BOSTON — The Going Dark encryption debate surfaced again on Wednesday at a small security conference here, and as in previous iterations before larger technical audiences and even Congress, the issue continues to spin on a hamster wheel going nowhere.
This time the notable dignitary stumping for so-called exceptional access was FBI general counsel James Baker, and not director James Comey, reiterating that technology companies should find an answer to law enforcement’s problem of unlocking encrypted devices.
Baker—speaking at the Advanced Cyber Security Center conference and flanked by crypto luminary Susan Landau of Worcester Polytechnic Institute and Eric Wenger, director of cybersecurity and privacy, global government affairs at Cisco—made the case that encryption hampers law enforcement investigations on a local level and surveillance efforts on national security and terrorism fronts.
The other side argues that, especially post-Snowden and the endless run of evidence of the National Security Agency’s overreach on surveillance and deliberate efforts to weaken cryptographic standards, encryption remains the best defense against government surveillance and advanced attackers targeting intellectual property. Asking Silicon Valley for help in solving Going Dark, for example, seems to be an unlikely proposition.
“Silicon Valley distrusts the U.S. government, especially after the Snowden leaks,” said Landau, who was one of 15 authors of a paper that laid out the risks associated with granting the government exceptional access to encrypted data. “I worked at Google shortly after [the Snowden leaks started] and there were accusations of the government having direct access to Google’s servers. There was genuine anger in those meetings because they were threatening Google’s product. This cost real money to many companies. At the same time, I don’t see Silicon Valley not helping law enforcement when there is legitimate risk. There is interest in helping and self-interest in protecting their business model.”
Since Snowden, technology companies across the board have accelerated encryption rollouts, with end-to-end encryption securing Yahoo email, Google encrypting connections between its data centers that were being tapped by the NSA, and Apple relinquishing control to the user of encryption keys securing iOS devices—the true harbinger of the Going Dark debate.
“This is about rule of law and the fundamental rights we have from the Constitution, creating laws that enable government to obtain the results of surveillance in ways that are consistent with constitutional rights,” Baker said. “Today, that’s not happening. We are not able to use what’s available today with a 4th Amendment warrant. We do what the law requires, show up with a court order, and can’t get the fruits of surveillance because of encryption.”
Landau and Wenger, however, countered that there are alternatives available to help the FBI and law enforcement compel companies to turn over customer data.
“Someone with the NSA once said to me: ‘The law in the case of a wiretap warrant gives us the right to collect information. It doesn’t say it should be easy,’” Landau said. “The FBI is in a really hard spot, and part of that is because of the way we define the political discussion, which is zero failure. Asking the FBI to have zero cases of terrorism is not plausible.”
Companies, meanwhile, need encryption to secure transactions and protect intellectual property from leaking overseas. Activists in oppressed regions require encryption not only to foster their causes, but in some cases, to maintain personal safety. Going Dark proponents fear that split key-escrow solutions that have been proposed will only further weaken crypto and certainly increase complexity.
“If we were able to engineer a mechanism where we’re splitting a key and having a third party escrow it where the government could ask for it, the very next thing that would happen is that China et al will ask for the same solution. And we’re unlikely to give them the same solution,” Wenger said. “Complexity kills, and the more complex you make a system, the more difficult it is to secure it. I don’t see how developing a key-based solution secures things the way you want it to without creating a great deal of complexity and having other governments demand the same thing.”
Landau made the same complexity argument, and strengthened her case by arguing that exceptional access would also break forward secrecy. With forward secrecy, now considered a baseline encryption rollout, ephemeral keys secure communication rather than one private key securing all sessions. Should an ephemeral key be cracked, all future communication remains secure.
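An added illustration of the forward-secrecy point above (not from the article or its speakers): it compares what a holder of one private key can read from recorded sessions when that key is reused versus when each session uses a fresh ephemeral key. The toy Diffie-Hellman group, the XOR cipher, the `MSG:` marker and the names `run_sessions` and `readable_with` are assumptions made to keep the sketch standard-library only.

```python
import hashlib
import secrets

# Toy parameters constructed for this illustration; far too small for real use.
P = 2**127 - 1  # Mersenne prime used as the Diffie-Hellman modulus
G = 3

def session_key(peer_public: int, own_secret: int) -> bytes:
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_cipher(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: SHA-256(key || counter) keystream; encrypts and decrypts.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_sessions(messages, static_secret=None):
    """Return (transcripts, server_secrets); a transcript is what a wiretap records."""
    transcripts, server_secrets = [], []
    for msg in messages:
        client_secret = secrets.randbelow(P - 2) + 1
        # One private key for all sessions, or a fresh ephemeral secret per session.
        server_secret = static_secret or secrets.randbelow(P - 2) + 1
        client_pub = pow(G, client_secret, P)
        key = session_key(client_pub, server_secret)
        transcripts.append((client_pub, xor_cipher(key, msg)))
        server_secrets.append(server_secret)
    return transcripts, server_secrets

def readable_with(held_secret, transcripts):
    """Plaintexts of recorded sessions that the holder of held_secret can recover."""
    recovered = []
    for client_pub, ciphertext in transcripts:
        plain = xor_cipher(session_key(client_pub, held_secret), ciphertext)
        if plain.startswith(b"MSG:"):  # constructed marker for a correct decryption
            recovered.append(plain)
    return recovered

MESSAGES = [b"MSG:monday", b"MSG:tuesday", b"MSG:wednesday"]  # constructed traffic
```

With a reused key, `readable_with` returns every recorded message; with ephemeral keys, one session's secret recovers only that session, which is the property a standing escrowed key would remove.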
“The complexity of 165 to 200 nations, each with access to keys, is unimaginable,” Landau said.
Baker, meanwhile, stood by the stance that Comey took before Congress in July when he volleyed the issue back to technology companies, telling them to essentially try harder to find a solution.
“We’re looking for help. We want all the smart people in this country to help us figure out this complicated problem we’ve been struggling with for a long time,” Baker said. “At the most fundamental level, it is about the relationship between the people and the government when it relates to surveillance by the government of the people and under what set of circumstances do people want that to happen. What do you want us to do? What risks are you willing to take and what can we do to mitigate risks out there that exist on all sides of the equation?”