Paper Spells Out Tech, Legal Options for Encryption Workarounds

ID THREATPOST:B79F3784865F9F64F9238B532DC85B59
Type threatpost
Reporter Michael Mimoso
Modified 2017-03-23T15:42:20


FBI Director James Comey’s dogged attachment to the argument that strong encryption hinders criminal investigations by law enforcement is heading into its third year with little signs of abatement.

That insistence comes despite three years of arguments to the contrary from security experts, who point out the potential consequences of the FBI’s desire for a solution that bypasses the secrecy afforded by messaging apps such as Signal, or technological barriers such as those present in the iPhone that wipe a device after a set number of incorrect passcode guesses.

Technologists’ arguments about the intentional weakening of crypto benefiting criminals as well as cops have fallen on deaf ears because as recently as March 8 in Boston, Comey reiterated all of his previous “going dark” arguments, and warned that mainstream adoption of crypto had brought unbreakable secrecy to the world of drug dealers, pedophiles and kidnappers.

This week, two of the loudest critics of “going dark,” Bruce Schneier and George Washington University Law School’s Orin Kerr, released a draft of a paper that provides a straightforward taxonomy of workarounds to existing strong crypto available to law enforcement. The paper, Schneier said, isn’t a proscriptive document, rather technical and legal lay of the land for policy makers explaining how a half-dozen available workarounds can proceed, what potential hurdles exist, and what are the likely legal challenges.

The paper, called “Encryption Workarounds,” explains difficult conceptual areas for policymakers, many of whom are not schooled technologists and are much more likely to be swayed by emotional and political arguments against crypto, without solid technical reasoning.

“I think it’s definitely not understood at all among policy makers. We need more public interest technologists. This marrying of tech and policy is critical, and if you don’t understand the tech, you get bad policy,” said Schneier, CTO at Resilient Systems and Berkman Fellow at Harvard University’s Berkman Center for Internet and Society.

“These sorts of papers are important. Comey will say ‘I want this capability.’ Well, what does that actually mean? He doesn’t know, he just knows he just wants the end result,” Schneier said. “There are a lot of different paths you can take to get there and the path matters. Here we’re laying out the different potential paths and how they might matter.”

The paper identifies six methods at the disposal of investigators that could be used to try to bypass encryption schemes. Those include finding, guessing or compelling an encryption key from a subject, exploiting a flaw in a crypto scheme, accessing plaintext when a device is in use, or locating a plaintext copy. The first three involve accessing the decryption key for a device or file, and investigators either finding a physical copy of the key written down somewhere, guessing a password or passcode (a weak default password, or someone’s birth date used as a passcode), or using a warrant or legal order compelling an organization or individual to turn it over. The three remaining options have their own challenges, requiring either an exploit for a known or unknown crypto flaw or weakness, or accessing a device without a key and when it’s in use, or if there’s a plaintext copy of data stored in the cloud, or drafts in a word-processing program.

Each workaround is described along with technological and legal challenges.

A nuanced part of this discussion is the division between law enforcement’s capabilities in these arenas, and those of intelligence agencies charged with national security. Some have argued, for example, that metadata is a sufficient technological solution for law enforcement, but Schneier points out that while its does provide location data and other pertinent information, it’s not always enough for law enforcement.

“For national intelligence, metadata is much more valuable. For law enforcement, you have to go to court. You need the transcripts. You need the data more. There is more demand for the data in solving crimes than in looking for conspiracies,” Schneier said. “Metadata can place me in a location at this moment, but if we’re planning a crime, it’s not enough that we’re talking. It’s got to be about what we said. It’s got to be what’s on the phone.”

The FBI famously tried to compel Apple a year ago to provide a technological solution to unlocking San Bernardino terrorist Syed Farook’s phone, but ultimately took its legal challenge off the table once it was able to procure a still-unknown technical solution to unlocking the device. The FBI, Schneier said, is not as resourced as the NSA in these areas.

“At this point, they don’t [have in-house expertise to get this done]. They need to get it, but they don’t have it. They’ve lost it,” Schneier said. “I think the whole art of forensics has faded because in the last 20 years, all they’ve had to do is get the phone. You have a whole generation of FBI agents who have been trained to just get the phone.

“If they were denied that, they would have to re-learn all their old tricks,” Schneier said. “And they could, but I think they expertise, they don’t have it. That’s one of the problems, and if they had it, they wouldn’t be in this mess. The national security side is doing OK, they don’t need our help.”