The government thinks your emails are too secure. And your text messages. Oh, and your messaging apps. In fact, anything that relies on cryptography. Your messages are too secure in transit. And they are too secure when stored. They are too secure on your computers, your phone, in the cloud, in the control of third parties. And it’s about time someone did something about it. Of course, that’s not how that government would put it. On Sunday, October 11, the U.S. Justice Department issued a press release together with the governments of the other “five eyes” nations (United Kingdom, Australia, New Zealand and Canada) urging the technology industry to finally do something about secure communications! Not to make them more secure, but to make them less secure. In the press release, DOJ urged the tech industry “to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content” and called upon these tech companies to redesign the way they secure communications to “enable law enforcement access to content in a readable and usable format” and to give governments a say in how the security of communications is designed with the goal of ensuring that these governments can get access to communications at any time. In particular, the DOJ and the five eyes countries call out “end-to-end encryption that precludes lawful access to the content of communications in any circumstances.” You know, the kind of encryption that actually protects the contents of information, rather than “point to point” encryption that is vulnerable to hacking, spoofing, MITM (Man in the Middle) attacks and other forms of attack.
Of course, end to end encryption does not “preclude lawful access to the content of communications.” It just changes HOW law enforcement or intelligence agencies can get access to those contents. For things like email, it means that, if the government (or a private litigant) want to read an email, it must force the sender or recipient to give up the email rather than “intercepting” the email in transmission, or compelling some intermediary email provider to provide plain text versions of the email. With true end to end encryption, only the sender and recipient can read the mail.
The DOJ memo presents the scourge of child pornography as grounds for needing the tech industry to weaken encryption for everyone. They note, that in 2018, Facebook Messenger was responsible for nearly 12 million of the 18.4 million worldwide reports of CSAM [child sexual abuse material to the US National Center for Missing and Exploited Children (NCMEC)].” In other words, Facebook currently scans the contents of their customer’s messages, and if they find a communication or file that is likely CSAM, they report it to NCMEC and then to the FBI. That is, Facebook scans the contents of everyone’s communications. Every message. By everyone. Grandparents pictures of their grandkids. A meme. A newspaper article. All of them are scanned for kiddie porn by Facebook. But the FBI is worried that this might not continue if either Facebook were to implement end-to-end encryption or if users started encrypting their messages with their own “home grown” crypto. If people started taking security seriously, and if the technology made it easy for them to do so, DOJ warns “[t]these [CSAM] reports risk disappearing.”
They’re not wrong — it’s just that they’re not right either. If it becomes easier for people to have secure and confidential communications, the government loses the ability to quickly and easily monitor what they are doing. Not only can’t they have ISP’s and other providers scan communications for them (well, for NCMEC), but they can’t force these third parties to produce plain text communications — even when they have a warrant. This WILL mean that terrorist and child porn investigations will be harder to do, as will tax fraud, securities fraud, and run of the mill politician having affair with a WOTHW (Woman Other Than His Wife) investigations. It’s harder to investigate crimes when communications are secret. And criminals will go free. Some of them pretty bad criminals.
But what the DOJ (and the five eyes guys) don’t mention is that we are living in the golden age of government surveillance. From the beginning of this country in 1776 to about the mid-1980’s, conducting surveillance was a slow, labor intensive, time consuming, costly and only partially effective enterprise. If you wanted to know where someone was going, you had to follow them with a team of cops. Sure, you could track someone’s credit card payments, but people still paid cash for things. You could monitor the calls they made (from and to) but to “read” the contents of their communications (mail, letters, etc.) required physical intervention and people reading (mostly). If you wanted to track someone driving you had to put a device in their car and follow them. If you wanted to see what was going on in their house, you needed to install a camera. Now, people can be tracked, their communications monitored, their friends identified, their interests surveilled, and their movements registered — often with a click of a button. Yet the five eyes complain that they can’t conduct surveillance.
What the DOJ and other five eyes guys want — or at least what they say they want — is simple. Strong, robust, unbreakable encryption which is weak, not robust, and breakable. They want a “back door” so that they — and only they — can read anyone’s communications. And a unicorn. They want a unicorn too. Because both of those things don’t exist. Sure, maybe it could be developed, but the problem is not technological alone. If you create a vulnerability – a weakness – a back door, you have created weakened encryption. And then you rely on the bona fides of the person with the master key (or keys) to use them properly and not share them, and on the fact that nobody will ever come up with a way to duplicate the master key. Here’s a simple question for the five eyes guys — if there was an end to end encryption program with a back door key that only you and the other five eyes guys had, and you wanted to keep things secret, would you use it, or would you use an end to end encryption that had NO back door keys? Easy peasy lemon squeezy.
And let’s face it. If there was such secret sorta crypto, the really bad guys (terrorists, state actors, etc.) would just use stronger crypto and layer it over the weaker crypto. Sure, there might be vulnerabilities, but the fact is, society is made safer, more secure and more reliable if we all have access to ubiquitous encryption that works end to end without us having to do anything. And the government has been fighting against that since the days of clipper ships. Sorry, since the days of clipper chips. Chips.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.