Lentis/Law Enforcement Access to Encrypted Data

From Wikibooks, open books for an open world

Though once considered a munition,[1] encrypted communications have become commonplace in commercially available software. Apple’s iMessage system, for instance, is end-to-end encrypted, meaning that no one except the sender and the recipient (not even Apple) can read a message.[2] Apple now also encrypts all data on its iOS devices,[3] and Google does the same on its Android operating system.[4] These systems prevent anyone besides the device owner from accessing the data on the device. Law enforcement agencies have had problems with this technology, however, because it also prevents them from viewing the data on phones, even when they have a search warrant. In one case, Apple refused to open a locked iPhone for the FBI in a drug investigation,[5] stating that doing so was impossible. Law enforcement agencies have argued that tech companies should provide them with a “backdoor,” a special way to decrypt messages that can only be used by law enforcement and which would require a search warrant.[6] In this chapter, we examine the sociotechnical forces surrounding this proposal in the United States and its allies.

Background

Although relevant today, law enforcement's access to encrypted communications is not a new issue in the United States. As personal digital communication grew more common in the early 1990s, the Clinton Administration began to push for a way to "preserve a government capability to conduct electronic surveillance in furtherance of legitimate law enforcement and national security interests."[7] There have been several subsequent proposals for policies directly addressing the issue, though a variety of technical and social issues have prevented any such policy from taking effect.

Clipper Chip

Clipper Chip that could be included in the hardware of any personal computer or communication device

The Clinton Administration's first proposal was the Clipper Chip, a hardware device designed by the United States government that manufacturers would build into their computers. It used a system called "key escrow," in which each chip would be given a corresponding key that could decrypt any message encrypted by the chip. The key would be held by the United States government and released to law enforcement when legally required.[8] A variety of social and technical problems, such as the high monetary and economic costs of implementation[9] and weaknesses in the encryption algorithm,[8] meant that the Clipper Chip was never adopted.

Key Recovery

Following the Clipper Chip's failure, the Clinton Administration proposed a system it called "key recovery." In this system, trusted third party organizations would hold users' keys and provide them to law enforcement upon request.[9] At the time of this proposal encryption technology was still classified as a munition, making it illegal to export from the United States. With the backing of the CIA, the Clinton Administration proposed weakening these restrictions as long as companies agreed to develop key recovery technology.[9] By doing this, the Administration hoped to make key recovery the standard domestically and globally, giving law enforcement and intelligence agencies access to encrypted data worldwide.

Organized groups within the Clinton Administration had opposing views on this issue. Though the Administration, with the internal backing of the CIA, publicly supported this key recovery plan, the Justice Department internally opposed it, believing that the plan did not go far enough and proposing that the law be modified to only allow the export and import of encryption technology that worked with key recovery systems.[9]

Outside of government, many prominent groups opposed the plan for largely the same reasons that they had opposed the Clipper Chip. Trade groups such as the Institute of Electrical and Electronics Engineers (IEEE) and Association for Computing Machinery (ACM) opposed the plan on economic, technical, and moral grounds. They believed that these restrictions would put American companies at an economic disadvantage while ultimately proving insecure and threatening civil freedoms.[10] Ultimately legislation implementing the proposal never passed the Senate.[11]

Current Status

Though there have been many proposals for extending law enforcement's access to encrypted data in the United States, no proposals on the scale of the Clipper Chip or key recovery have come into effect. Companies and individuals can generally develop and use cryptography systems freely.

Recent criminal investigations where the United States Justice Department was unable to retrieve encrypted information from phones, along with concerns over terrorist attacks, have led policymakers such as Senate Judiciary Chair Chuck Grassley and Deputy Attorney General Sally Yates to renew calls for expanding law enforcement's access to encrypted data,[12] bringing the issue back into the public eye.

Support for Expanded Law Enforcement Access

In the United States and abroad, many organized groups want to give government agencies expanded power to read encrypted data in order to prevent and prosecute criminal activity. Government and law enforcement organizations are the most prominent of these groups.

The Obama Administration

In the aftermath of the terrorist attacks in Paris and San Bernardino, President Obama gave a national address about responding to future threats.[13] One step in the plan is to prevent criminal activity on encrypted channels.[14] However, it is unclear by what means the administration intends this to be accomplished. Earlier in the year, the Obama administration conceded its fight to make tech companies add a backdoor to encryption, agreeing that doing so would weaken defenses against foreign governments and cybercriminals.[15] One of the Administration’s fears is that requiring a backdoor for companies in the United States would set a similar precedent for American companies in other countries, such as China.[15]

Federal Bureau of Investigation

The Federal Bureau of Investigation (FBI) has recently fought with Apple over encryption in iMessage.[16] In the newest versions of iOS, iMessage uses end-to-end encryption so that only the sender and recipient can read messages,[17] making it impossible for law enforcement to access encrypted content. FBI Director James Comey compared this to an unlockable door and said that a warrant should be all that is required to access this data.[18] Comey noted how a terrorist who attempted to attack an event in Texas in May 2015 had been communicating with other terrorists abroad using encrypted messages,[19] implying that these messages would have given authorities advance notice of the attempt had they been intercepted and read. The United States has no key disclosure law, unlike Canada, the UK, and France, effectively keeping these encrypted messages a secret. While key disclosure allows agencies to access encrypted data, it only helps when the suspect is known. It is useful for gathering evidence, but not for intelligence work, where fast response times are necessary, especially in preventing terrorist attacks.

United Kingdom's Cameron Administration

Similar battles are happening outside the United States. In the United Kingdom, Prime Minister David Cameron has spoken out against apps that send encrypted messages because most of them cannot be read by government.[20] Cameron argued that, in the past, government agents could get a warrant and intercept phone calls or mail, but now there are channels that government cannot access, creating a “safe space” for criminals and terrorists.[20] Cameron would like legislation that bans apps that use encryption unless the app has a government backdoor.[20]

Opposition to Expanded Law Enforcement Access

Not everyone is in favor of expanding the government's access to private encrypted data. According to a 2014 poll, a majority of Americans (54%) “disapprove” of bulk government collection of phone and internet records,[21] and presidential candidates as diverse as Bernie Sanders[22] and Rand Paul[23] have spoken in favor of reining in the National Security Agency’s data collection programs during the 2016 election cycle. Most opposition comes from participants with concerns over privacy or technical issues, though other factors such as economic issues are also relevant.

Participants with Privacy Concerns

Many opponents of government access to data object on privacy grounds. For instance, Apple CEO Tim Cook, speaking about his company’s end-to-end encrypted iMessage service, said “we believe the contents of your text messages and your video chats is none of our business.”[24] Groups like the Electronic Frontier Foundation[25] advocate for reducing government access to data on privacy grounds and enjoy reasonable support, including a budget in the tens of millions of dollars.[26]

Privacy concerns are not a new topic in the social sciences, but researchers have struggled even to define "privacy."[27] Despite the difficulty in defining it, researchers have found that people place significant value on keeping their data private,[28] and concern over privacy is likely at least partially motivated by economic factors; companies like Apple even expressly use their protection of consumer privacy as a selling point.[17]

Participants with Technical Concerns

Many participants oppose weakening encryption on technical grounds. The basic argument is that a backdoor for law enforcement means that the encryption cannot be perfectly secure, because an attacker could use the backdoor to gain entry. As the Information Technology Industry Council said in a statement following calls to add backdoors after the Paris attacks in November 2015, weakening encryption by adding backdoors “simply doesn’t make sense.”[29] This is the same argument that security experts used when the Clipper Chip was proposed, and which ultimately helped defeat it.[30]
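The key escrow design described under Clipper Chip, and the technical objection above, can be seen in a small model. This is an added example, not part of the original chapter and not the Clipper Chip's actual protocol or cipher: the names `EscrowedDevice`, `escrow_db`, `seal` and `unseal` are hypothetical, the cipher is a toy built from HMAC-SHA256, and a pre-shared recipient key stands in for real key exchange.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (illustration only, not a vetted cipher).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class EscrowedDevice:
    def __init__(self, device_id, escrow_db):
        self.device_id = device_id
        self.unit_key = secrets.token_bytes(32)
        escrow_db[device_id] = self.unit_key  # the escrow agent keeps a copy

    def send(self, recipient_key, message):
        session_key = secrets.token_bytes(32)  # fresh key per message
        return {
            "device_id": self.device_id,
            "for_recipient": seal(recipient_key, session_key),
            "for_escrow": seal(self.unit_key, session_key),  # the access field
            "body": seal(session_key, message),
        }

def recipient_read(recipient_key, packet):
    return unseal(unseal(recipient_key, packet["for_recipient"]), packet["body"])

def escrow_read(escrow_db, packet):
    # Works for anyone holding the escrow database, authorized or not.
    unit_key = escrow_db[packet["device_id"]]
    return unseal(unseal(unit_key, packet["for_escrow"]), packet["body"])

def demo():
    escrow_db, shared = {}, secrets.token_bytes(32)  # constructed sample keys
    packet = EscrowedDevice("device-A", escrow_db).send(shared, b"meet at noon")
    return recipient_read(shared, packet), escrow_read(dict(escrow_db), packet)
```

Both calls in `demo()` return the plaintext: the second one uses only a copy of the escrow database, which is why the confidentiality of every escrowed device rests on how well that one database is protected.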

Opponents also contend that adding backdoors to encryption systems will not actually help law enforcement defeat threats. Nate Cardozo, staff attorney for the Electronic Frontier Foundation, has said that "intel agencies are drowning in data... It's not about having enough data; it's a matter of not knowing what to do with the data they already have."[31] Reports that the 2015 Paris attacks (which have been cited in proposals for backdoors, including by CIA director John Brennan)[32] were planned using unencrypted communications only make this claim stronger.[33]

Conclusion

The struggle over encryption backdoors is far from over, and there will almost certainly be more developments on this topic in the future as new solutions are proposed and enacted or defeated. Although we have covered significant parts of the debate in the United States and the United Kingdom, participants in other places have different perspectives. Interesting additions to this chapter could include updates covering future developments and expansion to cover encryption worldwide.

References

  1. US Department of State. (1992). Code of Federal Regulations. https://epic.org/crypto/export_controls/itar.html
  2. Apple Corporation. (2011). iOS 5 Press Release. http://www.apple.com/pr/library/2011/06/06New-Version-of-iOS-Includes-Notification-Center-iMessage-Newsstand-Twitter-Integration-Among-200-New-Features.html
  3. Apple Corporation. (2014). iOS Security Guide, September 2014. https://www.documentcloud.org/documents/1302613-ios-security-guide-sept-2014.html
  4. Android Project. (2015). Full Disk Encryption. https://source.android.com/security/encryption/
  5. Apuzzo, M., Sanger, D., Schmidt, M. (2015). Apple and Other Tech Companies Tangle with US Over Data Access. New York Times, September 8, 2015. http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html?_r=0
  6. Comey, J. (2015). http://www.theguardian.com/technology/2015/jul/08/fbi-chief-backdoor-access-encryption-isis
  7. White House. (1993). Public encryption management. https://fas.org/irp/offdocs/pdd5.htm
  8. Blaze, M. (1994). Protocol failure in the escrowed encryption standard. http://www.crypto.com/papers/eesproto.pdf
  9. Deutch, J. (1996). Memorandum for the president. https://web.archive.org/web/20121015182952/http://www.foia.cia.gov/docs/DOC_0000239468/DOC_0000239468.pdf
  10. IEEE and ACM. (1997). Letter to Senator John McCain. http://usacm.acm.org/images/documents/spna_letter.pdf
  11. McCain, J. (1997). Secure Public Networks Act. http://thomas.loc.gov/cgi-bin/bdquery/z?d105:s909:
  12. Grassley, C. (2015). Grassley questions White House commitment to going dark solution. http://www.grassley.senate.gov/news/news-releases/grassley-questions-white-house-commitment-going-dark-solution
  13. White House. (2015). Address to the Nation by the President. https://www.whitehouse.gov/the-press-office/2015/12/06/address-nation-president
  14. Rampton, R. (2015). Obama appeals to Silicon Valley for help with online anti-extremist campaign. http://www.reuters.com/article/california-shooting-cyber-idUSKBN0TQ0A320151207
  15. Perlroth, N. & Sanger, D. (2015). Obama Won’t Seek Access to Encrypted User Data. http://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.html
  16. Hern, A. (2015). Apple's Encryption Means It Can't Comply with US Court Order. http://www.theguardian.com/technology/2015/sep/08/apple-encryption-comply-us-court-order-iphone-imessage-justice
  17. Apple. (2015). Our Approach to Privacy. http://www.apple.com/privacy/approach-to-privacy/
  18. Nakashima, E. (2015). With Court Order, Federal Judge Seeks to Fuel Debate About Data Encryption. https://www.washingtonpost.com/world/national-security/federal-judge-stokes-debate-about-data-encryption/2015/10/10/c75da20e-6f6f-11e5-9bfe-e59f5e244f92_story.html
  19. Harte, J. & Volz, D. (2015). Shooter at Texas 'Draw Mohammed' Contest Messaged Foreign Militants: FBI. http://www.reuters.com/article/us-texas-shooting-comey-idUSKBN0TS2FU20151209
  20. Bienkov, A. (2015). David Cameron: Twitter and Facebook Privacy is Unsustainable. http://www.politics.co.uk/news/2015/06/30/david-cameron-twitter-and-facebook-privacy-is-unsustainable
  21. Pew Research Center. (2014). Beyond Red vs. Blue: The Political Typology. http://www.people-press.org/files/2014/06/6-26-14-Political-Typology-release1.pdf
  22. https://berniesanders.com/issues/war-and-peace/
  23. https://www.randpaul.com/issue/ending-nsa-spying
  24. Cook, T. (2015). Speech at Electronic Privacy Information Center. http://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/#.ulz3r9:kVGu
  25. Electronic Frontier Foundation. (2015). https://www.eff.org
  26. Electronic Frontier Foundation. (2015). Annual Report. https://www.eff.org/about/annual-reports-and-financials
  27. Solove, D. J. (2008). Understanding privacy.
  28. Acquisti, A., John, L. K., & Loewenstein, G. (2013). What is privacy worth?. The Journal of Legal Studies, 42(2), 249-274.
  29. Information Technology Industry Council. (2015). http://www.reuters.com/article/us-tech-encryption-idUSKCN0T82SS20151119
  30. Abelson, H., Anderson, R. N., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., ... & Schneier, B. (1997). The risks of key recovery, key escrow, and trusted third-party encryption.
  31. Cardozo, N. (2015). http://www.wired.com/2015/11/paris-attacks-cia-director-john-brennan-what-he-gets-wrong-about-encryption-backdoors/
  32. Brennan, J. (2015). Speech at Center for Strategic and International Studies. http://www.defenseone.com/technology/2015/11/brennan-paris-wakeup-call-europe-encryption/123732/
  33. Froomkin, D. (2015). Signs point to unencrypted communications between terror suspects. https://theintercept.com/2015/11/18/signs-point-to-unencrypted-communications-between-terror-suspects/