The worry that communications companies increasingly offering default encryption for their services will severely hamper law enforcement and intelligence operations is significantly overblown, according to a new report out Monday from Harvard University.
The problem of increasing encryption in criminal or terrorist electronic devices locking out legal and legitimate law enforcement or intelligence operations has been called the problem of “going dark.” The U.S. intelligence and law enforcement communities have described a situation where technology architectures, especially encryption, are increasingly inhibiting the government’s ability to obtain access to communications, even under Fourth Amendment warrant requirements (Defense Daily, June 3, 2015).
The new report from the Berklett Cybersecurity Project at Harvard’s Berkman Center for Internet and Society, “Don’t Panic, Making Progress on the ‘Going Dark’ Debate,” argues the going dark metaphor does not accurately describe the state of affairs and the U.S. is not headed “to a future in which our ability to effectively surveil criminal and bad actors is impossible.”
Law enforcement officials, like FBI Director James Comey, have raised a possible solution that companies could maintain access to user data and communications and provide that information to law enforcement through a legal process. However, many in the private sector have resisted, arguing that any back door into an encryption system for law enforcement purposes would inevitably make these systems less secure overall – if the government has access then criminals and foreign bad actors would find a way in too.
While the report takes the warnings of law enforcement at face value, it says that, short of despotic technology intervention, “communication channels resistant to surveillance will always exist.”
This report is the result of the Berkman Center convening a group of security and policy experts to work through particularly enduring problems in surveillance and cybersecurity. The experts are drawn from academia, civil society, and the U.S. intelligence community. Several of the group participants signed and endorsed the report in general, although the report states each signatory does not necessarily endorse every finding and recommendation. Government agency participants did not sign on because of their employment and nothing in the report should be inferred about their views, Harvard said.
“The aim of this project is to bring together people who come from very different starting points and roles, and who very rarely have a chance to speak frankly with one another. We want to come away with some common insights that could help push the discussion into some new territory,” Jonathan Zittrain, faculty chair of the Berkman Center and project member, said in a statement.
The authors argue that in contrast to the government’s fears of encryption, future market forces and commercial interests will limit how encryption is offered. Moreover, “the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will ‘go dark’ and beyond reach.”
The report names three technological trends that run counter to the forces of encryption that may make surveillance more difficult in some cases: many companies’ business models rely on access to user data; products are increasingly being offered as services that use an ongoing relationship between the vendor and user; and the Internet of Things (IoT) promises a new frontier of networking objects, machines, and environments.
The IoT includes a set of products that previously have not had internet connections but are increasingly networked to offer new features and remote control. This group includes cars, refrigerators, lights, home alarm systems, security cameras, door locks, watches, thermostats, and various wearable devices.
For example, “when, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room–no matter how encrypted the telephone service itself might be,” the report said.
The report explains that despite some increasing encryption by Google [GOOG] and Apple [AAPL] in their mobile devices, technology business models discourage end-to-end encryption and impediments to user information because “consumer-facing Internet companies have relied on advertising as their dominant business model.” Data-driven advertising in particular is increasingly reliant on user behavior, which works against encryption architecture.
“Implementing end-to-end encryption by default for all, or even most, user data streams would conflict with the advertising model and presumably curtail revenues. Market trends so far reflect that companies have little incentive to veer from this model, making it unlikely that end-to-end encryption will become ubiquitous across applications and services,” the report said.
The authors also note end-to-end encryption is impractical for companies that are increasingly offering cloud services to access plaintext data. Google offers several web-based services that require company access to plaintext data, including full text search of documents and files stored in the cloud. Similarly, while Apple says it encrypts communications in some apps, that does not include all of its services and even the iCloud backup service encryption keys are held by the company for users who have lost normal procedures for accessing the information.
Another reason companies may not use encryption is that it usually adds complexity to the user experience. The report notes a Facebook [FB] official has said the company could deploy end-to-end encryption but has not because when done right it is hard for the average person to communicate. Google has also reportedly delayed default encryption on Android devices because it affects performance.
The report highlighted the increasingly prevalent Internet of Things because “These are prime mechanisms for surveillance: alternative vectors for information-gathering that could more than fill many of the gaps left behind by sources that have gone dark.” IoT mechanisms also raise questions about how much the general public may be increasingly exposed to eavesdropping.
Companies working on products for the IoT are including various sensors that will connect to the internet and transmit telemetry data for cloud processing. They include gyroscopes, accelerometers, magnetometers, proximity sensors, microphones, speakers, barometers, infrared sensors, fingerprint readers, and radio frequency antennae.
These networked sensors offer many opportunities for law enforcement and intelligence agency usage: audio and video capture through a car’s microphones, smartphone camera or microphones, baby monitor, a television with increasing microphone capability, internet-enabled security cameras, laptop or desktop computers with voice command software and cloud connections, and interactive toys.
Although the increased availability of encryption technologies impedes government surveillance in some sectors, the report concludes new technological developments and market forces combined are likely to fill some of the gaps and ensure the government will generally gain new opportunities for surveillance.
Report signatories include Urs Gasser, executive director of the Berkman Center; Nancy Gertner, former U.S. federal judge for the District Court for the District of Massachusetts; Jack Goldsmith, former Assistant Attorney General, Office of Legal Counsel, and Special Counsel to the Defense Department in the Bush administration; Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute; Joseph Nye, Harvard international relations scholar and former high level government official in the State and Defense Departments; David O’Brien, senior researcher at the Berkman Center; and Matthew Olsen, former Director of the U.S. National Counterterrorism Center, General Counsel for the National Security Agency, Justice Department official, and federal prosecutor.
Other signatories include Daphna Renan, former Attorney Adviser in the Justice Department’s Office of Legal Counsel and Counsel to the Deputy Attorney General; Julian Sanchez, senior fellow at the Cato Institute; Bruce Schneier, technology security expert serving at Resilient Systems, a fellow at the Berkman Center, a fellow at the Open Technology Institute, and a board member of the Electronic Frontier Foundation; Larry Schwartztol, former staff attorney at the American Civil Liberties Union’s National Security projects; and Jonathan Zittrain, international law and computer science professor at Harvard.