Code Specialists Oppose U.S. and British Government Access to Encrypted Communication
SAN
FRANCISCO — An elite group of code makers and code breakers is taking
American and British intelligence and law enforcement agencies to task
in a new paper that evaluates government proposals to maintain special
access to encrypted digital communications.
On
Tuesday, the group — 13 of the world’s pre-eminent cryptographers,
computer scientists and security specialists — released the paper,
which concludes there is no viable technical solution that would allow
the American and British governments to gain “exceptional access” to
encrypted communications without putting the world’s most confidential
data and critical infrastructure in danger.
The
report was released a day before James B. Comey Jr., the director of
the Federal Bureau of Investigation, and Sally Quillian Yates, the
deputy attorney general at the Justice Department, are scheduled to
testify before the Senate Judiciary Committee on the concerns that they
and other government agencies have about “going dark” — the fear that
new encryption technologies will prevent them from monitoring the
communications of kidnappers, terrorists and other adversaries.
The
authors of the report said such fears did not justify putting the
world’s digital communications at risk. Given the inherent
vulnerabilities of the Internet, they argued, reducing encryption is not
an option. Handing governments a key to encrypted communications would
also require an extraordinary degree of trust. With government agency
breaches now the norm — most recently at the United States Office of Personnel Management,
the State Department and the White House — the security specialists
said authorities cannot be trusted to keep such keys safe from hackers
and criminals. They added that if the United States and Britain mandated backdoor keys to communications, it would spur China and other governments in foreign markets to do the same.
“Such
access will open doors through which criminals and malicious
nation-states can attack the very individuals law enforcement seeks to
defend,” the report said. “The costs would be substantial, the damage to
innovation severe, and the consequences to economic growth hard to
predict. The costs to the developed countries’ soft power and to our
moral authority would also be considerable.”
While government pleas for exceptional access to encrypted communications have already drawn plenty of criticism
from privacy advocates and technology companies, the report is the
first in-depth, technical analysis of government proposals by leading
cryptographers and security thinkers. The group — which includes
Whitfield Diffie, a pioneer of public key cryptography, and Ronald L.
Rivest, the “R” in the widely used RSA public cryptography algorithm —
fought a similar proposal for encryption access in 1997.
Back
then, the group analyzed the technical risks and practical shortcomings
of a proposal in the Clinton administration called the Clipper chip.
Clipper would have poked a hole in cryptographic systems by requiring
technology manufacturers to include a small hardware chip in their
products that would have ensured the government would always be able to
unlock scrambled communications.
The
group of cryptographers won that round. The Clinton administration,
which had pushed for the Clipper chip, abandoned the effort after the
group’s analysis showed it would have been technically unfeasible. An
unlikely coalition of technologists, liberals, conservatives and even
evangelicals argued that the chip would destroy privacy. The final nail
in the coffin came after Matthew Blaze,
then a 32-year-old computer scientist at AT&T Bell Laboratories,
discovered a flaw in the Clipper system that would have allowed anyone
with technical know-how to get access to the key to encrypted
communications.
Now
the group of cryptographers has convened for the first time since 1997.
“The decisions for policy makers are going to shape the future of the
global Internet and we want to make sure they get the technology
analysis right,” said Daniel J. Weitzner, head of the MIT Cybersecurity
and Internet Policy Research Initiative and a former deputy chief
technology officer at the White House, who coordinated the latest
report.
Encryption
has been gaining momentum — and been hotly debated — over the last few
years, after several security breaches and revelations by Edward J.
Snowden, the former National Security Agency contractor, which showed
the extent to which the United States and its allies were siphoning and
spying on digital communications. Leading technology companies,
including Microsoft, Facebook and Twitter, have been moving to transient
messaging plans that dispose of the encryption key to customers’
messages once their session ends.
If
American and British government proposals were carried out, those
companies would have to ease such programs. In Britain, Prime Minister
David Cameron has threatened to ban encrypted messaging apps altogether.
In the United States, Michael S. Rogers, the director of the N.S.A.,
has proposed that technology companies be required to create a digital
key that could unlock encrypted communications, but divide and secure
the key into pieces so that no one person or government agency could use
it alone.
The
report’s authors argue that not only is such a plan technically
unfeasible, the approach understates how much higher the stakes are
today. In the 1990s, the Internet era was just beginning — their 1997
report is littered with references to “electronic mail” and “facsimile
communications,” which are now quaint communications methods. Today, the
government’s plans could affect the technology used to lock financial
institutions and medical data, and poke a hole in mobile devices and the
countless other critical systems — including pipelines, nuclear
facilities, the power grid — that are moving online rapidly.
“The
problems now are much worse than they were in 1997,” said Peter G.
Neumann, a co-author of both the 1997 report and the new paper, who is a
computer security pioneer at SRI International, the Silicon Valley
research laboratory. “There are more vulnerabilities than ever, more
ways to exploit them than ever, and now the government wants to dumb
everything down further.”
Other
report authors include Harold Abelson, a computer science professor at
MIT; Josh Benaloh, a leading cryptographer at Microsoft; Susan Landau, a
professor of cybersecurity at Worcester Polytechnic Institute and
formerly a senior privacy analyst at Google; and Bruce Schneier, a
fellow at the Berkman Center for Internet and Society at Harvard Law
School and a widely read security author.
“The
government’s proposals for exceptional access are wrong in principle
and unworkable in practice,” said Ross Anderson, a professor of security
engineering at the University of Cambridge and the paper’s sole author
in Britain. “That is the message we are going to be hammering home again
and again over the next few months as we oppose these proposals in your
country and in ours.”
No comments:
Post a Comment