In the rock-paper-scissors game of technology, the Internet of Things beats cryptography. This is the conclusion of a new Harvard Law School report focusing on the FBI’s claims that increasing levels of cryptography in consumer devices means that law enforcement loses.
The report retorts that even if cryptography closes some doors, new Internet-connected devices and services will open others.
The stakes are certainly high, said FBI director James Comey in congressional testimony last summer. Bad guys benefit from increased end-to-end cryptography on both devices and networks, as he and others have argued in the media. And that, they say, means losing access to key surveillance opportunities for fighting crime and terrorism.
“We in law enforcement often refer to this problem as ‘going dark,’” Comey said.
But the new report, from Harvard Law School’s Berkman Center for Internet and Society, says Comey is missing the larger picture. While increasingly pervasive cryptography in consumer devices may close some surveillance channels, plenty of other channels are opening up that allow law enforcement to continue to keep an eye on suspected criminals. Most of these new inroads, the report says, come courtesy of two other tech innovations that are dramatically changing the way we use consumer electronics: the cloud and the Internet of Things (IoT).
“We think there are some things that are missing from the debate that really have not been discussed,” says David O’Brien, senior researcher at the Berkman Center and head of the Center’s joint effort with the William and Flora Hewlett Foundation—the so-called “Berklett” Cybersecurity Project.
“Perhaps the future is not one where we have gone dark completely but instead one where there are actually spots of darkness and spots of light at the same time,” O’Brien says. “There’s also this emerging Internet of Things. And if it’s as wildly successful as people forecast it to be, that could really change a lot of methods of conducting surveillance.”
The report notes that for all the powerful encryption a user’s smartphone might offer, other Internet-connected devices have less stringent encryption protocols (if any) on them. So rather than cops being stymied because the bad guy’s iPhone conversations are encrypted, they can find new inroads by turning to his smart TV or voice-activated car entertainment system.
As long ago as 2001, O’Brien says, the FBI was already exploring such a backdoor approach for monitoring a suspected mobster.
“The FBI was surveilling people who were suspected of being members of organized crime, and the suspects… would only talk when they were in the car driving,” O’Brien says. But the suspects’ car was equipped with voice-activated in-car technology—like those used by OnStar, ATX and others. So the FBI asked for permission to wiretap the car through this technology.
The courts ultimately denied the order, but only because enabling the FBI to wiretap the car in that case would have meant turning off other safety features.
The decision, O’Brien says, “Leaves the door pretty wide open…It’s certainly plausible that you could repurpose a microphone or a camera that’s capable of taking video or still images for surveillance purposes.”
Ultimately, O’Brien says, strong cryptography in consumer tech means increased inconvenience and fewer and less powerful features and services. Given the choice, for instance, would you want a perfectly encrypted cloud backup service that would leave you out in the cold if you lost the key, or would you rather have backup that could still restore data even after losing your key? The biggest consumer tech company in the world has an answer to that question.
“iCloud is enabled by default on Apple devices,” the report says. “Although Apple does encrypt iCloud backups, it holds the keys so that users who have lost everything are not left without recourse. So while the data may be protected from outside attackers, it is still capable of being decrypted by Apple.”
Bruce Schneier, one of the report’s co-authors, adds that there’s still plenty for consumers to be concerned about with the technologies the report considers.
In a recent blog post, Schneier calls the problem the “world-sized web”—the increasingly pervasive encroachment of internet-connected devices into every aspect of our lives. So the FBI’s warnings about an individual’s ability to “go dark,” are a paradox, he says, because they highlight just how many points of “light” investigators have now or will soon enjoy.
“We’re not being asked to choose between security and privacy. We’re being asked to choose between less security and more security,” Schneier writes in the new report.
“Ubiquitous encryption protects us much more from bulk surveillance than from targeted surveillance,” he says. “For a variety of technical reasons, computer security is extraordinarily weak. If a sufficiently skilled, funded, and motivated attacker wants in to your computer, they’re in. If they’re not, it’s because you’re not high enough on their priority list to bother with. Widespread encryption forces the listener—whether a foreign government, criminal, or terrorist—to [select a] target. And this hurts repressive governments much more than it hurts terrorists and criminals.”
The bottom line is that, as long as market forces continue to shape consumer technology, it’s doubtful that the FBI’s dire forecasts about losing back doors that enable it monitor criminal behavior will ever come true. The cloud and the Internet of Things will likely provide plenty of snooping opportunities for the agency and others like it.