Encryption and lawful government-access debate raging for over two decades has become more important in present scenario of ever increasing cyber crimes and terrorism. EastWest Institute's seventh Global Cybersecurity Summit, held at University of California, Berkeley, from March 14-16, included this as an important part of the summit agenda. It looked at policy development in the United States, India and Europe. Both the threat landscape and technology landscape have changed during this period. Encryption was not easy to deploy in the 1990s though it was available since it required high skills to use it. Hence, the intercepted communications were largely in plain text. Clipper and key escrow, though presented as solutions for lawful government access, were not accepted by technologists.
It was concluded that the society would be exposed to more risk if either of these were to be compromised.
The technology developments during the last few years have made it easier for encryption to be used. End-to-end encryption (E2EE) is provided by apps such as WhatsApp and Telegram which are overthetop (OTT) applications. Encryption keys, which are ephemeral, are with the enduser. Since app providers don't have keys, they can't enable access to law-enforcement agencies, even if they have a court warrant. This is a unique situation where even with a warrant, the law-enforcement can't access data in a device of a suspect or shared via an E2EE app.
There is universal agreement that strong encryption is essential for secure etransactions, both by the government and industry. But then, is the cyberspace "going dark" to use the famous phrase of the FBI Director? Is the law-enforcement unable to track terrorists and investigate crimes involving criminals using encryption?
There is increasing use of encrypted smartphones such as the Apple. E2EE messaging traffic is also on the rise, with terrorists using E2EE apps to communicate. This traffic is already touching 275 billion messages per day. Is the Internet truly going dark?
In the "going dark" debate, cryptographers and others have come up with a number of policy options which centre around the following: weak encryption not a solution, hence lawenforcement needs to work around strong encryption by learning to use metadata which continues to grow in the form of location data and call data records; cooperate with tech companies; above all use lawful hacking of devices under court warrant. Compelled disclosure too is an option that lawenforcement often resorts to.
Lawful hacking is possible only for known vulnerabilities, which is often a small subset of the vulnerabilities in a target device. It is the vulnerabilities in underlying software platforms operating system, browser or apps that are exploited before encryption takes place in a device, which enables access to plaintext. So, lawenforcement would like to discover or pay to find as many vulnerabilities and exploits, as possible. They are thus not worried about having to decrypt strong encryption.
Governments have the responsibility to enhance cybersecurity and promote trust in cyberspace. The agencies that discover vulnerabilities should let the vendors know, so that these are plugged through software patches. Cyber surveillance and weapon development is old story. What is new is that it is lawful hacking under court orders that is trying to keep the underlying IT platforms vulnerable. Do we need an encryption policy at all? It is this that reinforces suspicion among policy makers in countries like India, that notwithstanding any encryption policy instrument, the U.S. and the UK will have access to all encrypted data, while India will be advised to work with tech companies and use metadata! No wonder, the Indian government has been unable to come up with a revised encryption policy after it withdrew the draft policy in September 2015.
Read this piece on The Economic Times.
The views expressed in this post reflect those of the author and not that of the EastWest Institute.