Thursday, February 27, 2020

Encryption Foes in Washington Won't Give Up

By J.D. Tuccille - February 27, 2020 at 08:10AM

It's impossible to overstate just how much governments hate not being able to read your mail, listen to your phone calls, and peruse your text messages. When all that snoopy officials can pull up is scrambled gobbledygook, they just know they're missing out on the good stuff, like little kids bristling at whispered adult conversations.

That explains the U.S. government's decades-long war against private cryptography and its most recent manifestation in the crusade against "warrant-proof encryption."

No matter how much government officials stamp their feet and hold their breath, it'd be a bad idea to give them the access they want to our data. And they do keep stamping their feet.

"By enabling dangerous criminals to cloak their communications and activities behind an essentially impenetrable digital shield, the deployment of warrant-proof encryption is already imposing huge costs on society," Attorney General Bill Barr huffed last summer when he delivered the keynote address at the International Conference on Cyber Security in New York City. "It seriously degrades the ability of law enforcement to detect and prevent crime before it occurs. And, after crimes are committed, it thwarts law enforcement's ability to identify those responsible or to successfully prosecute the guilty parties."

If that sounds familiar, it's because it's essentially a rephrasing of former FBI Director James Comey's 2014 argument that "those charged with protecting our people aren't always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so."

In turn, Comey barely rewarmed the Clinton White House's overwrought 1994 warnings that "the same encryption technology that can help Americans protect business secrets and personal privacy can also be used by terrorists, drug dealers, and other criminals."

The encryption technology that gets officials so hot and bothered year after year grows increasingly widespread for the simple reason that it satisfies a very real demand. Barr may worry about privacy-minded terrorists and drug sellers, but most people are more concerned about hackers, identity thieves, and nosy busybodies. In response, tech companies build end-to-end encryption into a host of products so that regular people can benefit without memorizing a user's manual.

In response, Barr and company argue that all they want is a "back door" built into communications services so that they can gain access when necessary—and only after they jump through all the legal niceties, we're assured.

But weakened, government-accessible encryption isn't a magic solution that will be used only to catch bad guys. It will be weakened encryption, period.

"The problem with backdoors is known—any alternate channel devoted to access by one party will undoubtedly be discovered, accessed, and abused by another," notes David Ruiz, a writer with the internet security firm Malwarebytes Labs. "Cybersecurity researchers have repeatedly argued for years that, when it comes to encryption technology, the risk of weakening the security of countless individuals is too high."

"Encryption is one of the few security techniques that mostly works. We can't afford to mess it up," cautions Matt Blaze, a cybersecurity expert at the University of Pennsylvania. "As someone who's been working on securing the 'net for going on three decades now, having to repeatedly engage with this 'why can't you just weaken the one tool you have that actually works' nonsense is utterly exhausting."

How can we know that the critics are right? Because the U.S. government itself claims that a Chinese company has, for years, been misusing exactly such back doors.

"U.S. officials say Huawei Technologies Co. can covertly access mobile-phone networks around the world through 'back doors' designed for use by law enforcement, as Washington tries to persuade allies to exclude the Chinese company from their networks," the Wall Street Journal reported on February 12.

Well, it's only fair. For half a century, the CIA and German intelligence spied on international communications courtesy of back doors they built into the products of Crypto AG, a company the agencies co-owned.

The CIA and its German partner kept that arrangement secret for a long time, but mandated access to everybody's messaging apps would be public knowledge and serious hacker-bait. It might even be a target for bad actors wielding the hacking tools that were stolen in 2017 from the National Security Agency—an exploit generally considered among the most significant events in cybersecurity.

Whoopsies. It's almost like you really shouldn't trust government types with the ability to peruse your communications and paw through your data.

Despite that history, Senators Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.) are floating a bill that would make tech companies "earn" Section 230 protection against liability for other people's communications that pass through their platforms by adopting "best practices" that satisfy amorphous government standards.

"The AG could single-handedly rewrite the 'best practices' to state that any provider that offers end-to-end encryption is categorically excluded from taking advantage of this safe-harbor option," writes Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School. "Or he could simply refuse to certify a set of best practices that aren't sufficiently condemnatory of encryption. If the AG doesn't finalize a set of best practices, then this entire safe-harbor option just vanishes."

The whole thing is cloaked in the language of "child sex-abuse material" so that privacy advocates have to argue against a measure nominally aimed at kiddy porn in order to protect strong encryption for everybody's communications. Yes, once again, government officials pretend that the terrible things they want to do are all about protecting the children.

Meanwhile, any back doors forced into our encrypted communications are likely to affect harmless people more than they inconvenience criminals and terrorists.

"Short of a form of government intervention in technology that appears contemplated by no one outside of the most despotic regimes, communication channels resistant to surveillance will always exist," states a 2016 report from the Berkman Center for Internet and Society at Harvard University.

Unwilling to rely on commercial products that may or may not keep their secrets, criminals and terrorists develop their own encryption products—including secure phones. They're very unlikely to comply with law enforcement demands for back doors.

"I think there's no way we solve this entire problem," the FBI's Comey admitted to the U.S. Senate Judiciary Committee in 2015. "Encryption is always going to be available to the sophisticated user."

But what about the rest of us? Despite all the evidence of the foolishness of their efforts, government officials keep trying to make us expose our data to them and the criminals who ride on their coattails.


from Reason Magazine Articles