Home / Blogs

The Crypto Wars Resume

Steven Bellovin

For decades, the US government has fought against widespread, strong encryption. For about as long, privacy advocates and technologists have fought for widespread, strong encryption, to protect not just privacy but also as a tool to secure our computers and our data. The government has proposed a variety of access mechanisms and mandates to permit them to decrypt (lawfully) obtained content; technologists have asserted that "back doors" are inherently insecure. (James Comey used the phrase "golden key”; the neutral term is "exceptional access".)

I personally have been involved with this issue for more than 25 years, and in a fairly strong sense I have nothing new to say-- as I and others explained four years ago, from a technical perspective exceptional access is a thoroughly bad idea: it will create insecurity. Cryptography is a complex, subtle discipline; it's really, really hard to get even the basics right. Adding new, unusual requirements creates a high likelihood that there will be new vulnerabilities.

Despite all that, U.S. Attorney-General William Barr has now issued a new call for Facebook to add exceptional access features to its WhatsApp encrypted communications platform. The evils he cites — terrorism, organized crime, and child pornography — are indeed evils; I don't think most people would dispute that. But his focus on Facebook is a significant change in direction and, arguably, an escalation of the battle over cryptography.

There is, broadly speaking, a consensus that the exceptional access problem is easier (note: I did not say easy) for devices, and in particular for phones, than for communications. Many reasons are given in the excellent Carnegie Foundation report on the problem; I'll note one more: because secure communications generally require interaction between the parties, there are many more opportunities to get things wrong. By contrast, when law enforcement presents an encrypted phone, all of the cryptography has already taken place. Encrypting objects still isn't easy — witness these new attacks on encrypted PDF files — but the attack surface is smaller.

Why, then, the escalation? Why is Barr going for everything, rather than seeing if there is a feasible solution for encrypted phones? Does he judge that the political moment is right? Is it because Facebook is politically weak right now? Or is it because law enforcement can read devices now?

By Steven Bellovin, Professor of Computer Science at Columbia University
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybercrime

Sponsored byThreat Intelligence Platform

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign