Christopher Soghoian, ACLU’s Principal Technologist, presents his study at Defcon highlighting the past and the present of the privacy and cryptography realm.
Good morning or good afternoon, my name is Chris Soghoian, I am the Principal Technologist for the Speech, Privacy and Technology Project at the American Civil Liberties Union (ACLU). I started last September, I am the first ever technologist that the ACLU has had who has focused specifically on surveillance and privacy. I finished the Ph.D. last year, specifically focused on the role the Internet and phone companies play in spying on their customers for the government. It’s an extremely timely topic.
I started last September, the ACLU has been very busy in the last year on surveillance issues. Shortly after the Snowden revelations, we were the first organization to file suit against the National Security Agency, although we are not the last. Several other great organizations have also sued the NSA, and hopefully those will keep coming.
Today I am going to be telling a story of how law enforcement and the government have responded to technical change. This will be a story in, I guess, three acts, and really delves into the relationship between the companies and the governments and the different kinds of relationships, because not all companies are the same, some are friendlier than others to the government.
In the mid-90s, encryption was a technology that the government sought to demonize, they sought to control the spread of encryption and ultimately to pressure companies to modify their products.
So, Freeh also said: “The only acceptable answer … is … “socially-responsible” encryption products … that … permit timely law enforcement and national security access and decryption pursuant to court order or as otherwise authorized by law.”
The “socially-responsible” crypto that the FBI backed in the mid-90s looked like this (see left-hand image). This is called the Clipper chip. Thankfully, the Clipper chip failed. Professor Matt Blaze found several significant security vulnerabilities in the Clipper chip that meant that it actually wasn’t even good at protecting people from everyone other than the NSA.
So, ultimately the first wave of the crypto wars failed. Congress and the Executive Branch ultimately did away with the crypto export control rules. In 1996 President Clinton signed an executive order reclassifying cryptography and in the years that followed the rules were further relaxed.
Ultimately, companies like PGP were allowed to export their technology around the world. Web browser vendors like Microsoft and Netscape were allowed to export full 128-bit crypto to anyone except people in Cuba and Iran and a couple other countries.
And so, really, the FBI’s initial attempts – and the FBI and the NSA were sort of collaborating there – their initial attempts to control crypto failed. Their previous strategy was: “Let’s stop everyone else other than Americans from getting this stuff. If we make it difficult for them to get the technology, they won’t use it and then we will be able to easily monitor their communications and get their data.”
But even after the crypto export control rules were weakened, and you could download PGP no matter in which country you were, it didn’t actually lead to the widespread use of PGP. Hands up everyone who uses PGP on a daily basis; and for this audience that’s not really that good. I’ll confess I only use it with a handful of colleagues and journalists. Most people who contact me don’t know how to use it. And the reason is PGP is really difficult to use. There is a major important study by Alma Whitten (see left-hand image), who is actually now at Google, ten years ago, pointing out the usability failure of PGP. Turns out that when a tool is ridiculously difficult to understand how to use, people either don’t use it or they use it wrong. They think they are encrypting when they are not encrypting, which is actually worse because then they will say things that they might not have said if they thought their emails were going through the clear.
And so the widespread availability of encryption really didn’t frustrate the FBI in the way that they thought it would – terrorists, pedophiles and drug dealers didn’t suddenly rush out and start using PGP because it turns out that terrorists and pedophiles and drug dealers are like the rest of us. They are lazy and they are not experts at difficult-to-use obscure technology. And so PGP wasn’t the threat that they thought it would be.
HTTPS, the lock icon that we see in our browsers (see left-hand image), is easier to use because it doesn’t really involve anything from the user side, but even that wasn’t widely deployed. Where SSL was widely used was in e-commerce, online banking. If you were sending your credit card over the web, your communication would be encrypted, but if you were sending your emails, social networking messages, private photos, backing up files, very few of these things would be protected with SSL.
And so, again, the government had a good time, they didn’t have to worry too hard. Although the technologies existed, no one was using them; or at least they were not using them for the things the FBI cared about.
This (see right-hand image) is a slide that the Guardian published lately; it’s from the latest deck that Snowden provided them. This is a deck from XKeyscore, which is the program they have, or the intelligence platform that allows them to monitor vast amounts of communications and then search for it later.
Now, this deck is from 2007-2008, so it’s a little bit old, but you can see clearly, outside of law enforcement and the intelligence space, these folks appreciated that communications were going over the network in the clear. Whether it was Yahoo! or Facebook or Twitter or your emails, they’re easily available for the government to grab with the assistance of their friends at the background Internet providers.