Encryption has been under attack for several years now, with politicians around the world – specifically in Five Eyes intelligence-sharing countries like the US, UK, and Australia – regularly advocating for “lawful” access to encrypted data.
On June 23, 2020, US Senators Lindsey Graham, Marsha Blackburn, and Tom Cotton introduced a bill that would require companies operating in the US to grant access to encrypted data when law enforcement requests it (through the proper legal channels).
On its face, this sounds like an entirely reasonable request. And GlobalSign has very little appetite to wade into the world of politics. Still, we felt it was important to come out on the record about why the Lawful Access to Encrypted Data Act is a threat to internet security and your own digital privacy.
What is the Lawful Access to Encrypted Data Act?
The Lawful Access to Encrypted Data Act is the bill the US law enforcement community has been threatening for years. It would force companies to comply with a decryption directive: law enforcement must be afforded access to any data it lawfully requests, which means the provider has to retain the ability to decrypt that data, regardless of how the product was designed.
As Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at Stanford Law School’s Center for Internet and Society puts it:
“…the bill is an actual, overt, make-no-mistake, crystal-clear ban on providers from offering end-to-end encryption in online services, from offering encrypted devices that cannot be unlocked for law enforcement, and indeed from offering any encryption that does not build in a means of decrypting data for law enforcement.”
There’s a narrow exception if a company can prove decryption to be “technically impossible,” but the bill gives no clarity on what that means. It’s also worth noting that the bill's sponsors have taken a hard line on the tech industry and are unlikely to be very forgiving in how they interpret it.
At the end of 2019, after calling representatives for Apple and Facebook to testify about this very issue in front of his committee in the Senate, Graham told an executive from Facebook: “It ain’t complicated for me. You’re going to find a way to do this or we’re going to do it for you.”
What is Wrong with Lawful Access to Encrypted Data?
There are two ways to effectively achieve what the US government is demanding:
- Key escrow
- Encryption backdoors
Key escrow doesn’t even seem to be on the table, and that’s probably a good thing. It would mean a copy of your encryption key is deposited in a third-party database so that, upon subpoena, it could be retrieved to decrypt anything encrypted under your key.
This requires a central repository of keys: a single, enormously valuable target that needs correspondingly serious protection. Who protects those keys? The US government? What’s its track record?
Well, NSA-developed exploits are still being turned against networks worldwide following the Shadow Brokers leak, and the surveillance provisions of the Patriot Act were abused badly enough that whistleblowers put their careers and liberty on the line to expose them.
That’s not the route this bill takes, though. Instead, it's demanding backdoors. As the Electronic Frontier Foundation writes:
"The bill is sweeping in scope. It gives the government the ability to demand these backdoors in connection with a wide range of surveillance orders in criminal and national security cases, including Section 215 of the Patriot Act, a surveillance law so controversial that Congress can’t agree whether it should be reauthorized."
Ok, So What is an Encryption Backdoor Then?
An encryption backdoor is any deliberate weakness that lets a party decrypt data without holding the legitimate key. The most insidious variety targets the random number generator (RNG), because that is where every key, nonce and session secret is born. Most cryptosystems don’t use truly random numbers; they use a pseudo-random number generator, a deterministic algorithm that stretches a small secret input, the seed, into a long stream of numbers that merely look random.
That determinism is the weak point. If you know the seed, or can guess it from a small enough search space, you can regenerate the same stream, recover the key, and decrypt with very little computation. The seed is not the only way in, either: if the generator’s internal constants were chosen by someone holding a secret trapdoor, that party can predict the output without ever seeing the seed. The NSA is widely believed to have done exactly this with Dual_EC_DRBG, an elliptic curve-based generator standardized in 2006; researchers demonstrated in 2007 that whoever chose its curve points could recover the generator’s internal state from a small amount of output.
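The seed problem in working code, as an added example that is not part of the original post: a hypothetical messaging app derives each message key from Python’s Mersenne Twister seeded with the send timestamp. The toy HMAC-based stream cipher, the fixed header, the timestamp and the message are all constructed for illustration. An attacker who can narrow the seed down to a two-hour window recovers the key by simple enumeration; seeding from the OS entropy pool instead leaves nothing to enumerate.

```python
import hashlib
import hmac
import random
import secrets

# Assumed fixed protocol header: gives the attacker a known-plaintext crib.
HEADER = b"MSGHDR01"


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a keystream: HMAC-SHA256 over a counter.
    Toy stream cipher for illustration only (no nonce, no authentication);
    the point here is key recovery, not cipher design."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: the same operation both ways


def key_from_weak_seed(seed: int) -> bytes:
    """Flawed derivation: 128 bits from Python's Mersenne Twister seeded with
    a low-entropy value (here, a send timestamp). The key is a pure function
    of the seed, so whoever knows the seed knows the key."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def key_from_entropy() -> bytes:
    """Fix: 128 bits from the OS CSPRNG, which is itself seeded from hardware
    and environmental entropy (the role a TRNG plays). Nothing to enumerate."""
    return secrets.token_bytes(16)


def recover_key_by_seed_search(ciphertext: bytes, seed_lo: int, seed_hi: int):
    """Attacker's side: enumerate candidate seeds, regenerate each key and
    keep the one that decrypts the ciphertext to the known header.
    Returns (seed, key) or None."""
    for seed in range(seed_lo, seed_hi):
        key = key_from_weak_seed(seed)
        if decrypt(key, ciphertext[:len(HEADER)]) == HEADER:
            return seed, key
    return None


def demo(message: bytes = b"meeting moved to 10am") -> dict:
    plaintext = HEADER + message
    send_time = 1_593_000_000                        # constructed Unix timestamp used as seed
    window = (send_time - 3_600, send_time + 3_600)  # attacker knows the hour, give or take

    # Weak: key derived from the timestamp. 7,200 guesses recover it.
    ct_weak = encrypt(key_from_weak_seed(send_time), plaintext)
    hit = recover_key_by_seed_search(ct_weak, *window)
    recovered = decrypt(hit[1], ct_weak) if hit else None

    # Fixed: key from OS entropy. The same search finds nothing.
    ct_strong = encrypt(key_from_entropy(), plaintext)
    miss = recover_key_by_seed_search(ct_strong, *window)

    return {"seed_found": hit[0] if hit else None,
            "recovered_plaintext": recovered,
            "strong_key_search": miss}


if __name__ == "__main__":
    print(demo())
```

The search space here is 7,200 seeds because the attacker knows roughly when the message was sent; a 32-bit seed searched blind is only about four billion tries, which is an afternoon on a laptop. Swapping in `secrets.token_bytes` does not change the cipher at all; it only removes the attacker’s ability to enumerate the key.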
This weakens encryption. Significantly. The US government won’t be the only one that’s able to access your data once we start building backdoors into encryption. Other nations, state-backed APTs, and even enterprising criminals with the right resources will be able to grant themselves extra-judicial access to encrypted data at that point, too. Yours. Your company’s. All the encrypted defenses you’ve built will now have a backdoor into them.
That undermines the entire point of encryption.
And this comes at a critical moment in time, too. With nearly two-thirds of the US workforce now working remotely, encryption has never been more important to conducting business. Anything the US government does to weaken encryption effectively puts American businesses (and any international organization operating in the US) at risk. Not to mention it gives US law enforcement an invasive new tool at a time when the country is in the midst of a national reckoning about the role and degree of power given to law enforcement.
The Case for “Legal Access to Encrypted Data” Has Not Been Made
In 2017 and 2018, FBI director Christopher Wray repeatedly cited the thousands of seized devices the FBI could not unlock (a figure the Bureau later admitted it had overstated). The dispute had already come to a head after the 2015 San Bernardino mass shooting, when Apple fought the US government in court over unlocking the shooter’s iPhone.
In the end, the FBI found a third-party firm that cracked the iPhone without Apple’s help. A turn-key solution for legal access would no doubt be a significant tool for law enforcement, but it would come at the cost of compromising encryption for law-abiding citizens around the world, and the San Bernardino case itself shows there are other, less disruptive approaches.
In other regions, this line of argument has not worked. Notably, the EU’s Article 29 Working Party (the body of national data protection authorities, since succeeded by the European Data Protection Board) opined:
“Imposing backdoors and master keys on law abiding citizens and organisations would not be an effective measure against criminals since they would continue to use or adapt the strongest state of the art encryption to protect their data, keeping them safe from law enforcement access. As a result, backdoors and master keys would only harm the honest citizen by making their data vulnerable.”
The working party also told law enforcement agencies to use the tools already at their disposal: available metadata, legally compelling a suspect to unlock their device, and the other forms of surveillance already in use.
What Can the Tech Industry Do?
Beyond the lobbying and influence peddling that has become customary for the technology industry, there is a technical angle worth understanding, though it helps less than it might first appear.
The RNG-style backdoor described above depends on the adversary being able to predict the pseudo-random number generator’s output, either by knowing its seed or by holding a trapdoor for its constants. That particular hole can be closed by seeding a well-vetted, publicly specified CSPRNG from a true random number generator (TRNG): a hardware source that harvests unpredictable physical events rather than running an algorithm.
A good example would be research at Penn State University that derives seeds by mapping the movement of cells on a fixed grid. A more popular example is the wall of lava lamps in the lobby at Cloudflare, which are photographed continuously, the images hashed and mixed into the entropy pool that seeds its servers’ CSPRNGs.
With genuine physical randomness feeding a generator whose algorithm and constants are public and reviewed, predicting keys becomes infinitely harder, perhaps even “technically impossible.” But randomness only defends against a rigged generator. What this bill demands is different: the provider must be able to decrypt on request, which means it must hold, or be able to obtain, a key to every user’s data. No entropy source defeats a mandate to keep a spare key. The design most likely to qualify for the “technically impossible” exception is one where the provider never holds the key at all, which is what end-to-end encryption is, and that is exactly the design the bill sets out to prohibit.
This will likely be a long battle – one that ends up in the courts – but keep an eye on this if you are designing or using encryption products. As Pfefferkorn writes:
“This bill is the encryption backdoor mandate we’ve been dreading was coming, but that nobody, during the past six years of the renewed Crypto Wars, had previously dared to introduce. Well, these three senators finally went there.”