Recent Cases Question Backdoor Encryption
Recent events are calling into question the necessity of computer backdoors and the future of our personal privacy
U.S. law enforcement for decades has decried the “going dark” problem with computers and computer technologies. If anyone can secure their data from prying eyes, then bad guys can secure their data from the prying eyes of the government—bad guys such as terrorists and pedophiles. We need to outlaw encryption!! We need a government-owned backdoor!
However, recent details of Facebook’s voluntary cooperation with the FBI and security companies to develop a zero-day exploit to unmask a cyberstalker, coupled with congressional investigations of NSA-developed backdoor exploits in Juniper Networks devices call into question whether backdoors are even necessary.
The fundamental purpose of Senator Lindsay Graham’s Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) is to force tech companies to “earn” the immunity provided by Section 230 of the Communications Decency Act, which currently shields them from liability for the acts of third parties. Specifically, EARN IT would require the creation of a national commission on online child sexual exploitation prevention “to develop recommended best practices that providers of interactive computer services may choose to implement to prevent, reduce, and respond to the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.” An internet company would have to “earn” the immunity currently provided under the CDA by certifying to the U.S. Attorney General that it is in compliance with the recommendations of the commission.
Of course, the industry is already doing a great deal to combat the creation, storage, sharing, selling and transmission of child sexual exploitation (CSE) materials and to work not only with law enforcement, the National Center for Missing and Exploited Children (NCMEC) and the so-called “Five Eyes” entities to share information. In fact, the technology coalition, made up of 18 of the largest tech companies, has pledged to establish a multimillion-dollar research fund to study patterns of abuse and build technological tools to prevent them.
The problem with the EARN IT act is that to “earn” the immunity under CDA 230, it is likely that the commission will require internet companies to crack down on anonymous accounts, pseudonymous accounts, access by TOR or other anonymizing technologies and, of course, prohibit or restrict the use of strong encryption. If you are a person sharing CSE materials, you probably don’t want law enforcement to know what you are doing. So you will probably encrypt these files (and your communications) at rest and in transmission. You know. Computer security. That’s what this bill will likely outlaw.
Going Dark
Back in April 1983, the government wanted to mandate the installation of a Mykotronx MYK78T chip using the Skipjack algorithm in certain secure communications devices. The chip, known as the Clipper chip, would become the international standard for “secure” communications. Except that it wasn’t; among other things, it wasn’t secure. And deliberately so. The Clipper chip was designed to have a “backdoor” feature to permit U.S. government (intel and law enforcement) access to these “secure” communications. It wasn’t long before AT&T’s Matt Blaze published an article demonstrating the fundamental weakness of the escrowed key system deployed for Skipjack, and the entire Clipper program fell by the wayside.
This didn’t deter the government. Ever since, successive FBI directors, attorneys general and other law enforcement and intel agencies have decried what they call the “going dark” problem: the inability of law enforcement agents, equipped with lawful authority such as search warrants, interception orders or the authority to hack into remote computers, are unable to decrypt or force the decryption of communications and files they intercept. They refer to it as “warrant-proof” technologies. Law enforcement raises the specter of unbridled pedophiles, child kidnappers, terrorists, drug gangs and organized crime running through the Information Superhighway. Human sacrifice, dogs and cats living together … mass hysteria!
The solution? A backdoor for encryption. But not any old backdoor. This is a magic backdoor. One which, like Excalibur or Mjölnir, can only be wielded by one who is pure of heart and worthy. This magic key would require not only law enforcement and intelligence agencies acting legitimately within the scope of their authority to pursue lawful goals and objectives but also would require the blessing of a federal judge or magistrate (or some state equivalent) to be activated. It would be used in the rarest of circumstances—when a terrorist attack is imminent, a child about to be abducted or someone is unlawfully smoking a joint or filing for workers compensation when they are not truly “disabled.” A truly magical key.
A few recent events belie both the need and security of this magical key.
Facebook Cooperation
First, it has recently been reported that Facebook hired a private security firm at the cost of more than $100,000 to help the FBI conduct an investigation of a person who was using the online service to threaten, harass, intimidate and extort teenage girls. According to the report, Buster Hernandez, who went by the name “Brian Kil,” used Tails, a secure operating system that uses the TOR software to encrypt traffic and hide his true IP address, then used the anonymity to cyberstalk, threaten and commit revenge porn against his underage victims, repeatedly setting up new Facebook accounts to do so.
Facebook, with the security company, developed a zero-day attack on Tails that took advantage of a flaw in its video player to reveal the real IP address of the person viewing a video. Facebook also assigned an employee to track Hernandez’s activities for two years and developed a sophisticated AI program to look for accounts being created to reach out to kids. The AI program was able to connect Hernandez through his various IP addresses and identities to specific child victims.
Although the government complained about and ultimately sued Apple for refusing to deliberately cripple the security of its iPhones to help the government extract information from the deceased San Bernardino attacker, it ultimately was able to decrypt the contents of the phone using the old-fashioned means: hard work, time, energy and technology. In most cases where crypto is cracked, it’s often a combination of technology and mistakes by the person encrypting the device. What encryption does frustrate, however, is the ability of governments to intercept communications in real-time.
Juniper Networks
In December 2015, Juniper Networks announced that during an internal code review, it discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to its NetScreen devices and to decrypt VPN connections. The secret code, installed in versions of the ScreenOS going back as far as August 2012, essentially enables attackers to take complete control of firewalls and decrypt encrypted traffic running through VPNs through the firewalls. The exploit took advantage of research conducted by the NSA and other intelligence agencies into Dual Elliptical Curve and pseudorandom number generators.
Sauce Goose, Sauce Gander
The government, through legislation such as the EARN IT Act and efforts to create encryption backdoors, is making a determination that the “good” uses of encryption (for data integrity, data security, reliability, authentication and overall privacy) are outweighed by the “bad” uses of encryption (crime, terror, child porn) and that it is essential to enable governments to combat the “bad” use of encryption even at the cost of the “good.” And the “good” is not so “good,” as it permits anonymous communications about protests and other things that governments would like to know about.
Overall, we have to decide whether we are willing to tolerate making it more difficult and expensive to investigate crime in return for making banking, health care and telecommunications more secure overall, or if we should weaken the security of everyone to be able to conduct surveillance on a few. Of course, that’s not how the Department of Justice would put it—the department believes there’s a magic technology that only works for good guys catching bad guys. That, I would love to see.
