Encryption has gained the attention of actors on both sides of the mass surveillance debate. For example in a speech at the Brookings Institution FBI Director James Comey complained that strong encryption was causing U.S. security services to āgo dark.ā Comey described encrypted data as follows:
āItās the equivalent of a closet that canāt be opened, a safe deposit box that canāt be opened, a safe that canāt ever be cracked.ā
Got that? Comey essentially says that encryption is a sure bet. Likewise during an interview with James Bamford whistleblower Ed Snowden confidently announced that:
āWe have the means and we have the technology to end mass surveillance without any legislative action at all, without any policy changes⦠By basically adopting changes like making encryption a universal standardāwhere all communications are encrypted by defaultāwe can end mass surveillance not just in the United States but around the world.ā
If you glanced over the above excerpts and took them at face value youād probably come away thinking that all you needed to protect your civil liberties is the latest encryption widget. Right? Wow, let me get my check book out! Paging Mr. Omidyarā¦
Not so fast bucko. Thereās an important caveat, some fine print that Ed himself spelled out when he initially contacted film director Laura Poitras. In particular Snowden qualified that:
āIf the device you store the private key and enter your passphrase on has been hacked, it is trivial to decrypt our communications.ā
This corollary underscores the reality that, despite the high profile sales pitch thatās being repeated endlessly, strong encryption alone isnāt enough. Hi-tech subversion is a trump card as the Heartbleed bug graphically illustrated. In light of the NSAās mass subversion programs it would be naĆÆve to think that there arenāt other critical bugs like Heartbleed, subtle intentional flaws, out in the wild being leveraged by spies.
The FBIās Tell
James Comeyās performance at Brookings was an impressive public relations stunt. Yet recent history is chock full of instances where the FBI employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor. If itās expedient the FBI will go so far as to impersonate a media outlet to fool suspects into infecting their own machines. It would seem that crooks arenāt the only attackers who wield social engineering techniques.
In fact the FBI has gotten so adept at hacking computers, utilizing what are referred to internally as Network Investigative Techniques, that the FBI wants to change the law to reflect this.Ā The GuardianĀ reports on how the FBI is asking the U.S. Advisory Committee on Rules and Criminal Procedure to move the legal goal posts, so to speak:
āThe amendment [proposed by the FBI] inserts a clause that would allow a judge to issue warrants to gain āremote accessā to computers ālocated within or outside that districtā (emphasis added) in cases in which the ādistrict where the media or information is located has been concealed through technological meansā. The expanded powers to stray across district boundaries would apply to any criminal investigation, not just to terrorist cases as at present.ā
In other words the FBI wants to be able to hack into a computer when its exact location is shrouded by anonymity software. Once they compromise the targeted machine itās pretty straightforward to install a software implant (i.e. malware) and exfiltrate whatever user data they want, including encryption passwords.
If encryption is really the impediment that director Comey makes it out to be then why is the FBI so keen to amend the rules in a manner which implies that they can sidestep it? In the parlance of poker this is a ātell.ā
Denouement
As a developer who has built malicious software designed to undermine security tools I can attest that there is a whole burgeoning industry which prays on naïve illusions of security. Companies like Hacking Team have found a lucrative niche offering products to the highest bidder that compromise security and⦠a drumroll please⦠defeat encryption.
Thereās a moral to this story. Cryptomeās John Young prudently observes:
āProtections of promises of encryption, proxy use, Tor-like anonymity and āmilitary-gradeā comsec technology are magic acts ā ELINT, SIGINT and COMINT always prevail over comsec. The most widely trusted and promoted systems are the most likely to be penetrated, exploited, spied upon, successfully attacked, covertly compromised with faults hidden by promoters, operators, competitors, compromisers and attackers all of whom warn against the others while mutually benefiting from continuous alarms about security and privacy.ā
When someone promises you turnkey anonymity and failsafe protection from spies, make like that guy on The Walking Dead and reach for your crossbow. Mass surveillance is a vivid expression of raw power and control. Hence what ails society is fundamentally a political problem, with economic and technical facets, such that safeguarding civil liberties on the Internet will take a lot more than just the right app.
Bill BlundenĀ is an independent investigator whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, includingĀ The Rootkit ArsenalĀ , andĀ Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.
ZNetwork is funded solely through the generosity of its readers.
Donate