Changing Surveillance Techniques for Changed Communications Technologies

New paper by Peter P. Swire -- "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud":

Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:

(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.

(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.

(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.

(4) The "haves" and "have-nots." The first three changes create a new division between the "haves" and "have-nots" when it comes to government access to communications. The "have-nots" become increasingly dependent, for access to communications, on cooperation from the "have" jurisdictions.

Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.

Posted on June 11, 2012 at 6:36 AM • 15 Comments

Comments

llewellyJune 11, 2012 10:29 AM

Amusing implication: By using encryption, we favor the NSA over the local police.

NobodySpecialJune 11, 2012 12:11 PM

Even more amusing it drives 'sensitive' data offshore.

If you don't want the NSA to have back- door access to your data your best option at the moment is to put it on a Russian or Chinese server!


paulJune 11, 2012 12:52 PM

This feels like deja vu all over again. CALEA, after all, was all about "people are using bits, we don't have alligator clips for bits; people are using encryption, we have to have a plaintext port."

But on thing that isn't mentioned here is the regulatory arbitrage: in most cases, anything stored in the cloud is a belongs to the cloud provider for purposes of disclosure, so there's potentially much less hassle about warrants and subpoenas and suchlike.

(Perhaps of interest to only to old fogies: law enforcement officials back in the 80s and 90s made the argument that electronic communications seizures weren't subject to wiretapping law because the information wasn't actually seized in transit on a wire, but instead lifted from RAM or disk. It took a while for courts to slap them down on that.)

Dirk PraetJune 11, 2012 6:04 PM

It's pretty much inevitable that governments will not only seek but also achieve access to any data, whether it's local, intercepted in transit or stored in the cloud. Most big corps will only be too happy to oblige. Even strong crypto is unlikely to hold them off forever. They'll eventually get around it or put legislation in place forcing people to hand over their keys. I believe this is already the case in the UK.

This predicament does however create an interesting business opportunity for the Catholic Church. It would probably suffise to change Canon Law for (encrypted) data handed over in the form of a digital confession to keep them out of reach of any government, especially when held in data centres at Vatican City. By becoming a cloud provider, they could not only make themselves very relevant again, they'd also be making lots of money and attract converts by the thousands.

This would definitely create a serious issue in many western countries, and to the best of my knowledge even in the US the seal of confession is protected by federal law.

DanielJune 11, 2012 6:14 PM

Now you know why I have been saying that the next privacy battlefield is data retention. The incremental cost of storing data on a hard drive is so low and once it is stored it is there until someone deletes it (and even then if can often be brought back to life) that big corporations and governments can keep track of my on-line activities for an entire life.

I find that profoundly scary because who knows what I do today might be considered illegal 30 years from now. And even if it doesn't land me in jail could be used to embarrass me or blackmail me.

I sometimes get into arguments with family members about what really happened in the past. But thinking through these issue has helped me to understand that maybe one of the greatest attributes of the human mind is that we can forget.

I asked a lawyer friend of mine recently "does the concept of 'statue of limitations' make any sense anymore when so much evidence is now digital and can essentially be preserved forever". He thought that was a good question.

NobodySpecialJune 11, 2012 11:10 PM

@dirk - now you've done it. You've only gone and given Dan Brown an idea for another ****ing awful book!

AC2June 12, 2012 1:40 AM

The paper doesn't offer any new insights or proposed solutions... And it does have an overall smell of "how all this new fangled technology is bad for our good ol' law enforcement officials".

Oh wait, it's written by a Professor of Law... Very well, carry on then...

PaeniteoJune 12, 2012 2:58 AM

@Dirk Praet: "data handed over in the form of a digital confession to keep them out of reach of any government, especially when held in data centres at Vatican City."

Not to mention that this would re-gain the church one of the central advantages of confession: They get to know people's dirty little secrets...

OTOH, one might confess to be in posession of a Truecrypt container, namely 0100101101001011100010110101101... ;-)

Dirk PraetJune 12, 2012 3:38 AM

@ NobodySpecial

Actually, the thought did cross my mind. Let me put it this way: if one of these days I get a call from either Dan Brown or the VC IT Department, I promiss this forum is where we'll be solliciting consultants and ideas for this new and exciting CAAS (Confession As A Service) platform.

llewellyJune 12, 2012 5:54 PM

"Now you know why I have been saying that the next privacy battlefield is data retention."

And again, privacy advocates are in the position of putting a genie back in a bottle.

paulJune 12, 2012 7:43 PM

@Daniel: I think a good devil's advocate argument can be made for even shorter statutes of limitations for some offenses in a digital age. So many offenses are right out in plain sight that if the injured party or law enforcement doesn't get to them in short order, any subsequent prosecution is bound to be arbitrary and capricious.

And although records are more detailed and are kept for longer, there's no guarantee whatever that they're any more accurate. (Imagine, for example, that a debt-collection company appears with a shiny preserved file ostensibly showing that you never paid a final $213 bill to your cable company in the apartment you lived in 20 years ago, and generously offers to settle for $500. The forensics required to determine whether they're lying would cost way more than a settlement.)

And even when torts or crimes are laid out in plain text, memories of context fade. Lengthened statutes of limitations for a lot of things could be a nightmare all round.

DerpJune 14, 2012 7:37 PM

It's a mistake to think the US doesn't have informal lower level cooperation and agreements in place where they can contact a Russian server admin, bribe them and get whatever info of yours they want.

The paper doesn't explain how the problem is 'the cloud' and how it wants to host all your data, encrypt it for you and take a subscription fee. You should encrypt everything yourself, then upload it to their useless cloud.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.