The Encryption Witch Hunt
Written by Nikos Vaggalis   
Monday, 06 January 2020

A Senate Judiciary Committee hearing was convened on December 10, 2019 to confront the ongoing conflict between government and law enforcement agencies and the tech industry regarding encryption. Experts from Apple and Facebook gave testimony but it was clear from the outset that the verdict had been reached before the hearing even began: encryption is an evil that must be sacrificed in the interests of law enforcement.


I've followed the press and read many articles about it, but unfortunately none of the coverage went into the level of detail I wanted. So I set about doing it myself. This is my in-depth commentary, from a technologist's perspective, on Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy. Follow this link if you want to view the original video recording.

It is important to analyze what took place during the 2 hour 21 minute hearing in order to understand the way governments are approaching this issue. It reveals a general lack of understanding of how encryption technology works and a hostile attitude towards the tech industry, represented in this case by Apple and Facebook.

Although the hearing was concerned with every kind of encryption, in the main it was concerned with full device encryption. In particular it focused on the mass shooting at San Bernardino where the shooter's mobile phone was retrieved but the phone's manufacturer, Apple, "denied" unlocking it even though unlocking phones provides major evidence in major crime scenes.

This misinterpretation of "denial" in unlocking the phone was at the core of the attempts to persecute encryption. It became more complicated when distinguished New York District Attorney (DA) Mr. Cyrus R. Vance maintained that formerly, before 2014, Apple routinely provided his office with data on its users, and that it was the upgrade to iOS 8 in fall 2014 that made the contents of Apple phones inaccessible. But how was Apple able to give access to encrypted data pre-2014? According to Vance, by using a key that only Apple knew, implying that a backdoor had already existed!


Apple's Mr. Erik Neuenschwander tried in vain to explain that Apple never denied a request for cooperation and that even Apple hasn't got access to the encrypted data of its users so they simply can't comply; it's the way encryption works.

Continuing, he dispelled the myth that there was ever such a key which would give them access to the encrypted data. What changed in 2014 was the switch to full device encryption, in contrast to the state before, when the data at rest was stored on the device's storage media unencrypted.

His attempt at vindication was in vain. The committee wouldn't listen to any of it because, as the hearing progressed, its members kept coming back to bad Apple (pun intended) for having revoked the key.

Two examples where device encryption hindered investigations were given. One was of child exploitation by a baby sitter. The DA's department seized her phone and broke into it by hiring a third party service which used hacking tools and zero day exploits. The issue with this outsourcing is that the New York DA's office is one of the few law enforcement units that possesses the resources to hire such expensive third party expertise; for most other units such a cost is prohibitive.

In another case, of sex trafficking, the law enforcement agencies couldn't break into the phone so the investigation came to a halt. All in all, out of 1600 confiscated phones only half could be unlocked. This wasn't the case pre-2014, prompting the DA to ask Apple to return its devices to that state.

Neuenschwander explained that the redesign was customer driven, as most customers wanted their data protected even after their phones got stolen; otherwise even common criminals could have the phone's data extracted to exploit or blackmail the owner or steal their identity. Rolling back would leave them vulnerable again.


But despite Neuenschwander's attempts to dispel the myth of a backdoor or key, the impression persisted that before 2014 Apple was complying with court orders in retrieving data from phones and that afterwards it somehow stopped complying. The truth is that Apple hasn't stopped complying; after 2014 it couldn't help because it couldn't access its own devices.

The DA's reasoning was that product designs are man-made, which means that tech companies can do as they please in designing their products and that by extension they could design to support government access.

Neuenschwander replied that weakening encryption for the government would weaken it for everyone else, even for the most vulnerable whom law enforcement was looking to protect, weakening everybody's privacy and security as a consequence. He also reiterated the merits of encryption in keeping us safe from perpetrators, keeping e-commerce and transactions over the internet rolling, safely controlling our homes and vehicles, and even protecting the country's infrastructure in healthcare and electricity grids.

Professor Matt Tait, Cyber Security Fellow at the University of Texas at Austin, outlined another dimension to the issue of encryption: that it is important to distinguish between the types of encryption and the challenges that each poses to law enforcement:

  1. device encryption, which the DA was most concerned with
  2. end to end encrypted messaging apps, which prevent wire tapping
  3. cyber-tips, that is detecting illegal material such as child exploitation images over a communication platform

The current countermeasure for type 1, device encryption, is to use hacking tools to exploit vulnerabilities in the phone's Operating System. As for types 2 and 3, since the communication can't be intercepted, other countermeasures can be employed, like scanning for malicious material on the end device itself.

In summing up, Professor Tait explained that there are, or can be, solutions that do not require circumventing encryption.

At this point both Apple's and Facebook's representatives told the panel that they closely cooperate with authorities, replying to requests, training law enforcement officials, scanning their networks with AI, doing behavioral analysis and using the unencrypted meta-data to prevent illegal activities. Facebook has 35K employees working in this particular field, taking down videos, imagery and fake accounts, detecting and preventing harm. These initiatives I think clearly answer one panelist's question of "Do you care about the victims?".

Again, a senator called out Apple for only filing 43 child abuse reports compared to Facebook's millions, so by definition Apple doesn't care as much or doesn't do as much as Facebook. Of course, Apple's representative, whose anguish one could clearly read, tried to reply that these cases are different and can't be compared: devices versus messaging apps that serve billions of messages.

But the discussion was veering in one direction only: find a way to let us in or we will impose our will on you! I had thought that a hearing on evaluating the "Benefits and Risks to Public Safety and Privacy" meant that all stakeholders would come together and discuss possible solutions by trying to find middle ground; this defied the purpose. You could however sense that the parties are so far apart that only legislation could settle it. The problem is what kind of legislation, and how applicable is it going to be?



Last Updated ( Thursday, 09 January 2020 )