Attorney General Barr Argues for Access to Encrypted Content
Critics Argue That Backdoors Would Create Security Risks
U.S. Attorney General William Barr argued on Tuesday that “irresponsible encryption” - deployed in applications such as Facebook’s WhatsApp - is endangering public safety, and that giving law enforcement backdoor access would only minimally increase data security risks.
Barr’s remarks, delivered at Fordham University’s International Conference on Cyber Security in New York, extend the U.S. government's longstanding position on encryption.
The FBI and law enforcement agencies contend that end-to-end encryption systems have locked up potential evidence that could be used to fight terrorism, drug trafficking and sexual predators.
“By enabling dangerous criminals to cloak their communications and activities behind an essentially impenetrable digital shield, the deployment of warrant-proof encryption is already imposing huge costs on society,” Barr said, according to his prepared remarks published by the Justice Department.
Barr says allies such as the U.K. and Australia are addressing the encryption issue with new legal frameworks. He advocates that the U.S. should do the same.
“There have been enough dogmatic pronouncements that lawful access simply cannot be done,” Barr said. “It can be, and it must be.”
Barr’s comment drew criticism from Matt Blaze, a professor in the Department of Computer Science at Georgetown. In 1994, Blaze discovered a flaw within the so-called “Clipper” chip, which was a U.S. government plan to allow for law enforcement access to encrypted content. The system was abandoned about two years later.
“I have to say, Barr’s argument that the personal and commercial data protected by encryption isn’t all that important and that software security risks aren’t that big a deal is so flat-earth bizarre that I don’t even know where to begin,” Blaze wrote on Twitter on July 23, 2019.
Sen. Ron Wyden, D-Ore., writes on Twitter: “This is just another attempt by Barr to undermine strong encryption and require government backdoors into Americans’ personal devices. I’m heading to the Senate floor to speak against Barr's dangerous proposal.”
Locking Content
End-to-end encryption systems are designed so that the service provider cannot read the content it relays. The keys needed to decrypt a message exist only on the sender’s and recipient’s devices, so anyone who intercepts the message in transit, the provider included, sees only ciphertext.
There is a bevy of end-to-end encrypted messaging applications, including WhatsApp, Signal, Apple’s iMessage and Wickr. Technology companies redesigned their systems to offer more protection from cybercriminals. Another impetus was the 2013 leaks by former NSA contractor Edward Snowden, which detailed large-scale surveillance programs run by the U.S. and U.K. governments and raised civil liberties concerns.
Barr specifically called out Facebook’s WhatsApp, which finished rolling out the open-source Signal protocol for messaging in 2016. The protocol also provides perfect forward secrecy: the keys used to encrypt each message are derived, used once and discarded, so even if the keys currently held on a user’s device are compromised, they cannot be used to decrypt messages exchanged earlier.
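To make the two properties described above concrete - keys living only on the endpoints, and forward secrecy from per-message keys that are discarded - here is a small added example, not code from the article, WhatsApp or the Signal project. It implements only the symmetric-key ratchet (a one-way KDF chain) that Signal's sending and receiving chains use; the real protocol layers a Diffie-Hellman ratchet on top, and uses AES-CBC with HMAC-SHA256 for message encryption. The cipher below (HMAC-SHA256 in counter mode) is a constructed stand-in chosen only to keep the example dependency-free, and the shared root key is a constructed value standing in for the output of the initial key agreement.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def ratchet_step(chain_key):
    """One step of a symmetric KDF chain: derive this message's key and the
    next chain key from the current chain key. Because HMAC is one-way,
    holding the *next* chain key reveals nothing about this message key
    or any earlier one - that is what gives forward secrecy."""
    message_key = hmac.new(chain_key, b"\x01", HASH).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", HASH).digest()
    return message_key, next_chain_key


def _keystream(key, nonce, length):
    # Constructed stand-in cipher for the demo (HMAC-SHA256 in counter mode).
    # Signal itself uses AES-CBC + HMAC-SHA256; this is not a recommendation.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:length]


def encrypt(message_key, plaintext):
    """Encrypt-then-MAC with keys derived from a single-use message key."""
    enc_key = hmac.new(message_key, b"enc", HASH).digest()
    mac_key = hmac.new(message_key, b"mac", HASH).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, HASH).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(message_key, box):
    """Return the plaintext, or None if the key is wrong or the box was tampered with."""
    enc_key = hmac.new(message_key, b"enc", HASH).digest()
    mac_key = hmac.new(message_key, b"mac", HASH).digest()
    expected = hmac.new(mac_key, box["nonce"] + box["ct"], HASH).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(enc_key, box["nonce"], len(box["ct"]))))


class Chain:
    """Per-device chain state. Only the current chain key and a counter are
    stored; message keys are derived on demand and never written down."""

    def __init__(self, root_key):
        self.chain_key = root_key
        self.index = 0

    def next_message_key(self):
        message_key, self.chain_key = ratchet_step(self.chain_key)  # old chain key is overwritten
        index = self.index
        self.index += 1
        return index, message_key


def send(chain, plaintext):
    index, mk = chain.next_message_key()
    box = encrypt(mk, plaintext)
    box["index"] = index
    return box  # this dict is everything the relaying provider ever sees


def receive(chain, box):
    index, mk = chain.next_message_key()
    if index != box["index"]:
        return None
    return decrypt(mk, box)


def attacker_decrypt(stolen_chain_key, stolen_index, box):
    """Attacker who seized a device's chain state (chain_key, index).
    Messages at or after stolen_index can be decrypted by walking the chain
    forward; earlier ones cannot, since that would require inverting HMAC."""
    if box["index"] < stolen_index:
        return None
    ck = stolen_chain_key
    for _ in range(box["index"] - stolen_index):
        _, ck = ratchet_step(ck)
    mk, _ = ratchet_step(ck)
    return decrypt(mk, box)


def demo():
    root = hashlib.sha256(b"constructed shared secret from the initial key agreement").digest()
    alice, bob = Chain(root), Chain(root)
    transcript = [send(alice, m) for m in (b"msg 1", b"msg 2", b"msg 3")]
    bob_reads = [receive(bob, box) for box in transcript]
    # Device seizure: the attacker images Bob's current chain state after message 3.
    stolen_ck, stolen_idx = bob.chain_key, bob.index
    later = send(alice, b"msg 4")
    bob_reads.append(receive(bob, later))
    return {
        "bob_reads": bob_reads,
        "attacker_past": [attacker_decrypt(stolen_ck, stolen_idx, b) for b in transcript],
        "attacker_future": attacker_decrypt(stolen_ck, stolen_idx, later),
        # Even trying the first key derivable from the stolen state against an old message fails the MAC.
        "wrong_key_attempt": decrypt(ratchet_step(stolen_ck)[0], transcript[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the asymmetry in `attacker_decrypt`: state stolen from a device decrypts everything sent after the seizure (until the DH ratchet, omitted here, rotates the chain), but nothing before it, because each earlier message key was derived from a chain key that no longer exists anywhere and cannot be recomputed from its successor.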
But there are other methods that law enforcement can use. For example, a software vulnerability in a messaging application could potentially be exploited to read messages on the endpoint, where they exist in plaintext before encryption and after decryption. Seizing an offender’s device is another means of accessing data, provided the device can be unlocked.
Law enforcement, however, is seeking a way to access encrypted information, which Barr emphasizes would be done with a warrant and in compliance with Fourth Amendment principles.
Tradeoff: Public Safety vs. Security
Technology companies, including Apple, have maintained there is no safe way of allowing backdoors in applications without increasing the risks from nation-state attackers and cybercriminals.
In early 2016, Apple resisted a court order that it create a special version of its iOS mobile operating system. The FBI sought to unlock an iPhone 5C belonging to one of the attackers in the 2015 San Bernardino, Calif., shooting. Apple CEO Tim Cook called engineering such a tool the equivalent of creating “cancer,” and the Justice Department dropped its legal action.
Barr argued that it's possible to safely design a backdoored system.
“For example, providers design their products to allow access for software updates using centrally managed security keys,” Barr said. “We know of no instance where encryption has been defeated by compromise of those provider-maintained keys. Providers have been able to protect them.”
He contended that society would be safer with lawful access with only slightly increased risks to data security.
“If the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek, or a world where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcement's access to zero percent - the choice for society is clear,” Barr said.
U.K., Australia Move Forward
The U.K. and Australia have been among the most aggressive western countries in legislating ways to press technology companies into subverting their own security measures.
The U.K.’s Investigatory Powers Act 2016 gives the government leverage to ask technology companies to remove electronic protections on encrypted content.
Australia took encryption-busting further when Parliament passed the Assistance and Access Bill 2018 in December 2018. Under the law, an organization can be served with a technical assistance request, which asks for voluntary cooperation (see: Australia Passes Encryption-Busting Law).
The more concerning actions are compulsory: a technical assistance notice compels a company to help using capabilities it already has, and a technical capability notice could force a company to build a new capability to get around encryption or otherwise subvert it (see: Australia's Crypto-Cracking Law Is Spooking Big Tech).
The law was hurried through on the last sitting day of Parliament over strong opposition from civil liberties groups and technology companies. The government acknowledged the law was flawed and pledged to fix it this year. The law is currently under review (see: Tech Industry Pushes for Australian Encryption Law Changes).
The Australian news outlet ABC reported on July 10 that the government consulted international technology companies such as Apple, Facebook and Google while the legislation was being developed. But it didn’t consult Australian startups or IT companies aside from telecommunication companies.
Some Australian companies argue that the law is hampering their business opportunities outside the country because the government could serve them with a secret notice to intercept content.