USENIX Enigma 2016 – The Global Conversation on Encryption


STEPANOVICH: All right,
hey, everybody. Thank you so much
for having me here today and for sticking
out the entire conference to hear what I have to say. I am really grateful
to be here today because it means I am not
back in Washington, DC, under many feet of snow, so I doubly thank you for that. My name is Amie Stepanovich. I am a US Policy Manager
at Access Now. My contact information
is on the screen behind me. It will come up again
at the end. If you have any questions
and you don’t get to ask them today, please
feel free to reach out, and I will try
to get back with you. So, just to digress for a second
before we start, Access Now is a global nonprofit
civil-society organization. Our mission is to defend
and extend the rights of users at risk around the world. What that means is
that my colleagues and I at six different
offices globally and several satellite
presences work — do a three-pronged method
to solve the problems of the users
who are most at risk, which we’ve heard
quite a bit about, namely from Morgan and Eva
a little bit earlier. So, we do this through
technology solutions, policy solutions,
and advocacy work. That means that we’re in a lot
of conversations with high-ranking
government officials and corporate executives about how laws and policies are going to impact
the human rights abusers. We also run a 24-hour-a-day, 7-day-a-week digital
security help line where activists and journalists
can e-mail into us and have technologists answer some of the questions
about the threats that they are facing
in their everyday work on the ground. So, I’m gonna tell you today a few crypto stories
to tell in the dark, and my first story is maybe
a little more of a parable than a story. It’s about Juniper Networks.
So, last year, late last year,
it was revealed — Juniper revealed that
there were two vulnerabilities in one of their software suites. One of the vulnerabilities was
the result of Dual EC — the use of a random-number
generator called Dual EC. This is really important. NIST — the National Institute
for Standards and Technology, in 2013, had actually
recommended against the continued use
of Dual EC. They had generated the standard. They said
that it could be engineered to allow for a back door. So, the technical questions about why Juniper still
decided to use Dual EC, about how they implemented it,
there are extensive — A lot of minds
that are much more technically inclined
than mine is as a lawyer and a policy analyst
have dove into this. If you’re interested in that,
I suggest you look it up. But the result — the result of that vulnerability was that any information that was sent over VPN that
used the vulnerability that was collected
by other government or a malicious actor
could now be decrypted. And so we’ll get into the causes
a little bit later, but the moral
of the story is that security is really,
really insanely hard. I heard Jan say
earlier no product ships without a vulnerability. The security game
is stacked against us. We only need to have
one vulnerability for a bad actor
to take advantage. Those of us playing defense, we have to get everything
exactly right, and that’s really difficult when you’re trying
to get it exactly right. When you’re being forced
to put in vulnerabilities, you’re much more at risk
of putting the users that are going
to use your products in a really bad situation. Encryption is basically,
for those of you who don’t know, the math that protects
our digital information. It’s sometimes demonized
in the media as something the terrorists use
or something for bad people, but really,
if you’re using encryption, it might mean that
you just have an iPhone, or that you do online banking, or that you’re using WhatsApp
and you have a WhatsApp account. Quick show of hands,
does anybody in here think that they do not use encryption
on a daily basis? Anybody? I’m seeing
absolutely zero hands. Yes, you are probably all right. You do use encryption
every single day. In fact, recently,
in a really great report by some of the top
cryptographers of our time, it was said
that to undermine encryption would be to force a U-turn in the best practices,
the security best practices. It would add
much more complexity to security systems, and it would create
a huge target for bad actors to go after. Encryption also
protects human rights. In a wonderful, groundbreaking,
miraculous report that was released
last year by David Kaye, who, for those of you
who don’t know, is the United Nations
Special Rapporteur for Freedom of Expression, he explained at length how encryption software
and software that supports anonymity
are actually absolutely vital to the exercise of freedom
of speech, and by extension, to the exercise
of your privacy rights. Encryption and human rights are
just inexplicably intertwined. To relate this to the people
at the ground level, encryption means that people, LGBT activists
in the Middle East and North Africa,
the MENA region, can protect themselves
against government persecution. By contrast,
a couple years ago or a year ago,
a citizen activist in Mexico who had been
tweeting about cartel — drug cartel activity was actually murdered
when her phone was compromised and the cartels were able
to link her specifically to an account they had put
a hit out on. So, crypto, encryption, especially
really strong encryption, enabled by default, we found is necessary
to ensure the continued safety for the users
who are most at risk. But the problem is is that
this all gets really complicated when governments
start getting involved. Governments want access to data.
Now, that could be different depending on the government
that we’re talking about. Some governments want mass
access to all of your data. Some only want it
in certain investigations in a targeted manner.
Some want both. Some governments
put in place more due process procedures or more privacy protections
against getting your data. But no matter what,
all governments want some form
of access to data. And this means that encryption
is getting in their way, because the strongest types of encryption,
end-to-end encryption — or what I like to call
end-to-end encryption, which is real
end-to-end encryption — and device encryption
sometimes is designed in a way that doesn’t allow
law enforcement to get the access
that they want. So in that sense,
they say they are going “dark.” Many of you might have heard
the term from people in the US government specifically saying
that they are going dark. And what does that mean? It means that they have — much like I am
right now on this stage — been staring in the digital
transition from paper to digital at a supernova of data, this huge,
bright, wonderful, beaming circle of data
that we are all generating. No matter what website we visit, no matter
what store we go to, we’re creating data
all the time in a way that we have never
in the history of mankind created data before. And encryption is starting to turn that down just
ever so slightly. They’re putting a little,
tiny, black spot in this supernova of data. And only certain types of data. Let’s remember
that metadata is not necessarily
encryptable at this moment, or at least not
easily encryptable, although we can obfuscate it. And so it really is
only certain types of data and we’re only turning it down
ever so slightly. But this is a problem
for law enforcement. To combat this,
governments have gotten really inventive
at coming up with ways in order to fight encryption. The first one
and probably the most extreme is by outright banning
the use of encryption. Alternatively, they have limited
the exports of certain types or strengths of encryption,
most famously in the US. In fact, export controls
on encryption going into the ’90s
are largely believed to be responsible
for the FREAK bug that was uncovered
in early 2015. Other ways that they do this are
through the insertion, the mandatory insertion
of back doors or golden keys
or vulnerabilities, whatever you really
want to call them, or through key escrow systems that create large,
bright, glowing targets for bad actors
to go after. Getting back
to the Dual EC conversation we had at the beginning, governments can also go
after encryption standards. So, the reason
that Dual EC has this weird vulnerability
piece to it, largely believed, is because the NSA
made it happen. NIST, again, the agency that created Dual EC
is required by US law to consult with the NSA and their amazing array
of cryptographers when they create
encryption standards. And this was envisioned as a way to make sure that we had
the best standards. But NSA really wants to be able to continue
conducting surveillance, so they don’t want
a standard to be so great that they can’t get past it. And this is a problem
when you house the lock breakers in the same house
or in, figuratively, the same house
as the lock makers. Eventually, one of the missions
is going to win out. Finally, a lot
of these different things can be implemented
not necessarily through mandate, but through
pressuring companies, and you would have had
to be living in a box or maybe an igloo
in Washington, DC, to have missed this playing out
in real time right now. Has anybody seen a headline
or a news story over the past month
or so linking encryption to the terrorist attacks
in San Bernardino or in Paris? Anybody?
It’s about half of you. So, law enforcement
is increasingly tying — or people in law enforcement,
people in Congress, people all over the world are increasingly
tying encryption to bad actors
and to violent attacks and to loss of life. And they are doing this in order
to pressure companies to stop using certain types
of encryption that they feel like
they cannot get around. Which brings me
to the central point of this talk — the UK
wants to own the Internet. Late last year,
the United Kingdom put out a draft
Investigatory Powers bill, or IP bill,
as we call them in DC, because in DC, we love acronyms. The bill is largely intended to replace all existing
surveillance law in the UK and to upgrade that law for the modern age,
which, in regular terms, means to expand it and give them
a lot more authority. One of the provisions —
there are a lot of troubling provisions
in this law. It’s not a wonderful law. In fact, Access Now, other organizations like the
Electronic Frontier Foundation, have filed comments with multiple different committees
in the United Kingdom. Companies
like Apple and Google have also filed comments saying
all of the different ways that this law
violates human rights and will make
security less robust. But one
of the provisions is basically saying that the Secretary
of State in the UK can order that companies build systems
or change systems in a way to allow for continued access. Which is bad
in its own right. If this system is allowed to go
into place, the Secretary of State in the UK can effectively prevent the use
of end-to-end encryption or device encryption. And it’s all the more
complicated because it comes with an extraterritoriality
provision, which is a really long word
for saying that it’s not only going
to apply to companies in the UK, but any company
that touches the UK. And on the Internet,
that kind of means everybody. Because you can’t really
stop touching the UK when you’re conducting
an online business. And, so,
this basically means the UK is trying to find a way
to impose their values and their morae
on the entire world. And this takes us down
a really dark path. It gives companies effectively
only three options on how to deal with this. They can create a hybrid service
that serves only the UK, which means
they have to create and update
an entirely additional service to the one they supply
to the rest of the world. They can pull out of the UK altogether and try
to geographically block their service
from showing up there. Or they can undermine
the security that they are trying
to build into their system and create one weaker service
that they supply to everybody. This is not an easy choice,
and we’re going to find that most companies really
can only afford option three, because it’s
the cheapest, easiest way to comply with these laws. That means that
they’re not going to be able to compete on security
the way that we are finding that companies have really
started to compete on security. And they’re going
to have to really fall behind the larger companies that are already cementing
their place at the top and might be able
to afford option one and be able to build out
an entirely second service to serve some of
these customers in the UK. In fact, we already saw
at the end of last year a study by “USA Today” that said
that only five companies take in 70% of the revenue
on the Internet — five companies. And, so,
if you look at clauses like this that are going
to require people put a lot more money
into security, it may only cement
that path and harm users by limiting choice. And this is not only a story
in the UK. Late last year,
a few other stories. We saw China pass a law that effectively prohibited
end-to-end encryption. They wrote it in and they passed
that law in December. The fine for companies that commit serious violations
of this law — so, build a system that will not be
able to turn over data — have no maximum financial limit. So China can impose
any amount of fine that they want
to against companies that do not obey this law. Also, last year,
Kazakhstan decided to require users — all end users — to install what they call
“National Security Certificates” on their computers. This is a really fancy way
of saying we’re going to require you to install a vulnerability
right on your laptop. Supposedly, that is to allow for
telecoms in Kazakhstan to decrypt otherwise
encrypted communications. This is a policy
that one telecom actually published on its website before “The New York Times”
went in and started fishing around
and asking questions, and then the telecom
took it down. And, so, we really don’t know
exactly the status of this policy right now, but we know
that this was in place the last time
anybody could check. We talked a little about what
the UK is going to do this year. We’re expecting the IP bill to be formally introduced
sometime soon. We’re also going to see, likely
this year, action in India. Last year, India put into place a policy on encryption
that was so bad and created such an outroar that they had to withdraw it
the same day they published it. The policy allowed for the use
of encryption — please go forth
and use encryption, you can store information
in an encrypted way — but it required that companies
store the plaintext of that encrypted information right alongside
the encrypted text. This is absolutely absurd. So, the Indian government
finally recognized that it was absurd
a few hours after they published it
and they withdrew the policy, but we’re expecting
their next encryption policy to be published sometime soon. Other countries
are likely going to follow. We could see things
from Australia or France. Those are areas
that we’re watching. And other countries
really like to use the political cover
provided by countries that they look up to
to pass bad laws. We’ve seen this before
with data retention. We’ve seen it with a lot
of other issues. So countries
really could slide in and try to implement
bad provisions just by looking
at other countries talking about this. And, of course, in the US,
we have heard this all before over and over
and over again from the export controls debates I talked about from the ’70s
to the ’90s, the debates over the Clipper Chip
in the 1990s, where we learned, once
and for all, we hoped, that there is no such thing as a “secure back door,” into the going
dark debates today. And, finally, I think
the activists, the advocates, the policy experts,
the cryptographers, and everybody else who agreed
that the US government needed to shut up
said that we have had enough. Access Now, along with EFF
and some many dozen of other organizations
and companies filed a petition
with the US government last year at savecrypto.org. That petition very quickly
reached and surpassed the requisite 100,000 signatures needed to compel an answer
from the U.S. government and get them to put into place some policy on the record,
and we are awaiting for that policy
to be put into place. The official word right now is
they will not seek mandates at this time. “At this time”
being the key words. And that hasn’t been said
by the administration. It has been said
for the administration in “The New York Times”
and “The Washington Post.” So far, we’ve gotten
two interim responses to that petition
from the government asking for more information, asking people to supply
more examples or information about how they use encryption, but we haven’t really had
a final, real response. And so we’re pushing
for something strong. Because every different mandate,
every different hole, every different vulnerability,
every different law puts another hole
in the Internet ecosystem, puts another hole
in our security. And I fear that with
too many holes, the system is going
to collapse on itself. And so we need a leader.
We need a strong, global leader that will step in and try to take us forward
toward a more secure Internet and not a weak Internet
that we can’t trust. So, I want to leave you with a little bit
of hope and positivity, because this has been
fairly negative and it’s been a day
of a lot of scary things. And, so, I do think that
there is hope on the horizon. Earlier this month, Access Now, with over 200
other organizations, companies, experts,
launched SecureTheInternet.org, which is really simple. It’s five tenets that we think have
to guide governments when they create
laws or policies on the issue of encryption. Things like, “You cannot
undermine encryption. You cannot require back doors
to be built.” In the very short time
this website has been active, we’ve already had
thousands of people sign the letter and add their support to it. We’ve had it sent to the US
government, to the Australian government. We hope soon to send it to the California state
government because they’re also proposing
some really bad laws to put into place
that would basically prevent sale of an iPhone
in this great state. And governments are responding. Governments are responding
in a positive way also. On the screen
behind me is a statement from the government
of the Netherlands, where they actually
issued a report saying that encryption was vital
to the Internet economy, it’s vital to security, a really strong,
positive statement on the use of encryption. We also saw an amendment
in France knocked down, but not yet out, that would have been harmful
to the use of encryption. And we’re seeing, all over
the world, people come together and really rise up
against bad laws. Eva and Morgan
also talked about RightsCon at the end of March,
beginning of April, back here in San Francisco. In conjunction
with RightsCon, we will be holding
the second Crypto Summit. And, so, right now, if you go
to the Crypto Summit website, you can see the schedule
for that event, and you can supply some comments on some of the things
that we’re hoping, praying that the conversation
can move on to, that we can get past this idea
that there can be a secure back door, and we can
start talking about other things
that governments are trying to do
to undermine user security, things like government hacking, so-called “equipment
interference,” in government parlance, and that we can move together, all of us together,
toward a really good, happy ending to this otherwise
really scary story. [ Applause ]
