Report: Encryption Is No Hurdle to Targeting Bad Guys

"[T]he FBI and other government agencies are facing a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications," wrote FBI General Counsel Valerie Caproni in 2011. She fretted over the growing sophistication of encryption technology and its use by the general public. "We call this capabilities gap the 'Going Dark' problem."

Caproni insisted the government needed to "find a solution that restores and maintains the ability of law enforcement agencies to intercept communications and collect related data."

Three years later, FBI Director James Comey repeated the warnings of a world of electronic communications slipping beyond the government's reach. And then last year, he called for "a productive and meaningful dialogue on how encryption as currently implemented poses real barriers to law enforcement's ability to seek information in specific cases of possible national security threat."

Oh, you poor feds. Don't panic! Really—that's the title of a new report from the Berkman Center for Internet and Society at Harvard University. Prepared by security and policy experts from inside and outside government, the authors cast a skeptical eye on Comey and company's warnings that they're wandering blind into a privacy-shrouded world—and their demands for legal limits on people's ability to ward off snoops.

"Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible?" the report asks. "We think not."

It's not that encryption isn't being embraced by those with a serious aversion to folks looking over their shoulder, the report notes. "Short of a form of government intervention in technology that appears contemplated by no one outside of the most despotic regimes, communication channels resistant to surveillance will always exist."

But that's not as big a deal for most of the population as the "going dark" crowd would have it. The majority of online services are likely to resist adopting end-to-end encryption "because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality."

At the same time, that user data is becoming available from more and more components integrated into people's lives. The "Internet of everything" ensures that televisions, cars, thermostats, and widgets of all sorts provide more data than ever to paw through. "Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel."

And metadata—basically, the routing information for messages that reveals where information is coming from and going to—remains largely unencrypted by necessity. That's especially true since systems in a dynamic world are fragmented, with software packages and communications systems connecting to one another across multiple junctions. Each connection provides a likely weak point in security.

What this means is that it's as easy as ever to monitor most people's online activities. All but the most privacy-minded are probably more trackable than ever before, no matter the FBI's complaints about encrypted smart phones and secure apps.

Exceptionally privacy minded individuals, with or without bad intent, it should be noted, are highly unlikely to confine themselves to leaky, law enforcement-friendly products. They can acquire sturdier alternatives or develop their own in a world "in which new services and software can be made available without centralized vetting."

Interestingly, government snoops have been insisting that the sky is falling on its ability to monitor bad guys for the better part of the past two decades—the big change is just the recent adoption of "going dark" branding for their seemingly eternal battle against the equivalent of sealed envelopes.

Declan McCullagh, a journalist who covered Caproni and Comey's recent complaints and push for related expanded powers wrote very similar stories 20 years ago. Alarmingly, when Clinton administration assaults on encryption stumbled, McCullagh noted in 1999 that the feds substituted under-the-table arrangements with security firms for backdoor access to communications. "The Commerce Department and NSA could simply pressure a firm to insert flaws into its encryption products with a back door for someone who knows how to pick the lock."

Since then, though, you've had a rise of a new generation of less-cooperative companies willing to push back against official pressure. Apple and Google have led the pack in explicitly spurning federal demands for weakened privacy protections. The old unspoken deals aren't producing the same results.

But aren't the feds aware that they're not really losing the ability to monitor suspects, and that the "going dark" campaign is a lot of crap?

Of course they are—the Harvard report includes government experts as participants after all. But as security expert Bruce Schneier notes in a statement appended to Don't Panic, "Ubiquitous encryption protects us much more from bulk surveillance than from targeted surveillance… Widespread encryption forces the listener–whether a foreign government, criminal, or terrorist–to target."

Under the Fourth Amendment, that's what the government is supposed to do—identify a suspect, make the case for a warrant, and conduct surveillance subject to specific parameters. But in this post-Snowden world, is it any surprise that taking an indiscriminate vacuum cleaner to private communications seems to be the real end goal for law enforcement?

 What's "going dark" because of commercially available encryption isn't the government's ability to monitor suspected bad guys—they're not going to obey laws against secure products anyway. Darkness is falling instead on officials' ability to snoop on us all simultaneously, on the off chance that any of us are up to something the powers that be don't like.

And there's certainly no reason to panic over that.