LAS VEGAS – Try as they might, technologists are struggling to find a feasible way to solve the government’s and law enforcement’s “Going Dark” crypto issue.
Cryptographer Matthew Green and D.C. intellectual property attorney James Denaro today during a talk at the Black Hat conference made no promise of a working solution, but instead broke down this contentious topic from a historic, legal and technical point of view.
The arguments from officials wanting “exceptional access” to data are that decisions such as Apple’s to relinquish control of encryption keys to the user device inhibits law enforcement’s ability to hunt criminals and government’s ability to monitor terror suspects and those radicalizing. This is what FBI Director James Comey called “Going Dark.”
Opponents of proposals that would include key escrow systems, for example, point out that not only would mandatory backdoor access would intentionally introduce a vulnerability into systems, but would also break existing security such as forward secrecy.
And then there legal concerns, Denaro said, such as potential First Amendment issues where the government is demanding that private software companies build products in a certain way, not to mention oversight questions.
“How can you have a regime that communicates securely only until someone decides not to?” Denaro questioned. “How do you make that decision? Is there a review process? Clearly this is ripe for abuse.”
Short of outlawing cryptography, which would ensure that only outlaws have crypto, some of the solutions on the table call for either key escrow or building access for law enforcement into key servers.
“There’s no assurance that something like this would not be abused for mass surveillance,” Green said.
The FBI’s Comey, as recently as a month ago, eased off demands for exceptional access, and instead told technology companies they need to try harder to find a solution to the problem. Key escrow, where trusted parties share keys, was part of Comey’s solution.
“I’ve heard that it’s too hard, that there’s no solution. Really?” Comey said during a Congressional hearing July 8, mentioning Silicon Valley by name. “Maybe it is too hard, but given the stakes, we’ve got to give it a shot and I don’t think it’s been given an honest hard look.
“We want people to be in position to comply with judges’ orders in the U.S. We want creative people to figure out how to comply with court orders,” Comey said. “You shouldn’t be looking at the FBI director for innovation.”
Green and Denaro pointed out during today’s session a number of technical issues that make exceptional access a bad idea, in particular the fact that this issue has no geographic borders. Should Apple, for example, build in a backdoor for U.S. law enforcement, how does it say no to other countries, including leaders in oppressive or sanctioned nations?
“Once we have the capability to eavesdrop, even if you build in a legal safeguard to make sure it’s not abused, what happens when you send this to repressive governments that don’t have a First Amendment?” Green said. “Build it here to chase [criminals] and give that same technology to oppressive governments to own devices? If ISIS needs encryption, it will get it. It will stop relying on iMessage pretty quickly if it’s backdoored.”
Mobile apps such as Apple’s iMessage and the Facebook-owned WhatsApp between them count close to 2 billion active downloads, a massive number of people using end to end device encryption. This is a significant roadblock, law enforcement says, and it and the government have resorted to making emotional arguments to legislators and policymakers that encryption facilitates the activities of terrorists and child predators.
“Government is not articulating this well and has stopped talking about the future. We’re left trying to find a way forward through this,” Denaro said. “The question we need to ask is there a way that reasonably satisfies the interests of these parties so that they can get the types of communication they had until ‘Going Dark.’
“The problem is that it’s hard to make a system that allows exceptional access that wouldn’t have inherent or opportunistic flaws that wouldn’t be found.”