Britain is rolling out its new Online Safety Bill, which builds on the Online Harms White Paper (the government’s full response to that consultation was published in December 2020) and discourages companies like Facebook from using end-to-end encryption. Priti Patel, the UK’s Home Secretary, has notably opposed end-to-end encryption for years and is scheduled to deliver a keynote speech on April 19th at a child protection charity’s event focused on exposing the dangers of end-to-end encryption. Richard Blech of XSOC CORP offers perspective.
The US government, as well as other nations’ governments, will always come up with an important-sounding theme and focus on the name of said theme to distract from the underlying breadth of what their reach will be. Making child exploitation or other “news of the day” issues the reason to overreach can never be acceptable in a democratic society.

American administrations have grappled with public encryption policy decisions since at least 1972, when the National Bureau of Standards (now called the National Institute of Standards and Technology, or NIST) began work on what was to become the Data Encryption Standard, or DES. DES was to be a public standard, meaning that it was to be freely available for use by both the government and the private sector. The National Security Agency (NSA) insisted, in the name of national security, that DES be limited to a 56-bit key. (A 56-bit key was barely adequate in 1976 when the DES standard was approved and is laughably insecure today.) The NSA’s insistence was based on the premise that it needed the capability to break DES encryption in matters of, well, national security.

And therein lies the rub. The NSA in particular, and the government in general, isn’t interested in information security. It is interested in national security, the definition and priorities of which vary by year and administration. What has been constant is the conflation of security and surveillance. The relationship between the two is inversely proportional. A state of information security prioritizes and preserves data sovereignty and privacy. Surveillance, conversely, is about monitoring behavior or activities for purposes of influence, coercion or protection.

Surveillance does not correlate to improved security — it actually weakens it. The Communications Assistance for Law Enforcement Act (CALEA) is a 1994 law mandating that phone companies build wiretapping mechanisms into their call-switching equipment so that the U.S. government could more efficiently conduct domestic surveillance (i.e., “lawful intercept,” or LI). Unfortunately, CALEA caused unintentional vulnerabilities in internet switches made by Cisco. Indeed, when CALEA-compliant switches were assessed by the NSA for use in Department of Defense (DoD) networks, significant vulnerabilities were found in the switches used for testing.

The vulnerabilities are not just theoretical. Over a 10-month period (and possibly much longer) ending in 2005, the phones of over 100 senior members of the Greek government were bugged through an LI capability in the Ericsson switches used by Vodafone Greece, the country’s largest cellular communications provider. The LI capability was co-opted and exploited by one or more malicious actors.