FBI's War On Encryption Is Unnecessary

Uploaded on 2016-02-23 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

The war on encryption waged by the FBI and other intelligence agencies is unnecessary, because the data trails we voluntarily leak allow “Internet of Things” devices and social media networks to track us in ways the government can access.

That's the short version of what's in “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” a study published today by the Berkman Center for Internet and Society at Harvard.

The title references the government's argument that “encrypted communications are creating a 'going dark' crisis that will keep them from tracking terrorists and kidnappers,” as David E. Sanger explains in his coverage at the New York Times.

In the last year, conversations around surveillance have centered on the use of encryption in communications technologies. The decisions of Apple, Google, and other major providers of communications services and products to enable end-to-end encryption in certain applications, on smartphone operating systems, as well as default encryption of mobile devices, at the same time that terrorist groups seek to use encryption to conceal their communication from surveillance, has fueled this debate.

The US intelligence and law enforcement communities view this trend with varying degrees of alarm, alleging that their interception capabilities are “going dark.” As they describe it, companies are increasingly adopting technological architectures that inhibit the government’s ability to obtain access to communications, even in circumstances that satisfy the Fourth Amendment’s warrant requirements.

Encryption is the hallmark of these architectures. Government officials are concerned because, without access to communications, they fear they may not be able to prevent terrorist attacks and investigate and prosecute criminal activity. Their solution is to force companies to maintain access to user communications and data, and provide that access to law enforcement on demand, pursuant to the applicable legal process.

However, the private sector has resisted. Critics fear that architectures geared to guarantee such access would compromise the security and privacy of users around the world, while also hurting the economic viability of US companies. They also dispute the degree to which the proposed solutions would truly prevent terrorists and criminals from communicating in mediums resistant to surveillance.

Leading much of the debate on behalf of the US government is the Department of Justice, including the Federal Bureau of Investigation, whose leaders have commented on the matter in numerous public statements, speeches, and Congressional testimony throughout 2014 and 2015. After nearly a year of discourse, which included numerous statements critical of the government’s position from former US intelligence officials and security technologists, the White House declared in October 2015 it would not pursue a legislative fix in the near future.

However, this decision has not brought closure. The FBI has since focused its energy on encouraging companies to voluntarily find solutions that address the investigative concerns. Most recently, terrorist attacks in San Bernardino, Paris, and elsewhere around the world, along with rising concern about the terrorist group ISIS, have focused increased attention on the issues of surveillance and encryption. These developments have led to renewed calls, including among US Presidential candidates, for the government and private sector to work together on the going dark issue and for the Obama administration to reconsider its position.

The “findings” section is chilling. Basically, they're saying the government won't have any problem tracking us and surveilling our communications, because we're freely sharing a lot of very revealing personal data and metadata to third parties, all day, every day, security be damned. “Internet of Things” connected devices, social media, and everywhere else you're leaking data without encryption? All of those are accessible sources of data for intelligence agencies or law enforcement.

In short, our findings are:

  • End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
  • Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
  • Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
  • Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
  • These trends raise novel questions about how we will protect individual privacy and security in the future. Today’s debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.

The Harvard study, funded by the Hewlett Foundation, was unusual because it involved technical experts, civil libertarians and officials who are, or have been, on the forefront of counterterrorism. Larry Kramer, the former dean of Stanford Law School, who heads the foundation, noted Friday that until now “the policy debate has been impeded by gaps in trust between academia, civil society, the private sector and the intelligence community” that have impeded the evolution of a “safe, open and resilient Internet.”

Among the chief authors of the report is Matthew G. Olsen, who was a director of the National Counterterrorism Center under Mr. Obama and a general counsel of the National Security Agency.

Two current senior officials of the NSA, John DeLong, the head of the agency’s Commercial Solutions Center, and Anne Neuberger, the agency’s chief risk officer, are described in the report as “core members” of the group, but did not sign the report because they could not act on behalf of the agency or the United States government in endorsing its conclusions, government officials said.

BoingBoing: http://bit.ly/1WCXStm

« Why Aren’t Cyber Criminals Being Brought to Justice?
Strategic Intelligence For The 21st Century. »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

National Cyber Directorate Israel

National Cyber Directorate Israel

The Israeli National Cyber Directorate provides incident handling services for civilian entities and critical infrastructures and works to increase national resilience against cyber threats.

Association of Information Security Professionals (AISP)

Association of Information Security Professionals (AISP)

The Association of Information Security Professionals (AISP) represents the interests of information security professionals in Singapore.

Seagate Technology

Seagate Technology

Seagate data storage systems are purpose-built for enterprise and data centre performance, scalability, reliability and security.

BlueID

BlueID

BlueID is an IDaaS technology product which enables your objects to securely connect and interact with your users’ smart phones and smart watches.

Oxford BioChronometrics

Oxford BioChronometrics

By building profiles based on electronically Defined Natural Attributes, or e-DNA, Oxford BioChronometrics protects digital networks, communities, individuals and other online assets from fraud.

Subex

Subex

Subex leverages its award-winning telecom analytics solutions in areas such as Revenue Assurance, Fraud Management, Asset Assurance and Partner Management, and IoT Security.

Rogue Wave Software

Rogue Wave Software

At Rogue Wave, our mission is to simplify your hardest problems, improve software quality and security, and shorten the time it takes to deliver value.

SolutionsPT

SolutionsPT

SolutionsPT enables customers to strengthen their Operational Technology (OT) network to meet the ever increasing demand for performance, availability, connectivity and security.

Center for Long-Term Cybersecurity (CLTC)

Center for Long-Term Cybersecurity (CLTC)

The Center for Long-Term Cybersecurity is developing and shaping cybersecurity research and practice based on a long-term vision of the internet and its future.

Sysorex Government Services

Sysorex Government Services

Sysorex Government Services helps customers meet their strategic missions by providing secure, optimized IT solutions that allow them to perform more efficiently and effectively.

VerSprite

VerSprite

VerSprite is a specialist information security consulting firm. We provide organizations with detection across all their attack surfaces and deliver critical insight into all possible attack methods.

Bolster

Bolster

Bolster (formerly RedMarlin) is an AI-based cyber-security platform designed to detect phishing and fraudulent sites in real-time.

OptimEyes.ai

OptimEyes.ai

OptimEyes.ai is a unique AI-powered, on-demand SaaS solution for cyber-security, data privacy and compliance risk modeling.

The IoT Academy

The IoT Academy

The IoT Academy is a reputed Ed-Tech Institute that provides training in emerging technologies such as embedded systems, the Internet of Things (IoT), Data Science and many more.

Third Point Ventures

Third Point Ventures

Third Point brings deep technical expertise, a strong network of relationships, and decades of investing experience to add value to our partners throughout their journey from idea to IPO and beyond.

Airlock Digital

Airlock Digital

Airlock Digital was created after many years of experience in implementing whitelisting/ allowlisting solutions in Federal Government and various enterprises in Australia.