GCHQ Propose A 'Going Dark' Workaround That Creates The Same User Trust Problem Encryption Backdoors Do (original) (raw)
from the wiretaps-but-for-Whatsapp dept
Are we “going dark?” The FBI certainly seems to believe so, although its estimation of the size of the problem was based on extremely inflated numbers. Other government agencies haven’t expressed nearly as much concern, even as default encryption has spread to cover devices and communications platforms.
There are solutions out there, if it is as much of a problem as certain people believe. (It really isn’t… at least not yet.) But most of these solutions ignore workarounds like accessing cloud storage or consensual searches in favor of demanding across-the-board weakening/breaking of encryption.
A few more suggestions have surfaced over at Lawfare. The caveat is that both authors, Ian Levy and Crispin Robinson, work for GCHQ. So that should give you some idea of which shareholders are being represented in this addition to the encryption debate.
The idea (there’s really only one presented here) isn’t as horrible as others suggested by law enforcement and intelligence officials. But that doesn’t mean it’s a good one. And there’s simply no way to plunge into this without addressing an assertion made without supporting evidence towards the beginning of this Lawfare piece.
Any functioning democracy will ensure that its law enforcement and intelligence methods are overseen independently, and that the public can be assured that any intrusions into people’s lives are necessary and proportionate.
By that definition, the authors’ home country is excluded from the list of “functioning democracies.” Multiple rulings have found GCHQ’s surveillance efforts in violation of UK law. And a number of leaks over the past half-decade have shown its oversight is mostly ornamental.
The same can be said for the “functioning democracy” on this side of the pond. Leaked documents and court orders have shown the NSA frequently ignores its oversight when not actively hiding information from Congress, the Inspector General, and the FISA court. Oversight of our nation’s law enforcement agencies is a patchwork of dysfunction, starting with friendly magistrates who care little about warrant affidavit contents and ending with various police oversight groups that are either filled with cops or cut out of the process by the agencies they nominally oversee. We can’t even get a grip on routine misconduct, much less ensure “necessary and proportionate intrusions into people’s lives.”
According to the two GCHQ reps, there’s a simple solution to eavesdropping on encrypted communications. All tech companies have to do is keep targets from knowing their communications are no longer secure.
In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who’s who and which devices are involved – they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication. This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have.
We’re not talking about weakening encryption or defeating the end-to-end nature of the service. In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with. That’s a very different proposition to discuss and you don’t even have to touch the encryption.
Suppressing notifications might be less harmful than key escrow or backdoors. It wouldn’t require a restructuring of the underlying platform or its encryption. If everything is in place — warrants, probable cause, exhaustion of less intrusive methods — it could give law enforcement a chance to play man-in-the-middle with targeted communications.
But there’s a downside — one that isn’t referenced in the Lawfare post. If both ends of a conversation are targeted, this may be workable. But what if one of the participants isn’t a target? This leaves them unprotected because the suppressed messages wouldn’t inform other non-target parties the conversation isn’t protected. Obviously it wouldn’t do the let anyone targets converse with know things are no longer normal on the target’s end, as it’s likely one of those participants will let the target know they’ve encountered a security warning while talking to them.
In that respect, it is analogous to a wiretap on someone’s phones. It will capture innocent conversations irrelevant to the investigation. In those cases, investigators are told to stop eavesdropping. It’s unclear how the same practice will work when the communications are being harvested digitally via unseen government additions to private conversations.
This proposal seems at odds with the authors’ suggested limitations, especially this one:
Any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users.
When a service provider starts suppressing warning messages, the trust relationship is going to be fundamentally altered. Even if users are made aware this is only happening in rare instances involving targets of investigations, the fact that their platform provider has chosen to mute these messages means they really can’t trust a lack of warnings to mean everything is still secure.
On the whole, it’s a more restrained solution than others have proposed — but it still has the built-in exploitation avenue key escrow does. It’s better than a backdoor but not by much. And the authors of this proposal shouldn’t pretend the solution lives up to the expectations they set for it. Their own proposal falls short of their listed ideals… and the whole thing is delivered under the false pretense law enforcement/intelligence agencies are subject to robust oversight.
Filed Under: backdoors, encryption, gchq, going dark, third parties, vulnerabilities