path: root/paper.ms

.R1
short-label D.y
sort
.R2
.TL
\f[B]Cryptography, crime, terror, and surveillance
.AU
\f[R]Mohit Agarwal
.AI
March 2022
.LP
Modern encryption methods permit a level of privacy in communication
that has not before been seen: information that is encrypted cannot be
decrypted without the necessary keys, with algorithms such as RSA where security
is ensured by the large primes involved and the current intractability
of prime factorisation. This allows for communication that is
practically guaranteed to be private; a relatively new phenomenon in
communications. In the past, this has been seen with the one-time pad
{Rijmenants} which was cryptographically secure and used by both
the KGB and NSA, well beyond the use of the Enigma and Lorentz
machines by the Nazis which were both decrypted through
cryptanalysis methods during the Second World War. Today, however, secure
cryptographic methods are used not only by government backed agencies
in preventing or practising espionage, but by individual citizens who
are interested in their privacy, security, or are simply using a
computer program that happens to encrypt their communications. Naturally,
current availability of cryptography potentially allows malicious
actors such as criminals or terrorists to use encryption in order to
commit crimes or acts of terror. In response to the threats of
encryption and communications technology generally, governments have
engaged in signals intelligence (Sigint) such as phone line tapping.
Modern Sigint initiatives have become rather complex and
sophisticated and have grown greatly alongside the popular adoption of
information technology.
Part of government interest in Sigint is a direct response
to perceived threats, such as the PATRIOT Act in the US which followed
the 2001 terrorist attacks with the objective of strengthening
national security {PATRIOT ACT Congress}. Later, the FISA Amendments Act of 2008
further increased the powers of law enforcement to access
information, such as allowing the Attorney General and Director of
National Intelligence to gather information about individuals outside
the United States {H.R. FISA congress}. It was, however, the PATRIOT
Act and FISA Amendments Act that was the justification for large scale
surveillance including the government access of phone calls records of
customers of the Verizon network, including calls from the US to other
states as well as calls localised entirely within the US {guardian
greenwald verizon}{guardian NSA roberts}{times savage 2013}. State
sponsored Sigint programmes such as that in the US aims to respond to
encryption and other technological developments with the primary
interest of overcoming it in order to prevent terror and crime. These
measures have, however, had arguably limited effectiveness and have
violated the privacy of individuals who are not suspected to be a
threat to national security. Responses to encryption 
will have significant consequences, given the
potential importance of the information being communicated and the
prevalence of electronic communication methods. Successful
Sigint and cryptanalysis by government agencies can 
respond to modern threats of crime and terror. A failure of
responsible governance, however, may not only threaten the privacy of
individuals unnecessarily but also fail to respond to the ways in
which criminals and terrorists are using encryption, existing thereby
only as a tool of authoritarian control.

An argument is often made against allowing widespread use of
encryption and generally against widespread effective operations
security (OPSEC) in the public sector in the interest of
national security and the prevention of terror. With access to
communications and usage history, governments can gather significant
information on terrorists and use this intelligence against
terrorists. It is clear that intelligence and surveillance play a significant role in
counterterrorism. The 9/11 terrorist attacks are seen potentially as a
phenomenal failure of intelligence as detailed in The 9/11 Commission
report {#9/11 commission report}. The report explores the fact that
there was potentially knowledge to indicate a terrorist attack before
September 2001 (chapter 8). The report details institutional failures
and also emphasised the difficulty and importance of intelligence in
counterterrorism {intelligence and national security}. Graham{#CTC
terrorists} explores the use of encryption by terrorists which is
often cited as a reason for giving governments access to unencrypted
Internet communications so that suspicious activity can be flagged and
investigated in order to prevent a terror attack or in order to better
respond in the case of an attack. Graham describes the extensive use
of end-to-end encryption by terrorists in order to avoid
interception by the authorities. Due to U.S. usage of intercepted
communications to uncover and prevent a number of al-Qaeda plots, the
terrorist organisation and other terrorist groups have increasingly
used encrypted communications. A
significant factor is the use of non-mainstream software in the early use
of encryption by terrorists, including a program that built a wrapper
around the popular, secure, and open source PGP called \fIMujahedeen
Secrets\fR by al-Qaeda. Although now terrorists and criminals use widely
available, popular, and user-friendly software such as the Tails
operating system or Telegram, terrorist
organisations have shown an ability to make use of more obscure and
complicated systems, as well as to use publicly available source code in
order to construct software for operatives to use.

Although the issue of popular messaging technologies and their support
for \[oq]end-to-end encryption\[cq] is often discussed, the argument that the
introduction of end-to-end encryption by large companies such as
Facebook gives an advantage to criminals {conversation Facebook}{home
office} is arguably an invalid one. By preventing the usage of true
end-to-end encryption in industry, we will not be able to prevent
those attempting to evade the law from doing so, as shown in the case
of terrorist organisations who have used more obscure software in the
past and also in the case of the abundance of illegal activity that
occurs on the so-called \[oq]dark web\[cq] in the form of the trade of drugs and
child pornography among others {gulati deep web}. Instead, the
limitation of use of encryption on popular software will only decrease
the privacy of those uninterested in criminal activity and instead
using more popular software without regard for its security features
or lack thereof. The information exposed by Edward
Snowden in 2013 demonstrates that the US government has processed and
collected vast amounts of unencrypted data and possibly
continues to do so. In the case of unencrypted communication, the
problem remains and preventing end-to-end encryption will simply allow
governments to maintain the status quo of being able to intercept and
read all communications between their citizens and individuals outside
of their jurisdictions. Indeed, should end-to-end encryption continue,
perchance, to be opposed by governments both in the West and in
countries like China, it will arguably a method of allowing a
government to practise surveillance and of perpetuating a surveillance
state.

In the GDR (German Democratic Republic, also known as \[oq]East
Germany\[cq]), in order to conduct surveillance on behalf of the
ruling party {Jarausch}, the Stasi (\fIMinisterium für
Staatssicherheit\fR, or \[lq]Ministry for State Security\[rq]) relied
on a sprawling network of informants and agents. In particular,
informants \[en] who greatly outnumbered agents {Bruce 2014} \[en]
formed large parts of this network and were deeply integrated into the fabric of
society. This contributed to a far more complete surveillance state
and an atmosphere of terror amongst the people. Whilst in Nazi Germany
there may have been around one Gestapo agent for every 2300 citizens,
in the GDR it was closer to one informant or officer for every 63
citizens. Those living in the GDR often had experiences involving
investigation by the Stasi and there was clearly an understanding
amongst citizens that one had to be wary of an
informant or agent listening in {funder}. In modern Western society,
there is a similar collective understanding that governments
carry out surveillance on a massive scale on their own
citizens. A key distinction today, however, is that 
this work is not carried out by a vast network of informants,
there are no kilometres of paper, and there are no
collections of film and photographs {The Federal Archives} documenting and aiding the
surveillance of the authorities. Instead, the level of surveillance
that large, secretive groups of individuals once had to carry out in
order to enable a surveillance state can be performed through
bureaucracies and technological methods. In modern times, governments
can operate with a very limited number of operatives \[oq]on the
ground\[cq] and instead focus attention on the giant amounts of data
they have for processing in order to make the findings they intend to:
be it crime, terrorism, or \[en] as was the case in the Gestapo and
Stasi \[en] descent.

.HLINE

.LP
As has occurred with technological developments in the past,
legislation will continue to follow developments relating to
information technology, such as the General Data Protection Regulation
in the European Union which has had significant influence in the
technology industry {EUR-Lex}{Harvard Downes}.
Yet encryption presents unique challenges to
lawmakers. Not only will encryption be difficult to regulate due to
its rapid development, but perhaps expressly due to its decentralised
nature, where a government cannot prevent the existence of software
that enables encryption that is open source and reproducible
internationally. Just as media piracy through torrents and access to
hidden services over Tor are able to evade regulation, regulation of
encryption may prove impossible. An arguably useful tool to the
authorities does exist in the hardware and infrastructure that users
of the Internet rely on. In the West, a small number of companies (such
as Intel, Nvidia, Arm and Apple) design and produce the majority of
hardware in a proprietary and closed source manner.

Concerns have already been expressed with regard to
the Intel Management Engine {Intel Management portnoy} that exists on
modern processors produced by Intel.
Arguments have been made that the Intel Management Engine already acts
as a backdoor for government agencies {TechRepublic backdoor}, and the potential is
clearly there for US government interests in mass data collection and
Sigint following 9/11 to lead to the introduction of backdoors in
popular technology. We are aware that in the case of the Intel
Management Engine a switch for disabling functionality is present for use by
US government authorities such as the NSA, demonstrating the level of
leverage the US government potentially has over organisations
including but not limited to Intel {register kill switch}{intel me
bleepingcomputer}. The potential exists for such systems to be built
into non-open hardware which most people \[en] even those using open
software \[en] use, leaving them open to exploitation from either
state or private actors. Furthermore, there is a visible interest in
increasing the presence of technologies on the hardware level,
including the aforementioned Intel Management Engine, the Trusted
Platform Module {TPM Verge}, and recently Microsoft's Pluton {pluton
goodin} subsystem which will be present on hardware sold in the future. This
variety of hardware within a single computer is a rather interesting
and potentially worrying development, particularly with the clear
level of influence, interest, and competitiveness both the US {US House
chip manufacturing bill} and Chinese governments have in their
respective national
chip manufacturing industries. In light of potential issues with
hardware, there have been developments in \[oq]open hardware\[cq].

RISC-V is an instruction set for processors from the University of
California at Berkeley; as opposed to Arm, Intel, and AMD processors,
RISC-V is an open standard for CPU design {case for RISC-V}. This allows for open
source CPU implementations, such as those designed at UC Berkeley, as
well as those from other parties, such as Alibaba Group {chen risc}. A
significant amount of existing software has been ported to the RISC-V
platform and alongside the Alibaba implementation for data centres,
the standard has been used by Google for a security module in the
\[oq]Pixel 6\[cq] smartphone {Pixel 6 Security Blog}. This attention and interest
potentially signals a shift towards increased demand for and utility
in open hardware for privacy, security or economic reasons. Another
poignant example of open hardware is the laptop created by the
manufacturer Framework Computer Inc, which is designed to be more
expandable, serviceable and repairable than other laptops available on
the market. The company and laptop gained significant media coverage
{Financial Times right to repair}{Wirecutter Framework} showing an
interest from the public in open hardware. An
argument can be made that such projects are for niche interest groups
only and that such solutions will never see the commercial success
seen by the larger, non-open manufacturers.
However, the clear adoption of standards such as RISC-V by large
institutions demonstrates quite the opposite: that open hardware will
continue to become increasingly prevalent and that currently popular
hardware with its susceptibility to surveillance will possibly have a
reduced presence in the future.

Movement towards open standards in both hardware and software
reveals a problem for law enforcement
agencies and counterterrorism forces. The tools of mass surveillance
that once enabled investigation into crime or terror such as reading
messages and e-mails, listening to calls or tracking location
may no longer be effective, thereby potentially
preventing such investigation to occur. For governments, this is
arguably the result of such heavy surveillance in the first place.
It is clear that knowledge such as the 2013 Snowden leaks had an impact
on the public and people are thereby more interested in
their privacy and preventing surveillance. Around the world,
individuals use tools to increase their privacy and anonymity when
using the Internet as well as to overcome censorship of information
by governments. A major exception to the availability of the free
Internet has been China, where the government has unparalleled  and
unprecedented control over the flow of information over the Internet.
This has allowed the filtering of content, prevention from accessing
sites, and the blocking of the anonymity network Tor which would allow
users to circumvent measures put in place by the government
{firewall}{talbot tor china}{winter china tor}. Measures in China have
enabled the government to tightly control and monitor the flow of
information via the Internet; ensuring that citizens can only access
that which the ruling party should allow. Whether such draconian
measures could even be implemented in the more democratic West is
questionable, but the opportunity clearly exists for governments to
undermine the digital privacy of their citizens. Any such measures,
however, will face scrutiny from the media and public in Western
society and thereby open software such as Tor is used to freely share
significant amounts of information away from the observation of law
enforcement, allowing illegal activity to occur {gulati}. The reduced
ability for law enforcement to investigate crime will clearly have an
impact by allowing criminals to act with additional impunity. In
particular, the sharing of child sexual abuse material, trafficking and
other such crimes that are enabled by the Internet present reason for
concern.

It is, however, clear that the methods available to law enforcement are
not all exhausted due to technological change. Social engineering
methods; communications traffic analysis such as phone records;
metadata analysis from the underlying infrastructure of the Internet,
including public blockchains and Internet Service Provider data; and
traditional methods, such as searching for contraband goods are all
available to law enforcement despite measures used by criminals or
terrorists such as encryption. Indeed, one could argue that the
limitations on law enforcement investigations due to technology have a
limited impact on the efficacy of investigation, as other sources of
evidence have been effectively explored when encryption has been used,
particularly in the prevention of terror {Graham}. Thus, encryption
might only have a limited impact on law enforcement investigations
whilst having a serious impact on user privacy. Although encryption
can prevent some investigation the compromise is arguably acceptable
due to the net benefit encryption offers to society.

The rate of development in unconventional computing
methods is increasing rapidly. Effective quantum computing will
result in existing popular cryptographic algorithms such as RSA, which
is used for communications and digital signatures, no longer being
secure {Lily Chen quantum 2016}. 
Significant research in recent years has shown
feasibility in current ideas surrounding quantum computing and
promising results in development towards quantum supremacy and the
future breakdown of current cryptographic methods.
Indeed, both in the US at Google {google supremacy nature} and in China
at a major university
{china quantum advantage}{science photons quantum advantage},
claims of \[oq]quantum supremacy\[cq] have been made,
suggesting that quantum computers will soon
become powerful enough to start making current encryption methods
obsolete.
Although this will not be an overnight transformation, changes
will be made by those implementing cryptography, both in the open
source space and in industry, as well as in government where
government agencies must act in order to protect their data. This
change will take place naturally and some have begun to
consider methods for post-quantum cryptography {nist alagic}. 
Regulatory considerations about post-quantum cryptography are already
being made and arguments can be made that regulation should soon be written
that institutes standards and requirements in order to prepare for a
future with effective quantum computing {bruno post quantum}. Once
more, however, an issue reveals itself with the incongruity between
the speed of regulatory
change and the progress of technology. Changes will likely be made by
open software in order to maintain secure encryption, such as those
used by the open source web servers to encrypt Internet traffic, as
well as by large corporations such as Microsoft which provides
software used by many businesses and individuals. An issue may exist
in software that is less popular and legacy software which may not be
open to the scrutiny of open software and may lead to
vulnerabilities. Furthermore, the usage of post-quantum cryptography
by the public and the potential that it may help terrorists and
criminals to communicate might not be addressed in any meaningful way.
The lack of high level interest, initiative or funding from
governments has arguably prompted more independent development in the
public sphere:
the US National
Institute of Standards and Technology (NIST) made a public request for
nominations of post-quantum cryptographic algorithms {call for
proposals}, leading
to standards that will clearly influence future lawmaking.
This adoption of open processes and the
open auditing and implementation of future cryptographic standards is
most striking when compared with the \fIDual_EC_DRBG\fR algorithm.
This algorithm, which contained a vulnerability, was included in NIST
standards. The vulnerability allowed the NSA to potentially decrypt
Internet traffic such as e-mails. The NSA also allegedly paid
the firm RSA Security in order to implement the algorithm with its
backdoor in their
popular security products {menn nsa contract} and although the NSA
denies wrongdoing there was clearly NSA involvement with the company
that remains significant in the enterprise security space {goodin rsa
denial}{perlroth government}.

Individuals around the world have clearly expressed interest in
matters of privacy and encryption and open source software
allows those with the technical skills to become involved in the
development of technology that enables strong encryption and overcomes
state surveillance. Measures taken by governments to prevent this
development will doubtless be limited unless extreme actions such as
those seen in China are taken. Otherwise, development will continue to
occur in both free and non-free societies in support of individual
freedoms. The assertion of \[oq]Linus' law\[cq] that, \[lq]given enough eyeballs,
all bugs are shallow\[rq] creates a serious inability
for actors such as governments to engineer backdoors into software as
the NSA previously has or to prevent the development of
software altogether. On the other hand, the vast
majority of the software and hardware used by the general public is
proprietary. For many, this will continue to be the norm. Yet, the
pressure from increasing popular open source software will continue to
mount. The open source messaging platform \[oq]Signal\[cq] offers a
security oriented product and publishes requests they receive from
courts and law enforcement alongside their replies online {Signal
Grand Jury}{Ars Signal}. Demonstrating their respect for user privacy and that they are unable
to release data as they do not collect it is perhaps something that
users are finding more appealing. Indeed, when Apple refused to unlock
a phone for the FBI following a terrorist attack it gained
significant media attention and demonstrated that the defence of users'
privacy was a virtue for modern businesses, regardless of the fact
that the FBI was able to unlock the phone independently, which was
rather overlooked {Cook 2016}{FBI encryption Apple Guardian}. To
users today, both those with experience and
ability in technology and to the general public, privacy is
seemingly becoming a major selling point and a significant factor in the
way individuals chose to use technology.

Modern cryptographic algorithms are theoretically secure; the
underlying concepts mean that breaking the encryption to
intercept a communication is not possible in a reasonable amount of time
with current computational limits
and is, therefore, due to the nature of the algorithm, secure. This,
however, does not consider implementational flaws. Indeed,
implementational flaws are the ways in which modern exploits of
algorithms such as RSA occur, and methods such as timing
attacks and voltage level analysis attacks, as well as memory
attacks {Wong Timing attacks}{Barenghi Low Voltage}{RSA Key Cache} have
the potential to overcome any level of theoretical sophistication that
cryptographic algorithms may have, and simply give away information
such as keys. In addition to this, there can be
implementational issues in hardware, such as the recent Spectre
vulnerability which was discovered in 2018; revealing data to
an attacker due to flaws in speculative execution which speeds up processing in
modern processors. The vulnerability allowed for the attack of
cryptographic implementations such as GPG. This is potentially even
more concerning given that processor implementations are proprietary.
This flaw, which affects practically every modern processor and
indicates the potential for vulnerability in computer hardware, could be
exploited by any party with sufficient resources. Intel has released
multiple patches for Spectre, however, there remain concerns that
there is a potential for attacks in modern processors including new
processors made after 2018, and therefore potentially a real
threat to security {kocher spectre}.

The discussion of encryption and related technologies has arguably
limited impact. State actors such as the NSA will continue to act
against individual freedoms and attempt to find or introduce backdoors
in technology that is widely used as part of its actions purportedly
in the interest of national security. Although public reactions to
information such as the 2013 Edward Snowden releases have been very
strong, they have not had significant affects on legislature, the
funding received by the NSA, and quite possibly the level of
surveillance carried out by the NSA. Thus, 
discussions in public or private spheres are unlikely to
influence decisions made inside already secretive agencies where
governments are ready to accept that sacrifices must be made for the
greater good. Of course, the issue arises when surveillance exists
that does not exist simply to protect a nation, but instead mass,
indiscriminate surveillance is carried out on citizens not suspected
of any criminal or terrorist activity such as the Tempora
programme in the United Kingdom {guardian fibre-optic},
however governments nonetheless
prove willing to fund the activities of surveillance agencies and will
seemingly continue to do so regardless of public opinion.

.HLINE

The executive summary of the 9/11 Commission Report {#9/11 commission
report} describes the September 2001 terrorist attacks as \[oq]a shock,
not a surprise\[cq]. In a similar light, the release of information
relating to mass surveillance and mishandling of data such as the 2013
Edward Snowden releases ought to also be potentially considered a
shock, not a surprise, given the level of data that both governments
and private organisations have access to and responsibility for.
Encryption enables people to trust companies and governments with
the handling of communications
such as e-mails and enables companies to be able to work with law
enforcement without compromising user privacy as encrypted data
cannot be read and is therefore useless to authorities.
The free market in the West
arguably has moved itself towards encrypted standards. Open source
initiatives have pioneered free implementations of secure
cryptographic standards, allowing any user to use these tools directly
in order to send information, such as the popular PGP
implementation GPG. Additionally, the open implementation of
cryptographic tools enables developers to integrate secure versions of
these tools into new programs, allowing for the easy development of
programs that allow encrypted communications. The demand for
cryptography in less popular open source applications is arguably
expected, yet there is nonetheless widespread adoption in more popular
software and proprietary software. Companies such as Facebook have
pushed for end-to-end encryption in their products and the software
industry at large has adopted encrypted standards such as
\f[R]HTTPS\fR. 
The largest source of resistance to encryption is government
intervention. Government positions around the world which are opposed
to encryption seemingly have double standards. Just as the Enigma and
Lorentz machines were critical to the Nazi war effort in order to
conduct critical communications and the breaking of those ciphers were
critical to the Allies, encryption remains critical to government
communications and state sponsored espionage. Governments maintain up
to date cryptographic systems in order to keep their own
secure, yet fight hard against encryption in the name
of national security. In some ways this is a valid
argument: the availability of cryptography arguably lowers the
barrier to entry for terror or crime and reduces the ability law
enforcement has to deal with it. Nonetheless, it seems that reducing
the availability of encryption to the public would not decrease the
opportunity for criminals or terrorists to do harm.

Often we see two possible future realities: one with a perfect
surveillance state and police state ruled by fear and one with ultimate privacy and
total encryption. Both are open to significant abuse with those acting
on behalf of the ruling state violating the privacy, basic freedoms
and rights of the people in the former. In the latter criminals are able to use
technology both to hide their activities and enable their crimes
without fear of police interference; creating a near anarchic
existence. It seems that in the West, representations of the former in
dystopian cultural works such as those by George Orwell 
or Margaret Atwood and journalistic coverage of
government surveillance and oppression in China form our view against
highly invasive state surveillance. Yet media coverage of criminals
and terrorists using technology and encryption, particularly following
events of terror; media and government discussing the risks of
technology; and the coverage of law enforcement using surveillance
tools to stop criminals shape our view of the latter scenario. I feel,
however, that this is a fallacious dichotomy that we have collectively
created. In the West, it seems that we have come too far for complete
surveillance to be effectively implemented, as the tools to overcome
such a regime already exist and there is a widespread sentiment of
resistance amongst the public and in governments and courts against
such invasive measures. Yet, even in a world of widespread encryption,
governments and law enforcement would demonstrably still be able to
conduct surveillance and investigation at some level. It is clear that
in the Internet age, it is no longer as easy to disguise or hide the
truth as it once was. Information has been shown extremely powerful in
subverting totalitarianism {Nicholson Cold War broadcast} and due to the
Internet regimes are less and less able to manipulate the truth. I
feel that the most interesting developments in the near future will be
how the Chinese government and people will react to developments in
technology and if the current state of surveillance, censorship and
propaganda will prevail as well as developments relating to encryption
and surveillance in the developing world wherever information
technology has not yet been widely available. In the West it seems
that a reasonable understanding is that being able to use encryption and
live without fear of ongoing surveillance relies on a people's will to
do so and enact such ideas in their own behaviour, even if certain
societal risks are accepted alongside that.

Our fear of crime and terror is justified but it seems that crime and
terror will find ways of existing regardless of policy that is not
excessively draconian. Terrorists are sometimes untrusting of modern
technology and prefer simply to meet in person, outside of the reach
of surveillance or Sigint. To fight crime and terror, it seems we must
turn to their root causes and ensure that ongoing deliberation and
logical dialectic on these complex issues shape policy in a manner
more informed and logical than simply engaging in such paranoid
measures as total mass surveillance or making encryption illegal or
difficult to access for the public.

.nr HY 0
.ad l