CybersecurityBypassing encryption: “Lawful hacking” is the next frontier of law enforcement technology

By Ben Buchanan

Published 11 May 2017

The discussion about how law enforcement or government intelligence agencies might rapidly decode information someone else wants to keep secret is – or should be – shifting. One commonly proposed approach, introducing what is called a “backdoor” to the encryption algorithm itself, is now widely recognized as too risky to be worth pursuing any further. The scholarly and research community, the technology industry and Congress appear to be in agreement that weakening the encryption that in part enables information security – even if done in the name of public safety or national security – is a bad idea. Backdoors could be catastrophic, jeopardizing the security of billions of devices and critical communications. A lawful hacking approach offers a solution that appears to gain greater favor with experts than encryption backdoors. A group of scholars proposed some ways we should begin thinking about how law enforcement could hack. Agencies are already doing it, so it’s time to turn from the now-ended debate about encryption backdoors and engage in this new discussion instead.

The discussion about how law enforcement or government intelligence agencies might rapidly decode information someone else wants to keep secret is – or should be – shifting. One commonly proposed approach, introducing what is called a “backdoor” to the encryption algorithm itself, is now widely recognized as too risky to be worth pursuing any further.

The scholarly and research community, the technology industry and Congress appear to be in agreement that weakening the encryption that in part enables information security – even if done in the name of public safety or national security – is a bad idea. Backdoors could be catastrophic, jeopardizing the security of billions of devices and critical communications.

What comes next? Surely police and spy agencies will still want, or even need, information stored by criminals in encrypted forms. Without a backdoor, how might they get access to data that may help them solve – or even prevent – a crime?

The future of law enforcement and intelligence gathering efforts involving digital information is an emerging field that I and others who are exploring it sometimes call “lawful hacking.” Rather than employing a skeleton key that grants immediate access to encrypted information, government agents will have to find other technical ways – often involving malicious code – and other legal frameworks.

Decades of history
In the mid-1990s, the Clinton administration advanced a proposal called the Clipper Chip. The chip, which ultimately was doomed by its technical shortcomings, was an attempt to ensure government access to encrypted communications. After the chip’s introduction and failure, a group of cryptographers formally studied various mechanisms that might allow a trusted third party (in this case, the government) to read encrypted data in emergencies. They concluded that each approach had significant security risks.

Overall, the cryptographers’ view was that introducing this new capability into an encryption system made an already complicated process even more complex. This increased complexity made it more likely that there would be an unintentional vulnerability hidden in the encryption protocol that malicious hackers could find, gaining access to the trusted third party’s emergency system or otherwise breaking the code. The hackers could then read secret messages for their own purposes – a huge risk.