From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to...
“From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud”
Peter Swire
Moritz College of Law
Ohio State University
TPRC 2012
September 22, 2012
Current Research: Crypto & De-Identification
Encryption and Globalization
• India, China, and first full legal/policy analysis since the crypto wars
Going Dark vs. a Golden Age of Surveillance
From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud (today’s paper)
Next: De-ID project with Future of Privacy Forum
• Law and policy of masking technologies
• The articles available online
Setting the Context …
1990’s FBI and NSA worry that encryption would block lawful surveillance
1999 White House shift to permit strong encryption
“Why Johnny Can’t Encrypt”
• Whitten & Tygar, 1999
• Low encryption adoption
• Tech literature had not shifted from that view
Encryption Adoption Now Widespread
• VPNs
• Skype & other VoIP
• Blackberry email
• Gmail now, other webmail soon
• SSL pervasive (credit card numbers)
• Dropbox & many more
Facebook enables HTTPS, may shift default
Result: interception order at ISP or local telco often won’t work
What are the agencies to do?
Ways to Get Communications
1. Break the encryption
2. Get comms in the clear (CALEA)
3. Get comms before or after encrypted (backdoors)
4. Get stored communications, such as in the cloud
#4 is becoming FAR more important, for global communications
Also, temptation to do more #2 and #3
Overview
[Figure: a phone call from Alice to Bob, passing through a local switch, the telecom company, and a second local switch.]
Overview
[Figure: the same phone-call path, plus an Internet path from Alice through Alice ISP, many nodes between ISPs, and Bob ISP to Bob; the message "Hi Bob!" and scrambled text are shown along the path.]
Problems with Weak Encryption
Nodes between A and B can see and copy whatever passes through
Many potential malicious nodes
Strong encryption as feasible and correct answer
When encryption adoption rises . . .
[Figure: Alice encrypts "Hi Bob!" with Bob's public key; the encrypted message passes through Alice's local ISP, the backbone provider, and Bob's local ISP as scrambled text; Bob decrypts it with Bob's private key to read "Hi Bob!".]
Ways to Grab Communications
1. Break the encryption:
   1. Keys are with the individuals
   2. Crypto today is very hard to break
2. Get comms in the clear
   1. CALEA requires that for phone
   2. FBI proposal to extend to Internet
3. Get comms with hardware or software before or after encrypted (backdoors)
4. Get stored communications, such as in the cloud
Don’t Extend CALEA to Internet
Bad cybersecurity to have unencrypted IP go through Internet nodes
How deep to regulate IP products & services
• WoW just a game?
• Make all Internet hardware & software be built wiretap ready?
• That would be large new regulation of the Internet
• Could mobilize SOPA/PIPA coalition
Ways to Grab Communications
1. Break the encryption
2. Get comms in the clear
3. Get comms before or after encrypted (backdoors)
4. Get stored communications, such as in the cloud
Governments Install Software?
Police install virus on your computer
This opens a back door, so police gain access to your computer
Good idea for the police to be hackers?
Good for cybersecurity?
Governments Install Hardware?
Reports of telecom equipment that surveil communications through them
Can “phone home”
Good to design these vulnerabilities into the Net?
“Chinese Telecoms May Be Spying on Large Numbers of Foreign Customers” [The Atlantic, 2/16/2012]
Ways to Grab Communications
1. Break the encryption (but can’t)
2. Grab comms in the clear (but CALEA a bad idea)
3. Grab comms before or after encrypted (but backdoors a bad idea)
Therefore:
4. New emphasis on stored communications, such as in the cloud
Conclusions
Technology
• Gmail & Skype can encrypt, even if Johnny can’t
• Change our assumptions about adoption
Law
• Important emerging debates on data retention mandates & lawful access rules
• Split between “have” & “have not” jurisdictions
Industry
• Cloud providers at the center of future debates on government access