The current state of the post-Paris, post-San Bernardino encryption debate, via the WSJ:
A number of lawmakers on Thursday expressed a growing frustration with technology companies and signaled Congress would consider either curbing encrypted communications or allowing law enforcement to gain new access to records, a sharp reversal from a multi-year shift towards more privacy.
Encryption is one of the most complicated issues weighing on lawmakers now, partly because the technology has far outpaced investigators’ ability to crack it. Some encrypted messages, known as end-to-end encryption, can only be read by the sender and receiver, making it very difficult – and often impossible – for law-enforcement officials or others to crack the code.
FBI Director James Comey Jr. testifies at a Senate Judiciary Committee on Capitol Hill in Washington December 9, 2015, regarding the events in San Bernardino, California. REUTERS/Joshua Roberts.
Companies promote these services as boosting privacy from spying eyes or even hackers, but Mr. Comey, National Security Agency Director Adm. Mike Rogers and others have said this technology can raise national security concerns as well.
Talks between law enforcement and technology companies had faltered earlier this year, and White House officials decided not to press for specific legislation that might give the FBI more power. Some cryptology experts have said either a message is encrypted or it’s not, and if a “backdoor” is left for law enforcement, it would be easy for foreign hackers or governments to hack the information as well.
That italicized point (italicized by me) is a good one. It is one raised by former NSA Director Mike McConnell and Michael Chertoff, former homeland security secretary, in this WaPo op-ed:
First, such [a ubiquitous encryption system] would protect individual privacy and business information from exploitation at a much higher level than exists today. As a recent MIT paper explains, requiring duplicate keys introduces vulnerabilities in encryption that raise the risk of compromise and theft by bad actors. If third-party key holders have less than perfect security, they may be hacked and the duplicate key exposed. This is no theoretical possibility, as evidenced by major cyberintrusions into supposedly secure government databases and the successful compromise of security tokens held by a major information security firm. Furthermore, requiring a duplicate key rules out security techniques, such as one-time-only private keys.
Second, a requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption. The smart bad guys will find ways and technologies to avoid access, and we can be sure that the “dark Web” marketplace will offer myriad such capabilities. This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them.
Finally, and most significantly, if the United States can demand that companies make available a duplicate key, other nations such as China will insist on the same. There will be no principled basis to resist that legal demand. The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process.
And this new analysis over at AEI’s Tech Policy Daily:
The “encryption debate” turns out to be a misnomer. The real debate is about two specific use cases: device encryption and communications encryption. In both cases, the government’s law enforcement and intelligence operations are hindered by the way modern technology products are designed. However, in neither case is there any commercially or technically plausible redesign that would address the government’s concerns. For better or worse, we are going to be living in a world with ubiquitous access to encryption. Law enforcement would be better advised to find ways to adapt to new realities, rather than engaging in a quixotic struggle to restore a vanishing status quo.
from AEI » Latest Content http://ift.tt/1SSfbVW
0 التعليقات:
Post a Comment