Cryptography Fellow Riana Pfefferkorn will be speaking at the 2018 InfoSec Southwest.
Encryption shields private information from malicious eavesdroppers. After years of slow adoption, encryption is finally becoming widespread in consumer-oriented electronic devices and communications services. Consumer-oriented encryption software is now more user-friendly, and much of it turns on encryption by default. These advances enhance privacy and security for millions of people.
However, encryption also poses an impediment to law enforcement’s ability to gather electronic evidence. Law enforcement calls this the “going dark” problem. U.S. law enforcement agencies have responded through both legal and technological means to encryption’s perceived threat to their capabilities. The scope of encryption’s impact on those capabilities is not yet clear, and police still have a wealth of data and technical tools at their disposal. Nevertheless, sophisticated criminals can use encryption to stymie investigators, forcing them to resort to resource-intensive, tailored measures to investigate those individuals.
One means of doing so is through a “side-channel attack.” Our electronic devices are always radiating something—electromagnetic emissions, heat, and so forth. Those emissions reveal information, called “side channel information,” about the device. The physical implementation of a cryptosystem leaks electromagnetic emissions from which academic researchers have shown it is possible to extract the system’s secret encryption keys. Side-channel cryptanalysis is not a known law enforcement tactic at present, but that may change in time.
Law enforcement use of side-channel attacks will raise Fourth Amendment issues that will require a fact-intensive analysis to resolve. In determining what legal process (if any) will authorize a side-channel attack, a court will have to carefully examine what information will be acquired, from where, and how. The Supreme Court’s Fourth Amendment jurisprudence does not provide clear, predictable guidance for those inquiries. Its decision in Kyllo v. United States supplies the touchstone for the legal analysis of side-channel attacks. However, the Court’s current framework for electronic surveillance cannot adequately safeguard Americans’ privacy interests from erosion by technological advances.