Don’t be fooled by Big Tech’s rhetoric about protecting your electronic devices from government snoops. From Bill Blunden at theamericanconservative.com:
The law can already get into your phone anytime. But Apple needs you to think it isn’t helping them.
In the wake of this year’s Munich Security Conference, members of the European Union are pushing back against warnings by the United States about networking gear sold by Chinese telecom giant Huawei. American officials have alleged that Huawei can covertly access its equipment through backdoors designed for law enforcement, and voiced concerns about the risk associated with installing hardware that could give the Chinese government the ability to remotely monitor or even disable other nations’ networks.
The insistence of countries like Britain and Germany on integrating technology from a police state directly into their digital infrastructure is definitely curious. But it’s not like supply chain subversion hasn’t already transpired on an industrial scale. For example, we know now, thanks to a recent Washington Post report, that during the early days of the Cold War, the Central Intelligence Agency succeeded in secretly compromising encryption technology used by over 120 different countries. For years, American spies were tapping lines and pilfering secrets from all over the globe.
Back to 2020. American officials are sounding alarms about Huawei having backdoors, though that hasn’t stopped them from supporting U.S. law enforcement getting their own access to everyone’s data whenever they want. But theirs is a “noble” cause: high-ranking members of the political establishment are warning that they won’t be able to protect us against terrorists, drug cartels, and child pornographers unless Silicon Valley allows in American security services.
The tech industry has responded by assuming a defiant stance that seems to side with user privacy. Yet history informs us that this Manichean soap opera is not always what it appears to be. Concealed behind the headlines is a choreographed routine in which executives and politicians confront each other across the table while secretly shaking hands underneath.
The “Going Dark” Narrative
At the core of the matter is encryption technology. This past summer, Attorney General William Barr complained that encryption “allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy,” such that the government’s ability to discern illegal conduct online is “going dark.” The Five Eyes intelligence alliance (consisting of the United States, the United Kingdom, Canada, Australia, and New Zealand) publicly proposed weakening cryptographic protocols so they could engage in “lawful interception” of digital communications.
Upping the ante, in December, Senator Lindsey Graham issued an ultimatum to business leaders at a Judiciary Committee hearing. He asserted that “this time next year, if you haven’t found a way that you can live with it, we will impose our will on you.” Graham has begun drafting a bill to this end.
It goes without saying that the tech industry opposes this strategy of government-imposed backdoors. That’s mainly because security boosts brand, and that in turn boosts sales. Not to mention that standing up to the big bad government provides street cred and scads of free publicity. When Barr presented his case for mandated backdoors, Facebook replied that his scheme “would be a gift to criminals, hackers and repressive regimes.” Apple likewise protested that “Backdoors can also be exploited by those who threaten our national security and the data security of our customers…encryption is vital to protecting our country and our users’ data.”
Of course, there’s something missing from this debate. Something that merits careful attention.
Strong Crypto as a Speed Bump
It just so happens that strong encryption isn’t the cure-all that it’s cracked up to be. This is an inconvenient truth that’s confirmed on a daily basis. For example, in mid-October of 2019, the Department of Justice announced the takedown of a massive online repository of child pornography. The portal resided on the dark net, leveraging both the Tor anonymity suite as well as Bitcoin to conceal the identities of its user base. Yet in spite of these countermeasures, federal agents unearthed terabytes of evidence. The ensuing crackdown led to charges against more than 300 people.
And this isn’t the first time the feds succeeded in collectively unmasking large swathes of presumably nameless users. In 2015, the Federal Bureau of Investigation launched Operation Pacifier, which used a “court-approved network investigative technique” (e.g. hacking) to track down and arrest over 350 members of yet another website that was hosting child pornography.
Suddenly the dark net doesn’t seem so dark.
The public record indicates that there’s a whole industry devoted to sidestepping device encryption, catering primarily to the intelligence community. Companies like Israel’s NSO Group have garnered substantial media attention. The NSO Group has openly boasted that “it developed a hacking tool that can break into just about any smartphone on Earth.”
Please rewind and ponder the implications of that previous sentence. Then perhaps reassess the risk associated with allegedly secure messaging software like WhatsApp or seemingly impregnable devices like the iPhone. Glenn Greenwald himself may be having second thoughts after Brazilian security services intercepted messages he exchanged with hackers.
There are countless vendors in this space, companies like Hacking Team and Gamma International whose surveillance tools have garnered media attention. Wade around in this shadowy milieu long enough and the underlying subtext becomes clear: encrypt confidential data all you want; it doesn’t matter if someone can hack your computer and make off with the data inside.
Backdoors and Backroom Deals
These spyware companies thrive because the backdoors that everyone is arguing about are already out there, wide open in the field. They exist in the form of plausibly deniable technical flaws, aka bugs. These bugs are legion because market incentives favor low costs over security. And also because industry titans like RSA have been known to secretly cooperate with spy chiefs while vocally rebuffing their agendas in the press.
During the crypto wars of the 1990s, the president of RSA proudly announced that “for almost 10 years, I’ve been going toe to toe with these people at Fort Meade. The success of this company is the worst thing that can happen to them. To them, we’re the real enemy, we’re the real target.” Pay no heed to the backdoor that they planted for the NSA.
Sound familiar? That’s the kayfabe in action. Feud in public and fraternize in private. Coquettishly wink at spies while making noise for rubes.
Apple has likewise shown a propensity for quiet cooperation. A couple of years ago, they decided against encrypted iCloud backups after the FBI balked. And when the FBI initially requested help accessing the iPhone used by one of the San Bernardino shooters, Apple was perfectly happy to help them so long as the FBI quietly submitted the request under seal. Only after the request went public did Tim Cook adopt a more antagonistic posture. For users in Russia, Apple discreetly adjusted its maps and weather apps so that Crimea appears to be a part of Russian territory.
Pity the Overworked Bureaucrat
This obviously raises a question. With the abundant supply of commercial tools and the ongoing success against dark nets, why are officials so keen to paint their investigative programs as “going dark”?
One answer pivots on the nature of bureaucracies, a world where budgets are fixed and overworked apparatchiks are under pressure from above to get results with limited resources. In a nutshell, state-sanctioned backdoors are convenient. They don’t require the resources necessary to launch and maintain an extended hacking campaign. Clandestine cyber ops can involve multiple teams of technical specialists working around the clock in conjunction with field officers and support staff. Faced with a towering case load and impatient bosses, the typical civil servant will understandably opt for whatever solution makes their job easier.
To use an analogy, why spend hours to break into a bank vault, lugging around heavy equipment and making a huge mess, when you can nonchalantly walk up and swing it open with the factory-enabled bypass combination?
Legally mandated cryptographic backdoors are the path of least resistance, a surveillance geodesic compliments of the justice system. While you can’t necessarily fault government officials for wanting to take the easy route, it’s important to recognize when they’re wielding imperfect metaphors to justify their demands. Thanks to clandestine arrangements, perpetually buggy code, and cheap gear, American security services aren’t going dark anytime soon.
Bill Blunden is an independent investigator focusing on information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.