The FBI and other law enforcement and intelligence agencies have warned for years that the increased use of encryption by consumers is making surveillance and lawful interception much more difficult, impeding investigations. But a new study by a group of experts at Harvard’s Berkman Center says those claims are largely overblown and that the IoT revolution will give agencies plenty of new chances for clear-channel surveillance.
The report is the result of discussions among a group of security, privacy, policy, and law experts about the issue of law enforcement “going dark” at a time when more and more people are employing encrypted phone and electronic communications. Politicians and law enforcement officials have argued that legitimate surveillance and intercept capabilities are greatly decreased because of the rise of encrypted communications, which are widely available now for consumers. The Harvard study finds that a number of factors detract from the validity of the “going dark” line of reasoning.
“We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow. Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will ‘go dark’ and beyond reach,” the Berkman Center report says.
The “going dark” argument isn’t a new one, but some recent developments in technology have brought it back to the fore. Moves by Apple and Google to encrypt their phones by default have angered law enforcement agencies, as the encryption keys are held on the users’ devices and not by the vendors. That makes it much more difficult for law enforcement to get access to the contents of an encrypted device. Paired with the proliferation of encrypted text services such as TextSecure and encrypted email systems such as Proton Mail, that has led to frustration among intelligence and law enforcement agencies.
However, the authors of the Harvard study, who include Bruce Schneier, Jonathan Zittrain, and Susan Landau, say the spread of encrypted communications is not the major threat these agencies believe it to be, especially when it comes to commercial companies deploying it. Many of the companies that have rolled out encrypted services–most notably Google–make their money on mining users’ data.
“End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten,” the report says.
Another factor the experts say will mitigate the problem of going dark is the rise of all manner of IoT devices, such as connected thermostats, light bulbs, baby monitors, and watches, that collect and spew data about users and their activities–virtually all of it stored and sent unencrypted.
“As data collection volume and methods proliferate, the number of human and technical weaknesses within the system will increase to the point that it will overwhelmingly likely be a net positive for the intelligence community. Consider all those IoT devices with their sensors and poorly updated firmware. We’re hardly going dark when — fittingly, given the metaphor — our light bulbs have motion detectors and an open port,” Zittrain, a co-founder of the Berkman Center for Internet and Society and a professor at Harvard Law School, wrote in a blog post accompanying the report.
“The label is ‘going dark’ only because the security state is losing something that it fleetingly had access to, not because it is all of a sudden lacking in vectors for useful information.”
Also, Schneier wrote in an appendix to the report, the use of encrypted communications forces law enforcement and intelligence agencies to switch from bulk to targeted surveillance tactics.
“Ubiquitous encryption protects us much more from bulk surveillance than from targeted surveillance. For a variety of technical reasons, computer security is extraordinarily weak. If a sufficiently skilled, funded, and motivated attacker wants in to your computer, they’re in,” Schneier wrote.
“If they’re not, it’s because you’re not high enough on their priority list to bother with. Widespread encryption forces the listener – whether a foreign government, criminal, or terrorist – to target. And this hurts repressive governments much more than it hurts terrorists and criminals.”