Report On Device Encryption Suggests A Few Ways Forward For Law Enforcement

from the time-to-dial-back-the-apocalyptic-narrative dept

Another paper has been released, adding to the current encryption discussion. The FBI and DOJ want access to the contents of locked devices. They call encryption that can be bypassed by law enforcement "responsible encryption." It isn't. A recent paper by cryptograpghy expert Riana Pfefferkorn explained in detail how irresponsible these suggestions for broken or weakened encryption are.

This new paper [PDF] was put together by the National Academies of Science, Engineering, and Medicine. (h/t Lawfare) It covers a lot of ground others have and rehashes the history of encryption, along with many of the pro/con arguments. That said, it's still worth reading. It raises some good questions and spends a great deal of time discussing the multitude of options law enforcement has available, but which are ignored by FBI officials when discussing the backdoors/key escrow/weakened encryption they'd rather have.

The paper points out law enforcement now has access to much more potential evidence than it's ever had. But that might not always be a good thing.

The widespread use of cloud storage means that law enforcement has another potential source of evidence to turn to when they do not have access to the data on devices, either because the device is unavailable or the data on the device is encrypted. Not all of this digital information will be useful, however. Because storage is cheap or even free, people keep all sorts of non-noteworthy electronic documents forever.

What's unsaid here is law enforcement should be careful what it wishes for. Encryption that allows government on-demand access may drown it in useless data and documents. If time is of the essence in cases where law enforcement is seeking to prevent further criminal activity, having a golden key may not move things along any faster. I'm sure the FBI and others would prefer access all the same, but this does point to a potential negative side effect of cheap storage and endless data generation.

And the more access law enforcement has, the more chances there are for something to go horribly wrong on the provider's end.

How frequently might vendors be asked to unlock phones? It is difficult to predict the volume of requests to vendors, but a figure in the tens of thousands per year seems reasonable, given the number of criminal wiretaps per year in the United States and the number of inaccessible devices reported by just the FBI and Manhattan District Attorney’s Office. As a result, each vendor, depending on its market share, needs to be able to handle thousands to tens of thousands of domestic requests per year.

Such a change in scale, as compared to the software update process, would necessitate a change in process and may require a larger number of people authorized to release an unlock code than are authorized to release a software update, which would increase the insider risk.

The paper also runs down stats provided by the FBI and the Manhattan DA's office. It notes the overall number of unlockable phones has continued to rise but points out these numbers aren't all that meaningful without context.

In November 11, 2016, testimony to this committee, then-Federal Bureau of Investigation (FBI) General Counsel James Baker reported that for fiscal year 2016, the FBI had encountered passcodes on 2,095 of the 6,814 mobile devices examined by its forensic laboratories. They were able to break into 1,210 of the locked phones, leaving 885 that could not be accessed. The information Baker presented did not address the nature of the crimes involves nor whether the crimes were solved using other techniques.

[...]

Although existing data clearly show that encryption is being encountered with increasing frequency, the figures above do not give a clear picture of how frequently an inability to access information seriously hinders investigations and prosecutions.

It goes on to note that we may never see this contextual information. Any attempt to collect this data would be hindered by law enforcement's reluctance to provide it, and there are currently no visible efforts being made by agencies to determine just how often encryption stymies investigations. Whatever would actually be reported would be tainted by subjective assessments of encryption's role in the investigation. However, without more context, the endless parade of locked device figures is nothing more than showmanship in service to the greater goal of undermining encryption.

The paper helpfully lists several options law enforcement can pursue, including approaching cloud services for content stored outside of locked devices. It also points out the uncomfortable fact that law enforcement doesn't appear to be making use of tools it's always had available. One of these options is compelled production of passwords or biometric data to unlock phones. While the Fifth Amendment implications of compelled password production are still under debate, it's pretty clear fingerprints or retinas aren't going to receive as much Constitutional protection.

On top of that, there's the fact that a number of device owners have already voluntarily provided copies of encryption keys, and these can likely be accessed by law enforcement using a standard warrant or an All Writs Act order.

[M]any storage encryption products today offer key escrow-like features to avoid data loss or support business record management requirements. For example, Apple’s full disk encryption for the Mac gives the user the option to, in effect, escrow the encryption key. Microsoft Windows’ BitLocker feature escrows the key by default but allows users to request that the escrowed key be deleted. Some point to the existence of such products as evidence that key recovery for stored data can be implemented in a way that sensibly balances risks and benefits at least in certain contexts and against certain threats. In any case, data that is recoverable by a vendor without the user’s passcode can be recovered by the vendor for law enforcement as well. Key escrow-type systems are especially prevalent and useful where the user, or some other authorized person such as the employer, needs access to stored data.

The report also claims law enforcement "had not kept pace" with the increase of digital evidence. It posits the problem is a lack of funding and training. Training is almost certainly a problem, but very few law enforcement agencies -- especially those at the federal level -- suffer for funding or expertise. This might be due to bad assumptions, where officials believed they would always have full access to device contents (minus occasional end user initiative on encryption). When it became clear they wouldn't, they began to seek solutions to the problems. This put them a few steps behind. Then there are those, like Manhattan DA Cy Vance and FBI Director Chris Wray, who are putting law enforcement even further behind by pushing for legislation rather than focusing their efforts on keeping officers and agents well-supplied and well-trained.

While the report does suggest vendors and law enforcement work together to solve this access "problem," the suggestions place the burden on vendors. One suggested fix is one-way information sharing where vendors make law enforcement aware of unpatched exploits, allowing the government (and anyone else who discovers it) to use these vulnerabilities to gain access to communications and data. It's a horrible suggestion -- one that puts vendors in the liability line of fire and encourages continued weakening of device and software security.

The report also points out the calls for harder nerding have been at least partially answered. The proposed solutions aren't great. In fact, one of them (running lawful access keys and software update keys through the same pipeline) is terrible. But it's not as though no one on the tech side is trying to come up with a solution.

Several individuals with backgrounds in security and systems have begun to explore possible technical mechanisms to provide government exceptional access. Three individuals presented their ideas to the committee.

• Ernie Brickell, former chief security architect, Intel Corporation, described ways that protected partitions, a security feature provided by future microprocessor architectures, could be used to provide law enforcement access to devices in their physical possession, provide remote access by law enforcement, or provide key escrowed cryptography for use by applications and nonescrowed cryptography for a set of “allowed” applications.

• Ray Ozzie, former chief technical officer and former chief software architect, Microsoft Corporation, argued that if a user trusts a vendor to update software, the user should be able to trust the vendor to manage keys that can provide exceptional access. He proposed that this extension of the trust model used for software updates could be used to provide government exceptional access to unlock mobile devices. Ozzie also provided the committee with materials describing how this approach could be extended to real-time communications such as messaging.

• Stefan Savage, professor of computer science and engineering, University of California, San Diego, described how phone unlock keys could be stored in hardware and made available via an internal hardware interface together with a “proof-of-effort” lock that together would require physical possession and a time delay before law enforcement could unlock a device.

The report points out these are only suggestions and have yet to be rigorously examined by security professionals. But their existence belies the narrative pushed by the FBI in its search for a federal statutory mandate. There are experts trying to help. Unfortunately, every solution proposed is going to require a sacrifice in device security.

The problem is complex, if you choose to believe it's a problem. It may be troublesome that law enforcement can't have access to device contents as easily as they could five years ago, but it's not the threat to public safety anti-encryption enthusiasts like Chris Wray and Cy Vance make it out to be. Encryption use has gone up while crime rates have remained steady or decreased. The emphasis on cellphones as the ultimate investigative goldmine is misplaced. Plenty of options remain and law enforcement spent years solving crimes without having one-stop access to communications and personal documents. An ancient discovery known as "fire" has put evidence out of reach for hundreds of years, but no one's asking the smart guys at Big Match to come up with a solution. Things are harder but they're not impossible. What is impossible is what Wray and others are asking for: secure compromised encryption.


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 22 Feb 2018 @ 4:44pm

    So yet another claim of LEO ignorance justifying brech or rights?

    Not enough training might be an excuse in a few cases but it becomes a funding and political football to give cops more authority and violence and enrich them at the same time, it should be illegal to log cell data of any kind for longer than 3 day's, you don't need more than that for network management, anything else is just surveillance, as for encryption how is it different from physical papers.

    cell phone data encourages guilt by association, it's like reading your daughters journal, you learn things but maybe you kill someone you should not have.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Feb 2018 @ 4:57pm

    Um....no.

    "Ray Ozzie, former chief technical officer and former chief software architect, Microsoft Corporation, argued that if a user trusts a vendor to update software, the user should be able to trust the vendor to manage keys that can provide exceptional access."

    This is a false equivalence. Doubly so given Microsoft's history of "updating software" in ways that compromise user security, invade user privacy, disable functionality, and expose the user to attacks.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Feb 2018 @ 1:05am

      Re: Um....no.

      But if you allow software vendor to update your software, he can put the backdoor, keylogger, pretty much anything there and get your keys. From this perspective Ozzie's argument is valid.

      reply to this | link to this | view in chronology ]

      • icon
        JoeCool (profile), 23 Feb 2018 @ 5:57am

        Re: Re: Um....no.

        From HIS perspective - that of a shady crook. From any other perspective it just proves that they CAN'T be trusted for ANYTHING.

        Users don't "trust" MS to update their computers, they reluctantly or unknowingly tolerate it, weighing the consequences of an unpatched Windows vs the malware out there. There's NO trust involved.

        reply to this | link to this | view in chronology ]

        • identicon
          Thad, 23 Feb 2018 @ 8:05am

          Re: Re: Re: Um....no.

          Users don't "trust" MS to update their computers, they reluctantly or unknowingly tolerate it, weighing the consequences of an unpatched Windows vs the malware out there. There's NO trust involved.

          1. If we're using the word "trust" in a technical, computing sense -- and we are -- then yes, if you're running a Microsoft operating system, you're trusting Microsoft.
          2. While the average Techdirt reader may grant that trust reluctantly, that's not true at all of the typical MS user. Most users, rightly or wrongly, consider MS to be trustworthy.
          3. While I've certainly got my issues with trusting MS (I've used GNU/Linux as my primary OS for the past 15 years or so; my HTPC was still running Windows until last year, when I switched it over to Linux too because of Win10's tough-sell advertising; and I've got a hardware firewall set up that, among other things, blocks connections to the servers Windows 10 phones home to, for the couple of remaining computers in my house it's installed on), it still ranks higher on the trustworthiness scale than random, unknown software sources. Trustworthy software is relative.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 23 Feb 2018 @ 9:36am

            Re: Re: Re: Re: Um....no.

            If we're using the word "trust" in a technical, computing sense -- and we are -- then yes, if you're running a Microsoft operating system, you're trusting Microsoft.

            Wikipedia gives the definition: "a trusted system is a system that is relied upon to a specified extent to enforce a specified security policy. This is equivalent to saying that a trusted system is one whose failure would break a security policy".

            Replace "system" with "person" or "company", as needed. If Microsoft can defeat your security, you're trusting Microsoft, whether they're trustworthy or not.

            (If you never update your Microsoft OS, that's not strictly true; you'd be trusting the code they wrote in the past, rather than the company.)

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 25 Feb 2018 @ 6:09pm

              Re: Re: Re: Re: Re: Um....no.

              But that doesn't take into account the obvious legal "solution":

              Just force all of the vendors to support this "exceptional access requirement" or the software is illegal to possess or distribute.

              At that point even if you trust the vendor, for the sake of argument let's say you got the OS from kernel.org, then your trust is still being violated by the government. As the government forced itself between the vendor and you and inserted what many would refer to as a rootkit into the software.

              Now you might say that being able to swoop into your house on blackhawks in the middle of the night, armed to the teeth ready to force compliance out of you, means you "trust" the government as well, but some would say that's tyranny just the same.

              Eventually you have to ask yourself: At what point does correlation without causation mean something to you?

              reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Feb 2018 @ 5:27pm

    Let's break this down one by one...

    > "The widespread use of cloud storage means that law enforcement has another potential source of evidence to turn to when they do not have access to the data on devices"
    Many cloud providers are also unable to decrypt stored data (or claim to be unable to do so).

    > "Because storage is cheap or even free, people keep all sorts of non-noteworthy electronic documents forever."
    E.g. the NSA?

    > "How frequently might vendors be asked to unlock phones?"
    Why are you asking vendors in the first place? Their priority is their customers, not their customer's adversaries. If a vendor can unlock a phone, so can criminals. If you want to unlock it, do it yourself.

    > "Ernie Brickell, former chief security architect..."
    > "Ray Ozzie, former chief technical officer and former chief software architect..."
    Keyword: former

    > "...could be used to provide law enforcement access to devices in their physical possession, provide remote access by law enforcement..."
    Replace law enforcement with Russian government / criminal gang / bored hacker and the statement is still true.

    > "...if a user trusts a vendor to update software, the user should be able to trust the vendor to manage keys that can provide exceptional access"
    There's a big difference with 'keep my software working' and 'let anyone in the world access my data'. Also: Don't mess with the software update process. It's already hard enough keeping people up to date.

    > "...phone unlock keys could be stored in hardware and made available..."
    ...made available to anyone who wants them.

    > "Unfortunately, every solution proposed is going to require a sacrifice in device security."
    By which you mean "a complete sacrifice in device security".

    > "An ancient discovery known as "fire" has put evidence out of reach for hundreds of years, but no one's asking the smart guys at Big Match to come up with a solution."
    I wonder how many people saw this little tidbit? :)

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Feb 2018 @ 9:30am

      Re:

      Many cloud providers are also unable to decrypt stored data (or claim to be unable to do so).

      That doesn't mean anything prevents them from gaining the ability to encrypt it. If they wrote the encryption software Alice is using, they can make the next version leak Alice's key. (This isn't entirely hypothetical—Hushmail somehow delivered decrypted messages to the US government.)

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Feb 2018 @ 5:40pm

    Big Match are in league with big Anarchism trying to stop the war

    https://www.popehat.com/2012/09/19/three-generations-of-a-hackneyed-apologia-for-censorship-are-enou gh/

    This is an example of how Big Match distorts free speech to get what it wants... no.. wait that is how the state distorts free speech

    reply to this | link to this | view in chronology ]

  • icon
    Madd the Sane (profile), 22 Feb 2018 @ 5:54pm

    Police Harder

    What I'm getting from a quick glance is that the police are looking for an easy out of doing their hard job.

    Guess what: There's no shortcuts in life. Do your job properly or there will be bad consequences down the road.

    reply to this | link to this | view in chronology ]

  • icon
    dcfusor (profile), 22 Feb 2018 @ 6:59pm

    but they don't say

    Or according to this, don't even try to know, how often encryption gets in the way of actual investigations. They just insist they want a back door.
    They really do appear to think we are that dumb, and looking at social media, I'd have to agree, most are that dumb.

    reply to this | link to this | view in chronology ]

  • identicon
    Andrew Pam, 22 Feb 2018 @ 6:59pm

    Good one

    "rehashes the history of encryption" - that gave me a good chuckle.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Feb 2018 @ 8:12pm

    Police are trained to lie and dominate all situations

    This is not conducive to finding the real killer only who they can bully into taking blame, your remember school yard bully's ? that is cops and the legal system, it is violence and coercion of every turtle, time to stop refuse all authority they are using us to protect themselves from enemies they created themselves but are our enemies because we support them, ben laden, the Taliban, farkig Isis all of them are enemies of people like trump and Clinton not people that where complicit but stupid in the 80's when they thought they where supporting glorious horseback riding RPG wielding rebels in Afghanistan, Rather than sociopathic world trade center destroying mad men that they where. Used as an excuse to monitor and harm all of america indeed all of the world with unlimited uncompromising monitoring that is for harm to individuals and propaganda for the state(sure advertising is not a problem)
    we have been here far to long stop thinking any party in any country will represent you

    START OVER

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Feb 2018 @ 2:17am

    law enforcement aren't interested in 'getting evidence to be able to convict', they are only interested in getting as much info on everyone because just about every govt, everywhere, democratically elected or not, supposedly interested in protecting 'the people and their rights to freedom, freedom of speech and privacy', are so scared that the people will find out exactly what a bunch of lying, self-serving, money grabbing assholes they are, who want to do everything that suits them but have no one know! at the same time, they want to be able to prevent ordinary people from trying to oust them from power and they cant allow that, now, can they!! the way forward? watch everyone, every second and use any excuse possible to have anyone who disagrees arrested and jailed (or, as the entertainment industries would prefer, put on death row!).

    reply to this | link to this | view in chronology ]

  • icon
    Wryhta (profile), 23 Feb 2018 @ 2:38am

    All these solutions ignore the elephant in the room that if these measures are introduced, there is nothing stopping Russia, China, Iran or any other country also demanding the right to decrypt any phone.

    Americans really need to stop view the world from an American only perspective.

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 23 Feb 2018 @ 5:56am

    I'll say it again

    Encryption is either:
    1. Secure
    2. Insecure

    It's a binary choice. Not a sliding scale. Like being pregnant. You are or you are not. There is no try.

    If encryption is secure, then hackers cannot break it -- but neither can government.

    If encryption is insecure, then government can break it -- but so can hackers.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Feb 2018 @ 1:48pm

      Dangerous lack of nuance.

      Your conflating/confusing device security with encryption security. -Though the second relies on the first, these ARE two different things. Cryptographers CANNOT secure hardware and networks (ring -3) they have no access to- due to this, encryption can be considered flawless, but still be vulnerable due to poor device security...

      To put it more simply: It's not the fault of your window bars (encryption) when someone smashes in a weak front door (device)- the window bars have nothing to do with the strength of the front door, they are mutually responsible for security.

      Failing to note this distinction is confusing the underling issues, and grossly misinforming people who make false assumptions based on true but poorly contextualized statements like the one you've just made.

      Real world security is not binary- that's absurd- it's a metric shit-ton harder to break into an expert setup security focused computer, then an old unpatched winXP box, but neither one is immune, or 'secure' in an absolute binary sense.

      Newsflash: The device your using to read this is vulnerable to multiple 0days- it would be utterly ridiculous to assume that's not the case... spend some time reading CVE's- no matter what you run, it's always been the case, and even if somehow all an OS's codebase magically where scrubbed to secure perfection, the presence of un-auditable ring -3 hardware means the potential for backdoor's can NEVER be eliminated, until consumers demand an end to this practice.

      reply to this | link to this | view in chronology ]

  • identicon
    Rekrul, 23 Feb 2018 @ 5:20pm

    Go to all the people talking about "responsible" encryption and ask them to design a hypothetical "responsible" door that can only be opened by the homeowner and law enforcement, but that will keep out criminals. Most people understand doors and locks, so ask them to describe how a secure door would work that will be impervious to bad guys but that cops can open if they need to.

    reply to this | link to this | view in chronology ]

  • identicon
    i, 18 Apr 2018 @ 9:17am

    we all are know that report device encryption suggests few ways forward law enforcement. people are understand, how to safe a device by encryption. Many people hack a device but encryption you device is safe. you can safe your device very well, you use ipad customer service.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.