The debate over the use of strong encryption in mobile devices and other communications methods can be a difficult one to understand for casual observers. Encryption is the most complex of security disciplines, but there can be no clearer picture of what a backdoored encryption system would look like than what’s emerged this week from a complex organized crime investigation in Canada.
That case, which involves alleged organized crime operatives from New York, hinged in part on supposedly private messages sent and received by the suspects in the killing. Those texts were sent using BlackBerry devices via the company’s BlackBerry Messenger system, which encrypts messages from end to end. However, the Royal Canadian Mounted Police were able to intercept and decrypt those messages–more than a million in total–and used the plaintext messages in the subsequent trial.
“Over one million private messages were intercepted and analysed as evidence using the PIN to PIN interception technique. This was the first time that this technique was used on such a large scale in a major investigation in North America,” the RCMP said in a statement at the time of the arrests in 2014.
But how did the RCMP decrypt the BBM messages? The answer, apparently, is with the master encryption key hardcoded in consumer BlackBerry devices.
“[T]he RCMP maintains a server in Ottawa that ‘simulates a mobile device that receives a message intended for [the rightful recipient]’,” according to a report Thursday by Vice’s Motherboard.
How the RCMP obtained the master key isn’t clear, but the options are limited. BlackBerry could have handed it over, either under government order or voluntarily, or the RCMP got it surreptitiously. In either case, the result is the same: massive interception capabilities for encrypted traffic. In the age of pervasive encrypted communications, this is the dream scenario for law enforcement agencies. And it’s the nightmare scenario for consumers.
The FBI just spent several weeks fighting Apple in the courts and the media over the ability to unlock one encrypted iPhone. One. The bureau wanted Apple to write and sign a version of iOS that didn’t include the security protections that the company has spent nearly a decade developing. Full-disk encryption is at the heart of iOS security, and Apple officials and engineers saw any attempt to undermine that, even for just one device, as an assault on the work the company had done, as well as on the privacy of its customers. What starts with one device could quickly turn into a continuous stream of demands from the FBI and state and local law enforcement agencies.
“I don’t know where this stops, but I do know this isn’t what should be happening in this country,” Apple CEO Tim Cook said of the case.
Meanwhile, a pair of senators have introduced a bill that would have the effect of banning American companies from offering services that employ end-to-end encryption. The Burr-Feinstein bill requires vendors and communications providers to “provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data.” In other words, if vendors are going to offer encrypted services, they have to make sure they have a back door for law enforcement or a master key they can hand over on demand.
Encryption isn’t a tool for just the paranoid and privacy conscious; it’s a vital technology for protecting both users and their data in many different scenarios. Human rights activists, journalists, students, and many other people use encrypted email, SMS, and other services for sensitive communications. And hundreds of millions of people rely on encrypted services every day, often without even realizing it. The encryption protects them from eavesdropping and from attackers of all kinds. The security is woven into the fabric of services such as Gmail, iMessage, and sites served over HTTPS connections, services that users have grown to trust implicitly.
If technology companies are forced to betray that trust, whether on a large scale through a bill such as Burr-Feinstein, or bit by bit in a string of individual cases, everyone loses. Users lose the security and privacy they’ve come to rely on, vendors lose the trust they’ve built with their customers and the work they’ve done to build secure tools, and law enforcement likely will lose whatever goodwill they may have accumulated with vendors over the years.
No one wins.
Image from Flickr stream of Jan Kalab.