The Next Crypto Wars 3: Government Mandating Backdoors

Chris Soghoian zeroes in on the government’s attempts to circumvent privacy measures by the Silicon Valley companies that all came to employ encryption.

Silicon Valley vs. telco surveillance

What we have seen in the last few years is a transition. We’ve seen a migration away from telecommunications companies to Silicon Valley companies. In years past, your private messages, your metadata, would be accessible through a backbone provider, through a telephone company, through one of the Ma Bells. And, like it or not, the telephone companies have been providing wiretapping assistance to the U.S. Government for more than a hundred years. The first wiretaps were around 1895 in New York City. For a hundred years these companies have been providing interception assistance to the U.S. Government, and it’s a relationship that everyone is sort of comfortable with, everyone, and by that I mean the companies and the government. And so, these companies don’t just provide targeted access. They don’t just provide access to an individual user’s data; they provide, when the government asks, access to all users’ data.

The assistance of the phone companies is what enables dragnet surveillance. When the government wants to search through every email or search through every phone record, that is only possible because the phone companies provide access to everything.

If you take the Internet companies at their word, the Silicon Valley companies, they only provide targeted access. If the government goes to Google and has a court order with my name on it, Google will hand over my data. But if you take Google at their word, they will not provide access to everyone’s information. And so, what’s happened over the last few years is that consumers have started to migrate their data from the old telecommunications carriers to Silicon Valley companies.

I mean, in many ways the telco’s haven’t had people’s emails for a while – no one is using a Verizon or Comcast email anymore really. But when those email messages were going over the network in the clear it meant the government could still go to the backbone providers. It meant they could go to the AT&T’s and the Verizon’s of the world even if you were using Yahoo! or Google or Hotmail.

But as these Silicon Valley companies have enabled encryption, you can no longer spy on someone’s emails, you can no longer collect bulk information with the assistance of Verizon or AT&T.

The assistance of the phone companies is what enables dragnet surveillance.

I think a great example of this is what Apple did with iOS version 5. In one day they just flipped the switch and suddenly a new version of iMessage was rolled out to users, and if you were an iOS user and you were sending a text message to another iOS user, your messages would go through Apple servers instead of the phone companies. And overnight millions and then billions of messages started flowing through Apple servers, and those were messages that the government cannot get with the assistance of Verizon, AT&T and Sprint.

Now, again, this was a document that was leaked to Declan McCullagh, CNET suggesting that the government can never get messages sent through iMessage. I actually don’t think that is the case. I think that Apple provides access on a targeted basis but I don’t think they are providing wholesale access in the way that the phone companies do.

I think what’s happened here is that there is a difference in culture between the companies. It’s not that Google is trying to make the government go dark. It’s that Google has 350 people doing security and only security. It’s that Apple has a dedicated security team. It’s that Facebook has a dedicated security team. And before you can launch a product at one of these Silicon Valley firms, particularly if it is storing sensitive user data, you have to have crypto. There is no way to secure your users’ data against hackers without crypto.

So, in these companies it’s a corporate policy to encrypt data, not because they want the government to go dark but because that’s what the security teams at the companies demand of them. Realistically, the phone companies don’t have a tradition of security. Your voice mail isn’t secure; you are not getting OS updates to your smartphone if you are using Android, which is by the way something that we have filed a complaint with the Federal Trade Commission about earlier this year. The phone companies just aren’t interested in security. And so, what’s happening is consumers are giving their data to companies that finally invest some resources in security, and that’s making it tougher for the government.

So, what is the solution? How does the government respond to a world in which they can only get selective data from companies? In some cases they cannot get data at all if the companies are using end-to-end crypto. The answer is backdoors, the answer is compelled access forcing companies to modify their products and provide the government with a way of getting data.

The U.S. Government’s attempts at new regulations on the Internet

The U.S. Government’s attempts at new regulations on the Internet

Starting in sort of 2010, we began seeing leaks to the press suggesting that the FBI and others in the law enforcement community were floating these ideas. They were floating legislative proposals expanding CALEA, which is a law mandating backdoors in communications networks and expanding that to Internet companies, to websites and apps and other providers.

We saw sort of these trial balloons floated in 2010 and then ultimately there was a congressional hearing in the spring of 2011 where our friend Valerie Caproni from the FBI testified: “No one should be promising their customers that they will thumb their nose at a U.S. court order…They can promise strong encryption. They just need to figure out how they can provide us plain text, too.”

Initiative to fine tech companies for noncompliance

Initiative to fine tech companies for noncompliance

And this is what the FBI wants, they want the power to go to a company secretly and force the company to quietly insert a backdoor in their own product. As recent as this year, it looked like proposals were coming. It looked like there was a multi-agency working group in Washington, and they were getting ready to drop a bill that would empower the Department of Justice to fine
The guy who slowed surveillance down

The guy who slowed surveillance down

Silicon Valley companies that refuse to provide the assistance demanded of them.

And then something happened. CALEA 2, which is the D.C. nickname for this backdoor proposal, for now is dead. It is dead in the water, no politician wants to touch that kind of surveillance for now; so thank you very much Edward Snowden.

Read previous: The Next Crypto Wars 2: Going Dark

Read next: The Next Crypto Wars 4: Surveillance Tools by Gamma and Hacking Team

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: