24 August 2020

Crypto wars enter a new phase: “the nuclear assault”

Liviu Ioniţă

The US National Security Agency/NSA has recently published warnings on the possibility of enemies accessing and using mobile data and devices connected to the Internet. The NSA has recommended for government employees, mostly people concerned with privacy, to stop the FindMyDevice, Wi-fi and Bluetooth when not necessary and to also restrict some apps from using location data. It seems that’s something usual lately for the agency to make warnings and share guidelines on cyber security.

Image source: DoD

In June, the NSA has warned about Russian hackers exploiting the e-mail servers’ vulnerabilities.

And, before that, in April, given the “work from home” extended period, the agency was analyzing the security of encrypted platforms, offering “criteria by which the employees and governmental organizations to decide which are the app safely cater to their particular needs”.

Meanwhile the NSA is sharing advices, the battle for privacy entered a new chapter: on June 23th 2020, the American senators Marsha Blackburn, Tom Cotton and Lindsey Graham have introduced the Lawful access to encrypted data act, an act forcing tech companies operating in the US to offer the government and law enforcement agencies the access to encrypted data when they are asked to do so.

Unauthorized access of mobile devices becomes a national security risk

In the US’s National Security Agency’s guideline published on August 4th it is warned that the location of every enabled smartphone can be traced.

The NSA asks its employees to disable their location on the mobile devices and other gadgets to eliminate any security risk and information leaks, stating that, although their guideline is mostly dedicate to the military and intelligence employees, it is also applicable to normal smartphone users.

The agency recommends less permission to apps and more restrictions to web navigation on phones.

According to the guideline, the mobile devices should not have the location services enabled, because these can easily track the movement inside the government’s institutions, thus offer access to sensitive data.

Sharing the location may be essential for certain apps like Google Maps, but the information they collect about users’ location get to tech companies, which can eventually sell them to tradesman and advertising agencies.

The NSA guideline covers, also, the IoT devices, which is targeting the connection to Internet of devices that might share data about military operations. Also, the warning applies to tracking equipment used for fitness and other incorporated technologies in smart watches and computers founds in cars.

In the meantime, the competition between the encrypted messages platform providers (Facebook, Whatsapp, iMessage) and politicians entered a new phase.

The US governments, as well as the other Five Eyes states’ governments are dealing with big tech companies to make the end-to-end encryption available for the law enforcement agencies, meanwhile the IT industry says this process will affect the privacy and will weaken the security of all users.

The end-to-end encryption is a system wherein only the users (emitter/receiver) involved in the communication process can read the messages, which stops a third party from accessing the cryptographic keys necessary for getting access to the conversation. Therefore, in order to follow privacy, the companies using this procedure are not able to send the authorities the text messages of their clients.

For the governmental agencies to actually have access to data, they will have to be incorporated in the so-called backdoors devices (a type of software dedicated to avoiding the security systems) or making what they call…key escrow (a data security measure where a cryptographic key is given to a third party), but that’s a major security risk: the user offers access to information to the one that has the cryptographic key.

The problem for those opposing the idea is what if the “good guys” have access to these backdoors, which is less likely to happen.

The debate on the future end-to-end encryption has divided even the public opinion and it seems to be getting worse.

On one side of the debate are the ones saying that the investigations are stopped by the existence of end-to-end encryption, and on the other side are the ones thinking that any compromise in end-to-end encryption and the introduction of backdoors will be exploited by bad-intended people.

The debate on digital devices privacy is nothing new. Back in 1993, the National Security Agency has developed the Clipper chip to offer the government access to any mobile device where this has been installed. This chip is using a strong encryption algorithm, using a key escrow system” a universal decoding key is in the hands of the government agencies.

Once Clipper appeared, it started what we now know as “crypto wars” between the government and the mobile phones producers, the latter wining, eventually, when the project got cancelled in 1996.

The intention of the state of finding means to overcome the encryption limits has continued, and the Edward Snowden reveals have showed how far these efforts went, as the intelligence agencies became able to avoid the encryption of both the iOS smartphones and the Android ones.

The end stage of this fight took place in 2016, when the FBI could not access the Iphone of one of the shooters involved in the terrorist attack from San Bernardino.

The phone was projected so that to delete all data after many failed connection attempts. Eventually, NSA and the FBI asked Apple not only to offer them access to that phone, but also to develop a new iOS version with different disabled security characteristics.

Whatsapp vulgarized the security level offered by the end-to-end encryption and is also currently saying it will continue to make efforts against governmental access attempts, making sure the users are protected.

Whatsapp proved to be open to fight, together with Facebook, for the end-to-end encryption in the court. Within the court’s actions, Whatsapp had the surprise to acknowledge that, after the reveal of some documents during the processes, the FBI director, Christopher Wray, currently an active militant to the backdoors introductions, argued, in the past, for the end-to-end encryption when, as a lawyer, partner of the King&Spalding company, he was hired to protect the Whatsapp software from the Justice Department’s attempt to weaken the encryption.

Also a surprise in the complicated pro and against end-to-end encryption wars between the law enforcement agencies and companies was the fact that the NSA published, on April 24, a consultative document on the security of video conferences and message platforms.

The NSA documents offers a “snapshot of the best practices” of some “simple,  actionable, consideration for individual government users, allowing its workforce to operate remotely using personal devices”.

The NSA gave high ratings to the information security of WhatsApp, Wickr and Signal, the three platforms to be the most avid supporters of end-to-end encryption messages. And among the criteria for the NSA ratings there is: the end-to-end encryption.

Law project to offer the authorities unlimited access to encrypted data

However, what some call the “nuclear assault” in the crypto wars is the normative act introduced, on June 23 2020, by the US senators Marsha Blackburn, Tom Cotton and Lindsey Graham.

The Lawful Access to Encrypted Data Act of 2020/LAED will stop the tech companies working in the US from offering end-to-end encryption in online services and to offer encrypted devices which cannot be unlocked and do not include decryption methods of the data dedicated to law enforcement agencies.

Thus, the law project allows courts to force the operation systems, devices producers and communication services providers to help the government whenever asked through a warrant. Furthermore, these providers are asked to give assurances that they can offer that assistance, which includes forcing them to share data about “any technical capacity which is necessary to apply and follow the anticipated court orders”.

This law project is basically the end of all digital services which include the end-to-end encryption and which is not offering backdoors for access dedicated to law enforcement governmental agencies and are not addressing only Apple, Google, Facebook, Signal and similar tech companies.

These apply equally to operating system, messages and chat platforms and apps, social media platforms and storing services through e-mail and cloud, videoconference, smartphones, laptops and desktops and, most likely, voting machines and IoT devices, targeting any electronic device with only 1GB storing capacity.

Furthermore, the law project applies to metadata as well.

For the stored data, whether it is remotely or from a local device, the force orders will go in front of a judge and will ask for a court order which asks for technical assistance from the provider (that it can simultaneously be done with the information demands or after getting a warrant). If the force orders can indicate the existence of “reasonable motivation”, according to which the process “will help executing the warrant”, the judge is forced to issue an order for technical assistance provision.

For the data in motion, the law project foresees another type of court order: the interception warrant.

For all these rules to give technical assistance there is containment: the provider which has to decrypt the data, “except for the cases wherein independent actions of an unaffiliated entity are making it impossible from this point of view”, meaning, if the data were encrypted by someone else, not by the provider.

This means, for example, that Facebook will no longer be allowed to say that it does not have the ability to decrypt WhatsApp messages; Apple will no longer be allowed to say that it does not have the ability to unlock an iPhone. If the law passes, it will be necessary to redesign those products so that they can decrypt them.

If a provider has not already designed a decryption capability, the attorney general may require that one be built using the so-called "assistance capability directive".

To create a decryption capability, suppliers can extend the work to contractors, but only if it is based in the United States.

There are views that the bill is an "unfortunate combination" between Communications Assistance for Law Enforcement Act/CALEA, Senators Richard Burr and Dianne Feinstein's 2016 Compliance with Court Orders Act (which has not been finalized) and 2018  Australian law on assistance and access.

US law enforcement will not stop criminals and terrorists from finding other ways to encrypt their data and communications. Al Qaeda is running its own encrypted messaging software, which will not respond to a court order in the United States. Moreover, most entities that offer encrypted products are outside the United States, outside the jurisdiction of Congress.

The bill is worded so broadly that it will only remove the privacy and security guarantees that encryption currently provides to regular users, while the "bad guys" will stop using the products and services of technology providers in the US and will move to other areas - whether they are illicit applications and platforms (such as the application run by Al Qaeda) or to legitimate ones outside the US - which make it difficult for US authorities to monitor.

The concern of those who support communications security and end-to-end encryption is that, “while we’re all distracted by stockpiling latex gloves and toilet paper, there’s a bill tiptoeing through the U.S. Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years".  US Senator Ron Wyden calls the promotion of the legislation as a "Trojan horse", which gives the government "access to all aspects of American life".

Last year, the CEO of the uber-Wickr messaging platform acknowledged the real and “completely legitimate” need for law enforcement, but also warned that “deciding who gets access (to the encryption key) means being able to determine who is good and who is bad".

It is the key argument against the new legislation: it generates risks while not delivering the expected assets.

The Center for Internet and Society at Stanford University calls the bill, which is in line with the position of the Five Eyes intelligence alliance, a "full frontal nuclear assault on encryption in the United States" (Riana Pfefferkorn).

The cybersecurity company, SecureWorld, analyzed the draft law in the light of the Five Eyes statements in the 2018 privacy and security debate:

"Privacy laws must prevent arbitrary or unlawful interference, but confidentiality is not absolute".

"The growing gap between law enforcement's ability to legally access data and their ability to acquire and use the content of that data is a pressing international concern".

"We are always willing to work with technology providers to fulfill our public security responsibilities and to ensure the ability of citizens to protect their sensitive data".

A coalition of several cybersecurity and Internet freedom groups (Internet Society, Wikimedia Foundation, Center for Democracy and Technology), as well as academics and experts from the American Civil Liberties Union, Stanford University and the Massachusetts Institute of Technology, sent, on July 7, a letter to the initiators of the anti-encryption bill, arguing that it would make hundreds of millions of Americans more vulnerable to hacking.

The letter mentions the dramatic change in recent years, as parliamentarians and officials have become increasingly skeptical of the importance of solid encryption backed by specialists.

The authors of the message also mention the vulnerabilities generated by the increase in teleworking during the pandemic, which opened up new possibilities for hackers and made encryption vital, and argue that law enforcement does not explore other ways to track criminals online without cracking encryption.

These methods include using legally authorized hacking to exploit errors in the way criminals use encryption.

Proponents of encryption also speak out against another Senate bill that threatens encryption and would, in fact, be a first step in eliminating it: Eliminating Abusive and Rampant Neglect of Interactive Technologies, EARN IT Act.

Once in force, EARN IT would eliminate the legal exemption from liability currently granted to "Internet communication" messaging platforms in its own networks, provided for by the Communications Decency Act (CDA). As a result, in the event of the transmission of dangerous and illegal content, they may be held liable.

The EARN IT Act, whose initiators find the same Senator Lindsey Graham again, does not mention the introduction of backdoors, but comes with the message "if you transmit illegal or dangerous content, you will be responsible".

Carnegie Endowment for International Peace and Princeton University convened an expert group - the Encryption Working Group - to promote a constructive dialogue on encryption policy.

The working group consists of former government officials, business representatives, privacy and civil rights lawyers, law enforcement experts and IT specialists.

Starting in 2018, the group met to discuss important issues related to encryption policy, and some of the working sessions were also attended by representatives of US federal government agencies.

The group considered that revelations of massive data privacy breaches and disclosures about the tracking capabilities of technology users highlighted the role that encryption can play in protecting personal data.

From ordinary citizens to so-called people at risk (journalists, activists, marginalized groups who fear persecution), encryption is increasingly used to protect not only against cybercrime, but also against the unwanted disclosure and monitoring of messages by technology platforms and other stakeholders. The importance of encryption has grown as information technology has made it possible to create and store increasingly sensitive personal information.

The conclusion is this workgroup: many processes are necessary to detail the debate, to divide the approach related to stored data from the one regarding data in motion and to examine both the risks and advantages.

Therefore, there is not enough to have one approach to the legal access demands to the content of communication to be applied to any technology or communication methods.

Translated by Andreea Soare