Backdoors: How Will Government Agencies Adapt to

Download Report

Transcript Backdoors: How Will Government Agencies Adapt to

Backdoors: How Will Government
Agencies Adapt to Cybersecurity on the
Internet?
Professor Peter Swire
Ohio State University
Internet Law Scholars WIP
New York Law School
March 23, 2012
The Research Project
• Future of Privacy Forum – Government Access to
Personal Information
– New facts -- much higher adoption of encryption
– Puts pressure on government agencies, globally
– Description - how will they react? (today’s talk)
• What else follows?
– Prescription – what should law & policy be for lawful
access?
– What other implications from high crypto adoption?
Encryption Adoption
•
•
•
•
VPNs
Blackberry
Gmail & Hotmail
SSL pervasive (credit card numbers)
– Dropbox & many more
• Facebook enables HTTPS, may shift default
• Skype & other VoIP
• Result – interception order at ISP or local telco
often won’t work
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or
after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
• My descriptive thesis: #4 is becoming FAR more
important, for global communications
• Also, temptation to do more #2 and #3
3
Phone
call
Alice
Local
switch
Telecom
Company
Local
switch
Phone
call
Bob
3
Phone
call
Alice
Local
switch
Telecom
Company
Local
switch
Phone
call
Bob
Hi Bob!
Alice
Alice ISP
Internet:
Many
Nodes
between
ISPs
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
%!#&*YJ#$
&#^@%
Bob ISP
Hi Bob!
Bob
Problems with Weak Encryption
• Nodes between A and B can see and copy whatever passes
through
• Many potential malicious nodes
• Strong encryption as feasible and correct answer
– US approved for global use in 1999
– India, China new restrictions on strong encryption
– “Encryption and Globalization” says those restrictions are
bad idea
Hi Bob!
Encrypt
Bob's public key
Alice
Encrypted message –
%!#&YJ@$
– Alice's local ISP
%!#&YJ@$
– Backbone provider
%!#&YJ@$
– Bob's local ISP
%!#&YJ@$
Decrypt
Hi Bob!
Bob's private key
Bob
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or
after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
Limits of CALEA
• Applies to switched network & connect to that
• Bad cybersecurity to have unencrypted IP go through
Internet nodes
• How deep to regulate IP products & services
– WoW just a game?
– Will all Internet hardware & software be built
wiretap ready?
• That would be large new regulation of the
Internet
• Could mobilize SOPA/PIPA coalition
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or
after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
Governments Install Software?
• Police install virus on
your computer
• This opens a back door,
so police gain access to
your computer
• Good idea for the police
to be hackers?
• Good for cybersecurity?
• Soghoian expert here
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or
after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
Stored Records: The Near Future
• Global requests for stored records
– Encrypted webmail, so local ISP less useful
– Local switched phone network less useful
• Push for “data retention”, so police can get the
records after the fact
• The “haves” and “have nots”
– Server in your jurisdiction
– Technically ahead of the curve
• MLATs and other upcoming legal battles
Questions Going Forward
• Descriptive thesis correct? Big new focus on lawful
access to stored records in the cloud?
• What global regime for this lawful access?
– What mix of backdoors and front doors?
• What other aspects of Internet governance affected
by this adoption of encryption?