Why encryption backdoors are no silver bullet for investigators

Klaus Schmeh, Consultant, cryptovision

Drug traffickers, child pornographers, rapists, and even murderers use encryption. In a recent example, San Bernardino shooter Syed Farook had encrypted the data on his iPhone. This led to a dispute between Apple and the FBI about whether Apple should support investigators in breaking the encryption with a password-cracking tool provided as a part of a manipulated iPhone operating system.

FBI Director James Comey would even like to go a step further: His goal is to establish a compulsory entry point for law enforcement in every crypto product. Such a technology is commonly referred to as a backdoor, though Comey avoids this expression; he prefers to talk about front-door access available only under defined circumstances.

While a compulsory backdoor in U.S. crypto products would certainly help my employer, Cryptovision (we are a German company), I am generally not a supporter of such a law.

Comey’s claim raises an important question: Would backdoors actually help police in solving crimes? For an RSA talk, I tried to find an answer by looking at criminal cases involving encryption. As I don’t have access to police records, I had to rely on cases that have been published in the media. After several weeks of researching, I finally assembled a list of 50 criminal cases involving some kind of computer-based encryption. The list is available online. A video of my RSA presentation is also available.

I did my best to make my RSA presentation both informative and entertaining. I was probably the only speaker at the RSA conference who used self-drawn cartoons and caricatures on his presentation slides, including a Sherlock Holmes-like cartoon of myself.

Less than half of encryption break-ins are successful 

Of the 50 cases, the majority (16 cases) involved child pornography. Another seven cases were murders, and six involved terrorism. Five cases were espionage-related. The remaining 16 cases fell into other categories. In 33 of the 50 cases, the police were not able to break or bypass the encryption. They were successful in only 11 cases, while some are unclear. This means that in most cases, the police lost. This situation is certainly a major reason why Comey started the backdoor discussion.

In all cases on my list, police obtained access to the encrypted data by confiscating a device (usually a PC or a smartphone). This came as a surprise to me. I had expected to find at least a few cases involving wiretapping or data interception. I am sure that these cases exist, but perhaps law enforcement does not wish to publicly talk about the use of such controversial methods. 

The most popular encryption tool among criminals seems to be TrueCrypt, followed by PGP and the iPhone encryption functionality. Many other encryption solutions are in use. In 25 of the 50 cases, information about the product used was not published. Obviously, law enforcement agents do not want to tell criminals which tool is suited best to baffle them. So far, criminals clearly prefer password-based encryption to smart-card solutions.

In two of the cases on my list (namely the Brittney Mills case and the Ray C. Owens case), the victim of the crime, not the suspect, held encrypted information. 

Interestingly, criminal cases involving encryption are much older than the computer age. I am aware of many criminal cases from the past 500 years in which manual encryption played a major role. I did not include these cases on my list, as they are not relevant for the backdoor discussion. Those interested should take a look at the video of a presentation I gave at an NSA conference in 2015.

This presentation covered eight criminal cases (happening between 1883 and 2015) that involved manual encryption. In all of the cases, both the crime and the encryption are unsolved. As I did not have enough pictures, I used Lego brick models to illustrate my talk. The Lego pictures shown here refer to suspected wife murderer Henry Debosnys, whose encrypted notes have remained unsolved for more than 130 years.

Reality check on encryption and police

In none of the 50 cases on my list was law enforcement able to break the encryption. However, bypassing it worked sometimes. For instance, an FBI agent downloaded the contents of an encrypted personal digital assistant that spy Robert Hanssen had left unlocked. Russian spy Anna Chapman used a piece of paper to write down her passwords, and the paper was found by the police. In the case of Canadian child porn suspect Justin Gerard Gryba, police applied a dictionary attack, which took two and a half years to complete.

Of the cases I looked at, 25 were solved without the police breaking or bypassing the encryption. In only three of the 50 cases (namely the Susan Powell case and the two aforementioned cases involving the victims using encryption) did police neither solve the crime nor get access to the encrypted data. In none of these three cases is there a guarantee that cracking the encryption would lead to solving the crime. This clearly reveals that backdoors are not a silver bullet for investigators.

Weigh in: Are encryption backdoors necessary given the age of terrorism? What do you make of the situation?

Image credit: Justin Masterson
