In this picture taken on Tuesday, Jan. 18, 2011, Iranian journalism students use computers in an internet cafe in central Tehran, Iran. Vahid Salemi/AP

The Best Way To Stick It To Dictators, Help Dissidents, and Boost Privacy

It makes the Internet safer and allows people living under autocracy to get around government censors. But the FBI wants to break it.

On Wednesday, FBI Director James Comey appeared before the Senate Judiciary and Intelligence committees with a message of doom: unless tech companies weaken their encryption schemes so that law-enforcement agencies can intercept customers’ data, ISIS and its imitators will launch attacks in the United States. “I cannot see me stopping these indefinitely,” Comey told lawmakers.

Such backdoors might help the FBI, but they would be a terrible thing for dissidents, democracy workers, and journalists living in places like China and, perhaps especially, Iran, according to experts who spoke to Defense One.

Comey’s campaign began last September, after Apple announced that its iPhones would begin encrypting users’ data. Google quickly followed with an encryption update for its Android 5.0 Lollipop operating system. Comey began taking meetings with lawmakers to voice his concerns and has been doing so more and more publicly since. On Monday, he wrote in an op-ed for the Lawfare website, “In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job.”

End-to-end user encryption makes it much harder for the FBI or the NSA to intercept users’ communications as they pass through the communication provider or device manufacturer, forcing would-be eavesdroppers to bug individual devices of targeted users. Other encryption tools, such as Tor, mask individual IP addresses, helping users to communicate anonymously on the Web.

If Comey is able to convince lawmakers to force Google and Apple to give the FBI backdoors into their encryption tools, people working against governments in places like Iran could face arrest or worse.

“FBI backdoor in encryption used in many essential online services available to Iranians, such as Gmail, could provide reason to censor such services in favor of Iranian alternatives, which would offer far less protection of user privacy and security,” Fereidoon Bashar, an Iranian expatriate and one of the directors of the site ASL19, told Defense One in an email. ASL19 is a technology lab that provides technical support to Iranians looking to get around government censorship.

Ali Bangi, another co-director of ASL19, put it this way: Iranian human rights workers and critics of the nondemocratic regime depend on secure communications tools — ones that haven’t been compromised by backdoors — to communicate with their allies in the West.

“Ordinary Iranian internet users, activists, and human rights advocates will not trust encryption that is compromised by the FBI,” Bangi told Defense One via email. “Government surveillance or backdoor access will lead to self-censorship and also puts people at risk of arrest and detention.”

Governments’ efforts to fetter communications are documented by David Kaye, UN Special Rapporteur on the Right to Freedom of Opinion and Expression. The latest version of his annual report notes that since 2012, Iran has required citizens to register the IP addresses of their computers with the government, and has forbidden the use of fake names when using computers at cyber cafés.

“I don’t think it’s too strong to say: if security across the net is weakened, activists, journalists and others simply won’t be able to trust the security of their own systems. And they could be put in harm’s way for what they’ve put online. They can be detained,” Kaye told Defense One.

Researcher Collin Anderson, an expert on Iran’s Internet infrastructure, agreed. “It’s a strong statement, but it’s accurate. These people depend on end-to-end encryption and strong cryptography tools in order to provide trustworthy communications that are necessary for their work and ultimately might endanger their safety.”

Anderson also noted that if the U.S. government forces tech companies to expose their customers’ communications, other countries may follow suit. “Once you force Apple to make iMessage be decryptable, then China is going to use their market influence and force the same thing on Apple or kick them out of the market. And that undermines [U.S.] national security,” he said.

The tech giants have said as much themselves. In February, Alex Stamos, Facebook’s chief security officer and a former chief information security officer for Yahoo, had a testy exchange with Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency. “If you believe we should build backdoors into products, should we do so for the Chinese government? The Russian government? The Iranian government?” Stamos asked at a New America discussion on cyber issues.

Rogers, in characteristic fashion, refused to engage the question.

Kaye noted that backdoors anywhere hurt cyber security everywhere, including at home. “The problem with compromising security in one place is a problem of compromised security everywhere, because of the nature of the Internet,” said Kaye.

Anderson added, “There are additional national security interests in these tools not having back doors. For example, a number of the SSL exploits that have come up came out of attempts to comply with export-control restrictions on the proliferation of encryption that imports long key lengths.”

SSL stands for “secure sockets layer,” part of the system that creates an encrypted connection between your browser and, say, your bank’s website and displays a lock icon to show it. Among the most famous SSL vulnerabilities is the Heartbleed bug that exposed more than 4.5 million hospital patient records to theft last August.

“There are a couple of examples where explicit backdoors led to the compromise of these cryptographic systems,” says Anderson.

Both Comey and Rogers have said they believe that it might be possible to engineer backdoors that allow U.S. agencies in but keep others out. “I think that this is technically feasible,” Rogers said at the New America event in February. “I believe that it’s achievable.”

That view is not widely shared by cryptography experts. On Monday, a group of cybersecurity luminaries, including Bruce Schneier and Whitfield Diffie, published a lengthy paper, “Keys Under Doormats,” to argue that weakening encryption to serve the U.S. government would weaken it for everyone. A safe, once destroyed, protects nothing.

“Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious — making security testing difficult and less effective…exceptional access would create concentrated targets that could attract bad actors,” the authors write.

Asked to respond yesterday, Comey insisted that a good-guys-only backdoor might be possible. “A whole lot of good people have said it's too hard...maybe that's so. But my reaction to that is: I'm not sure they've really tried…I’m not willing to give up on that yet.”

Where does the issue stand politically? Comey has an uphill battle. On June 11, the Republican-controlled House voted 255-174 to attach to the 2016 defense appropriations bill a measure to limit the government’s ability to mandate backdoors in consumer communications. And months ago, Republican presidential hopeful Rand Paul announced his support for Apple and Google’s consumer-level encryption.

It’s hardly just a Republican concern. When Democratic presidential frontrunner Hillary Clinton was Secretary of State, she may have given money to nonprofits to help spread encryption and anonymity tools in the Middle East. Michael Hayden, a former chief of both the CIA and NSA, described the effort in 2013: “The Secretary of State is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government. All right, so on the one hand we’re fighting anonymity; on the other hand we’re chucking products out there to protect anonymity on the net.”

The U.S. government may decide, at some point, to break those same tools and imperil those same activists it was helping not long ago. It won’t be able to do so without committing an act of flagrant hypocrisy.
