The global encryption war begins
By Ajith Ram April 27, 2016
- Battle between FBI and Apple was just the start
- Malaysian Government yet to define its stance
WE recently witnessed the opening salvoes of a new war. In fact, the first battle has already been fought and both sides withdrew without any clear victor. This is a war between the tech industry and the governments of the world.
Like the First World War, it started with a single incident which in the decades to come might be seen as a major turning point in the history of the tech industry.
To recap the very first battle of this new war, a US federal court had ordered Apple to create a tool that would bypass security in Apple’s software. This tool would have allowed the US Federal Bureau of Investigation (FBI) to mount a brute force hack on the iPhone owned by terrorist Syed Rizwan Farook, from San Bernardino, California.
Apple vehemently opposed this, arguing it would create a permanently open backdoor for the US Government and other non-state hackers. Just as things were about to get a bit more interesting and a higher court was scheduled to hear Apple’s appeal, the FBI backed off, claiming that it had found a way to break into the device.
According to later reports, the FBI had paid more than a million dollars to a group of hackers to crack Apple’s software.
If it could be done so easily by a group of freelance hackers, why couldn’t the FBI – with all the resources at its disposal – do so directly?
The answer is obvious. The US Government and many other governments are itching for a fight with the tech industry on the subject of encryption. And this is not even the first time that this situation has risen.
Back to the future
Until 1992, the export of encryption technology and devices containing the technology was severely restricted by US law. Due to ceaseless campaigning by the tech industry, it started being eased after that in a gradual manner.
Modern encryption algorithms use a ‘key’ to encrypt and decrypt messages by turning text and data into digital nonsense and then restoring them to their original form. The longer the key, the more computing power required to crack the code.
In order to decrypt by brute force, every possible combination of the key will need to be tried. An eight-bit key has 256 possible values. But a 56-bit key creates 72 quadrillion possible combinations.
Until 1996, the US Government considered anything stronger than 40-bit encryption as a ‘munition’ and its export, therefore, was illegal. The US Government now allows the export of 56-bit encryption, with some restrictions.
But the problem is that 128-bit encryption is now becoming the global standard. If the key is 128 bits long, a brute force attack would be 4.7 sextillion (4,700,000,000,000,000,000,000) times more difficult than cracking a 56-bit key.
These days, a 56-bit key is considered crackable. This is also probably the reason why the United States now allows the export of 56-bit encryption algorithms.
But according to hackers, even 128-bit encryption can be cracked via the brute force method. Thanks to the dramatic increase in computing power achieved via GPGPU computing, given enough time, even 128-bit encryption can be cracked.
Why a courtroom?
So why did the FBI choose to drag Apple into an open courtroom brawl if even 128-bit encryption can be broken?
There are two major reasons for this.
Firstly, it takes time to crack any type of encryption. And for most security agencies, time is a luxury they cannot afford. For instance, according to the Manhattan District Attorney, there are at least 175 iPhones in pending criminal cases which require unlocking.
Instead of trying to crack the password of every phone in such cases on an individual basis, it is much easier to have a permanently open backdoor for all government agencies.
Thanks to Edward Snowden, everyone is now aware of the US Government’s snooping capabilities. After those revelations, Apple and the other tech companies have been steadily improving the privacy features on their devices and operating systems.
This has led to a digital arms race between the security agencies and the tech companies – an arms race which the security agencies are likely to lose. So instead of fighting a war which it cannot win, the FBI seems to have chosen a battlefield over which it has more influence – the courtroom.
Secondly, the courtroom saga is more than about just one accused terrorist’s iPhone or the strength of its encryption. It is all about bringing the entire tech industry to heel and setting a legal precedent which would absolutely require the tech industry to help US government agencies.
An expanding problem
From the perspective of the US Government, the privacy bug that has afflicted the tech industry, post-Snowden, is a highly infectious one. Immediately after FBI’s withdrawal of the lawsuit against Apple, Facebook announced that its popular mobile messaging app, Whatsapp, will now include end-to-end encryption.
Other app providers and tech companies are likely to follow suit – a real nightmare for the official snoopers. In a hypothetical future, even if FBI wins in the courtroom against Apple, it does not automatically give it access to every single app on an Apple device which uses encryption. Or all the apps on all devices.
This situation gets exacerbated if some of the app developers are based outside the United States in regions where the country’s courts have no standing. For instance, WeChat, another popular mobile app, is owned by a Chinese company. It is hardly going to tremble at the proclamation of an American court.
The war begins
But this does not mean that the US Government is about to give up – far from it.
As a prelude to the next battle, there is a new law currently under discussion in the US Congress that would allow federal courts order tech companies to provide decrypted data to law enforcement. Even if it does not become law, the proposed bill still speaks loudly of the US Government’s intentions.
Since 2014, the FBI’s Going Dark Initiative has been asking for legal backdoors into software and devices. Even before that, in 1997, then FBI director Louis Freeh said, “Law enforcement is in unanimous agreement that the widespread use of robust non-key recovery encryption ultimately will devastate our ability to fight crime and prevent terrorism.
“Uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes.”
With such a historical track record of campaigning against encryption, the FBI and the US Government are hardly going to back down now.
Not just the US
The encryption debate is raging not just in the United States. Across the Atlantic, the UK Parliament is considering a bill with the innocuous title, Investigatory Powers Bill.
Its critics have dubbed it the ‘Snoopers’ Charter’. In addition to a requirement for Internet service providers (ISPs) to keep data for a year, including all websites visited by their customers, the bill gives sweeping powers to UK security agencies to hack anyone’s computers, including those of journalists and their sources.
In some ways, this pending British legislation goes even further than its American counterpart. Along with removing the right to privacy, it enshrines the government’s omnipotence in law.
The Malaysian view
According Cybersecurity Malaysia chief executive officer Dr Amirudin Abdul Wahab (pic above), there is no definite procedure at the moment to guarantee both privacy and public security. Currently in Malaysia, there is no policy either to encourage or prevent private data encryption. It is up to the users or data owners to handle or manage their private data.
Dr Amirudin does point out that although Malaysia guarantees privacy rights and the right to freedom of expression; these guarantees are not absolute.
The freedom to use cryptography could be limited by future Malaysian law. Under certain circumstances, he says, invasions of privacy are necessary to safeguard national security. The same principle would apply to encrypted information when legal access to the keys is required for the purpose of assisting the investigation.
In a strange way, Syed Rizwan Farook, the San Bernardino terrorist, may have done the global public a great favour. Thanks to his use of a password in his iPhone 5C, the public now has a much greater awareness of encryption and the attempts by governments to bypass it.
The looming encryption war is certain to have proponents on both sides of the debate.
Encryption genie is out of the bottle: Ex-NSA director
Apple vs FBI: What you need to know
Snowden Revelations a blessing, trust needs to be built: Microsoft
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.