Encryption and the Problems with Regulating It

Privacy Apr 14, 2020

I should mention that I am not an encryption expert. Far from it. I am an encryption enthusiast who has spent some time learning the basics, and who feels that there are some fundamental misunderstandings of it, as well as of how it applies to the new EARN IT Act.

Encryption has been a topic of discussion a lot recently, from the FBI's frustrations with breaking into iPhones to the latest EARN IT Act.

What is Encryption?

Does your house have a lock?

It probably does, because the lock makes your house more secure (prevents robberies). You put trust in the lock to protect you, your house, and your valuables. Encryption is like a lock for your data. You trust that only people who have the key can get access to your data.

However, no matter how much trust you put in your lock, it can be picked, and fairly simply at that. Just like a lock can be picked, encrypted data can be cracked. At that point, the attacker has access to your data and can take whatever they want.

Encryption happens both in data transfer and data storage. Encryption in transit stops bad actors from reading data as it moves (preventing what is called a man-in-the-middle attack), and encryption at rest helps keep people out of the data once it reaches the server or an endpoint (such as a computer or smartphone).

The Mythical Government-Only Key

When there is a keyhole, it can be picked. It is just a matter of time, but it can be picked. A key can also be recreated, redistributed, and reused, which makes the situation worse.

Despite what they like to tell you, the US Government is not great at keeping stuff private. There has been an idea floating around of a key that only the government has to break encryption. While this sounds great, there is a problem: we have already tried that, just with suitcases.

The TSA created a master key that can open all travel locks, and sure enough, you can now get the model online for free, 3D print it, and crack into any luggage. This master key was supposed to be private, only for the government, yet it is now available for free.

Senators and Representatives have brought up the idea of government access to encrypted data, back during the iOS cracking days and now with the EARN IT Act. However, if there is a government back-door, I would be willing to bet good money that the crack will be found by someone not in the government. That is because our government can't keep data secure, and people would put a lot of effort into breaking it. Even if there isn't a government-kept key, any central key management is dangerous since the key can be reconstructed, and attempts for an application to read and censor user data would require centralized key management.

National Security

Imagine there is one key that can unlock any data in the world, which people trust only the US government has access to. Now imagine that ISIS, North Korea, and the Sinaloa Cartel have access to that key. They could easily break into all of the systems that the US government has, and the government couldn't keep anything secret anymore.

Whenever there is a system for good actors, bad actors will exploit it. That is the same reason your house can still be robbed even though you have a key for it. There is a system for good actors to get access, but since there is a system, it can be exploited.

Now I want you to imagine a second scenario. The US Government buys encryption software from a different country, let's say Switzerland. They use it for all of their systems, and trust the code. However, one day it is revealed that this company is owned by the Iranian VAJA Intelligence Agency. Everything that the US has done has been leaked to the Iranian VAJA for years, and the Iranian government has used that data against the US consistently. Would you want Iran to have access to all of that data? How would you react if Iran then demanded access to every computer and application on the planet to help prevent human trafficking? If I were in this situation, I would speculate whether they were actually going to use it to fight human trafficking.

That situation happened, but just flip the roles of Iran and the United States. The CIA owned Crypto AG, a Swiss encryption company that provided services to countless governments and private companies. As you can imagine, the customers were beyond pissed.

Leaked documents reportedly show the CIA secretly bought an encryption company and used it to spy on clients — while turning a profit
The CIA secretly listened in on communications by spies, diplomats, military officials, calling it “the intelligence coup of the century.”

After this broke, the US started work on the EARN IT Act, which would require that companies build deliberately insecure security or have their first amendment rights violated. Especially given the Crypto AG situation, I have doubts about the validity of the US's claims that these security vulnerabilities will be used solely against child trafficking, and whether we want this to be codified in US law.

Regardless of who is in control, having a single entity with access to everything seems highly dangerous, since they have control over all data on the internet.

The Best Lock is No Door

If you wanted to make your house as secure as possible with no regard for entry or exit, you would not have a door. That is because doors, and the keys associated with them, are inherently a weak point.

That being said, you still want to be able to enter and exit your house. What cyber-security experts are essentially working toward is a very complex key that takes so long to pick that it would be unrealistic to get in without the specific key. They also use a different key everywhere, so that a key stolen in one place can't be used elsewhere. They also want the equivalent of a vault door, so that people can't barge in without the key.

The problem is that if you have a complex key with a strong door, the police can't barge in whenever they want. This is fundamentally the problem that the US government has with current encryption. It is too strong, and they can't barge in and get information. While I understand and respect their desire to have access to people's homes, if the police can barge in, bad actors (robbers) can barge in as well.

I am of the belief that I would rather have complicated keys that only I know than let the government have access to them, since government access opens up a world of opportunity for attacks.

The Problem with Jurisdiction in the Internet Age

What laws apply to whatever website you are on? That is a surprisingly hard question to answer. Let's take a scenario of an Australian citizen visiting the UAE using an app that I wrote for my robotics team:

  • The website is hosted on Cloudflare servers, which could be in any one of some ninety countries
  • The website uses code from Alibaba, a Chinese company
  • The website talks to a server that is hosted by an individual in the United States
  • The website also talks to a server in Singapore, that is owned by Alibaba Cloud, a Singaporean division of Alibaba, a Chinese company
  • When talking to the US server, the data goes through a random set of countries, such as Saudi Arabia, Jordan, Egypt, Libya, Algeria, Italy, Switzerland, France, Spain, and Canada
  • When talking to the Singapore server, the data goes through a random set of countries, such as Saudi Arabia, Kuwait, Iran, Pakistan, India, Myanmar, Thailand, and Malaysia
  • One of the Singapore servers is accessed through a .ee (Estonia) domain registered through a Luxembourg company
  • The primary domain is a .mp domain (Northern Mariana Islands, a United States territory)
  • The user is an Australian citizen, even though data never goes through Australia

So who has jurisdiction over the website? Arguably, there could be upwards of 90 countries who have theoretical jurisdiction over the website, each with different, potentially conflicting laws.

The point is that the internet is complicated, and I, as someone who wrote a small app, can't realistically ensure that it follows Swiss data privacy laws while also following contradictory Chinese government reporting laws.

Many countries try to regulate the internet, but it is unclear who actually has to follow those regulations. This matters even more when it comes to encryption, and especially national security. If the North Korean Embassy in Mexico needs to communicate with a government official back in North Korea, do they have to abide by US laws regarding encryption?

There are no easy answers to these questions, and they could only realistically be resolved with an international treaty. Any attempt at regulation is unrealistic because of the complex nature of data transfer between jurisdictions.

EARN IT Act

I have mentioned EARN IT earlier in this post, but I now want to take the opportunity to directly address it.

But EARN IT Doesn't Mention Encryption!

The EFF has a great response to this:

The so-called EARN IT bill, sponsored by Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message.
The EARN IT Bill Is the Government’s Plan to Scan Every Message Online
Imagine an Internet where the law required every message sent to be read by government-approved scanning software. Companies that handle such messages wouldn’t be allowed to securely encrypt them, or they’d lose legal protections that allow them to operate.

It is impossible to have mass surveillance of messages, by government or by applications, and also have end to end encryption. It is technologically impossible, because the act of scanning a message means that the message must exist in decrypted form somewhere the scanner can read it, which is exactly what end to end encryption is designed to prevent.
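To make that concrete, here is a toy model, added for this post and not code from any of the projects or bills mentioned, that covers both this claim and the "government-only key" argument earlier. It assumes a made-up relay, a made-up banned-phrase scanner, and a minimal stream cipher built from HMAC-SHA256 so it runs with the Python standard library alone; in the end-to-end design the relay can only scan ciphertext, and in the central-key design the scanner works but whoever obtains the master key reads every message.

```python
"""Toy model of the two designs discussed above. The cipher is a stream cipher
built from HMAC-SHA256 in counter mode, for demonstration only (not authenticated,
not a substitute for a real AEAD). Every message and phrase here is constructed."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
BANNED = [b"forbidden phrase"]  # constructed stand-in for a scanner's rule list


def keystream(key, nonce, length):
    """Derive a keystream by MACing (nonce, counter) blocks under the key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def scan(data):
    """A mandated content scanner: it can only match what it can read."""
    return any(word in data for word in BANNED)


def e2e_relay(msg):
    """End to end: only sender and recipient hold the key; the relay gets ciphertext."""
    key = secrets.token_bytes(32)
    blob = encrypt(key, msg)              # encrypted on the sender's device
    flagged = scan(blob)                  # the relay scans the only thing it has
    return flagged, decrypt(key, blob)    # the recipient reads it normally


def escrow_relay(msgs):
    """Central key: one 'government-only' master key encrypts every message."""
    master = secrets.token_bytes(32)
    stored = [encrypt(master, m) for m in msgs]
    flagged = sum(scan(decrypt(master, b)) for b in stored)  # scanning now works...
    leaked_copy = master   # ...and whoever obtains the key (cf. the TSA key) reads it all
    return flagged, [decrypt(leaked_copy, b) for b in stored]
```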

If you sue the life out of companies who don't follow your "best practices" list, then it isn't really "best practices." And if those "best practices" are directly incompatible with end to end encryption, then the bill is ending E2E encryption. I don't want anyone in Congress saying that this was an unintended side effect, because it is immensely clear that this will be the end result.

I find that this description from Signal is very accurate:

It is as though the Big Bad Wolf, after years of unsuccessfully trying to blow the brick house down, has instead introduced a legal framework that allows him to hold the three little pigs criminally responsible for being delicious and destroy the house anyway. When he is asked about this behavior, the Big Bad Wolf can credibly claim that nothing in the bill mentions “huffing” or “puffing” or “the application of forceful breath to a brick-based domicile” at all, but the end goal is still pretty clear to any outside observer.

But the Government are the Good Guys!

I am against any binary representation of people as "good guys" or "bad guys," because life doesn't simply operate that way. There have been many times throughout history, where unless you see the world through the American supremacy point of view, the US has been in the wrong. It would be unfair for the US to impose our beliefs onto other countries, purely because of our belief that we are the good guys, and I strongly believe that it is a more ethical decision to give people privacy.

The congressional supporters of the bill say that it is to help child trafficking victims "and other purposes." I have two problems with this. First, I have not seen evidence that suggests that it will help child trafficking victims. Secondly, holding the platforms accountable won't help. There simply aren't enough resources or the technological ability to analyze messages on a large scale, even if you don't care about E2E encryption.

I know that Senators and Representatives will say that AI is the answer, because that is always their answer. However, they are naively unaware of the fact that AI is still in very early development and nowhere near accurate enough. They just say AI because it makes them seem smart and makes it seem like they have a solution, when in reality they have no idea how to handle the situation. If any person in Congress could explain how they would implement this law without putting security at risk, I would love to hear it, but I highly doubt that will ever happen.

China

This policy would be very similar to the abuses committed by the People's Republic of China. They ban end to end encryption in the name of national security, but in reality it turned into a dystopian monitoring system that checks every Weibo post, Weixin message, and Youku video. People get scared when national security is at stake, and that fear enables abuse of power. If Congress passes this bill, we will be no better than China, and should be shamed by the rest of the world.

The government is so concerned about devices from Huawei and apps from Bytedance because they see them as a national security threat. It certainly would be ironic if the rest of the world took the same approach to American technology. If this bill passes, then US hardware and software would truly pose a serious threat to the national security of the rest of the world, and that irony would become reality.

America's Future

America is falling behind the world when it comes to technology. China is dominating R&D, Switzerland and Israel dominate security, India dominates contract work. Passing EARN IT would make America fall further behind. As someone who has spent twelve years in American public education, I believe we need to do everything we can to make sure that international companies want to start and grow in the USA, because frankly our schools are failing us. We are not getting the high-quality STEM education that other countries offer, and the lack of competition means that people here tend to perform worse than people in other countries.

If we want America to not be trampled by other countries when it comes to science and research, we need to show that we care about supporting privacy, security, and business. EARN IT goes against all of these, and merely shows that we have a legislature that can't be bothered to do basic research and will screw over businesses at every opportunity. I encourage Congress to think about the ramifications that this could have, and I don't want America to be the laughing stock of the security and privacy world (like Australia is now as a result of their screwing over of encryption).

Alex Beaver

Hi! I'm Alex, and I am on leadership and software on Team 100. I want to help others through the FRC process by sharing tips and tricks on how to be effective in FRC.