The Latest in IT Security

Should encryption be limited or encouraged?

18
Nov
2015

encryptiondebate_converted

The encryption debate reads the following way: while the logic of cyber-security and its encryption tools forecasts an impenetrable encryption, the government is worried that such an efficient cyber feature would block the law enforcers.

Although creating a relative paradox, the diverging opinions over the encryption legal status come with valid arguments for each side.

On one hand, encryption itself defends our data from various threats and malicious entities. On the other hand, making communications impenetrable could benefit the wrong parties, and all the legal requirements needed when constructing a legal case would be harder to procure/gather.

The security expert Bruce Schneier settles the issue in favor of infallible encryption. In a republished article that first appeared in 2014 on CNN, Schneier underlines that in fact prevailing strong encryption would only set the balance right. As for the government access, it can still continue to the cloud data, and it needs to remain limited to a case-by-case authorization algorithm, and not generalized by default.

To have an idea of how the other side’s arguments look like, you may see here an article by James Comey dating July 2015. The decision lies with the public, concludes the article, and the public should balance absolute data security with national safety.

Lawful hacking

This term describes the legal permission given to the appropriate entities to use software vulnerabilities for surveillance. The encryption debate brought precisely this element into public discussion. In addition, it also brought to light the risks that ensue from such a capability: reduced transparency and risk of abuse (induced by a simplified compliance regime). Privacy protection collides with public safety and the challenges are deeper than they might appear.

Besides the lawful hacking issue, the tensions were refueled by the pace at which technology advances. Even when disposing of the authorization to access devices and data that belong to citizens, the government agents might face the impossibility to do so because of tech development. Unless the tech companies intentionally configure hardware or software in a way that allows interferences, the devices of the near future might be impenetrable.

What is the reaction coming from the tech companies? Recently, Apple’s CEO Tim Cook declared that the technology company would not weaken encryption and allow intentional backdoors for lawful hacking, since such backdoors cannot be configured to discern between intruders, and would open up vulnerabilities for any kind of cyber-attack. Tim Cook also appeared at the WSJDLive conference opposite the NSA’s Director Michael Rogers – as the voices of the two opposite sides.

Another element that increased the tensions is the one regarding the Diffie-Hellman key – used as the method for legal data hacking. An algorithm of modern cryptography employed in many digital communication protocols, this crypto-key, once cracked, provides access to a vast amount of data in any network. Allegedly used by NSA in decrypting Internet traffic – and able to account for the huge quantity of decrypted data, the Diffie-Hellman cryptanalytic activities have been studied by two specialists. The costs and the consequences of employing such a method are highly debatable, in their opinion. Questioning these decrypting techniques and their actual costs also sent ripples into the concerned web communities – reflecting further into the main debate. The revelations concerning such surveillance activities also generated tech companies’ losses of approximately 35 billion in lost sales and contracts by 2016.

Another research demonstrates that the Diffie-Hellman key fails in practice, being less secure then believed. The risks when employing such tools are inherent.

A recent development related with the so called legal hacking activity is represented by the Senate passing of the Cybersecurity Information Sharing Act of 2015. Controversial in itself and highly contested by privacy advocates, the bill concerns information sharing between private companies and state agencies (Homeland Security and NSA). For further details on the concerns you may check this article, for example.

Encryption as a weapon

At a time when the term of cyber-warfare has already entered public awareness, being endowed with potential cyber-attacks that bridge into materiality – as in car hacking, drone hacking, critical infrastructure hacking as so on, encryption standing in the way of monitoring potential harmful entities is perceived as an accessory to crime.

FBI Dir­ect­or James Comey supported his repeated requests for backdoor-accessible products addressed to the tech companies using this kind of argument. When law enforcement suffers because of digital encryption barriers, encryption may be considered as a weapon. The number of cases in which encryption disrupted the agents: dozens. We may well remember a different instance where the same weapon-ized encryption paradigm appeared – when export rules where established for cryptography.

In January 2015, a WSJ article observed that the U.S. position followed and synchronized with the British official position. During the entire year several proposal and hypothesis circulated in attempts to find an appropriate way of solving the issue, so that both major parties would be appeased.

Possible solutions for the encryption dilemma

The 2015 initial idea was that technology must come up with a solution that would both protect users from malicious cyber-attacks and leave a way for national security to access devices and data when needed. Out of the proposals, DarkMatters selected the best ones (all rejected by the current administration):

  • Encrypted port for devices, usable with a separate set of keys whenever a court order required so (cost prohibitive);
  • Automatic software updates, usable for spyware delivery (client trust-issues prohibitive);
  • Split software keys, usable only combined under court order (complexity prohibitive);
  • Forced backup (implementation prohibitive, since the companies would have to substantially modify their current systems).

Under detailed scrutiny, the entire problem might juxtapose tech versus tech. Leaving the principle-focused debate aside, it seems that the current technology does provide a way of ensuring special access into encrypted data. While the encryption might grow stronger, it is not designed with such a unilateral backdoor in mind, or at least not one for law enforcers.

The intervention of Magistrate Judge James Orenstein of the U.S. District Court for the Eastern District of New York somehow underlines the same thing. He requested Apple to explain the way a government smartphone unlocking request would be “unduly burdensome”.

This article further details how “the burdensomeness and technical feasibility of compliance with the government’s proposed order” is the key factor in the judge’s analysis.

So, is technology so advanced that it might come up with impenetrable encryption, but not advanced enough to provide a safe backup key for that encryption, or not?

Moreover, where such a debate should reside: in the field of principles or in the field of technology?

If the law would change and move the issue solely into the technology field, should weakening encryption be considered as the answer, or should tech specialists make a huge effort and come up with an innovative solution?

Ultimately, should encryption be limited, or encouraged while other technological solutions ensure that impenetrable encryption would in fact remain almost impenetrable?

However, and gravity of facts like the latest Paris events create a climate of urgency and refuel the debate over encryption. As a CIO article interviewee states, the encryption issue is a “two edged sword” – and it may depend on the developing context which blade would be more urgently needed.

Leave a reply


Categories

SUNDAY, NOVEMBER 17, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments