Friday, October 01, 2010

America is the new China

If you are an American citizen, you should be very frightened at the direction your government is heading. Last week's Security Now podcast talked about two different but related issues regarding privacy and censorship of the internet. Both issues involved the US government attempting to legislate away some problem that they don't know how else to solve, and in both cases the legislation will accomplish precisely nothing.

The first is COICA, the "Combating Online Infringements and Counterfeits Act". The idea of this bill is to allow the government to force particular domain names to be removed from DNS servers around the country, so if you tried to go to www.copyrightinfringer.com, your browser would fail to look up the IP address for that name and you wouldn't be able to get there. There is no due process here – the US Attorney General could have a domain name added to the blacklist (which all ISPs would be required by law to respect) without the site's operator ever getting a trial. This is obviously at the demand of the RIAA and MPAA to catch people pirating music and movies, but the bill is worded vaguely enough that the AG could take down any site he wants. As the EFF puts it, "had this law been passed five or ten years ago, YouTube may not exist today". The idea that the US government is considering censoring which web sites its citizens can visit is more than a little scary. There are millions of Americans who are thankful that they don't live in China because the internet is so heavily censored there, and now their own government is considering the same thing. The really dumb thing about this legislation is that it will make it slightly more difficult to get to web sites on the blacklist, but not impossible. All the legislation does is make the translation from name to IP address unavailable from US ISPs' resolvers; the site itself, its IP address and every other DNS server in the world are untouched. You can still get there with the IP address directly (or, where several sites share one address, with a single line in your hosts file so the browser still sends the right name to the server). I guarantee you that within hours of this bill being passed, there will be people outside the US running open DNS servers and web sites listing the IP addresses of blacklisted sites, and there will be Firefox plugins that automatically query one of those servers instead of the ISP's. There already exist legal means to take down web sites that host infringing copies. So what will this law accomplish?
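To make concrete what "delisting a name from DNS" does and does not do, here is an added example (not code from the original post) that builds a real DNS query packet, parses a reply, and simulates the workaround described above: a filtered resolver's "no such name" answer is just one resolver's opinion, and the client moves on to the next one. Every packet is constructed inside the file, so nothing touches the network; the resolver labels, the name www.example.com and the address 192.0.2.10 are placeholders from the reserved documentation ranges.

```python
"""DNS A-record lookup at the wire level (RFC 1035): added illustration,
not from the original post. Replies are constructed locally, no network."""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, txid=0x1234):
    """Standard recursive query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return transaction id, response code and any IPv4 answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4                   # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addresses}


def make_reply(query, rcode, address=None):
    """Constructed resolver reply: echoes the question, optionally one A record."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode,  # QR=1 RD=1 RA=1
                         1, 1 if address else 0, 0, 0)
    answer = b""
    if address:
        answer = (b"\xC0\x0C"         # pointer back to the name in the question
                  + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4)
                  + bytes(int(octet) for octet in address.split(".")))
    return header + query[12:] + answer


# Simulated resolvers (constructed): the ISP's filtered one denies the name
# exists, an open resolver elsewhere answers normally.
SIMULATED_RESOLVERS = [
    ("isp-filtered", lambda q: make_reply(q, RCODE_NXDOMAIN)),
    ("open-resolver", lambda q: make_reply(q, RCODE_NOERROR, "192.0.2.10")),
]


def resolve(name, resolvers=SIMULATED_RESOLVERS):
    """Ask each resolver in turn; return (which one answered, its addresses)."""
    query = build_query(name)
    expected_txid = struct.unpack(">H", query[:2])[0]
    for label, send in resolvers:
        reply = parse_response(send(query))
        if reply["txid"] != expected_txid:   # not an answer to our question
            continue
        if reply["rcode"] == RCODE_NOERROR and reply["addresses"]:
            return label, reply["addresses"]
    return None, []


if __name__ == "__main__":
    print(resolve("www.example.com"))   # ('open-resolver', ['192.0.2.10'])
```

The filtered resolver never sees anything but an ordinary query, and the client never sees anything but an ordinary NXDOMAIN; nothing in the protocol marks a name as "blocked" rather than "nonexistent", which is why a second opinion from any other server is enough. The one wrinkle worth knowing is virtual hosting: if several sites share 192.0.2.10, typing the bare address gets you the server's default site, so the practical workaround is a hosts-file entry that maps the name to the address, which keeps the browser sending the right Host header.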

The second one is even more frightening. The FBI wants the government to legislate that all cryptographic systems have back doors that the FBI can use to decrypt anything. Law enforcement agencies have been complaining for years that they can't do the internet equivalent of wiretapping because the encryption in use is unbreakable. And they're right: properly used modern encryption is unbreakable in practice, despite what you might see on TV. If something is properly encrypted with a modern algorithm, the only way to decrypt it without the key is to guess the key, trying candidates until one works (attacks on real systems almost always go around the cipher instead: a bug in the implementation, a weak password the key was derived from, or a key stolen from wherever it was stored). This is called the "brute force" method. A modern cipher uses a fixed-size key, typically 128 or 256 bits, so the number of possible keys is not infinite, but it is so large (2^128 is roughly 3.4 × 10^38) that trying them all would take every computer on Earth longer than the age of the universe. To tell whether a guess worked, the attacker has to look at the decrypted result and recognize it as something meaningful; the ciphertext itself looks like random noise, and a bare stream of it can't be distinguished from random data (it is the file headers and protocol framing around it, not the ciphertext, that usually give away that something is encrypted). It is sometimes suggested that encrypting a file twice with two different keys defeats brute force, because a correct first-key guess still decrypts to noise. That doesn't hold up: given a sample of plaintext and its ciphertext, a meet-in-the-middle attack, which encrypts forward from the plaintext under every first key and decrypts backward from the ciphertext under every second key and looks for where the two meet, recovers both keys for roughly twice the work of breaking one (plus a large table), so double encryption adds about one bit of security. It doesn't need to add more: one properly sized key is already out of reach. So when they say "unbreakable", they mean it – without the key, the data is simply inaccessible. By anyone. Ever.
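Whether encrypting a file twice buys anything is the one claim in this section that is worth checking with code. The block below is an added example, not from the original post: a meet-in-the-middle attack against double encryption. The cipher is a made-up toy with a 16-bit key (XOR with the key, multiply by an odd constant mod 2^16, rotate, two rounds), chosen only so that a full key search finishes in about a second; the attack is generic and does not rely on the toy's weaknesses. The secret keys and the sample plaintexts are constructed for the demonstration.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit cipher.
Added illustration, not from the original post; keys and plaintexts are
constructed for the demo."""
MASK = 0xFFFF
MUL = 0x9E37                       # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)    # modular inverse (Python 3.8+)
KEYSPACE = 1 << 16


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def _round(x, key):
    return _rotl(((x ^ key) * MUL) & MASK, 5)


def _unround(y, key):
    return ((_rotr(y, 5) * MUL_INV) & MASK) ^ key


def encrypt(block, key):
    """Toy 16-bit block cipher: two rounds of XOR-key, multiply, rotate."""
    return _round(_round(block, key), key)


def decrypt(block, key):
    return _unround(_unround(block, key), key)


def double_encrypt(block, k1, k2):
    """Encrypt once under k1, then again under an independent k2."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with known (plaintext, ciphertext) pairs.

    Phase 1: encrypt p0 under every k1 and index the intermediate values.
    Phase 2: decrypt c0 under every k2; an index hit is a candidate pair,
    which the remaining pairs confirm or reject. Cost is about 2 * 2^16
    cipher calls, not the 2^32 of trying every (k1, k2) combination. The
    intermediate value does look like noise, and the attacker never needs
    to recognise it: it only has to match from both sides.
    """
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(KEYSPACE):
        middle.setdefault(encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(KEYSPACE):
        for k1 in middle.get(decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


# Constructed secret keys and known plaintexts for the demonstration.
SECRET_K1, SECRET_K2 = 0x1F2D, 0x4B71
KNOWN_PAIRS = [(p, double_encrypt(p, SECRET_K1, SECRET_K2))
               for p in (0x0001, 0x2AB5, 0x7E11, 0xC0DE)]


def recover_keys():
    """Run the attack on the constructed pairs; the real keys are always in the result."""
    return meet_in_the_middle(KNOWN_PAIRS)


if __name__ == "__main__":
    candidates = recover_keys()
    print("consistent key pairs:", [(hex(a), hex(b)) for a, b in candidates])
    print("real keys found:", (SECRET_K1, SECRET_K2) in candidates)
```

Scale the numbers up and the point is the same: against double encryption with two 128-bit keys the attack needs about 2^129 cipher operations and a 2^128-entry table, which is exactly as hopeless as 2^128 operations against a single key. What protects the data is the size of one key, not the number of layers.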

I understand that this ties their hands, but I'm afraid it's too late to complain about that. This legislation is doomed to failure because strong encryption routines are already out there. Does the FBI honestly think that terrorists will continue to use Skype if they know the US government can listen in on any conversation (which they currently cannot do)? No, they'll just write their own version of Skype using the existing unbreakable algorithms. Or they'll send email and attach encrypted files. The terrorists are not going to stop using unbreakable encryption just because the government tells them to stop.

Not to mention the obvious – if all encryption has a back door that the FBI can use to break it, how long until the bad guys figure out how to use it too? A back door is just another key, and keys get leaked, stolen and reverse-engineered out of the software that has to carry them.

In my job at Sybase, I am responsible for the encryption aspects of the SQL Anywhere client and server. If this legislation goes through, we will have to:

  • immediately stop sales of our existing products in the US
  • remove the existing encryption algorithms from our products for sale in the US (we'd likely keep the existing stuff for sales outside the US)
  • obtain a specification of the new encryption algorithms that the US government will allow us to use
  • implement them, test our product with them
  • implement some kind of tool that will allow our customers to decrypt data that was encrypted with the old algorithm and re-encrypt it with the new one
  • ship the new software and politely ask our customers to stop using the software they already have and install the new stuff

This is a significant amount of work that we'll have to do in order to comply with this law, and thousands of other software and hardware companies will be similarly affected. Some, like Skype, will likely need to redesign their entire product. The only impact will be that people who were already law-abiding will know that the FBI can get into their data if it wants to. If there are any terrorists or criminals using encryption software, they just won't bother upgrading, so they'll know that the FBI cannot see their data. And none of the above even addresses the civil liberties issues with the government being able to spy on any of its citizens' private data.

Not a single terrorist or criminal is worried about these bills being passed. But American citizens should be.
