How the FBI Could Damage Everyone’s Security Online

The recent furore between Apple and the FBI over access to the San Bernadino shooter’s iPhone has brought privacy debates firmly into the public eye. Despite tech giants, politicians and privacy campaigners explaining the potential ramifications of the case, many people are still sitting on the fence. A recent survey by the Pew Research Centre found that the majority of Americans side with the FBI and believe that Apple should comply with its demands. I find this deeply concerning because it shows how easily our collective privacy could be eroded in the name of national security, and also how little most people seem to understand the encryption technologies which protect us all.

As the UN high commissioner for human rights explained recently, encryption is vital to freedom of expression and opinion, and without it, lives may be endangered. Currently, the only way to communicate securely online is to encrypt everything, so that even if your data were to be accessed by someone else, it would remain private. But any process that weakens the mathematical models used to encrypt data will make the whole system less secure, because it will also weaken the protection. The FBI believes it can manipulate security in such a way that only it can take advantage of that subversion, but this is a fallacy. This is why Apple talks of the San Bernadino case setting a dangerous precedent. While it is possible to create an entirely new operating system which undermines the iPhone security features, there is no way to guarantee that this will not one day be used by someone other than the FBI. There is no way to determine when an attacker could discover a vulnerability, and once accessed, exploit it to harm anyone using that connected device, service or system. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it. Backdoors will be exploited by anyone, not just the US Government.

Just like the Snooper’s Charter proposals here in the UK, these demands also force tech companies to make a difficult ethical decision. How can you tell your customers that your products are secure, but also knowingly compromise that security by building backdoors, weakening encryption and storing personal data on a huge scale? Complying with this kind of warrant equates to a catastrophic invasion of customers’ privacy, and has historically required tech companies to collude with the Government and then essentially lie about it to their customers by not disclosing it to them.

The Snowden leaks revealed how the National Security Agency in the United States convinced Microsoft to make changes to security on its Skype program to make it easier for the NSA to eavesdrop on conversations. We also know from the Snowden leaks that the NSA subverted a government standards process to be able to break encryption more easily. Leaked documents revealed that the agency planted vulnerabilities in a cryptographic standard adopted in 2006 – effectively inserting a backdoor by writing a flaw into a random-number generator which made it easier to unscramble numbers generated by that algorithm and crack technologies using the specification.

This kind of Government coercion doesn’t just damage the products and technologies in question, it damages the trust in the Internet entirely. Internet governance was historically left largely to the United States because most people assumed that they were focussed on ensuring the security of the Internet, rather than using it as a means of surveillance. The Snowden revelations quashed that belief, and the system is now in turmoil. Some of the potential applications of the Internet that would benefit citizens and entrepreneurs have already been stymied by unresolved trust issues. E-Voting has stalled and migration to the cloud is suffering. For the Internet to continue to grow and flourish, we need to re-establish the foundation for trust.

For trust to be effectively restored, users need to believe that the systems they use online are not part of a government program to spy and snoop on its citizens. Part of the problem is architectural – the single points of failure within the outdated public key infrastructure that governs so many of the so-called secure connections to the Internet mean that vulnerabilities are rife and well-established.

But advances in pairing-based cryptography are paving the way for a new system, where a private key can be split into several different parts, eliminating the single point of failure that exists in the current system. This means that governments wanting to access that key for surveillance purposes would have to fight across multiple different legal jurisdictions in order to gain access. Even better, individual organisations may soon be able to choose how their root key would be split, empowering them to choose geographies which they feel are least likely to allow Government access. These kinds of changes put power back into the hands of the individual and give users valuable new tools in the fight to keep our data secure. We all own the Internet, and we need to fix it together.

Brian Spector, CEO, MIRACL