Tip of the iceberg
SECURITY SHELF


Clipper used the Skipjack algorithm developed by the National Security Agency. Each communication secured by Clipper included a 128-bit “Law Enforcement Access Field” that uniquely identified the chip and would allow law enforcement agencies to obtain the required decryption key. This big brother approach ensured US government access to encrypted communications and also provided unencrypted metadata uniquely identifying the involved devices.

Widespread opposition to Clipper eventually sank the initiative. Within the United States, cryptographers and organizations such as the Electronic Privacy Information Center and the Electronic Frontier Foundation challenged the Clipper Chip proposal. It also rapidly became apparent to US manufacturers that incorporating Clipper into their products would create significant issues abroad. For example, at one RSA Conference, a representative of the German government referred to the potential import of Clipper Chip-containing products into Germany as a “violation of German sovereignty.”

Since the demise of Clipper, the US government (accompanied by close allies) has taken a more covert approach by influencing standards, quietly partnering with vendors, and using secret court orders. However, in the wake of global surveillance revelations and widespread awareness of law enforcement intrusion into our private lives, major vendors like Apple are changing their approach.

Apple’s latest mobile operating system, iOS 8, includes new strong cryptographic protection for data on iPhones, iPads, and iPods. If users choose a sufficiently strong passphrase it will be impractical for an adversary to retrieve messages, contacts, photos, and other information. While consumer demand may have contributed to the improved data protection, Apple’s primary motivation is more likely to sidestep sticky legal and customer relations issues. Rather than facing secret court orders pitting them against their customers, Apple is placing the keys solely into their customers’ hands. Law enforcement agencies must now deal directly with the device user instead of involving Apple. Google is reportedly moving in the same direction.

Law enforcement has been critical of Apple’s improved security. For example, the Washington Post reported that John J. Escalante, chief of detectives for Chicago’s police department, stated, “Apple will become the phone of choice for the pedophile.” What he apparently fails to understand is that the average soccer mom also deserves to have her information protected from criminals.

While government agencies operate on the right side of the law, many of their methods are identical to those used by criminals. The same technical controls that prevent a criminal from extracting personal information from a stolen iPhone also stop law enforcement forensic specialists.

Governments must acknowledge that they are largely the cause of the cryptographic advances against which they loudly protest. Revelations by Snowden and others have publicly demonstrated that the Internet has become a global surveillance platform. The US government’s secretive assault on Lavabit clearly displayed that they are willing to breach the privacy of more than 410,000 customers to target one individual. Law enforcement agencies have developed a culture of entitlement around data on a suspect’s mobile phone; only recently did the US Supreme Court rule that a warrant was required. Closer to home, our Conservative government is ramming Bill C-13 through the House of Commons despite the fact that the Supreme Court of Canada has ruled that some components of the proposed law are unconstitutional.

Apple’s enhanced cryptography in iOS 8 is just the tip of the iceberg. Rather than become embroiled in controversy surrounding their customers’ private data, other savvy companies will place cryptographic keys in the hands of their customers and have no data to offer in response to court orders. This approach will become the standard for email and cloud service providers as US-based companies seek to regain global customer confidence.
