Top global security experts defend encryption

As government officials continue to plead the case against strong encryption, a group of high-profile international security experts has published a paper arguing that allowing government agents special access to communications would have detrimental effects on personal privacy, enterprise security, and our national economy.

"In the long run, what would help law enforcement and make us secure is that we do the best we can to make the infrastructure as secure as possible," said Hal Abelson, the lead author on the paper. "The calls for adding exceptional access -- whether front doors or back doors -- are going in the opposite direction."

Abelson, who is a well-known professor of computer science and engineering at MIT, is also a founding director of Creative Commons and Public Knowledge, and a director of the Center for Democracy and Technology.

He added, however, that government officials have not released any details about what they would like to see happen.

"The devil is in the details," he said.

For example, he said, if a vendor must give government agents access to customer communications, that means the vendor itself has that access.

"If you knew that Apple has access to all of your communications, would you use that if you were Microsoft?" he asked.

Vendors would prefer to have as little ability to access customer information as possible, he said.

For example, keys to encrypted communications are typically destroyed automatically after every interchange, he said.

But that means that there's no way for law enforcement to get at this data, either, he said.

"This is a very complicated issue and it's not going to go away," he said.

FBI Director James Comey called it "Going Dark."

"Changing forms of Internet communication are quickly outpacing laws and technology designed to allow for the lawful intercept of communication content," he told the Senate Intelligence Committee Wednesday.

Terrorist groups such as ISIL are using modern communications methods, he said -- but the laws haven't kept up.

For example, traditional telephone companies are required to have the capability to provide wiretaps to law enforcement, but there's no such requirement for Internet technology companies.

"Such services can be developed and deployed without any ability for law enforcement to collect information critical to criminal and national security investigations and prosecutions," he said.

In addressing the Senate Judiciary Committee that same day, Comey went even further, saying that there were more and more criminal cases relying on data stored on computers or mobile devices -- and that strong encryption would hinder prosecution in these cases.

"If we cannot access this evidence, it will have ongoing, significant impacts on our ability to identify, stop, and prosecute these offenders," he said.

Comey stopped short of making any concrete proposals, but urged more discussion of how "encryption as currently implemented poses real barriers to law enforcement's ability to seek information in specific cases of possible national security threat."

The government is between a rock and a hard place, said Richard Blech, CEO at Secure Channels.

"You cannot have a backdoor that only the 'good guys' can use, it will be exploited by the bad guys," he said.

Kunal Rupani, senior product manager at Accellion, said that existing communication protocols actually don't go far enough in protecting privacy and security.

The paper published this week by security experts focused on protecting content, he said. "A big piece that is missing is metadata -- and the metadata can be even more useful than the content."

Metadata, which is usually transmitted in unencrypted form, allows marketers, criminals, and agents of both local and foreign governments to track how messages are communicated, he said.

"Who am I sharing the file with? What time did I look at the file?" he asked. "Very few people really talk about this information."

Other metadata can be used to track online behavior, physical locations, and much more.

There are efforts underway to close down some of these security holes.

But, according to Rupani, there is government opposition, and this restricts innovation and hurts competitiveness.

"As we globalize, the need for open communications increases, and the actions that the government is trying to take is definitely concerning," he said.

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place