Two British intelligence officials have proposed what they see as a potential solution to a key challenge facing law enforcement agencies — an inability to intercept encrypted group calls and messages through services such as WhatsApp and Signal.
Their idea: Add law enforcement as a “silent” user to the chat or call.
The notion had been discussed privately by Obama administration officials, but until now has never been advanced publicly by a government.
Ian Levy and Crispin Robinson of GCHQ — the British equivalent of the National Security Agency — included the proposal in a paper published last week that offered a set of principles aimed at lowering the temperature of the often-heated debate over how to access digital evidence protected by strong encryption.
The debate has been fueled by the rise of “end-to-end” encrypted apps such as Signal and default encryption on devices such as iPhones. It has simmered for about a decade, occasionally boiling over — as in 2016 when the FBI and Apple battled over access to a terrorist’s locked iPhone.
But there has been no resolution, and Levy and Robinson are hoping their principles and potential solution, published in Lawfare, can nudge the debate forward.
“It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” wrote Levy, who is technical director of GCHQ’s National Cyber Security Center, and Robinson, GCHQ technical director for cryptanalysis.
The provider “usually controls the identity system and so really decides who’s who and which devices are involved — they’re usually involved in introducing the parties to a chat or call,” they wrote.
“You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication,” they said. “This sort of solution seems to be no more intrusive than the virtual crocodile clips” that are authorized today for traditional phone call intercepts.
That idea drew a range of reactions.
“It’s a bad idea,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. Right now services such as WhatsApp notify users when a new party is added to a chat. Suppressing that message would require a change in the system coding — creating “a hole that didn’t exist before,” he said. “That’s the security vulnerability.”
Essentially, Green said, “it’s fact that the app software can now lie to you about who you’re talking to.”
Steven Bellovin, a Columbia University computer science professor, said such risks are not theoretical. In what has come to be known as the “Athens Affair,” he said, in 2004 rogue software was implanted by hackers on a Greek cellphone network outfitted with lawful wiretapping mechanisms to eavesdrop on the conversations of about 100 officials. They included the prime minister and the Athens mayor. The hack was never officially claimed, though suspicion has fallen upon the United States.
“Getting stuff like that right is hard,” Bellovin said, referring to building secure wiretapping systems.
Another computer scientist, Lorrie Cranor of Carnegie Mellon University, said the recommendation "may be reasonable, assuming the access is indeed exceptional and follows appropriate legal processes."
But, she said, "I would also want users of the system to be made aware that this is possible."
If users knew their calls and chats might be covertly monitored, however, that could damage trust between them and the app provider. And not "fundamentally chang[ing] the trust relationship" is one of the GCHQ principles.
Another is "transparency is essential."
If the provider is not telling users that an FBI or MI-6 agent is listening in, says Amie Stepanovich, U.S. policy manager for Access Now, "where is the transparency?"
The comparison to traditional phone wiretaps is inapt, said Susan Landau, a Tufts University computer scientist and former distinguished engineer at Sun Microsystems.
“That’s because the communications being eavesdropped upon in the virtual crocodile clip situation are not designed to exclude silent listeners, whereas communications that are using end-to-end encryption are designed specifically to exclude such eavesdroppers, and users trust the service provider to ensure that,” she said.
The principle that law enforcement “can’t expect 100 percent access 100 percent of the time” is important, said Jennifer Daskal, a former Justice Department official who now teaches law at American University. But, she said, she found “troubling” the authors’ assertion that service providers should respond to government demands for access and “not try to independently judge the details” of the case.
“In most if not all instances, providers will be the only ones in the position to respond to any court order, provide the reviewing court full range of applicable information, and, if appropriate, resist,” she said.
In general, the principles aim for a common ground among privacy advocates and the law enforcement community. They include the idea that “Investigative tradecraft has to evolve with technology” and “targeted exceptional access capabilities should not give governments unfettered access to user data.”
They form “a constructive contribution to the encryption debate,” said April Doss, a partner at Saul Ewing Arnstein & Lehr and a former counsel for intelligence law at the NSA. She liked how they noted that the problem of intercepting a live conversation is different from that of gaining access to an encrypted device, and thus the solutions could look very different.
“It’s important to have all the stakeholders come together and look for shared solutions,” Doss said, “because both sets of equities really matter.”
But, as Robinson and Levy noted, “details matter.”
And so far no details have emerged that satisfy cryptographers and security experts that the security risks are worth the law enforcement gains.
PINGED: North Korean hacking is ramping up. Cybersecurity expert Dmitri Alperovitch tells me that North Korean government hackers have sent spearphishing emails to a Western manufacturing company, suggesting the country is expanding beyond its traditional set of financial targets and traditional motive of financial gain. “It could be espionage activity,” said Alperovitch, co-founder and chief technology officer of CrowdStrike. He said he’s also seen intrusions into payment system companies, showing that the North Koreans are moving beyond hacking of banks and cryptocurrency targets in the West. “The big picture is North Korea continues to be a world actor in cyberspace and that the charm offensive toward South Korea and the United States has not curtailed their malicious cyber activities,” Alperovitch said.
PATCHED: There may be a wave of attacks from Iran, too. Former NSA deputy director Richard Ledgett, in a 2019 threat forecast, said he expected that Iran is “likely to ramp up” its malicious cyber actions now that the United States has withdrawn from the 2015 nuclear agreement. “I have no doubt that they are planning to use cyber means in the way they did back in 2012-13 against the U.S. financial sector in response to the nuclear sanctions,” he said, referring to massive denial-of-service attacks against the banks. “I expect they will be doing something in the not too distant future, in line with their timeline.”
Speaking in a CipherBrief webinar yesterday, Ledgett also noted that China is not abiding by a 2015 agreement to stop conducting cybereconomic espionage. “Whatever slowdown happened, that slowdown has stopped,” he said. “They are back full speed.” He said China is the most prolific when it comes to data theft. “When they turn it on it’s quite a sight to see,” he said. “They’re very very active now, all around the world — including in the United States, including intellectual property.”
PWNED: While the Marriott breach is potentially among the largest breaches of consumer data in history, it is not the first security blunder the hotel giant has experienced, Forbes's Thomas Brewster reported. “Prior to the four-year-old breach being discovered, Marriott suffered at least one previously unreported hack, including an infection that hit the company’s own cyber-incident response team, Forbes has learned,” Brewster wrote. “And there’s evidence Russian cybercriminals have breached Starwood Web servers.” Independent cybersecurity researchers spotted a security breach that affected Marriott in 2017, according to Forbes. “A source familiar with the event told Forbes that Marriott’s Computer Incident Response Team (CIRT) was compromised thanks to a mistake by a contracted cybersecurity vendor that was supposed to be protecting the hotel giant,” Brewster reported.
Alex Holden, founder of the information security company Hold Security, told Forbes that Starwood has also suffered several security incidents. “He sent Forbes screenshots that appeared to show cybercriminal access to Starwood corporate portals,” Brewster reported. “The images presented a control panel used by Russian criminals to run a network of hacked servers, also known as a botnet. Six of those servers were hosting various starwoodhotels.com domains.” And there is more, according to Holden. “Going back to 2014, the year when Marriott said Starwood’s network had been hacked, Holden claimed there was a serious vulnerability on the company’s website,” according to Forbes. “Known as an SQL injection bug, it could’ve been exploited to gain access to Starwood databases.”
— “Influence agents were responsible for roughly 25% of political support spread via Twitter for candidates in the Arizona and Florida midterm elections, researchers report,” according to Dark Reading. “A new body of research by Morpheus Cybersecurity and APCO Worldwide, entitled ‘Impact of Influence Operations Targeting Midterm Elections,’ explores the effects of disinformation campaigns. They analyzed hundreds of thousands of retweets from thousands of accounts, looking for non-organic behavior – for example, high numbers of daily tweets for a long time frame.”
— Some deceitful apps rely on the iPhone's Touch ID technology to scam users. “In separately reported incidents, apps posing as health assistants invite users to use Touch ID before they show a calorie tracker, or take a heart rate measurement, or some other seemingly legitimate function,” Wired's Brian Barrett reported. “Once you scan your fingerprint, though, the apps briefly show an in-app purchase popup instead, charging anywhere from $90 to $120, and simultaneously dim the screen to make it hard to see the prompt.”
— “U.S. banks and other financial firms are projecting higher spending on cybersecurity as they face bigger threats and more attacks,” Bloomberg News's Yalman Onaran reported. “In a survey of 100 senior security officers, 84 percent said their firms are planning to spend more this year on cybersecurity, up from 78 percent a year ago, data-security provider Thales eSecurity said in a report to be released Tuesday. About 36 percent of companies said they experienced an intrusion in 2018, up from 24 percent in last year’s survey.”
— With a new week comes a new data breach disclosure. “Popular question-and-answer site Quora has discovered that hackers broke into its system and took data on 100 million users,” CyberScoop's Greg Otto reported. “The company announced in a blog post Monday that it discovered user data was compromised by a third party who gained unauthorized access to one of its systems. The company says the data taken included names, email addresses and encrypted passwords, along with data imported from linked social media networks. Data related to the site, including upvotes, downvotes, questions, answers, comments and direct messages could also have been accessed.”
— “Russia’s intelligence services were behind cyber attacks targeting the Czech foreign ministry last year, the Czech security service said on Monday in its annual report,” Reuters's Jason Hovet reported. “The BIS counter-intelligence service has long warned against Russian activity in the Czech Republic, a member of NATO since 1999 and of the European Union since 2004. Many other Western countries have issued similar warnings. In its report, BIS said two separate attacks on the Czech foreign ministry were partly the work of the APT28 hacking group, which is linked to the Russian government and has been blamed for past attacks in Germany and the United States.”
- The Center for Data Innovation presents a report calling for a national artificial intelligence strategy on Capitol Hill.
- House Judiciary Committee hearing on “oversight of the Department of Homeland Security” on Thursday.
- Microsoft President Brad Smith participates in a discussion on facial recognition at the Brookings Institution on Thursday.
- 2018 Cloud Security Alliance Congress on Dec. 11 through Dec. 12 in ChampionsGate, Fla.