Debate on Exceptional Access to IT Systems by Law Enforcement
Recent developments in the field of surveillance technology for IT systems have sparked the debate on the security, legal, and ethical issues regarding government access to digital information. Some experts in this field argue that intentional backdoors and the use of vulnerabilities to create backdoors in software undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm. The expert opinions within the Dutch security cluster HSD could be of great use in furthering this discussion and finding solutions to these issues.
In their report ‘Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications’, experts from MIT argue that there are three general problems related to providing exceptional access to communications by governments: “First, providing exceptional access to communications would force a U-turn from the best practices now being deployed to make the Internet more secure. These practices include forward secrecy — where decryption keys are deleted immediately after use, so that stealing the encryption key used by a communications server would not compromise earlier or later communications. A related technique, authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify that the message has not been forged or tampered with.
Second, building in exceptional access would substantially increase system complexity. Security researchers inside and outside government agree that complexity is the enemy of security — every new feature can interact with others to create vulnerabilities. To achieve widespread exceptional access, new technology features would have to be deployed and tested with literally hundreds of thousands of developers all around the world. This is a far more complex environment than the electronic surveillance now deployed in telecommunications and Internet access services, which tend to use similar technologies and are more likely to have the resources to manage vulnerabilities that may arise from new features. Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious — making security testing difficult and less effective.
Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. Moreover, law enforcement’s stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials. Recent attacks on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many organisations rely on a single institution that itself has security vulnerabilities. In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access requirements incorrectly, the security of all of their users will be at risk.”
However, government organisations are also trying to exploit software vulnerabilities to get access to IT systems. In July this year, the Italian software developer Hacking Team, which develops espionage software that governments use to enter IT systems via software vulnerabilities, itself became the victim of a hack. The hackers obtained passwords, internal documents, source code, and email conversations. They made the stolen information public, and shortly afterwards criminals used this information to exploit vulnerabilities in the widely used Flash software. This led to serious economic damage.
It also became clear who Hacking Team’s customers are. Although Hacking Team stated at the UN that it doesn’t do business with countries that don’t respect human rights, the hack revealed that the company has, for example, worked for Sudan, which has a poor record on human rights.