More on Law Enforcement Backdoor Demands

The Carnegie Endowment for International Peace and Princeton University's Center for Information Technology Policy convened an Encryption Working Group to attempt progress on the "going dark" debate. They have released their report: "Moving the Encryption Policy Conversation Forward.

The main contribution seems to be that attempts to backdoor devices like smartphones shouldn't also backdoor communications systems:

Conclusion: There will be no single approach for requests for lawful access that can be applied to every technology or means of communication. More work is necessary, such as that initiated in this paper, to separate the debate into its component parts, examine risks and benefits in greater granularity, and seek better data to inform the debate. Based on our attempt to do this for one particular area, the working group believes that some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed. If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas. Other forms of access to encrypted information, including encrypted data-in-motion, may not offer an achievable balance of risk vs. benefit, and as such are not worth pursuing and should not be the subject of policy changes, at least for now. We believe that to be productive, any approach must separate the issue into its component parts.

I don't believe that backdoor access to encryption data at rest offers "an achievable balance of risk vs. benefit" either, but I agree that the two aspects should be treated independently.

EDITED TO ADD (9/12): This report does an important job moving the debate forward. It advises that policymakers break the issues into component parts. Instead of talking about restricting all encryption, it separates encrypted data at rest (storage) from encrypted data in motion (communication). It advises that policymakers pick the problems they have some chance of solving, and not demand systems that put everyone in danger. For example: no key escrow, and no use of software updates to break into devices).

Data in motion poses challenges that are not present for data at rest. For example, modern cryptographic protocols for data in motion use a separate "session key" for each message, unrelated to the private/public key pairs used to initiate communication, to preserve the message's secrecy independent of other messages (consistent with a concept known as "forward secrecy"). While there are potential techniques for recording, escrowing, or otherwise allowing access to these session keys, by their nature, each would break forward secrecy and related concepts and would create a massive target for criminal and foreign intelligence adversaries. Any technical steps to simplify the collection or tracking of session keys, such as linking keys to other keys or storing keys after they are used, would represent a fundamental weakening of all the communications.

These are all big steps forward given who signed on to the report. Not just the usual suspects, but also Jim Baker -- former general counsel of the FBI -- and Chris Inglis: former deputy director of the NSA.

Posted on September 11, 2019 at 6:11 AM • 26 Comments

Comments

Clive RobinsonSeptember 11, 2019 9:13 AM

Bruce,

The real statment everyone should take to heart is,

    If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas.

Nobody in the FBI or DoJ want's a "constructive dialogue" at any point, they have no wish to listen to reason no matter how valid. Thus the conclusion of,

    ... then there is likely none to be had with respect to any of the other areas.

Holds. Thus the best thing to do is realise that there is only one way to deal with them. Firstly to not engage with them in any way secondly shout them down and show up their falsehoods at every oportunity.

As I've said before they will carry on arguing some trite argument because they know that at some point the eternal vigulance will blink, thus they will be able to slip something by. As they have no real skin in the game they will just keep arguing and pushing till they get what they want, and every citizen losses yet more freedoms for nothing.

The only way to stop this game is to make them have real personal skin in the game not just as an organisation put personally as individuals. Untill then they can only win or draw whilst the citizens can at best hope to draw, whilst losing in the long term.

GokuSeptember 11, 2019 9:30 AM

Weakening encryption on endpoints is a terribly bad idea in an always-on everything-connected world, it is plainly a shortcut to mass data theft, and mass identity forging.

This will bring to unprecedenred level of ddos on two levels:

- secure services, which cannot be broken but will have hard/impossible time telling what the legitimate requests are

- public and private security spending, to investigate the skyroketing identity frauds and privacy breaches on / through weak endpoint machines

Ross SniderSeptember 11, 2019 10:38 AM

For the Department of Justice and FBI, this is about power and control in a post-9/11 security state more than it is about justice or investigative authority. There will always be non-technical means of extracting information out of specific devices for specific investigations subject to warrant, due process and rule of law. Backdoors are their reach for forms of invisible control and management that are subject to secret courts, internal standard operating procedures, and self-enforced private interpretations of law.

Denton ScratchSeptember 11, 2019 10:57 AM

"If we cannot have a constructive dialogue in that easiest of cases"...

What is this "constructive dialogue"? And who is this "we"?

Am I to understand that the CITP considers itself to be on the side of Law Enforcement, in that it is soliciting a dialogue of some kind with the crypto extremists?

There are no half-measures here; either a thing is encrypted, or it is not. If it is encrypted, then you cannot read it unless you have the key. If there is a "backdoor", then it is not really encrypted, just scrambled.

/me didn't bother to read the article. That kind of language totally turned me off.

Ronda HiltonSeptember 11, 2019 11:33 AM

@Ross Snider, well stated, I agree completely. John Miller, NYPD Deputy Commissioner of Intelligence & Counterterrorism, is one of the most vocal demanding backdoors.

JonKnowsNothingSeptember 11, 2019 11:39 AM

@Clive @Bruce et All

Often we suffer generically from the "You Must Share" mindset indoctrination we get from by our parents or starting at school. Generally meant to share toys with siblings or other children.

We carry this misdirected thought though adulthood and it varies in intensity and individual acceptance. Some do not share at all, some share to excess.

We use this methodology to avoid confrontation but even if you share there is a resentment that you HAVE to share. It's not altruism to be forced to share but we try to convince ourselves that "we did a good thing" even when we didn't want to.

The folks in security services use this "Help Us to Help You" and exploit it constantly because It Works. It Works for the most part.

You cannot engage in ANY conversation with such people because they know how to manipulate our behavior. FB didn't write the manual on that, it was already written.

To see just how far they will go to win our "cooperation" The Intercept has more details on what "cooperation" means. It isn't like we don't know, it's that we refuse to "stop sharing" because "our good moral sense" says we have to do so.

In this case, they want Those With Credible Names to help them do what they are already doing.

STOP SHARING. It's OK. They don't give a RA about you, your family, your kids, your dog, your house, your pension, your old age, your life, your death.
(paraphrased from George Carlin).

Harrowing Cables Detail How the CIA Tortured Accused 9/11 Mastermind Khalid Sheikh Mohammed, Jeopardizing the Case Against Him

Daniel DeFraia
September 11 2019, 3:03 p.m.

ht tps://theintercept.com/2019/09/11/khalid-sheikh-mohammed-torture-cia/
(url fractured to prevent autorun)

Jesse ThompsonSeptember 11, 2019 12:47 PM

@Denton Scratch

There are no half-measures here; either a thing is encrypted, or it is not. If it is encrypted, then you cannot read it unless you have the key. If there is a "backdoor", then it is not really encrypted, just scrambled.

I would not consider that a fair perspective at all.

For example, it's perfectly valid for a cryptosystem to use multiple keys. So, by your definition, if a certain implementation of crypto includes a user-key that's different for every user or profile and a master-key that's kept by law enforcement, such that either of those two (presumably well kept lol) keys are able to decrypt any message pertaining to the user in question, then is that data "encrypted" or not?

Because multi-party keys are entirely legitimate and well-vetted crypto primitives, and they are also a very popular suggested implementation of a back door. Yet we're still arguing that that's an unacceptable risk when one of those keys is a globally applicable master key, because the value of that key material grows beyond the capacity for any single system to keep secure. Especially in the face of the volume of surface area of use it's liable to get.

No, I would recommend against any binary mindset of "it's encrypted or it's not" because security has no such absolutes. Security is all about the estimation of risk based upon circumstances at play. What's the value of the asset you're protecting? How much capital is the enemy willing to sacrifice to get it? How many angles of attack are left exposed? And probably more importantly: when we get compromised to some extent, how shall we detect the problem and react to recover from it?

More than one party can be relied upon to keep a secret given that all parties involved are sufficiently careful and trustworthy. But the more parties you add, or the less trustworthy they are, the number of available angles of attack grow exponentially.

Adding "The Government" writ large to such a secret-keeping party means you are adding literally hundreds of thousands of human beings and computer networks any one of which is virtually guaranteed to either leave the gate open or be convenient for an enemy to compromise. That is why backdoors are doomed, not because of any binary concerned about whether information is "encrypted" or not.

Well, that and "The Government" and "an enemy one wishes to secure one's communications from" have far, far too much natural overlap to begin with. I mean the Fourth Amendment of the US constitution literally clarifies this unavoidable antagonistic relationship between a people and their government. ;P

ReachSeptember 11, 2019 2:19 PM

Ok, let's compare with the old "door of my house" analogy here:

My front door can be kicked in, the lock can be picked, it could be yanked off its hinges, the whole front wall could be bulldozed in, etc etc etc.... My point being: its security is not mathematically absolute.

So, why doesn't this lack of security matter to most people in this case? Answer: it's a matter of reach! By "reach" I mean... how many criminals in this world can practically reach my front door? Only the ones that live on my street have easiest access, and only ones that live in my city have practical access. If I live in a small enough of a town, this might be so few that nobody even bothers locking their doors... If I live in a really large city this might be so many that everyone puts bars on their doors... A lot of people are somewhere inbetween those two...

Now suppose a theoretical city/street/house existed in which every single criminal in the whole world lived... Yep, every single one of them.... Every simple pick-pocketer, every common criminal, every organized crime organization, every terrorist, and every foreign (or even domestic) government agency... and all day they were all trying to take stuff.... If I lived in that city/on that street/next to that house, I would need a whole lot more than bars on my door, wouldn't I? I mean, if I didn't have something "better than fort knox" I just would have no stuff--everything would always be stolen the instant I dropped off anything in my house. Or maybe even my house itself would be a deep crater...

So on the internet, every single criminal worldwide has free and easy access to my computer, as if they lived next door to every door worldwide and could easily spend all day attacking every single door all day long with impunity... The "door" to my computer has to be the strongest thing known to mankind, enough to thwart every attempt possible... otherwise, everything on it will be stolen immediately as soon as I type it, download it, create it, etc.

Whether we know it or not, we all demand absolute "better than fort knox" kind of security on the internet as long as we value any sort of private property at all. Because it's a matter of reach. The internet connects everything to everything else. It's all just a button press away. Every terrorist, every common criminal, every organized crime organization, and every government both foreign and domestic... every one of them really is trying to break into your device all day long. Yes, yours. Your personal computer. Your phone. All your internet-connected devices.

If you're going to say "but I have nothing of value, so it doesn't matter"... you're either ignorant or you're lying. If you didn't value any sort of private property, you'd give all your stuff away... all of it--your money, your house, your car, the clothes on your back, even non-tangible things like your identity, your dignity, your happiness, etc. You'd just be a naked penniless wretch of flesh that would be someone else's problem to shovel around and take care of.

You see, even suppose you had nothing of value on your computer/phone/etc, it's your device itself, i.e. its computational resources and its bandwidth on the internet, that has value. Criminals will break in and steal your cpu resources, and its "pipe" to the internet to commit crimes from your device upon other third parties. If you don't care about that, please just throw it in the trash, right now, and save the rest of us from being attacked by your device. If you don't care about it, don't have it. Please.

I realize most of this crowd is more advanced than this explanation perhaps, just please pass this sentiment along to everyone you know... :)

Sancho_PSeptember 11, 2019 2:38 PM

@Bruce:
Why should that be treated independently? Any arguments or just a feeling?

Data at rest: My data, my thoughts, my ideas, my dreams = my brain.
Why o why should anyone have access to my thoughts?
This is closer to Victor Frankenstein than to common sense.

I agree that this is the easiest case, simple answer: No.

We (whoever that is) don’t need a dialog.

ScaleSeptember 11, 2019 4:38 PM

There's also the old "quality of lock" for 100 mailboxes at an apartment - if a thief has half an hour to pick locks, and 90 of the mailboxes have a 3-minute lock because what is inside them is of so little worth, but 10 of them have a 10-minute lock because they are protecting rare precious objects, the high-quality lock people may say "thieves will just leave me alone because they could be opening three times as many locks in the same window of time" and the low-quality lock people may say "The thief only has enough time to try 10% of our locks before security catches them, we like our odds."

When the thief can tell which lock is the most secure, they know exactly where to find the most precious loot, and they focus on those boxes. This is another good reason to insist on everyone enjoying the best available security.

But more than "how many thieves can try picking a lock", we have "how many locks a thief can try to pick". Automation enables a single thief to scale up their lockpicking technique to accommodate every box. There is no "hiding in the crowd" OR "conserving time/effort for the target most worth it" when a thief can attack every potential target simultaneously.

Some people will say "nobody would bother hacking me because I'm not worth it". This is a variation of "time/effort must be conserved for the most worthwhile targets"; it assumes the thief is targeting individuals by evaluating their likely ROI first, when really it's more cost-effective to simply prepare the best attack they can and seize ALL the targets they can with that level of attack. At scale, it would simply consume ALL of a thief's time to individually evaluate every prospective target. When they go after you, it's not because they've made a conscious decision that you are worth it. It's because, from their perspective, it's more efficient to attack you FIRST and THEN figure out whether you were worth it. Like a military carpet-bombing the city where a suspected high-priority target hides, they won't declare failure by the innocent civilians whose destruction didn't net them anything - they will declare success by the amount of hoped-for targets they caught without being able to pinpoint.

Once they have you, they might find SOME way to use you. It could be that they only cared about targets who could pay a ransomware price well above the means of most people, and simply DIDN'T care about all the unable/unwilling to pay targets along the way; but after their initial payoff, they might try to monetize you either with a reduced price (good ROI at scale . . . ) or through some other means to exploit your information/access. Pro tip: don't be at the mercy of a criminal who just wants to find new ways to abuse you.

Clive RobinsonSeptember 11, 2019 5:07 PM

@ Reach,

Answer: it's a matter of reach! By "reach" I mean... how many criminals in this world can practically reach my front door?

It's also known as "locality of action" when talking about "force multipliers" which when taken to an extream you start talking about "An army of one".

The tangible physical universe applys limits to physical objects, one of which is locality. That is as a physical object you can only be in one place at one time. Thus you can say your actions are "resource bound" because of "locality".

By the use of force multipliers you can create automated tools or you can train other individuals to do set tasks in your stead. Either way you have the expense of creating/training and also power/sustinance whilst the task is carried out. Thus a creative phase and a deployment phase, both of which are very expensive in the physical world which limits your capabilities.

The creative phase is actually two phases the first is the design phase which is information based, and the second is the build phase which involves the taking of raw physical items goods/people and then build/train them for carrying out the desired tasks. Of these two phases it is the second which is by far the most expensive.

If we look at information objects they actually have no physicality, though they might be impressed/modulated onto physical matter/energy.

Thus the design phase of an information object is realy the only part that uses an attackers resources. For an attacker of other peoples information systems the build or duplication/copying phase is done on other peoples hardware using their power, thus is at worst a quite minimal cost for the attacker. Likewise the deployment phase occures on other peoples hardware again at zero cost to the attacker.

Thus to be an "army of one" all an attacker has to do is get the design phase for their information object correct and to push it onto the first victims information systems.

Thus in the case of the Internet it's rather more than just locality which is a problem. It's also the effectivly zero cost to build thousands or millions of force multiplier information objects. Which can not be done with physical objects/people.

Think back to the WannaCry ransomware attack, if the designer had got the design right, it would have been totally devastating around the globe and not just in the few places before it got stopped.

Petre Peter September 11, 2019 7:55 PM

Maybe it's true that power comes from knowing what people want and how far they are willing to go to get it.

IsmarSeptember 12, 2019 12:53 AM

This is absurd as the person who is arguing for weakening of encryption should be prosecuted for weakening of national security.
Here are a couple of examples of what I mean by this:

Say authorities (and here in Australia they now lawfully can and do) hack into individuals mobile phones by weakening the phones security in some shape or form. That same individual is then exposed to hacking by foreign government, criminals and such . The question is then, who is going to take responsibility for the individuals bank account being emptied via it own compromised phone or his personal data being traded on the dark web?

In addition, in many cases, the same hacked phones are used for work purposes giving rise to industrial espionage via these weak points.

JonKnowsNothingSeptember 12, 2019 2:24 AM

@Petre Peter

Maybe it's true that power comes from knowing what people want and how far they are willing to go to get it.

re: @Clive

Think back to the WannaCry ransomware attack, if the designer had got the design right, it would have been totally devastating around the globe and not just in the few places before it got stopped.

@Petre Peter

Just consider what happened to Marcus Hutchins who made the right guess-call-gamble-dart-throw that put a stop to WannaCry. Got a heroes welcome along with a whole lot of bother.

Those same folks are the ones expecting "high class known helpfuls" to help them.

You don't have to wonder how far they are willing to go. Jamal Khashoggi should have been a clue. It that wasn't enough of a hint, try Frank Olson (1944 and still counting waiting for the latest in new new new truths).

The world is abound with examples of how far are they willing to go.

They don't care about you, your family, your politics, your salary, your title, your ability, your knowledge. You will go out the window the same way as the guy who refused to help them. Helping them will not help you.


ht tps://en.wikipedia.org/wiki/Marcus_Hutchins
ht tps://en.wikipedia.org/wiki/Jamal_Khashoggi
ht tps://www.theguardian.com/us-news/2019/sep/06/from-mind-control-to-murder-how-a-deadly-fall-revealed-the-cias-darkest-secrets
(url fractured to prevent autorun)

Name (required):September 12, 2019 2:49 AM

How about this,

- api for law enforcement
- every query audited,
- homepage of the service provider has to have a banner "345 Customers (0.34%) have been queried by law enforcement this month, 2345 (2.34%) in total"
- if the number exceeds certain value or starts climbing too drastically, service provider can revoke access for department abusing the api, or set a hard limit per month, with no penalties
- every customer who has been "inspected" has to be notified 3 months later, no exceptions

I'm not a fan of all of this obviously, but if it's inevitable might as well have a reasonable solution, rather than "giving away all encryption keys". If service providers implemented above, they could always respond with "you already have access".

@Clive Robinson

>The only way to stop this game is to make them have real personal skin in the game not just as an organisation put personally as individuals.

Wouldn't it just increase demand for "professional blame taker" job?

NSeptember 12, 2019 5:18 AM

@Name
- "api for law enforcement / every query audited": devil is in details, how does this backdoor will work? How long before it gets exploited? How bigger the attack surface?
User are responsible of safely managung their own data and key, now service providers will be responsible of securely managing the extra data and keys for backdoors of millions (if not billions) users.

- "if the number exceeds certain value or starts climbing too drastically, service provider can revoke access for department abusing the api": good luck with that, a service provider negotiating with any single agency and department to enforce a definition of reasonable use.

JonKnowsNothingSeptember 12, 2019 9:24 AM

re: Data in motion poses challenges that are not present for data at rest.


Denmark frees 32 inmates over flaws in phone geolocation evidence

Denmark has released 32 prisoners as part of an ongoing review of 10,700 criminal cases after serious questions arose about the reliability of geolocation data obtained from mobile phone operators

...a tendency for the system to omit some data during the conversion process, meaning only selected calls are registered and the picture of the phone’s location is materially incomplete

...The system has also linked phones to the wrong masts, connected them to several towers at once, sometimes hundreds of kilometres apart, recorded the origins of text messages incorrectly and got the location of specific towers wrong


"(the) data is created to help deliver telecom services, not to control citizens or for surveillance.”(an industry spokesperson)

ht tps://www.theguardian.com/world/2019/sep/12/denmark-frees-32-inmates-over-flawed-geolocation-revelations
(url fractured to prevent autorun)

Sancho_PSeptember 12, 2019 9:39 AM

Re @Bruce’s EDIT (9/12):

I think this is a red herring. There is no difference between data at rest and in motion.
The “data in motion” does not exist.
There is a transmission path, but the stream of data (single bits) do not constitute a different data set as the data in rest.
You have to put it "at rest" to make use of it.

Would you say the chat message is protected when it is on any device but not during transmission?
When I send an encrypted text which is envelope encrypted during transmission by another protocol, would it be OK for LE to have the key to the overlay encryption?

The distinction is fuzzy and I think by purpose, to mislead the public.

Unfortunately @Bruce did not (think about?) answer my question:
”Why should that be treated independently? Any arguments or just a feeling?”

My data is my data and not yours - you may get at it if you tell me about access.
I want to know which of my data is probably tampered with.

PatriotSeptember 12, 2019 11:13 PM

We don't know whether the high-sounding Carnegie Endowment for International Peace and Princeton University's Center for Information Technology Policy are disinterested "stakeholders". We don't know whether they were paid or not.

Notice this word "stakeholders"--it's a business, ladies and gentlemen. That is how they think, and that is what they care about.

There is indeed a lot of money at stake here, but so is America remaining the Land of the Free instead of something else that starts to resemble North Korea. Make no mistake, Gestapo 2.0 could make its appearance very fast if the conditions were right. In fact, it depends on specific events that happen at any moment. The time to stop Gestapo 2.0 is now.

You might think that you won't be a victim. I often think that the next victims are likely to be Chinese-Americans, much as Japanese-Americans were after December 7, 1941. We'll see. But notice, once the spying apparatus is built and allowed to function, the one that takes away people's rights, it needs to be fed. Once one group is consumed, another is needed. This has happened over and over again in different places at different times.

The overall chill on free speech is also very worrisome, and I hope that people who still care not to live in a panopticon will see when they are being bamboozled by fancy doubletalk.

American citizens have representatives in Congress, and the institutions that want to take away their rights can be defunded--that gets their attention very well indeed.

Old Crypto GeekSeptember 15, 2019 11:00 AM

I was disappointed by the Carnegie paper and continue to believe that the answer here is just no (as Michael Hayden also seems to). Let’s simplify the multi-key problem to doors, keys, and master keys, and then think back to high school. All it took was one person to give a copy of a master key to one student (or just let them use it) for that key to get into circulation, and I would be stunned if this didn’t happen at nearly every school. Once in circulation, all bets were off and the master key was passed from student to student over generations. Until someone can explain why this isn’t the way to analyze the issue and how it can actually be addressed (“do not copy this key” stamps never stopped master key circulation), to me the answer is just no, no matter whose names are on a paper.

JonSeptember 16, 2019 2:16 AM

@ Name (required):

Do you really trust those who write the rules and those who enforce the rules to obey the rules? And/or not write in cheerful little 'exceptions' that you could drive a Maersk container ship through? Or just rewrite the whole rule whenever they feel like it?

Much of my argument against all government 'back-doors' boils down to "What makes you think the government is the good guy?" If you write a back-door into any popular software, what makes you think the Saudi Arabian religious police won't demand access? Why not? They're a perfectly legally constituted police agency. Or the Russian FSB? Or, for that matter, the FBI and CIA? J. Edgar Hoover and the House Unamerican Activites Committee might like a word too.

If it can be abused, it will be abused. Under colour of law or not.

Jon

JonSeptember 16, 2019 2:19 AM

(As an aside, I concur with Sancho_P. There is no meaningful difference between 'data at rest' and 'data in motion'. Even RS-232 has had buffers from before the turn of the century. Is the data in a buffer at rest? Or in motion? If data is recorded 'while in motion' and stored, and then reviewed, isn't it then 'data at rest'? Preposterous.) J.

NiclSeptember 16, 2019 4:19 AM

@Jon,

Benevolence of system architect cannot be assumed. It must be taken with a grain of sault because it is at worst false advertisement. This holds true for all systems not just backdoors of systems. We live in a very strange world.

ChoHagSeptember 18, 2019 3:58 AM

I'm not sure why I didn't initially post here but c'est la vie. I'm not going to get all spammy. This report makes for a nice demonstration -- that a lot of people discussing cryptography _do not understand it_ (my theory: because the analogies used to explain it to the uninitiated are lacking). Throughout the report encryption "technology" is referred to, with the implication therefore being that we can somehow make it differently. Cryptography isn't technology, cryptography is _maths_ and the rules are simply different. Until that's understood by all sides no conversation will be constructive.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.