Featured Post

Welcome to the Forensic Multimedia Analysis blog (formerly the Forensic Photoshop blog). With the latest developments in the analysis of m...

Monday, December 29, 2014

A rebuttal to the case against encryption

In an article over on SC Magazine UK, a senior Met investigator argues against the use of encryption.

"In any democratic society we need to provide law enforcement with a right to obtain information authorised by a judge, based on a clear suspicion, in cases involving serious crime or terrorism. This applies to the offline world and should also apply to the online world."

“Full encryption of communication and storage online will make life very easy for the criminals and terrorists and very difficult for law enforcement and law abiding citizens. We have to find the right balance between security and freedom - and this balance has to be set by citizens in a political and ethical discussion on the trade-offs.”

Remember, of course, that in the UK there's a completely different legal system than here in the US.

In the US, you have the right to remain silent, including the right not to present evidence which may incriminate you (5th Amendment).

"The Fifth Amendment creates a number of rights relevant to both criminal and civil legal proceedings. In criminal cases, the Fifth Amendment guarantees the right to a grand jury, forbids “double jeopardy,” and protects against self-incrimination. It also requires that “due process of law” be part of any proceeding that denies a citizen “life, liberty or property” and requires the government to compensate citizens when it takes private property for public use."

We also enjoy protection against unreasonable searches and seizures (4th Amendment).

"The Fourth Amendment originally enforced the notion that “each man’s home is his castle”, secure from unreasonable searches and seizures of property by the government. It protects against arbitrary arrests, and is the basis of the law regarding search warrants, stop-and-frisk, safety inspections, wiretaps, and other forms of surveillance, as well as being central to many other criminal law topics and to privacy law."

Put these two together.

You have the right to remain silent and to protect yourself from self-incrimination. Encryption can be seen as a digital affirmation of that right.

You have the right to be protected against unreasonable searches and seizures. The problem with setting up weak protection schemes, or "trap doors" that law enforcement can open when it deems necessary is that it is simply weak protection. Hackers can and do exploit weak protection.

"Now just as then, the FBI is trying to convince the world that some fantasy version of security is possible—where "good guys" can have a back door or extra key to your home but bad guys could never use it. Anyone with even a rudimentary understanding of security can tell you that's just not true. So the "debate" Comey calls for is phony, and we suspect he knows it. Instead, Comey wants everybody to have weak security, so that when the FBI decides somebody is a "bad guy," it has no problem collecting personal data.

That's bad science, it's bad law, it's bad for companies serving a global marketplace that may not think the FBI is always a "good guy," and it's bad for every person who wants to be sure that their data is as protected as possible—whether from ordinary criminals hacking into their email provider, rogue governments tracking them for politically organizing, or competing companies looking for their trade secrets."

If you run a business, you must keep your customer data private and protected from being distributed against your customers' wishes. Think about the data breaches that happened to Target, Home Depot, and Sony for an example of how weak physical and digital security combined to negatively affect millions of people's lives.

So where does that leave us? Here's an analogy. California passed a law recently created a "civil right to clean drinkable water." Many believed that this meant they'd never have to pay their water bills again. After all, water was now a human right. But, the law mandates that water delivered must be clean and safe. The law did not create a civil right to "water pressure." The law did not mandate that water be delivered to you, just that if it was delivered that it be safe and clean.

Courts may order that data be seized. So take it. Use it as is. If you can crack the encryption, great. If not, (for the time being) the US Constitution sill allows me to remain silent and to choose to not incriminate myself. Given that we in the US are innocent until proven guilty, once you remove the 5th Amendment's protections you might as well be done the concept of freedom as we know it. Without the 5th Amendment's protections, we will be living in a "police state." I'm not about to go down that road willingly.

Just like you can't be a little bit pregnant, you can't encrypt a file just a little bit. Thus, I say full encryption is great. Encryption protects freedom of communication. Encryption protects property. Encryption was a proper response to government and industry's mishandling of private data.

No comments: