It’s Scary: Government’s Fight Against Encryption

on January 21, 2015

Most governments’ reaction to the terrorist attack on Charlie Hebdo and a kosher market in Paris seemed sensible. The major exception was a pledge by Prime Minister David Cameron to shut down encryption on messages in the U.K. No better is the pressure on President Obama to follow suit. One reason for limited reaction in the U.S. is the lack of memory of the last U.S. fight in the 1990s.

The latest encryption brawl is a bit mysterious since, if the police know something about the Paris attackers using encrypted messages, they have not shared the knowledge. Instead, Cameron rolled out a promise to restrict encryption he made in his re-election campaign last year. Obama seems to base his position on friendship with Cameron and support for restrictions made last year by FBI Director James Comey.

The British technique would prohibit encryption of communications, likely to cover fast-growing chat programs including Google Message, WhatsApp, Apple iMessage and FaceTime. These apps are designed so that, unlike most email, messages are encrypted end-to-end by participants and cannot be read even with a warrant. The change would require providers to install a mechanism for decrypting the messages as they pass through their equipment. (Good detail on the proposal is written by BoingBoing’s Cory Doctorow.)

Confused cooperation. The U.S. position as of the moment is confusing. The White House issued a “Fact Sheet: U.S.-United Kingdom Cybersecurity” but was only clear in endorsing a broad framework, neither including nor denying the anti-encryption moves proposed by the U.K. (adding to the problem, the links to the U.S. and U.K. documents in the fact sheet don’t link to anything). So we are working with the U.K., but it’s unclear on what. The FBI supports cutting in on encryption, assuming it sticks with the statement of Director Comey: “Encryption is nothing new. But the challenge to law enforcement and national security officials is markedly worse, with recent default encryption settings and encrypted devices and networks—all designed to increase security and privacy.”

In any event, both Obama and Cameron should look back on the 1990s encryption fiasco. Back then, commercial internet communications were just beginning to take off. There was growing pressure for law enforcement to prevent criminals and terrorists–yes, even then–from transmitting secret information in encrypted messages. Then-Senator Joe Biden was the sponsor of the Comprehensive Anti-Terrorism Act of 1991, which would have limited the use of encryption. (Thanks to Declan McCullagh for pointing this out.)

The National Security Agency came up with a scheme called Skipjack, better remembered by its implementation on a chip called Clipper. The program would have made available two encryption codes — the regular code for users and an encrypted “escrow” code available to law enforcement. The Clinton administration fiercely supported the plan, with the effort led by Vice President Al Gore (although the effort got started under President George H.W. Bush, it really got rolling under Bill Clinton). The proposal set off a spirited argument between the technology industry and privacy and secrecy advocates on one side and the Clinton Administration, the NSA, and the FBI on the other.

The death of Clipper. Skipjack/Clipper was finally done in by the fact that it just plain didn’t work. The flaw was the Law Enforcement Access Field, part of the key that gave officials access to the encryption data. Matt Blaze, a security scientist at AT&T Research (now at the University of Pennsylvania), published a paper, “Protocol Failure in the Escrowed Encryption Standard”, but the technology it explained became generally known as the “LEAF Blower.” Nothing in a situation like this is more quickly lethal than ridicule; LEAF Blower killed Skipjack/Clipper.

Details of how the government would be able to access classified messages have yet to come out, but the history of Skipjack/Clipper reveals how difficult it is to get it right. Skipjack developers at NSA had worked for years but never realized the flaw. Furthermore, many of the cryptographic plans toughened by Apple, Google, and other message providers were installed after the collection of information was revealed in the data Edward Snowden released from the NSA. Getting their cooperation this time will be very difficult.

This is almost certainly a factor in the U.S. resistance to go as far as the U.K. wants. But Obama is under considerable pressure from Cameron. The Guardian reports the prime minister is working hard to convince Obama to go along. According to the paper, a British government source said: “The prime minister’s objective here is to get the U.S. companies to cooperate with us more, to make sure that our intelligence agencies get the information they need to keep us safe. That will be his approach in the discussion with President Obama – how can we work together to get them to cooperate more, what is the best approach to encourage them to do more.”

This fight is a long way from being over. So far, the opposition is left mainly to the companies trying to protect their information, but it’s a good time for the rest of the industry to get involved.