Same Rhetoric Permeates Going Dark Encryption Debate

The Going Dark encryption debate resurfaced at the Advanced Cyber Security Center annual conference, and the government’s stance hasn’t changed much.

BOSTON — The Going Dark encryption debate surfaced again on Wednesday at a small security conference here, and as in previous iterations before larger technical audiences and even Congress, the issue continues to spin on a hamster wheel going nowhere.

This time the notable dignitary stumping for so-called exceptional access was FBI general counsel James Baker, and not director James Comey, reiterating that technology companies should find an answer to law enforcement’s problem of unlocking encrypted devices.

Baker—speaking at the Advanced Cyber Security Center conference and flanked by crypto luminary Susan Landau of Worcester Polytechnic Institute and Eric Wenger, director of cybersecurity and privacy, global government affairs at Cisco—made the case that encryption hampers law enforcement investigations on a local level and surveillance efforts on national security and terrorism fronts.

The other side argues that, especially post-Snowden and given the endless run of evidence of the National Security Agency’s overreach on surveillance and deliberate efforts to weaken cryptographic standards, encryption remains the best defense against government surveillance and advanced attackers targeting intellectual property. Asking Silicon Valley for help in solving Going Dark, for example, seems to be an unlikely proposition.

“Silicon Valley distrusts the U.S. government, especially after the Snowden leaks,” said Landau, who was one of 15 authors of a paper that laid out the risks associated with granting the government exceptional access to encrypted data. “I worked at Google shortly after [the Snowden leaks started] and there were accusations of the government having direct access to Google’s servers. There was genuine anger in those meetings because they were threatening Google’s product. This cost real money to many companies. At the same time, I don’t see Silicon Valley not helping law enforcement when there is legitimate risk. There is interest in helping and self-interest in protecting their business model.”

Since Snowden, technology companies across the board have accelerated encryption rollouts, with end-to-end encryption securing Yahoo email, Google encrypting connections between its data centers that were being tapped by the NSA, and Apple relinquishing control of the encryption keys securing iOS devices to the user—the true harbinger of the Going Dark debate.

“This is about rule of law and the fundamental rights we have from the Constitution, creating laws that enable government to obtain the results of surveillance in ways that are consistent with constitutional rights,” Baker said. “Today, that’s not happening. We are not able to use what’s available today with a 4th Amendment warrant. We do what the law requires, show up with a court order, and can’t get the fruits of surveillance because of encryption.”

Landau and Wenger, however, countered that there are alternatives available to help the FBI and law enforcement compel companies to turn over customer data.

“Someone with the NSA once said to me: ‘The law in the case of a wiretap warrant gives us the right to collect information. It doesn’t say it should be easy,'” Landau said. “The FBI is in a really hard spot, and part of that is because of the way we define the political discussion, which is zero failure. Asking the FBI to have zero cases of terrorism is not plausible.”

Companies, meanwhile, need encryption to secure transactions and protect intellectual property from leaking overseas. Activists in oppressed regions require encryption not only to foster their causes, but in some cases, to maintain personal safety. Going Dark proponents fear that split key-escrow solutions that have been proposed will only further weaken crypto and certainly increase complexity.

“If we were able to engineer a mechanism where we’re splitting a key and having a third party escrow it where the government could ask for it, the very next thing that would happen is that China et al will ask for the same solution. And we’re unlikely to give them the same solution,” Wenger said. “Complexity kills, and the more complex you make a system, the more difficult it is to secure it. I don’t see how developing a key-based solution secures things the way you want it to without creating a great deal of complexity and having other governments demand the same thing.”

Landau made the same complexity argument, and fortified her case by arguing that exceptional access would also break forward secrecy. With forward secrecy, now considered a baseline encryption rollout, ephemeral keys secure communication rather than one private key securing all sessions. Should an ephemeral key be cracked, all future communication remains secure.

“The complexity of 165 to 200 nations, each with access to keys, is unimaginable,” Landau said.

Baker, meanwhile, stood by the stance that Comey took before Congress in July when he volleyed the issue back to technology companies, telling them to essentially try harder to find a solution.

“We’re looking for help. We want all the smart people in this country to help us figure out this complicated problem we’ve been struggling with for a long time,” Baker said. “At the most fundamental level, it is about the relationship between the people and the government when it relates to surveillance by the government of the people and under what set of circumstances do people want that to happen. What do you want us to do? What risks are you willing to take and what can we do to mitigate risks out there that exist on all sides of the equation?”

Discussion

  • Karen Bannan on

    "...encryption remains the best defense against government surveillance and advanced attackers targeting intellectual property." Yes, but it also becomes a crutch for IT, which assumes it is protected. Here's a good blog that looks at encryption, actually: http://bit.ly/0NVP1kH --KB Karen Bannan, commenting on behalf of IDG and Dell
  • Terry on

    For thousands of years, you've lacked access to the contents of communications secured by one time pads. You continuing to lack that access does not strike me as cataclysmic. If you hadn't abused our trust already, we would not be tightening down the bolts now. Expect that we will be tightening them further, should you continue to abuse our trust in the future.
  • Meir on

    Moslem terrorists are too stupid to use encryption properly anyways. As long as it stays something that requires an IQ of above 100 to use, (requiring command line instead of GUI for instance) we are fine.
    • Bill on

      That is one of the most ignorant comments I have ever heard.
  • Andy Freeman on

    > “This is about rule of law and the fundamental rights we have from the Constitution, creating laws that enable government to obtain the results of surveillance in ways that are consistent with constitutional rights,” Baker said. “Today, that’s not happening. We are not able to use what’s available today with a 4th Amendment warrant. We do what the law requires, show up with a court order, and can’t get the fruits of surveillance because of encryption.” - See more at: https://threatpost.com/same-rhetoric-permeates-going-dark-encryption-debate/115271/#sthash.DexNI7Ar.dpuf

    Wowsers - he really seems to believe that the 4th amendment is about guaranteeing govt access to surveillance information. FWIW, my copy doesn't seem to contain that guarantee: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
