From the German Interior and FBI-NY lawful access proposals to the prospect of meaningful IT privacy for all.
Five years after Snowden, although unbreakable end-to-end encryption is widely available, all or nearly all IT devices and systems remain remotely and continuously exploitable by several western public security agencies, through a combination of technologies and human processes, called lawful hacking, except for very limited use case of the most advanced and well funded individuals. Lawful hacking is legal and its use is being expanded for more crimes and more security agencies, in the US and Germany, and increasingly regulated.
In a World increasingly full of enraged individuals and a reduced cost to cause great human harm, this lawful hacking capability serves a critical and invaluable function as it enables democratic security agencies to investigate suspects that use unbreakable encryption and anonymization apps to successfully skirt the execution of lawful access requests approved through a due legal process.
The Dramatic Downsides of “Lawful Hacking”
Nonetheless, lawful hacking has substantial and critical disadvantages for both suspects, general citizens, and investigators.
Firstly, it can be rendered temporarily non-functioning by firmware updates or user’s cyber-defense provisions. Secondly, its very high technical and procedural complexities create substantial risks of abuse of the rights of the investigated citizens, the cybersecurity of general citizens, and to the integrity of the investigation and the evidence so acquired, which often is therefore contested in higher courts. Thirdly, it forces nations to continuously stockpile updated hacking tools, that end up in the hands of criminals, as per Vault 7 and Shadow Brokers scandals. Fourthly, it creates a strong indirect economic incentive for both a huge market of critical vulnerabilities.
Fifthly, and most crucially, the utility of lawful hacking to nations relies on ensuring that no device in the market exists, no matter at what price, is beyond their own hacking capability or that of one of its most powerful allies. So that the most dangerous criminals have to resort to way less efficient and slower means of communication. Therefore nations have spent and keep spending huge amounts of money and intelligence activity to break everything – down to an operating system, CPU designs, fabrication processes, and even standards and certifications – to ensure that every single computing has at least one remotely-exploitable critical vulnerability at any given time.
Mitigating the Downsides of Lawful Hacking
In order to mitigate such downsides of lawful hacking, mostly for the law enforcement side, western democracies have been periodically proposing various implementations of the 2 main class of alternatives to lawful hacking, key/data escrow solutions or state-mandated backdoors, i.e. technical requirements in IT products that guarantee remote access for lawful enforcement. There is, however, a very well documented and wide consensus of experts for over 30 years that affirms, rightly we believe, that any foreseeable implementation of such solutions would create unacceptable additional risks of abuse to the privacy of citizens, and cybersecurity in general.
It is to be noted, however, that those studies evaluated scenarios of implementations of such solutions as a legislative mandate by a national or international institution, and in case where such solutions would be applicable to all IT communication systems and not just ultra-high assurance systems, i.e. systems – entirely or mostly non-existent today – that are beyond the capabilities of the most advanced lawful hacking techniques.
Most recently, last December the German legislators have proposed a state-mandated backdoor extended even to IoT devices and connected cars, rightly criticized by many.
The Recent FBI/Symphony Lawful Access Proposal
Last January, for the 1st time since Snowden, the FBI has publicly endorsed a specific new key/data escrow solutions or models as a best practice solution to solve the problems of lawful hacking, and alternative to state-mandated backdoors through Director Wray. He referred to an agreement signed between secure messaging provider Symphony and New York State financial crime authorities that basically involves a third-party custodian entity deputed to hold logs of the data, and respond to the lawful access request. Here is what Wray had to say:
Some of you may know about the chat and messaging platform called Symphony. This was used by a group of major banks, and marketed as offering something called “guaranteed data deletion,” among other things. Maybe the labeling, maybe the content didn’t sit too well with the friendly regulator down the street—the New York Department of Financial Services. DFS was concerned that the feature could be used to hamper regulatory investigations of Wall Street. In response, the four banks reached an agreement with the Department to help ensure responsible use of Symphony. They agreed to keep a copy of all communications sent to or from them through Symphony for a period of seven years. The banks also agreed to store duplicate copies of the encryption keys for their messages with independent custodians who aren’t controlled by the banks.
so at the end, the data in Symphony was still secure, still encrypted, but also accessible to the regulators so they could do their jobs. I’m confident that by working together and finding similar areas to agree and compromise, we can come up with solutions to the Going Dark problem.
Though the information available is exceedingly scant, we believe this approach indicated by the FBI, to be a promising architectural approach, if detailed with extreme additional safeguards.
A solution for ultra-high assurance IT for all and better cyber-investigation capabilities
From the information publicly available about the Symphony key/data escrow model, there is no evidence whatsoever that technical, socio-technical and governance safeguards and resilience provided by the third-party escrow agent (custodian) and by the offered IT service, provide the ultra-high levels of transparency and trustworthiness that would be needed to sufficiently mitigate great risks to both (1) the privacy of user of the IT service, by state agencies or criminals; as well as (2) the integrity and availability of the logs that are saved for future access of legitimately authorised investigations.
A possible declination of such model could lead to a radical mitigation of the problems creates by lawful hacking to individual civil freedoms and to the effectiveness of law enforcement, in so far as both the key escrow procedure, and IT service being escrowed, are subject to transparency, accountability, oversight and security-review in relation to complexity, that are on par with those applied of critical nuclear systems, best-of-breed paper-based elections processes or commercial aviation.
Since 2014, at the Trustless Computing Association, and more recently with its spin-off startup TRUSTLESS.AI, we are have been building and promoting a model of voluntary third-party key/data escrow solution for ultra-high assurance IT systems centered around an extremely international, citizen-accountable, transparent, resilient and technically proficient non-governmental body, with functions of standards setting, certification and oversight to enforce ultra-high levels of transparency and trustworthiness for all technologies, life-cycle, governance and human processes that are critically-involved in both the key/data escrow process as well as in the offering of ultra-high assurance IT service.
More details on our proposal for such a Trustless Computing Certification Bodycan be found on our website, and especially in the Trustless Computing Paradigms that are detailed in our Position Paper.
A new and much more detailed Position Paper will be presented at the 5th Edition of our Free and Safe in Cyberspace event series in Berlin on May 4th, 2018, dedicate to discuss if and how such a certification body could really radically increase both personal freedom and public safety.