path: root/paper.ms

.R1
short-label D.y
sort
.R2
.TL
Cryptography, crime, terror, and surveillance
.AU
\f[TI]Mohit Agarwal
.AI
February 2022
.LP
Modern encryption methods allow a level of privacy in communication
that has not before been seen: information that is encrypted cannot be
decrypted without the necessary keys, which in the case of RSA is
ensured by the large primes involved and the current intractability of
large prime factorisation. This allows for communication that is
practically guaranteed to be private: a relatively new phenomenon in
communications, seen with inventions such as the one-tme pad {Rijmenants} (cite)
which was cryptographically secure and used by the both the KGB and
NSA (cite), beyond the use of the Enigma and Lorentz machines by the
Nazis which were both of which were decrypted by cryptanalysis methods
during the Second World War. Today, secure cryptographic methods are
used not only by government backed agencies in preventing or
practising espionage, but by individual citizens who are interested in
their privacy, security, or are simply using a program that happens to
encrypt their communications. Naturally, current availability of
cryptography potentially allows for malicious actors such as criminals
or terrorists to use encryption in order to commit crimes or acts of
terror.
In
response to the threats of encryption and communications technology
generally, governments have often engaged in signals intelligence
(SIGINT) such as phone line tapping. Modern SIGINT initiatives have
become incredibly complex and sophisticated and have grown greatly as
popular adoption of technology has grown. Part of government interest
in SIGINT is a direct response to perceived threads, such as the
PATRIOT Act in the US which followed the 2001 terrorist attacks with
the objective of strengthening national security (cite). Later, the
FISA Amendments Act of 2008  further increased increased the powers of
law enforcement to access information, such as allowing the Attorney
General and Director of National Intelligence to provide information
about individuals outside the United States {H.R. FISA congress}. It was,
however, the PATRIOT Act and FISA Amendments Act that was the
justification for large scale surveillance including the records of
phone calls of customers of the Verizon network, including calls from
the US to other states as well as calls localised entirely within the
US {guardian greenwald verizon}{guardian NSA roberts}{times savage
2013}. State sponsored SIGINT programmes such as that in the US aims
to respond to encryption and other technological developments with the
primary interest of overcoming it in order to prevent terror and
crime. These measures have, however, had arguably limited
effectiveness and have violated the privacy of individuals who are
not suspected of being a threat to national security. Responses to
encryption domestically and internationally will have significant
consequences, given the potential importance of the information being
communicated. Successful SIGINT and cryptanalysis by government
agencies can successfully respond to modern threats of crime and
terror. A failure of responsible governance, however may not only
threaten the privacy of individuals unnecessarily, but also fail to
respond to the ways in which criminals and terrorists are using
encryption existing thereby only as a tool of authoritarian control.

An argument is often made against allowing widespread use of
encryption and generally against widespread effective operations
security (OPSEC) in the public sector in the interest of
national security, and the prevention of terror. With access to
communications and usage history governments can gather significant
information on terrorists and use this intelligence against
terrorists. It is clear that intelligence plays a significant role in
counterterrorism. The 9/11 terrorist attacks are seen potentially as a
phenomenal failure of intelligence as detailed in The 9/11 Commission
report {#9/11 commission report}. The report explores the fact that
there was potentially knowledge to indicate a terrorist attack before
September 2001 (chapter 8). The report detailed institutional failures
and also emphasised the difficulty and importance of intelligence in
counterterrorism {intelligence and national security}. Graham{#CTC
terrorists} explores the use of encryption by terrorists which is
often cited in a reason for giving governments access to unencrypted
Internet communications so that suspicious activity can be flagged and
investigated in order to prevent a terror attack or in order to better
respond in the case of an attack. Graham describes the extensive use
of end to end encryption used by terrorists in order to avoid
interception by the authorities. Due to U.S. usage of intercepted
communications to uncover and prevent a number of al-Qa'ida plots, the
terrorist organisation and other terrorist groups have increasingly
used encrypted communications (read citation from Graham). An
significant factor is the use of non-mainstreams software in early use
of encryption by terrorists, including a program that built a wrapper
around the popular, secure, and open source PGP called \fIMujahedeen
secrets\fR. Although now terrorists and criminals use widely
available, popular, and user-friendly software such as the Tails
operating system or Telegram (Graham citation 28), terrorists
organisations have shown an ability to make use of more obscure and
complicated systems, as well as use publicly available source code in
order to construct software for operatives to use.

Although the issue of popular messaging technologies and their support
for 'end-to-end encryption' is often discussed, the argument that the
introduction of end-to-end encryption by large companies such as
Facebook gives an advantage to criminals {conversation Facebook}{home
office} is arguably an entirely invalid one. By preventing the usage
of true end-to-end encryption in industry, we will not be able to
prevent those attempting to evade the law from doing so, as shown in
the case of terrorist organisations who have used more obscure
software in the past and also in the case of the abundance of illegal
activity that occurs on the so called dark web in the form of the
trade of drugs and child pornography among others {gulati deep web}. Instead the
limitation of use of encryption on popular software will only decrease
the privacy of those uninterested in criminal activity and instead
using technology to communicate. In the case of platforms such as
Instagram (which is owned by Facebook) it is quite clear that the vast
majority of communications (cite) will not contain anything illegal
(reword) and that it is these conversations that will suffer from a
lack of encryption. The information exposed by Edward Snowden in 2013
demonstrates that the US government has processed and collected vast
amounts of unencrypted data (cite) and possibly continues to do so. In
the case of unencrypted communication the problem remains and preventing
end to end encryption will simply allow governments to maintain the
status quo of being able to intercept and read all communications
between its citizens and individuals outside of their jurisdictions.

In order to conduct the vast amounts of surveillance they did in the
GDR (German Democratic Republic) in support of the ruling party
{Jarausch}, the Stasi gathered information from a vast network of
informants who greatly outnumbered Stasi agents {Bruce 2014}. Whilst
in Nazi Germany there may have been around one Gestapo agent for every
2300 citizens, in the GDR it was closer to one informant or officer for
every 63 citizens. Those living in the GDR often had experiences
involving investigation by the Stasi and there was clearly an
understanding amongst citizens {funder} of the GDR that one had to be
wary of an informant or agent listening in. In modern western society
there is a similar collective understanding that governments
attempting to carry out surveillance on a massive scale on their own
citizens. A key distinction, however, is that in societies such as the
UK, this work is not carried out by a vast network of informants,
there are no gargantuan gargantuan stores of paper, and there are no
hundreds of miles of film (cite all) documenting and aiding the
surveillance of the authorities. Instead, the level of surveillance
that large, secretive groups of individuals once had to carry out in
order to enable a surveillance state can be performed instead through
bureaucracies and technological methods. In modern times, governments
can operate with a very limited number of operatives `on the ground`,
and instead focus attention on the giant amounts of data they have for
processing in order to make the findings they intend to: be it crime,
terrorism, or - as was the case with the Gestapo and Stasi - descent.

As with any technology, regulation has followed behind technological
development. Just as automotive regulation
followed the increase in popularity of cars in areas such as the UK
and US, regulation will no doubt follow the newfound popularity of
The rate of change with modern
technology, particularly encryption, is far greater than has been seen
in the past. Not only will encryption be difficult to regulate due to
its rapid development, but 
perhaps moreso due to its decentralised nature, where a government
cannot prevent the existence of software that enables encryption which
is open source and reproducible internationally. Just as media piracy
through torrents and access to hidden services over Tor are able to
evade regulation, regulation of encryption may prove
impossible. An arguably useful tool to the authorities does exist in
the hardware and infrastructure that users of the internet rely on.
The vast majority (cite) of users in the foreseeable future
will continue to use the highly popular CPUs designed by Intel in the
personal computer space.

Concerns have already been expressed with regard to
the Intel Management Engine {Intel Management portnoy} that exists on
modern processors produced by Intel.
Arguemnts have been made that the Intel Management Engine already acts
as a backdoor for government agencies (cite), and the potential is
clearly there for US government interests in mass data collection and
SIGINT following 9/11 to lead to the introduction of backdoors in
popular technology.
We are aware that in the case of
the Intel Management there was potentially an ability for it to be
disabled by US government authorities such as the NSA, demonstrating a
level of leverage the US government potentially has over organisations
including but not limited to Intel {register kill switch}{intel me
bleepingcomputer}.

Regardless of the level of influence governments might or
might not hold over private corporations, the potential exists for
systems built into non-open hardware which most people, even those
using open software, leaving them more open to exploitation from
either state or private actors. Furthermore, there is a visible
interest in increasing the presence of technologies on the hardware
level, including the aforementioned Intel Management Engine, the
Trusted Platform Module (cite), and recently Microsoft's Pluton (cite)
subsystem, which will be present on hardware sold in the future. This
variety of hardware within a single computer is a rather interesting
and potentially worrying development, particularly with the clear
level influence, interest, and competitiveness both the US {US House
chip manufacturing bill} and Chinese governments (cite) are
respectively showing (the US and China are the two largest chip
manufacturers (cite, reword)). In light of potential issues with
hardware in a privacy sense, there have been developments in `open
hardware'.

RISC V is an instruction set for processors from the University of
California, Berkeley; opposed to ARM, Intel, and AMD, RISC V is an open
standard. This allows for open source CPU designs, such as
those designed at UC Berkeley, as well as those from other parties,
such as Alibaba Group (cite all). A significant amount of existing
software has been ported to the RISC V platform (cite) and been
implemented commercially by companies such as Google, for a security
module in the `Pixel 6' smartphone (cite). This attention and interest
in the technology potentially indicates a shift in attitude and want
for more open hardware and a general concern for the source of
computing equipment. Examples, such as a laptop created by the
manufacturer Frame Work Inc which aims to be more expandable,
serviceable and repairable then existing laptops, gaining significant
media coverage (cite) further show an interest from the public in open
hardware. An argument can be made that such projects are for niche
interest groups only, and that such solutions will never see the
commercial success seen by the larger, non-open manufacturers such as
Intel and ARM, however clear adoption of standards such as RISC V by
large institutions (cite) as well as the clear interest the public
have demonstrated in commercially available open solutions (research,
cite) demonstrate quite the opposite: that open hardware will continue
to become increasingly prevalent and that currently popular hardware
with its susceptibility to surveillance will possibly start to
disappear. 

A shift toward open standards reveals a problem for law enforcement
agencies and counterterrorism forces. The tools of mass surveillance
that once enabled investigation into crime or terror such as reading
messages/emails, listening to calls, tracking location, or analysing
metadata (cite?) may no longer be effective, thereby potentially
preventing such investigation to occur. For governments, this is
arguably the result of such heavy surveillance in the first place.
It is clear that knowledge such as the 2013 Snowden leaks had an impact
on the public (cite), and that people are therby more interested in
their privacy and preventing surveillance. The exception to this has
been in China, where the government has unparalleled control over the
flow of information over the internet. This has allowed the filtering
of content, prevention from accessing sites, and the blocking of the
anonymity network Tor which would allow users to circumvent measures
put in place by the government {firewall}{talbot tor china}{winter
china tor} Whether such draconian measures could even be implemented
in the more democratic West is questionable, but the opportunity
clearly exists for governments to undermine the digital privacy of its
citizens. Any such measures, however, will face scrutiny from the
media and public in Western society and thereby open software such as
Tor is used to share significant amounts of information away from the
observation of law enforcement, allowing illegal activity to occur
{gulati}.

In addition, the rate of development in unconventional computing
methods is increasing rapidly. Effective quantum computing will
mean that existing popular cryptographic algorithms such as RSA will
no longer be secure due to the potential for computations that would
take unreasonable amounts of time on classical computers to be solved
quickly (reword) such as prime factorisation on which RSA encryption
relies {lily chen quantum}. RSA encryption is currently in use for
applications such as private communications and digital signatures.
Significant research such as at IBM in recent years (cite) has shown
feasibility in current ideas surrounding quantum computing and
promising results in development towards quantum supremacy and in the
future the breakdown of current cryptographic methods.
Indeed, there
have already been claims to quantum supremacy in recent years (recent
years -- overused phrase), suggesting that quantum computers will soon
become powerful enough to start making current encryption methods
obselete. Although this will be no overnight transformation, changes
will be made by those implementing cryptography, both in the open
source space and in industry, as well as in government where
government agencies must act in order to protect their data. This
change will take place naturally and many have already started to
consider methods for `post-quantum cryptography' (cite). The
significant factor however will be regulatory responses to
post-quantum cryptographic methods.

    https://www.natlawreview.com/article/preparing-post-quantum-migration-race-to-save-internet
    https://csrc.nist.gov/Projects/post-quantum-cryptography
    https://universitypress.unisob.na.it/ojs/index.php/ejplt/article/download/1225/665
    https://universitypress.unisob.na.it/ojs/index.php/ejplt/index
    https://www.meritalk.com/articles/reps-khanna-mace-developing-quantum-computing-bill-to-secure-fed-data/ .

Once more, the significant research is occurring as aforementioned in
the US and in China {quantum research in china}. Both in the US at
Google {google supremacy nature} and in China {china quantum
advantage}{science photons quantum advantage}. 

The question must be asked as to whether the discussion of encryption
and surveillance is necessary.

Individuals around the world have clearly expressed interest in
matters of privacy and encryption (cite) and open source software
allows those with the technical skills to become involved in the
development of technology that enables strong encryption and avoids
state surveillance. Measures taken by governments to prevent this
development will doubtless be limited unless extreme actions such as
those seen in China are taken. Otherwise, development will continue to
occur in both free and non free societies in support of individual
freedoms. The assertion of `Linus' law` that "given enough eyeballs,
all bugs are shallow" (cite - CathBaz) creates a serious inability
for actors such as governments to engineer backdoors into software as
the NSA previously has (cite) or to prevent the development of
software altogether (find example). On the other hand, a significant
amount of the software and hardware 

The discussion of encryption and related technologies has arguably
limited impact. State actors such as the NSA will continue to act
against individual freedoms and attempt to find or introduce backdoors
in technology that is widely used as part of its actions purportedly
in the interest of `national security`. Although public reactions to
information such as the 2013 Edward Snowden releases have been very
strong, they have not had significant effects on legislature, the
funding received by the NSA, and quite possibly the level of
surveillance carried out by the NSA (cite all). Thus, from recent
history, discussions in public or private spheres are unlikely to
influence decisions made inside already secretive agencies where
governments are ready to except that sacrifices must be made for the
greater good. Of course, the issue arises when surveillance exists
that does not exist simply to protect a nation, but instead mass,
indiscriminate surveillance is carried out on citizens not suspected
of any criminal or terrorist activity such as the Optic Nerve
program in the United Kingdom (cite), however governments nonetheless
prove willing to fund the activities of surveillance agencies.
Furthermore, there are options available to authorities that are
regularly made use of. (Give example from Graham)

Modern cryptographic algorithms are theoretically secure; the
underlying concepts mean that breaking the encryption to
intercept a communication not possible in a reasonable amount of time
with current computational limits
and is therefore, due to the nature of the algorithm, secure. This
however, does not consider implementational flaws. Indeed,
implementational flaws are the ways in which modern breaks of
algorithms such as RSA (cite) occur, and methods such as timing
attacks (cite) and voltage level analysis attacks, as well as memory
attacks (cold boot, rubber hose ...) (do some light explaining) (cite
all) have the potential to overcome any level of sophistication that
cryptographic algorithms may have, and simply give away information
such as keys (research, cite).

The executive summary to the 9/11 Commission Report {#9/11 commission
report} describes the September 2001 terrorist attacks as 'a shock,
not a surprise'. In a similar light, the release of information
relating to mass surveillance and mishandling of data such as the 2013
Edward Snowden releases and the 2018 Facebook-Cambridge Analytica
scandal ought to also be potentially considered a shock, not a
surprise given the level of data that both governments and private
organisations have access to and responsibility for. Encryption
enables people to trust that their data that they wish to be private
truly is and allows 

.nr HY 0
.ad l
Intro
    Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008
	USA FREEDOM Act (2015)(HR 2048)

Cryptography
    https://wikiless.org/wiki/Kerckhoffs%27s_principle?lang=en
    Timing Attacks
        RSA

Spectre and Meltdown (disucss speculative execution)
    https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
    https://www.nytimes.com/2018/01/03/business/computer-flaws.html
    https://support.apple.com/en-us/HT208394
    https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/
    https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
     -- Speculative execution?

IME/Pluton -- backdoors
    https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
    https://www.techrepublic.com/article/why-the-nsa-may-not-need-backdoors/
    Disabled on new ThinkPads: https://www.theregister.com/2022/01/20/microsoft_amd_pluton_lenovo/

Heatbleed (2014) (occured in open source software)

Government
    https://rules.house.gov/bill/117/hr-4521

    https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
    https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
    https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption
    https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html
    !! https://wikiless.org/wiki/Dual_EC_DRBG
    https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220
    https://web.archive.org/web/20131223121638/http://blogs.rsa.com/news-media-2/rsa-response/
    https://www.technologyreview.com/2012/04/04/186902/how-china-blocks-the-tor-anonymity-network/
    https://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html
    Leahy Law
    DeadHand and MonsterMind

Terror
    September 2001
    2001 Anthrax attacks

Privacy
    Apple and App Tracking Transparency
    https://www.flurry.com/blog/ios-14-5-opt-in-rate-att-restricted-app-tracking-transparency-worldwide-us-daily-latest-update/
    https://www.bloomberg.com/news/articles/2021-07-14/facebook-fb-advertisers-impacted-by-apple-aapl-privacy-ios-14-changes

Quantum computing
    https://sci-hub.se/10.1007/978-3-540-88702-7_1
    https://aapt.scitation.org/doi/abs/10.1119/1.1891170
    https://ieeexplore.ieee.org/abstract/document/8490169
    https://digitalcommons.dartmouth.edu/senior_theses/23/
    https://www.sciencedirect.com/science/article/abs/pii/S1361372317300519
    https://arxiv.org/abs/1804.00200

Surveillance
    https://www.nytimes.com/2022/02/10/us/politics/cia-data-privacy.html
    https://www.eff.org/deeplinks/2022/02/we-need-answers-about-cias-mass-surveillance

crowd supply boosts open hardware: linux magazine

{firewall}