diff options
| -rw-r--r-- | formatting.ms | 2 | ||||
| -rw-r--r-- | paper.ms | 222 | ||||
| -rw-r--r-- | refer | 13 |
3 files changed, 125 insertions, 112 deletions
diff --git a/formatting.ms b/formatting.ms index 48e2f41..53cfd04 100644 --- a/formatting.ms +++ b/formatting.ms @@ -1,7 +1,7 @@ .nr LL 5.15i .nr PO 1.55i .\" top margin -.nr HM 1.00i +.nr HM 1.20i .\" bottom margin .nr FM 1i .\" header/footer width @@ -9,29 +9,30 @@ Cryptography, crime, terror, and surveillance .AI March 2022 .LP -Modern encryption methods allow a level of privacy in communication +Modern encryption methods permit a level of privacy in communication that has not before been seen: information that is encrypted cannot be -decrypted without the necessary keys, such as with RSA where security +decrypted without the necessary keys, with algorithms such as RSA where security is ensured by the large primes involved and the current intractability of prime factorisation. This allows for communication that is -practically guaranteed to be private: a relatively new phenomenon in -communications, seen with inventions such as the one-time pad +practically guaranteed to be private; a relatively new phenomenon in +communications. In the past this has been seen with the one-time pad {Rijmenants} which was cryptographically secure and used by both -the KGB and NSA, beyond the use of the Enigma and Lorentz -machines by the Nazis which were both decrypted by -cryptanalysis methods during the Second World War. Today, secure +the KGB and NSA, well beyond the use of the Enigma and Lorentz +machines by the Nazis which were both decrypted through +cryptanalysis methods during the Second World War. Today, however, secure cryptographic methods are used not only by government backed agencies in preventing or practising espionage, but by individual citizens who are interested in their privacy, security, or are simply using a -program that happens to encrypt their communications. Naturally, +computer program that happens to encrypt their communications. Naturally, current availability of cryptography potentially allows malicious actors such as criminals or terrorists to use encryption in order to commit crimes or acts of terror. In response to the threats of encryption and communications technology generally, governments have -engaged in signals intelligence (SIGINT) such as phone line tapping. -Modern SIGINT initiatives have become incredibly complex and -sophisticated and have grown greatly as popular adoption of technology -has grown. Part of government interest in SIGINT is a direct response +engaged in signals intelligence (Sigint) such as phone line tapping. +Modern Sigint initiatives have become rather complex and +sophisticated and have grown greatly alongside the popular adoption of +information technology. +Part of government interest in Sigint is a direct response to perceived threads, such as the PATRIOT Act in the US which followed the 2001 terrorist attacks with the objective of strengthening national security (cite). Later, the FISA Amendments Act of 2008 @@ -44,33 +45,34 @@ surveillance including the government access of phone calls records of customers of the Verizon network, including calls from the US to other states as well as calls localised entirely within the US {guardian greenwald verizon}{guardian NSA roberts}{times savage 2013}. State -sponsored SIGINT programs such as that in the US aims to respond to +sponsored Sigint programs such as that in the US aims to respond to encryption and other technological developments with the primary interest of overcoming it in order to prevent terror and crime. These measures have, however, had arguably limited effectiveness and have -violated the privacy of individuals who are not suspected of being a -threat to national security. Responses to encryption domestically and -internationally will have significant consequences, given the -potential importance of the information being communicated. Successful -SIGINT and cryptanalysis by government agencies can successfully +violated the privacy of individuals who are not suspected to be a +threat to national security. Responses to encryption +will have significant consequences, given the +potential importance of the information being communicated and the +prevalence of electronic communication methods. Successful +Sigint and cryptanalysis by government agencies can respond to modern threats of crime and terror. A failure of -responsible governance, however may not only threaten the privacy of +responsible governance, however, may not only threaten the privacy of individuals unnecessarily, but also fail to respond to the ways in -which criminals and terrorists are using encryption existing thereby +which criminals and terrorists are using encryption, existing thereby only as a tool of authoritarian control. An argument is often made against allowing widespread use of encryption and generally against widespread effective operations security (OPSEC) in the public sector in the interest of -national security, and the prevention of terror. With access to +national security and the prevention of terror. With access to communications and usage history governments can gather significant information on terrorists and use this intelligence against -terrorists. It is clear that intelligence plays a significant role in +terrorists. It is clear that intelligence and surveillance play a significant role in counterterrorism. The 9/11 terrorist attacks are seen potentially as a phenomenal failure of intelligence as detailed in The 9/11 Commission report {#9/11 commission report}. The report explores the fact that there was potentially knowledge to indicate a terrorist attack before -September 2001 (chapter 8). The report detailed institutional failures +September 2001 (chapter 8). The report details institutional failures and also emphasised the difficulty and importance of intelligence in counterterrorism {intelligence and national security}. Graham{#CTC terrorists} explores the use of encryption by terrorists which is @@ -78,23 +80,23 @@ often cited in a reason for giving governments access to unencrypted Internet communications so that suspicious activity can be flagged and investigated in order to prevent a terror attack or in order to better respond in the case of an attack. Graham describes the extensive use -of end to end encryption used by terrorists in order to avoid +of end to end encryption by terrorists in order to avoid interception by the authorities. Due to U.S. usage of intercepted -communications to uncover and prevent a number of al-Qa'ida plots, the +communications to uncover and prevent a number of al-Qaeda plots, the terrorist organisation and other terrorist groups have increasingly -used encrypted communications (read citation from Graham). An -significant factor is the use of non-mainstreams software in early use +used encrypted communications (read citation from Graham). A +significant factor is the use of non-mainstream software in the early use of encryption by terrorists, including a program that built a wrapper around the popular, secure, and open source PGP called \fIMujahedeen -secrets\fR. Although now terrorists and criminals use widely +Secrets\fR by al-Qaeda. Although now terrorists and criminals use widely available, popular, and user-friendly software such as the Tails operating system or Telegram (Graham citation 28), terrorists organisations have shown an ability to make use of more obscure and -complicated systems, as well as use publicly available source code in +complicated systems, as well as to use publicly available source code in order to construct software for operatives to use. Although the issue of popular messaging technologies and their support -for 'end-to-end encryption' is often discussed, the argument that the +for \[oq]end-to-end encryption\[cq] is often discussed, the argument that the introduction of end-to-end encryption by large companies such as Facebook gives an advantage to criminals {conversation Facebook}{home office} is arguably an invalid one. By preventing the usage of true @@ -102,18 +104,18 @@ end-to-end encryption in industry, we will not be able to prevent those attempting to evade the law from doing so, as shown in the case of terrorist organisations who have used more obscure software in the past and also in the case of the abundance of illegal activity that -occurs on the so called dark web in the form of the trade of drugs and +occurs on the so called \[oq]dark web\[cq] in the form of the trade of drugs and child pornography among others {gulati deep web}. Instead the limitation of use of encryption on popular software will only decrease the privacy of those uninterested in criminal activity and instead using more popular software without regard for its security features or lack thereof. The information exposed by Edward Snowden in 2013 demonstrates that the US government has processed and -collected vast amounts of unencrypted data (cite) and possibly +collected vast amounts of unencrypted data and possibly continues to do so. In the case of unencrypted communication the -problem remains and preventing end to end encryption will simply allow +problem remains and preventing end-to-end encryption will simply allow governments to maintain the status quo of being able to intercept and -read all communications between its citizens and individuals outside +read all communications between their citizens and individuals outside of their jurisdictions. Indeed, should end-to-end encryption continue, perchance, to be opposed by governments both in the West and in countries like China, it will arguably a method of allowing a @@ -122,11 +124,11 @@ state. In the GDR (German Democratic Republic, also known as \[oq]East Germany\[cq]), in order to conduct surveillance on behalf of the -rulling party {Jarausch}, the Stasi (\fIMinisterium für +ruling party {Jarausch}, the Stasi (\fIMinisterium für Staatssicherheit\fR, or \[lq]Ministry for State Security\[rq]) relied on a sprawling network of informants and agents. In particular, informants \[en] who greatly outnumbered agents {Bruce 2014} \[en] -formed large parts of this network by integration into the fabric of +formed large parts of this network and were deeply integrated into the fabric of society. This contributed to a far more complete surveillance state and an atmosphere of terror amongst the people. Whilst in Nazi Germany there may have been around one Gestapo agent for every 2300 citizens, @@ -134,22 +136,22 @@ in the GDR it was closer to one informant or officer for every 63 citizens. Those living in the GDR often had experiences involving investigation by the Stasi and there was clearly an understanding amongst citizens that one had to be wary of an -informant or agent listening in {funder}. In modern western society +informant or agent listening in {funder}. In modern Western society there is a similar collective understanding that governments -attempting to carry out surveillance on a massive scale on their own +carry out surveillance on a massive scale on their own citizens. A key distinction today, however, is that this work is not carried out by a vast network of informants, -there are no gargantuan gargantuan stores of paper, and there are no +there are no kilometres of paper, and there are no collections of film and photograph {The Federal Archives} documenting and aiding the surveillance of the authorities. Instead, the level of surveillance that large, secretive groups of individuals once had to carry out in order to enable a surveillance state can be performed instead through bureaucracies and technological methods. In modern times, governments can operate with a very limited number of operatives \[oq]on the -ground\[cq], -and instead focus attention on the giant amounts of data they have for -processing in order to make the findings they intend to: be it crime, -terrorism, or \[en] as was the case with the Gestapo and Stasi - descent. +ground\[cq] and instead focus attention on the giant amounts of data +they have for processing in order to make the findings they intend to: +be it crime, terrorism, or \[en] as was the case in the Gestapo and +Stasi - descent. .HLINE @@ -158,9 +160,10 @@ As has occurred with technological developments in the past, legislation will continue to follow developments relating to information technology, such as the General Data Protection Regulation in the European Union which has had significant influence in the -technology industry. Yet encryption presents unique challenges to +technology industry {EUR-Lex}{Harvard Downes}. +Yet encryption presents unique challenges to lawmakers. Not only will encryption be difficult to regulate due to -its rapid development, but perhaps moreso due to its decentralised +its rapid development, but perhaps expressly due to its decentralised nature, where a government cannot prevent the existence of software that enables encryption which is open source and reproducible internationally. Just as media piracy through torrents and access to @@ -177,92 +180,90 @@ modern processors produced by Intel. Arguments have been made that the Intel Management Engine already acts as a backdoor for government agencies (cite), and the potential is clearly there for US government interests in mass data collection and -SIGINT following 9/11 to lead to the introduction of backdoors in +Sigint following 9/11 to lead to the introduction of backdoors in popular technology. We are aware that in the case of the Intel -Management a switch for disabling functionality is present for use by -US government authorities such as the NSA, demonstrating a level of +Management Engine a switch for disabling functionality is present for use by +US government authorities such as the NSA, demonstrating the level of leverage the US government potentially has over organisations including but not limited to Intel {register kill switch}{intel me bleepingcomputer}. The potential exists for such systems to be built into non-open hardware which most people \[en] even those using open -software \[en] use, leaving them more open to exploitation from either +software \[en] use, leaving them open to exploitation from either state or private actors. Furthermore, there is a visible interest in increasing the presence of technologies on the hardware level, including the aforementioned Intel Management Engine, the Trusted Platform Module (cite), and recently Microsoft's Pluton (cite) -subsystem, which will be present on hardware sold in the future. This +subsystem which will be present on hardware sold in the future. This variety of hardware within a single computer is a rather interesting and potentially worrying development, particularly with the clear level influence, interest, and competitiveness both the US {US House -chip manufacturing bill} and Chinese governments have in the -chip manufacturing industry. In light of potential issues with +chip manufacturing bill} and Chinese governments have in their +respective national +chip manufacturing industries. In light of potential issues with hardware, there have been developments in \[oq]open hardware\[cq]. RISC-V is an instruction set for processors from the University of -California at Berkeley; opposed to ARM, Intel, and AMD processors, +California at Berkeley; opposed to Arm, Intel, and AMD processors, RISC-V is an open standard for CPU design {case for RISC-V}. This allows for open source CPU implementations, such as those designed at UC Berkeley, as well as those from other parties, such as Alibaba Group {chen risc}. A significant amount of existing software has been ported to the RISC-V -platform and alongisde the Alibaba implementation for data -centres, the standard has been used by Google for a security module in -the \[oq]Pixel 6\[cq] smartphone (cite). -This attention and interest potentially signals a shift towards -increased demand for and utility in open hardware for privacy, -security or economic reasons. -Another poignant example of open hardware is the laptop created by the +platform and alongside the Alibaba implementation for data centres, +the standard has been used by Google for a security module in the +\[oq]Pixel 6\[cq] smartphone (cite). This attention and interest +potentially signals a shift towards increased demand for and utility +in open hardware for privacy, security or economic reasons. Another +poignant example of open hardware is the laptop created by the manufacturer Framework Computer Inc, which is designed to be more -more expandable, serviceable and repairable than other laptops -available on the market. -The company and laptop gained significant media coverage +expandable, serviceable and repairable than other laptops available on +the market. The company and laptop gained significant media coverage (cite) showing an interest from the public in open hardware. An argument can be made that such projects are for niche interest groups -only, and that such solutions will never see the commercial success -seen by the larger, non-open manufacturers such as Intel and ARM. +only and that such solutions will never see the commercial success +seen by the larger, non-open manufacturers. However, the clear adoption of standards such as RISC-V by large -institutions demonstrates quite the opposite: -that open hardware will continue to -become increasingly prevalent and that currently popular hardware with -its susceptibility to surveillance will possibly have a reduced -presence in the future. +institutions demonstrates quite the opposite: that open hardware will +continue to become increasingly prevalent and that currently popular +hardware with its susceptibility to surveillance will possibly have a +reduced presence in the future. Movement towards open standards in both hardware and software reveals a problem for law enforcement agencies and counterterrorism forces. The tools of mass surveillance that once enabled investigation into crime or terror such as reading -messages/e-mails, listening to calls, tracking location, or analysing -metadata may no longer be effective, thereby potentially +messages and e-mails, listening to calls or tracking location +may no longer be effective, thereby potentially preventing such investigation to occur. For governments, this is arguably the result of such heavy surveillance in the first place. It is clear that knowledge such as the 2013 Snowden leaks had an impact -on the public, and people are therby more interested in +on the public and people are therby more interested in their privacy and preventing surveillance. Around the world individuals use tools to increase their privacy and anonymity when -using the Internet, as well as to overcome censorship of information +using the Internet as well as to overcome censorship of information by governments. A major exception to the availability of the free -Internet has been -China, where the government has unparalleled control over the -flow of information over the Internet. This has allowed the filtering -of content, prevention from accessing sites, and the blocking of the -anonymity network Tor which would allow users to circumvent measures -put in place by the government {firewall}{talbot tor china}{winter -china tor}. Measures in China have enabled the government to tightly -control and monitor the flow of information via the Internet; ensuring -that citizens can only access that which the ruling part should allow. -Whether such draconian measures could even be implemented -in the more democratic West is questionable, but the opportunity -clearly exists for governments to undermine the digital privacy of its -citizens. Any such measures, however, will face scrutiny from the -media and public in Western society and thereby open software such as -Tor is used to share significant amounts of information away from the -observation of law enforcement, allowing illegal activity to occur -{gulati}. The reduced ability for law enforcement to investigate crime -will clearly have an impact by allowing criminals to act with -additional impunity. In particular, the sharing child sexual abuse -material, trafficking and other such crimes that are enabled by the -Internet present reason for concern. +Internet has been China, where the government has unparalleled and +unprecedented control over the flow of information over the Internet. +This has allowed the filtering of content, prevention from accessing +sites, and the blocking of the anonymity network Tor which would allow +users to circumvent measures put in place by the government +{firewall}{talbot tor china}{winter china tor}. Measures in China have +enabled the government to tightly control and monitor the flow of +information via the Internet; ensuring that citizens can only access +that which the ruling part should allow. Whether such draconian +measures could even be implemented in the more democratic West is +questionable, but the opportunity clearly exists for governments to +undermine the digital privacy of its citizens. Any such measures, +however, will face scrutiny from the media and public in Western +society and thereby open software such as Tor is used to freely share +significant amounts of information away from the observation of law +enforcement, allowing illegal activity to occur {gulati}. The reduced +ability for law enforcement to investigate crime will clearly have an +impact by allowing criminals to act with additional impunity. In +particular, the sharing child sexual abuse material, trafficking and +other such crimes that are enabled by the Internet present reason for +concern. -It is however clear that the methods available to law enforcement are +It is, however, clear that the methods available to law enforcement are not all exhausted due to technological change. Social engineering methods; communications traffic analysis such as phone records; metadata analysis from the underlying infrastructure of the Internet, @@ -279,7 +280,7 @@ whilst having a serious impact on user privacy. Although encryption can prevent some investigation the compromise is arguably acceptable due to the net benefit encryption offers to society. -In addition, the rate of development in unconventional computing +The rate of development in unconventional computing methods is increasing rapidly. Effective quantum computing will result in existing popular cryptographic algorithms such as RSA, which is used for communications and digital signatures, no longer being @@ -305,7 +306,8 @@ Regulatory considerations about post-quantum cryptography are already being made and arguments can be made that regulation should soon be written that institutes standards and requirements in order to prepare for a future with effective quantum computing {bruno post quantum}. Once -more, however, an issue reveals itself with the speed of regulatory +more, however, an issue reveals itself with the incongruity between +the speed of regulatory change and the progress of technology. Changes will likely be made by open software in order to maintain secure encryption, such as those used by the open source web servers to encrypt Interet traffic, as @@ -316,8 +318,8 @@ open to the scrutiny of open software and may lead to vulnerabilities. Furthermore, the usage of post-quantum cryptography by the public and the potential that it may help terrorists and criminals to communicate might not be addressed in any meaningful way. -This lack of high level interest, initiative or funding from -governments has arguable prompted more independent development in the +The lack of high level interest, initiative or funding from +governments has arguably prompted more independent development in the public sphere: the US National Institute of Standards and Technology (NIST) made a public request for @@ -327,7 +329,7 @@ This adoption of open processes and the open auditing and implementation of future cryptographic standards is most striking when compared with the \fIDual_EC_DRBG\fR algorithm. This algorithm, which contained a vulnerability, was included in NIST -standards. This vulnerability allowed the NSA to potentially decrypt +standards. The vulnerability allowed the NSA to potentially decrypt Internet traffic such as e-mails (cite). The NSA also allegedly paid the firm RSA Security in order to implement the algorithm with its backdoor in their @@ -348,7 +350,7 @@ freedoms. The assertion of \[oq]Linus' law\[cq] that , \[lq]given enough eyeball all bugs are shallow\[rq] (cite - CathBaz) creates a serious inability for actors such as governments to engineer backdoors into software as the NSA previously has or to prevent the development of -software altogether (find example). On the other hand, the vast +software altogether. On the other hand, the vast majority of the software and hardware used by the general public is proprietary. For many, this will continue to be the norm. Yet, the pressure from increasing popular open source software will continue to @@ -361,10 +363,11 @@ users are finding more appealing. Indeed, when Apple refused to unlock a phone for the FBI following a terrorist attack (cite) it gained significant media attention and demonstrated that the defence of users privacy was a virtue for modern businesses, regardless of the fact -that the FBI was able to unlock the phone independently which is +that the FBI was able to unlock the phone independently, which was rather overlooked. To users today, both to those with experience and -ability in technology, and to the general public, in privacy is -seemingly becoming a major selling point. +ability in technology and to the general public, privacy is +seemingly becoming a major selling point and significant factor in the +way individuals chose to use technology. The discussion of encryption and related technologies has arguably limited impact. State actors such as the NSA will continue to act @@ -372,7 +375,7 @@ against individual freedoms and attempt to find or introduce backdoors in technology that is widely used as part of its actions purportedly in the interest of national security. Although public reactions to information such as the 2013 Edward Snowden releases have been very -strong, they have not had significant effects on legislature, the +strong, they have not had significant affects on legislature, the funding received by the NSA, and quite possibly the level of surveillance carried out by the NSA. Thus, discussions in public or private spheres are unlikely to @@ -384,7 +387,8 @@ indiscriminate surveillance is carried out on citizens not suspected of any criminal or terrorist activity such as the Tempora program in the United Kingdom {guardian fibre-optic}, however governments nonetheless -prove willing to fund the activities of surveillance agencies. +prove willing to fund the activities of surveillance agencies and will +seemingly continue to do so regardless of public opinion. Modern cryptographic algorithms are theoretically secure; the underlying concepts mean that breaking the encryption to @@ -441,7 +445,7 @@ expected, yet there is nonetheless widespread adoption in more popular software and proprietary software. Companies such as Facebook have pushed for end to end encryption in their products and the software industry at large has adopted encrypted standards such as -\f[C]HTTPS\fR. There +\f[R]HTTPS\fR. There are seemingly two sources of resistance to fully encrypted communications. The first of these is the largest, which is government intervention. Government positions around the world which are opposed @@ -517,5 +521,3 @@ https://www.openrightsgroup.org/ Todo: program -> programme - SIGINT -> Sigint ? - @@ -173,7 +173,7 @@ %T One-time Pad %A Dirk Rijmenants -%D date unknown +%D n.d. %O https://www.ciphermachinesandcryptology.com/en/onetimepad.htm (Accessed 26th February 2022) @@ -349,3 +349,14 @@ %T About the Stasi Records Archive %D n.d. %O https://www.stasi-unterlagen-archiv.de/en/archives/about-the-archives/ Accessed 2 April 2022 + +%D n.d. +%O https://eur-lex.europa.eu/procedure/EN/201286 Accessed 25 March 2022 +%A EUR-Lex +%T Procedure 2012/0011/COD + +%O https://hbr.org/2018/04/gdpr-and-the-end-of-the-internets-grand-bargain Accessed 25 March 2022 +%T GDPR and the End of the Internet’s Grand Bargain +%D April 2018 +%A Larry Downes +%J Harvard Business Review |