CHALLENGE B: Constitutional Lawful Access?!
- (B.1) Can new international non-governmental certification processes for end-2-end IT service providers with sufficiently extreme transparency, accountability and oversight safeguards – possibly relying on multi-jurisdiction offline citizen-jury or citizen-witness oversight processes – ensure unprecedented and constitutionally-meaningful levels of e-privacy and e-security, effective onsite lawful access, and prevent malevolent use?
- (B.2) Can similarly extreme third-party safeguards – enforceably adopted by states for their use of remote endpoint lawful access schemes (i.e. lawful hacking) – reduce both the risks of grave comprimisation of the investigative processes and of highly-scalable abuse of innocent citizens to acceptable levels? (detailed backgrounder of Challenge B)
(1) NO. Impossible or nearly impossible. It is safer not to discuss or substantially research or discuss option. Here is in detail why.
(2) YES. Significantly or substantially probable. Very extensive joint discussions and research discussion, and very concrete proposals are direly needed. Here are the binding high-level requirements of such standard setting and certification processe?
Today, state-mandated backdoors – hidden or public like the telephone interception systems – or state-sanctioned backdoors – such as undisclosed critical vulnerabilities created, acquired, discovered or used, legally or illegally – are in nearly all IT devices.
Over the last decades, in addition to sanctioning backdoors everywhere, individual states have repeatedly proven to be utterly incapable of either socio-technically designing, or legally managing, or setting proper technical and organizational requirements for state lawful access compliance. Nonetheless, the dire need to reconcile privacy and cyber-investigation remains as crucial as ever.
US and most western states have in place plenty of legislations, and legally authorized intelligence programs, that enable them to access a suspect communications following a legal due process authorization, including: mandatory key disclosure, lawful hacking laws, national security letters, and other laws.
Powerful states invest tens of millions of dollars every year in pressure of all kinds order to ensure that IT systems of meaningfully high-trustworthiness levels are not available to the civilian market and, indirectly, to nearly all of the internal intelligence, military and lawful access systems markets. Such pressures are in the form of creation and discovery of symmetrical backdoor, onsite subversion of various kinds, economic (CIA venture capital, procurement pressures, etc), patenting (NSA secret patents), legal (crypto export) pressure crypto export pressures, and strong pressures to establish high-trustworthiness IT standards, that are incomplete (Common Criteria, FIPS, etc.) and compromised (Dual_EC_DRBG). That is in addition to similar activities by other powerful states, and tens of millions of euros of investments by zero market companies.
Nonetheless, a few of the most knowledgeable and well-funded criminals, state and non-state, regularly do use and could use custom-made end-2-end IT infrastructures that manage to avoid the use of components where critical vulnerabilities are known by powerful states. On the other hand, commercial vendors like Apple – having uniquely full control of their life-cycle, and not being mandated to store a master key – are in theory positioned to render their future systems inaccessible to lawful access. However that is very unlikely because of: the huge relative complexity of their systems and life-cycle, which makes it inherently creation of weakness via subversion, legal or illegal by powerful state actors, as well as to independent discovery of vulnerability; and high-level of plausible deniability in a scenario in which Apple may be purposely leaving highly-safeguarded and asymmetrical backdoors for a few states. The same arguments are valid for current high-assurance IT systems, which in all known case add the lack of control of a number of critical life-cycle phases.
The “NO” Case
While proper use of crypto apps, Tor, Apple devices or “cryptophones” may well protect low-value targets from bulk surveillance by powerful states – the lack of public verifiability and/or grave insufficient verification relative to complexity of many critical parts and processes (in lifecycle and operations, including CPU, fabrication, firmware update, cageroom access), makes so that remotely exploitable critical vulnerabilities are everywhere, very easy to get, share and plausibly deny. NSA Turbine, NSA FoxAcid and similar private tools increasingly enable continuous undetectable continuous compromisation of tens or hundreds of thousands of mid-to-highest value target. The result is that state-mandated or state-sanctioned critical vulnerabilities backdoors are today nearly everywhere, largely unaccounted and unregulated.
World citizens are continuously asked by states and by digital rights activists: “Would you rather be free or safe?”. We suspect digital privacy and public safety are not an ‘either or’ question, but instead a ‘both or neither’ challenge. Albeit acknowledging that solving one or both of the challenges may not be possible, we believe extensive resources intellectual and monetary should be devoted to such attempt. Refusing to make counterproposals that acknowledge the crucial need for constitutional lawful access and attempt to take it into account – as most digital rights activist organizations have done to date – is backfiring for digital civil rights by ensuring that governments go ahead maintaining the status quo or implement”sub-optimal” standards and laws.
– What are the effects on public safety and wellbeing of the current unavailability of IT devices that are reliably resistant to undetected remote compromisation by mid- or high-threat actors, legal or illegal?
– What are the foreseeable effects on public safety and wellbeing of the wide availability of such IT devices, therefore resistant even to remote access by public security agencies with legal due process?
– Could new lawful access schemes for high-assurance IT services and systems rely, not on states, but on provider-managed voluntary “key recovery” schemes certified by “trustworthy 3rd parties”, such as radically citizen-accountable, independent and competent international bodies?
– Could the inevitable added risk be essentially shifted from technical systems to on-site organizational processes?
EU Cybersecurity Strategy (2013) calls for “The same laws and norms that apply in other areas of our day-to-day lives apply also in the cyber domain.”. “Fundamental rights, democracy and the rule of law need to be protected in cyberspace. But freedom online requires safety and security too”
The Brazilian state IT agency SERPRO has internal regulations that intrinsically requires 4 state officials of 4 different public agencies need to be physically present at a specific hosting room and consent in order to allow access to the emails of a state employee based on a court order. More recently, they are increasing the assurance of their solution for both citizens and law enforcement on the server side with additional safeguards, through Kryptus solutions. Such an approach, however, still does not deal adequately with the assurance of several other potential vulnerabilities in the life-cycle, such as: client devices HW-SW, other critical SW and HW stack on the server side, the systems use by law enforcement to manipulate and store the acquired info, hardware fabrication of critical HW components.
In addition to much higher and more comprehensive assurance requirements – given the law trust in government – citizen-witnesses or citizen-juries may want to be added to the officials from different state agencies, in order to add an additional layer of guarantee!
Almost all citizens and many activists recognize the benefits of enabling due process lawful access for criminal investigation, but the grave incompetence and abuse by states have brought most experts to believe that such access cannot be ensured without unacceptable risks for citizens’ liberty.
The IT security industry is creating solutions that either are based on or add to systems which are non verifiable in critical parts, and whose complexity is way beyond what can ever be sufficiently audited. Meanwhile, IT privacy activists push similarly inadequate existing Free and Open source privacy tools to the masses, while just increasing usability, or at best seeking inadequate small grants for very inadequate complexity reduction, and increases in isolation and auditing.
In recent statements, NSA, Europol, UK Cameron, Obama, US Dept of Justice, and FBI have proposed to solve the “going dark” problem by mandating a some kind of backdoor into all IT systems. The FBI has more specifically proposed a “legislation that will assure that when we get the appropriate court order . . . companies . . . served . . . have the capability and the capacity to respond”, while the NSA has been generically referring to organization or technical safeguards ensuring backdoor access authorization approval by multiple state agencies5, and Obama referring to a possible safeguard role of non-state entities6.
From Snowden and Hacking Team revelations, it has become clear that – in addition to covertly introducing, purchasing and sanctioning symmetric backdoors everywhere – most western nations have consistently proven incapable or unwilling to design, standardize, legally oversee or certifying lawful access, by LEA or intelligence agencies, both for traditional phone wiretaps and for IT systems. Current schemes and systems have very poor or no citizen or legislative-branch accountability, because of lack of legal mechanisms as well as adequately accountable socio-technical systems.
Such precedents and a number of technical facts make so that such solution would most likely turn out to be ineffective towards the most serious criminals and causing great risks for civil liberties abuse7. Among the infeasibilities is the fact that – short of mandating a complete and impossibly draconian control over any connected IT devices through unbreakable remote attestation – how can any master-key for lawful access in IT products prevent a suspect to encrypt its messages a second time, possibly through steganography, rendering the master-key useless in reading the plain text or audio, and even hard to prove the suspect has sent an unlawfully encrypted message?
A new report has been commissioned by the EU Parliament which seems to advice that “lawful cracking” lawful access systems “when they are used in Europe with the appropriate oversight and safeguards could have legitimate purposes”. Although, currently such systems appear to unconstitutional in Italy and Germany (except for intelligence purposes) for example, though they are legal in the US.
In an open letter published last July 6th 2015, Keys under Doormats – 14 among the most renowned US computer security experts have made a detailed case against the introduction of new national legislations in the US and elsewhere, and possibly part of international agreements. They also list questions that any such proposal should answer in order for the public and experts to assess the foreseeable risks of grave civil liberties abuses. The document follows is intended as an upgrade to recent development of a very extensive and influential similar proposal from the 1990’s, The Risks of Key Recovery, Key Escrow, and Trusted Third–Party Encryption.
Even some IT security experts that have been for decades the most staunch opposers to lawful access solution for IP communications, acknowledge that some “going dark” problem exists or could potentially exist and – regardless of quite varying opinions about its gravity – a solution will need to be found as political pressures will keep mounting8.
Three of the most prominent among the 14 experts mentioned above, and Sandy Clark, have proposed
- Creation of new vulnerabilities is not allowed, but only discovery and creation of exploit for existing vulnerabilities.
- Mandatory reporting of vulnerabilities to IT vendors on discovery or acquisition, with some exceptions. It counts on the fact that new will be found and that it takes time for vulnerabilities to be patched;
- Limitation of lawful access software to only authorized access actions (whether intercept, search, or else).
They propose to formalize and regulate the use of “lawful cracking” techniques as a way to enable the state to pursue cyber-investigation:
“We propose an alternative to the FBI’s proposal: Instead of building wiretapping capabilities into communications infrastructure and applications, government wiretappers can behave like the bad guys. That is, they can exploit the rich supply of security vulnerabilities already existing in virtually every operating system and application to obtain access to communications of the targets of wiretap orders.
We are not advocating the creation of new security holes, but rather observing that exploiting those that already exist represents a viable—and significantly better—alternative to the FBI’s proposals for mandating infrastructure insecurity. Put simply, the choice is between formalizing (and thereby constraining) the ability of law enforcement to occasionally use existing security vulnerabilities—something the FBI and other law enforcement agencies already do when necessary without much public or legal scrutiny or living with those vulnerabilities and intentionally and systematically creating a set of predictable new vulnerabilities that despite best efforts will be exploitable by everyone.”