Paper: From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud
15/08/2012From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud
Abstract:
This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:
(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.
(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.
(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.
(4) The “haves” and “have-nots.” The first three changes create a new division between the “haves” and “have-nots” when it comes to government access to communications. The “have-nots” become increasingly dependent, for access to communications, on cooperation from the “have” jurisdictions.
Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.
Information:
Paper by Pete Swire – access online
Brief Discussion:
This paper discusses the effect of technical changes on likely paths for lawful access to communications information. Although none of the discussed topics are new, it is interesting to see how they are related to each other when it comes to lawful access to communications information.
The author discuss the traditional CALEA approach stating that telecommunications carriers and manufacturers of telecommunications equipment design their products and services with the intention to ensure that they could carry out a lawful order to provide government access to communications. Secondly, the impact of strong encryption mechanisms on wiretapping capabilities are discussed.
In the third chapter, the four ways for agencies to access communications information are discussed:
- Break encryption in transit: Check out the implementation flaws of SSL/TLS implementations, basic PKI issues such as establishing trust relationships in the first instance etc.
- Intercept before or after encryption: Very important – so basically we have to entities that come into the play here: a) the client and b) the server. The connection between a) and b) is encrypted but not the endpoints leading to item 4.
- Assure access in unencrypted form
- Access after the fact, in stored form, often in the Cloud:The following statement given by the author is probably not know to the broad public but seems to be straightforward:“Similarly, because Skype interconnects with the traditional telephone network, it is required to be wiretap-ready under the 2005 FCC CALEA order, and agencies have reason to come to that company for access.”
This whole section four is providing very good reasons why the key should never be stored at the CSP and therefore cloud-based solutions storing the encryption key right beside the ciphertext are somehow useless from a security perspective. However, the author also shares the opinion that proper encryption concepts will not be a big barrier for lawful access since a) there are still significant technical challenges for efficient search and retrieval of encrypted data and b) it is extremely risky for users to store data in the cloud without having a backup of the keys.
