Decryption versus Track Record Issues

Actions by Facebook, Google and Apple have made it very difficult, perhaps impossible, for law enforcement and NSA to obtain the content of cell-phone calls and Facebook’s WhatsApp messaging. The moves were technically simple, but required a marketing decision that they would gain more in public approval for supporting privacy than they would lose through legal consequences from irate law enforcement. The strategy is merely to use an encryption protocol that the NSA has not yet cracked.

Provided Facebook, Apple and Google never possess a customer’s key/password, it is impossible for them to decrypt the communications. Before embracing this strategy, the companies used to supply law enforcement with the communications content when they received a court order to do so. Courts can still issue such orders, but compliance is impossible. Apple, Google and Facebook will regret the move when their marketing ploy means law enforcement cannot locate a kidnap victim before she dies. The public relations battle will be ugly.

UK’s David Cameron unexpectedly announced that he wants President Obama’s concurrence in criticizing social networks that offer encrypted communications which cannot be unscrambled.  The sentiment was no surprise, but taking the plea public was.  Since Snowden made public many NSA documents, it has been clear that about half of the widely used encryption protocols have been cracked, i.e. communications and files encrypted by those protocols can be decrypted by NSA or GCHQ (UK’s equivalent to the NSA).

Cracked encryption protocols include VPNs, Internet Protocol Security, Transport Layer Security/Secure Sockets Layer, Hypertext Transfer Protocol Secure (HTTPS), Secure Shell, Point-to-Point Tunneling Protocol, eChat and eVoIP. HTTPS will be familiar to those who do online banking or purchase from Internet merchants. Banking and brokerage transactions can be exposed.

Protocols that appear to be secure include Tor, CSpace, ZRTP, PGP, TrueCrypt, OTR and GnuPG.  Skype’s encryption has been cracked.  The National Institute of Standards recommends an encryption protocol called Advanced Encryption Standard. It is only somewhat secure because “The NSA has only a handful of in-house techniques” (i.e. NSA cannot always crack it).

The claim that the NSA watches everything is implausible. In some classified presentations, it complains that it needs to collect much more but cannot due to equipment and analyst constraints. Still, NSA stores a huge amount of communications between parties it has cause to believe may be dangerous. Some communications and files are decrypted, but a lot is stored until a time when NSA has the right tools. NSA works in private industry associations to set technical standards it can compromise, and it works covertly with tech companies to embed backdoor access for its own later use.

From the perspective of an innocent victim, the track record of NSA and law enforcement reveals something to be feared – large-scale surveillance (which the public thinks includes them), cracking of encryption protocols (which includes protocols the public relies on), and deliberate weakening of security protocols and products (products the public wants). NSA’s main target may be terrorists and criminals, but along the way innocent civilians are stripped of privacy too regularly and without cause. These personal exposures make it difficult for Americans to quickly agree with David Cameron’s plea for criticism of social networks’ attempt to deliver a little privacy.

Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research