Governments Demand Encryption Backdoors

The Blonde Bombshell warned us about the “Five Eyes”. It’s illegal for our most beneficent government, which loves us and only wants what is best for us, to spy on us. Of course, that depends on what is meant by “spying.” But never mind that for a moment.

Our most loving government still wants to know about many of us, and since they cannot spy legally, they ask a friend to do it for them. Or so the rumor goes. We ask, say, England to spy on our citizens, and we in turn spy on Australia’s, who spy on Canada’s, who spy on New Zealand’s, who spy on England. Or Australia spies on New Zealand, who…ah, never mind. It’s a merry skulduggery mixup!

The real headline is this: ‘Five Eyes’ governments call on tech giants to build encryption backdoors — or else.

A pact of five nation states dedicated to a global “collect it all” surveillance mission has issued a memo calling on their governments to demand tech companies build backdoor access to their users’ encrypted data — or face measures to force companies to comply.

The international pact — the US, UK, Canada, Australia and New Zealand, known as the so-called “Five Eyes” group of nations — quietly issued the memo last week demanding that providers “create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements.”

This kind of backdoor access would allow each government access to encrypted call and message data on their citizens. If the companies don’t voluntarily allow access, the nations threatened to push through new legislation that would compel their help.

In other words, you will be forced to let the government spy on you. And they will, as they always have, put that information only to good, moral, upright use. Because of love.

There are only a couple more terms we need to grasp. One is “end-to-end encryption — where the data is scrambled from one device to another — even the tech companies can’t read their users’ messages.”

Another is the difference between encryption, which we can take as the mathematical scrambling of a message, and encoding, which is the stating of a message in a different language.

Finally, “Security researchers and other critics of encryption backdoors have long said there’s no mathematical or workable way to create a ‘secure backdoor’ that isn’t also susceptible to attack by hackers, and widely derided any backdoor effort.”

This is true. Even if your device and your friend’s device employed unbreakable one-time-pad encryption, there must still come the point at which the device decodes and decrypts the message and displays it in plain text. Anything that can hack what’s on the screen can then read the message. You cannot make a device invulnerable to this kind of hacking (other kinds of hacks exist, too, such as keystroke reading, etc.). Backdoors into the encryption code are thus not strictly necessary: the government can mandate “screen readers” instead.

Encryption, then, only slows down a determined enemy. Still, slowing down an enemy is a valuable strategy.

Now suppose you are one of the very, very few individuals your government does not love, and you want to make life hard on those who would spy on you. What can you do? Encryption is good, but imperfect, as mentioned. You have to limit your “meta” data, which is liable to sigint spying. The NSA, for instance, collected where you made calls (or texts or emails, etc.), to whom you made calls, what time you made calls, the duration of those calls, on what devices (and who owned them) you made calls, the pattern of those calls and non-calls (your device is tracking you wherever you go), the pattern of calls of whom you called, and so on. All this together paints a rich picture of your message, even if the exact message remains hidden.

There are only three solutions. The best is the old fashioned way. Use non-electronic means to communicate with your friends. Written one-time pads cannot be spoofed or broken, and you only need worry about cameras recording you reading the message (which you can burn). Sigint is still possible—the cameras in public spaces see you coming and going—but it can be reduced.

Spoofing is still fun. Send random messages at odd times from strange locations that seem to be laden with content but which are nonsense. Be careful who you’re sending them to, too, of course. Spoofing keeps ’em guessing.

Last, use layers of code (before encryption). Your device encodes your plain text into 0-1 bits, but that’s a trivial code. Remember the Navajo code talkers? That worked because only a few knew what the encoding meant. You want messages like this:

Hello, Lucky. Hello, Lucky. Report my signal. Report my signal. Over.

Hello, George Mike Walters. Strength three. Over.

Recon reports Indians on the warpath in your area. Over.

Ain’t no Indians around here. Over.

Do not take literally. Repeat. Do not take literally.

The vultures are circling the carcass. Repeat. The vultures are circling the carcass. Over.

I see a couple of gulls, but I don’t…

The pit bull is out of the cage. The crips are raiding the store.

Make yours a little more inventive. Mix real ones with spoofed ones. And NEVER, not ever, repeat a scheme. Even one repeat and they gotcha.

7 replies »

  1. Amen, brother.

    Here’s a fun alternative. Quote passages from the Quran. In today’s PC-ridden atmosphere, they’re bound by anti-discrimination rulings to leave you alone, because reasons.

    Mix it up with Biblical references and extracts from Moby Dick to really confuse them.

  2. While paranoia over electronic media is fun for a while, the reality is you were watched always. It might be the old guy sitting on a bench at your favorite department store. Maybe the old lady across the street with the very powerful binoculars. Or your kid’s teacher learning about you through your child. Likely, these are just people who like watching what people do, but law enforcement has always exploited that resource. It doesn’t have to be “real” spying. Come on, even in the 40’s and 50’s you could be tracked and traced virtually anywhere. Paper correspondence was fairly safe, except there were those who claimed the Post Office routinely opened mail and then resealed it or just marked it damaged. All of this is scary because TV and fiction told us to believe that. If you don’t know you’re being watched all the time, no one can really help you. You’re too naive for help. If you don’t know how to hide your activities, you shouldn’t be doing things that need hidden. Just as it has been forever. (It was more difficult before photos and telephones, but people were still tracked down and found or tracked down and arrested. Just took more leg work.)

  3. While paranoia over electronic media is fun for a while, the reality is you were watched always.

    But not to the extent and coherence that it is today.

    Maybe someone could interview that old guy or old lady but it would have been necessary to interview a lot of people to get a good picture of your activities. A very time consuming and error prone process. Nowadays, your phone is always watching. Even when you think you told it not to.
    https://www.youtube.com/watch?v=0s8ZG6HuLrU
    http://video.foxnews.com/v/5821694318001/?#sp=show-clips
    And it’s stored for perhaps forever.

    It’s disconcerting that sometimes off-hand comments can lead to target ads based on those comments. I searched Amazon once for prices on a device and for the next month received ads for it and similar on nearly every web page I visited. The Amazon search wasn’t done with my phone. Creepy.

    Your phone is always listening to you. How do you think it knows when you want Google Assistant to do something? Does it record and report what it hears? Probably not but it could.

    There are a lot of Android phones so it’s unlikely anyone outside of Google is paying attention. However, should a follow-up be triggered, all of that info could become available.

    While Android phones present the greatest threat, iPhones could be used the same way.

    Yes, you were watched before while in public, but there were still places you could expect privacy. Nowadays, not so much.

  4. The underlying issue is the trade-off between law enforcement’s (LE’s) ability to access info needed by LE to monitor, disrupt and apprehend the minority engaged in illegal activities (including terrorism) versus broader rights and interests of the law-abiding public to maintain privacy (and, in the U.S., not be unlawfully subjected to intrusive searches, and perhaps seizures (e.g. of data) contrary to Constitutional protections).

    Clearly the trend we’re seeing advocated by LE/governments is to subordinate the rights of the masses to allow LE to pursue the criminals. What is unclear is how much leeway shifts the noble goal of thwarting criminals to enabling/creating the infrastructure that might enable a police state. Why countries with a supposedly republican (aka democratic) form of government are taking such a stand without putting the matter to popular vote/referendum/etc is itself disconcerting.

    The “Five Eyes” countries provide for similar, sometimes fundamentally different, Constitutional (or Constitution-equivalent) rights and protections to their respective citizens. Thus, one might have greater, or unrestricted legitimate authority to broadly intrude in suspects via electronic “backdoors.” The ability of all (e.g. the U.S.) to assert and expect to succeed in getting lawful authority to force access via “backdoors” is not equal.

    This is a time to be writing/phoning your elected representatives to let them know how you want them to vote on matters relating to forced “backdoors”.

  5. The claims by security researchers about the impossibility of secure back doors are simply nonsense. It certainly is mathematically possible, and if these folks know much about encryption, they know that. The weakness is in the human side of the implementation: where is the key kept; who has it; who can use it. Those weaknesses can be overcome. Nobody has ever gotten the master key to Visa’s PIN encryption, for example. The human protection is similar to that with nuclear missile launches: three different people, all responsible and in high positions, each have a different fragment of the key. It takes the concurrence of all three to create the key, and the hardware systems prevent any one of them from seeing what the others input. Or at least it worked that way when I worked for Visa.

    I think the practical problem is with end-to-end encryption, and it isn’t a privacy problem, it’s an intelligence problem. Where is the back door? How do you keep people from running open source encryption software – PGP back in the ’90s? Part of the solution to that is detecting that people are doing so – classic SIGINT. That doesn’t get the content, but it does tell you who to watch – unless a whole lot of people do this, just to confuse the watchers, even though those people have nothing to hide.
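
The three-fragment arrangement described in reply 5 can be sketched as XOR split knowledge; this is an added example, not part of that reply and not Visa’s actual procedure. The XOR construction, the 16-byte key size, the SHA-256 check value and all function names are assumptions made for the illustration.

```python
"""Added example: XOR split knowledge of a master key among three custodians."""
import hashlib
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 3) -> list:
    """Return one component per custodian; the XOR of all of them equals key."""
    if custodians < 2:
        raise ValueError("need at least two custodians")
    # n-1 components are fresh random bytes; the last one is fixed by them.
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(reduce(xor_bytes, parts, key))
    return parts


def combine(components: list) -> bytes:
    """Rebuild the key; meant to run only inside the trusted combining device."""
    return reduce(xor_bytes, components)


def check_value(key: bytes) -> str:
    """Short fingerprint for confirming a rebuild without displaying the key.
    (A SHA-256 prefix is a stand-in chosen for this example.)"""
    return hashlib.sha256(key).hexdigest()[:6]


def third_component_for(known_two: list, candidate_key: bytes) -> bytes:
    """The missing component that would make candidate_key the real key.
    One exists for every candidate, so two custodians alone learn nothing."""
    return reduce(xor_bytes, known_two, candidate_key)


if __name__ == "__main__":
    master = secrets.token_bytes(16)  # constructed sample key
    a, b, c = split_key(master)
    assert combine([a, b, c]) == master
    print("check value:", check_value(combine([c, a, b])))
    guess = bytes(16)  # any guess is consistent with components a and b
    assert combine([a, b, third_component_for([a, b], guess)]) == guess
```

The scheme protects the key only while the combining step stays inside hardware that none of the custodians can inspect, which is the condition the reply itself names.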
