Has the deciding shot been fired in the crypto wars?

The battle for the privacy of our digital devices stretches back to 1993, when the National Security Agency (NSA) developed the Clipper chip, which would provide the government with backdoor access to any mobile device the chip was installed in.  It sparked what came to be known as the "crypto wars" between the government and the phone manufacturers, who eventually won out when the project was scrapped in 1996.

This desire to allow the state to overcome increasingly sophisticated encryption didn't die there, however, with the NSA working to weaken encryption standards and get hold of master keys, whether by agreement or force.  The Edward Snowden leaks revealed how far these efforts had gone, with the intelligence agencies capable of bypassing the encryption of both iOS and Android smartphones.  The leak prompted both Apple and Google to redo their encryption so that this technical capability ceased to exist.

This famously culminated in a legal battle in 2016 after the FBI were unable to access the iPhone of one of the shooters involved in the San Bernardino terrorist attack.  The phone was designed to delete all of its data after ten failed attempts to log in. After the NSA were unable to assist the FBI in accessing the phone, the pair tried to strong arm Apple into not only providing access to the phone, but developing a new version of iOS with various security features disabled.

The fatal blow

Step forward to June 23, 2020, and potentially the deciding shot in the crypto wars, as US Senators Marsha Blackburn, Tom Cotton and Lindsey Graham introduced the Lawful Access to Encrypted Data Act, which would force technology companies operating in the US to give the government and law enforcement agencies access to encrypted data when asked to do so.

The bill has three main provisions.  Firstly, it allows courts to order operating system providers, device manufacturers, communication service providers, and so on to assist the government in any request for information sought via a search warrant.  What's more, stakeholders will now be mandated to ensure they are able to provide that assistance, which will include requiring them to report “any technical capabilities that [are] necessary to implement and comply with anticipated court orders”.

The bill effectively marks the end of digital service providers being able to offer unabashed, end-to-end encryption to users that are truly secure and private to all comers.  Indeed, it marks the end of being able to offer any form of encryption that does not contain a back door for government law enforcement agencies to access.

Why it matters

It might seem that this is, and has always been, a somewhat cherlish argument.  After all, if law enforcement agencies want to have access to something, they should be able to have it, right?  The problem with this is not so much in the theory behind it as it is in the way it could be achieved.

For the government to access data, it will require either encryption backdoors to be built in, or a key escrow.  Thankfully, key escrows don’t appear to be discussed as a viable option as it would require a copy of the encryption key to be stored somewhere so that it could be accessed under subpoena from the courts.  In itself, that would present a major security risk.

Instead, the plan is to utilize encryption backdoors.  This is where the seeds that are fed to the algorithms that in turn fuel the random number generators at the heart of modern encryption is made available.  The problem is our assumption that it will only be the “good guys” who will gain access to these seeds.  History tells us that this is unlikely to be the case, and once the encryption doors have been bust open it will be easier for others to burst through, whether those are other nation state agencies or even cyber criminals.  Every defence you’ve put together to keep people out has a back door deliberately built in, which undermines every effort you’ve made to be secure.

A justified breach?

Given the fuss the FBI and NSA made during the Apple dispute, the ability to unlock any device they choose is clearly hugely appealing to the law enforcement community, but as is so often the case in such matters, such over-reach comes at the expense of law abiding citizens.  This over-reach is especially egregious because there are other approaches in evidence around the world that don’t provide such an erosion of civil liberties.

For instance in the European Union, they have clearly stated that imposing master keys and backdoors on law abiding citizens is not only morally wrong, but ineffective against criminals, who would continue using state of the art encryption to protect their data, and therefore be a step ahead of law enforcement agencies.  As such, they believe the approach used by the US will only harm honest citizens by rendering their data vulnerable.  Instead, they argue that law enforcement agencies should use the tools at their disposal, such as existing laws to compel suspects to unlock their device, the available metadata, and various other forms of surveillance.

With the tech giants in the crosshairs of legislators for various reasons at the moment, lobbying seems unlikely to yield any remediation of the bill, but we might see encryption instead utilizing truly random number generators rather than seeding a pseudo-random number generator.  This would negate the effectiveness of any backdoor.

There is likely to be a combination of technological and legal developments in a debate that may appear to have been fatally decided by the government, but which in reality is likely to rumble on for some time to come.