Two British intelligence officials have proposed what they see as a potential solution to a key challenge facing law enforcement agencies — an inability to intercept encrypted group calls and messages through services such as WhatsApp and Signal.
Their idea: Add law enforcement as a “silent” user to the chat or call.
The notion had been discussed privately by Obama administration officials, but until now has never been advanced publicly by a government.
Ian Levy and Crispin Robinson of GCHQ — the British equivalent of the National Security Agency — included the proposal in a paper published last week that offered a set of principles aimed at lowering the temperature of the often-heated debate over how to access digital evidence protected by strong encryption.
The debate has been fueled by the rise of “end-to-end” encrypted apps such as Signal and default encryption on devices such as iPhones. It has simmered for about a decade, occasionally boiling over — as in 2016 when the FBI and Apple battled over access to a terrorist’s locked iPhone.
But there has been no resolution, and Levy and Robinson are hoping their principles and potential solution, published in Lawfare, can nudge the debate forward.
“It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” wrote Levy, who is technical director of GCHQ’s National Cyber Security Center, and Robinson, GCHQ technical director for cryptanalysis.
The provider “usually controls the identity system and so really decides who’s who and which devices are involved — they’re usually involved in introducing the parties to a chat or call,” they wrote.
“You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication,” they said. “This sort of solution seems to be no more intrusive than the virtual crocodile clips” that are authorized today for traditional phone call intercepts.
That idea drew a range of reactions.
“It’s a bad idea,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. Right now services such as WhatsApp notify users when a new party is added to a chat. Suppressing that message would require a change in the system coding — creating “a hole that didn’t exist before,” he said. “That’s the security vulnerability.”
Essentially, Green said, “it’s fact that the app software can now lie to you about who you’re talking to.”
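As an added illustration (not from the article or the GCHQ paper), the toy Python model below shows Green's point that the hole would have to be in the app itself: an unmodified client that binds each message to the recipient set it actually encrypted to exposes a silently added recipient, while a client modified to commit only to the displayed roster hides it. The directory, member names and keys are constructed.

```python
import hashlib
import json

# Constructed key directory standing in for the provider's identity system.
DIRECTORY = {"alice": "pk-alice", "bob": "pk-bob", "ghost": "pk-ghost"}


def roster_commitment(roster):
    """SHA-256 over the exact member->key set a message is encrypted to."""
    canon = json.dumps(sorted(roster.items()), separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def provider_fanout(displayed, silent_extra=None):
    """The provider builds the recipient list for a message. A silent add
    puts an extra key in the fan-out without changing the roster users see."""
    fanout = {m: DIRECTORY[m] for m in displayed}
    if silent_extra:
        fanout[silent_extra] = DIRECTORY[silent_extra]
    return fanout


def honest_send(text, fanout):
    """Unmodified client: binds the message to the recipient set it actually
    encrypted to, so an extra recipient changes the commitment."""
    return {"text": text, "commit": roster_commitment(fanout)}


def lying_send(text, displayed):
    """Client changed as the proposal would require: commits only to the
    displayed roster, so an extra key in the fan-out leaves no trace."""
    return {"text": text, "commit": roster_commitment(provider_fanout(displayed))}


def receive(msg, displayed):
    """Receiver recomputes the commitment from the roster it displays;
    a mismatch means the sender encrypted to someone the roster does not show."""
    return msg["commit"] == roster_commitment(provider_fanout(displayed))


def roster_consistent(silent_extra=None, client_lies=False):
    """True when the receiver's check passes; False when a hidden recipient is exposed."""
    displayed = {"alice", "bob"}
    fanout = provider_fanout(displayed, silent_extra)
    msg = lying_send("hello", displayed) if client_lies else honest_send("hello", fanout)
    return receive(msg, displayed)
```

With an unmodified client a silent add fails the receiver's check; only a client that commits to the displayed roster instead of the real fan-out keeps the extra recipient invisible, which is the code change Green describes.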
Steven Bellovin, a Columbia University computer science professor, said such risks are not theoretical. In what has come to be known as the “Athens Affair,” he said, in 2004 rogue software was implanted by hackers on a Greek cellphone network outfitted with lawful wiretapping mechanisms to eavesdrop on the conversations of about 100 officials. They included the prime minister and the Athens mayor. The hack was never officially claimed, though suspicion has fallen upon the United States.
“Getting stuff like that right is hard,” Bellovin said, referring to building secure wiretapping systems.
Another computer scientist, Lorrie Cranor of Carnegie-Mellon University, said the recommendation “may be reasonable, assuming the access is indeed exceptional and follows appropriate legal processes.”
But, she said, “I would also want users of the system to be made aware that this is possible.”
If users knew their calls and chats might be covertly monitored, however, that could damage trust between them and the app provider. And not “fundamentally chang[ing] the trust relationship” is one of the GCHQ principles.
Another is “transparency is essential.”
If the provider is not telling users that an FBI or MI-6 agent is listening in, says Amie Stepanovich, U.S. policy manager for Access Now, “where is the transparency?”
The comparison to traditional phone wiretaps is inapt, said Susan Landau, a Tufts University computer scientist and former distinguished engineer at Sun Microsystems.
“That’s because the communications being eavesdropped upon in the virtual crocodile clip situation are not designed to exclude silent listeners, whereas communications that are using end-to-end encryption are designed specifically to exclude such eavesdroppers, and users trust the service provider to ensure that,” she said.
The principle that law enforcement “can’t expect 100 percent access 100 percent of the time” is important, said Jennifer Daskal, a former Justice Department official who now teaches law at American University. But, she said, she found “troubling” the authors’ assertion that service providers should respond to government demands for access and “not try to independently judge the details” of the case.
“In most if not all instances, providers will be the only ones in the position to respond to any court order, provide the reviewing court full range of applicable information, and, if appropriate, resist,” she said.
In general, the principles aim for a common ground among privacy advocates and the law enforcement community. They include the idea that “Investigative tradecraft has to evolve with technology” and “targeted exceptional access capabilities should not give governments unfettered access to user data.”
They form “a constructive contribution to the encryption debate,” said April Doss, a partner at Saul Ewing Arnstein & Lehr and a former counsel for intelligence law at the NSA. She liked how they noted that the problem of intercepting a live conversation is different from that of gaining access to an encrypted device, and thus the solutions could look very different.
“It’s important to have all the stakeholders come together and look for shared solutions,” Doss said, “because both sets of equities really matter.”
But, as Robinson and Levy noted, “details matter.”
And so far no details have emerged that satisfy cryptographers and security experts that the security risks are worth the law enforcement gains.
PINGED: North Korean hacking is ramping up. Cybersecurity expert Dmitri Alperovitch tells me that North Korean government hackers have sent spearphishing emails to a Western manufacturing company, suggesting the country is expanding beyond its traditional set of financial targets and traditional motive of financial gain. “It could be espionage activity,” said Alperovitch, co-founder and chief technology officer of CrowdStrike. He said he’s also seen intrusions into payment system companies, showing that the North Koreans are moving beyond hacking of banks and cryptocurrency targets in the West. “The big picture is North Korea continues to be a world actor in cyberspace and that the charm offensive toward South Korea and the United States has not curtailed their malicious cyber activities,” Alperovitch said.
PATCHED: There may be a wave of attacks from Iran, too. Former NSA deputy director Richard Ledgett, in a 2019 threat forecast, said he expected that Iran is “likely to ramp up” its malicious cyber actions now that the United States has withdrawn from the 2015 nuclear agreement. “I have no doubt that they are planning to use cyber means in the way they did back in 2012-13 against the U.S. financial sector in response to the nuclear sanctions,” he said, referring to massive denial-of-service attacks against the banks. “I expect they will be doing something in the not too distant future, in line with their timeline.”
Speaking in a CipherBrief webinar yesterday, Ledgett also noted that China is not abiding by a 2015 agreement to stop conducting cybereconomic espionage. “Whatever slowdown happened, that slowdown has stopped,” he said. “They are back full speed.” He said China is the most prolific when it comes to data theft. “When they turn it on it’s quite a sight to see,” he said. “They’re very very active now, all around the world — including in the United States, including intellectual property.”
PWNED: While the Marriott breach is potentially among the largest breaches of consumer data in history, it is not the first security blunder the hotel giant has experienced, Forbes’s Thomas Brewster reported. “Prior to the four-year-old breach being discovered, Marriott suffered at least one previously unreported hack, including an infection that hit the company’s own cyber-incident response team, Forbes has learned,” Brewster wrote. “And there’s evidence Russian cybercriminals have breached Starwood Web servers.” Independent cybersecurity researchers spotted a security breach that affected Marriott in 2017, according to Forbes. “A source familiar with the event told Forbes that Marriott’s Computer Incident Response Team (CIRT) was compromised thanks to a mistake by a contracted cybersecurity vendor that was supposed to be protecting the hotel giant,” Brewster reported.
Alex Holden, founder of the information security company Hold Security, told Forbes that Starwood has also suffered several security incidents. “He sent Forbes screenshots that appeared to show cybercriminal access to Starwood corporate portals,” Brewster reported. “The images presented a control panel used by Russian criminals to run a network of hacked servers, also known as a botnet. Six of those servers were hosting various starwoodhotels.com domains.” And there is more, according to Holden. “Going back to 2014, the year when Marriott said Starwood’s network had been hacked, Holden claimed there was a serious vulnerability on the company’s website,” according to Forbes. “Known as an SQL injection bug, it could’ve been exploited to gain access to Starwood databases.”
— “Influence agents were responsible for roughly 25% of political support spread via Twitter for candidates in the Arizona and Florida midterm elections, researchers report,” according to Dark Reading. “A new body of research by Morpheus Cybersecurity and APCO Worldwide, entitled ‘Impact of Influence Operations Targeting Midterm Elections,’ explores the effects of disinformation campaigns. They analyzed hundreds of thousands of retweets from thousands of accounts, looking for non-organic behavior – for example, high numbers of daily tweets for a long time frame.”