Bring technologists and members of the intelligence community together to figure out what to do about unbreakable encryption and guess what they conclude?
They conclude that they don’t really need to worry about it.
Unbreakable encryption — which prevents easy, conventional surveillance of digital communications — isn’t a big problem for law enforcement, says a new report published by Harvard’s Berkman Center for Internet and Society on Monday. The report, titled “Don’t Panic,” finds that we are probably not “headed to a future in which our ability to effectively surveil criminals and bad actors is impossible” because of companies that offer end-to-end encryption, such as Apple.
That’s because the technology isn’t universally marketable and there are so many other spying options on the table, as everything from fitness trackers to fridges is getting hooked up to the internet and transmitting vast amounts of data about our everyday lives.
The Berkman Center convened a diverse group of technologists, cryptographers, and former and current government officials — from think tanks, universities, the NSA, FBI, ODNI, and others — to hold meetings over the course of a year to discuss encryption privately, and then publish their conclusions.
A very public debate over encryption was taking place simultaneously. FBI Director James Comey, in hearings and speeches, has repeatedly stressed the dangers of “going dark” — saying that law enforcement is losing the ability to get its hands on digital evidence because end-to-end encryption scrambles messages for everyone except for the sender and the receiver. Even the company that sends the message can’t decrypt it when served with a warrant.
The public response from scientists and privacy advocates has largely focused on the technological impossibility of creating a secure way to give law enforcement special access to those communications without tearing a hole in the protection encryption provides.
While the signers of the report (excluding government attendees, who were unable to sign on “because of their employment”) mention this cybersecurity risk — the bigger takeaway is about why end-to-end encryption, likely here to stay, doesn’t pose an existential threat to law enforcement investigations.
First, the signatories conclude, not every company is going to jump on the end-to-end encryption bandwagon, because it’s not going to make them money. All the data that applications and cloud services and social media networks amass about their users — what kind of clothing you like to buy, what sports you play, where you eat out — is incredibly valuable to advertisers.
Facebook has claimed it can send you ads you’ll care about with 89 percent accuracy, based on where you live, your online behavior, the things you like, and other information about you, like your age and gender. Plus, in case you forget your password, the company can send you the backup data kept on its own servers.
“Internet companies more recently have been shifting towards data-driven advertising, and the technology that facilitates advertising delivery has become more reliant on user data for targeting ads based on demographics and behaviors,” the report says. “Implementing end-to-end encryption by default for all, or even most, user data streams would conflict with the advertising model and presumably curtail revenues.”
Some companies have concluded that end-to-end encryption isn’t user friendly. While Facebook has supported third-party plugins for encryption on its messaging platforms, and reportedly has the ability to end-to-end encrypt its platforms by default, its former Chief Security Officer Joe Sullivan said in 2014 that encryption makes it “hard for the average person to communicate.”
Plus, different applications, software systems, and cloud computing services are not end-to-end encrypted, even if the data is encrypted on a specific device. An Apple phone running on iOS8 or later will have its data encrypted — but many of its social media applications, as well as the automated iCloud backups, will not. This leads to “fragmentation in software ecosystems,” the report concludes, which can “impede the degree to which new conventions and architectural changes — especially those that would enable user-to-user encryption across different devices and services — become widespread.”
And even if end-to-end encryption were ubiquitous, metadata — or information about the communications — is not encrypted. Phone numbers, email addresses, email subject lines, and other information is still accessible to law enforcement, and will continue to be, because it’s impossible for the company to send something somewhere without knowing its destination. “Encryption does not prevent intrusions at the end points, which has increasingly become a technique used in law enforcement investigations,” the authors write.
Finally, the ever-growing Internet of Things presents a whole swath of new spying possibilities, the authors of the report suggest. “Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance,” the report says. “The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access.”
Gartner, a technology consulting firm, estimates that there will be about 6.4 billion objects connected to the internet in the world this year — including light bulbs, watches, security systems, cameras, bracelets, digital ice cubes, digital socks, digital diapers, and more.
And unless everyone is encrypting everything all the time, investigators might be able to spy on you from the person sitting next to you on the metro, or in the office next door. “Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel,” the report says.
“In this report, we’re questioning whether the ‘going dark’ metaphor used by the FBI and other government officials fully describes the future of the government’s capacity to access communications,” Berkman Center fellow Bruce Schneier said in a press release. “We think it doesn’t. While it may be true that there are pockets of dimness, there are other areas where communications and information are actually becoming more illuminated, opening up more vectors for surveillance.”