Encryption plays a critical role in protecting our data from hackers and theft. But at the same time, it presents a challenge for law enforcement when it comes to their work catching dangerous criminals and terrorists. What are the possible options at the end of the encryption debate, and are any of them actually viable? How can we protect our data while still enabling law enforcement to do their jobs? Erka Koivunen, CISO of F-Secure, stopped by for episode 42 of Cyber Security Sauna to discuss the encryption “sweet spot” that we’ve currently found, why some parties want to change it, and why there are no easy answers.
Janne: Welcome, Erka.
Erka: Thanks for having me, Janne.
So Erka, you’ve talked about encryption before.
Yeah, I got fascinated about encryption in the nineties already. I’ve been mostly interested in the societal aspects of cryptography lately, since I’ve seen quite concerted attacks against the freedom of businesses and individuals on using encryption.
You’re doing a horrible job tooting your own horn. You’re not mentioning the UK parliament or anything like that at all.
I was invited by the British parliament, actually. They had a joint committee when they were deliberating the Investigatory Powers Bill, back in the day. So they invited me to give evidence on encryption. And I was happy to explain how what they were planning to do was horrible. They were nicely listening, and they paid no attention to my opinions.
I was also participating in the European Union Commission panel on the dual use aspects of encryption and similarly, the European Commission noted that this guy from Finland appeared and they paid no attention to what I was telling. So I have a good track record of being listened to, but not necessarily followed.
Well, that’s all any one of us can ask for. But you sound like the right person to briefly summarize what the encryption debate is all about.
From the technology, and from the mathematics point of view, we have gotten to a point where good quality encryption is now available. And good enough quality would in this context mean that if I choose to protect some piece of information and some communication with quality cryptographic means, it is too costly for the adversary to try to break that encryption in a reasonable amount of time. So everybody on this planet currently has access to technology and know-how on good quality encryption. And this is unprecedented in our times.
And of course, this makes a bunch of authorities unhappy because quite many of those intelligence gathering mechanisms and law enforcement, investigatory methods have been built around the notion that the authorities would be given access to people’s communication and data, regardless of how it was protected, in case there is a legitimate need to obtain that access.
If there’s good quality cryptographic protections, there’s nobody but the actual person of interest that the authorities are now tracking or trying to interrogate. So nobody else would be in a position to decrypt the material. So that makes, of course, the authorities a bit unhappy, and that discussion has been going on for centuries. And only now the small people, the citizens and the individuals, are in a position to utilize encryption without having to ask for permission.
Yeah. So before, when regular citizens tried to encrypt their information so that it wasn’t available for law enforcement, law enforcement was just like, “Oh, you sweet summer child,” and just cracked it anyway. But now they can’t do that anymore.
The implementations, they were either weak because the computing power was not that abundant in the past, or they were artificially weakened. So they were basically either backdoored or they were deliberately written to be faulty so that the authorities would be in a position to crack the conversation open.
Okay. Well, let’s look at some of the ways of approaching this thing. So what if we just capitulate to law enforcement, establish a world without any encryption whatsoever? What does that look like? What services currently are relying on encryption, and how would those services then have to change?
Well, I guess if we let go of encryption altogether, we would end up having a Chinese internet, in effect. So we kind of currently expect that when we download a piece of software or an app to our devices, we know who has released that piece of software. And we know that at least somebody has done their best to ensure that the composition of that application is in a known state and it’s as secure as possible.
So this is called signing, cryptographic signing. So, when we currently expect that an application that we download from an app store is what it says, there’s lots of cryptographic signing and identity checking and signing algorithms taking place so that we can trust at least the application store owner and the original vendor of that application.
So if we would remove these protections, we would need to verify each and every piece of software that we download by hand on our own. And we’re not qualified to do that. If we want to communicate with others, without encryption we would not be in a position to even validate who the other party is, and if there are an extra pair of ears listening in to that conversation. So there’s that confidentiality aspect also at play.
So every time you use the library or a cafe Wi-Fi to log onto the internet and then go to your Facebook page, you’re just sort of relying on the world to be a decent place, and that you’re actually on Facebook’s page and not a scammer’s page that just happens to look like Facebook.
Pretty much. And even going further, we are expecting the world to be a messy place. We are expecting there to be people who want to man-in-the-middle the traffic. They want to alter. They want to reroute, redirect. They want to display to you false content.
And with encryption, even when we’re connecting to an untrusted network, and even when all the traffic is being routed through networks that we have no ownership and we have no control over, we can trust that the content that we requested is the same content that we’ve received. And the party that we are discussing and having an exchange with is who they claim to be and they remain so during the length of the session.
Okay. So no confidentiality, no integrity. What about availability? If we lived in a world without encryption, how would companies store their data?
Well, if you cannot rely on the fact that access controls are being enforced with the help of encryption, or if the identity management and authentication would rely on good faith, you would not be in a position to even share anything. So the availability aspects, primarily in reference to encryption or cryptography, from my point of view, they rely on the fact that we can trust the platform enough to be able to share content, share material with the knowledge that only those who are allowed to access the data can do so.
Okay. So this doesn’t sound like a world that we, as a society, could even live in, even if we wanted to. Putting aside even the fact that like, how would you even abolish encryption entirely? Even if you outlawed encryption, surely criminals would then, you know…Criminals are not known for their respect of the law.
That’s true. The laws, like locks, they are there to keep the honorable and the law abiding people from doing nasty and silly things. The criminals will not follow the law. They will not respect your kind request not to read your email.
No, and once the math is out there, you can’t put that genie back in the bottle.
Yeah, fair point. Coming from an engineering community, I always find it a bit laughable when the legislative body or the judges try to rule something that is physically impossible. So the law cannot dictate whether a mathematical algorithm or equation exists or doesn’t exist. So the cat is out of the bag already in terms of quality encryption.
But then recognizing that of course, the law can shape the market. So the supply and demand aspects of which types of services the service providers are pushing out, what type of software, what type of hardware is made available to businesses and consumers and nation states. That of course is what the law can affect. And yeah, this is where legislation like dual use or export control comes in.
Yeah. And then we just hope that there isn’t some sort of like a dark market where the criminals can meet and trade in unlicensed software and hardware.
And even if there is, and there are, with that type of an activity being outlawed, at least there’s something that the authorities then can utilize to provide them with investigatory powers, and they can then indict people when they learn of their identity and are able to catch them.
All right. But then again, like the law enforcement agencies, for example, they’re not talking about abolishing encryption entirely. The solution they’re often providing is let’s just install these law enforcement backdoors in all the current encryption communication methods so that law enforcement can eavesdrop on the bad guys, not the good guys, but just the bad guys, and everything will be great. Now, on principle, sure. But how would that even work? How do you backdoor an end-to-end encrypted message platform? What would that look like?
So a backdoor might be an artificially weakened implementation of an encryption algorithm. So people and the organizations that are using that product to protect their data, they might assume that it’s working, and it probably is producing so-called ciphertext. So the material that you put in will be scrambled and it would be unrecognizable so it appears encrypted. And yet the authorities that are behind this scheme, they would have inside knowledge in terms of where the weaknesses are. So they would be able to, for instance, just throw computing power to that problem and decrypt the conversations, maybe even in real time. That would be one way of introducing a backdoor.
Some systems would implement a backdoor in a fashion that even though the information is protected by quality encryption, you would be in a position to just approach the system and speak some magic words. And it would then recognize you as an insider or a participant of the conversation or otherwise authorized person, and they would just provide you with decryption keys. So you would be in a position to obtain the original content without having to go through the trouble of decrypting it.
There’s even all these schemes about every two-way conversation being actually a three-way conversation with the third party, sort of keys held in key escrow or something like that, where they would only be released to law enforcement after a court ruling or a warrant, or something like that.
Yeah, that’s a concept called additional decryption key. Sometimes I refer to them as parasitical keys.
It doesn’t sound like you like the idea.
I hate the idea. But to be fair, from a service provider’s point of view, if you allow people to store data or carry conversation on your platform and you would be providing them with so-called end-to-end encryption, then you open up avenues for misuse, like child exploitation, you’ll get criminals scheming their criminal plans. So there’s a certain level of ethical dilemma on the service provider’s point of view.
But we already talked about how the criminals don’t always respect the law. So even if we backdoor all the currently available legal applications and tools, why can’t the criminals just make one of their own? Like we said, the math is not going away. They know how that stuff is made. So why can’t they just make their own?
There are logistical problems with that. Of course, if you are tech savvy, you can create your own tools, but you would also create a wide enough user base for that tool. We already have prior examples of the Al-Qaeda and ISIS fighters using encrypted communications tools of their own making, which turned out to be buggy. Not necessarily backdoored, but they were buggy, because it’s extremely difficult to get encryption right. There’s key management problems. There’s session management problems. And then you would need to be able to accommodate different types of endpoints with different capabilities and configurations.
So if law enforcement and if the governments want to shape the market, they of course go for the big players. Probably it was in February, there was a two-part podcast of the New York Times where the problem of child exploitation on online platforms was being discussed. And it was quite shocking to find that a large majority of those voluntary reports by the service providers to law enforcement, a large majority of those reports came from Facebook.
The reason is that the Facebook Messenger chat or the private groups in the Facebook app itself, they are not encrypted end-to-end. So Facebook as a service provider has an ability to see the contents of that exchange. And of course, Facebook, they have lots of algorithms and machine learning and artificial intelligence going through that content. And as such, they have an ability to spot illegal activity as well. And they are doing that and they are helping the community by reporting those cases.
So Facebook sort of has…Well, it’s not even a backdoor, it’s the front door into those conversations and are able to then do exactly what law enforcement wants us to do to sort of report to them, and law enforcement has access to those discussions and can capture and prosecute these individuals.
Absolutely. And I think this is something that we, as an end user community should even applaud. And now Facebook has been quite open about the fact that if you use Messenger, and if you post something to Facebook, they have an ability to read the content and they have these so-called community rules that they want to uphold, so you are not able to incite violence. You’re not able to share exploitative material and you are not going to be able to share hate speech on their platform, which is a good thing.
Here’s where the ethical and technological dilemma comes into play. Facebook has plans to start deploying end-to-end encryption more widely on their platforms. And of course, the law enforcement and the child protection community is outraged because that would essentially dry up that source of reports about criminal activity. And of course, one argument is that Facebook finds the burden of having to track criminal activity on their platforms too big. They find that it’s too burdensome to report those occurrences to law enforcement, and it’s too burdensome for them to assist in investigations.
So one argument that I’ve heard is that Facebook is now seeking to kind of clean their desk by way of deploying encryption. And while from the technology point of view, I would applaud the fact that yeah, the world is being made a better place by more widespread use of quality encryption, there’s also the more human side in me that sees that, yeah, there’s criminal activity, serious crimes taking place on that platform. And now the service provider is willing to turn their blind eye on that, not necessarily for the reasons that I subscribe to.
And this is something that each and every service provider who is in a position to act as a middleman, if you will, they would need to have serious ethical discussions amongst themselves. Where do they draw the line?
Yeah. Well, okay. Let’s say we leave the ethics to the Ethics Sauna Podcast, and sort of get back to the backdoors of law enforcement. So, they have access to this. They have the third set of keys or whatever. So how do we make sure now that only law enforcement has that access? Because we see criminal hackers accessing systems they’re not supposed to access all the time.
Well, we don’t. The arrangement that I described in terms of what Facebook is doing and what Apple is doing in terms of iCloud backups, that pretty much relies on the processes and access control mechanisms of the service provider. So it’s not that much a thing and discussion about whether encryption takes place or not. It’s the procedures in terms of who is being then granted access to that wealth of information.
I guess it’s quite useful to compare the approach of Apple and the approach of Facebook. Apple is stating that whenever they are storing your iCloud backups, they are not actually going through that material because they claim that they don’t have any monetization schemes that they would need to go through that material with.
Whereas Facebook is applying really advanced artificial intelligence algorithms so that they can profile who you are, what is it that you’re interested in. So we already know that Facebook provides wide access to that data. We expect that Apple is extremely conservative about to whom they are giving access of that information, but at least they have means to do that.
And now in the European Union, there is this so-called E-evidence Act being prepared where law enforcement would want to have a single service point to be established, where the companies can cater to those law enforcement requests regardless of where those requests come from.
As a company, F-Secure has opposed this proposition because a company of our size and smaller, we’re ill equipped to determine whether a Bulgarian or Polish or French authority has a legitimate need to access that data. And whether that is applicable to the seriousness of the crime that they are investigating.
Well, that was going to be my next question. Like if we have these law enforcement backdoors, do we then just make them available for all law enforcement agencies or just some, and who gets to choose?
That’s a fair point. And of course there’s going to be lots of pressure, lots of coercion taking place. The more dictatorial the government is going to be, the more difficult it is for the companies to then refuse those access requests. And the more economic power the government has, the more compelling mechanisms they have to make the companies comply.
And we see that if you want to conduct business in China, you need to modify your service so that it would provide this exceptional access to law enforcement and you would even need to modify your systems so that the censorship laws would be taken into account. So yeah, there’s quite a lot that a government can do either through legislative means or by applying commercial pressure towards companies.
Our ability to enjoy the benefits of quality encryption, that is quite a novel thing. You could even argue that we have only been able to enjoy encrypted communications easily since 2016 when WhatsApp unilaterally turned on end-to-end encryption.
And looking from a historical perspective, this era that we currently live in and this ability for us to enjoy quality encryption, this is something of an anomaly that the authorities and many lawmakers would want to be reversed quickly. They have enjoyed centuries and decades of unrestricted or mildly restricted access to personal and private communications. And for the last four years, they have had it pretty rough.
No, I get that. Okay, so we can’t get rid of encryption entirely, and you’re not huge on law enforcement backdoors. But you seem to be thinking that there’s maybe a way we could, like that the benefits of having proper law enforcement outweigh maybe some of the privacy concerns that people have. So I guess the only existing option is then some sort of marriage where we can do effective law enforcement, but coexisting with the tools for privacy and strong encryption. Is that correct?
Well, I think you’re right. And there has to be a balance, and I’m the last person to advocate that this is a purely technical topic. From a technical community point of view, we should be allowed and given an ability to continue utilizing cryptographic means as they are supposed to work. So they are not supposed to be backdoored. They are not supposed to be artificially weakened.
But from a business and commercial point of view, there has to be a debate about which areas of life, which areas of business, would we need to be able to open up for big brother, if you will, so that the criminals can’t get away with hiding.
But there is also a requirement that the governments stop misbehaving. So in the current situation, there’s little trust that these added investigatory powers would be used wisely. There’s little trust that government would be in a position to protect the access that they have to the data, and they would be tempted to be expansive in their interpretations.
So now that from the service provider community there are no guarantees to where the limits are going to be, the natural response would be that hell no, you’re not getting anything.
We have been stuck with that debate in the past years. And we’ve seen commentary from the U.S. Senate where the senior lawmakers have had enough with that, and they are now trying to move the needle. They are trying to advance that conversation by force.
There is an argument that pops up every now and then that I find incredibly unhelpful. And that’s when somebody ambles to the podium and says, “Well, I have nothing to hide. I don’t need encryption for anything.” Wouldn’t that just lead to a world where just the fact of having encryption would be suspicious? Is this really what we want?
Well, definitely if we want to get back to the old times when anything with cryptographic implementations would have been suspect, this would be the time when the so-called Wassenaar Arrangement that is meant to limit the proliferation of so-called dual use items, items that you could use both in civilian and military context. So, in the old times, anything with encryption in it was seen as a weapon and the public was not allowed to enjoy those tools.
Currently, there are lots of exceptions that make it possible for us to have secure net banking. It is possible for me to have a WhatsApp call with my father, without having to explain the mathematical foundations and the computer quirks of protecting that conversation to a 70 plus year old person. So for a moment, it seems that we found that sweet spot, but yeah, there are powers that want to change the status quo.
I’ve got to tell you, it doesn’t sound like we solved this problem in this podcast, but maybe at least we’ve brought some sort of clarity or highlighted some of the key arguments from all sides. So, thank you for being with us today.
Thanks for having me, and sorry about not being able to bring clarity over this topic. It has been puzzling me since the nineties. I’m expecting that I will retire with the sense of confusion.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.