FBI wants to require all encrypted communications systems to have backdoors

[SageVisitor]

The FBI now wants to require all encrypted communications systems to have back doors for surveillance, according to a New York Times report, and to the nation’s top crypto experts it sounds like a battle they’ve fought before.

Back in the 1990s, in what’s remembered as the crypto wars, the FBI and NSA argued that national security would be endangered if they did not have a way to spy on encrypted e-mails, IMs and phone calls. After a long protracted battle, the security community prevailed after mustering detailed technical studies and research that concluded that national security was actually strengthened by wide use of encryption to secure computers and sensitive business and government communications.

Now the FBI is proposing a similar requirement that would require online service providers, perhaps even software makers, to only offer encrypted communication unless the companies have a way to unlock the communications.

In the New York Times story that unveiled the drive, the FBI cited a case where a mobster was using encrypted communication, and the FBI had to sneak into his office to plant a bug. One of the named problems was RIM, the maker of BlackBerrys, which provides encrypted e-mail communications for companies and governments, and which has come under pressure from India and the United Arab Emirates to locate its severs in its countries.

According to the proposal, any company doing business in the States could not create an encrypted communication system without having a way for the government to order the company to decrypt it, and those who currently do offer that service would have to re-tool it. It’s the equivalent of outlawing whispering in real life.

Cryptographers have long argued that back doors aren’t a feature — they are just a security hole that will inevitably be abused by hackers or adversarial governments.

The proposal also contradicts a congressionally-ordered 1996 National Research Council report that found that requiring back doors was not a sensible policy for the government.

“While the use of encryption technologies is not a panacea for all information security problems, we believe that adoption of our recommendations would lead to enhanced protection and privacy for individuals and businesses in many areas, ranging from cellular and other wireless phone conversations to electronic transmission of sensitive business or financial documents,” said committee chair Kenneth W. Dam, professor of American and foreign law at the University of Chicago. “It is true that the spread of encryption technologies will add to the burden of those in government who are charged with carrying out certain law enforcement and intelligence activities. But the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages.”

Moreover, cases of encryption tripping up law enforcement are extremely rare, according the government’s own records. In 2009, for instance, the government got court approval for 2,376 wiretaps and encountered encryption only once — and was able to get the contents of the communication. Statistics for other years show no problems whatsoever for the government.

Jim Dempsey, the West Coast director of the Center for Democracy and Technology, told Wired.com that the FBI is now saying that the numbers are mistaken — and they’ll issue new ones in the spring.

Despite that, the FBI is saying that its spying capabilities could be degraded unless the Congress requires companies using encryption to remake their current systems so that the companies have some way to spy on the communications.

The FBI did not return a call seeking comment, but the FBI’s general counsel Valerie Caproni told the New York Times that companies “can promise strong encryption. They just need to figure out how they can provide us plain text.”

While the scope of the proposal isn’t clear, it would seem to target Hushmail, Skype, RIM and PGP, each of which use encryption to make it possible for users to communicate without fear of being eavesdropped on by the company making the service, hackers, criminals, business competitors, and governments (authoritarian or otherwise).

There’s also a number of open-source software packages that might also get swept up by the proposal, including OpenPGP (an open protocol for sending encrypted e-mails), TOR (a system for disguising the origin of web traffic), and OTR (a system for encrypting instant messages).

University of Pennsylvania computer science professor Matt Blaze, a cryptography expert co-authored a paper in 1998 about the technical limitations of requiring back doors in crypto, says he’s confused by the return of the dream of perfect surveillance capabilities.

“This seems like a far more baffling battle in a lot of ways,” Blaze said. “In the 1990s, the government was trying to prevent something necessary, good and inevitable.”

“In this case they are trying to roll back something that already happened and that people are relying on,” Blaze said.

Few net users realize that they rely on cryptography every day. For instance, online shopping relies on browsers and servers communicating using SSL. Government employees, NGOs and businesses use RIM and PGP’s e-mail encryption systems to safely protect diplomatic secrets, confidential business documents and human rights communications. It’s not clear how those services could continue since they work by having each user create special decryption keys on their own devices, so that no one, including PGP or RIM, could decrypt the communication if they wanted to. In PGP’s case, the company doesn’t even run a mail server.

Skype routes calls through peer-to-peer connections in order to be able to offer free internet calls, uses encryption to prevent the computers in the middle from being able to listen in. Under the FBI’s proposed rules, that architecture would be illegal. Targeted calls would have to be routed through Skype.

“It would make Skype illegal,” said Peter Neumann, a scientist who testified to Congress in the 1990s on the earlier proposal.

“The arguments haven’t changed,” Neumann said. “9/11 was something long predicted and it hasn’t changed the fact that if you are going to do massive surveillance using the ability to decrypt — even with warrants, it would have to be done with enormously careful oversight. Given we don’t have comp systems that are secure, the idea we will have adequate oversight is unattainable.”

“Encryption has life-critical consequences,” Neumann added.

The CDT’s Dempsey, who spent years working on the Hill on digital policy issues, says the issue won’t get to Congress until next year, and depending on the election, could face Republican backlash, especially given that the Tea Party movement is driven in part by a distrust of big government.

Most importantly, for encryption advocates is getting the government to describe in detail what their problems are and what they propose as a solution.

In the 1990s, the NSA created the Clipper chip intended for telecoms to use to encrypt phone calls. The NSA initially refused to let outsiders see the chip, which had a backdoor for the government.

“We, meaning Matt Blaze, Peter Neumann and [Columbia University professor] Steven Bellovin, got them to show us details,” Dempsey said. “Then Matt broke the Clipper chip.”

That put an end to that proposal.

“No disrespect to Matt, but there are 10,000 people who can do what he did, and my worry is half of them work for Moldovian criminal hacker groups,” Dempsey said.

Another concern is that wiretapping requirements in software have a tendency to be used not just by governments bound to the rule of law. For instance, Nokia and Siemens were lambasted last year for selling telecom equipment to Iran that included the ability to wiretap mobile phones at will. Lost in that uproar was the fact that sophisticated wiretapping capabilities became standard issue for technology thanks to the U.S. government’s CALEA rules that require all phone systems, and now broadband systems, to include these capabilities.

Blaze says he’s just confused by the proposal.

“If the point is to discourage the use of encryption broadly, that contradicts the policy position of this administration and the two before it,” Blaze said. “We need to protect the country’s information infrastructure. I was at meeting of the White House and the very same officials backing this were talking about the rollout of DNSSEC [a technology that protects the internet's lookup system from hackers].

“So how do you reconcile that with the policy of discouraging encryption broadly?,” Blaze asked.


FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts | Threat Level | Wired.com

[Gullible]

This is big govt at it's worst. I see more and more of this junk all the time.

"if you aren't doing anything wrong why do you need privacy?"

For about a million reasons, that's all. I trust govt about as much as i trust microsoft. Chinese hackers will have a field day if this passes. They won't have to work as hard to steal our secrets. They will even steal credit card info and use it.

[SWIGRx]

then what would be the point of encryption? thank god the hackers/coders will never let this happen. encryption will ALWAYS be a step ahead of decryption.

[SageVisitor]

then what would be the point of encryption?

To reduce encryption to a point where it may only present challenges for spouses?

[SWIGRx]

To reduce encryption to a point where it may only present challenges for spouses?

the same spouses that put GPS trackers on their counterparts' cars? the same ones that hire PI's? IMO spouses are more nosy than LE, and can be much more cruel (as in leaving with half of what you own). your post cracked me up though. just tryin to jumpstart this thread.

[Anxiously_waiting]

then what would be the point of encryption? thank god the hackers/coders will never let this happen. encryption will ALWAYS be a step ahead of decryption.

This. The FBI can mandate a backdoor for the encryption programs they use, but there will always be open source encryption methods. And really if they do mandate a backdoor, then why not outlaw encryption altogether? essentially thats what they'd be doing, only they'd be the only ones with the keys. And if they did make it to where there was a backdoor, hackers would easily find it and we'd be way worse off.

[Bananastickers]

To reduce encryption to a point where it may only present challenges for spouses?

That's why when anyone mentions enspousing I throw up a peace sign & run top speed in the other direction.

And yes this hopefully will never happen. Why does government think this wouldnt be exploited to the highest degree? A waste of time & resources b/c as anxiously_awaiting said open source will always be there.

Thanks for another good story @SageVisitor!

[vor]

Since the FBI has jurisdiction only in the US, I am wondering how this would work with open source? You couldn't FORCE both sides of the encryption/decryption to comply if it were say in US/EU TOR example. Maybe I'm taking this too far... Great post though!

[dsteury]

All comes down to is the NSA/FBI/CIA spend gos knows how many millions on a classified project code named Raptor which was so be uesed to decrypt any coded communications for keywords, phrases, code name, etc. Three year into the program a whistle blower dropped a dime to the right senator and the agencies were monitoring there communications as well as the families and the list goes on. I remember what all was done but I know the Supreme Court ruled there system was an invasion of privacy and to stop immediately. Now I notice that Guess Raptor I'm sure a modified version is a free Linux down load which encrypts and decrypts Email messages. What this tells me they build a better mouse trap in the last half decade. My opinion only too lazy to look up the particulars it was over a decade ago when the thing blew up wannbe be spooks.

[Carter]

Mere interagency squabbling, the FBI just wants what the NSA already has. Which by the way is scary as sh**.


The only safe communication now is carrier pigeons (sp?)

[sharpiesniffer]

To hopefully make people feel better, current encryption schemes cannot to broken even with supercomputers.

FBI hackers fail to crack TrueCrypt - Techworld.com

Truecrypt uses standard encryption methods that every one has access to.

[Squelix]

@Bananastickers, What is "enspousing"? Is that sort of like getting married? Good one.

[Bananastickers]

@Bananastickers, What is "enspousing"? Is that sort of like getting married? Good one.

It's a word I made up. Judging by your guess it does indeed get my point across.