“In war, truth is the first casualty.”
We are at war again. FBI vs. Apple is all over the headlines and this seems to be one of the most important battles in Crypto War II (CWII). For the record. The first Crypto War raged in the end of the last millennium. US authorities wanted, among other things, to put chips with a backdoor in phones. ISIS and the recent wave of terrorism has once again brought back the demands to ban strong encryption. UK’s prime minister is on a crusade against messaging his snoops can’t read. And details about the San Bernardino shootings is in a locked iPhone that FBI wants to open. Strong encryption is at the same time becoming the norm and many services are secured by default. This development has accelerated significantly after the Snowden revelations. So it’s no wonder we are at war again.
Yes, Aeschylus was right. Truth is always a victim in wars. Time for some myth busting. Let’s take a look at some of the jargon of CWII.
Totally wrong. Everyone who is using Internet is using strong encryption. It’s the fundament of securing our passwords, our communications, our stored data and e-commerce. Just to mention a few things. Most of us are not even aware of it, the systems provide security by default. And encryption is a cornerstone for this. The Internet, as we know it, would disappear if we took away encryption.
Wrong again. It’s very dangerous to accept a mindset that people who care about protection automatically must be bad. I use Tor frequently in work for various, perfectly legal, reasons. And many other use them too for both practical and principal reasons. Not to mention that this kind of protection can be a matter of life and death. We all agree that the authorities should have tools against criminals. But what about the police in Iran hunting people for illegal political activities? Do you still support the authorities or should the “criminals” be able to protect themselves?
There’s a lot of examples proving this statement wrong. It turned out that the Paris terrorists had used ordinary mobile phones that would have been easy to tap with a warrant. Other terrorists have been watched by the authorities and their communications have been intercepted. But the authorities have collected so much data that they failed to spot the interesting stuff in the haystack. This myth seems to have its roots in movie plots like the James Bond stories, where the villain is a super-criminal with hyper-technology. In reality, terrorists are often just ideologically driven youngsters with poor op-sec.
This sounds smart. Keep the benefits of strong encryption and just let the good guys get in to protect us. Right? No, wrong! This is really a naive idea. Authorities typically have unlimited trust in their own ability to use such capabilities only for legit reasons. And to keep the backdoors or escrowed keys safe and secret. Reality is totally different. The question is not if this very sensitive information will leak or be cracked, it is when. And the secret is really like a Pandora’s Box. Both good and bad guys will march through the backdoors once they become known.
It’s no coincidence that these two groups keep appearing in the headlines. They are widely hated and the authorities are most likely to get sympathy for their war against encryption by picking enemies like this. It’s also risky to oppose as you may get smeared as a protector of pedophiles. Usage of backdoors or weakened encryption would definitively not be limited to just these target groups. The Snowden documents showed how USA used every available method gather intelligence, including spying on heads of states and even the Climate Summit. And the same is true for many other nations too.
Our homes can be searched with a warrant if there’s proper suspicion of a crime. This is a widely accepted practice. But things get complex if you try to apply these principals to digital data. The police will break your door if you’re not there to open it. But there’s no obligation for you to use a weak lock just in case the police one day has a warrant to search your home. That applies perfectly to digital data as well. Another issue is that there is protection against self-incrimination in almost every legislation. You can’t be forced to surrender information that you have stored in your brain. But what about digital extensions to your memory? A constantly increasing part of our brains’ content is mirrored into our gadgets. Making them searchable will cripple our fundamental protection against self-incrimination.
It’s of course convenient to claim this when asking for new rights, but it is far from the truth. The authorities can still use wiretaps on the phone, access text messages, place surveillance in the suspects’ home or track vehicles. Not to talk about implants in their devices. A tiny piece of spyware can “see through” encryption, as the data need to be decrypted by the device before presented to the user. On top of that, metadata about who the suspects are communicating with is typically accessible despite encryption. Either by tapping the cable or searching the service provider. And no chain is stronger than its weakest link. One sloppy hoodlum in the gang is enough to get them all busted.
This is the tin-foil hat way to see things. I can’t deny that there may lay a grain of truth in this, in some cases. But this is not the main driver. It is very clear that all actors in the crypto wars have one thing in common. All want to stop terrorism and other types of crime, and ensure that our authorities have a suitable set of tools to do that. The authorities are no doubt mainly driven by a true desire to make our society more secure. The crypto wars is really about what methods we can use without harming our fundamental right to privacy too much.
Public domain image by unknown photographer
This is a guest post from an F-Secure fellow. Hi, my name is Matti Aksela…
May 22, 2017
Last week’s WannaCry outbreak caused havoc in many parts of the world before subsiding thanks…
May 18, 2017