Cryptographers Fear Misguided Encryption Laws

Article By : Dylan McGrath

Tal Rabin, manager of the Cryptographic Research Group, said regulations such as GDPR and CCPA will act as a catalyst, spurring the tech industry to push out new security technologies under development.

SAN FRANCISCO — Government policies that give law enforcement the tools to access encrypted communications could represent a significant security danger at a time when keeping data private is becoming both more critical and more difficult, according to a panel of cryptographer experts gathered at the RSA Conference 2019 here.

Meanwhile, recent laws enacted to protect the privacy of user data — such as the European Union's General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA), which takes effect next year — represent necessary early attempts to compel companies to treat consumer data with utmost care, experts said.

The worlds of law enforcement and privacy advocacy are often at odds. The U.S. Federal Bureau of Investigation (FBI) and Apple engaged in a heated dispute in 2016, for example, when Apple challenged an FBI request to create software that would give the FBI access to the data on an iPhone recovered from a shooter involved in a terrorist attack in San Bernardino, Calif., which left 14 dead and 22 injured. The case was headed for a courtroom showdown before the FBI found a vendor that could unlock the phone.

While few would argue that law enforcement needs tools and technologies to keep the public safe from threat, participants in the RSA Conference annual Cryptographer's Panel here Tuesday said laws such as Australia's controversial Access Assistance Bill passed last year represent a threat to the very privacy that cryptographers and other security experts strive to protect.

"I would like to see issues of personal privacy and autonomy taken out of the hands of legislators," said Whitfield Diffie, a well-known cryptographer and security expert who appeared on the panel.

Whitfield Diffie, a well-known cryptographer and security expert, speaks at the RSA Conference Cryptographer's Panel Tuesday.

FBI Director Christopher Wray, who appeared in a separate session at the RSA Conference following the panel, said he recognized the balance that the FBI must attain with private companies that the agency relies on for much of the technology that the FBI relies on for cybersecurity.

"We are not seeking to destroy encryption," Wray said, adding that the FBI is not seeking to have back doors inserted into electronics to allow the agency a way to access encrypted data. "But we are duty bound to protect the American people. We need to come together to figure out a way to do this — there can't be a space beyond the reach of law enforcement where criminals can hide their communication."

The Dangers of Back Doors

Australia's Access Assistance Bill, which was voted into law in December, requires tech companies to provide access to encrypted data at the request of law enforcement. The law virtually assures that tech companies will have to build a back door into their encryption in order to comply, weakening the security of devices. The law also provides for heavy fines and even jail time for failure to comply. It has been criticized by numerous tech firms, including Amazon, Apple, Facebook and Google.

"Under Australia's new law, developers can go to jail for not putting back doors in," said Paul Kocher, another well-known cryptography who participated in the panel. "This is not going to end well for any of us to have this type of policy enacted in Australia or anywhere else."

On the other hand, Kocher and other panelists applauded the increased emphasis on data privacy brought by policies such as GDPR and CCPA. "We desperately need regulation here," Kocher said, adding that he expects initial laws to be messy.

"The scope of GDPR is starting to become clear," said Kocher. He added that the industry will get perspective of CCPA from California's attorney general prior to the legislation taking effect next Jan. 1. He wondered if regulations such as these will set up "an Arthur Anderson type situation" where large companies that flaunt data privacy rules will be forced out of business.

Tal Rabin, a distinguished researcher and manager of the Cryptographic Research Group at IBM Research group, said regulations such as GDPR and CCPA will act as a catalyst, spurring the tech industry to push out new security technologies under development.

Panelists also offered their thoughts on blockchain, with most saying that it is not the security silver bullet that it is often made out to be. Rabin — who earlier Tuesday received RSA's annual award for Excellence in the Field of Mathematics — described the emergence of the so-called 51% attack, which can enable hackers to gain control for a certain amount of time of the generation of a blockchain. Rabin described this type of attack as dangerous and not very expensive.

"To get control of the Bitcoin network for one hour would cost something on the order of about $250,000," she said.