The US Department of Justice (DOJ), together with government representatives from six other countries, has recently re-ignited the perennial Battle to Break Encryption.
Last weekend, the DOJ put out a press release co-signed by the governments of the UK, Australia, New Zealand, Canada, India and Japan, entitled International Statement: End-To-End Encryption and Public Safety.
You might not have seen the press release (it was put out on Sunday, an unusual day for news releases in the West), but you can almost certainly guess what it says.
Two things, mainly: think of the children, and something needs to be done.
If youre a regular reader of Naked Security, youll be familiar with the long-running tension that exists in many countries over the use of encryption.
Very often, one part of the public service the data protection regulator, for instance will be tasked with encouraging companies to adopt strong encryption in order to protect their customers, guard our privacy, and make life harder for cybercriminals.
Indeed, without strong encryption, technologies that we have come to rely upon, such as e-commerce and teleconferencing, would be unsafe and unusable.
Criminals would be trivially able to hijack financial transactions, for example, and hostile countries would be able to eavesdrop on our business and run off with our trade secrets at will.
Even worse, without a cryptographic property known as forward secrecy, determined adversaries can intercept your communications today, even if they arent crackable now, and realistically hope to crack them in the future.
Without forward secrecy, a later compromise of your master encryption key might grant the attackers instant retrospective access to their stash of scrambled documents, allowing them to rewind the clock and decrypt old communications at will.
So, modern encryption schemes dont just encrypt network traffic with your long-term encryption keys, but add in what are known as ephemeral keys into the mix one-time encryption secrets for each communication session that are discarded after use.
The theory is that if you didnt decrypt the communication at the time it was sent, you wont be able to go back and do so later on.
Unfortunately, forward secrecy still isnt as widely supported by websites, or as widely enforced, as you might expect. Many servers still accept connections that reuse long-term encryption keys, presumably because a significant minority of their visitors are using old browsers that dont support forward secrecy, or dont ask to use it.
Similarly, we increasingly rely upon what is known as end-to-end encryption, where data is encrypted for the sole use of its final recipient and is only ever passed along its journey in a fully scrambled and tamper-proof form.
Even if the message is created by a proprietary app that sends it through a specific providers cloud service, the company that operates the service doesnt get the decryption key for the message.
That means that the service provider cant decrypt the message as it passes through their servers, or if it is stored there for later not for their own reasons; not if theyre told to; and not even if you yourself beg them to recover it for you because youve lost the original copy.
Without end-to-end encryption, a determined adversary could eavesdrop on your messages by doing the digital equivalent of steaming them open along the way, copying the contents, and then resealing them in an identical-looking envelope before passing them along the line.
Theyd still be encrypted when they got to you, but you wouldnt be sure whether theyd been decrypted and re-encrypted along the way.
At the same time, another part of the government will be arguing that strong encryption plays into the hands of terrorists and criminals especially child abusers because, well, because strong encryption is too strong, and gets in the way even of reasonable, lawful, court-approved surveillance and evidence collection.
As a result, justice departments, law enforcement agencies and politicians often come out swinging, demanding that we switch to encryption systems that are weak enough that they can crack into the communications and the stored data of cybercriminals if they really need to.
After all, if crooks and terrorists can communicate and exchange data in a way that is essentially uncrackable, say law enforcers, how will we ever be able to get enough evidence to investigate criminals and convict them after something bad has taken place?
Even worse, we wont be able to collect enough proactive evidence intelligence, in the jargon to stop criminals while they are still at the conspiracy stage, and therefore crimes will become easier and easier to plan, and harder and harder to prevent.
These are, of course, reasonable concerns, and cant simply be dismissed out of hand.
As the DOJ press release puts it:
[T]here is increasing consensus across governments and international institutions that action must be taken: while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online.
After all, in countries such as the UK and the US, the criminal justice system is largely based on an adversarial process that starts with the presumption of a defendants innocence, and convictions depend not merely on evidence that is credible and highly likely to be correct, but on being sure beyond reasonable doubt.
But how can you come up with the required level of proof if criminals can routinely and easily hide the evidence in plain sight, and laugh in the face of court warrants that allow that evidence to be seized and searched?
How can you ever establish that X said Y to Z, or that A planned to meet B at C, if every popular messaging system implements end-to-end encryption, so that service providers simply cannot intercept or decode any messages, even if a court warrant issued in a scrupulously fair way demands them to do so?
We cant weaken our current encryption systems if we want to stay ahead of cybercriminals and nation-state enemies; in fact, we need to keep strengthening and improving the encryption we have, because (as cryptographers like to say), attacks only ever get better.
But were also told that we need to weaken our encryption systems if we want to be able to detect and prevent the criminals and nation-state enemies in our midst.
The dilemma here should be obvious: if we weaken our encryption systems on purpose to make it easier and easier to catch someone, we simultaneously make it easier and easier for anyone to prey successfully on everyone.
O, what a tangled web we weave!
Theres an additional issue here caused by the fact that uncrackable end-to-end encryption is now freely available to anyone who cares to use it for example, in the form of globally available open source software. Therefore, compelling law-abiding citizens to use weakened encryption would make things even better for the crooks, who are not law-abiding citizens in the first place and are unlikely to comply with any weak crypto laws anyway.
Governments typically propose a range of systems to solve the strong encryption problem, such as:
The problem with all these solutions is that they can all be considered variations on the master key theme.
Endpoint interception only when its needed is just a specialised, once-in-a-while case of general message escrow; message escrow is just a specialised case of a master key; and a deliberate cryptographic flaw is just a complicated sort of master key wrapped up in the algorithm itself.
They all open up a glaring threat, namely, What happens when the Bad Guys uncover the secrets behind the message cracking system?
Simply put: how on earth do you keep the master key safe, and how do you decide who gets to use it anyway?
The DOJ seems to think that it can find a Holy Grail for lawful interception, or at least expects the private sector to come up with one:
We challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.
Wed love to think that this is possible, but in case you were wondering were sticking to what we call our #nobackdoors principles:
[At Sophos,] our ethos and development practices prohibit backdoors or any other means of compromising the strength of any of our products network, endpoint or cloud security for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to intentionally weaken the security of its products.
Where you do stand in this perennial debate?
Have your say in the comments below. (If you omit your name, you will default to being Anonymous.)
- Five Eyes Call for Tech World to Weaken Encryption - ClearanceJobs - ClearanceJobs - October 17th, 2020
- Zoom Begins Rollout of End-To-End Encryption - My TechDecisions - TechDecisions - October 17th, 2020
- Could homomorphic encryption be the solution to big data's problem? - Siliconrepublic.com - October 17th, 2020
- U.S., UK and other countries warn tech firms that encryption creates 'severe risks' to public safety - CNBC - October 17th, 2020
- Is Signal secure? How the messaging app protects privacy - Business Insider - Business Insider - October 17th, 2020
- AeroVironment and Viasat to aim to improve radio encryption for Puma AE - Flightglobal - October 17th, 2020
- Encryption Backdoor? The Trump Administration Wants It. - The National Interest - October 17th, 2020
- How to use private conversations on Skype to send encrypted calls and messages - Business Insider India - October 17th, 2020
- AES Encryption Software Industry Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top... - October 17th, 2020
- Trustifi Named Overall Encryption Solution Provider of the Year in 2020 CyberSecurity Breakthrough Awards Program - GlobeNewswire - October 17th, 2020
- ACLU and EFF Call DOJ's Encryption Dream a Nightmare - L.A. Weekly - October 17th, 2020
- Global Database Encryption Market Expected to reach highest CAGR in forecast period : International Business Machines Corporation, Symantec... - October 17th, 2020
- Feds, 'Five Eyes' Allies Take Another Swing at Encryption Policy Changes - MeriTalk - October 13th, 2020
- Homomorphic encryption tools find their niche - CSO Online - October 13th, 2020
- Mission Impossible: 7 Countries Tell Facebook To Break Encryption - Forbes - October 13th, 2020
- Dutton pushes against encryption yet again but oversight at home is slow - ZDNet - October 13th, 2020
- Western governments double down efforts to curtail end-to-end encryption - The Daily Swig - October 13th, 2020
- Fuse Analytics integration with StrongSalt offers Enterprise Information Archiving with GDPR protections - PR Web - October 13th, 2020
- Is Signal Safe? What to Know About the New Encrypted Messaging App - Parentology - October 13th, 2020
- Five Eyes alliance warning: 'Encryption creates severe risks to public safety' - New Zealand Herald - October 13th, 2020
- Privateness or youngster safety? 7 governments, together with US & UK, argue Fb's new encryption plan would profit PEDOPHILES - Editorials 360 - October 13th, 2020
- Optical Encryption Market Analysis And Demand With Forecast Overview To 2025 - Express Journal - October 13th, 2020
- Encrypted messages don't always stay private. Here's what that means for you - CNET - October 11th, 2020
- EARN IT Act a Dire Threat to Encryption, Speech Online, Critics Say - Decrypt - October 11th, 2020
- Analyzing Impacts of Covid-19 on Cloud Encryption Software Market Effects, Aftermath, Global Industry Challenges, Business Overview and Forecast To... - October 11th, 2020
- Parts of the Election System Are Ripe for Hacking: 'Encryption? We Don't Do That' - Josh Kurtz - October 6th, 2020
- WikiLeaks led the way for newsrooms to use encryption to protect sources, says Italian journalist - ComputerWeekly.com - October 6th, 2020
- Global Encryption Software Market 2020 Industry Size, Shares and Upcoming Trends 2025 - Reported Times - October 6th, 2020
- Encryption Software Market 2020 2027: Recent Trends, Growth Opportunities and Business Development Strategies By IBM, Trend Micro, Symantec, McaFee,... - October 6th, 2020
- Encryption Key Management Market Research By Growth, Competitive Methods And Forecast To 2026 - The Daily Chronicle - October 6th, 2020
- Global Hardware-based Full Disk Encryption Market Size, Share, Trends, CAGR by Technology, Key Players, Regions, Cost, Revenue and Forecast 2020 to... - October 6th, 2020
- Global Encryption Software Market 2020 | Know the Companies List Could Potentially Benefit or Loose out From the Impact of COVID-19 | Top Companies:... - October 6th, 2020
- Stay Tuned with the Epic Battle in the Encryption Key Management Market - The Daily Chronicle - October 6th, 2020
- Hardware-based Full Disk Encryption Market To Drive Highest Growth By 2027 With Leading Key Players: Seagate Technology PLC, Western Digital Corp,... - October 6th, 2020
- Encrypted USB flash drive you can unlock with your smartphone (or Apple Watch) - ZDNet - October 6th, 2020
- Global Mobile Encryption Market is slated to grow rapidly in the coming years: McAfee(Intel Corporation), Blackberry, T-Systems International, ESET,... - October 6th, 2020
- Cloud Encryption Software Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2026 - The Daily Chronicle - October 6th, 2020
- Best Encryption Software in 2020 - Latest Quadrant Ranking Released by 360Quadrants - PRNewswire - September 30th, 2020
- 4 Reasons Why Encryption Is a Must for Data Protection - CIOReview - September 30th, 2020
- Prospective Node Operators Stake $125M in ETH to Participate in NuCypher Encryption Network - CoinDesk - Coindesk - September 30th, 2020
- Fortanix Partners with VMware to Enable Cloud Service Providers to Deliver Data Security as a Service - GlobeNewswire - September 30th, 2020
- SanDisks latest portable SSDs have boosted speed and security - The Verge - September 30th, 2020
- What Facebook users need to know about end-to-end encryption - Fast Company - September 30th, 2020
- Whats really up with your secure WhatsApp chats - Mint - September 30th, 2020
- Hardware Encryption Technology Market Trends Together With Growth Forecast To 2026 - The Daily Chronicle - September 30th, 2020
- Global Cloud Encryption Market- Industry Analysis and forecast 2020 2027: By Industrial verticals, Services, and Region. - Unica News - September 30th, 2020
- Global Hardware-based Full Disk Encryption (FDE) Market to Witness a Pronounce Growth During 2020-2026 - The Daily Chronicle - September 30th, 2020
- Global Cloud Encryption Technology Market with (Covid-19) Impact Analysis: Growth, Latest Trend Analysis and Forecast 2026 - The Daily Chronicle - September 30th, 2020
- Global Email Encryption Software Market Report 2020-2027: Production Capacity and Consumption Analysis by Regions and Country Wise - Crypto Daily - September 30th, 2020
- Cloud Encryption Service Market 2020 | Detailed Analysis, Growth, Research and Forecast - The Daily Chronicle - September 30th, 2020
- Database Encryption Market Potential Growth, Size, Share, Demand and Analysis of Key Players Research Forecasts to 2027 - The Daily Chronicle - September 30th, 2020
- Optical Encryption Industry 2020 Includes The Major Application Segments And Size In The Global Market To 2026 - The Daily Chronicle - September 30th, 2020
- Hardware Based Encryption Market Projected to Be Resilient During 2020-2025 - The Market Records - September 30th, 2020
- Hardware Encryption Market (2020-2026) | Where Should Participant Focus To Gain Maximum ROI | Exclusive Report By DataIntelo - Crypto Daily - September 30th, 2020
- Ring plans to offer end-to-end encryption by the end of the year - The Verge - September 29th, 2020
- Encryption Software Market Comprehensive Study With Key Trends, Major Drivers And Challenges 2020-2026 - The Market Records - September 29th, 2020
- Ring to offer opt-in end-to-end encryption for videos beginning later this year - TechCrunch - September 29th, 2020
- WhatsApp Encryption Is Not Foolproof; Chats Can Be Accessed In These Ways - Yahoo India News - September 29th, 2020
- Hardware-based Full Disk Encryption (FDE) Market Forecast to 2027 Covid-19 Impact and Global Analysis by Type, Deployment Type and Industry Vertical... - September 29th, 2020
- EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption - Techdirt - September 29th, 2020
- Encryption Software Market Report Examines Growth Overview And Predictions On Size, Share And Trend Through 2025 - The Daily Chronicle - September 29th, 2020
- Russia Is Trying Something New to Isolate Its Internet From the Rest of the World - Slate - September 29th, 2020
- Network Encryption Market From 2020-2026: Growth Analysis By Manufacturers, Regions, Types And Applications - The Daily Chronicle - September 29th, 2020
- Encryption Software Market Size, Analytical Overview, Key Players, Growth Factors, Demand, Trends And Forecast to 2027 - The Daily Chronicle - September 29th, 2020
- Top Technologies To Achieve Security And Privacy Of Sensitive Data In AI Models - Analytics India Magazine - September 29th, 2020
- Database Encryption Market Analysis and the Impact of COVID-19 Key Vendors, Growth Rate and Forecast To 2028 - The Daily Chronicle - September 29th, 2020
- Cloud Encryption Technology Market Size, Analytical Overview, Key Players, Growth Factors, Demand, Trends And Forecast to 2027 - The Daily Chronicle - September 29th, 2020
- Cloud Encryption Market 2020 Global Share, Growth, Size, Opportunities, Trends, Regional Overview, Leading Company Analysis And Forecast To 2026 |... - September 29th, 2020
- WhatsApp says end-to-end encryption to protects chats among app however not cloud backups - Stanford Arts Review - September 29th, 2020
- Cloud Encryption Market 2020-2028 Research Report| Know The Growth Factors and Future Scope - The Daily Chronicle - September 25th, 2020
- Cloud Encryption Market to Witness Astonishing Growth by 2026 | Ciphercloud, Gemalto, Hytrust and more - Crypto Daily - September 25th, 2020
- One Way to Prevent Police From Surveilling Your Phone - The Intercept - September 25th, 2020
- COVID-19 Impact on Global Encryption Software Market Report to Share Key Aspects of the Industry with the details of Influence Factors - Scientect - September 4th, 2020
- Encryption Software Market: Regional Overview and Trends Evaluation to 2026 - Fractovia News - September 4th, 2020
- Encryption Software Market is Expected to reach $2.16 billion by 2020| Growing at a CAGR (compounded annual growth rate) of CAGR of 14.27% from 2014... - September 4th, 2020
- WD unveils encrypted ArmorLock SSD that unlocks using your smartphone - 9to5Toys - September 4th, 2020
- Encryption Software Market report, upcoming trends, share report, growth size, industry players and global forecast to 2025 - Galus Australis - September 4th, 2020
- COVID-19 Impact on Global Encryption Software Market: Global Industry Analysis by Size, Share, Growth, Trends and Forecast 2020 2025 - The Daily... - September 4th, 2020
- Hardware Encryption Technology Steady Growth to be Witnessed by 2019-2029 - The News Brok - September 4th, 2020
- Encryption Software Market to Witness Astonishing Growth by 2026 | Dell , Eset , Gemalto and more - The Daily Chronicle - September 4th, 2020