Backdoors

Earlier this week, the Guardian in conjunction with its partner publishers, New York Times and ProPublica ran an article, Revealed: how US and UK spy agencies defeat internet privacy and security. As we’ll see, the title is a bit misleading, but the agencies certainly gave it their best shot. This story builds on the initial Snowden leaks that the NSA has been using computer technology to spy on everyone using the internet in the USA. The story rapidly came to the UK where it became clear that Britain’s GCHQ was tapping the UK/USA telecom links, sharing intelligence with the USA and providing the NSA with a slightly more legal way of spying on US citizens. There is little doubt that the US & UK’s intelligence agencies have outsourced their own domestic spying which is legally restricted to each other.

The UK and US have fundamentally different legal systems when it comes to the powers of the State. One has a constitution based on the separation of powers with residual powers vested in the people, while the UK is an evolved monarchy; its closest basic laws are the EU accession treaties and the Human Rights Act but Royal Prerogative means that many powers and actions can be exercised by the government. without parliamentary approval and without judicial review. There’s an expectation that the US government would be constrained by the 4^th amendment which guarantees citizens against search without a warrant, while the UK citizens should be protected against general surveillance and unwarranted (or any) search by Article 8 of the European Charter of Human Rights.

In the UK, the data collection has been as extensive and egregious. We can now see why the securocrats were so desperate to get the Communications Data Bill through; it would have legalised what they had been doing. Monitoring and reading internet traffic of people without a reason, without probable cause is against the law in both jurisdictions. The Government claim that GCHQ’s actions have been overseen by warrants issued by the Foreign Secretary and the programme has been in place since 2008, so that would mean Margaret Beckett, David Miliband and William Hague have signed off on this programme.

GCHQ though boasted to the NSA, that

“We have a light oversight regime compared with the US”.

The clear ambition of the spy agencies is to read, listen and mine everyone’s communication, both by phone and on the internet.. The most important, axiomatic role of a state is to protect its citizens. Domestic spying on this scale is not that! It is immoral, and if not illegal it should be,

Reactions have varied from the “So what? We always knew this!”, to more outraged responses.

We have a right to privacy, and thus a right to effective encryption tools.

In the US, the Bill of Rights’ 4^th Amendment states,

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

In the UK, the Human Rights Act makes the European Convention on Human Rights part of the UK’s body of law. The ECHR establishes privacy as a human right,

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

It would seem that the US NSA have decided that conversations between citizens and foreigners are legal to monitor and that they can’t determine if US citizens abroad are in fact US citizens.

We, the people, have established a right to privacy; the right not to incriminate ourselves is much older, although more strongly established in the USA. IT vendor leader’s such as Scott McNealy and Eric Schmidt’s self serving polemics that privacy is over are merely the latest advocates of over energetic snooping and a defence of their privilege, and their assumed rights to make money. In this case, it’s about money, since they both make/made surveillance equipment. On the internet, and on the phone, we, the people, have a right to privacy and to effect this we need effective encryption.

The spies subversion of encryption is a morally defective

The new story is that the US government have been bribing and coercing product vendors and standards bodies to weaken encryption products and standards to either insert ‘back doors’ or weaken the products to make them more amenable to brute force attacks, because the US government clearly has a lot of I.T. brute force.

I have argued in this blog, earlier this year, Government databases, even those created for the most benign of reasons will leak and/or be misused. The EFF, in this story, reinforced by other sources including this a one at Forbes show this leakage in the USA, from National Security, via the War on Drugs to Tax Evasion, copyright infringement and littering. (I made the last one up.) We should note that Article 8 allows exclusions for fraud prosecutions and that in the UK the Music and Film industries have used the Fraud Acts to mount legal attacks on alleged copyright infringement. Governments and vested interests will always over- reach themselves.

The secrecy and illegality of the NSA’s actions and it’s suborning of the I.T. Supply industry means that we need to re-think a number of our personal and collective I.T. Security strategies, together with a rethink of our regulation of the industry. Most companies will need to do so also. The actions of the NSA and GCHQ are crimes. They are crimes in so many ways, against their citizen’s rights and against their basic laws. It now seems that they are also against their anti-corruption laws.

Not only have our secret police infringed our rights to privacy, but they have tried to break the privacy tools that we might use to protect ourselves.

As British political actors we should be outraged; there’s little doubt that across Europe, where the memories of the surveillance state are more recent that opposition and voices for reform will be louder.

Qui Bono?

Firstly, the NSA is a military organisation, it is led by soldiers and while the debate and while the development of the legal authority to regulate war has advanced massively , the military is always fighting a war. The US view of the legal context of military operations differs from that in Europe and it certainly does not accept foreign jurisdictions authority over US citizens or entities. An example of this is that the US has refused to subscribe to the International War Crimes tribunal because it does not accept that International Law applies to US Citizens. There’s little doubt that the spies have done it because they can. Various theories exist to explain non-market organisations growth and institutional goals. So the first winners are the spooks.

The second winners are the IT, telecom & software service providers. The equipment, software and people involved in setting up these networks in the private sector collaborators have not done this for free. Although the inevitable leaking is causing massive reputational damage to these companies.

The business of the American people is business”, is still a lietmotif for US politics. Anyone who thinks that the NSA will not share information with US business to further the interests of US business is being naive. Today’s conservatives across the world, who despite a Democrat President hold hegemonic control of the US Federal Government and the European Commission believe that the purpose of politics is to enable trade, commerce and profit. The third set of winners is the rest of US big business.

How bad is it?

In my professional life, I seem to have been alone in arguing that data has jurisdictional attributes and anyone or any company with privacy duties and/or secrets should not put their data on foreign located storage systems or should chose the location of their storage servers based on the legal privacy framework. Many colleagues have argued that encryption is is good enough; it would seem that not all of it is. The world though is held hostage to the US techno-economy. There are now no major European based systems software companies and the vast majority of the world’s network equipment providers are US based and owned and with the exception of the Chinese, the remainder suffer regulatory capture through the necessity of operating in the USA.and/or using US ‘owned’ software.

The entwining of politics and business is causing historical inertia. Today’s rich and powerful have more political capital than tomorrow’s, and the corrupt and corrupted regulatory environment inhibits “creative destruction” and the evolution of the production platform. It now seems that effective cryptography is also seen as a prohibited good. In the USA, the once secret corruption of the IT supply chain has frighteningly led to the closure of Lavabits, a provider of secure e-mail, and famously used by Ed Snowden to mail people after he had admitted to being the NSA whistle blower. We also only need to briefly review the response of the US Government to the Wikileaks exposures where the US Government sought to cut of its DNS resolvers and sources of funding to see that neither US capitalism, nor the US Government has a neutral stance when it comes to its relationships with the rest of the world.

Capitalism has no patriotism and no morality, the expansion of ‘Free Trade’ with its new companion, Investor State Dispute Resolution weakens the rights of all of us, except the ultra rich. Free Trade is to the benefits of companies and money, it ignores both the economic and human-rights interests of the other economic stake holders, the workers, customers, and neighbours.

If there are weaknesses in the encryption products, then these weaknesses are available to everyone and while it may take a massive grid to exploit these weaknesses it is clear that despite the US’s ‘look over there’ faux panics that the Chinese government certainly has the IT capability and the human resources to build the tools to break these, now, sub standard products. Anonymous, bittorrent & earlier SETI@home have shown that large and massive loosely coupled computer grids can be built using home systems. N.B. Encryption costs cycles. If you rent them, this matters; in the home, we have more than we need. Powerful compute grids can be built by anyone.

The US ‘ownership’ of the internet and the wilful breach of law by the police and engineers who build the internet means that citizens of other polities need to consider their response. The US own it, they build it and they use it to reinforce their wealth and power, or at least the wealth and power of their elites. One small example is the legacy entertainment industry’s attack on the bit-torrent protocols, where a small number of exceptionally rich legacy businesses are seeking to inhibit the next stage of the Internet’s development since it minimises their attempts to make profit. (In fact they seem to have won this battle probably in co-operation with the spooks since the latter want the limited number of choke points.)

One positive reaction has been the review by non-US corporates and peoples of their use of US social networks and cloud provided infrastructure-as-a-service. It’s one of the reasons that companies like Google and Yahoo are going to court to try and get what they see as their true voices into the public domain. It’s possible that companies like Amazon and Rackspace who rent time and space as opposed to hosting content will suffer, unless they can re-establish people’s trust in encryption. The software as a service companies(SaaS) have suffered massive reputational damage in the rest of the world.

There’s two huge political issues raised by this story. One is national supply, or in the case of Europe maybe supra-national supply. The EU’s FP7 ICT programme is an ICT R&D incubator and one source of software security innovation, but the sale of Nokia’s handset division is not necessarily a good signpost as to Europe maintaining its lead in cellular phone systems and standards. Without the ability to develop encryption and appropriate security tools Europe is excluded from the participating tin the engine of wealth creation for the next generation. It interests me that any conversation about avoiding Google’s search engine talks about US hosted alternatives ignoring ixquick, which distinguishes itself with a privacy offering and Exalead owned by Alcatel.

The second is the Human Rights issues. The US internet & legacy businesses have been spending vast sums of money lobbying for the laws they want. There’s been a huge expense throughout Europe and across the world to introduce ‘three strikes’ laws; seeking to remove internet access from even casual and accidental ‘pirates’ and in the case of the French, even the innocent and also in Brussels trying to get the Data Protection laws weakened to allow them to continue to mine and sell our personal data. As I have said elsewhere, while the Western Europeans and much of the old commonwealth seem happy enough to follow the lead of Hollywood and Nashville, the eastern Europeans with a more recent memory of an all encompassing surveillance state take a different view. For more about this see, Privacy International’s write up of the campaign in Brussels surrounding the re-write of Europe’s Data Protection laws, and Monica Horten’s write up of the contending politics once it reached the Council of Ministers. During the Parliamentary scrutiny over 3000 amendments were put to the Parliamentary scrutiny process, the vast majority written by lobbyists and the vast majority of those written on behalf of the US owned social networks.

This is all before we consider the weakening of trust. Encryption technology is used to build trust not just keep secrets. This is not the place for how safe encryption is not just about free speech, but also the foundation for economic co-operation. We can’t do ecommerce without trusted authentication and non-repudiation, I am who I say I am, and my word is my bond in cyberspace!

How to protect ourselves

The Guardian, in an article, “Revealed: how US and UK spy agencies defeat internet privacy and security” details the way in which the NSA and GCHQ have been building decryption capabilities. <

Bruce Scneier, one of the USA’s leading cryptologists has written in his blog, about the likely strengths and capabilities of the spook’s decryption capability. He wrote more in an article in the Guardian, “NSA surveillance: A guide to staying secure”, where he repeats his advice that strong encryption works, but that all end points i.e. phones and personal computers and laptops are vulnerable. Apart from the possible Windows Backdoor, securing these devices is hard, takes expertise and the resources at the disposal of the NSA are immense. Basically if they want in, they’re in.

But the maths is sound, they’ve only broken its implementation. Schneier says,

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake.

but strong encryption works, the maths is still secure and the crypto-engineers are changing up.

In order to protect ourselves we need to make it too expensive to bother with you, by increasing the cost of attacking your endpoints.

So Schneier’s advice is,

• Hide, use anonymous services
• Use encryption
• Take your encryption engines offline, use an airwall
• Be suspicious of commercial closed source software

My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

• Use public standards with multiple implementations.

He adds,

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line); I’ve been using that as well.

I understand that most of this is impossible for the typical internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The EFF add the following advice in their article, Tahoe and Tor: Building Privacy on Strong Foundations, advertise the afore mentioned TOR, for anonymity, and Tahoe-FS as an encrypted decentralised file system,

I shall be checking up on these, now shall I get buy myself a new Linux laptop.

The one thing that surprises me is that they’d bother to capture it all. It seems so expensive, if not in IT then in terms of people to read the output and decide whether to act.

<ooOOOoo

1. The picture at the top is Batman’s surveillance machine from the Dark Knight. I don’t have the dialogue in front of me, but Alfred and Lucius are appalled and Batman hands over the delete key so the machine can be destroyed, but Batman is not the Director of the NSA.
2. David Allen Green in an omnibus blog article at his Jack of Kent blog highlights the Tory led Government and the Lord Chancellor’s attack on the right of access to judicial review; he says,

The Ministry of Justice has launched a further consultation on judicial review.  This was accompanied by a fairly silly article by the Lord Chancellor.  Adam Wagner’s response to that article is excellent.

3. At ORGcon2013, Casper Bowden and Duncan Campbell both explored the Paradox of the Republic. The 4^th Amendment and the other protections of the US Constitution only apply to citizens. This designed loophole and the US’s sense of exceptionalism, mean that the US political mainstream think they have a right to deny the rest of the world’s citizens and peoples rights that they demand themselves. Human rights are universal, you get them because you are human. So despite its caveats, the ECHR might be a better protection than the 4^th amendment and we might be seeing the further evolution of world citizenship.  I wanted to write a bit more about the Paradox of the Republic but the thing has got pretty long as it is.
4. Those arguing against transfer of internet governance to the UN’s ITU because it would jeopardise freedom by allowing non-democracies a say must be feeling a bit stupid. (I know I am.)
5. Also at ORGcon2013, at least one speaker suggested that Microsoft’s purchase of Skype had been suggested by the NSA in order to extend the NSA’s PRISM programme to Skype.
6. Nokia’s sale to Microsoft should be seen as the result of it deciding that it could make money building and selling mobile handsets using someone else’s operating system. Nokia cancelled two Linux operating system projects in order to pursue this economic cul-de-sac, which leaves Canonical, in the UK as the last European system software house, unless you count Alcatel or Nokia-Siemans.

This took me over a week to write, I have back dated it to the day I started it. (I am beginning to admire those jounralists that have to write to a deadline.)