{"id":57475,"date":"2015-05-04T12:00:50","date_gmt":"2015-05-04T11:00:50","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=57475"},"modified":"2015-05-05T21:24:41","modified_gmt":"2015-05-05T20:24:41","slug":"feds-are-using-fear-not-facts-in-anti-encryption-crusade","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/05\/feds-are-using-fear-not-facts-in-anti-encryption-crusade\/","title":{"rendered":"Feds Are Using Fear, Not Facts, in Anti-Encryption Crusade"},"content":{"rendered":"

Federal agencies say encryption will doom us, but they\u2019re already using spy tools that circumvent it.<\/em><\/p>\n

30 Apr 2015 – <\/em>For months, the FBI, the National Security Agency and an alphabet soup of other spooky agencies have been lashing out at tech companies that have responded to former NSA contractor Edward Snowden\u2019s surveillance revelations by starting to protect customers with stronger encryption. But it\u2019s increasingly obvious that the government\u2019s crypto panic is powered by fear, not facts.<\/p>\n

Last week at the RSA security conference in San Francisco, Department of Homeland Security Director Jeh Johnson begged Silicon Valley<\/a> companies to give the government access to encrypted communications, asking the crowd to \u201cimagine the problems if well after the advent of the telephone, the warrant authority of the government to investigate crime had extended only to the U.S. mail.\u201d<\/p>\n

\u201cImagine an America where federal, state and municipal law enforcement agencies cannot access critical communications, even when legally authorized to do so,\u201d begins<\/a> a recent Wall Street Journal blog post written by Amy Hess, the FBI\u2019s executive assistant director. \u201cImagine the injustice if a suspected criminal can hide incriminating communications without fear of discovery by the police or if information that could exonerate an innocent party is inaccessible.\u201d<\/p>\n

The reason the FBI, Homeland Security and other agencies want us to imagine these frightening scenarios is that their encryption problem is just that: imaginary. It\u2019s built on the false premise that making encryption more accessible will allow criminals to shield themselves from the law. The only solution, the government says, is for companies to put backdoors into their devices and apps, which by definition means installing defects<\/a> that make our data more vulnerable to criminals and spies.<\/p>\n

One need look only at what law enforcement agencies are doing in secret to see that these predictions of digital anarchy are pure fantasy.<\/p>\n

Earlier this month, Motherboard reporter Lorenzo Franceschi-Bicchierai discovered that the Drug Enforcement Administration has been buying hacking tools<\/a> from an Italian company, Hacking Team, through a shell company based in Maryland. The software, Remote Control System, is a remote host-based interception suite that allows police to infect devices, steal passwords, intercept Skype calls and even monitor targets in real time through their webcams. Researchers discovered it (and a competing product, FinFisher<\/a>) is being used to spy on journalists and activists<\/a> in Morocco, Ethiopia, the United Arab Emirates and other countries<\/a> with notoriously poor human rights records.<\/p>\n

Here\u2019s how Hacking Team advertises<\/a> the software (emphasis added):<\/p>\n

You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption<\/em>, collect relevant data out of any device<\/em> and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that.<\/em><\/p>\n

These kinds of tools aren\u2019t new, but their recent prevalence as commercial products underscores how government agencies are increasingly utilizing hacker techniques. The FBI has been in the hacking business for more than a decade, and it recently won new powers<\/a> to hack computers even when their user and location are unknown. This despite the fact that in 2013, a judge in Texas rejected an FBI request to send spyware<\/a> to an unknown suspect\u2019s computer, saying the agency offered \u201clittle more than vague assurances\u201d that it wouldn\u2019t intrude on innocents in the process.<\/p>\n

From a practical standpoint, these tactics make sense. Encryption protects data using impossibly complicated math, and it\u2019s infinitely easier to solve complicated math problems by stealing the answers than by cracking the code. The strongest encryption in the world won\u2019t save you if someone can get inside your computer and steal your encryption keys, and products such as Remote Control System and FinFisher are giving those capabilities to police and governments around the globe.<\/p>\n

It might also explain why U.S. agencies are still unable to show a single case in which encryption has crippled a criminal investigation. According to annual reports presented to Congress since 1997, encryption wasn\u2019t an obstacle to government wiretaps even once until 2012<\/a>. Of the 3,576 wiretaps authorized in 2013, the government was bested by encryption in only nine cases<\/a>. None of those cases involved terrorists, kidnappers or any of the other cyberbogeymen the FBI keeps warning about, and there\u2019s no indication that encryption alone prevented any crimes from being solved.<\/p>\n

So either government agencies are being incredibly modest or they\u2019re simply hiding the fact that encryption isn\u2019t a real problem because they already have the means to circumvent it.<\/p>\n

Of course, giving police hacking powers presents a whole new set of problems. When should they be allowed to break into someone\u2019s computer? How would a judge ensure that they\u2019re hacking the right device and that innocent bystanders won\u2019t be affected? How long should a police or government agency be allowed to exploit a commercial software vulnerability for hacking purposes?<\/p>\n

Hacking isn\u2019t the only way police can get access to encrypted communications. In most cases, a court will simply compel a suspect to surrender their passwords or encryption keys. And the four-digit PIN that protects your iPhone or Android can be easily cracked in a matter of days<\/a>.<\/p>\n

When it comes to encrypted messaging apps such as WhatsApp and Signal, another option for the government is to force companies to send a fake key to the target. Even though the companies can\u2019t read their users\u2019 messages, they still control the system that distributes the keys needed to encrypt them. That means the FBI could compel WhatsApp to send a suspect an FBI key instead of an intended recipient\u2019s, allowing agents to decrypt the message.<\/p>\n

These aren\u2019t perfect solutions, but their targeted nature undoubtedly makes them better options than forcing tech companies to build backdoors for police. Security experts have warned again and again<\/a> that you can\u2019t create \u201cgolden keys\u201d for the FBI that will be safe from Chinese hackers and Russian credit card thieves \u2014 a backdoor for one can be found and exploited by all.<\/p>\n

The FBI keeps plugging its ears and saying there\u2019s a way to make backdoors work. But so far, its only ideas are fantasies. Take the split key escrow system, in which a \u201ctrusted third party\u201d such as the FBI holds a portion of the keys needed to decrypt data. Cryptographers<\/a> rejected this concept nearly two decades ago.<\/p>\n

Testifying before Congress on Wednesday<\/a> (PDF), Matt Blaze, the cryptographer who famously discovered flaws in the NSA\u2019s proposed Clipper Chip<\/a> key escrow system, said:<\/p>\n

Harsh technical realities make such an ideal solution effectively impossible, and attempts to mandate one would do enormous harm to the security and reliability of our nation\u2019s infrastructure, the future of our innovation economy and our national security.<\/p>\n

Amazingly, when Rep. Blake Farenthold, R-Texas, asked<\/a> the panel of experts at the hearing whether anyone thought it was possible to build secure crypto backdoors, no one \u2014 including the FBI\u2019s own expert witness \u2014 raised their hand. That law enforcement groups continue to ignore this broad consensus proves that their position relies on scaremongering and distortions.<\/p>\n

These agencies need to accept that they can\u2019t have their cake and eat it too. Criminals have always taken steps to avoid being caught, and if we\u2019ve learned anything from the FBI\u2019s takedown of the online drug bazaar Silk Road, it\u2019s that even the strongest encryption and anonymity tools can\u2019t stop people from making mistakes.<\/p>\n

In asking for backdoors, the government is simply trying to double down on surveillance powers while putting the security of law-abiding citizens at risk \u2014 and inviting other countries to come knocking for golden keys of their own.<\/p>\n

______________________________<\/p>\n

Joshua Kopstein is a cyberculture journalist and researcher from New York City. His work focuses on Internet law and disorder, surveillance and government secrecy.<\/em><\/p>\n

Go to Original \u2013 aljazeera.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Federal agencies say encryption will doom us, but they\u2019re already using spy tools that circumvent it. That law enforcement groups continue to ignore a broad consensus of experts speaks to how desperately their position relies on scaremongering and distortions. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-57475","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/57475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=57475"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/57475\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=57475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=57475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=57475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}