Battle Fronts in the Crypto War

or, These aren’t the droids apps you are looking for…

The Chinese government has passed new anti-terror legislation, drafts of which have been criticized for months due to broad language and massive privacy concerns. This legislation is a critical move in the global Crypto War – effectively giving the Chinese what the FBI has been seeking for well over a decade: a CALEA-style law that mandates providers be able to supply law enforcement with decrypted data. This means no end-to-end encryption; this means adding backdoors (even if they are called something different, they are still backdoors).

Who is really being targeted here?

Seeing a tweet talking about it, I started to comment on the need for open-source, easy-to-use, hard-to-censor communication tools – then I realized, that’s not what this is about. They couldn’t care less about open encryption tools; this isn’t about GPG, or Tor, or any of a thousand other tools. This is about iMessage, about WhatsApp, about a small number of widely used applications that are operated as a service and are (sometimes) secure by default.

As a developer, a contributor to open source projects, there is a bit of ego involved here – I’d like to think that something I could do would be enough of a threat to their surveillance programs that they’d care. But that’s not the case, and that isn’t the case for the vast majority of people. Unless you work for one of an exceedingly small number of companies, this doesn’t target your work.

The type of people who really care about security, about hiding their tracks, will do so no matter what a government mandates – they will master the tools, they will understand the technology, they will understand the threats they face, and often go to great lengths to protect their identity. Then there’s everybody else.

The vast, and I do mean vast, majority of targets are not nearly so careful: they only use the easiest, most available tools, leak information at every step, and don’t fully understand how their enemy operates or how they would be attacked. They are paranoid about the wrong things, and blissfully ignorant of the most pressing threats.

For those that are going to put the effort into hiding, HUMINT is likely the only way they will be discovered; for the rest, all the work can be done from a desk. Some behavioral analysis (likely fairly automated), some paperwork to gain access to their data, and done. A target identified without even leaving the office.

There is a long history of law enforcement using wiretaps to get easy answers – sometimes identifying those involved, other times verifying what actually happened (there is also a long history of abuse). Law enforcement has long sought to extend this ability beyond phone systems to every form of communication, regardless of medium or method of transport. With the advent of accessible encryption, a new complication was put in place that pushed them further away from this rich source of data.

Many in government see encryption the same way: it’s great, as long as we can easily get around it.

Laws like this are aimed at the majority of people who look for easy security, and expect it from a service provider such as Apple. It’s aimed at putting them under the same rules for backdoor access that telecommunications companies are under now. It doesn’t touch those that truly care about protecting themselves, but by adding new backdoors, it does put everyone else at risk.