficult to appreciate this difference from the perspective of cryptography it is nevertheless substantial – because it allows for very different technical implementations and legislative action.
Insisting that plaintext access is the same as banning strong cryptography misses the point and excludes pro-crypto activists from the debate. Instead one has to engage with cryptography in the actual technical context, including the hardware it is run on, the operating systems, networks, and current structure of service providers.
Access to plaintext is of interest for law enforcement primarily in four forms:
- Data at Rest.
This refers to data that is stored on the user’s local computer or phone. Cryptography here hinders access through device and hard disc encryption. Device encryption is by now a common feature on smartphones, and all major operating systems for personal computers include software to encrypt the local device, including full disk encryption which prevents all data except for the bootloader from being understood by anybody who does not have access to the user’s secret key or password.
- Data in Transit.
The contents of communication between two or more parties that is carried by telecommunication networks, especially the Internet. Previously wiretaps would reveal this information, but with the use of encryption a growing part of the contents of Internet communication cannot be understood by anybody that does not have access to secret keys held only by the communication partners.
- Data in Cloud.
A growing amount of data falls in between the “Data at Rest” and “Data in Transit” categories because it is stored remotely with cloud service providers. While the data is readily available to law enforcement through subpoenas and warrants, an increasing amount of data in the cloud is now encrypted. The cloud also serves as a means to transfer data between multiple parties without retransmission from the local device. Cloud data is especially valuable to law enforcement because it contains local device backups and histories/logs of many services. The contents of email accounts should be considered “Data in Cloud” as well.
- Data in Processing.
This is data currently processed by a device and located in the volatile memory or temporary files.
In security terms the data at rest is the easiest to protect, since an attacker needs physical access to the device.
Data in Transit is more readily available since it travels a number of links on the Internet – including potentially insecure wireless networks – but apart from attacks to the user’s own local network most data is not readily available to the common criminal (though law enforcement wiretaps and intelligence agencies surveillance is commonplace).
The least easy to protect data is the data in cloud. Numerous successful hacks on cloud providers and enormous data leaks every few weeks attest to that.
In all three cases encryption serves as a meaningful way to secure data against unlawful use. Personal devices are stolen frequently, wireless networks are sniffed easily, and cloud storage providers are a juicy target for any hacker.
The “Data at Rest” and “Data in Cloud” are similar from the point of cryptographic protection because both only require a single instance (the user) to have access to the key to encrypt/decrypt the data. “Data in Transit” however requires that both sender- and recipient share keys, in practice both even share a single secret key valid for a communication.
Law enforcement would like to get access to all three forms of data, and precisely to the plaintext (unencrypted) content. Access is of interest in two time variations:
- “Realtime access”.
This is the equivalent to the old wiretap. Law enforcement would like to record/listen in to communication while it happens. This applies directly only for Data in Transit. For realtime access Data in Cloud is sometimes an option if communication tools use the cloud to store conversation histories, or to access email communication.
- “Post-Fact access”.
This is equivalent to a regular search warrant. Law enforcement would like to access data stored on the local device and in the cloud. This is the current focus of the debate, where after a crime has been committed police is searching for evidence to present in court, and information that would produce new investigative leads. Furthermore law enforcement usually seeks access to communication data logs stored by providers.
Realtime access to both Data in Transit and Data in Cloud are most controversial in the debate. Both must be considered surveillance and happen without the affected person knowing about it. Post-fact access to devices in possession of a suspect is much less controversial since it is equivalent to the standard search warrant that is commonly accepted by the public.
Post-fact access to devices is also least controversial from the point of view of international investigations. It only rarely requires action within more than one jurisdiction, and time constraints usually allow for legal processes to be adhered to. This is also reflected in the fact that international standards for digital evidence collection are debated and agreed upon in various international forums – notably the EU and the G20.
For post-fact access to devices many issues of international cooperation and multi-jurisdictional applicability of law are much clearer and easier to solve than for realtime access for data in transit, or any access to data in cloud. This is of particular import for law enforcement because here the goal of investigations is usually the presentation of evidence that stands up in court.
It must be noted however that two hybrids between the time variations and storage forms exist that has no previous parallel in analog technology:
- “Realtime access to Data in Processing”.
This is of interest for capturing communication data before it is encrypted and transmitted. In essence this would constitute a tap into the local device – a “telephone bug”.
- “Realtime access to Data at Rest”.
Law enforcement might want to search a device remotely that is in the possession of a user. This differs from the case of a usual search warrant because the user would not be aware of such a search while it happens, and thus be delayed – or even prevented – from legal recourse.
Both of these methods are controversial because of their hidden nature and the necessity of remotely exploitable security bugs in the user’s device or a pre-installed backdoor. Nevertheless they are already considered, or even codified, in several jurisdictions because they prevent evidence from becoming inaccessible through encryption, or the loss/destruction of the user’s device.
A further issue with realtime remote access to a user’s local device is that it poses questions for the admissibility of evidence. The precise targeting of the device, as well as the ability of such a remote access to modify data without trace, should cast doubt on any data collected. Both errors and undetectable falsification can occur and are extremely difficult to prevent – if they can be prevented at all.
The above points mostly concern law enforcement investigations. They do not equally apply for intelligence agencies (IAs) for a couple of reasons:
- Intelligence Agencies often fall under special legal regimes. Due to the fact that they often have no direct law enforcement powers, and because they often operate outside their home jurisdiction they are imbued with special legal privileges that restrict their methods much less – amongst them not requiring previous legal codification of the methods they might want to employ.
- Thus, IAs have the ability to directly hack, steal or manipulate devices.
- IAs frequently pressure, infiltrate or hack service providers.
- IAs are far more concerned with the action of foreign hostile actors. They not only are interested in stealing the secrets of foreign governments, but also want to protect their own government and key industry against attacks by the same. This puts them in the double position of being both offensive and defensive in their activities. Globally undermining cryptography in a transparent way could potentially backfire and harm their mission.
- IAs do however try to covertly undermine cryptographic research and algorithms in such a way that the weakened products are only attackable by themselves. This is a very risky game, especially when discovered, or if the secret knowledge that is the foundation of such an asymmetric weakening becomes known.
As such intelligence agencies are not the primary actors in the cryptography regulation debate. They either choose to abstain from the topic altogether, or only partake in the debate in a rather covert way. It is also not unlikely that they might occasionally put their defensive purposes first and thus become temporary – and questionable – allies of pro-crypto activists.
No treatment of the “going dark problem” and the interests of law enforcement and intelligence is complete without highlighting a part of the debate that is all to often conveniently omitted by politician’s speeches.
The spread of digital communication – encrypted or not – has lead to a new plethora of information that is available to relevant parties already. This is the whole realm of metadata – data about data – or specifically here: Data about communications. Police and others now have access to a depths of information of who communicated with whom, when and how long, as well as location data of nearly every communication device that is powered up. The range of devices that constantly produce this kind of data is growing daily, from mobile phones to cars, power meters to TV sets.
Metadata has contributed as much to changes in law enforcement as the “going dark problem” has. New methods of investigation, often very effective, have become available. And contrary to content data, metadata lends itself to automated processing and analysis – leading to new problems like global mass surveillance.
Interestingly these new opportunities for law enforcement and intelligence, and those new threats to citizens’ privacy, do not appear in the calls for crypto regulation. We shall come back to this issue below.
Technical aspects of crypto regulation and plaintext recovery.
We shall now give an overview of means by which regulation of cryptographic applications could potentially soften the Going Dark problem. Afterwards we will look at challenges that impact all regulation attempts in this field.
Means to regulate:
Outlaw strong algorithms
The first attempt at regulation of cryptography has been the outlawing of strong cryptography and forcing users to rely on algorithms that could be broken by intelligence agencies, and potentially law enforcement. This approach is off the table today because the knowledge and processing power to attack those algorithms is, or would, be widely available. Most governments, and not few corporations and criminal organizations would be put into the position that they can intercept and decrypt communications and therefor have access to secrets globally. This would put economies and nations at an unprecedented risk in a world that is shaped, and relies on, international secure communication. We simply rely on strong cryptographic algorithms to deal with the risk of computer break-ins, espionage, cyber war and computer crime.
The same applies to variations of weak algorithms like limiting the effective key size, transferring keys through side channels or oblivious transfer, or mandating predictable random number generators for key generation.
Manipulate strong algorithms
There have been attempts by intelligence agencies (specifically, the NSA) to manipulate algorithms so that their strength relies on the secrecy of hidden, or underhanded, parameters. This approach reduces to the outlawing of strong cryptography since the secrets on which the security of the algorithm rests would have either be spread widely to be used by law enforcement, or everybody would be at the mercy of the party that knows those secrets. While it might be an interesting method for a single intelligence agency, it would fail in softening the Going Dark problem in a meaningful way and at the same time create a power asymmetry that dooms the acceptance of such a scheme.
Some recent statements by politicians (esp Rudd, UK SI) have hinted at making end-2-end encryption illegal, especially for messaging services. This would result in protocols that may provide confidentiality between user and provider, but not between user and user when communicating through a provider.
Similar suggestions exist for mandating that all communication systems should retain interception capabilities. As with the Lavabit case, law enforcement might rely on the cooperation of the provider, or the sharing of identity keys with law enforcement to enable man-in-the-middle attacks, to gain access to data in transit.
This is a possible approach for regulation since it leaves most of the existing infrastructure in place and puts all liability on the communication providers and intermediaries – as is already the case with lawful-interception legislation for telephone etc.
The products most affected by this variant would be those that try to offer secure communication that is inaccessible by anybody but the final sender and recipient. Those products include instant messaging services, voice over IP telephony, video conferencing and encrypted email (PGP/SMIME). Furthermore Virtual Private Network links would fall under this approach, even though they don’t rely on an intermediary.
Making end-2-end encryption illegal means that all security rests on the communication provider or intermediary, and potentially also on the certifier of keys that the parties require for mutual identification and integrity protection. Especially big global providers are thus put into the cross hairs of hackers and foreign governments since they present a treasure trove of valuable information.
Auditable communication is used, and often mandated, in some industries already, like banking and high-security environments in which traffic traveling through a local network must be inspected by security appliances. To enable this, security devices need a way to decrypt the traffic either by active interception and reencryption (man in the middle) or by using deterministic key generation whose secret is shared with the security appliance. This approach can be applied to any mediated communication that transits a provider as mentioned in the previous section. It is therefor nothing novel.
Please enjoy, share the podcast around, and consider financially supporting the podcast–we need YOUR help to keep this going. You can become a patron on Patreon for exclusive content by clicking the image below. You can also donate crypto-currencies by clicking here.