This morning (17th Feb 2016) global headlines are discussing Apple’s move to oppose a court order issued by the US government that would require it to break into its own iPhone. This case has far-reaching consequences and is part of a wider debate on cryptography and whether consumers and businesses should have access to strong cryptography and the data protection that comes with it.
I’m going to start by explaining what is happening in the Apple case. Then we’ll discuss the wider implications and why Wordfence supports Apple’s move to oppose the order by the US government. I’ll also explain how this affects you, both in the WordPress space and in your wider business and personal activities.
Yesterday a Federal District Court judge in California issued a court order which compels Apple to develop software that will unlock an iPhone used by one of the two attackers who killed 14 people in San Bernardino, California on December 2nd of last year.
This morning Apple issued a statement expressing sympathy for the victims in the San Bernardino attack and supporting the search for justice, but making it clear that they will oppose the order. The statement explains that by developing a custom version of iOS, the iPhone operating system, as the order requests, they will be creating a master key that will allow the government to unlock all iPhones and access their data too.
According to Apple:
Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
The legal mechanism that the US government is using to compel Apple to build this backdoor is the All Writs Act of 1789. The relevant quote from the law is that it allows judges to “…issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Apple argues that this new interpretation of the All Writs Act could allow the government to:
…extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
Now let’s discuss why Wordfence supports Apple’s opposition to this order.
What the government is asking for is a backdoor into the encryption that protects the iPhone. Whether this backdoor is a key that gives them access, or a custom-built operating system that lets them gain access, is not relevant. The result is the same, and in both cases the backdoor is binary data that can be copied.
The first problem this introduces is that the backdoor will need to be protected. It will need to be stored by the US government on a secure network or system. If criminals gain access to this backdoor or the techniques it employs, or if they are able to reverse engineer it, they will gain access to all iPhones. Criminals will then have the same extraordinary access to encrypted consumer data that the US government has.
In handing a set of keys to the government, we assume two things:
- The US government is infallible. Specifically, they are able to keep all their confidential data secure all the time.
- The US government is unimpeachable. Specifically, all employees can be completely trusted.
At Wordfence, we have the greatest respect for the work that many in government and in public service do. This includes the intelligence community, where we have friends who make extraordinary sacrifices to work in those roles. But we think it’s fair to acknowledge that our government and its people are human and therefore can make mistakes.
This problem affects most companies in the same way, but to illustrate, we will use ourselves as an example. Wordfence uses strong encryption to protect your data. Specifically we use public key cryptography along with symmetric cryptography to encrypt sensitive data as it moves across the network. In order to keep that data secure, we need to keep our private keys secure. That’s our job and our responsibility.
If we were to create a backdoor into that encryption, we would be trusting that the holder of that backdoor is able to keep it secure. That creates a big problem for us as a practical matter. Right now we have a limited number of entry points, or “endpoints” in security speak, that we need to protect.
If we hand a new set of keys to the government, we suddenly have to protect a huge number of new endpoints in order to protect those keys. If those endpoints are on a US government network, classified or not, the number of endpoints that must be secured to keep our data secure would probably expand into the tens or hundreds of thousands.
We would have no visibility into those endpoints because they would all be ‘classified’. We have no access to audit the government’s network. We simply have to trust that they are infallible and unimpeachable.
Introducing a backdoor into our own cryptography, along with the keys for that backdoor, has the effect of massively expanding the number of endpoints that need to be protected to protect our network and our customers.
This problem extends in a similar way to other companies who use cryptography to protect your data. It also affects consumer devices and software like web browsers and the secure connection they currently enjoy with web servers.
The effect of this on WordPress publishers is that they, or their vendors, may be compelled to provide backdoors into the cryptography that protects their customer or website data. They may also be forced to provide a backdoor into the secure connection between a visitor’s web browser and their website. The problems this introduces are:
- The size of the network that needs to be protected to protect your customer data is suddenly much larger.
- If the backdoor is compromised, your customer data and website data is compromised.
- You now have the responsibility of protecting a much larger attack surface, behind which are the private keys to your network, and you have no visibility into that network or the ability to audit its security.
I’d like to make three more points that relate to this argument:
Even if you create backdoors into encrypted data used by consumers and businesses, it is a mathematical reality that a bad guy, or terrorist in this case, can write their own encryption software that is unbreakable and has no backdoor. It is relatively easy to write an application that provides unbreakable encryption to a criminal or terrorist – the algorithms are open source. If backdoors are mandated by governments, then the only people with secure encryption will be the very people you are trying to surveil.
It is possible to perform effective surveillance without backdoors. Tor is an anonymity network and browser that hides the identities of users by using strong encryption. Using a timing attack (also called end-to-end correlation), an observer can confirm a Tor user’s identity simply by monitoring the network, without being able to break Tor’s encryption. This is an example of using metadata for surveillance rather than decrypted data. Not having access to a backdoor does not prevent the intelligence services from doing their job.
Finally, as Alex Stamos, Facebook’s Chief Security Officer, asked Admiral Rogers (Director of the NSA) at a security conference last year: If we give the US government a backdoor into encrypted data, should we give other governments that same access? How do we justify giving the United States extraordinary access if we do business in France and don’t give the French government the same access? The result of granting the US government a backdoor could well be that all governments require that same access if you do business in their jurisdiction.
Framing this debate as leaving “no stone unturned as we gather as much information and evidence as possible,” as US Attorney Eileen M. Decker said, does not fully capture the complexity of this debate and the cost of granting extraordinary access to systems and cryptography. Granting that extraordinary access runs the risk of leaving us less secure while criminals remain free to use strong, unbreakable encryption.
For this reason, Wordfence supports Apple in their move to oppose the court order to create a backdoor into their smartphones.