Operating Blind

Illustration by Steve McCracken


In the late 1990s, governments began making a push to require that third parties retain a copy of decryption keys for encrypted information, an arrangement known as a key escrow system or Clipper Chip. If law enforcement, with proper authorization, requested access to the encrypted information, the third party would use the key escrow system to decrypt the data for law enforcement.

A group of cryptographers and security experts from MIT examined the idea in 1997 and found that it was “beyond the technical state of the art to build key escrow systems” at the scale needed, according to the paper Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications. 

“Governments kept pressing for key escrow, but Internet firms successfully resisted on the grounds of the enormous expense, the governance issues, and the risk,” the paper, published in summer 2015, explained. “The Clipper Chip was eventually abandoned.”

But the effort to require companies to decrypt encrypted communications, and to provide the method for doing so to a third party, has not been abandoned. Since the Paris attacks in November and the San Bernardino, California, shooting three weeks later, the issue appears to have gained steam.

Leading that charge is FBI Director James Comey, who said in a Congressional hearing late last year that the practice of using end-to-end encryption is not a technical issue. “It is a business model question,” he said. “The question we have to ask is: Should they change their business model?” 

Encryption, the process of converting messages, information, or data into a form unreadable by anyone but the intended recipient, has been used primarily by the government and financial institutions, but over the past few years it has become more widely used. Many credit this push to the Edward Snowden leaks in 2013, which revealed U.S. intelligence agencies’ abilities to snoop on Internet traffic and communications, and caused many to embrace encryption as a way to shield data from prying government eyes.

Silicon Valley has championed the use of encryption, and Apple became one of its major proponents when, in 2014, it announced the new iOS8 operating system for smartphones and tablets, which uses full-disk encryption as a default. This makes data on its devices inaccessible—even to Apple itself—without a passcode. 

As of October 19, 2015, 91 percent of Apple devices were using iOS8 or iOS9. “Thus, it is no longer possible for Apple to extract data as it did for devices running prior operating systems,” according to a report by the Manhattan District Attorney’s Office on smartphone encryption and public safety. 

Following Apple’s lead, Google also announced that it would begin using full-disk encryption in its new operating system for Android devices. And others have followed suit, including Facebook, Twitter, YouTube, Netflix, and cloud service providers. 

“In 2016, almost two-thirds of traffic on North American fixed access networks will be encrypted, and the reality is it will likely be over two-thirds as additional applications make the switch to HTTPS via programs, such as the Electronic Frontier Foundation’s ‘Let’s Encrypt’ program,” according to a report by Sandvine, an intelligent broadband networks company.

And the trend will continue globally, with Sandvine predicting that by the end of 2016, 65 to 70 percent of traffic will be encrypted in most markets.

The rapid rise of encryption has brought many benefits, such as making it more difficult—or nearly impossible—to decipher communications. This can be beneficial for users in their personal correspondence, such as encrypting their text messages and e-mails, and for corporate users, such as encrypting files that contain trade secret information and customer credit card data.

However, there are negatives associated with encryption because it can make companies blind to malicious activity taking place within their networks. This is because firewalls, intrusion detection systems, and other network monitoring systems are often not installed in-line on the network, meaning they’re passively monitoring the network and not decrypting the Secure Sockets Layer (SSL) encrypted traffic that passes through it.

“All of those solutions need to be able to look at the individual packets [Internet traffic in their network] and perform deep packet inspection, and they can’t do that with encryption,” explains Kasey Cross, A10 Networks security evangelist. “For them, the impact is that they don’t see what’s happening in their network.”

This means that malware can get in and exfiltrate data or insiders may accidentally—or purposefully—send confidential data out, and the company would not know it. 

“If you’re not able to decrypt that information and inspect it, and detect the data loss from malware or whatever threat vector, you’re basically blind to those attacks,” Cross says. 

Some firewalls and intrusion prevention systems can be installed in-line on the network to decrypt encrypted traffic, Cross explains, but that can end up slowing down the performance of the system itself. 

“There was a report about two years ago from NSS Labs that showed firewall performance dropped 81 percent if the firewalls were decrypting SSL traffic,” Cross says. “So that’s a reason why people don’t want to decrypt on the firewall.”

Encryption is also presenting problems for law enforcement because authorities are increasingly unable to access encrypted data for investigations. Comey attested to this, citing a specific example in a Congressional hearing in December.

“In May, when two terrorists attempted to kill a whole lot of people in Garland, Texas, and were stopped by the action of great local law enforcement…that morning, before one of those terrorists left to try to commit mass murder, he exchanged 109 messages with an overseas terrorist,” Comey said. “We have no idea what he said, because those messages were encrypted.”

To fix the problem, Comey and others have pushed for technology companies—like Apple—to change their business models and stop using encryption by default. 

“There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he explained. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked—a year ago they could be unlocked.”

Comey also proposed less popular solutions, like legislating backdoors that would require companies to provide law enforcement with the ability to decrypt their data. And, during the hearing, Senator Dianne Feinstein (D-CA) said that she was considering introducing legislation to do so after the shooting in San Bernardino that killed 14 people.

The authors of the MIT paper, however, found that providing law enforcement “exceptional access” to encrypted data through such a mechanism would be a mistake.

“The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the authors wrote. “Beyond these and other technical vulnerabilities, the prospect of globally deploying exceptional access systems raises difficult problems about how such an environment would be governed, and how to ensure that such systems would respect human rights and the rule of law.”

Andrew Crocker, staff attorney for the Electronic Frontier Foundation’s civil liberties team, agrees. He says that he is concerned by the vague wording law enforcement and advocates for weaker encryption are using.

“They envision telling a company that ‘We need access to this data,’ but not telling them how they’re going to implement that,” Crocker explains. “It’s a little worrying that they sort of wave their hands at something that even the best technical minds are saying can’t be done.”

And while encryption might pose its own sets of challenges for security, it is essential for day-to-day technology use and is something all Internet users rely on.

“This sort of hammering and fearmongering is really not capturing the whole story, which is that encryption is a fundamental piece of our daily use of technology,” Crocker says. “We use it to keep our data safe. It really is essential to almost everything we do with technology from this point on.”