Delving further into crypto evolution, Chris Soghoian focuses on the relationship between law enforcement and companies that adopted strong privacy algos.
And so, things were good for a while. It didn’t really matter that your browser could do strong crypto. It didn’t really matter that you could download tools from a website and configure them and then have a key signing party, because no one was doing that. But that didn’t stop the FBI from worrying because down the road they saw that things were going to get bad. And it wasn’t going to be because people could download tools, but it was going to be because companies were going to start building crypto into their products by default.
This is Valerie Caproni (see right-hand image), she was until I think a year ago the General Counsel for the FBI, the top FBI lawyer. She’s testified before Congress on numerous occasions. And in 2011 at a congressional hearing, she warned Congress about what the FBI was calling the “Going Dark” problem. “Going Dark” is the FBI’s term for what happens when everyone uses encrypted communications. The FBI has coined this term and spent lots of money researching this issue because they are worried about a day in which all of the communications that users are sending are going to be off limits to the FBI.
This is a quote from 2011: “The FBI and other government agencies are facing a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications.” The FBI says they can get a court order, but when they actually try and get the communications, either the company doesn’t have the capability because they haven’t built wiretapping systems into their networks, or the company cannot provide the data.
She added: “Encryption is a problem. It is a problem we see for certain providers.” And so, what she was describing there was the fact that over a couple of years starting in 2010, companies in Silicon Valley started rolling out SSL encryption by default.
In a Washington Post story, a former FBI official described this to the Post: “Officials say that the challenge was exacerbated in 2010, when Google began end-to-end encryption. That made it more difficult for the FBI to intercept email by serving a court order on the ISP, whose pipes would carry the encrypted traffic.”
In 2010 Google was the first of the big free webmail providers to turn on SSL by default. Google had always offered SSL as an option, but it was an option deep in several layers of configuration screens. I think it was the last of 13 options, after the vacation, auto away message, after Unicode. There was nothing less important in the Google configuration screen than SSL, and so of course no one used it. When the option was hidden and disabled by default, no one’s emails were secure between the user and Google.
But in January 2010 Google flipped the switch and enabled SSL by default. And in the years that followed, several other Silicon Valley companies did the same. It was Twitter, then Microsoft – they renamed Hotmail to Outlook and they turned on SSL at the same time. Facebook started doing it last year, started rolling out, and I think just this week announced that all Facebook communications will be SSL encrypted from the user to Facebook servers.
In addition to that, several companies started rolling out perfect forward secrecy, an improved algorithm that makes it much more difficult for government agencies to go to companies and demand private keys. They are upping their key sizes. These Silicon Valley companies are making passive interception much more difficult.
Now, of course that doesn’t mean that the Government can’t get things from Google. Your communications between your computer and Google servers are encrypted, but once the files actually arrive at Google, whether it’s your emails or your private photographs or your instant messages, they are sitting there in plain text.
This is Vint Cerf (see right-hand image), he is Google’s Chief Internet Evangelist; he is also sort of the father of TCP/IP. I was on a panel with him in 2011 in Nairobi. We started talking about Google’s lack of stored encryption. And he said: “We couldn’t run our system if everything in it were encrypted because then we wouldn’t know which ads to show you. This is a system that was designed around a particular business model.”
This is a very honest statement from a Google executive, and I don’t begrudge Google. They offer a fantastic easy-to-use service and they don’t charge people for it. Neither does Twitter, neither does Facebook. These companies all offer one and only one product. There is no way to pay for Facebook, there is no way to pay for Twitter, there is no way to upgrade your Gmail account to a corporate account, a Google Apps account. They have the accounts for users and then the accounts for businesses. And when the only accounts they offer are free ones that are supported by ads, then it makes sense why they are not encrypting your data in the cloud with a key that only you have, because it would be very difficult to monetize that.
Now, what if the companies could, and maybe will at some point, switch to a business model where you give them money and they give you a secure service? That isn’t the business that they are in right now though.
And so, what this means then is that the companies can and do receive requests from law enforcement agencies and intelligence agencies. Even before the PRISM revelations, we have known that Google gets thousands of requests a year from law enforcement and intelligence agencies. This isn’t a surprise.