The US Department of Justice (DOJ), together with government representatives from six other countries, has recently re-ignited the perennial Battle to Break Encryption.
Last weekend, the DOJ put out a press release co-signed by the governments of the UK, Australia, New Zealand, Canada, India and Japan, entitled International Statement: End-To-End Encryption and Public Safety.
You might not have seen the press release (it was put out on Sunday, an unusual day for news releases in the West), but you can almost certainly guess what it says.
Two things, mainly: think of the children, and something needs to be done.
If youre a regular reader of Naked Security, youll be familiar with the long-running tension that exists in many countries over the use of encryption.
Very often, one part of the public service the data protection regulator, for instance will be tasked with encouraging companies to adopt strong encryption in order to protect their customers, guard our privacy, and make life harder for cybercriminals.
Indeed, without strong encryption, technologies that we have come to rely upon, such as e-commerce and teleconferencing, would be unsafe and unusable.
Criminals would be trivially able to hijack financial transactions, for example, and hostile countries would be able to eavesdrop on our business and run off with our trade secrets at will.
Even worse, without a cryptographic property known as forward secrecy, determined adversaries can intercept your communications today, even if they arent crackable now, and realistically hope to crack them in the future.
Without forward secrecy, a later compromise of your master encryption key might grant the attackers instant retrospective access to their stash of scrambled documents, allowing them to rewind the clock and decrypt old communications at will.
So, modern encryption schemes dont just encrypt network traffic with your long-term encryption keys, but add in what are known as ephemeral keys into the mix one-time encryption secrets for each communication session that are discarded after use.
The theory is that if you didnt decrypt the communication at the time it was sent, you wont be able to go back and do so later on.
Unfortunately, forward secrecy still isnt as widely supported by websites, or as widely enforced, as you might expect. Many servers still accept connections that reuse long-term encryption keys, presumably because a significant minority of their visitors are using old browsers that dont support forward secrecy, or dont ask to use it.
Similarly, we increasingly rely upon what is known as end-to-end encryption, where data is encrypted for the sole use of its final recipient and is only ever passed along its journey in a fully scrambled and tamper-proof form.
Even if the message is created by a proprietary app that sends it through a specific providers cloud service, the company that operates the service doesnt get the decryption key for the message.
That means that the service provider cant decrypt the message as it passes through their servers, or if it is stored there for later not for their own reasons; not if theyre told to; and not even if you yourself beg them to recover it for you because youve lost the original copy.
Without end-to-end encryption, a determined adversary could eavesdrop on your messages by doing the digital equivalent of steaming them open along the way, copying the contents, and then resealing them in an identical-looking envelope before passing them along the line.
Theyd still be encrypted when they got to you, but you wouldnt be sure whether theyd been decrypted and re-encrypted along the way.
At the same time, another part of the government will be arguing that strong encryption plays into the hands of terrorists and criminals especially child abusers because, well, because strong encryption is too strong, and gets in the way even of reasonable, lawful, court-approved surveillance and evidence collection.
As a result, justice departments, law enforcement agencies and politicians often come out swinging, demanding that we switch to encryption systems that are weak enough that they can crack into the communications and the stored data of cybercriminals if they really need to.
After all, if crooks and terrorists can communicate and exchange data in a way that is essentially uncrackable, say law enforcers, how will we ever be able to get enough evidence to investigate criminals and convict them after something bad has taken place?
Even worse, we wont be able to collect enough proactive evidence intelligence, in the jargon to stop criminals while they are still at the conspiracy stage, and therefore crimes will become easier and easier to plan, and harder and harder to prevent.
These are, of course, reasonable concerns, and cant simply be dismissed out of hand.
As the DOJ press release puts it:
[T]here is increasing consensus across governments and international institutions that action must be taken: while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online.
After all, in countries such as the UK and the US, the criminal justice system is largely based on an adversarial process that starts with the presumption of a defendants innocence, and convictions depend not merely on evidence that is credible and highly likely to be correct, but on being sure beyond reasonable doubt.
But how can you come up with the required level of proof if criminals can routinely and easily hide the evidence in plain sight, and laugh in the face of court warrants that allow that evidence to be seized and searched?
How can you ever establish that X said Y to Z, or that A planned to meet B at C, if every popular messaging system implements end-to-end encryption, so that service providers simply cannot intercept or decode any messages, even if a court warrant issued in a scrupulously fair way demands them to do so?
We cant weaken our current encryption systems if we want to stay ahead of cybercriminals and nation-state enemies; in fact, we need to keep strengthening and improving the encryption we have, because (as cryptographers like to say), attacks only ever get better.
But were also told that we need to weaken our encryption systems if we want to be able to detect and prevent the criminals and nation-state enemies in our midst.
The dilemma here should be obvious: if we weaken our encryption systems on purpose to make it easier and easier to catch someone, we simultaneously make it easier and easier for anyone to prey successfully on everyone.
O, what a tangled web we weave!
Theres an additional issue here caused by the fact that uncrackable end-to-end encryption is now freely available to anyone who cares to use it for example, in the form of globally available open source software. Therefore, compelling law-abiding citizens to use weakened encryption would make things even better for the crooks, who are not law-abiding citizens in the first place and are unlikely to comply with any weak crypto laws anyway.
Governments typically propose a range of systems to solve the strong encryption problem, such as:
The problem with all these solutions is that they can all be considered variations on the master key theme.
Endpoint interception only when its needed is just a specialised, once-in-a-while case of general message escrow; message escrow is just a specialised case of a master key; and a deliberate cryptographic flaw is just a complicated sort of master key wrapped up in the algorithm itself.
They all open up a glaring threat, namely, What happens when the Bad Guys uncover the secrets behind the message cracking system?
Simply put: how on earth do you keep the master key safe, and how do you decide who gets to use it anyway?
The DOJ seems to think that it can find a Holy Grail for lawful interception, or at least expects the private sector to come up with one:
We challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.
Wed love to think that this is possible, but in case you were wondering were sticking to what we call our #nobackdoors principles:
[At Sophos,] our ethos and development practices prohibit backdoors or any other means of compromising the strength of any of our products network, endpoint or cloud security for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to intentionally weaken the security of its products.
Where you do stand in this perennial debate?
Have your say in the comments below. (If you omit your name, you will default to being Anonymous.)
- All About Encryption Backdoors - Hashed Out by The SSL Store - Hashed Out by The SSL Store - January 25th, 2021
- Global Database Encryption Market Snapshot Analysis and Increasing Growth Demand by Forecast To 2025 The Courier - The Courier - January 25th, 2021
- Hardware Encryption Market worth $313 million by 2025 - Exclusive Report by MarketsandMarkets - PRNewswire - January 25th, 2021
- Encryption Software Market to Reach USD 24.94 billion by 2027; Surging Cyber Security Threats to Improve Sales Prospects, states Fortune Business... - January 25th, 2021
- Facebook has accepted that encryption will damage the child protection program from its platform - Digital Information World - January 25th, 2021
- Facebook admits encryption will harm efforts to prevent child exploitation - The Guardian - January 25th, 2021
- Disk Encryption Market Analysis And Demand With Forecast Overview To 2027 - KSU | The Sentinel Newspaper - January 25th, 2021
- Following a Year of Privacy Worries and Security Breaches, Ring Implements End-to-End Encryption - CPO Magazine - January 25th, 2021
- Encryption Key Management Market 2021 to Perceive Biggest Trend and Opportunity by 2028 - KSU | The Sentinel Newspaper - January 25th, 2021
- Outlook on the Endpoint Encryption Market to 2025 by Application, End-user an - Business-newsupdate.com - January 25th, 2021
- Covid-19 Positive Impact on Encryption Software Market 2021-2027 |Gemalto (Amsterdam,Netherlands), Symantec (California,US), Dell (Texas,US), Sophos... - January 25th, 2021
- Ring adds end-to-end video encryption to its doorbells and security cameras at CES 2021 - CNET - January 14th, 2021
- Encrypted Phones iPhone and Android Encryption - Reader's Digest - January 14th, 2021
- Millions Flock to Telegram and Signal as Fears Grow Over Big Tech - The New York Times - January 14th, 2021
- Signal, the encrypted messaging app and WhatsApp alternative, explained - Vox.com - January 14th, 2021
- Heres why Telegram does not offer end-to-end encryption by default - The Indian Express - January 14th, 2021
- Mobile Encryption Market Structure, Industry Inspection, and Forecast 2025 - Business-newsupdate.com - January 14th, 2021
- Comprehensive Report on Email Encryption Market 2020 | Size, Growth, Demand, Opportunities & Forecast To 2030 - KSU | The Sentinel Newspaper - January 14th, 2021
- The World's Only Processor Family with Full Memory Encryption* - PCWorld - January 14th, 2021
- What is Signal? The basics of the most secure messaging app. - Mashable - January 14th, 2021
- WhatsApp chats are encrypted so how will Facebook use chat data for ads? This is how - India Today - January 14th, 2021
- Encryption Software Market Current and Future Industry Trends, 2020-2025 - AlgosOnline - January 14th, 2021
- What Is Signal, and Why Is Everyone Using It? - How-To Geek - January 14th, 2021
- Data Encryption Market Analysis and In-depth Research on Size, Trends, Emerging Growth Factors and Forecasts 2026 - Murphy's Hockey Law - January 14th, 2021
- Elon Musk says to use Signal instead of Facebook. What to know about the messaging app - CNET - January 10th, 2021
- Global Document Encryption Software Market 2020 Industry Analysis, Key Drivers, Business Strategy, Opportunities and Forecast to 2025 The Sentinel... - January 10th, 2021
- Encryption Software Market Segmentation and Analysis by Recent Trends, Development and Growth by Regions to 2026 - Farming Sector - January 10th, 2021
- Homomorphic Encryption Market 2020 | COVID-19 Impact With Top Key Players, Trends, Overview, Insights And Outlook 2027 : Cosmian, CryptoExperts,... - January 10th, 2021
- Global Email Encryption Market Expected to reach highest CAGR by 2025 : Hewlett-Packard, Symantec Corporation, Cisco Systems, Mcafee (Intel), Trend... - January 10th, 2021
- Homomorhpic Encryption Market Latest Innovations, Analysis, Business Opportunities, Overview, Component, Industry Revenue and Forecast - LionLowdown - January 10th, 2021
- Homomorphic Encryption Market Forecast 2021-2027, Latest Trends and Opportunities|Microsoft (US), IBM Corporation (US), Galois Inc (US) - Farming... - January 10th, 2021
- Are We Heading Towards EU Legislation Banning End-to-End Encryption? - Lexology - December 29th, 2020
- Encryption Software Market Trending Technologies, Industry Growth, Share, Opportunities, Developments And Forecast - LionLowdown - December 29th, 2020
- Signals famous encryption may have been cracked - TechRadar - December 29th, 2020
- AES Encryption Software Market 2021: Comprehensive Analysis and Growth Forecast - NeighborWebSJ - December 29th, 2020
- Encryption, zero trust and the quantum threat security predictions for 2021 - BetaNews - December 29th, 2020
- Encryption Software Market By Business Analysis, Industry Types, Demand, Capacity, Applications, Services, Innovations and Forecast 2025 - Farming... - December 29th, 2020
- Encryption Software Market Size 2020 by Top Key Players, Global Trend, Types, Applications, Regional Demand, Forecast to 2027 - LionLowdown - December 29th, 2020
- How to Securely Send Sensitive Information over the Internet - TechBullion - December 29th, 2020
- In 2020, Congress Threatened Our Speech and Security With the EARN IT Act - EFF - December 29th, 2020
- Encryption Key Management Market Key Trends and how do they Impact the Specific Regions - NeighborWebSJ - December 29th, 2020
- The ACLU Is Suing For Info On The FBI's Encryption Breaking Capabilities - Gizmodo - December 29th, 2020
- Encrypting data is the key to a peaceful New Year (Includes interview) - Digital Journal - December 29th, 2020
- Proton's Calendar Platform With End-to-End Encryption Now Available as an Android App - News18 - December 29th, 2020
- Encryption Software Market 2020: COVID19 Impact on Industry Growth, Trends, Top Manufacturer, Regional Analysis and Forecast to 2027 - The Monitor - December 29th, 2020
- The Same U.S. Government That Wants To Weaken Our Encryption Just Got Massively Hacked - Reason - December 15th, 2020
- How to Enable End-to-End Encryption in Google Messages - Lifehacker - December 15th, 2020
- Ransomware gangs are getting faster at encrypting networks. That will make them harder to stop - ZDNet - December 15th, 2020
- UK has not ordered 'backdoor access' to WhatsApp messages - but could issue injunction against Facebook's encryption plans - Sky News - December 15th, 2020
- From the bottom of the sea rose a piece of encrypted history. What were the Nazi Enigmas? - The Indian Express - December 15th, 2020
- Global Cloud Encryption Software Market To Witness Huge Gains Over 2020-2026 - The Courier - December 15th, 2020
- Google Messages End-to-End Encryption Guide: How It Works on Android - Tech Times - December 15th, 2020
- Facebooks encryption could prevent MI5 and police from stopping terror attacks and child abuse - Telegraph.co.uk - December 15th, 2020
- S'pore seizes $5.3m in illicit funds linked to Canadian network used by crime syndicates - The Straits Times - December 15th, 2020
- Encrypted messaging could increase child abuse cases, report warns - E&T Magazine - December 9th, 2020
- A Balanced DNS Information Protection Strategy: Minimize at Root, TLD; Encrypt When Needed Elsewhere - CircleID - December 9th, 2020
- Protecting consumer data is leading driver for encryption in Middle East: report - Gulf Business - December 9th, 2020
- Insights on the Cloud Encryption Software Market 2020-2024: COVID-19 Industry Analysis, Market Trends, Market Growth, Opportunities and Forecast 2024... - December 9th, 2020
- Commercial Encryption Software Market Trends, Growth, Analysis, Opportunities and Overview by 2026 - Murphy's Hockey Law - December 9th, 2020
- Does opening a 'back door' to encrypted communications create a whole new raft of problems? How can firms promise privacy if there is official access?... - December 9th, 2020
- Enigma encryption machine used by Nazis in World War II found on bottom of ocean - ABC News - December 9th, 2020
- Encryption Software Market 2020 | Latest Trend, Swot Analysis, Covid-19 Impact And Forecast - The Haitian-Caribbean News Network - December 9th, 2020
- Data Encryption Market Size with Business Opportunity, Challenges, Standardization, Competitive Intelligence and Regional Analysis - The... - December 9th, 2020
- COVID-19 Update: Global Encryption Software Market is Expected to Grow at a Healthy CAGR with Top players: Dell , Eset , Gemalto , IBM , Mcafee , etc.... - December 9th, 2020
- SSL-based threats remain prevalent and are becoming increasingly sophisticated. - The CyberWire - December 9th, 2020
- What Is the Signal Encryption Protocol? - WIRED - November 30th, 2020
- Data Protection | The Pros and Cons of End-to-End Encryption - DIGIT.FYI - November 30th, 2020
- Encryption Software Market Overview, Growth, Types, Applications, Dynamics, Companies, Regions, & Forecast to 2026 - The Haitian-Caribbean News... - November 30th, 2020
- Encryption Software Market to Witness Astonishing Growth by 2027 | Dell , Eset , Gemalto and more - Cheshire Media - November 30th, 2020
- EU targets end-to-end encryption tools after rise in terror attacks - DIGIT.FYI - November 30th, 2020
- European Legislators Move to Eliminate End-to-End Encryption in Messaging Services Following Terror Attacks - Digital Information World - November 30th, 2020
- Facebook urged to end encryption to help cops stop paedophiles using app - The Sun - November 30th, 2020
- Inside the French governments mission to develop an encrypted messaging platform - NS Tech - November 30th, 2020
- Hardware-based Full Disk Encryption Market Size, Key Manufacturers, Demand, Application And Opportunities By 2027 - The Haitian-Caribbean News Network - November 30th, 2020
- The tech and security backends that keep your data safe - Business MattersBusiness Matters - November 30th, 2020
- Encryption Software Market Expected to Boost the Global Industry Growth in the Near Future - Cheshire Media - November 30th, 2020
- Commercial Encryption Software Market Will Generate Record Revenue by 2025 - The Haitian-Caribbean News Network - November 30th, 2020
- Symmetric Encryption Algorithms: Live Long & Encrypt - Hashed Out by The SSL Store - Hashed Out by The SSL Store - November 24th, 2020
- Google plans to test end-to-end encryption in Android messages - TechCrunch - November 24th, 2020
- Google Messages Set to Roll Out End-to-End Encryption - Infosecurity Magazine - November 24th, 2020