Encryption back doors: Is there more to this debate?

No readers like this yet.
A bank vault

Opensource.com

"I think that it's a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there's going to be a court order. And I say that for a number of reasons and I've given it quite a bit of thought."

As the the encryption access debate heats up in the United States and abroad, statements like the one above have become commonplace.

But this is not just another expert giving an opinion. Rather, it's the potent observation of Michael Chertoff, former U.S. Secretary of Homeland Security, former Federal Appeals Court judge, ex-Chief of the Criminal Division at the U.S. Department of Justice, and, for almost a decade, a prosecutor.

Speaking at a conference this summer, Chertoff crystallized what he sees as the risks of heading down such a path (that could likely prevent use of certain kinds of encryption). First, there is increased vulnerability. "You're basically making things less secure for ordinary people," he said.

Second, emphasizing a point that other experts have made with his practical experience, "Really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door." It's a "pipe dream" to think governments will be able to stop this, given the global environment we live and work in. The likely result is that "legitimate actors will be making somewhat less secure communications and the bad guys will still not be able to be decrypted."

And, Chertoff asks, what do you do when other countries want the same duplicate keys or backdoor access? It's a "strategic problem for us" as "companies are not going to have a principled basis to refuse to do that."

A few days later, Chertoff joined Mike McConnell, former Director of the National Security Agency, and William Lynn, former Deputy Secretary of Defense—a group of individuals with decades of national security experience between them—to articulate many of the same points in a Washington Post opinion piece.

They touch on past endeavors—such as the Clipper Chip—and highlight an updated critique by noted computer security experts ("Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications"), and conclude:

"Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals."

Are we missing a larger debate?

Encryption back doors have captured the headlines of recent various Congressional hearings, and that theme has predominated in media reports.

In joint testimony this summer before the Senate Judiciary Committee, Deputy Attorney General Sally Quinn Yates and Federal Bureau of Investigation Director James B. Comey not so subtly telegraphed a bit different, broader, focus:

"In a world where users have sole control over access to their devices and communications, and so can easily block all lawfully authorized access to their data ... the theoretical availability of other types of evidence would [make] no difference ... The core question is this: once all of the requirements and safeguards of the laws and the Constitution have been met, are we comfortable with technical design decisions that result in barriers to obtaining evidence of a crime?"

They review the history of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (often referred to as "Title III" or the "Wiretap Act") and the Foreign Intelligence Surveillance Act of 1978 (FISA), finding:

"Collectively, these statutes reflect a concerted Congressional effort, overseen by an independent judiciary, to validate the principles enshrined in our Constitution and balance several sometimes-competing, yet equally legitimate social interests: privacy, public safety, national security, and effective justice. The evolution and operation of technology today has led to recent trends that threaten this time-honored approach. In short, the same ingenuity that has improved our lives in so many ways has also resulted in the proliferation of products and services where providers can no longer assist law enforcement in executing warrants."

What particularly caught my attention was the time spent in their testimony highlighting the "mandatory technical assistance" provided for in both statutes. In particular, they point out how passage of the Communications Assistance for Law Enforcement Act (CALEA) in 1994 "ensured that law enforcement could reliably obtain evidence from emerging telecommunications networks" at a time, two decades ago, when "the telecommunications industry was undergoing a major transformation and the Government faced a similar problem."

For those of you not familiar with the statute, CALEA requires telecommunications carriers to develop and deploy intercept solutions in their networks to ensure that the Government is able to intercept electronic communications when lawfully authorized, although it does not require a carrier to decrypt communications encrypted by the customer unless the carrier provided the encryption and possesses the information necessary to decrypt.

Specifically, as pointed out by Deputy Attorney General Yates and FBI Director Comey, "[CALEA] requires carriers to be able to isolate and deliver particular communications, to the exclusion of other communications, and to be able to deliver information regarding the origination and termination of the communication ... [and] regulates the capabilities that covered entities must have," adding that it "does not affect the process or the legal standards that the Government must meet in order to obtain a court order to collect communications or related data."

But they point out that "while CALEA was intended to keep pace with technological changes, its focus was on telecommunications carriers that provided traditional telephony and mobile telephone services, not Internet-based communications services." In the middle of the last decade:

"... through interpretation of the statute by the Federal Communications Commission (FCC), the reach of CALEA has been expanded to include facilities-based broadband Internet access and Voice over Internet Protocol (VoIP) services that are fully interconnected with the public switched telephone network ... CALEA does not cover popular Internet-based communications services such as email, Internet messaging, social networking sites, or peer-to-peer services."

What is missing in their narrative was that passage of CALEA was controversial, presaging the "encryption wars" later in the decade. It imposes on telecommunications carriers the obligation to ensure that equipment, facilities, or services that allow a customer or subscriber to "originate, terminate, or direct communications," enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization, according to the FCC website. "CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve." The specific implementations are based on industry standards developed by the carriers, based on the performance requirements in CALEA.

In their testimony, Yates and Comey state that "there has not yet been a decision whether to seek legislation," though reports of proposals have appeared frequently in recent years. But they make clear that "due to the revolutionary shift in communications technology in recent years, the Government has lost ground in its ability to execute court orders on communications not covered by CALEA ... we must work ... to craft an approach that addresses all of the multiple, competing legitimate concerns that have been the focus of so much debate."

Reopening CALEA: The Challenge of Maintaining Security

A debate about updating CALEA is of far greater scale than merely a discussion about encryption back doors'. It potentially raises broader issues of Internet and network security, not limited just to access to email, videos, and pictures that may be encrypted on an end user device.

To recall, CALEA was an update of then-existing wiretap statutes, occurring "at the time [when] Internet-based communications were in a fairly early stage of development," as Yates and Comey point out. The notion of a distributed networked world was still in its infancy.

As such, the implications of reopening CALEA have been explored by security experts identifying specific risks that probably only begin to touch on the complexity:

"Security is a fundamental requirement of communications systems. Commerce, government and interpersonal relationships all rely upon secure communications. However, we know that our communications systems today are under attack, with a particular focus on endpoint systems. Government information and communications systems, including law enforcement and national security systems, have been targeted, as have corporate systems, including the systems of communications service providers. It is in this context that we raise our concern: A wiretap design mandate on communications tools is, plainly put, an opportunity for increased exploitation." [footnotes omitted]

Interestingly (and perhaps more than coincidentally), just weeks after the joint testimony, consumer protection authorities weighed in. Federal Trade Commission (FTC) Commissioner Terrell McSweeny wrote on Huffington Post that "if consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers." Commissioner McSweeny went on to point out that "many can and should do more to protect against breaches," citing a FTC report released earlier this year which noted a disparate range of security practices in Internet-of-Things (IoT) products.

Meanwhile, Ashkan Soltani, the Chief Technologist of the FTC, reported in a blog post about his own recent experience with having a laptop stolen. Fortunately, for him, he had used a combination of firmware passwords and strong disk encryption, thus preventing the thief from accessing the laptop. (Apparently, the thief tried to get assistance at an Apple Genius Bar, which assisted Soltani in retrieving his computer.)

We are just at the beginning of this latest chapter of the debate, which will include an intense look at the extent to which law enforcement faces real instances of going dark. Prof. Peter Swire, who chaired a review of reopening the wiretap statutes over a decade ago, testified at the same July hearing. "Law enforcement may face small subsets of circumstances that match Director Comey's stated concern: locked devices or end-to-end encryption—'access only by the participants to a conversation.' At a factual level, however, we should remain highly alert to over-broad assertions about the pervasiveness of such 'going dark.'"

Legislation on this is very unlikely to happen this Congress, but the the debate is ripening. And as it continues, the issues are complex, and not just about our personal privacy but also about the security of essential networks and system we increasingly rely.

User profile image.
Mark Bohannon | Mark Bohannon is Vice President of Global Public Policy and Government Affairs at Red Hat. Previously, he served as Senior Vice President, Public Policy and General Counsel at the Software & Information Industry Association (SIIA), the principal U.S. trade association for the software and digital content industry.

Comments are closed.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.