Magical Thinking in Cyberspace

Rule Number Two Revisited

Terry Gray <teg@acm.org>, www.TerryGray.org, Rev 2, June 2016

The San Bernardino iPhone case, wherein Apple refused to help the FBI defeat the phone’s security mechanisms, has triggered a huge amount of passionate debate.  As long as the debate is informed by facts rather than fallacies, that’s a healthy thing in our democracy.  But some of what I have heard from government officials and legislators strikes me as pretty far over the fallacy line, well into magical thinking territory.  Very dangerous magical thinking.

While there are others far better able to make this case, I can’t help but add my two cents.  The focus here is the future of secure communication and data storage via strong cryptography, which is under attack.  There are other important and related privacy and security issues, e.g. mass surveillance, due process, and attribution or anonymity, but those won’t be discussed here.

RULE TWO

While pondering the latest crypto wars, which have a very familiar ring to anyone who remembers the Clipper Chip debacle, I was reminded of a very poignant scene in a 1973 MASH episode, entitled “Sometimes You Hear the Bullet.”  In it, Cmdr Henry Blake says to Hawkeye:

Look, all I know is what they taught me at command school: There are certain rules about a war, and rule number one is young men die, and rule number two is, doctors can't change rule number one.

It seems to me there are some parallel rules for cyberwars, and technology policy in general.

Rule number one is that technology is a two-edged sword, capable of good or evil.  It always has been and always will be.  Whether through incompetence, accident, greed, or malice, any technology is susceptible to misuse.  Rule number two is that neither technologists nor politicians can change rule number one.

Corollary: A technology that can only be used by the Good Guys does not exist, and passing a law mandating one will not change that fact.  To imagine that it is possible to mandate backdoors in crypto systems that can only be used by the Good Guys is fantasy, even as technologists search for ways to provide selective access while reducing the risk of collateral damage[1].

FACTS & FALLACIES

Fallacy:  Mandating a crypto backdoor will ensure that Good Guys can access criminals’ data.

Fact:  It will not.  Cryptography has the unusual property that it can be used to create secure communication channels on top of insecure ones.  Thus, even if basic communication or storage services on a mobile phone were protected by “approved” crypto with backdoors for law enforcement, there is nothing to stop an adversary from installing an app that uses strong crypto, which would make stored data or communications opaque to the Good Guys using the backdoor.  The secure communication application Telegram Messenger is one example.  Adversaries, including ISIS, are already reported to be promoting alternatives to US crypto software due to fears of government-mandated backdoors.

Fallacy: Strong crypto can be controlled and its distribution limited.

Fact:  It cannot.  The essence of cryptography is math, not some exotic material that is hard to obtain or handle.  As such, its distribution cannot be effectively controlled.  The basic algorithms for cryptography can be --and have been-- printed on T-shirts.  Moreover, banning US manufacturers from selling products with strong crypto will simply drive the market to overseas manufacturers, who will not be similarly constrained.  Attempts to ban the import of such products will backfire, leaving foreigners unhampered and only US citizens disadvantaged.  As a colleague put it: “the genie is out of the bottle.”

Fallacy:  Those not engaged in criminal activity have nothing to fear from crypto backdoors.

Fact: Strong crypto is essential for individual privacy, infrastructure security, and modern commerce.  Crypto backdoors bring very serious risks to national security, legitimate businesses, and individuals, not to mention risks to whistleblowers and activists opposing oppressive regimes.  

For example, researchers who analyzed a number of current security vulnerabilities attribute them to earlier government efforts to weaken encryption.  They conclude:

Today, some policy makers are calling for new restrictions on the design of cryptography in order to prevent law enforcement from “going dark.” While we believe that advocates of such backdoors are acting out of a good faith desire to protect their countries, history’s technical lesson is clear: weakening cryptography carries enormous risk to all of our security.

Fallacy:  Without crypto backdoors, the Good Guys are completely blind to criminal activity.

Fact: Lack of access to encrypted files or communications undoubtedly hampers law enforcement, but the bleak picture of “going dark” portrayed by some is totally overblown.  A Berkman Center report says:

“We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow. Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will ‘go dark’ and beyond reach,”  

Fallacy: Metadata is “just numbers” --with no great intelligence value-- therefore, law enforcement needs to have complete access to mobile devices and communications.

Fact: Notwithstanding claims by government officials, including the President, that metadata collection is innocuous, it is actually a treasure trove of intelligence data.  For examples, see The secret things you give away through your phone metadata. 

Fallacy: Forcing companies to provide crypto backdoors for the US government would not have adverse ripple effects throughout the rest of the world.  

Fact: It should be obvious that if the US government insists on crypto backdoors in mainstream products, then many other governments will do the same, including (or especially) those with poor human rights records that are interested in suppressing dissent.

RULE ZERO

If Senators Feinstein and Burr succeed in persuading their colleagues that the growing security needs of the USA require that strong crypto must be banned, the inescapable conclusion will be that our legislators are indeed woefully ignorant of how these systems actually work.  Worse, it will confirm what we might call Rule Zero, namely: fear nearly always trumps reason and rights.  And the corollary to Rule Zero is that tactical benefits often outweigh strategic costs, i.e. the long-term collateral damage.

Rule Zero and its corollary explain our government’s fear- and anger-based overreaction to 9/11, e.g. Iraq, the Patriot Act, use of torture (even when FBI experts said it was not necessary and did more harm than good).  And the cost?  Simply the loss of our country’s moral high ground, and with it, the historic influence for good the United States has (often) had around the world.

Rule Zero also explains earlier efforts to control access to crypto technology that led to long-term weaknesses in critical systems and continue to cause problems today.  Backdoors weaken trust in government, but Rule Zero explains why they are still given a pass when it comes to law enforcement and national security, even when mistrust of government is extreme.  (Compare the 1975 Church Committee with the muted post-9/11 response to Edward Snowden’s revelations!)

CONCLUSIONS

  1. Mandating crypto backdoors for law enforcement will not achieve the stated policy goals, because adversaries can easily layer strong crypto on top of “approved” crypto.
  2. The adverse impact of strong crypto on law enforcement has been vastly overstated.
  3. The adverse impact of crypto backdoors on everyone else has been vastly understated.
  4. Mandating weak crypto or backdoors will have serious negative consequences for citizens and society.  Solutions without these downsides do not exist today, and may never.

Accordingly, well-intentioned efforts to increase security by banning strong crypto are ill-advised.

Finally, these two excerpts from the 1996 report Cryptography's Role in Securing the Information Society by the NRC Committee to Study National Cryptography Policy are worth considering:

If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. Framing discussion about national cryptography policy in this larger law enforcement and national security context would help to reduce some of the polarization among the relevant stakeholders.

Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States. Specifically, a legislative ban on the use of unescrowed[2] encryption would raise both technical and legal or constitutional issues. Technically, many methods are available to circumvent such a ban; legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve.

REFERENCES

  1. FBI–Apple encryption dispute
  2. The Top 5 Claims That Defenders of the NSA Have to Stop Making to Remain Credible
  3. The secret things you give away through your phone metadata
  4. Transcript: Obama’s Remarks on NSA Controversy
  5. What You Should Know About Congress's Latest Attempt to Criminalize Encryption
  6. Indefinite prison for suspect who won’t decrypt hard drives, feds say
  7. Export of cryptography from the United States
  8. ISIS Supporters Abandon U.S. Encryption Tools As Apple-FBI Fight Rages
  9. FREAK, Logjam, DROWN All a Result of Weaknesses Demanded By US Gov't
  10. Feinstein-Burr: The Bill That Bans Your Browser
  11. Top Security Experts Say Anti-Encryption Bill Authors Are 'Woefully Ignorant'
  12. Leaked Senate encryption bill called 'ludicrous, dangerous' by security experts
  13. Senate Bill Draft Would Prohibit Unbreakable Encryption
  14. Words of warning — not celebration — in Silicon Valley after FBI ends Apple fight
  15. 'Chilling Effect' of Mass Surveillance Is Silencing Dissent Online, Study Says
  16. Microsoft’s Brad Smith stands with Apple while passionately defending encryption
  17. Paris Attacks Would Not Have Happened Without Crypto
  18. Paris Terrorists Used Burner Phones, Not Encryption, To Evade Detection
  19. N. Carolina Senator Drafting Bill To Criminalize Apple's Refusal To Aid Decryption
  20. Congressman: Court Order To Decrypt iPhone Has Far-Reaching Implications
  21. Harvard: No, Crypto Isn't Making the FBI Go Dark
  22. The Father of Online Anonymity Has a Plan to End the Crypto War
  23. Why Apple's CEO thinks we can have both encryption and national security
  24. Fact-Checking the Debate on Encryption
  25. Why Governments Lie About Encryption Backdoors
  26. Snoopers' Charter: Met Police says IP Bill needed to 'help find you innocent'
  27. Russia Lawmakers Pass Spying Law That Requires Encryption Backdoors
  28. Cryptography's Role in Securing the Information Society (1996)


[1] One of the more interesting proposals I’ve seen is the PrivaTegrity system from David Chaum, wherein “nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications.”  But would a government accept such a paradigm?  And could those server administrators withstand the inevitable corrupting pressures that would target them?

[2] Key escrow is one method of providing a crypto “backdoor” and was a hot topic when this report was done.