New study refutes encryption alarmists - but with a concerning twist

Profile picture for user jreed By Jon Reed February 5, 2016
Summary:
A new Harvard study successfully challenges "going dark" encryption paranoia. The problem is that it bolsters concerns about the rise of the surveillance state.

man-with-camera

Thanks to a new study, the encryption debate has taken an important/concerning twist. The report, issued by Harvard’s Berkman Center for Internet and Society, counters those in the U.S. intelligence community who claim that end-to-end encryption on iPhones and Android devices poses a threat to anti-terrorist surveillance.

Unfortunately, the Harvard study's most persuasive argument carries troubling implications. Don’t Panic: Making Progress On The ‘Going Dark’ Debate" (PDF link), is the result of an atypical collaboration between academics, security experts and intelligence officials, including two prominent members of the National Security Agency: John DeLong, its director of the Commercial Solutions Center and Anne Neuberger, its chief risk officer. (Though the NSA participated as "core members" of the study, the Harvard’s Berkman Center took pains to emphasize that as government employees, Delong and Neuberger could not formally endorse the report or its conclusions).

In  Privacy, back doors, and you – get ready for the tech encryption debate of 2016 (November 2015), I noted that the Obama administration opted not to seek legislation that would require tech companies to provide back doors to U.S. agencies. However, the terror attack in Paris and the political opportunism of election season have put the pressure back on Silicon Valley, with top administration officials such as FBI Director James Comey pressing for back door access - and warning that going dark on encyrpted data comes at a public safety cost.

I joined those who believe the "going dark" argument is flawed in Encryption, back doors, and IoT software locks – a bad “experience” in the making. Ethics aside, the best arguments for this stance are practical:

  • back doors won't work because terror groups have plenty of communication workarounds beyond smart phones.
  • back doors create new exposure that can be exploited by bad actors and rogue states

Countering the "back door advocates" - a concerning twist

The Harvard report's position has a disturbing twist: even IF some data access is lost due to encrypted phones, this setback will be more than offset by the ability of U.S. intelligence agencies to exploit the comparatively weak security of the sensors and connected devices now populating our homes and workplaces.

As the authors state:

The going dark metaphor suggests that communications are becoming steadily out of reach – an aperture is closing, and once closed we are blind. This does not capture the current state and trajectory of technological development.

The report's core position:

  • End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies. This leaves data openings for both intelligence agencies and hackers.
  • Software ecosystems tend to be fragmented. That makes the goal of total data encryption difficult for companies to achieve. Standards that would govern such encryption are either in their infancy, or do not exist.
  • Metadata is not encrypted, and the vast majority is likely to remain so. "This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread."
  • These trends raise new questions about how we will protect individual privacy and security in the future.

In sum: there are plenty of security holes for intelligence agencies to exploit. Therefore the pressure on smart phone makers and/or social media platforms is an unrealistic overreaction.

My take

Buzzfeed notes that this study "might provide some amount of comfort to law enforcement officials fearing their diminishing powers amid heightened threats." I sincerely hope not.  The lesson for intelligence agencies is not one of comfort. It's that a narrow focus on smart phone encryption, and the pursuit of a legislative remedy via sanctioned back doors, is a futile project. For the law-abiding individual, there is no comfort whatsoever. Even if end-to-end encryption on our phones remains intact, we are all public figures in ways we are only beginning to grasp.

The report's authors are aware of these implications. In the appendix, report co-author Jonathan Zittrain wrote a potent piece entitled "The Good News and the Troubling News: We’re not going dark." Zittrain writes:

As data collection volume and methods proliferate, the number of human and technical weaknesses within the system will increase to the point that it will overwhelmingly likely be a net positive for the intelligence community. Consider all those IoT devices with their sensors and poorly updated firmware. We’re hardly going dark when – fittingly, given the metaphor – our light bulbs have motion detectors and an open port. The label is “going dark” only because the security state is losing something that it fleetingly had access to, not because it is all of a sudden lacking in vectors for useful information.

If government officials take comfort in these findings, we certainly shouldn't. Zittrain:

But exactly what should reassure government officials, and stay the momentum for major policy interventions into Internet technology development, is what should also trouble everyone: we are hurtling towards a world in which a truly staggering amount of data will be only a warrant or a subpoena away, and in many jurisdictions, even that gap need not be traversed. That’s why this report and the deliberations behind it are genuinely only a beginning, and there’s much more work to do before the future is upon us.

In past installments, I made recommendations for enterprises. I won't repeat those, but a few more come to mind:

  • Get involved in groups that create encryption standards in your industry.
  • If you provide encryption tools for customers, conduct simulations of what might happen it government officials requested data or back door access. Consult with legal counsel and track relevant issues, e.g. Stuart Lauchlan's ongoing coverage of cloud data and post-Safe Harbor talks.
  • Examine your data exposure across disparate platforms and software programs, with an eye towards issues such as master data vulnerability, or lagging upgrades on certain systems.
  • Communicate privacy policies openly with all stakeholders. Don't just push out boilerplate terms and conditions, onto constituents; hold Q/A sessions where privacy concerns can be discussed.
  • Collaborate with privacy and security experts inside and outside your organization to expose and address issues pro-actively.

There will never be a perfect way to balance privacy and the ability to hide in its shadows. But there are better ways of handling this than the uninformed political posturing we've heard lately. On the Republican side, the presidential candidate with the most nuanced grasp of the encryption issue, Rand Paul, got his butt kicked in the polls and dropped out of the race.

Meanwhile, the Democratic candidates don't seem to be well informed on this complicated issue, either. Alas, that doesn't bode well for the encryption debate, where happy talk about privacy falls short when confronted with technical specifics. It was good to see this particular report informed by discussions with NSA officials - that means at least some inside the government are willing to grapple with the pace of change. That obligation extends to all of us.

Image credit - Security Consultant Fitting Security Camera To House Wall © highwaystarz - Fotolia.com.