Now it was the turn of Facebook, and end to end encryption apps, to face the grilling. This. however, wasn't as intense as Apple's because the main witness, the New York DA, was mostly concerned with Apple's doings regarding device encryption. For his part, Facebook's representative Mr. Jay Sullivan, noted that even when you manage to control and compromise WhatsApp or FB Messenger, people would switch to applications like Telegram, that are beyond the US government's reach and repeated its assurance that FB Messenger will start encrypting messages in 2 years time, while WhatsApp had encryption built in from the beginning.

There was an interesting question at this point: given FB's lax privacy practices, how is FB going to profit from the Messenger app if it can no longer read the messages circulating through its network? No clear answer was given..

One panelist pondered, if we leave out the good parts of encryption and someone dies because of it, do you (Apple, FB) accept responsibility/liability?

I would argue that a car can be used for good, taking people from home to work, but at the same time it can also be used to slam into people. Is Toyota to blame?

At last, at 1:19:30, things were put into the right perspective, courtesy of Senator Mr Mike Lee, who appeared to possess the appropriate technical background to ask the right questions.

He asked whether is it feasible to technically introduce a backdoor for law enforcement without leading to a vulnerability which in turn could result in a breach of the device's user's privacy, who could very well be a child? Neuenschwander's response was that Apple wouldn't be able to find a way to do that without weakening its product. Then Senator Lee asked Mr Vance for his response. The answer reiterated the points he had made earlier and confirmed his entrenched position that Apple is being deliberately obstructive.

Later Senator Lee asked even tougher questions, something along the lines of:

Mr Vance, you prosecute drug cartels who have revenues that most US blue chip companies would envy. Don't you think that they could invest a lot of money on reverse engineering a backdoor and break into an Apple device? Would you feel comfortable if the Sinaloa cartel could hack into your device?

Personally I think that the deeper issue is the government's perceived lack of control over the tech industry and its opinion that it is time to step up and regain it. It was mentioned that the tech industry enjoys immunity and does as it pleases, like deciding by themselves to switch to end-to-end encryption without consulting anyone. Frankly they do so because technology is springing forward so fast that the gaps it leaves behind are so wide that they can't be filled in time. Technology pushes the boundaries and raises new challenges for society to tackle,moving too fast for legislation to keep pace with. This is especially conspicuous in the field of AI technology and the many questions on law and ethics it leaves unanswered, see Ethics Guidelines For Trustworthy AI and How AI Discriminates.

I understand where the government comes from and what it is looking to achieve. Criminals should not be allowed to use encryption in order to go about their doings unhindered, they can't be above the law. I think that everybody recognizes and agrees with that. But there are, or there should be, better alternatives to compromising encryption. The trade offs of  backdoors have been extensively presented in this hearing.

It's important to understand that software engineers strive to produce bug free software driven by both quality and security. As far as the latter goes, they're always looking to eliminate potential attack vectors. Asking them to do the reverse,that is to deliberately introduce attack vectors to weaken their product, goes against everything they strive for in their craft.

If you are familiar with the reverse engineering scene, you should also be familiar with the term "keygen". Software houses make their software fully functional or allow it to be operated or registered by issuing unique keys only to their buyers, that way countering piracy. Pirates however are very smart people who, in many cases, manage to reverse engineer the algorithms which validate those keys, so that they can generate new ones in order to break the licensing scheme and own the applications without paying. The next step is to automate this procedure by writing keygens, or key generators, small executables which can spit out such keys. The last step is to release the keygens to the public or circulate them in underground dark markets. In that sense a backdoor on an Apple device requiring a key could also result in the crafting of the corresponding keygen, that way exposing the device to not just one or two, but hundreds of foul actors with malicious intent.

Another example is the Web and HTTPS encryption. Each server has got a private RSA key with which encrypts its session with your browser so that all data exchanged in between can't be read by third parties. Getting hold of this key can decrypt all communication, past or future, going through that server;,say all email you've ever exchanged. For this reason Google and the rest of the industry have switched their key exchange algorithms from RSA to Diffie-Hellman (which provides perfect forward secrecy) because the latter uses ephemeral keys, that is disposable keys which even when intercepted can be used only for decrypting the current session. This goes to show why the idea of installing a backdoor with some keys to the gate is a very dangerous idea.

Compromising such backdoors is a scenario which requires resources, but is quite plausible if you consider the interested parties: drug cartels, states, hacking groups, industrial spies and those very bright, but peculiar enough, and inclined to break things just for the sake of it.

As a matter of fact, the panelists looked like having second thoughts and retreating a bit only when the terms "Foreign","China" or "Russia" were mentioned. Adopting foreign apps if the US tries to regulate, or China and Russia managing to exploit these backdoors. After all,the scare and banning of Huwaei allegedly planting backdoors into 5g networks is very recent.

A comment made at the beginning of the hearing noted that although everybody's privacy should be respected, upon a warrant being issued law enforcement should be able to break into your home.The same should hold true for breaking into your phone too. The problem with this statement when it comes to installing backdoors is that the warrant doesn't just affect the suspect at hand, but it also affects everyone else, you can break into anyone's phone be it a suspect or not.

In closing the hearing, Senator Lee concluded that approaching such a delicate issue should not descend into a contest of who loves children and who acts with reckless disregard towards them. One of the reasons that such extreme examples are used is to demonize someone; if you can make them look recklessly indifferent to the needs of children then you can make them an enemy, hence able to disqualify everything they say. This is the opposite of the civility necessary in our society, prompting him to ask for more respect for each other and the witnesses in particular in approaching such a difficult and sensitive issue. And to prove how delicate the issue is, he flipped the argument; that if encryption is to be weakened then children could be harmed as a consequence too.

I urge you to listen to Senator Lee's second round in the final ten minutes of the hearing, starting around 2:12. It's really enlightening and reflects the true state of affairs.

The witnesses' seats in the hearing were occupied by Facebook and Apple but it's important to note that the rest of industry, such as IBM (against Australia’s anti-encryption laws) as well as critical public institutions such as the US Department of Defense, have openly spoken out against backdoors.

This just about nicely sums up the hearing. Its purpose wasn't to discuss, but to serve an ultimatum; give us access or we will get it by force. In an ideal world, the topic should have been more like: "Ways to assist law enforcement without breaking encryption".

More Information

Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy

Related Articles

Ethics Guidelines For Trustworthy AI

How AI Discriminates

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info