Thursday, December 10, 2015

Crypto Wars, Déja Vu All Over Again

Hal and I were talking recently about how sorry we were that we don't have time to bring out a new edition of Blown to Bits, which was published in 2007. Then last night a student asked me a question about cryptography and I reread Chapter 5, and this morning I read the New York Times report that F.B.I. Chief Says Texas Gunman Used Encryption to Text Overseas Terrorist. Maybe there isn't that much to revise.

September 13, 2001. Fires were still smoldering in the wreckage of the World Trade Center when Judd Gregg of New Hampshire rose to tell the Senate what had to happen. He recalled the warnings issued by the FBI years before the country had been attacked: the FBI’s most serious problem was “the encryption capability of the people who have an intention to hurt America.” “It used to be,” the senator went on, “that we had the capability to break most codes because of our sophistication.” No more. “The technology has outstripped the code breakers,” he warned. (p. 161)

The F.B.I. director, James B. Comey, said Wednesday that investigators could not read more than 100 text messages exchanged by one of the attackers in a shooting this year in Garland, Tex., because they were encrypted, adding fuel to law enforcement agencies’ contention that they need a way to circumvent commercially available encryption technology.Mr. Comey, who two months ago appeared to have lost a battle inside the Obama administration over forcing companies like Apple and Google to give investigators a way to decode messages, told the Senate Judiciary Committee that one of the attackers “exchanged 109 messages with an overseas terrorist” the morning of the shooting. “We have no idea what he said because those messages were encrypted,” Mr. Comey said. “And to this day, I can’t tell you what he said with that terrorist 109 times the morning of that attack. That is a big problem. We have to grapple with it.” 
What was needed, Senator Gregg asserted, was “the cooperation of the community that is building the software, producing the software, and build- ing the equipment that creates the encoding technology”—cooperation, that is, enforced by legislation. 
But Mr. Comey argued in his testimony on Wednesday that the technology companies’ defense of “end-to-end encryption,” in which only specific users of a phone or computer hold the keys, was rooted in business decisions.… But he asked if that model could be changed, and “if that can’t be done voluntarily, what are the other alternatives?” 
Will some major supplier of email services and software, responding to consumers wary of information theft and government surveillance, make encrypted email the default option? (p. 191)
 OK, that part needs to be updated. Now:
For Mr. Comey, whose 10-year term extends well beyond President Obama’s, the recent attacks have provided renewed arguments to pressure technology companies. Cyrus R. Vance, the Manhattan district attorney, and William J. Bratton, New York City’s police commissioner, have faulted the encryption used by Apple, Facebook and Google for thwarting terrorism investigations.
In a very real sense, the dystopian predictions of both sides of that debate are being realized: On the one hand, encryption technol- ogy is readily available around the world, and people can hide the contents of their messages, just as law enforcement feared—there is widespread specu- lation about Al Qaeda’s use of PGP, for example. At the same time, the spread of the Internet has been accompanied by an increase in surveillance, just as the opponents of encryption regulation feared. 
The bottom-line question is this: As encryption becomes as ordinary a tool for personal messages as it already is for commercial transactions, will the benefits to personal privacy, free expression, and human liberty outweigh the costs to law enforcement and national intelligence, whose capacity to eaves- drop and wiretap will be at an end?  
But even if Apple rolled back its technology — which Tim Cook, the company’s chief executive, has emphatically insisted will never happen — it is unclear whether it would make it easier for American law enforcement to track terrorists. 
Of the encrypted mobile apps recommended in the Islamic State tutorial, the top five “safest” encryption schemes recommended by the group were made by companies outside the United States — in places like Switzerland, where a United States court order would not be enforceable. “We have far more to lose by having our information attacked than gained from weakening everyone’s information security,” Mr. Kocher said. He added that rolling back encryption in those products would only drive terrorists to use other products, or create their own.
“You can’t delete encryption software off the Internet or delete all the textbooks telling people how to write it,” Mr. Kocher said. 
Amen to that.


  1. (Bill Gasarch)
    Hopefull the bad guys will use PIN 1234 and password
    password, like 10% of all Americans do.

    Does Blown to bits need an update? In terms of telling
    more stories YES, in terms of the underlying issues.... probably not. Still, the new stories may be worth telling.

  2. This comment has been removed by a blog administrator.