Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Baby Opalescent Squid |
| Israel Demanding Passwords at the Border »
June 11, 2012
Changing Surveillance Techniques for Changed Communications Technologies
New paper by Peter P. Swire -- "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud":
Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:
(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.
(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.
(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.
(4) The "haves" and "have-nots." The first three changes create a new division between the "haves" and "have-nots" when it comes to government access to communications. The "have-nots" become increasingly dependent, for access to communications, on cooperation from the "have" jurisdictions.
Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.
Posted on June 11, 2012 at 6:36 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This feels like deja vu all over again. CALEA, after all, was all about "people are using bits, we don't have alligator clips for bits; people are using encryption, we have to have a plaintext port."
But on thing that isn't mentioned here is the regulatory arbitrage: in most cases, anything stored in the cloud is a belongs to the cloud provider for purposes of disclosure, so there's potentially much less hassle about warrants and subpoenas and suchlike.
(Perhaps of interest to only to old fogies: law enforcement officials back in the 80s and 90s made the argument that electronic communications seizures weren't subject to wiretapping law because the information wasn't actually seized in transit on a wire, but instead lifted from RAM or disk. It took a while for courts to slap them down on that.)
It's pretty much inevitable that governments will not only seek but also achieve access to any data, whether it's local, intercepted in transit or stored in the cloud. Most big corps will only be too happy to oblige. Even strong crypto is unlikely to hold them off forever. They'll eventually get around it or put legislation in place forcing people to hand over their keys. I believe this is already the case in the UK.
This predicament does however create an interesting business opportunity for the Catholic Church. It would probably suffise to change Canon Law for (encrypted) data handed over in the form of a digital confession to keep them out of reach of any government, especially when held in data centres at Vatican City. By becoming a cloud provider, they could not only make themselves very relevant again, they'd also be making lots of money and attract converts by the thousands.
This would definitely create a serious issue in many western countries, and to the best of my knowledge even in the US the seal of confession is protected by federal law.
Now you know why I have been saying that the next privacy battlefield is data retention. The incremental cost of storing data on a hard drive is so low and once it is stored it is there until someone deletes it (and even then if can often be brought back to life) that big corporations and governments can keep track of my on-line activities for an entire life.
I find that profoundly scary because who knows what I do today might be considered illegal 30 years from now. And even if it doesn't land me in jail could be used to embarrass me or blackmail me.
I sometimes get into arguments with family members about what really happened in the past. But thinking through these issue has helped me to understand that maybe one of the greatest attributes of the human mind is that we can forget.
I asked a lawyer friend of mine recently "does the concept of 'statue of limitations' make any sense anymore when so much evidence is now digital and can essentially be preserved forever". He thought that was a good question.
@Dirk Praet: "data handed over in the form of a digital confession to keep them out of reach of any government, especially when held in data centres at Vatican City."
Not to mention that this would re-gain the church one of the central advantages of confession: They get to know people's dirty little secrets...
OTOH, one might confess to be in posession of a Truecrypt container, namely 0100101101001011100010110101101... ;-)
@Daniel: I think a good devil's advocate argument can be made for even shorter statutes of limitations for some offenses in a digital age. So many offenses are right out in plain sight that if the injured party or law enforcement doesn't get to them in short order, any subsequent prosecution is bound to be arbitrary and capricious.
And although records are more detailed and are kept for longer, there's no guarantee whatever that they're any more accurate. (Imagine, for example, that a debt-collection company appears with a shiny preserved file ostensibly showing that you never paid a final $213 bill to your cable company in the apartment you lived in 20 years ago, and generously offers to settle for $500. The forensics required to determine whether they're lying would cost way more than a settlement.)
And even when torts or crimes are laid out in plain text, memories of context fade. Lengthened statutes of limitations for a lot of things could be a nightmare all round.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.