If we want strong encryption, we’ll have to fight for it
As digital rights lawyer and special counsel to the Electronic Frontier Foundation Marcia Hofmann correctly noted in her keynote at Hack in the Box Amsterdam 2015 on Thursday, this issue is like a pendulum: sometimes, like in the wake of the 1990s crypto wars, it swings towards strong encryption, but it could now swing in the other direction.
One could argue that it swung in the other direction without us knowing: while we believed ourselves relatively safe, the documents leaked by Edward Snowden revealed that governments actively worked at subverting encryption efforts.
After the public exposure of NSA’s and GCHQ’s MUSCULAR operation, which was aimed at tapping the overseas fiber-optic cables used by Google and Yahoo to exchange data stored in their many data centers in the US and abroad, tech companies began seeing governments as adversaries, and have started working on encrypting their users’ communications.
And, as they had already witnessed the government’s power to force them to hand over data and make them keep quiet about it, they have decided to opt for encryption systems that make it impossible for them to hand over the encryption keys.
The US and UK governments reacted by launching a campaign (still ongoing) that tries to paint encryption as something only criminals use, and started lobbying for mandated backdoors. Smartphone encryption is particularly offensive to them, it seems, and even the Washington Post Editorial Board joined in the discussion, saying that Apple and Google could use their “wizardry” and “invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.”
But as EFF’s Jeremy Gillula explained, “there is no such thing as a key that only law enforcement can use—any universal key creates a new backdoor that becomes a target for criminals, industrial spies, or foreign adversaries,” and can be stolen.
This idea of a backdoor for law enforcement is as bad an idea now as it was when it was first trotted out in the ’90s, and it’s the infosecurity community’s duty to speak up again and again and to try to get the point across.
So far, there hasn’t been a concrete proposal on how this thing could be accomplished, but when (if) one is presented, it’s important for security experts to offer technical critiques of this and any other proposal to weaken security.
It’s also critical for the infosec community to offer concrete input on the negative effects of security-related export restrictions, Hofmann says, and they have an opportunity to do so right now, as the US Department of Commerce published last week its proposed implementation of the December 2013 changes to the Wassenaar Arrangement regarding intrusion and surveillance software, and has asked the public to comment on it.
As always, there are four forces that exert pressure on what security looks and will look like: norms, the market, the architecture, and the law.
Encryption has become widespread and easy to use by default and, what’s more, expected by consumers. Privacy and security have become selling points, and have led, and are likely to lead, to more re-assessments of business models. Business opportunities in encryption-friendly countries have blossomed.
The biggest force the security community is now running up against is the law.
As providers are working on making it so that they can’t be pressured by law to give access to encrypted data, the government and law enforcement have been forced to shift the pressure onto users.
Ultimately, that doesn’t work as well, and they are actively working on shifting the pressure back onto the providers.
Aside from critiquing flawed proposals, the security community, tech companies and digital rights activists have the possibility – and, I would say, the obligation – to put forward legal challenges to laws that could hurt users, researchers (see the aforementioned Wassenaar Arrangement) and others.
It all really comes down to what kind of world we want to live in, says Hofmann.
She comes down on the side of strong encryption, but is conscious that online security is a fight that will probably have to be fought again and again, and that’s why it’s important for the security community – as the civil libertarians in the first crypto wars did – to keep fighting.