More like postcards than like letters

Every couple of years, sometimes more often, some politician or law enforcement officer brings up that encryption is preventing them from doing their job. Just recently reported in Arstechnica was such an article about the US Attorney General William Barr.

“Encryption seriously degrades law enforcements ability to detect and prevent crime before it occurs.”

It is true that when messages or data is encrypted it is difficult to impossible to decrypt depending on how well the encryption was done. I do have to agree that as a law professional it must be frustrating to be thwarted by locked phones, encrypted messages, mail or documents. In the “good old days” you only needed to turn on the device to be able to browse through it looking for something incriminating. In retrospect that should probably be thought of the as the golden age of law enforcement starting with the creation of the personal computer and lasting up until about 2000. It is a subjective date but at the time the new kid on the block was the BlackBerry which was a cell phone with secure encryption. This was the first wake up call that information could be encrypted so that it could not be simply intercepted and examined. This allowed anti-government groups to both communicate in real time without the fear of that information getting out.

Over the years since then more and more security (ie encryption) technology has become main-stream. So simple in fact that you only need to know how to make a call or send a message and not be forced to use other intrusive methods to protect your message.

Prevention

The argument of Mr. Barr and all of these other well meaning people is that if this information was not encrypted it would allow law enforcement the ability to prevent bad things from happening. This is both a very admirable goal but quite lofty as well. The number of emails sent per day is 269 billion while the number of text messages are 18 billion per day. I am not sure what the US infrastructure would need to be in order to process this bulk of information, but it would be substantial. It is not the few computers needed to sift through the data but what happens to the threats that are found. If the goal was to prevent crimes then coordination between a group of potential bank robbers in rural Nebraska should be reported to the nearest authorities.

To be honest, I cannot see this level of access by the government being all that helpful for local crimes. I would imagine that they would focus on Federal crimes such as threats to the nation’s leaders or general Terrorism. Unless the terrorists are pretty stupid, they would not be telegraphing their movements.

Poor

We will all meet at the corner of 3rd street as planned on Tuesday 13 March at 5pm.

Average

We are meeting on Tuesday at 5pm

Clever

The plan is on, meet next Tuesday at the spot we agreed.

These exact messages are not so much help unless you have the context. These messages could be for some sort of terrorist plot or it could be meeting for a bachelor party. The context may be found in a single email but more than likely it would need to be gathered through many mails with other methods (ie humans interacting with bad guys). The emails, despite the massive volume, may not provide enough information.

Improve access or allow overreach

Allowing lawful access to encrypted information without prior approval or assistance of the party being surveilled would be really nice. The government has knowledge that you are purchasing very questionable materials and would like to take a peek into your communications to verify this. This request, if guarded by impartial people, on the ground of national security does seem reasonable. Nobody wants a bombing or a plane crash to occur if it can be prevented.

Yet there is always mission creep. If this ability to access emails were possible and the government decided that they would also use this power to tackle large scale fraud and corruption it would probably be viewed as good. It would not be long before some ambitious person decided that people cheating on their taxes would also be a good target for this as well. What about helping to prosecute spouses that do not pay their alimony or child support?

None of these are bad uses but what is the person who had this access was not impartial and had a chip on his or her shoulder. This would be a great way to do the same thing in a directed manner. Trying to dig up dirt on an ex-boyfriend. Getting hints on what your political opponent is doing and find ways to undermine them – part of the problem is that people are flawed.

Sometimes this access to the data is referred to as a back door. Basically, a hidden way to monitor or access data in a given system. It seems to be that it should really be referred to as the front door. To enable this functionality, you are giving either a key for that particular user or for all users of that particular system to the government. Would you trust that some government official, policeman or other political appointee had access to all your data? Would you trust them to have the key to your house or apartment?

No encryption would provide effective access

Well, at least if this power would be given over it would be effective? It would be probably 98% effective or perhaps even more emails or social media accounts. The problem is the smartest “bad people” would be able to cover their tracks pretty effectively.

  • Private mode browsing to reduce browsing history
  • Using docker or virtual machines to reduce browsing history
  • Old fashioned couriers for transferring messages or materials
  • Dead drops for transmitting information in an unseen manner
  • Book ciphers to make the data uniquely encrypted
  • Spam encoding another interesting way to pass messages around in plain sight
  • Embedded in pictures yet another way of hiding or transferring messages
  • Foldering, messages saved in draft folder
  • Use messaging services that have not been compromised

The ability for law enforcement to have access to the contents of a smart phone is not useless but it is more useful for prosecuting people who have already done bad things. Depending on the crime, the criminal is no longer alive to have justice meted out to him.

Presumably, just having access to the SIM card in the smart phone would allow the investigators a trail of people or phones that they can follow. This information would (currently) provides a digital footprint to where the phone went.

What could it hurt to provide this “back door”?

People are basically honest and hard working so we have little to fear. Many people have access to other types of high security materials. Well, that may be the case but people are also basically lazy and have a tendency to do the least possible work to get the most possible income.

Not only that but this provides a very juicy target for people with bad intentions. Look at the problems that occurred due to incompetence, laziness or bad luck.

It is truely difficult to ensure that personal data is kept secure even with no back door as these companies can attest to.

The benefit of providing such a “secret back door” is questionable while the damage would be immeasurable if this access made its way into the wrong hands. This “leak” wouldn’t have to be sabotage or ill will, it could be carelessness by someone who had legitimate access.

After all, if the NSA cannot manage to keep their secret tools and methods secret what are the odds that a group that is controlled by politicians will fare any better?

This entry was posted in security, Soapbox. Bookmark the permalink.