At the RSA Conference in April, Homeland Security Secretary Jeh Johnson asked the assembled audience of information security professionals for their "indulgence on the subject of encryption." Law enforcement is thus far not receiving that indulgence from the security community, cloud services providers, nor some of the most security-savvy members of Congress.
Historically, law enforcement has been able to go straight to cloud service providers with requests for data residing on its servers, without needing, necessarily, to inform the cloud customer whose data is being requested -- or any other customers whose data might also be residing on the same server. This puts cloud providers in an uncomfortable position -- a position they've begun trying to get themselves out of.
Cloud service providers are now giving data owners the power to create and manage their own encryption keys. Thales e-Security and Microsoft pioneered "Bring Your Own Key" (BYOK) and expanded it in March to Microsoft Azure, so that anything created in the Azure environment can use BYOK as well. Box is also giving its cloud storage customers power over their keys, starting with Amazon.
What this means, is that when the courts or intelligence agencies want encrypted data residing on a public cloud, they'll need to subpoena the data owner directly if they want to read it. The cloud provider cannot serve as the go-between.
Richard Moulds, VP of product strategy at Thales e-Security says this suits the cloud providers just fine because encryption keys are just a liability, anyway -- best-case scenario, you don't lose them. Decreasing their own responsibilities and satisfying the users' privacy concerns at the same time is a winning proposition for both parties.
It does not, however, suit the interests of law enforcement, which is actively lobbying for ways around it.
Last week, the U.S. House of Representatives Committee on Oversight and Government Reform's Subcommittee on Information Technology held a hearing on the topic of encryption. Officials from the Department of Justice and the FBI requested Congressional intervention, citing concerns that encryption is making it impossible for law enforcement to get access to essential data, even with appropriately obtained court orders, and that this was going to drastically impede criminal investigations.
Dan Conley, district attorney of Suffolk County, Massachusetts gave testimony taking specific aim at Apple and Google for marketing inaccessibility to law enforcement as a major selling point for their newest mobile devices.
"I am here today to ask Congress to help us find a solution, because what Apple and Google are doing is dangerous and should not be allowed to continue," said Conley.
Conley's remarks were met with strong criticism by the Congressmen.
Representative Ted Lieu (D-CA), who holds a degree in computer science, said he took "great offense" to Conley's testimony and that the actions of Apple and Google are "a private sector response to government overreach."
"To me it's very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution," said Lieu. "And because the NSA didn't do that, and other law enforcement agencies didn't do that, you're seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated the 4th amendment rights of every American citizen for years by seizing all our phone records, by collecting our internet traffic, that now is spilling over into other aspects of law enforcement. And if you want to get this fixed, I suggest you write to NSA and the FBI should tell NSA 'stop violating our rights' and then maybe you'd have the public much more on the side of supporting some of what law enforcement is asking for."
The technological solutions that have been floated thusfar -- like some sort of cryptographic backdoor that law enforcement would only activate when it properly obtained a warrant -- have been met with criticism.
"As a recovering computer scientist, it is clear to me that creating a pathway for decryption only for good guys is technologically stupid," said Lieu. "You just can't do that."
Rep. Will Hurd (R-TX), who is a former CIA agent and former senior advisor for information risk management firm FusionX, asked Dr. Matthew Blaze, who also testified at the hearing, for his opinions about a split-key approach to encryption. Blaze is a computer science professor at the University of Pennsylvania who's been focusing on cryptography, surveillance, and the legal aspects of it since the days of the Clipper Chip:
Blaze: There are things we can do, like splitting the key between multiple locations, that can reduce some aspects of some of the risks in a system like this.
Hurd: But it does create additional vulnerabilities that anyone who has technical capabilities would be able to take advantage of.
Blaze: That's right. We can move some of the risks around from one part of the system or another, but there is still fundamental problems.
Hurd also questioned Conley's assertions that Google and Apple have made it impossible for law enforcement could obtain data they need with properly issued warrants. Conley said "we could get the device, but we couldn't get the information off the device if it's running iOS 8," which would be secured with a passcode.
Hurd did not buy the argument. He asked Blaze how long it would take to crack a 4-digit PIN, using modern methods. Blaze responded "on modern computing hardware, essentially no time at all."
Hurd: That's the equivalent of taking a safe out of a home and using some safecracking skills -- this would be the digital equivalent?
Blaze: No this would be much easier."
Something more complicated than a 4-digit PIN, of course, would be another matter.
Another solution that's been discussed: holding copies of encryption keys in escrow for government use. Yet, Moulds from Thales points out that confidentiality is not the only thing encryption is used for. Encryption is also used for digital signatures; and holding a key used for that purpose in escrow would entirely defeat the purpose of the digital signature. If more than one copy of a seal exists, then how can you be sure it wasn't forged?
"If I take a back-up of it," says Moulds, "I can never say that [the signature] was really her, because she can always say it was someone else."
The "solutions" that have been proposed may not be solve any more problems than they create, but there's no denying that encryption has a dark side, as anyone who's contended with ransomware knows.
Speaking at RSA, Assistant Attorney General for National Security John Carlin was asked for his thoughts on the matter. He had an optimistic viewpoint, saying that other complex issues have been handled before by the government and the security community working together to develop norms, and this would just be one more example of that.
"Is there a solution?" said Carlin. "I would think the best minds could come up with one."