path: root/paper.ms

.R1
short-label D.y
sort
.R2
.TL
\fBCryptography, crime, terror, and surveillance
.AU
\f[R]Mohit Agarwal
.AI
March 2022
.LP
Modern encryption methods permit a level of privacy in communication
that has not before been seen: information that is encrypted cannot be
decrypted without the necessary keys, with algorithms such as RSA
where security is ensured by the large primes involved and the current
intractability of prime factorisation. This allows for communication
that is practically guaranteed to be private; a relatively new
phenomenon in communications. In the past, this has been seen with the
one-time pad {Rijmenants} which was cryptographically secure and used
by both the KGB and NSA, well beyond the use of the Enigma and Lorentz
machines by the Nazis which were both decrypted through cryptanalysis
methods during the Second World War. Today, however, secure
cryptographic methods are used not only by government backed agencies
in preventing or practising espionage, but by individual citizens who
are interested in their privacy, security, or are simply using a
computer program that happens to encrypt their communications.
Naturally, current availability of cryptography potentially allows
malicious actors such as criminals or terrorists to use encryption in
order to commit crimes or acts of terror. In response to the threats
of encryption and communications technology generally, governments
have engaged in signals intelligence (Sigint) such as phone line
tapping. Modern Sigint initiatives have become rather complex and
sophisticated and have grown greatly alongside the popular adoption of
information technology. Part of government interest in Sigint is a
direct response to perceived threats, such as the PATRIOT Act in the
United States which followed the 2001 terrorist attacks with the
objective of strengthening national security {PATRIOT ACT Congress}.
Later, the FISA Amendments Act of 2008 further increased the powers of
law enforcement to access information, such as allowing the Attorney
General and Director of National Intelligence to gather information
about individuals outside the United States {H.R. FISA congress}. It
was, however, the PATRIOT Act and FISA Amendments Act that was the
justification for large scale surveillance including the government
access of phone calls records of customers of the Verizon network,
including calls from the United States to other states as well as
calls localised entirely within the United States {guardian greenwald
verizon}{guardian NSA roberts}{times savage 2013}. State sponsored
Sigint programmes such as that in the United States aims to respond to
encryption and other technological developments with the primary
interest of overcoming it in order to prevent terror and crime. These
measures have, however, had arguably limited effectiveness and have
violated the privacy of individuals who are not suspected to be a
threat to national security. Responses to encryption will have
significant consequences, given the potential importance of the
information being communicated and the prevalence of electronic
communication methods. Successful Sigint and cryptanalysis by
government agencies can respond to modern threats of crime and terror.
A failure of responsible governance, however, may not only threaten
the privacy of individuals unnecessarily but also fail to respond to
the ways in which criminals and terrorists are using encryption,
existing thereby only as a tool of authoritarian control.

An argument is often made against allowing widespread use of
encryption and generally against widespread effective operations
security (OPSEC) in the public sector in the interest of national
security and the prevention of terror. With access to communications
and usage history, governments can gather significant information on
terrorists and use this intelligence against terrorists. It is clear
that intelligence and surveillance play a significant role in
counterterrorism. The 9/11 terrorist attacks are seen potentially as a
phenomenal failure of intelligence as detailed in The 9/11 Commission
report {#9/11 commission report}. The report explores the fact that
there was potentially knowledge to indicate a terrorist attack before
September 2001 (chapter 8). The report details institutional failures
and also emphasised the difficulty and importance of intelligence in
counterterrorism {intelligence and national security}. Graham{#CTC
terrorists} explores the use of encryption by terrorists which is
often cited as a reason for giving governments access to unencrypted
Internet communications so that suspicious activity can be flagged and
investigated in order to prevent a terror attack or in order to better
respond in the case of an attack. Graham describes the extensive use
of end-to-end encryption by terrorists in order to avoid interception
by the authorities. Due to U.S. usage of intercepted communications to
uncover and prevent a number of al-Qaeda plots, the terrorist
organisation and other terrorist groups have increasingly used
encrypted communications. A significant factor is the use of
non-mainstream software in the early use of encryption by terrorists,
including a program that built a wrapper around the popular, secure,
and open source PGP called \fIMujahedeen Secrets\fR by al-Qaeda.
Although now terrorists and criminals use widely available, popular,
and user-friendly software such as the Tails operating system or
Telegram, terrorist organisations have shown an ability to make use of
more obscure and complicated systems, as well as to use publicly
available source code in order to construct software for operatives to
use.

Although the issue of popular messaging technologies and their support
for end-to-end encryption is often discussed, the argument that the
introduction of end-to-end encryption by large companies such as
Facebook gives an advantage to criminals {conversation Facebook}{home
office} is arguably an invalid one. By preventing the usage of true
end-to-end encryption in industry, we will not be able to prevent
those attempting to evade the law from doing so, as shown in the case
of terrorist organisations who have used more obscure software in the
past and also in the case of the abundance of illegal activity that
occurs on the so-called \[oq]dark web\[cq] in the form of the trade of
drugs and child pornography among others {gulati deep web}. Instead,
the limitation of use of encryption on popular software will only
decrease the privacy of those uninterested in criminal activity and
instead using more popular software without regard for its security
features or lack thereof. The information exposed by Edward Snowden in
2013 demonstrates that the US government has processed and collected
vast amounts of unencrypted data and possibly continues to do so. In
the case of unencrypted communication, the problem remains and
preventing end-to-end encryption will simply allow governments to
maintain the status quo of being able to intercept and read all
communications between their citizens and individuals outside of their
jurisdictions. Indeed, should end-to-end encryption continue,
perchance, to be opposed by governments both in the West and in
countries like China, it will arguably a method of allowing a
government to practise surveillance and of perpetuating a surveillance
state.

In the GDR (German Democratic Republic, also known as \[oq]East
Germany\[cq]), in order to conduct surveillance on behalf of the
ruling party {Jarausch}, the Stasi (\fIMinisterium für
Staatssicherheit\fR, or \[lq]Ministry for State Security\[rq]) relied
on a sprawling network of informants and agents. In particular,
informants \[en] who greatly outnumbered agents {Bruce 2014} \[en]
formed large parts of this network and were deeply integrated into the
fabric of society. This contributed to a far more complete
surveillance state and an atmosphere of terror amongst the people.
Whilst in Nazi Germany there may have been around one Gestapo agent
for every 2300 citizens, in the GDR it was closer to one informant or
officer for every 63 citizens. Those living in the GDR often had
experiences involving investigation by the Stasi and there was clearly
an understanding amongst citizens that one had to be wary of an
informant or agent listening in {funder}. In modern Western society,
there is a similar collective understanding that governments carry out
surveillance on a massive scale on their own citizens. A key
distinction today, however, is that this work is not carried out by a
vast network of informants, there are no kilometres of paper, and
there are no collections of film and photographs {The Federal
Archives} documenting and aiding the surveillance of the authorities.
Instead, the level of surveillance that large, secretive groups of
individuals once had to carry out in order to enable a surveillance
state can be performed through bureaucracies and technological
methods. In modern times, governments can operate with a very limited
number of operatives \[oq]on the ground\[cq] and instead focus
attention on the giant amounts of data they have for processing in
order to make the findings they intend to: be it crime, terrorism, or
\[en] as was the case in the Gestapo and Stasi \[en] dissent.

.HLINE

.LP
As has occurred with technological developments in the past,
legislation will continue to follow developments relating to
information technology, such as the General Data Protection Regulation
in the European Union which has had significant influence in the
technology industry {EUR-Lex}{Harvard Downes}. Yet encryption presents
unique challenges to lawmakers. Not only will encryption be difficult
to regulate due to its rapid development, but perhaps expressly due to
its decentralised nature, where a government cannot prevent the
existence of software that enables encryption that is open source and
reproducible internationally. Just as media piracy through torrents
and access to hidden services over Tor are able to evade regulation,
regulation of encryption may prove impossible. An arguably useful tool
to the authorities does exist in the hardware and infrastructure that
users of the Internet rely on. In the West, a small number of
companies (such as Intel, Nvidia, Arm and Apple) design and produce
the majority of hardware in a proprietary and closed source manner.

Concerns have already been expressed with regard to the Intel
Management Engine {Intel Management portnoy} that exists on modern
processors produced by Intel. Arguments have been made that the Intel
Management Engine already acts as a backdoor for government agencies
{TechRepublic backdoor}, and the potential is clearly there for US
government interests in mass data collection and Sigint following 9/11
to lead to the introduction of backdoors in popular technology. We are
aware that in the case of the Intel Management Engine a switch for
disabling functionality is present for use by US government
authorities such as the NSA, demonstrating the level of leverage the
US government potentially has over organisations including but not
limited to Intel {register kill switch}{intel me bleepingcomputer}.
The potential exists for such systems to be built into non-open
hardware which most people \[en] even those using open software \[en]
use, leaving them open to exploitation from either state or private
actors. Furthermore, there is a visible interest in increasing the
presence of technologies on the hardware level, including the
aforementioned Intel Management Engine, the Trusted Platform Module
{TPM Verge}, and recently Microsoft's Pluton {pluton goodin} subsystem
which will be present on hardware sold in the future. This variety of
hardware within a single computer is a rather interesting and
potentially worrying development, particularly with the clear level of
influence, interest, and competitiveness both the United States {US
House chip manufacturing bill} and Chinese governments have in their
respective national chip manufacturing industries. In light of
potential issues with hardware, there have been developments in
\[oq]open hardware\[cq].

RISC-V is an instruction set for processors from the University of
California at Berkeley; as opposed to Arm, Intel, and AMD processors,
RISC-V is an open standard for CPU design {case for RISC-V}. This
allows for open source CPU implementations, such as those designed at
UC Berkeley, as well as those from other parties, such as Alibaba
Group {chen risc}. A significant amount of existing software has been
ported to the RISC-V platform and alongside the Alibaba implementation
for data centres, the standard has been used by Google for a security
module in the \[oq]Pixel 6\[cq] smartphone {Pixel 6 Security Blog}.
This attention and interest potentially signals a shift towards
increased demand for and utility in open hardware for privacy,
security or economic reasons. Another poignant example of open
hardware is the laptop created by the manufacturer Framework Computer
Inc, which is designed to be more expandable, serviceable and
repairable than other laptops available on the market. The company and
laptop gained significant media coverage {Financial Times right to
repair}{Wirecutter Framework} showing an interest from the public in
open hardware. An argument can be made that such projects are for
niche interest groups only and that such solutions will never see the
commercial success seen by the larger, non-open manufacturers.
However, the clear adoption of standards such as RISC-V by large
institutions demonstrates quite the opposite: that open hardware will
continue to become increasingly prevalent and that currently popular
hardware with its susceptibility to surveillance will possibly have a
reduced presence in the future.

Movement towards open standards in both hardware and software reveals
a problem for law enforcement agencies and counterterrorism forces.
The tools of mass surveillance that once enabled investigation into
crime or terror such as reading messages and e-mails, listening to
calls or tracking location may no longer be effective, thereby
potentially preventing such investigation to occur. For governments,
this is arguably the result of such heavy surveillance in the first
place. It is clear that knowledge such as the 2013 Snowden leaks had
an impact on the public and people are thereby more interested in
their privacy and preventing surveillance. Around the world,
individuals use tools to increase their privacy and anonymity when
using the Internet as well as to overcome censorship of information by
governments. A major exception to the availability of the free
Internet has been China, where the government has unparalleled  and
unprecedented control over the flow of information over the Internet.
This has allowed the filtering of content, prevention from accessing
sites, and the blocking of the anonymity network Tor which would allow
users to circumvent measures put in place by the government
{firewall}{talbot tor china}{winter china tor}. Measures in China have
enabled the government to tightly control and monitor the flow of
information via the Internet; ensuring that citizens can only access
that which the ruling party should allow. Whether such draconian
measures could even be implemented in the more democratic West is
questionable, but the opportunity clearly exists for governments to
undermine the digital privacy of their citizens. Any such measures,
however, will face scrutiny from the media and public in Western
society and thereby open software such as Tor is used to freely share
significant amounts of information away from the observation of law
enforcement, allowing illegal activity to occur {gulati}. The reduced
ability for law enforcement to investigate crime will clearly have an
impact by allowing criminals to act with additional impunity. In
particular, the sharing of child sexual abuse material, trafficking
and other such crimes that are enabled by the Internet present reason
for concern.

It is, however, clear that the methods available to law enforcement
are not all exhausted due to technological change. Social engineering
methods; communications traffic analysis such as phone records;
metadata analysis from the underlying infrastructure of the Internet,
including public blockchains and Internet Service Provider data; and
traditional methods, such as searching for contraband goods are all
available to law enforcement despite measures used by criminals or
terrorists such as encryption. Indeed, one could argue that the
limitations on law enforcement investigations due to technology have a
limited impact on the efficacy of investigation, as other sources of
evidence have been effectively explored when encryption has been used,
particularly in the prevention of terror {Graham}. Thus, encryption
might only have a limited impact on law enforcement investigations
whilst having a serious impact on user privacy. Although encryption
can prevent some investigation the compromise is arguably acceptable
due to the net benefit encryption offers to society.

The rate of development in unconventional computing methods is
increasing rapidly. Effective quantum computing will result in
existing popular cryptographic algorithms such as RSA, which is used
for communications and digital signatures, no longer being secure
{Lily Chen quantum 2016}. Significant research in recent years has
shown feasibility in current ideas surrounding quantum computing and
promising results in development towards quantum supremacy and the
future breakdown of current cryptographic methods. Indeed, both in the
US at Google {google supremacy nature} and in China at a major
university {china quantum advantage}{science photons quantum
advantage}, claims of \[oq]quantum supremacy\[cq] have been made,
suggesting that quantum computers will soon become powerful enough to
start making current encryption methods obsolete. Although this will
not be an overnight transformation, changes will be made by those
implementing cryptography, both in the open source space and in
industry, as well as in government where government agencies must act
in order to protect their data. This change will take place naturally
and some have begun to consider methods for post-quantum cryptography
{nist alagic}. Regulatory considerations about post-quantum
cryptography are already being made and arguments can be made that
regulation should soon be written that institutes standards and
requirements in order to prepare for a future with effective quantum
computing {bruno post quantum}. Once more, however, an issue reveals
itself with the incongruity between the speed of regulatory change and
the progress of technology. Changes will likely be made by open
software in order to maintain secure encryption, such as those used by
the open source web servers to encrypt Internet traffic, as well as by
large corporations such as Microsoft which provides software used by
many businesses and individuals. An issue may exist in software that
is less popular and legacy software which may not be open to the
scrutiny of open software and may lead to vulnerabilities.
Furthermore, the usage of post-quantum cryptography by the public and
the potential that it may help terrorists and criminals to communicate
might not be addressed in any meaningful way. The lack of high level
interest, initiative or funding from governments has arguably prompted
more independent development in the public sphere: the US National
Institute of Standards and Technology (NIST) made a public request for
nominations of post-quantum cryptographic algorithms {call for
proposals}, leading to standards that will clearly influence future
lawmaking. This adoption of open processes and the open auditing and
implementation of future cryptographic standards is most striking when
compared with the \fIDual_EC_DRBG\fR algorithm. This algorithm, which
contained a vulnerability, was included in NIST standards. The
vulnerability allowed the NSA to potentially decrypt Internet traffic
such as e-mails. The NSA also allegedly paid the firm RSA Security in
order to implement the algorithm with its backdoor in their popular
security products {menn nsa contract} and although the NSA denies
wrongdoing there was clearly NSA involvement with the company that
remains significant in the enterprise security space {goodin rsa
denial}{perlroth government}.

Individuals around the world have clearly expressed interest in
matters of privacy and encryption and open source software allows
those with the technical skills to become involved in the development
of technology that enables strong encryption and overcomes state
surveillance. Measures taken by governments to prevent this
development will doubtless be limited unless extreme actions such as
those seen in China are taken. Otherwise, development will continue to
occur in both free and non-free societies in support of individual
freedoms. The assertion of \[oq]Linus' law\[cq] that, \[lq]given
enough eyeballs, all bugs are shallow\[rq] creates a serious inability
for actors such as governments to engineer backdoors into software as
the NSA previously has or to prevent the development of software
altogether. On the other hand, the vast majority of the software and
hardware used by the general public is proprietary. For many, this
will continue to be the norm. Yet, the pressure from increasing
popular open source software will continue to mount. The open source
messaging platform \[oq]Signal\[cq] offers a security oriented product
and publishes requests they receive from courts and law enforcement
alongside their replies online {Signal Grand Jury}{Ars Signal}.
Demonstrating their respect for user privacy and that they are unable
to release data as they do not collect it is perhaps something that
users are finding more appealing. Indeed, when Apple refused to unlock
a phone for the FBI following a terrorist attack it gained significant
media attention and demonstrated that the defence of users' privacy
was a virtue for modern businesses, regardless of the fact that the
FBI was able to unlock the phone independently, which was rather
overlooked {Cook 2016}{FBI encryption Apple Guardian}. To users today,
both those with experience and ability in technology and to the
general public, privacy is seemingly becoming a major selling point
and a significant factor in the way individuals chose to use
technology.

Modern cryptographic algorithms are theoretically secure; the
underlying concepts mean that breaking the encryption to intercept a
communication is not possible in a reasonable amount of time with
current computational limits and is, therefore, due to the nature of
the algorithm, secure. This, however, does not consider
implementational flaws. Indeed, implementational flaws are the ways in
which modern exploits of algorithms such as RSA occur, and methods
such as timing attacks and voltage level analysis attacks, as well as
memory attacks {Wong Timing attacks}{Barenghi Low Voltage}{RSA Key
Cache} have the potential to overcome any level of theoretical
sophistication that cryptographic algorithms may have, and simply give
away information such as keys. In addition to this, there can be
implementational issues in hardware, such as the recent Spectre
vulnerability which was discovered in 2018; revealing data to an
attacker due to flaws in speculative execution which speeds up
processing in modern processors. The vulnerability allowed for the
attack of cryptographic implementations such as GPG. This is
potentially even more concerning given that processor implementations
are proprietary. This flaw, which affects practically every modern
processor and indicates the potential for vulnerability in computer
hardware, could be exploited by any party with sufficient resources.
Intel has released multiple patches for Spectre, however, there remain
concerns that there is a potential for attacks in modern processors
including new processors made after 2018, and therefore potentially a
real threat to security {kocher spectre}.

The discussion of encryption and related technologies has arguably
limited impact. State actors such as the NSA will continue to act
against individual freedoms and attempt to find or introduce backdoors
in technology that is widely used as part of its actions purportedly
in the interest of national security. Although public reactions to
information such as the 2013 Edward Snowden releases have been very
strong, they have not had significant affects on legislature, the
funding received by the NSA, and quite possibly the level of
surveillance carried out by the NSA. Thus, discussions in public or
private spheres are unlikely to influence decisions made inside
already secretive agencies where governments are ready to accept that
sacrifices must be made for the greater good. Of course, the issue
arises when surveillance exists that does not exist simply to protect
a nation, but instead mass, indiscriminate surveillance is carried out
on citizens not suspected of any criminal or terrorist activity such
as the Tempora programme in the United Kingdom {guardian fibre-optic},
however governments nonetheless prove willing to fund the activities
of surveillance agencies and will seemingly continue to do so
regardless of public opinion.

.HLINE

The executive summary of the 9/11 Commission Report {#9/11 commission
report} describes the September 2001 terrorist attacks as \[oq]a
shock, not a surprise\[cq]. In a similar light, the release of
information relating to mass surveillance and mishandling of data such
as the 2013 Edward Snowden releases ought to also be potentially
considered a shock, not a surprise, given the level of data that both
governments and private organisations have access to and
responsibility for. Encryption enables people to trust companies and
governments with the handling of communications such as e-mails and
enables companies to be able to work with law enforcement without
compromising user privacy as encrypted data cannot be read and is
therefore useless to authorities. The free market in the West arguably
has moved itself towards encrypted standards. Open source initiatives
have pioneered free implementations of secure cryptographic standards,
allowing any user to use these tools directly in order to send
information, such as the popular PGP implementation GPG. Additionally,
the open implementation of cryptographic tools enables developers to
integrate secure versions of these tools into new programs, allowing
for the easy development of programs that allow encrypted
communications. The demand for cryptography in less popular open
source applications is arguably expected, yet there is nonetheless
widespread adoption in more popular software and proprietary software.
Companies such as Facebook have pushed for end-to-end encryption in
their products and the software industry at large has adopted
encrypted standards such as \f[R]HTTPS\fR. The largest source of
resistance to encryption is government intervention. Government
positions around the world which are opposed to encryption seemingly
have double standards. Just as the Enigma and Lorentz machines were
critical to the Nazi war effort in order to conduct critical
communications and the breaking of those ciphers were critical to the
Allies, encryption remains critical to government communications and
state sponsored espionage. Governments maintain up to date
cryptographic systems in order to keep their own secure, yet fight
hard against encryption in the name of national security. In some ways
this is a valid argument: the availability of cryptography arguably
lowers the barrier to entry for terror or crime and reduces the
ability law enforcement has to deal with it. Nonetheless, it seems
that reducing the availability of encryption to the public would not
decrease the opportunity for criminals or terrorists to do harm.

Often we see two possible future realities: one with a perfect
surveillance state and police state ruled by fear and one with
ultimate privacy and total encryption. Both are open to significant
abuse with those acting on behalf of the ruling state violating the
privacy, basic freedoms and rights of the people in the former. In the
latter criminals are able to use technology both to hide their
activities and enable their crimes without fear of police
interference; creating a near anarchic existence. It seems that in the
West, representations of the former in dystopian cultural works such
as those by George Orwell or Margaret Atwood and journalistic coverage
of government surveillance and oppression in China form our view
against highly invasive state surveillance. Yet media coverage of
criminals and terrorists using technology and encryption, particularly
following events of terror; media and government discussing the risks
of technology; and the coverage of law enforcement using surveillance
tools to stop criminals shape our view of the latter scenario. I feel,
however, that this is a fallacious dichotomy that we have collectively
created. In the West, it seems that we have come too far for complete
surveillance to be effectively implemented, as the tools to overcome
such a regime already exist and there is a widespread sentiment of
resistance amongst the public and in governments and courts against
such invasive measures. Yet, even in a world of widespread encryption,
governments and law enforcement would demonstrably still be able to
conduct surveillance and investigation at some level. It is clear that
in the Internet age, it is no longer as easy to disguise or hide the
truth as it once was. Information has been shown extremely powerful in
subverting totalitarianism {Nicholson Cold War broadcast} and due to
the Internet regimes are less and less able to manipulate the truth. I
feel that the most interesting developments in the near future will be
how the Chinese government and people will react to developments in
technology and if the current state of surveillance, censorship and
propaganda will prevail as well as developments relating to encryption
and surveillance in the developing world wherever information
technology has not yet been widely available. In the West it seems
that a reasonable understanding is that being able to use encryption
and live without fear of ongoing surveillance relies on a people's
will to do so and enact such ideas in their own behaviour, even if
certain societal risks are accepted alongside that.

Our fear of crime and terror is justified but it seems that crime and
terror will find ways of existing regardless of policy that is not
excessively draconian. Terrorists are sometimes untrusting of modern
technology and prefer simply to meet in person, outside of the reach
of surveillance or Sigint. To fight crime and terror, it seems we must
turn to their root causes and ensure that ongoing deliberation and
logical dialectic on these complex issues shape policy in a manner
more informed and logical than simply engaging in such paranoid
measures as total mass surveillance or making encryption illegal or
difficult to access for the public.

.nr HY 0
.ad l