Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/5/2015
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Law Enforcement Finding Few Allies On Encryption

Cloud providers, mobile device manufacturers, private citizens, and a bipartisan Congressional committee are lining up on the opposite side.

At the RSA Conference in April, Homeland Security Secretary Jeh Johnson asked the assembled audience of information security professionals for their "indulgence on the subject of encryption." Law enforcement is thus far not receiving that indulgence from the security community, cloud services providers, nor some of the most security-savvy members of Congress.

Historically, law enforcement has been able to go straight to cloud service providers with requests for data residing on its servers, without needing, necessarily, to inform the cloud customer whose data is being requested -- or any other customers whose data might also be residing on the same server. This puts cloud providers in an uncomfortable position -- a position they've begun trying to get themselves out of.  

Cloud service providers are now giving data owners the power to create and manage their own encryption keys. Thales e-Security and Microsoft pioneered "Bring Your Own Key" (BYOK) and expanded it in March to Microsoft Azure, so that anything created in the Azure environment can use BYOK as well. Box is also giving its cloud storage customers power over their keys, starting with Amazon. 

What this means, is that when the courts or intelligence agencies want encrypted data residing on a public cloud, they'll need to subpoena the data owner directly if they want to read it. The cloud provider cannot serve as the go-between.  

Richard Moulds, VP of product strategy at Thales e-Security says this suits the cloud providers just fine because encryption keys are just a liability, anyway -- best-case scenario, you don't lose them. Decreasing their own responsibilities and satisfying the users' privacy concerns at the same time is a winning proposition for both parties. 

It does not, however, suit the interests of law enforcement, which is actively lobbying for ways around it. 

Last week, the U.S. House of Representatives Committee on Oversight and Government Reform's Subcommittee on Information Technology held a hearing on the topic of encryption. Officials from the Department of Justice and the FBI requested Congressional intervention, citing concerns that encryption is making it impossible for law enforcement to get access to essential data, even with appropriately obtained court orders, and that this was going to drastically impede criminal investigations.

Dan Conley, district attorney of Suffolk County, Massachusetts gave testimony taking specific aim at Apple and Google for marketing inaccessibility to law enforcement as a major selling point for their newest mobile devices.  

"I am here today to ask Congress to help us find a solution, because what Apple and Google are doing is dangerous and should not be allowed to continue," said Conley.

Conley's remarks were met with strong criticism by the Congressmen.  

Representative Ted Lieu (D-CA), who holds a degree in computer science, said he took "great offense" to Conley's testimony and that the actions of Apple and Google are "a private sector response to government overreach."

"To me it's very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution," said Lieu. "And because the NSA didn't do that, and other law enforcement agencies didn't do that, you're seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated the 4th amendment rights of every American citizen for years by seizing all our phone records, by collecting our internet traffic, that now is spilling over into other aspects of law enforcement. And if you want to get this fixed, I suggest you write to NSA and the FBI should tell NSA 'stop violating our rights' and then maybe you'd have the public much more on the side of supporting some of what law enforcement is asking for." 

The technological solutions that have been floated thusfar -- like some sort of cryptographic backdoor that law enforcement would only activate when it properly obtained a warrant -- have been met with criticism. 

"As a recovering computer scientist, it is clear to me that creating a pathway for decryption only for good guys is technologically stupid," said Lieu. "You just can't do that."

Rep. Will Hurd (R-TX), who is a former CIA agent and former senior advisor for information risk management firm FusionX, asked Dr. Matthew Blaze, who also testified at the hearing, for his opinions about a split-key approach to encryption. Blaze is a computer science professor at the University of Pennsylvania who's been focusing on cryptography, surveillance, and the legal aspects of it since the days of the Clipper Chip:

Blaze: There are things we can do, like splitting the key between multiple locations, that can reduce some aspects of some of the risks in a system like this.

Hurd: But it does create additional vulnerabilities that anyone who has technical capabilities would be able to take advantage of. 

Blaze: That's right. We can move some of the risks around from one part of the system or another, but there is still fundamental problems.

Hurd also questioned Conley's assertions that Google and Apple have made it impossible for law enforcement could obtain data they need with properly issued warrants. Conley said "we could get the device, but we couldn't get the information off the device if it's running iOS 8," which would be secured with a passcode.

Hurd did not buy the argument. He asked Blaze how long it would take to crack a 4-digit PIN, using modern methods. Blaze responded "on modern computing hardware, essentially no time at all."

Hurd: That's the equivalent of taking a safe out of a home and using some safecracking skills -- this would be the digital equivalent?

Blaze: No this would be much easier."

Hurd: [laughs]

Something more complicated than a 4-digit PIN, of course, would be another matter. 

Another solution that's been discussed: holding copies of encryption keys in escrow for government use. Yet, Moulds from Thales points out that confidentiality is not the only thing encryption is used for. Encryption is also used for digital signatures; and holding a key used for that purpose in escrow would entirely defeat the purpose of the digital signature. If more than one copy of a seal exists, then how can you be sure it wasn't forged?

"If I take a back-up of it," says Moulds, "I can never say that [the signature] was really her, because she can always say it was someone else."

The "solutions" that have been proposed may not be solve any more problems than they create, but there's no denying that encryption has a dark side, as anyone who's contended with ransomware knows. 

Speaking at RSA, Assistant Attorney General for National Security John Carlin was asked for his thoughts on the matter. He had an optimistic viewpoint, saying that other complex issues have been handled before by the government and the security community working together to develop norms, and this would just be one more example of that.

"Is there a solution?" said Carlin. "I would think the best minds could come up with one." 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
5/6/2015 | 5:23:49 PM
cost benefits
>What this means, is that when the courts or intelligence agencies want encrypted data residing on a public cloud, they'll need to subpoena the data owner directly if they want to read it.

I expect big companies like Google will be able to hire fewer people to respond to legal requests. That's a good thing for businesses.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
5/6/2015 | 7:43:30 AM
Good to hear
I'm glad that authorities are beginning to understand the technological cause and effect of illegally listening in on citizens at home and abroad. It's had a devastating affect on the the tech sector's trust around the world.

Perhaps more impactful however is the lack of trust many people and companies now have for the authorities. If they had been honest form the start and explained why collecting data was necessary, it wouldn't have been as bad, but the fact that it was done secretly without even a discussion with the public is why there's been such a backlash. Violate freedoms and expect people to defend them far more harshly than if they'd simply been asked. 
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/5/2015 | 9:21:31 PM
I Feel for these Guys
What to do...

So I'm that guy that would lay open my server in a heartbeat if I knew there was child porn on it or plans to bomb American citizens. Law Enforcement wouldn't need to ask twice. But I'm also that guy with a "Come Back With a Warrant" sticker on my pen-testing system. Why the dichotomy?

I truly feel for Law Enforcement. I understand. I'm a father of two children and I would do anything to protect them. I would also do anything to protect someone else's children, even if it meant dumping on someone's "right to privacy" in the digital realm. That's why I stopped doing server admin work, and why I build Tor servers but I won't run one. I'm a vigilante at heart.

So what does this mean for Law Enforcement? Well, guys, here's my suggestion: Beat them at their own game. By "them" I'm referring to criminals - not just people who break the law, because there are good people breaking the law for good reasons. But for these guys who are loading child porn onto the Net like popcorn, or the terrorists trading bomb HOWTOs across Tors and torrents, stop playing nice. Seriously, hire some <black,gray,white>hatters and strike back with everything you've got.

Why? We aren't going to let go of our right to privacy, to encrypt our sensitive data and to provide places for others who need privacy but can't do it themselves. Hacktivism depends upon this privacy and as sad as it is that there are some real a**holes out there using the same tech, the thought of not having it is scarier. That means you (Law Enforcement) have to find other ways to bring the really bad guys down, and get the evidence you need to prosecute.

There are always going to be exceptions, of course. But right now this seems like the only overall solution. Just try to leave the innocent people out of it; let us please stick to bringing down the a**holes, whatever it takes.

I know that's not a very positive outlook, or a long-term solution, but for now I think that is where we are now...
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The &quot;Count per Day&quot; plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the &quot;Package Updates&quot; module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.