US deputy attorney general just called for 'responsible encryption.' Don't fall for it.
(Image: via Wikipedia)
There's a new term on the political scene you might have heard recently.
During a speech at the US Naval Academy on Tuesday, deputy US attorney general Rod Rosenstein, one of the most senior government lawyers, called on tech giants to embrace "responsible encryption."
According to a transcript, Rosenstein said:
"Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your emails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop."
"Responsible encryption can protect privacy and promote security without forfeiting access for legitimate law enforcement needs supported by judicial approval," he added.
"No one calls any of those functions a 'backdoor," he said.
Not so fast. "All these mechanisms are effectively backdoors," Matt Blaze, a professor and cryptographer, said in an email.
Backdoors, front doors, golden keys -- or "responsible encryption" -- whatever you want to call it -- it's the debate that just won't end. The government has been pushing for exclusive access to scrambled, impossible to intercept end-to-end encrypted communications in times of emergency, or crisis, or when there's a valid warrant for data.
While encryption has proliferated to the point where it's practically ubiquitous across tech products, the government's hunger for data has only gotten stronger. Lawmakers have even threatened to pass legislation that would grant the government it's long desired access.
But the brightest security experts, cryptographers and technologists have for years said that there is no way to provide a secure system to allow police in, and keep malicious hackers out.
Blaze said that any backdoor system described by Rosenstein would "reduce the security of the system by greatly increasing the attack surface."
In other words, it would make even the toughest messaging apps easier to hack.
"In some limited applications, this security reduction may be a worthwhile tradeoff to enable users to recover lost keys, but in others, it represents a significant decrease in security, with a significant increase in risk, complexity and cost, for no benefit to the user," he said.
Adding a recovery key feature "that you can own and use at your own exclusive discretion is not a back door," Jake Williams, a security expert and founder of RenditionSec, told ZDNet. But he warned that the moment law enforcement or anyone else has access means it "absolutely" becomes a backdoor.
Keeping things out of the wrong hands is getting tougher -- for the big companies and government alike. The problem is that nobody wants to admit it. You only need to look at the past year of data breaches, leaks, and exposures to see that some of the most precious national security and technological secrets in the US aren't safe.
And yet Rosenstein, in his speech, thinks companies can keep their secrets safe.
"A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices," he said.
"That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important," he said.
Take Yahoo, which revealed this year that all three billion users -- about half the world's population -- were put at risk by a 2013 breach. The company also lost control of its secret source code which enabled hackers to access accounts without even needing to steal passwords. In the same year, hackers stole more than half of the US population's credit files, thanks to Equifax's bad security. And Verizon was just one major tech and phone giant that admitted millions of customer records were left exposed for anyone to find for months.
Even the US intelligence community, trusted with the country's most sensitive national security secrets, can't handle its security. This year, hackers obtained the CIA's most sensitive hacking tools. A former NSA staffer was indicted over a massive theft of terabytes of classified information. And, later in the year, it was revealed that the NSA lost control of more hacking tools that resulted in the expulsion of Kaspersky software from all federal agencies.
And if you really want to hear the definition of irony? Rosenstein recounted in his speech how "medical facilities around the world were attacked with ransomware, resulting in the cancellation of medical procedures, the unavailability of patient records, and the diversion of ambulances."
Guess what caused that ransomware attack? Unknown hackers infected thousands of computers around the world using stolen NSA hacking tools to deliver ransomware to hospitals.
One leading privacy-minded senator criticized the speech.
"The last year has made painfully obvious that cybersecurity protections for Americans' personal information is far too weak, in part, thanks to the examples Mr. Rosenstein cited," said Ron Wyden, a Democratic senator from Oregon and a senior member of the Senate Intelligence Committee, to ZDNet.
"Despite his attempts at rebranding, a government backdoor by another name will still make it easier for criminals, predators and foreign hackers to break into our phones and computers," he said. "The Department of Justice should be using their bully pulpit to promote the adoption of strong encryption and other defensive cybersecurity technologies, not demonizing companies who are attempting to protect their customers' private data and compete on cybersecurity."
Security
Security researchers and industry experts agree.
"Given the serious cybersecurity crisis facing our nation, it's disturbing that a senior law enforcement official would advocate adopting mechanisms that would make our infrastructure less secure rather than more," said Blaze.
"Contrary to Rosenstein's inflammatory digs, strong encryption does help prevent crime, such as identity theft -- something 'responsible' companies need to worry about at a time when massive data breaches regularly dominate the headlines," said Riana Pfefferkorn, a cryptography fellow at Stanford Law School.
"Strong encryption does save lives," she said, "something a 'responsible' law enforcement agency, charged with protecting and serving the public, might be expected to care about at a time when it's open season on immigrants, Muslims, black and trans people, and anyone else who's 'other'."
The Electronic Frontier Foundation, a privacy and digital rights group, agreed.
A blog post said: "The DOJ needs to understand that secure end-to-end encryption is a responsible security measure that helps protect people."
The sad reality is that backdoors aren't something that the government is going to give up on any time soon. While the notion of national security is, to government, seen in the narrow scope of terrorism or serious crime, many fail to accept that ensuring good cybersecurity is a key facet of keeping the nation safe. If the worry is terrorism, there's nothing stopping terrorists from building their own encryption. Leaving Americans' secrets flowing across the open web or through a vulnerable pipe open to hackers is only going to harm consumers and businesses down the line.
But that isn't stopping Rosenstein from toeing the party line.
"It's a scary story just in time for Halloween, courtesy of the zombie encryption debate that just won't die," said Pfefferkorn.