AWS, Azure, cloud computing, device encryption, e-discovery, ediscovery, encryption, FBI, Google Cloud, Interpol, iphone encryption, law enforcement, Personally Identifiable Information, phone encryption, PII, privacy, Quantum computing, Secret Service, Sensitive Personal Information, smart phone encryption, SPI, terrorist communication, USSS, VMware, Windows Azure
Mar 15 UPDATE: Here is a good read against weakening encryption that I came across this a.m.: “Why Weakening Encryption Could be Throwing the Baby Out with the Bathwater” dated Mar 10th http://www.infosecurity-magazine.com/opinions/weakening-encryption-throwing-baby/
Okay, for quite some time now, we’ve been hearing about encryption on smart phones in great detail, specifically on iPhones. As well as the individual right to privacy versus the need for law enforcement to access these encrypted devices – all smart phones, not just Apples’.
Personally, this has been tearing many people apart, those who care about privacy and those who care about law enforcement.
This posting is not an “be all, end all” type of writing. However, hopefully, it is a step in the right direction. Overall, we need a strategy or a strategic view of where to go next and not continual pointless finger-pointing exercises.
Many, many people believe vehemently in their right to privacy, no matter what, even in preventing e-discovery of crucial information on an encrypted phone.
So, do these individuals truly have it right in that everything on an encrypted phone is personal and private and should not be rifled through?
Or do they have it wrong when it comes to matters of criminal activities such as:
- Children sexting (not criminals but still illegal)
- Illicit drug activities (pick one or many)
- Human Trafficking
- Bank robbers and not to forget,
- Terrorists of any stripe (home grown or transported)
Yes, there are many, many things on a persons’ device that they do not wish anyone else, excepting for specific others, to see. The items could range from:
- Medical information,
- Preciously private love letters,
- Credit card & Bank information,
- Intimate photos (between consenting adults), and/or
- Parents’ photos of their babies in a tub making funny soap faces.
No one wants some stranger (law enforcement or thief) scrolling through their lives on their devices.
On the other hand, law enforcement wants to be able to obtain and peruse visually and forensically the encrypted phone in question. Of course the phone or any other digital device will have been obtained through the use of legally obtained and valid search warrants. You have to remember the times when some bad apples in the FBI and other local/state law enforcement had the tendency of going rogue and going “very” far beyond their scope in their pursuit of the alleged criminal. (Links to publicized incidents of rogue FBI agents going beyond their mandates could be included but you can do an easy search yourself. Be sure to read at least three or four articles, from different sources so you can be sure of not reading content with the same perspective. You do not want to fall into any self-filter trap.)
Gaining a valid search warrant is most definitely the right way to go in gaining possession of any encrypted digital device. It is pure and simple, the most logical step to take.
And on top of that, law enforcement wants to be able to immediately unlock a legally obtained device to get the evidence they need. Especially when it is a time critical event where there may be lives hanging in the balance of unlocking that protected device.
Law enforcement does have a valid need to gain evidence to stop / prevent tragedies or catastrophic events from occurring (or re-occurring).
New Law Enforcement Encryption Model
What do we do then, if both parties only, and vociferously, want their way?? That is the $900 million dollar question – we are far beyond the scope of a $64,000 question scenario.
International Law Enforcement (Interpol)
Because of the global scope of what has been transpiring over the past few years, we need to further strengthen an international law enforcement entity (hint: Interpol) to have the power to have global reach, in any country (and working with that countries law enforcement, not impeded…) to counter and terminate international interactions amongst criminals (including corporate espionage), terrorists and bad nation-state actors (dare we say N. Korea).
We also need the next tier down, each country’s’ national law enforcement (i.e. FBI, Secret Service, ATF&E) and the next tier down law enforcement (State & Local police) to be able to get into these devices and rapidly share any discovered “incriminating” information with each other in an open (but restricted) network, such as another division of NCIC (National Crime Information Center).
Okay, so what if a company who created the encryption scheme (i.e. Apple, Telegram app) for the digital devices do not willingly take part in unlocking a device on the grounds of security and privacy?
Well, you could see the advent of law enforcement working on cracking digital device encryption themselves. You could be thinking of quantum computing right about here. Unfortunately, quantum computing is not quite ready for prime time yet.
However, the next best thing –> cloud computing…
Cloud computing could be a nifty little thing for those who are not up to speed on virtualization and cloud computing. Or ‘maybe’ parallel time on a pair of supercomputer such as Watson and one of the other top 10 beasts (Titan – NUDT at Oak Ridge National Laboratory in Tennessee or Sequoia – Blue Gene/Q at Lawrence Livermore National Lab in California)…
One supercomputer alone is not nearly enough to crack AES-256, the toughest encryption on the planet to crack (that we know of…).
If law enforcement has to get into the act of breaking encryption, with legally sanctioned approval, why not do so with a private/government consortium solution? Think about it realistically for a moment and don’t just poo-poo the idea.
We could have a consortium of say, VMware or AWS working with law enforcement where 1,000 or more of the largest virtualized compute and RAM (& network & storage) instances (basically this is a combination of processors with varying sizes of memory) are used in a Beowulf like configuration (think grid/network).
Many people and companies do this all the time and more are coming on board in using cloud computing.
- Individuals use cloud computing figuring out BitCoin algorithms/issuances;
- Some use the cloud for criminal activities such as clickjacking purposes (where they simulate users clicking on ads and illegally gleaming revenue from these ghost clicks) amongst many other criminal activities
- Predicting where the next trend will be in clothing styles,
- More accurate weather pattern predictions further and further into the future (2 – 3 weeks…),
- Criminal hotspots,
Why not join the flight to working in the cloud to, lawfully sanctioned, break encryption? Why not have:
- One or two locations in the U.S. (just looking at the U.S. right now) as secure facilities – where encrypted devices (or the encrypted data) could be delivered.
- Security clearances would not have to be gained by individuals working there (look at all the good that did in regards to Robert Hanssen, Aldrich Ames & others). But, they would have to undergo strenuous and deep background checks as well as signing iron clad non-disclosure agreements.
- Everyone working at these facilities would follow the least privilege principle – you only get access to what you need to successfully and efficiently do your job.
- Everyone would be under the aegis of segregation of duties – workers would not be allowed to do two roles for the same job (unless that second role is one where it half of a two-party effort – and even then, roles would still be restrictive).
- Access to the decrypted data would be even more restrictive, both, in the facility doing that decryption and the law enforcement entity who requested the decryption.
- Primarily, the facility (or facilities) would have data protection safeguards in place to rival the U.S. Treasury, CIA or NSA, if not more, due to what is at stake…
Okay, maybe this paper is overthinking it.
Or maybe the topic has not been covered in enough depth?
There are quite a few other aspects that could be considered, such as ethics of privacy in not unlocking a device for law enforcement. Or, we have the ethics of law enforcement gaining additional powers and going down the slippery slope to who knows where. Then we have an even slipperier slope of insurance companies and employers wanting in on the act and we know that is a path best left closed.
The writer is the first one to state that he is not an encryption expert nor is he law enforcement.
The writer is one who, though torn and split right down the middle, is for:
- Privacy at all costs to prevent anyone else, without permission, from seeing personal and private information (PII – aka Personally Identifiable Information or SPI – Sensitive Personal Information) and
- Law enforcement to do the job they need to do to prevent / stop harm from happening to law abiding citizens (nationally or internationally)
We are in a dilemma where not everyone can be right or ‘only’ have their way, there has to be give and take (pun definitely not intended).
In the end, we need to unlock encryption in criminalist / terroristic matters – that is the bottom line…