What is FBI director Comey asking for?
Comey called for a “front-door” approach to customer data access in an but he was unclear about how this might work outside of a nebulous call for tech companies to build “intercept solutions” into their products. National Security Agency (NSA) Director Michael Rogers proposed when he suggested that technology companies be required to create a digital key that could open any smartphone or other locked device, but dividing that key into pieces so it could not be used unilaterally. The Center for Democracy & Technology the split-key proposal as impractical.
In his written statement before the Senate Judiciary Committee, Comey was careful to avoid asking companies to allow surreptitious “backdoor” access to customer data and communications. Documents leaked by former NSA contractor Edward Snowden in 2013 indicated that his former agency had done this, for example, by deliberately issued by the National Institute of Standards and Technology. The backlash against the government’s alleged tampering with encryption standards and government demands for customer data has created a growing rift between Silicon Valley companies and Washington, D.C.
Why does the government say it should have this capability?
Federal law enforcement officials are concerned that criminals and terrorists will go “dark” by hiding their communications in encrypted e-mails and smartphones. Newer versions of the Apple iOS and Google Android mobile operating systems have emphasized encryption, to the point where company executives have said they would be unable to unlock customer data for law enforcement . “With sophisticated encryption, there might be no solution [for law enforcement], leaving the government at a dead end—all in the name of privacy and network security,” Comey said in October. Others in law enforcement have taken even more extreme positions. “Apple will become the phone of choice for the pedophile,” John Escalante, chief of detectives for the Chicago Police Department, told in September.
New York City District Attorney (NYCDA) Cyrus Vance, who , was more specific in his objection to device encryption. In his written testimony, he stated that asking his office to investigate the more than 100,000 criminal cases they handle each year without smartphone data is to “fight crime with one hand tied behind our backs.” Following the hearing, Wired reported that the NYCDA’s office has since September encountered 74 iPhones whose full-disk encryption locked out a law enforcement investigation. Vance later singled out Apple during his testimony for having a double standard with regard to its encryption policy. The company allows its customers to have sole possession of the decryption key for gadgets running iOS 8. Meanwhile, Apple does have the ability to decrypt customer data stored in the company’s iCloud storage service if ordered to do so.
The FBI does need to intercept communications from time to time. Doesn’t Comey have a point?
Security experts have criticized law enforcement officials for overstating the need for access. “It's all bluster,” security expert wrote on his blog in October. Schneier, one of 15 co-authors of the new report by Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory (CSAIL), added, “Of the 3,576 major offenses for which for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there's no evidence that encryption hampers criminal investigations in any serious way. In 2013 encryption nine times, up from four in 2012—and the investigations proceeded in some other way.”
What technical objections do security experts have to “special access”?
CSAIL issued its 34-page report yesterday—. It highlights several reasons why special access would create more problems than it would solve. The security researchers interpret Comey’s comments to mean tech companies should create a cryptographic key escrow—in other words, a stored digital skeleton key—that law enforcement could use to unlock encrypted information for use in criminal or terrorism investigations. But any cryptographic key created for law enforcement would become a major target for hackers, would be difficult to secure and would discourage newer security practices such as “forward secrecy,” in which decryption keys are deleted immediately after use and new keys are created for each subsequent transaction. A small but growing number of sites—including Google, Twitter, the Wikimedia Foundation and Facebook—have over the past few years to secure transactions and data.
Is there any way to create special access that would make everyone happy?
What is the government’s track record for protecting sensitive data?
Not good. the government reported successful hacks into unclassified White House, State and Defense department e-mail systems. The security researchers, led by Daniel Weitzner, director of M.I.T.’s and a former deputy chief technology officer at the White House, specifically cite the recent hack of the U.S. Office of Personnel Management (OPM) to illustrate the harm that can arise when many organizations entrust private information to a single institution for safekeeping. In the case of OPM, numerous federal agencies lost sensitive data because the office had insecure infrastructure.
Is there any precedent for what the government is asking to do?
The current debate must seem like déjà vu for many of the report’s authors, many of whom in 1997 opposed a Clinton administration proposal that sought to require information and communication services to engineer their products to guarantee law enforcement access to all data. The White House ultimately abandoned its push to have tech companies install what came to be known as the . The plan behind Clipper was to have all encryption systems retain a copy of keys necessary to decrypt information entrusted to a third party who would turn over the keys to law enforcement on proper legal authorization.
No comments:
Post a Comment