Same old story: 40 years of debating encryption

 

The encryption debate is heating up once again, even though previous disputes resulted in a consensus that it is critical to security. In his guest blog, cybersecurity researcher Matthias Schulze maps out past attempts to control encryption from the Cold War era to the present days.

 

Cold War era – The battle of intelligence agencies and researchers

When US researchers Whitfield Diffie and Martin Hellman theorized openly about public key encryption with asymmetric keys in 1976, warning bells must have started to ring at GCHQ, Britain’s top-secret signals intelligence agency. The technique of Diffie and Hellman promised almost unbreakable encryption – and it was also discovered around that time by British intelligence agencies. However, GCHQ kept it top-secret in order to keep it away from the Cold War enemy, Soviet Union, and maintain NATO’s ability to listen into the Kremlin’s communication. For the very same reasons, the US National Security Agency launched a secret initiative to cut off government funding for encryption research outside their walls.

While intelligence agencies were desperate to keep encryption top-secret, academics, led by Diffie and Hellman, argued that science demands that such powerful knowledge should be discussed and evaluated openly. For the first, but not the last, time in history, the “going-dark” concern was born: intelligence agencies feared that all communication would be encrypted and thus unreadable for them.

Around the same time, the personal computer revolution began and the problem of cyber-crime or hacking became visible. As a tool that made communicating via public networks secure, encryption was too useful against these threats. A ban was not feasible. Instead, NSA classified cryptography and began to lobby for limiting its export.

1990s – Clipper chip failure & consensus on strong encryption

In 1993, the same year the World Wide Web started to spread globally, NSA proposed adding the Clipper chip to telephones. The aim was to fight criminals and giving agencies access to their communications by a chipset with a built-in backdoor access. With this chipset, the encrypted communication was accessible not just for the sender and recipient, but also for the government who held a third key in escrow in a secret database.

The Clipper chip proposal followed a clear logic: if encryption was too valuable to be banned, it should be influenced in NSA’s favor by setting a government standard that industry had to adopt in telephones and computer systems.

In 1994, a fierce public reaction followed, opposing the Clipper chip due to security reasons and fearing that the Internet could spread with an inferior technical standard in place. After a security researcher discovered a vulnerability in Clipper, a consensus was born. Law-makers, the public and the research community agreed that systems with built-in backdoors are fundamentally less secure than those without. Backdoors do not exist just for law enforcement, but also for hackers and intelligence agencies from other states. As a result, the US began to ease controls and the funding of secure communications technology such as the Tor Project.

In 1999, Germany also published a policy paper mandating safe encryption and promising not to interfere with technical standards or banning encryption, but instead promoting its widespread use.

2000-2016 – The encryption debate starts again

Unfortunately, this consensus did not last very long. After 9/11, both democratic and authoritarian states launched enhanced surveillance initiatives and governments, yet again aimed to restrict the widespread use of encryption. Countries like China, the United Arab Emirates or Iran arguably were the first, by VPN-blocking or banning the use of encrypted services. The NSA and GCHQ began to undermine encryption standards with classified programs like Bullrun and Edgehill. These were not the only initiatives: in 2013, Edward Snowden revealed the existence of multiple other programs.

In the past years, we could see a coordinated campaign of Western democracies arguing that due to national security reasons, governments should have access to encrypted communications, either via backdoors or via software exploits:

  • After the San Bernardino attack last year, the FBI started to lobby against Apple’s iOS security because it prohibited brute-force attacks guessing the passcode of iPhones. At the same time, the Burr-Feinstein proposal wanted to mandate that tech companies build backdoors to their products. Eventually, the bill was not introduced.
  • In January 2015, UK’s Prime Minister Cameron launched a proposal to ban end-to-end encryption in messaging services such as iMessage to deny criminals a “safe space to communicate”.
  • In summer 2016, German security minister Thomas De Maiziere and French interior minister Bernard Cazeneuve joined the chorus, demanding exceptional access for law-enforcement especially in encrypted messaging apps (WhatsApp and Telegram).

At the same time, events like the Arab Spring of 2011 demonstrated how state surveillance and hacking could be used against citizens and that encryption is an important, privacy-enhancing tool for journalists and activists worldwide.

What next? – Privacy and security require strong encryption

In 1994, a vast majority of citizens and politicians opposed the government regulation and/or weakening encryption for very good reasons. It was perceived as an unreasonable and potentially dangerous intervention on digital technologies.

Strong encryption is required not only because of privacy but also national security. Former head of NSA, Michael Hayden, for example, argued convincingly in March, 2016: „the number one threat facing America is the cyber threat …I think the government has a right to demand this [weakening encryption], I just don’t know if its a wise thing for the government to demand this. My judgement is that we are probably better served by not punching any holes into a strong encryption system, even well-guarded holes.

Although almost all the arguments of the Clipper debate are still valid, 2016 seems not to be a time of reason and careful evaluation. Except for the experts and the tech community, there is no grass-roots momentum against exceptional government access and the weakening of encryption.

A number of countries, both authoritarian and democratic ones, want to restrict the widespread use of encryption under the pretense of counter-terrorism. This is potentially dangerous because, in the worst case, it could lead to an international initiative prohibiting encryption. If the European Union, with its focus on human rights, privacy and freedom of speech, will not act as a steward of privacy-enhancing encryption, no one else will.

About the author

Matthias Schulze is Ph.D. researcher in international relations, working on state surveillance, cryptopolitics, cyber-security and cyber-war. He currently writes his thesis “From Cyber-Utopia to Cyber-War. Advocacy Coalitions and Normative Change in Cyberspace”, where he analyzes the evolution of Internet control practices such as surveillance or state-hacking in liberal-democracies. You can follow his English-German blog Percepticon and contact him at matthias.schulze@mailbox.org.

Sources

Abelson, H., Anderson, R., Bellovin, S. M., Benalo, J., Blaze, M., Diffie, W., . . . Weitzner, D. J. (2015). Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications. Computer Science and Artificial Intelligence Laboratory Technical Report, MIT-CSAIL-TR-2015-026.

Bari Kolata, G. (1980). Cryptography: A New Clash Between Academic Freedom and National Security. Science, 209/4460), 995-996.

Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE transactions on Information Theory, 22(6), 644-654.  

Hayden, M. V. (2016). Hayden: The Pros and Cons of Access to Encrypted Files

Inman, B. R. (1979). The NSA Perspective on Telecommunications Protection in the Nongovernmental Sector. Cryptologia, 3, 129-135. doi:10.1080/0161-117991853954

Kehl, D., Wilson, A., & Bankston, K. S. (2015). Doomed to repeat history? Lessons from the Crypto Wars of the 1990s. Report from the New America Foundation.

Levy, S. (1994c). Battle of the Clipper Chip. The New York Times

Nakashima, E., & Peterson, A. (2015). Obama faces growing momentum to support widespread encryption

Rid, T. (2016). Maschinendämmerung: Eine kurze Geschichte der Kybernetik. Propyläen Verlag.

Senate, U. S. (1994). The administration’s clipper chip key escrow encryption program: hearing before the Subcommittee on Technology and the Law of the Committee on the Judiciary United States Seneate.

Suggested posts