Study: Default Encryption Won't Hinder Surveillance
Harvard Report Challenges FBI Director Comey's 'Going Dark' Metaphor
Law enforcement and intelligence agencies will have plenty of chances to snoop on criminals, terrorists and citizens even as communications vendors enable default encryption on mobile devices, a study from Harvard University says.
FBI Director James Comey has spurred a debate with his comments that default encryption by the makers of mobile devices inhibits law enforcement and intelligence agencies, even with court orders, from collecting information that terrorists and criminals try to hide (see Is Idea of Backdoor Really Dead?).
But the report from Harvard University's Berkman Center for Internet & Society, Don't Panic: Making Progress on the Going Dark Debate, says default encryption will not greatly inhibit the ability of law enforcement and intelligence agencies to cull data about criminal and terrorist activities. Because of the way mobile devices and the Internet function, along with the rapid growth of the Internet of Things and networked sensors, the report contends police and intelligence services will have more opportunities to intercept communications from terrorists, criminals and ordinary citizens.
"The report explains why the risks to law enforcement are less than the police often believe they are," says Peter Swire, a former White House privacy counsel.
Not So 'Dark'
The report challenges Comey's contention that default encryption allows cybercriminals and others to "go dark."
"Our issue with the metaphor is that we are trending toward the future in which communications and the ability of law enforcement to conduct surveillance is just not going to be what it is today," says David O'Brien, a Berkman senior researcher who was a member of the group that produced the report. "We don't think that's an accurate take on the situation. ... We really wanted to contextualize the debate by adding in some of these things that have not been part of the conversations."
The group's leader, Jonathan Zittrain, an Internet law professor at Harvard Law School, blogs that a number of human and technical weaknesses within the Internet ecosystem will increase to the point that they will likely create an advantage for the law enforcement and intelligence communities as data collection volume and methods proliferate.
"Consider all those IoT devices with their sensors and poorly updated firmware," Zittrain says. "We're hardly going dark when - fittingly, given the metaphor - our light bulbs have motion detectors and an open port. The label is 'going dark' only because the security state is losing something that it fleetingly had access to, not because it is all of a sudden lacking in vectors for useful information."
Report's Findings
The report reaches five conclusions:
- End-to-end encryption and other technological architectures for concealing user data are unlikely to be adopted universally by companies because most businesses that provide communications services rely on access to user data to generate income and profit and enhance functionality, including user data recovery should a password be forgotten.
- Software ecosystems tend to be disjointed. For encryption to become widespread and comprehensive, far more coordination and standardization than exists would be required.
- IoT and networked sensors will grow significantly, with the potential to significantly change surveillance. The still images, video and audio captured by these devices could enable real-time intercept and recording with after-the-fact access. An inability to monitor an encrypted channel could be mitigated by the ability to monitor a person from afar through a different channel.
- Metadata is not encrypted, and that's unlikely to change. This data, which includes, for example, location data from cell phones and other devices, telephone calling records and header information in e-mail, needs to stay unencrypted for systems to operate. Metadata provides a massive amount of surveillance information that was unavailable before these systems became widespread.
- These trends raise novel questions about how we will protect individual privacy and security. Today's debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.
Strong Business Case
The report makes a strong business case for why failing to get Apple, Google and other mobile device providers to stop default encryption wouldn't deter law enforcement's efforts to collect information from terrorists' and criminals' devices and Web accounts, says Swire, a Georgia Tech law and ethics professor.
"This report is not about mathematics; it shows business reasons why evidence often will be accessible to law enforcement even when some data is encrypted," Swire says.
Besides Zittrain and O'Brien, the report's signatories include Urs Gasser, Berkman Center executive director; Nancy Gertner, retired federal district court judge; Jack Goldsmith, former U.S. assistant attorney general; Susan Landau, Worcester Polytechnic Institute professor of cybersecurity policy; Joseph Nye, former Defense assistant secretary; Matthew Olsen, U.S. National Counterterrorism Center director; Daphna Renan, Justice Department adviser; Bruce Schneier, noted cryptographer, blogger and author; and Larry Schwartztol, Harvard Law School's Criminal Justice Program of Study, Research and Advocacy executive director.