Quantcast

Backdoors, Government Hacking and the Next Crypto Wars

Christopher Soghoian, ACLU’s Principal Technologist, presents his study at Defcon highlighting the past and the present of the privacy and cryptography realm.

Christopher Soghoian Good morning or good afternoon, my name is Chris Soghoian, I am the Principal Technologist for the Speech, Privacy and Technology Project at the American Civil Liberties Union (ACLU). I started last September, I am the first ever technologist that the ACLU has had who has focused specifically on surveillance and privacy. I finished the Ph.D. last year, specifically focused on the role the Internet and phone companies play in spying on their customers for the government. It’s an extremely timely topic.

I started last September, the ACLU has been very busy in the last year on surveillance issues. Shortly after the Snowden revelations, we were the first organization to file suit against the National Security Agency, although we are not the last. Several other great organizations have also sued the NSA, and hopefully those will keep coming.

Today I am going to be telling a story of how law enforcement and the government have responded to technical change. This will be a story in, I guess, three acts, and really delves into the relationship between the companies and the governments and the different kinds of relationships, because not all companies are the same, some are friendlier than others to the government.

The first crypto wars

Louis Freeh, Director of the FBI from September 1993 to June 2001

Louis Freeh, Director of the FBI from September 1993 to June 2001

So, the first crypto wars – those of you who are a little bit older may remember there was a time when you couldn’t export strong cryptography from the United States. In the mid-90s, then FBI Director Louis Freeh went before Congress on numerous occasions and warned Congress about the threat of encryption: “The widespread use of robust non-key recovery encryption ultimately will devastate our ability to fight crime and to prevent terrorism.” Freeh said this at a congressional hearing in 1997. He added: “Uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity.”

In the mid-90s, encryption was a technology that the government sought to demonize, they sought to control the spread of encryption and ultimately to pressure companies to modify their products.

So, Freeh also said: “The only acceptable answer … is … “socially-responsible” encryption products … that … permit timely law enforcement and national security access and decryption pursuant to court order or as otherwise authorized by law.”

The notorious Clipper chip

The notorious Clipper chip

The “socially-responsible” crypto that the FBI backed in the mid-90s looked like this (see left-hand image). This is called the Clipper chip. Thankfully, the Clipper chip failed. Professor Matt Blaze found several significant security vulnerabilities in the Clipper chip that meant that it actually wasn’t even good at protecting people from everyone other than the NSA.

So, ultimately the first wave of the crypto wars failed. Congress and the Executive Branch ultimately did away with the crypto export control rules. In 1996 President Clinton signed an executive order reclassifying cryptography and in the years that followed the rules were further relaxed.

Pretty Good Privacy (PGP) logo

Pretty Good Privacy (PGP) logo

Ultimately, companies like PGP were allowed to export their technology around the world. Web browser vendors like Microsoft and Netscape were allowed to export full 128-bit crypto to anyone except people in Cuba and Iran and a couple other countries.

And so, really, the FBI’s initial attempts – and the FBI and the NSA were sort of collaborating there – their initial attempts to control crypto failed. Their previous strategy was: “Let’s stop everyone else other than Americans from getting this stuff. If we make it difficult for them to get the technology, they won’t use it and then we will be able to easily monitor their communications and get their data.”

Alma Whitten’s PGP study

Alma Whitten’s PGP study

But even after the crypto export control rules were weakened, and you could download PGP no matter in which country you were, it didn’t actually lead to the widespread use of PGP. Hands up everyone who uses PGP on a daily basis; and for this audience that’s not really that good. I’ll confess I only use it with a handful of colleagues and journalists. Most people who contact me don’t know how to use it. And the reason is PGP is really difficult to use. There is a major important study by Alma Whitten (see left-hand image), who is actually now at Google, ten years ago, pointing out the usability failure of PGP.

Pretty confusing to use

Pretty confusing to use

Turns out that when a tool is ridiculously difficult to understand how to use, people either don’t use it or they use it wrong. They think they are encrypting when they are not encrypting, which is actually worse because then they will say things that they might not have said if they thought their emails were going through the clear.

And so the widespread availably of encryption really didn’t frustrate the FBI in the way that they though it would – terrorists, pedophiles and drug dealers didn’t suddenly rush out and start using PGP because it turns out that terrorists and pedophiles and drug dealers are like the rest of us. They are lazy and they are not experts at difficult-to-use obscure technology. And so PGP wasn’t the threat that they though it would be.

HTTPS – simple but wasn’t widely used

HTTPS – simple but wasn’t widely used

HTTPS, the lock icon that we see in our browsers (see left-hand image), is easier to use because it doesn’t really involve anything from the user side, but even that wasn’t widely deployed. Where SSL was widely used was in e-commerce, online banking. If you were sending your credit card over the web, your communication would be encrypted, but if you were sending your emails, social networking messages, private photos, backing up files, very few of these things would be protected with SSL.

And so, again, the government had a good time, they didn’t have to worry too hard. Although the technologies existed, no one was using them; or at least they were not using them for the things the FBI cared about.

The interest in HTTP

The interest in HTTP

This (see right-hand image) is a slide that the Guardian published lately; it’s from the latest deck that Snowden provided them. This is a deck from XKeyscore, which is the program they have, or the intelligence platform that allows them to monitor vast amounts of communications and then search for it later.

Now, this deck is from 2007-2008, so it’s a little bit old, but you can see clearly, outside of law enforcement and the intelligence space, these folks appreciated that communications were going over the network in the clear. Whether it was Yahoo! or Facebook or Twitter or your emails, they’re easily available for the government to grab with the assistance of their friends at the background Internet providers.
 

Read next: The Next Crypto Wars 2: Going Dark

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: