June 04, 2015

Governments of the World Agree: Encryption Must Die!

Finally! There's something that apparently virtually all governments around the world can actually agree upon. Unfortunately, it's on par conceptually with handing out hydrogen bombs as lottery prizes.

If the drumbeat isn't actually coordinated, it might as well be. Around the world, in testimony before national legislatures and in countless interviews with media, government officials and their surrogates are proclaiming the immediate need to "do something" about encryption that law enforcement and other government agencies can't read on demand.

Here in the U.S., it's a nearly constant harangue over on FOX News (nightmarishly, where most Americans apparently get their "news" these days). On CNN, it's almost as pervasive (though anti-crypto tirades on CNN must share space with primetime reruns of a globetrotting celebrity chef and crime "reality" shows).

It's much the same if you survey media around the world. The names and officials vary, but the message is the same -- it's not just terrorism that's the enemy, it's encryption itself.

That argument is a direct corollary to governments' decidedly mixed feelings about social media on the Internet. On one hand, they're ecstatic over the ability to monitor the public postings of criminal organizations like ISIL (or ISIS, or Islamic State, or Daesh -- just different labels for the same fanatical lunatics) that sprang forth from the disastrously misguided policies of Bush 1 and Bush 2 era right-wing neocons -- who not only set the stage for the resurrection of long-suppressed religious rivalries, but ultimately provided them with billions of dollars' worth of U.S. weaponry as well. Great job there, guys.

Since it's also the typical role of governments to conflate and confuse issues whenever possible for political advantage, when we dig deeper into their views on social media and encryption we really go down the rabbit hole.

While governments love their theoretical ability to track pretty much every looney who posts publicly on Twitter or Facebook or Google+, governments simultaneously bemoan the fact that it's possible for uncontrolled communications -- especially international communications -- to take place at all in these contexts.

In particular, it's the ability of radical nutcases overseas to recruit ignorant (especially so-called "lone wolf") nutcases in other countries that is said to be of especial concern, notably when these communications suddenly "go dark" off the public threads and into private, securely encrypted channels.

"Go dark" -- by the way -- is now the government code phrase for crypto they can't read on demand. Dark threads, dark sites, dark links. You get the idea.

One would be remiss to not admit that these radical recruiting efforts are of significant concern.

But where governments' analysis breaks down massively is with the direction of their proposed solutions, which aren't aimed at addressing the root causes of fanatical religious terrorism, but rather appear almost entirely based on preventing secure communications -- for anybody! -- in the first place.

Naturally they don't phrase this goal in quite those words. Rather, they continue to push (to blankly nodding politicians, journalists, and cable anchors) the tired and utterly discredited concept of "key escrow" cryptography, where governments would have "backdoor" keys to unlock encrypted communications, supposedly only when absolutely necessary and with due legal process.

Rewind 20 years or so and it's like "Groundhog Day" all over again, back in the early to mid '90s when NSA was pushing their "Clipper Chip" hardware concept for key-escrowed encryption, an idea that was mercilessly buried in relatively short order.

But like a vampire entombed without appropriate rituals, the old key escrow concepts have returned to the land of the living, all the uglier and more dangerous after their decades festering in the backrooms of governments.

The hardware Clipper concept dates to a time well before the founding of Twitter or Facebook, and a few years before Google's arrival. Apple existed back then, but centralized social media as we know it today wasn't yet even really a glimmer in anyone's eye.

While governments generally seem to realize that stopping all crypto that they can't access on demand is not practical, they also realize that the big social media platforms (of which I've named only a few) -- where most users do most of their social communicating -- are the obvious targets for legislative, political, and other pressures.

And this is why we see governments subtly (and often, not so subtly) demonizing these firms as being uncooperative or somehow uncaring about fighting evil, about fighting crime, about fighting terrorism. How dare they -- authorities repeat as a mantra -- implement encryption systems that governments cannot access at the click of a mouse, or sometimes access at all under any conditions.

Well, welcome to the 21st century, because the encryption genie isn't going back into his bottle, no matter how hard you push.

Strong crypto is critical to our communications, to our infrastructures, to our economies, and increasingly to many other aspects of our lives.

Strong crypto is simply not possible -- let's say that once more with feeling -- not possible, given key escrow or other government backdoors designed into these systems. There is no practical or even theoretically accepted means for including such mechanisms without fatally weakening the entire associated encryption ecosystem, and opening it up to all manner of unauthorized access via hacking and various subversions of the key escrow process.

But governments just don't seem willing to accept the science and reality of this, and keep pushing the key escrow meme. It's like the old joke about the would-be astronaut who wanted to travel to the sun, and when reminded that he'd burn up, replied that it wasn't a problem, because he'd go at night. Right.

Notably, just as we had governments who ignored realistic advice and unleashed the monsters of religious fanatical terrorism, we now have many of the same governments on the cusp of trying to hobble, undermine, and decimate the strong encryption systems that are so very vital.

There's every reason to believe that we'd experience a similarly disastrous outcome in the encryption context as well, especially if social media firms were required to deploy only weak crypto -- putting the vast populations of innocent users at risk -- while driving the bad guys even further underground and out of view.

If we don't vigorously fight back against government efforts to weaken encryption, we're all going to be badly burned.

--Lauren--

Posted by Lauren at June 4, 2015 02:07 PM
Twitter: @laurenweinstein
Google+: Lauren Weinstein