June 2, 2015
DUAL_EC_DRBG is the name of a program that played an important role in the National Security Agency’s infiltration of communication protocols, which was revealed by whistleblower Edward Snowden. The program, at the time, drew the suspicion of many cryptographers who wondered why it was being used instead of the NIST’s more advanced standards. The answer arrived in December 2013: DUAL_EC_DRBG was a backdoor.
A backdoor is a vulnerability deliberately inserted into a piece of software to allow specific parties to decrypt it whenever they want to. When the NSA wasn’t forcibly getting companies to hand over private data, it was exploiting pre-inserted backdoors to enter and snoop around. Following 9/11, the Patriot Act made such acts lawful, validating the use of programs like DUAL_EC_DRBG that put user security and privacy at stake to defend the more arbitrarily defined questions of national security.
However, the use of such weakened encryption standards is a Trojan horse that lets in the weaknesses of those standards as well. When engineers attempt to use those standards for something as well-defined as the public interest, such weaknesses can undermine that definition. For example, one argument after Snowden’s revelations was to encrypt communications such that only the government could access them. This was quickly dismissed because it’s open knowledge among engineers that there are no safeguards that can be placed around such ‘special’ access that would deter anyone skilled enough to hack through it.
It’s against this ‘power draws power’ scenario that a new report from the UN Office of the High Commissioner for Human Rights (OHCHR) makes a strong case – one which the influential Electronic Frontier Foundation has called “groundbreaking”. It says, “requiring encryption back-door access, even if for legitimate purposes, threatens the privacy necessary to the unencumbered exercise of the right to freedom of expression.” Some may think this verges on needless doubt, but the report’s centre of mass rests on backdoors’ abilities to compromise individual identities in legal and technological environments that can’t fully protect those identities.
On June 1, those provisions of the Patriot Act that justified the interception of telephone calls expired and the US Senate was unable to keep them going. As Anuj Srivas argues, it is at best “mild reform” that has only plucked at the low-hanging fruit – reform that rested on individuals’ privacy being violated by unconstitutional means. The provisions will be succeeded by the USA Freedom Act, which sports some watered-down notions of accountability when organisations like the NSA trawl data.
According to the OHCHR report, however, what we really need are proactive measures. If decryption is at the heart of privacy violations, then strong encryption needs to be at the heart of privacy protection – i.e. encryption must be a human right. Axiomatically, as the report’s author, Special Rapporteur David Kaye writes, individuals rely on encryption and anonymity to “safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also society that does not tolerate unconventional opinions or expression.” On the same note, countries like the US that intentionally compromise products’ security, and the UK and India which constantly ask for companies to hand over the keys to their data to surveil their citizens, are now human rights violators.
By securing the importance of strong encryption and associating it with securing one’s identity, the hope is to insulate it from fallacies in the regulation of decryption – such as in the forms of the Patriot Act and the Freedom Act. Kaye argues, “Privacy interferences that limit the exercise of the freedoms of opinion and expression … must not in any event interfere with the right to hold opinions, and those that limit the freedom of expression must be provided by law and be necessary and proportionate to achieve one of a handful of legitimate objectives.”
This anastomosis in the debate can be better viewed as a wedge that was created around 1995. The FBI Director at the time, Louis Freeh, had said that the bureau was “in favor of strong encryption, robust encryption. The country needs it, industry needs it. We just want to make sure we have a trap door and key under some judge’s authority where we can get there if somebody is planning a crime.”
Then, in October 2014, then-FBI Director James Comey made a similar statement: “It makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact.” In the intervening decades, however, awareness of the vulnerabilities of partial encryption has increased while the law has done little to provide recourse for the gaps in online protection. So, Comey’s arguments are more subversive than Freeh’s.
Kaye’s thesis is from a human rights perspective, but its conclusions apply to everyone – to journalists, lawyers, artists, scholars, anyone engaged in the exploration of controversial information and with a stake in securing their freedom of expression. In fact, a corollary of his thesis is that strong encryption will ensure unfettered access to the Internet. His report also urges Congress to pass the Secure Data Act, which would prevent the US government from forcibly inserting backdoors in software to suit its needs.
Given the current digital ecosystem, fighting for privacy is a lost cause. When the users themselves aren’t aware of the way their privacy is being violated, exhortations to protect it are futile. Furthermore, when informed of such nefarious activities taking place, people tend to ignore it for the sake of convenience (I am guilty of this myself). I think unless someone takes a radical step and changes things without giving a damn about the opinions of the masses, this trend will continue, probably to the detriment of society as a whole.
However, I laud your efforts at educating the world, in whatever way you can. Fight on 🙂
“When the users themselves aren’t aware of the way their privacy is being violated, exhortations to protect it are futile.” – This is where we differ, I think.