Backdoors, Spyware, and 'Going Dark'

The past week or two have been fascinating ones for those following cyber security news… 

- The director of the FBI has taken to the blogosphere to further push for a discussion about the problem of law enforcement “going dark” (or being unable to access the encrypted information of criminals), reiterating arguments he has made before about the law enforcement desire for companies to include a capability for “lawful interception.” This also comes on the heels of a letter from Senator Chuck Grassley’s office asking the FBI to describe – in considerable detail – their use of spyware and hacking techniques.

- The release of a new paper by cyber security luminaries on the issue of encryption and just these types of backdoors has not just been noted by the tech press, but has also gotten high-profile treatment in the New York Times.

- Finally, a major commercial provider of spyware to governments – Italy’s Hacking Team – has been the victim itself of a major hack, the perpetrators of which have dumped hundreds of gigabytes of their private and proprietary data.

Each of these stories would be, by itself, a fascinating data point for thinking about security and “backdoors,” but together they almost provide a panoramic view of a current set of very tough questions.

Comey on the Discussion About “Going Dark”

FBI Director Comey’s recent post at the blog Lawfare rightfully notes that “The Fourth Amendment reflects a trade-off inherent in ordered liberty: To protect the public, the government sometimes needs to be able to see an individual's stuff, but only under appropriate circumstances and with appropriate oversight…” and further notes correctly that “These two things are in tension in many contexts.”  He goes on to suggest, “Democracies resolve such tensions through robust debate.”  Indeed.  He’s right to argue that instead of making such decisions by default, there should be a vigorous public debate about them.  “Those are decisions Americans should make, but I think part of my job is make sure the debate is informed by a reasonable understanding of the costs.”   Last week, Comey spoke to lawmakers on Capitol Hill about these issues, engaging in exactly the debate he is calling for.

Technologists on the Discussion About “Going Dark”

Another side of this debate also weighed in last week, in the form of a number of very well known technologists and cryptographers speaking out, for a host of reasons, against the idea of building “lawful intercept” capabilities – or, as they are often termed by opponents, “backdoors” – into security products. This group included Whitfield Diffie, Bruce Schneier, Ron Rivest and Susan Landau among other big names. The group, described as “14 of the world’s pre-eminent cryptographers and computer scientists” by Nicole Perlroth, wrote and issued a report entitled “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications.” Many of these same technologists had been involved in similar efforts during the “crypto wars” in the 1990s, a very similar debate about which the New America Foundation recently released a very worthwhile report. The Keys Under Doormats report was quickly followed up by activity in the blogosphere by very thoughtful technologist (and paper contributor) Susan Landau, researchers like Benjamin Wittes, and former policymakers like Paul Rosenzweig.

Rosenzweig offers a particularly pithy proposal: “So I propose a simple rule… encryption providers may be required to adopt a government sponsored "back door" technology if, and only if, the methodology for that technology has been published publicly for more than 12 months and no efforts to subvert or defeat it have been successful.  NIST [National Institute of Standards and Technology] gets to judge success.  That way if the NSA/FBI have a real solution that can withstand public scrutiny (and, I assume, sustained attack) they can use it.  Absent that ... the risks outweigh the rewards.”

Hmmm.  Sounds like Comey’s proposed debate may be underway.

Hacking Team Hacked

Finally, the Italian company Hacking Team, a provider of commercial spyware and surveillance technology, was the victim of a serious hack that resulted in huge amounts of its proprietary and technical data being made public and scrutinized.  There is more than enough coverage of this story out there, including lists of the less-than-scrupulous regimes they were selling these tools to, so that need not be duplicated here.  There are however two points in the story that are probably worth drawing some extra attention to:

- State and Local Governments as Spyware Customers

Hacking Team was apparently planning to expand its client base from national governments and intelligence agencies to include state and local law enforcement in the United States, and perhaps elsewhere.  The Florida Center for Investigative Reporting has also picked up the story.  That seems like a fairly major development, and one worthy of discussion.

- Backdoors and “Watermarks” in Tools Sold to Government Security Services

Hacking Team also, according to Vice’s Motherboard, apparently included “watermarks” (to identify or track users) and even “backdoors” in their main product line to enable them to both monitor and perhaps even stop/manipulate the usage of their products by those government agencies and law enforcement organizations that purchased them.  That may or may not come as a surprise to those clients.

All these stories overlap, interact and relate, though exactly how is hard to chart out.  What a lot of smart people seem to agree on – from all corners – is that none of these are easy or simple questions, that they involve serious tradeoffs and risks, and that (thus far at least) the quality of our debate on them hasn’t been as strong as it should be given the stakes.
