You can hardly read the news today without being confronted with some new revelations about governments engaging in surveillance, or panicked op-eds that argue widespread adoption of encryption will cripple law enforcement authorities and prevent them from effectively tackling terrorism. The phrase ‘going dark’ has been coined to describe the issues. Will network traffic become impenetrable, turning so dark that nobody can see what messages are carried apart from the users at either end? Or will the government’s arsenal of electronic spotlights leave no message hidden from their view? This was the subject of a recent report by the Berkman Center for Internet & Society, who convened a group of academics and intelligence professionals to discuss and report on whether networks will be darker or lighter in future. The report was entitled “Don’t Panic”, which gives you an immediate clue about their conclusions. Here are five key takeaways from the report.
1. People have always found ways to avoid surveillance, and the issues are not new.
Short of a form of government intervention in technology that appears contemplated by no one outside of the most despotic regimes, communication channels resistant to surveillance will always exist.
This is not the first debate about the public’s ability to use encryption and the government’s ability to access communications. Often recounted as the “crypto wars,” government access to encrypted communications has been the subject of hot debate and restrictive policy [in the USA] since the 1970s, with the [US] government ultimately relaxing many export-control restrictions on software containing strong cryptographic algorithms in 2000. The roles and obligations of telecommunications companies in providing a means for government actors to wiretap voice communications – in particular on the legacy telephone system that predated the PC and Internet era – have also been debated extensively over these decades.
2. Comms providers will not encrypt everything.
Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will “go dark” and beyond reach.
…the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
3. Building encryption into devices like Apple and Android phones was a game-changer.
…individuals have been able to use encryption software to send and receive end-to-end encrypted messages for a long time. For example, the first widely available public-key crypto software, Pretty Good Privacy (PGP), was made available to the public in the early 1990s. However, for the average computer user, e-mail encryption software has proven difficult to use, especially when it is not supported natively by communication software. There is a well-documented learning curve to using the software and it adds several steps to sending messages – both the sender and the recipient need to understand the encryption process, possess the software, generate a key pair, share the public keys, and encrypt and decrypt the messages. Much of this adds complexity and friction that is simply too much for most users to bother.
The complexity is substantially reduced when encryption is supported natively by communication software. When encryption is seamlessly integrated, a user does not have to take any affirmative actions to encrypt or decrypt messages, and much of the process occurs on the back end of the software. In fact, an average user might not be able to tell the difference between an encrypted message and an unencrypted message. When these options are enabled by default on popular devices and platforms, like the iPhone, a large swath of communications is encrypted.
4. The IoT will create lots of new opportunities for spies.
Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be.
Even children’s toys are beginning to possess these features. In April 2015, Mattel introduced “Hello Barbie,” an interactive doll capable of responsive speech, which is accomplished by recording children’s interactions with the doll through a microphone, processing it in the cloud, and sending verbal responses through a speaker on the doll.
5. National debates about laws ignore the international ramifications of changes to technology.
…many U.S. companies must also answer to governments of foreign countries in which they do business. In this vein, they are increasingly playing a quasi-sovereign role as they face difficult decisions when foreign government agencies pressure them to produce data about citizens abroad. Many companies refuse to change the architecture of their services to allow such surveillance. However, if the U.S. government were to mandate architectural changes, surveillance would be made easier for both the U.S. government and foreign governments, including autocratic regimes known to crack down on political dissidents. The comparatively well-developed legal doctrines, procedural requirements, and redress mechanisms that serve as backstops to the U.S. government’s surveillance activities are not mirrored worldwide.
We concluded that the “going dark” metaphor does not fully describe the future of the government’s capacity to access the communications of suspected terrorists and criminals. The increased availability of encryption technologies certainly impedes government surveillance under certain circumstances, and in this sense, the government is losing some surveillance opportunities. However, we concluded that the combination of technological developments and market forces is likely to fill some of these gaps and, more broadly, to ensure that the government will gain new opportunities to gather critical information from surveillance.
Looking forward, the prevalence of network sensors and the Internet of Things raises new and difficult questions about privacy over the long term. This means we should be thinking now about the responsibilities of companies building new technologies, and about new operational procedures and rules to help the law enforcement and intelligence communities navigate the thicket of issues that will surely accompany these trends.
The Berkman Center “Don’t Panic” report can be freely downloaded from here.