28 December 2023

Encryption: It’s Not About Good and Bad Guys, It’s About All of Us

Heather West

Introduction

It reads like a classic Hollywood script: the detective — Miss Marple or Sherlock Holmes — takes on the evidence, studiously following a trail to understand a crime and catch the perpetrator. We celebrate smart detective work in the media and the real world, making sure that law and order are preserved and that criminals are caught and punished.

But over the last few decades, the detective’s job has changed. The way we communicate and share information has evolved, going online, and the detectives have followed. Where once letters were sealed in envelopes, today they’re drafted at a computer, encrypted, and zipped along a wire as bits and bytes. Detectives aren’t just examining footprints or interviewing eyewitnesses; they’re sitting at a computer and sifting through digital evidence. This evidence comes from digital devices and online services, which often protect the content and communication of their users with encryption. Encryption safeguards the privacy, security, and authenticity of information that is stored on a device or in the cloud or sent digitally. Many regulatory and industry bodies require the use of encryption, particularly for sensitive information, but it is also a well-established best practice for almost any kind of data.

These security protections for digital information have created a conflict: law enforcement and intelligence agencies feel that they’re losing the trail. Governments are looking for new investigatory tools to chase down criminals, yet these often amount to blunt instruments. Some mechanisms amount to wholesale interference with the encryption that protects everyone’s online banking, messaging, and digital trail, making this information accessible both to the good and bad actors and impacting every user of these products and services.

It’s an old debate. Over the years, many proposals have aimed to interfere, degrade, or even ban encryption. When the telephone was created, controversy swirled over wiretapping. As soon as the internet was introduced to the public, proposals to interfere with encryption became more common than ever. Throughout, technologists have raised the same concerns that creating a weakness – metaphorically opening a door — or sharing encryption keys hurts their ability to protect people using online services.

The modern debate over encryption has focused on combatting child sexual abuse and terrorism. These are worthy causes and it’s important that law enforcement has the tools it needs to investigate them. But it is also clear that providing them with some of the tools they ask for — to degrade or break encryption — risks significant social costs. Encryption is a technology that we rely on, as a society, to protect our data. The ends do not justify the means when we talk about undermining encryption and security.


Photo: An iPhone with privacy and security settings is seen in this photo illustration in Warsaw, Poland on 05 January, 2022. CNIL, the French data protection authority has fined Apple EUR 8 million for harvesting iPhone user’s data for advertisement targeting without consent. 

Despite the focus on encryption, other options do exist. Investigators can use online services and devices to collect information about users’ online interactions, even without content of communications. The metadata, analytics, and telemetry data collected by services as part of their operation often includes information about the sender and recipient of information, timestamps and IP addresses, message size or duration, header information, location data, or device information. Much of this digital content is accessible to law enforcement via court orders. Companies often partner with law enforcement in the jurisdiction where information is held to turn over records, following legal processes, and further protecting their platforms and other users. In recent reports from Australia, online services detailed the many ways that companies combat child sexual abuse material and cooperate with law enforcement. 1

Even the most publicized and controversial cases often have been solved without requiring companies to break their own encryption. After two shooters killed 14 people in San Bernardino, California, in December 2015, the Federal Bureau of Investigation (FBI) tried to compel Apple to unlock an iPhone used by one of the attackers. 2Apple resisted. Instead, the FBI hired a firm that cracked the phone, likely using a vulnerability to crack the encryption — but not a company-provided backdoor. In a similar case that year in New York, police demanded that Apple break into a phone owned by a drug dealer, even after the suspect pled guilty. 3 The standoff ended after the suspect’s wife shared the device’s password.

Much like almost a decade ago, renewed calls are rising to offer ways around encryption, through back doors, front doors, and client-side scanning. A series of legislative proposals in Europe, the US, Australia, and the United Kingdom (UK) all risk requiring companies to break encryption in pursuit of child safety. Despite intentions to protect children, all these measures are problematic. Instead of fighting against encryption, it should be preserved and protected while measures are taken to support alternative investigatory mechanisms.

Law enforcement does need support in this fight, in the form of training and effective partnerships. It should pursue alternative methods to investigate, and, in limited situations, find its own way into encrypted conversations. Governments should fund the training and education that their agencies need to use these tools, instead of insisting on blunt legal and technical tools that undermine security.

Encryption, Decrypted

Encryption secures digital information by ensuring that only authorized users with decryption keys can access the original data. It transforms readable information and data (plaintext) into an unreadable format (ciphertext) using an algorithm and an encryption key.

At the core, an encryption algorithm is math — sometimes more or less complex or secure, but always a series of mathematical operations that are performed on data. Encryption and decryption happen behind the scenes, without requiring users to act, protecting them by design and by default. For messaging and other digital communications and storage, encryption has become standard best practice.

Modern encryption uses different encryption keys to encrypt and decrypt the data: a public key known to everyone, and a private key known only to the recipient. This public and private key pair eases the path to negotiate encrypted connections and communications. Algorithms in widespread use that provide “strong encryption,” which protects against almost any eavesdropper if they don’t have the key to decrypt it.


Photo: Whatsapp Billboard is seen in Mumbai, India, 24 August, 2022. Whatsapp introduces end- to-end encryption of messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands according to their official whatsapp website. 

This math ensures the confidentiality of sensitive data, protecting it from unauthorized access. Encryption safeguards much of the information that is transmitted over the internet, including financial transactions, personal information, and communications. It ensures the authenticity of information and sources, making sure that data have not been altered in transit and that the sender is correctly identified. It secures information at rest, stored on a device or server, against attack.

Strong encryption is deployed in many contexts: data can be encrypted at rest on a device or a server or in transit between devices. Most online activity is encrypted, though often a platform or service provider can decrypt those data. But not always: messaging services are moving toward “end-to-end” encryption as best practice, where only the sender and recipient can decrypt the encrypted content, and no one else, including the platform providing the service, can read the content.

Encryption is only as strong as its algorithms and keys. Encryption algorithms and software are frequent targets of hackers looking for vulnerabilities. Even so, strong encryption protects against almost any eavesdropper that doesn’t have the key to decrypt it.

A Little History of Encryption

Digital encryption dates to the Cold War. Militaries started using modern encryption to protect their secrets from adversaries. The technology proved far too useful to remain limited to national security. Commercial encryption became prevalent in important sectors such as financial services as early as the 1960s.

The US government standardized encryption algorithms and encouraged their commercial use during the mid-1970s. Over the next five decades, encryption rolled out across the globe. If you read this paper digitally, it’s likely that your computer received it in encrypted form — whether you accessed it via our website, or someone sent it to you over email or in another kind of message.

Export Controls

As encryption became widespread, governments and law enforcement stepped up efforts to limit its use. Export controls represented a first attempt. During World War II, encryption and codebreaking proved critical. Militaries were keen to protect their communications during the Cold War and developed new encryption tools that were more useful, more flexible, and more secure than early models — but they did not want that kind of encryption to fall into the hands of their adversaries. During the 1950s, export controls limited the export of strong encryption algorithms for communication in both the US and Europe. Governments deemed these encryption algorithms, and the software incorporating them, as “dual use” technologies subject to export controls.

Discouraged, companies limited investments and turned to weak encryption algorithms not subject to controls to ensure that they could sell their software globally. Encryption technology stagnated — and most systems were easy to circumvent. Ironically, since encryption is just math, anyone could develop and improve their own encryption. If they did so outside export rules, strong encryption would spread around the globe without immediately being commercialized. At the same time, it was clear that commercial use of encryption was important, and the 1996 Wassenaar Arrangement brought 33 countries together to agree on relaxed global export, including for encryption. Unsurprisingly, this has led to better and stronger encryption for everyone.

Today, limited export controls remain in place for encryption hardware, software, and design in the US, EU, and other Wassenaar countries. Encryption technologies have become prevalent in consumer products, with new research and innovation around encryption and security resulting from relaxed export controls and widespread commercial use.

Encryption Back Doors

Many governments are demanding a “back door” into the encryption algorithm that they can exploit. Encryption back doors are designed weaknesses or access points in encryption algorithms. They allow parties, typically government agencies or law enforcement, to bypass encryption and access encrypted data without the knowledge or consent of the data’s owner, and potentially without the knowledge of the company providing the service or device.

For its supporters, back doors offer an appealing approach, allowing services and data to remain encrypted while ensuring law enforcement and other good actors access to needed information. Unfortunately, anyone can use vulnerabilities in the encryption algorithm with the back door — whether they’re the people who created them, the people who are supposed to use them, or the bad actors seeking to exploit the vulnerability. In 2006, for example, the National Security Agency (NSA) introduced a vulnerability into widely used encryption standards so that it could access encrypted content. 4 A decade later, this led to mass surveillance unveiled by the Snowden leaks. Once intentional back doors are injected into algorithms, other actors can exploit them, too — and no one would know.


Photo: NEW LONDON, Conn. – More than 200 women and men participated from military service academies and NSA’s development programs in a three-day competition designed to develop and test cybersecurity skills virtually, April 8-10, 2021. 

This precedent has impacted trust in encryption algorithms for decades, with concern that the NSA and other intelligence agencies continue to work to weaken encryption. 5 In 2012, US law enforcement started asking judges to compel technology companies to break into devices. Law enforcement used the centuries-old All Writs Act in at least 86 cases to attempt to compel companies to make data protected by strong encryption readable by law enforcement, though it is not clear that the courts ever required it. 6

Back doors have been proposed throughout each evolution of the encryption debate. In 2015, UK Prime Minister David Cameron called for outlawing encryption without government access. 7 In 2019, the FBI drafted a resolution for Interpol, an international police organization, condemning strong encryption and calling for encryption back doors to provide exceptional access to law enforcement. 8 US, British, and Australian leaders offered support. End-to-end encryption, they argued, leaves service providers unable to produce content in response to wiretap orders and search warrants and “significantly hinders, or entirely prevents serious criminal and national security investigations.”

Over decades, technology companies, which want to use secure algorithms to protect their information and the information of their users, have rejected these calls — and say that other ways exist to detect illegal content and aid law enforcement. Only a few authoritarian countries led by China and Russia have passed mandates for encryption back doors, and as a result, some companies have stopped operating there.

Encryption Front Doors

After governments faced strong opposition to force encryption back doors, they began demanding “front doors,” using the metaphor to imply that this access was legitimate — like knocking on someone’s door. Front doors, governments insist, allow access to encrypted information legally and with proper oversight, with the knowledge of the companies. They avoid degrading the security and integrity of encrypted systems for other users. The idea is to create a secure and accountable mechanism that enables authorized access to encrypted data without the vulnerabilities inherent in deliberately weakened encryption or back-door access. However, the impact is much the same, regardless of how access to encrypted content is implemented, and companies have roundly rejected the idea.

During the 1990s, the US government proposed a system called the Clipper Chip for secure telephone equipment that would allow law enforcement to decrypt traffic. Manufacturers of phones or other electronic devices would add an encryption key, which would then be provided to the government. FBI Director James Comey raised the idea of front doors again in 2014, followed by Admiral Michael Rogers of the National Security Agency in 2015. Rogers asked technology companies to create multipart encryption keys for their devices and services to allow government access, suggesting that they would lock the front door when it was not needed — taking the metaphor of a front door well past the capabilities of the math involved. 9 10

Unfortunately, front doors are as vulnerable to misuse and exploitation as back doors. 11 Although governments hoped that they would be considered a trusted third party if they looked for a front door, they have been met with skepticism. Regardless of how the front doors into encryption are managed, companies that would need to implement and maintain them have rejected the idea, expressing concerns about transparency and ubiquitous surveillance in the wake of the Snowden revelations. Since then, efforts to share front-door encryption key access have largely been abandoned.

Today’s Encryption Debates

Encryption has become ubiquitous. Some 95% of online traffic is now encrypted, and encrypting stored data is a best practice for individuals and enterprises. 12 As encryption technologies have evolved and become integrated into online products and services, new proposals would prevent companies from implementing strong encryption. Governments often citing national security and the need to fight terrorism, child sexual abuse, election tampering, and other scourges. Brazilian authorities want to break encryption to investigate corruption, Indian police to stop mob violence, and Germans to prevent hate crimes against refugees. No matter the proximate cause, the impact doesn’t change. But the most widespread debate in both the US and EU focuses on child safety.

Client-side scanning

In the face of resistance to front and back doors, government proposals have attempted to shift responsibility for investigation to companies operating digital platforms and messaging services. These proposals do not always mention encryption. Instead, they require companies to search the contents of devices and communications for content — scanning the data before it is encrypted, or using encryption that can be scanned. This scanning often happens on the “client-side” – that is, on the device or service, and sometimes before any crime has been alleged. Even this idea has drawn criticism, with technical experts skeptical that it can avoid the same pitfalls as other proposals to break encryption. 13

Encryption in the United Kingdom

The United Kingdom is on the front lines of encryption efforts. Several UK legislative proposals are moving forward that would require technology companies to break encryption. The Online Safety Bill has given the UK government the ability to demand that online platforms search through photos, files, and messages to find illegal content. It creates stiff fines for companies that don’t comply — including criminal penalties. This changes the debate: it not only requires companies to have access to user content and communications, but deputizes those companies to act as law enforcement, searching through digital content to find potential crimes.

This requirement stretches reality. Technically, the demand that companies read end-to-end encrypted messages is not feasible with today’s technology, and is not likely to be in the future, either.


Photo: Prime Minister Rishi Sunak visits the operation room of the new small boats command in central London and the headquarters of the National Crime Agency. 

Another threat comes from a scheduled update to the Investigatory Powers Act. It would compel companies to inform the Home Office about changes to security features before they are released, and to disable those updates or features that the Home Office deems would impede investigations — without judicial process.

The Home Office has pressed technology companies to avoid implementing end-to-end encryption. 14 If companies already provide this protection, they would be compelled to abandon it. Several leading messaging services, including WhatsApp, Apple, and Signal, have already promised to leave the UK market if these requirements become law. 15 16

Encryption in the European Union

In the EU, the focus is on the Child Sex Abuse Regulation, also called the “Chat Control” law. Under its provisions, messaging services would be required to use automated systems to hunt for content disseminating harmful materials and pass that evidence on to the police. For some service providers, this is possible — but not for those that use strong end-to-end encryption.

The Chat Control law has faced legal scrutiny. While the European Court of Justice has ruled that screening communications metadata is appropriate to safeguard national security, experts within the European Parliament believe judges would be skeptical about going further. According to this internal parliament report, Europe’s privacy regulations would preclude continuous surveillance of content — potentially leading to the recent adoption of text that excludes end-to-end encryption from the scope of the detection orders, which are to be used only when other mitigation measures are not effective. 17 18

Across the Globe

Australia, India, and the US have proposals and laws with similar themes.

Australia is often cited as the author of the democratic world’s most aggressive anti-encryption legislation. Its Assistance and Access Act, passed in 2018, creates the unprecedented requirement that companies create exceptional access tools, even if they don’t have access to the data themselves. 19 Canberra is now fighting with technology companies about whether they will provide access to encrypted data. 20

In India, the Intermediary Guidelines and Digital Media Ethics Code requires platforms to identify the origins of messages and pre-screen content, breaking encryption. 21

In the US, Congress has considered a number of proposals that would require companies to provide exceptional assistance or access to law enforcement. These include the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, the Strengthening Transparency and Obligations to Protect Children Suffering from Abuse and Mistreatment (STOP CSAM) Act, and the Kids Online Safety Act (KOSA). While these proposals often do not address encryption directly and have not passed into law, all potentially impose requirements that serve as de facto requirements that companies degrade security protections.


Photo: The US Capitol building is seen at night before US President Joe Biden addresses a joint session of Congress during the State of the Union address, in Washington, U.S., February 6, 2023. 

Unintended Consequences

Government policies that weaken or bypass encryption pose significant security, privacy, and legal risks. And they may be ineffective.

Security

Laws that force organizations and individuals to weaken encryption leave data and communications vulnerable to unauthorized access and breaches. Encryption is only as strong as the algorithms and keys that are used, and encryption algorithms and software are frequently a target for malicious actors, hackers, and cybercriminals. There is no way to securely give governments — or anyone else — exceptional access. Any door, front or back, will serve as a tempting target.

By forcing technology companies to use weakened encryption, anti-encryption mandates also risk stifling cybersecurity innovation, leaving industries and individuals vulnerable in the long term. If laws require companies to break encryption, it’s a waste of time and resources to roll out improved encryption and cyber defenses.

Privacy and Surveillance

Anti-encryption policies infringe upon individuals’ expectation of privacy for their digital information. Encryption is fundamental to protecting sensitive information. If it is undermined, personal and confidential data are exposed.

Targeted interception can easily slip into ubiquitous surveillance. Technology companies have a strong business interest in ensuring that people trust their services, products, and devices. They consider their duty to protect users from prying eyes, both from governments and criminals. It is impossible to ensure that exceptional access is used only for certain kinds of crimes. Scope creep is inevitable. The same governments that criticize companies’ collection of data seek to require additional surveillance and processing of data for their own purposes.


Photo: Air Force Tech. Sgt. Jochen Emrich, of the 189th Airlift Wing, Communications Flight, Arkansas Air National Guard, assesses real-world cyber threats, Dec. 5, 2021, at Little Rock Air Force Base, Arkansas. 

Global Communication

Given that the internet is a global network, one country’s anti-encryption laws pose interoperability and compatibility issues with other countries that do not share similar laws. These conflicting laws threaten international communications and transactions. The problem is already visible. Under US and EU export controls, companies that wanted to encrypt data globally have been forced to use weak encryption accessible to law enforcement.

A 2015 technical report from the Massachusetts Institute of Technology notes that the complexity of the modern internet, with its myriad platforms and services built on any number of diverse infrastructures, “means that new law enforcement requirements are likely to introduce unanticipated, hard-to-detect security flaws.” 22

Deputization

Some proposals would compel technology companies to search their users’ content for illegal material and, in effect, turn the companies into police or intelligence agencies. Few private enterprises want — or should be forced — to take on this role. It also introduces perverse incentives for companies that are urged to limit their data collection and secure the data that they collect.

Don’t Break Encryption

Effective investigation does not require compromising encryption — there are many less harmful ways to support law enforcement and national security interests. 23 The encryption debate is often presented as a zero-sum game, but alternatives exist for partnerships between companies and law enforcement that do not balloon into a ubiquitous surveillance state. Investigators can usually find the information they need without breaking encryption. Traditional investigative methods often suffice. In a world where digital evidence rails abound, investigators often can make progress incrementally without undermining or banning effective encryption.

Digital Training

Law enforcement teams need to understand about how to work with companies and leverage accessible information. For example, they could access metadata about communications — that is, which accounts communicate with each other and share content, or which accounts disproportionately connect with children. Studies have shown that such metadata-based detection systems can be effective. 24

Alternative access

Law enforcement agencies can physically access devices and employ various techniques to bypass passwords. Information can be sourced from the device of a third party involved in the communication or through other services that may not employ encryption. Unencrypted metadata, which gives insights into patterns of communication, can offer valuable intelligence without requiring a compromise of encryption.

In the US All Writs Act cases, law enforcement found other ways to access phones — hiring someone to break into them or simply asking friends and family to share the phones’ passcodes. Australia’s eSafety Commissioner recently issued several reports outlining many of the ways that platforms are fighting abuse, describing the techniques companies use at all stages that can help detect and prevent it. 25

Collaboration

Technology companies have partnered with law enforcement to detect and combat child safety abuse. No reputable company wants child sexual abuse material on its systems. Indeed, the National Center for Missing & Exploited Children and the International Center for Missing & Exploited Children serve as a bridge between law enforcement agencies and technology companies. Both organizations conduct law enforcement training. Many platforms use their tools to detect child safety abuse on their platforms — and, in turn, contribute money and in-kind human resources to the mission. 26 As part of this collaboration, companies have developed tools to detect child safety abuse and investigate instances of it, without breaking encryption.


Photo: A woman looks at the screens during the Locked Shields, cyber defence exercise organized by NATO Cooperative Cyber Defence Centre of Exellence (CCDCOE) in Tallinn, Estonia April 10, 2019. 

Resources

Law enforcement agencies often need additional resources. We must give them the budget to take advantage of the capabilities that companies put at their disposal. Some of these approaches require relatively low investment, but digital crime labs and training centers need significant funding.

International coordination

Since criminals often do not operate out of any one country, law enforcement and national security organizations have arms that collaborate across borders. There have been many successful collaborations from online platforms facilitating illegal content for international investigations. 27 28 Information sharing and collaboration among these agencies can help solve digital crimes.

Conclusion

The debate over encryption, safety, and security isn’t new; it has been a recurrent theme, with clear tensions. And yet, the conclusion seems clear: No viable middle ground around encryption exists to allow exceptional access to user content.

Each round of debate has a different focus and uses different metaphors about the kind of access that governments demand. From back doors to side doors to windows and keys under doormats, these techniques look to normalize allowing a government to enter a “house” during an investigation. At this point, no viable technical proposals exist to create a secure mechanism that allows authorized access without introducing vulnerabilities. Even with oversight, risks remain that authorities or malicious actors could misuse access to these systems.

On one side, law enforcement seeks access to ensure that it can track and prosecute criminals and threats to public safety. On the other, billions of people using digital platforms and services trust that their messages and information are safe.


Photo: Chanteloup-les-Vignes, France, 4 February 2021. Pupils in computer classes at Rene Cassin College. This college is one of the schools that have benefited from the ”les cites educatives” programme. 

The impasse is exacerbated by the fact that both sides often talk past each other, entrenched in their respective viewpoints around encryption, rather than looking towards the goal of reducing illegal activity and content. Government advocates for restricting or hobbling encryption often disregard other options, including cooperation from companies and new investigatory techniques taking advantage of the large amounts of information that technology can facilitate. Instead, they ignore the impact these anti-encryption measures would have on security for everyone, not just targeted criminals. Additionally, concerned by proposals to weaken encryption, technologists and companies are focused on protecting encryption rather than on how to help law enforcement make the most effective use of information that is already available to them.

This deadlock diminishes hope of reaching a well-rounded, mutually beneficial solution. By failing to consider the range of alternatives available, advocates of weakening encryption put global cybersecurity at risk. They also inhibit the development of more equitable and effective solutions for digital law enforcement. Despite the years of discussions, we find ourselves at a standstill.

Policymakers around the world need to back away from making our digital world less secure with anti-encryption mandates. Instead, they need to use more targeted, and potentially just as effective, tools.

No comments: