Cripple encryption and you weaken global and national security – Irish Times

There are long-standing, sound reasons why encryption backdoors have failed to get the green light any time they have been proposed in the US or EU

In the midst of the hullabaloo last week over Brexit and article 50 trigger-pulling, not many noticed that EU Commissioner for Justice Vera Jourová proposed the EU-wide introduction of encryption backdoors for popular social apps such as WhatsApp.

Just in case you missed it (and most people likely did, as Jourová's speech to this effect was made on March 28th, the day before the UK's article 50 letter was delivered to EU officials), she said she will announce three or four options in June to allow law enforcement agencies to access encrypted communications.

These will include proposals for binding legislation, as well as voluntary, yet, she suggested, nonetheless mandatory or enforceable compliance from technology companies.

Jourová noted: "At the moment, prosecutors, judges, also police and law enforcement authorities are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action."

She said she intended to introduce clear, simple rules into the European legislation to let law enforcement demand access from technology companies to communications and to do this with swift, reliable response.

However, she said in her speech to the EU Justice and Home Affairs Council that nonlegislative solutions would be needed initially, because legislative solutions, such as a requirement for backdoors, could take years to bring in.

She wouldn't go into details on how that would all work, but we can all look forward now to June, when the proposals arrive in this fresh reconsideration of business, economic, security and, of course, human rights lunacy.

Perhaps we will need some EU shenanigans to exasperate us in June, now that Jourová also has just announced that the joint US-EU review of transatlantic data transfer agreement Privacy Shield won't occur in June, as had been presumed, but has been pushed into September.

Well, proposing encryption backdoors yet again will certainly exasperate.

Backdoors are a secret method of bypassing the normal authentication needed to access the contents of an encrypted file or message. They are built into the application, so that every instance of the application ends up with this secret tunnel. In short, backdoors are deliberate security flaws to cripple a security product.

For example, when you download and install WhatsApp, your messages are automatically encrypted when sent, and can only be decrypted by the user you send them to. But a backdoor would enable law enforcement authorities to also see the message.

Which might seem a good idea given security concerns about terrorism and criminal activity, and Jourová, of course, referenced recent attacks in Europe. And that's why a consideration of backdoors is again on the EU table.

Officials in the UK, France and Germany have been pressing for months for European law enforcement to have a method of accessing encrypted communications. As recently as March 26th, UK home secretary Amber Rudd said the companies that produce encrypted apps should be forced to give police access to contents of messages when asked.

But the problem with encryption is that once you build in a deliberate vulnerability, the application is no longer secure. Even if the key to the backdoor is designed to only be in the possession of security agencies and law enforcement, every shred of evidence in the digital world to date indicates it won't remain a secret and will eventually be located and exploited. Vulnerabilities tend to get found out, one way or another.

And it won't be the good guys that do the exploiting. No, it will of course be the same dark side actors that encryption exists to protect against.

Maybe you are thinking that you don't care if security agencies can read your WhatsApp discussions with your friends if it helps prevent a suicide bomber. But it isn't just about you.

Encryption is ubiquitous, needed for the basic functioning of banks, governments, businesses large and small, utilities, the military, citizen transactions and interactions, just about everything you can think of. Weaken it, and you weaken national and international security, national grids, global transactions, the world's economies.

Meanwhile, the bad guys will of course just switch to or themselves create something other than WhatsApp (or Signal, or iMessage, or any other service forced to install a backdoor).

There are thus long-standing, sound reasons why encryption backdoors have failed to get the green light any time they have been proposed in the US or EU. They can be summed up simply: if you cripple encryption, then you cripple security overall.

That's not to say legislators are impervious to eventually doing something truly catastrophic. But I wouldn't wager that Europe will bring in backdoors any time soon.

The evidence is far too strong that backdoors would be extraordinarily risky, for little payback. In addition, there's a steep, perhaps impossible challenge of figuring out even some kind of voluntary scheme, given the way encryption services work (secret is secret).

So, the June proposals will be interesting to see. Expect to be exasperated.

6 workarounds for accessing encrypted devices – GCN.com

The story of Syed Farook's iPhone is a perfect illustration of both the power of encryption on personal devices and the government's frustration with such security when it hinders an investigation.

In the wake of the 2015 San Bernardino, Calif., shootings, investigators wanted access to Farook's iPhone. The phone was encrypted, the FBI asked Apple to write software to give it access and Apple refused to comply. What ensued was a long battle that played out in courts and in public. In the end the government allegedly paid $1 million to a third party to have the phone unlocked.

Access to encrypted information need not always be as difficult or expensive for investigators, however. Two cybersecurity experts have published an essay that discusses the practical, technological and legal implications of six encryption workarounds.

"Encryption raises a challenge for criminal investigators," wrote Orin S. Kerr, director of the Cybersecurity Law Initiative at George Washington University Law School, and Bruce Schneier, fellow at Harvard University's Berkman Klein Center for Internet & Society and CTO at Resilient. When law enforcement attempts to access encrypted data, only ciphertext or scrambled information can be seen, which is useless unless it can be decrypted. "For government investigators," Kerr & Schneier wrote, "encryption adds an extra step: They must figure out a way to access the plaintext form of a suspect's encrypted data."

The following workarounds have been used by investigators for as long as messages have been encrypted, back to the time of Elizabeth I, when decoded private letters revealed an assassination plot. Today, because encryption is so widespread, investigators come across it in routine cases, making ways to bypass encryption especially timely and relevant.

1. Find the key. The most obvious of the six ways to get around encryption is finding the passwords, passcodes or passphrases required to get into a device. The key might be written down somewhere or stored on an accessible device.

2. Guess the key. Although encryption keys themselves are long and random, the passwords that protect them are usually easier to guess. Investigators have used a suspect's date of birth as a password to access personal devices. Password-cracking software can try millions of passwords per second, but investigators can be limited by a device's features that only allow a certain number of password tries before locking out the would-be user.

3. Compel the key. Merely asking, "What's your password?" could get investigators the exact information they need, and authorities could legally compel device owners or others who know its password to provide it, the authors said. Both the Fourth and Fifth Amendments provide the device owners with some protection, but considerable ambiguity remains about how much of a burden [these Amendments] impose on investigators.

4. Exploit a flaw in the encryption scheme. This workaround requires finding a flaw in the encryption and using that weakness to gain access to the device. This technique, commonly used by hackers, is analogous to breaking into a locked car by breaking a window instead of picking the lock, the researchers said. The FBI likely gained access to the San Bernardino shooter's phone this way, the authors said. The company helping the FBI may have found a flaw in an auto-erase function used on the phone to make it harder to guess passwords. This approach relied on two workarounds in tandem: First, exploit the flaw; second, guess the key, they said.

5. Access plaintext when the device is in use. This workaround requires accessing a device while it is in use and its data has been decrypted, such as when a suspect using a device is arrested before the phone or computer can be shut down. Gaining remote access is much more complicated than physically seizing the machine, the two said. First, hacking will require the government to have figured out a technical means to gain remote access to the device. Second, government hacking can raise complex legal questions under the Fourth Amendment and other laws. Dozens of federal courts are currently considering the legality.

6. Locate a plaintext copy. Can't get into the device? Find the information somewhere else. The information that investigators are looking for likely exists in an unencrypted version somewhere, Kerr and Schneier suggested; cloud copies are increasingly common. In the San Bernardino case, investigators were able to get iCloud backups of the shooter's phone. The information was six weeks out of date -- which is why the FBI paid for the workaround -- but it still provided insight.

About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at mleonard@gcn.com or follow him on Twitter @Matt_Lnrd.

Examples of free and open-source software – AdCiv

Some major free and open source software projects

This page lists good quality free and open-source software that anyone can download at no cost and use or modify freely. Plenty more quality open-source software exists; this is just an introductory sample. Most of these programs are cross-platform, meaning they can be installed on MS Windows, Mac OS X and Linux.

The software below is not freeware or shareware, which are both significantly different to open source.

These are some examples of open-source software that anyone can freely download and use, or even modify, without restriction
