Running head: ENCRYPTION: DECRIMINALIZING NECESSARY SECURITY
Encryption: Decriminalizing Necessary Security
James Gibbons
Western Governors University
Encryption: Decriminalizing Necessary Security
The Crypto Wars are back, or at least it definitely feels that way. Research suggests that the United States government should not pass laws that enable it to break commercial encryption, because doing so adds unnecessary complications to already complex software and would only push criminals toward open source encryption solutions from outside the U.S. Recent media coverage has documented the outcry from the governments of the United States, Great Britain, and France against strong encryption: the same encryption that is used every day online to secure commerce transactions, websites, and account passwords. The fundamental backbone of internet security is in jeopardy now that governments around the world are trying to legislate forced backdoors into software. This paper will answer the question of why the United States government should promote strong encryption rather than continue down a dangerous path toward vilifying it.

United States law enforcement agencies like the Federal Bureau of Investigation (FBI), headed by James Comey, are repeatedly appealing to Congress for something to be done about encryption on mobile devices and in encrypted messaging apps. The problem presented by top law enforcement officials is that terrorists and criminals are using encryption to hide their plans to conduct terrorist attacks. The main argument is that encryption allows terrorists to plan and carry out attacks that may injure or kill civilians. This is a strong argument, but it may be a problem that ends up being too difficult to solve.

The debate began before the internet was as popular with ordinary people as it is today, in what is known as the crypto wars of the 1990s. That debate went away temporarily because politicians realized that strong encryption was needed to secure web sites and commerce on the internet. A standard known as the Escrowed Encryption Standard was introduced that would allow surveillance to continue as long as the standard (now known as the Clipper Chip) was used on any encrypted device; however, serious security flaws were found in the chip, and its design was halted. The debate then disappeared until last year, when Apple and Google decided to encrypt mobile devices by default in a way such that they could no longer decrypt devices to comply with law enforcement requests. This move to default encryption has led to the return of the crypto debate, led by FBI Director James Comey.

In order for Comey and agencies like the CIA or NSA to access and read data captured while it travels the internet, they want to be able to read data that is often obfuscated with encryption. Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Authorized parties usually include only the person sending the data and the person on the receiving end. This is of course not good for law enforcement, because in order to protect its citizens, they feel they need to be able to see all communication. However, when two parties use strong encryption the way it is intended, it could take years to find the decryption key by brute force in order to obtain the clear text. Until recently, much of the internet was not encrypted; however, as more and more security breaches and hacks have resulted in large troves of data being exposed to the public, encryption, which used to be used only by sophisticated tech-savvy users or corporations, is now becoming the default for ordinary people.

The reasons for not regulating strong encryption and the companies responsible for implementing it in software and devices have not changed dramatically since the crypto wars of the 1990s. A journal article was written in 1997 by several cryptography experts and professionals in the field.
This paper was titled “The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption” (Abelson et al. 1997). The article explained that what the government is asking for should be called key recovery, or key escrow. The original arguments were that it would be too expensive and complicated to create a key recovery system of the scale needed to satisfy government requests. This source was updated in 2015 by many of the same authors in a journal article titled “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications,” which revisits the original article and discusses how the risks would be increased if access were required today (Abelson et al. 2015).

The arguments against creating a massive key recovery/key escrow system that the government would use when it needed to decrypt data on a mobile device or in an end-to-end encrypted communication stream are not a short list. For example, it is often argued that this will be an impossible problem to solve, given the enormous landscape of devices and applications worldwide that have already implemented encryption in a way that only the sender and receiver can decode the message. It is often stated that forcing a way in for the good guys will open up a vulnerability for the hackers and bad guys as well. This is what happened with the Clipper Chip originally proposed, in which security researchers found many problems.

The purpose of this paper is to demonstrate why it is a bad idea for the United States government to implement legislation requiring companies to be able to decrypt any encrypted data when presented with a court order. Not only will requiring companies to provide access to customers’ encrypted data decrease those same customers’ security, but it will also hurt U.S. businesses, as customers will switch to services from other countries that do not have laws requiring backdoors in encryption services. This was brought up recently at a Senate Judiciary Committee hearing by Senator Mike Lee, who put this very question to FBI Director James Comey.
Mike Lee’s questions, when answered in the affirmative by Mr. Comey, help our argument because they demonstrate that this problem covers the entire world, as the internet extends much farther than just the United States.

In the case of mobile devices like cell phones, there is no reason why data at rest on a device that the owner bought and paid for should not remain secret to the holder or holders of the encryption key alone. This key is usually derived from a passphrase that the device owner creates upon initial setup of the device; until recently, however, the owner was not required to create a passphrase and encrypt the device. Recent versions of Apple’s iOS mobile operating system and Google’s Android mobile operating system now require that some type of password, passcode, PIN, or passphrase be used to log in to the device. In past versions, it was not necessary even to use a passcode to log in, and many users would never choose to require a PIN or password to get into their devices. As attacks and breaches have become a regular occurrence, companies have been advancing their technologies to keep up with each other and with customers’ desire for privacy and security.

This is precisely why FBI Director James Comey has been testifying to Congress about the need for a change with regard to encrypted devices and encrypted communication. He feels that this move to default encryption is not necessary, and he has stated that he feels it is a business model question, because Apple and Google have been able to decrypt devices in the past. However, this move to encrypt devices by default can be linked to the public’s desire for privacy and for protection against their information being accessed if the phone is stolen. It is important to explain that just because citizens use encryption, it does not mean that they are hiding criminal actions.
Common arguments made in defense of government surveillance typically follow one of two closely related themes: “If you have nothing to hide, you have nothing to fear” (the government’s perspective), or “I have nothing to hide, so I have no objection to government surveillance.” This statement has been used by law enforcement to support their push for complete surveillance of United States citizens; however, the government is in place to protect the people’s constitutional rights, and many argue that surveillance is a breach of the Fourth Amendment of the United States Constitution. The article by Jeffrey Vagle, “Furtive Encryption: Power, Trust, and the Constitutional Cost of Collective Surveillance,” explains in detail why the people should be allowed to have a virtual locked closet (Vagle 2015).

Although this debate has been reintroduced today because of the increasing use of encryption and because of terrorist organizations such as the Islamic State (ISIS) and their supposed technical ability to use encryption, it is still true that any key recovery system that would be suitable for law enforcement requests would be extremely risky and expensive to implement, if not impossible to create without introducing serious vulnerabilities in the process. The same journal article from 1997 states that “the secure computer-communication infrastructure necessary to provide adequate technological underpinnings demanded by these requirements would be enormously complex and is far beyond the experience and current competency of the field.” The requirements referred to are the needs of a law enforcement request for the key to encrypted information, which are usually 24 hours a day, 7 days a week, with about a 2-hour requested turnaround time (Abelson et al. 1997). This is of course still the case today, and the newer updated article also points to complexity as the main problem in implementing a system of this size. The complexity argument is a strong one.
“Complexity is the enemy of security,” as stated in “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications” (Abelson et al. 2015). It is also a well-known fact to anyone working in the information technology field that any new feature added to software can interact with other features to create new vulnerabilities. Any time software gets more complicated, the likelihood of finding bugs and new vulnerabilities increases. “Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious making security testing difficult and less effective” (Abelson et al. 2015). Law enforcement requests to decrypt data on this scale will require the creation of a system that demands extreme trust in each and every employee at the key recovery center. Not only will this system require trust in all employees, but in order to create a system this large and complex, cooperation will be needed between different countries and nations around the world. The internet obviously does not just connect computers and devices of American users, but those from all over the world, which ultimately makes the encryption problem perhaps the most complex to solve since the creation of the internet.

Another reason why it would be a bad idea for Congress to legislate backdoors for government access into all encryption is that this would not actually solve the problem anyway. If all software developed in the United States were created with key recovery available for law enforcement, terrorists and criminals could easily obtain software that is already freely available from other nations and has been for many years. When this debate began over 20 years ago there was already encryption software available from numerous countries, and today this figure has increased tremendously. In fact, Mr. Comey recently stated that this problem would require cooperation with European nations, and he admitted that the problem could never be solved entirely (Comey et al. 2015).
Cryptography expert Matt Green offers the public a look into “How Do We Build Encryption Backdoors?” on his website (Green 2015). He explains in technical detail what would be required to create the key escrow system needed to satisfy the government’s requests for access to any user’s encrypted data. Mr. Green explains that the most likely method would involve the software developer creating two keys, or split keys, which would need to be archived and stored securely until requested. The problem then is the storage of these extremely sensitive private keys, which would become targets for hackers and nation states. Hackers regularly prove that it is not easy to keep data secure, and one mistake can lead to a data breach that costs corporations millions of dollars. Mr. Green explains that any end-to-end encryption product that correctly uses strong encryption to protect users’ data should not be able to decrypt the data without the sender’s and receiver’s private keys. The public keys are always available, but the private key should live only on each user’s device, or be protected by the user alone and not by the company or provider. In order to comply with a warrant, the private keys would need to be duplicated when they are generated, and the application provider would then need to hold onto them in case a request is received. This creates a huge vulnerability, because it is especially risky for any company to be tasked with holding private keys, which creates a high value target for hackers and nation states to attack (Green 2015).

On December 9, 2015, FBI Director James Comey testified at a Senate Judiciary Committee oversight hearing on his agency’s operations.
He answered questions from senators and spoke about how encryption is affecting law enforcement investigations. Although many senators seemed to agree with Comey that there should be a way for law enforcement to access encrypted devices and communication, no good solutions were introduced at the hearing. One senator, Mike Lee (Republican from Utah), understood the problem better than most, asking questions such as: even if legislation were enacted in the United States, what about all the other countries where encryption software is being produced, and wouldn’t this actually hamper United States companies’ innovation? Mike Lee’s questions support the thesis of this paper, and Comey’s answer was that he is only seeking to keep companies from encrypting devices by default. Comey agrees that this problem could never be fully solved without multiple nations acting together to implement similar legislation. Since this would require an enormous amount of cooperation, what Comey is actually aiming for is simply for Apple and Google to end their practice of encrypting all mobile devices by default. He claims that it is a business model problem, and that Apple and Google should simply leave it up to the user of the device to decide whether to encrypt it or not. So the main problem, according to James Comey, is simply that large companies like Apple and Google have decided to encrypt all new devices by default with a key that only the owner knows, created when they set a passcode to unlock the device (Comey et al. 2015).

The fact that there is already software freely available for download online that makes implementing end-to-end encryption relatively easy for developers is enough to persuade most in Silicon Valley that United States legislation would only hurt American companies’ bottom line. Encryption is used not only to secure credit card transaction information but also for personal data, corporate secrets, and even to protect data in simple games.
If the use of end-to-end encryption is either outlawed or forced to allow third-party law enforcement access, criminals and terrorists would simply use these open source encryption algorithms to create applications that are not known to have backdoors (Comey et al. 2015).
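To make concrete the two mechanisms discussed earlier in this paper, the device key derived from the owner's passphrase and the split-key escrow copy described in Green's post, here is an added worked example in Python. It is not code from this paper or from Green's post, and it rests on stated assumptions: PBKDF2-HMAC-SHA256 stands in for a vendor's actual key derivation, the iteration count is arbitrary, a two-of-two XOR split stands in for a real secret-sharing scheme, and an HMAC check value stands in for the encrypted user data. All names and sample values in it are constructed for the illustration.

```python
"""Passphrase-derived device key vs. a split-key escrow copy of the same key.

Added illustration, not code from the paper or from Matt Green's post.
Assumptions: PBKDF2-HMAC-SHA256 stands in for a vendor's key derivation,
ITERATIONS is an arbitrary work factor, a two-of-two XOR split stands in
for a real secret-sharing scheme, and an HMAC check value stands in for
the encrypted user data.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 32            # 256-bit data-protection key
ITERATIONS = 100_000    # assumed PBKDF2 work factor, not a vendor parameter
UNLOCK_LABEL = b"device-unlock-check"   # constructed label for the check value


def derive_device_key(passphrase: str, salt: bytes) -> bytes:
    """Derive the data-protection key from the owner's passphrase and a per-device salt.

    Nothing but the passphrase (plus the stored salt) produces this key, so
    the key only exists where the passphrase is entered.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, ITERATIONS, KEY_LEN)


def provision_device(passphrase: str, salt: Optional[bytes] = None) -> dict:
    """Model initial setup: persist only the salt and an unlock check value.

    The check value is an HMAC under the derived key; it lets the device
    distinguish a correct key from a wrong one without storing the key.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = derive_device_key(passphrase, salt)
    check = hmac.new(key, UNLOCK_LABEL, "sha256").digest()
    return {"salt": salt, "check": check}


def key_unlocks(device: dict, candidate_key: bytes) -> bool:
    """True if candidate_key is the device's data-protection key."""
    expected = hmac.new(candidate_key, UNLOCK_LABEL, "sha256").digest()
    return hmac.compare_digest(expected, device["check"])


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Two-of-two XOR split: each share alone is uniformly random."""
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the shares; XORing them back together yields the key."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def escrow_demo(passphrase: str = "correct horse battery staple") -> dict:
    """Contrast the owner-only path with the escrow path to the same key."""
    device = provision_device(passphrase)

    # Owner path: the key is recomputed from the passphrase at unlock time.
    owner_key = derive_device_key(passphrase, device["salt"])

    # Escrow path: at provisioning the key is duplicated into two shares
    # (say one for the provider, one for an escrow agent). Their holders
    # never need the passphrase again.
    share_a, share_b = split_key(owner_key)
    escrow_key = combine_shares(share_a, share_b)

    return {
        "owner_unlocks": key_unlocks(device, owner_key),
        "wrong_passphrase_unlocks": key_unlocks(
            device, derive_device_key("not the passphrase", device["salt"])),
        "single_share_unlocks": key_unlocks(device, share_a),
        "escrow_unlocks_without_passphrase": key_unlocks(device, escrow_key),
    }


if __name__ == "__main__":
    for outcome, result in escrow_demo().items():
        print(f"{outcome}: {result}")
```

Running escrow_demo() shows four outcomes: the owner's passphrase unlocks the device, a wrong passphrase does not, one share alone does not, and the recombined escrow shares unlock it without any passphrase at all. That last outcome is the substance of the escrow argument: the shares are a second, passphrase-free copy of the key, so whoever stores them must defend that copy against exactly the attackers the device encryption was meant to resist.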
In the Washington Post article “As encryption spreads, U.S. grapples with clash between privacy, security,” it is stated that “Even if Congress passed such a law, it could not bind device makers and software engineers overseas. Privacy advocates said strong encryption is now sufficiently widespread that it is effectively beyond the reach of government control” (Gellman, Nakashima 2015). This means that the encryption ‘problem,’ as law enforcement likes to call it, will not be solved by simple United States legislation, and any attempt to restrict encryption will do nothing to prevent criminals and terrorists from using it. Recent podcasts of “Security Now” with security expert Steve Gibson and technology giant Leo Laporte discuss the encryption debate in detail. Mr. Gibson claimed that he was called by politicians and asked to comment on the debate, and as he stated on podcast episode 534, his response was basically: “You can’t take back the math. The math is already out there” (Gibson, Laporte 2015).

Research suggests that the United States government should not pass laws that enable it to break commercial encryption, because this adds unnecessary complications to already complex software and would only force criminals to use open source encryption solutions from outside the U.S. It should be apparent that any attempt at regulating or restricting the use of encryption will not end its use by terrorists and criminals. The nation-state scale surveillance programs recently disclosed by ex-NSA contractor Edward Snowden have made the public concerned about privacy and about their constitutional right to keep their information safe and secure with encryption. This concern has led many to use encryption to secure their documents and data in more instances than ever before, which in turn has led large companies such as Apple and Google to begin encrypting new mobile phones by default with keys that only the device owner can access.
This has caused law enforcement agencies to argue that encryption keys should be available when these devices are used by terrorists and criminals. However, criminals and terrorists will always be able to encrypt their devices and communication, and any legislation that forces companies to be able to access all encrypted data will lead to vulnerabilities that can be exploited by hackers and other nation-state attackers.

In conclusion, it should now be clearer why strong encryption should not be tampered with to provide government access. Not only is software extremely sensitive to subtle changes, but encryption is a complicated beast, and algorithms are attacked for years before vulnerabilities may be found. This is why encryption in software is best left to the designs that have withstood the test of time. Complicating software with the added code required for key recovery will undoubtedly lead to security vulnerabilities that must be avoided at all costs. Not only that, but since encryption algorithms will always be available from all over the world, legislation in the United States will just move criminals and terrorists to software and devices that are not subject to American law.
References

Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., et al. (1997). The risks of key recovery, key escrow, and trusted third-party encryption. World Wide Web Journal, 2(3), 241–257. Retrieved from http://dl.acm.org/citation.cfm?id=275079.275104

Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., et al. (2015). Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 0(0), 11. http://doi.org/10.1093/cybsec/tyv009

Comey, J., Coons, C., Durbin, D., Feinstein, D., Lee, M., et al. (2015, December 9). Senate Judiciary Committee Oversight hearing on Federal Bureau of Investigation (FBI). Retrieved from http://c-span.org/video/?401606-1/fbi-director-james-comey-oversight-hearing-testimony

Gellman, B., & Nakashima, E. (2015). As encryption spreads, U.S. grapples with clash between privacy, security. Retrieved April 10, 2015, from https://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html
Gibson, S., & Laporte, L. (Producers). (2015, November 17). Encryption: Law Enforcement's Whipping Boy [Episode 534]. Security Now. Podcast retrieved from http://twit.tv/shows/security-now/episodes/534?autostart=false

Green, M. (2015). How do we build encryption backdoors? Retrieved from http://blog.cryptographyengineering.com/2015/04/how-do-we-build-encryption-backdors.html

Vagle, J. L. (2015). Furtive Encryption: Power, Trust, and the Constitutional Cost of Collective Surveillance. Indiana Law Journal, 90(1), 101–150. Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=101616873&site=ehost-live