SAN
FRANCISCO — An elite group of security technologists has concluded
that the American and British governments cannot demand special access
to encrypted communications without putting the world’s most
confidential data and critical infrastructure in danger.
A new paper
from the group, made up of 14 of the world’s pre-eminent cryptographers
and computer scientists, is a formidable salvo in a skirmish between
intelligence and law enforcement leaders, and technologists and privacy
advocates. After Edward J. Snowden’s revelations — with security
breaches and awareness of nation-state surveillance at a record high and
data moving online at breakneck speeds — encryption has emerged as a
major issue in the debate over privacy rights.
That
has put Silicon Valley at the center of a tug of war. Technology
companies including Apple, Microsoft and Google have been moving to
encrypt more of their corporate and customer data after learning that
the National Security Agency and its counterparts were siphoning off
digital communications and hacking into corporate data centers.
Yet
law enforcement and intelligence agency leaders argue that such efforts
thwart their ability to monitor kidnappers, terrorists and other
adversaries. In Britain,
Prime Minister David Cameron threatened to ban encrypted messages
altogether. In the United States, Michael S. Rogers, the director of the
N.S.A., proposed that technology companies be required to create a
digital key to unlock encrypted data, but to divide the key into pieces
and secure it so that no one person or government agency could use it
alone.
The
encryption debate has left both sides bitterly divided and in fighting
mode. The group of cryptographers deliberately issued its report a day
before James B. Comey Jr., the director of the Federal Bureau of
Investigation, and Sally Quillian Yates, the deputy attorney general at
the Justice Department, are scheduled to testify before the Senate
Judiciary Committee on the concerns that they and other government
agencies have that encryption technologies will prevent them from
effectively doing their jobs.
The
new paper is the first in-depth technical analysis of government
proposals by leading cryptographers and security thinkers, including
Whitfield Diffie, a pioneer of public key cryptography, and Ronald L.
Rivest, the “R” in the widely used RSA public cryptography algorithm. In
the report, the group said any effort to give the government
“exceptional access” to encrypted communications was technically
unfeasible and would leave confidential data and critical infrastructure
like banks and the power grid at risk.
Handing
governments a key to encrypted communications would also require an
extraordinary degree of trust. With government agency breaches now the
norm — most recently at the United States Office of Personnel Management,
the State Department and the White House — the security specialists
said authorities could not be trusted to keep such keys safe from
hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, China and other governments in foreign markets would be spurred to do the same.
“Such
access will open doors through which criminals and malicious
nation-states can attack the very individuals law enforcement seeks to
defend,” the report said. “The costs would be substantial, the damage to
innovation severe and the consequences to economic growth hard to
predict. The costs to the developed countries’ soft power and to our
moral authority would also be considerable.”
A
spokesman for the F.B.I. declined to comment ahead of Mr. Comey’s
appearance before the Senate Judiciary Committee hearings on Wednesday.
Mr. Comey recently told CNN, “Our job is to find needles in a nationwide
haystack, needles that are increasingly invisible to us because of
end-to-end encryption.”
A
Justice Department official, who spoke on the condition of anonymity
before the hearing, said that the agency supported strong encryption,
but that certain uses of the technology — notably end-to-end encryption
that forces law enforcement to go directly to the target rather than to
technology companies for passwords and communications — interfered with
the government’s wiretap authority and created public safety risks.
Paul
Kocher, the president of the Rambus Cryptography Research Division, who
did not write the paper, said it shifted the debate over encryption
from how much power intelligence agencies should have to the
technological underpinnings of gaining special access to encrypted
communications.
The
paper “details multiple technological reasons why mandatory government
back doors are technically unworkable, and how encryption regulations
would be disastrous for computer security,” Mr. Kocher said. “This
report ought to put to rest any technical questions about ‘Would this
work?’ ”
The
group behind the report has previously fought proposals for encryption
access. In 1997, it analyzed the technical risks and shortcomings of a
proposal in the Clinton administration called the Clipper chip.
Clipper would have poked a hole in cryptographic systems by requiring
technology manufacturers to include a small hardware chip in their
products that would have ensured that the government would always be
able to unlock scrambled communications.
The
government abandoned the effort after an analysis by the group showed
it would have been technically unworkable. The final blow was the
discovery by Matt Blaze,
then a 32-year-old computer scientist at AT&T Bell Laboratories and
one of the authors of the new paper, of a flaw in the system that would
have allowed anyone with technical expertise to gain access to the key
to Clipper-encrypted communications.
Now
the group has convened again for the first time since 1997. “The
decisions for policy makers are going to shape the future of the global
Internet and we want to make sure they get the technology analysis
right,” said Daniel J. Weitzner, head of the MIT Cybersecurity and
Internet Policy Research Initiative and a former deputy chief technology
officer at the White House, who coordinated the latest report.
In
the paper, the authors emphasized that the stakes involved in
encryption are much higher now than in their 1997 analysis. In the
1990s, the Internet era was just beginning — the 1997 report is littered
with references to “electronic mail” and “facsimile communications,”
which are now quaint communications methods. Today, the government’s
plans could affect the technology used to lock data from financial and
medical institutions, and poke a hole in mobile devices and countless
other critical systems that are moving rapidly online, including
pipelines, nuclear facilities and the power grid.
“The
problems now are much worse than they were in 1997,” said Peter G.
Neumann, a co-author of both the 1997 report and the new paper, who is a
computer security pioneer at SRI International, the Silicon Valley
research laboratory. “There are more vulnerabilities than ever, more
ways to exploit them than ever, and now the government wants to dumb
everything down further.”
Other
authors of the new paper include Steven M. Bellovin, a computer science
professor at Columbia University; Harold Abelson, a computer science
professor at MIT; Josh Benaloh, a leading cryptographer at Microsoft;
Susan Landau, a professor of cybersecurity at Worcester Polytechnic
Institute and formerly a senior privacy analyst at Google; and Bruce
Schneier, a fellow at the Berkman Center for Internet and Society at
Harvard Law School and a widely read security author.
“The
government’s proposals for exceptional access are wrong in principle
and unworkable in practice,” said Ross Anderson, a professor of security
engineering at the University of Cambridge and the paper’s sole author
in Britain. “That is the message we are going to be hammering home again
and again over the next few months as we oppose these proposals in your
country and in ours.”
Culled from:
New York Times
Image credit: unixmen.com
No comments:
Post a Comment