Australian Privacy Principles and encryption

September 10, 2013 |

Australian Privacy Principle 11 requires an organisation or agency to “..take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure. Encryption has been one of the key means of protecting data, both in situ and, especially, in transit to another location.

In the Privacy Commissioner’s guidelines to data security he defines encryption as

Encryption
Encryption is when information is converted into a form that cannot be easily understood by unauthorised individuals or entities. Decryption is the process of converting encrypted data back into its original form, so it can be understood. In order to easily recover the contents of encrypted information, the correct decryption key is required. Encryption methods should be reviewed regularly to ensure they continue to be relevant.
• What encryption methods are used by the entity? Has the entity considered whether it should employ encryption of:
o Portable devices?
o Email communications?
o Databases used to store personal information?
o Communication between internal information systems?
o Hard drives?
o Information stored over a network, such as the Internet or an entity’s internal
network, which has servers at a remote location?
• How are decryption keys managed by the entity?
• Does the entity use a securely encrypted webpage for individuals who carry out transactions with the entity’s website, such as making payments which also involve individuals providing their banking information?
In the context of workplace policies the the Privacy Commissioner specifically refers to encryption as a means of protection, stating:
Workplace policies
Privacy protections have the best chance of being effective if they are integrated into workplace policies. Policies should be regularly monitored and reviewed to ensure that they are effective.
Guide to information security: ‘reasonable steps’ to protect personal information Office of the Australian Information Commissioner
Information security, including appropriate handling of personal information, may be addressed in a single policy document or in a number of separate documents.
Additionally, entities should ensure that staff are trained regarding their responsibilities.
Are there clear polices governing the use of portable/mobile devices, use of staff’s
own devices (known as bring your own device (BYOD)), and procedures for taking
work home?
o Are there minimum standards for security of portable devices (eg password protection, encryption)?
o Are staff members educated about the risks of accessing or handling the entity’s data on unauthorised/insecure devices such as BYODs?
o If it is necessary to take personal information off the entity’s premises, what steps does the entity take to ensure the security of personal information that is removed?
o Is confidential business information segregated from personal user information?
What is becoming clear from recent reportage is that encryption is not as effective as once thought.  The Guardian in Revealed: how US and UK spy agencies defeat internet privacy and security   sets out in detail how intelligence agencies have cracked on line encryption codes. See also an article in the Conversation on the related subject Another NSA entry point – and this time, it’s your smartphone. As a first step an organisation can rely upon guidelines issued by the Privacy Commissioner as the appropriate standard to implement data security protocols and instal programs.  However what should an organisation do when knowledge about weaknesses in data security become ubiquitous.  Is relying on a guideline sufficient if specific and accurate information about weaknesses in an organisations data security is inadequate.  It may not be sufficient to simply say data is encrypted if that encryption has been cracked by a governmental organisation and, most importantly, can be cracked by hackers.  This will be a live issue for privacy practitioners and something organisations who have a need for sophisticated data security to be aware of.
The Guardian article provides:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

The files, from both the NSA and GCHQ, were obtained by the Guardian, and the details are being published today in partnership with the New York Times and ProPublica. They reveal:

• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made “vast amounts” of data collected through internet cable taps newly “exploitable”.

• The NSA spends $250m a year on a program which, among other goals, works with technology companies to “covertly influence” their product designs.

• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: “Do not ask about or speculate on sources or methods.”

• The NSA describes strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”.

• A GCHQ team has been working to develop ways into encrypted traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook.

NSA diagramThis network diagram, from a GCHQ pilot program, shows how the agency proposed a system to identify encrypted traffic from its internet cable-tapping programs and decrypt what it could in near-real time.

The agencies insist that the ability to defeat encryption is vital to their core missions of counter-terrorism and foreign intelligence gathering.

But security experts accused them of attacking the internet itself and the privacy of all users. “Cryptography forms the basis for trust online,” said Bruce Schneier, an encryption specialist and fellow at Harvard’s Berkman Center for Internet and Society. “By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.” Classified briefings between the agencies celebrate their success at “defeating network security and privacy”.

“For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies,” stated a 2010 GCHQ document. “Vast amounts of encrypted internet data which have up till now been discarded are now exploitable.”

An internal agency memo noted that among British analysts shown a presentation on the NSA’s progress: “Those not already briefed were gobsmacked!”

The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor “large amounts” of data flowing through the world’s fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.

The key component of the NSA’s battle against encryption, its collaboration with technology companies, is detailed in the US intelligence community’s top-secret 2013 budget request under the heading “Sigint [signals intelligence] enabling”.

NSA Bullrun 1Classified briefings between the NSA and GCHQ celebrate their success at ‘defeating network security and privacy’.

Funding for the program – $254.9m for this year – dwarfs that of the Prism program, which operates at a cost of $20m a year, according to previous NSA documents. Since 2011, the total spending on Sigint enabling has topped $800m. The program “actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs”, the document states. None of the companies involved in such partnerships are named; these details are guarded by still higher levels of classification.

Among other things, the program is designed to “insert vulnerabilities into commercial encryption systems”. These would be known to the NSA, but to no one else, including ordinary customers, who are tellingly referred to in the document as “adversaries”.

“These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems’ security remains intact.”

The document sets out in clear terms the program’s broad aims, including making commercial encryption software “more tractable” to NSA attacks by “shaping” the worldwide marketplace and continuing efforts to break into the encryption used by the next generation of 4G phones.

Among the specific accomplishments for 2013, the NSA expects the program to obtain access to “data flowing through a hub for a major communications provider” and to a “major internet peer-to-peer voice and text communications system”.

Technology companies maintain that they work with the intelligence agencies only when legally compelled to do so. The Guardian has previously reported that Microsoft co-operated with the NSA to circumvent encryption on the Outlook.com email and chat services. The company insisted that it was obliged to comply with “existing or future lawful demands” when designing its products.

The documents show that the agency has already achieved another of the goals laid out in the budget request: to influence the international standards upon which encryption systems rely.

Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

“Eventually, NSA became the sole editor,” the document states.

The NSA’s codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier.

A classification guide for NSA employees and contractors on Bullrun outlines in broad terms its goals.

“Project Bullrun deals with NSA’s abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive.” The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

The document also shows that the NSA’s Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.

It is used by the NSA to “to leverage sensitive, co-operative relationships with specific industry partners” to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret “at a minimum”.

A more general NSA classification guide reveals more detail on the agency’s deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices “to make them exploitable”, and that NSA “obtains cryptographic details of commercial cryptographic information security systems through industry relationships”.

The agencies have not yet cracked all encryption technologies, however, the documents suggest. Snowden appeared to confirm this during a live Q&A with Guardian readers in June. “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on,” he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

The documents are scattered with warnings over the importance of maintaining absolute secrecy around decryption capabilities.

NSA Bullrun 2A slide showing that the secrecy of the agencies’ capabilities against encryption is closely guarded.

Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: “Do not ask about or speculate on sources or methods underpinning Bullrun.” This informaton was so closely guarded, according to one document, that even those with access to aspects of the program were warned: “There will be no ‘need to know’.”

The agencies were supposed to be “selective in which contractors are given exposure to this information”, but it was ultimately seen by Snowden, one of 850,000 people in the US with top-secret clearance.A 2009 GCHQ document spells out the significant potential consequences of any leaks, including “damage to industry relationships”.

“Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability,” intelligence workers were told. Somewhat less important to GCHQ was the public’s trust which was marked as a moderate risk, the document stated.

“Some exploitable products are used by the general public; some exploitable weaknesses are well known eg possibility of recovering poorly chosen passwords,” it said. “Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters.”

The decryption effort is particularly important to GCHQ. Its strategic advantage from its Tempora program – direct taps on transatlantic fibre-optic cables of major telecommunications corporations – was in danger of eroding as more and more big internet companies encrypted their traffic, responding to customer demands for guaranteed privacy.

Without attention, the 2010 GCHQ document warned, the UK’s “Sigint utility will degrade as information flows changes, new applications are developed (and deployed) at pace and widespread encryption becomes more commonplace.” Documents show that Edgehill’s initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.

Another program, codenamed Cheesy Name, was aimed at singling out encryption keys, known as ‘certificates’, that might be vulnerable to being cracked by GCHQ supercomputers.

Analysts on the Edgehill project were working on ways into the networks of major webmail providers as part of the decryption project. A quarterly update from 2012 notes the project’s team “continue to work on understanding” the big four communication providers, named in the document as Hotmail, Google, Yahoo and Facebook, adding “work has predominantly been focused this quarter on Google due to new access opportunities being developed”.

To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for “human intelligence” refers to information gleaned directly from sources or undercover agents.

This GCHQ team was, according to an internal document, “responsible for identifying, recruiting and running covert agents in the global telecommunications industry.”

“This enables GCHQ to tackle some of its most challenging targets,” the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn.

“Backdoors are fundamentally in conflict with good security,” said Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union. “Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise.” This is because the insertion of backdoors in a software product, particularly those that can be used to obtain unencrypted user communications or data, significantly increases the difficulty of designing a secure product.”

This was a view echoed in a recent paper by Stephanie Pell, a former prosecutor at the US Department of Justice and non-resident fellow at the Center for Internet and Security at Stanford Law School.

“[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users,” she states.

Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.

The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide.

Zdnet in In light of the NSA, how to think about encryption undertakes a good overview of the policy and practical issues with encryption.  The unfortunate reality is that government security agencies have an interest and the power, untrammelled or not, to decrypt information.  The Australian experience is highlighted in and Age article, Whistleblower reveals Australia’s spy agency has access to internet codes.  Zdnet is sanguine about the issue.  The rationale is if you are not doing much to interest them, that is contrary to national security, then you are not on their radar.  So don’t worry seems to be the ultimate conclusion.  I am less sure that is right.  It is also, from a public policy and privacy perspective, a silly form of analysis.  Google, not a great respector of privacy normally (see article here for an example), doesn’t agree with the analysis and certainly appreciates the commercial reality of having secure communications (in certain areas) as reported by the Washington Post in Google encrypts data amid backlash against NSA spying.
The problem highlighted in the Zdnet piece is the use of back doors in encryption programs.  As the piece points out if the NSA, for example, knows where the back door is so can others.  That is problematical from the perspective of a maintaining data security generally and possibly may lead to a breach of an APP.  If the party providing the encryption deliberately leaves a back door and does not notify the user of that program it may be exposed to legal action if the breach is discovered by a hacker or those wanting to obtain financial advantage rather than for any data security purposes.
The article provides:
Encryption is an arms race. It is, perhaps, one of the true fundamental arms races in the history of warfare. In World War II, for example, the Allies’ ability to decrypt the Axis communications (without their knowing about it) was a factor leading to ultimate victory.

Encryption has always been the purview of the nation state and those, by virtue of concentration of economic and other resources, who essentially function as nation states (extremely wealthy individuals and large corporations).

The key to this arms race is a simple fact: some people don’t want other people to read their stuff. At the very same time, some people want to read stuff others don’t want them to read.

The most basic point you need to know when considering encryption is that those who encrypt do so to keep things private from those who would otherwise want to read those same private things.

In other words, encryption is a battle of wills. On one side are the encryption users, using ever more complex encryption to keep their adversaries out of their communication. On the other side are the entities who want to read those very same communications. They will use whatever means available to decrypt those communications.

This is as it has always been. This is as it shall always be.

So what does that mean in light of the latest round of NSA revelations and what does it mean for you?

Let’s start with the NSA

At it’s most mission-centered level, the NSA’s role is signals intelligence. Key to signals intelligence is cracking encryption. The NSA lives to crack encryption. So it has been. So it shall always be. To think otherwise would be foolish.

The same is likely true for other states, especially active players like China, India, Brazil, Russia, Israel, the Koreas, the U.K., Germany, Japan, and others. How capable each of these countries are at cracking signals intelligence is a function of the quality of their scientists, their budgets, and the information shared by their allies.

But rest assured, governments crack encryption. If there happens to be some kind of encryption they can’t crack, they don’t just write it off. They redouble their efforts to find a way to get inside those communication streams.

It is what they do. National security (and often national sovereignty) depends on it.

Encryption in the hands of enemy actors

Now, let’s talk about encryption in the hands of consumers and enterprises. But first, let’s talk about encryption in the hands of enemy actors, like terrorists and criminals.

Terrorists and criminals often operate as part of organizations, with leadership and management structures, and rank and file members. Command and control communication critical to the operation of these entities, especially in cases where sleepers have been long embedded in target communities.

These enemy actors use encryption (and a wide array of other methods, often in combination with encryption) to keep their communications private. A terrorist strike, for example, often needs months of global coordination, resource management, and human operative movements to prepare — and all of that often needs to be discussed across national boundaries.

Government agencies like the FBI and NSA and state and local law enforcement need to see into these communications to protect our citizens. This is done through technological methods (like decryption technology) and through very old-school methods, like infiltrating an undercover operative.

The bottom-line, though, is that terrible attacks and major crimes can be prevented by government and law enforcement by gaining visibility into communications the bad guys would like to keep hidden.

Encryption in the hands of consumers and enterprises

Next, let’s move on to the subject of encryption in the hands of people like us and the companies we work for. What do we need encryption for? In a word: privacy.

At the enterprise level, we use encryption to make sure competitors can’t see into our product plans and directions. We use encryption to make sure certain employees can be compartmentalized, so other employees don’t leak information too soon. We use encryption to protect the organization from criminals and hackers who might try to steal corporate trade secrets or financial information.

Consumer-level encryption is where things start to take on shades of gray. Let’s look at the easy aspects of consumer-level encryption first.

We want to be able to encrypt our financial transactions and Web shopping cart pages so hackers can’t steal our credit cards. That’s the simple, obvious, and necessary form of encryption. Generally we don’t care if governments can access that data, because, really, how much does the NSA want to know if you bought another pair of shoes?

But then we get to encryption for personal protection. At the most prurient level, some folks out there want to be able to hide their tracks when they’re doing inappropriate Web searches (let’s say porn). But others want privacy when they’re doing sensitive Web searches (let’s say a search into AIDS symptoms or how to find a divorce lawyer).

Consumers need privacy for personal activities. Medical discussions, spousal abuse issues, family-related problems that they don’t want to see shared far and wide on Facebook.

The key with this level of activity is that while privacy and encryption may be incredibly important, it’s not something the NSA is going to want or need to track. Consumer level encryption that keeps out family members and predators will do fine to keep you safe.

But then we get to the whole dissident issue, where individuals and groups are coordinating activities and discussions under the thumb of oppressive regimes. For example, take the coordinated protects of the Arab Spring. The people participating in these protests (who are trying to change their nations) have need to communicate (and do so in a way their governments can’t see). An intercepted communication could easily mean arrest and possibly execution.

Some here in the Western world would say that private, dissident communication is as necessary in America as it is in, say, Tunisia. State and local governments have different agendas than the federal government and have been known to persecute individuals based on their religious affiliations or their sexual orientation. Private, safe communication is essential to these individuals as well.

In most of these cases, good quality public-key encryption will keep most consumers safe from hackers, predators, and those who would discriminate. These issues are almost never a matter of national security concern — unless, of course, these “weaknesses” are exploited by other nation states or terrorist organizations for nefarious purposes, in which case that is something we’ll need to know to prevent serious repercussions.

My point here, though, is relatively simple: the NSA is probably not worried about your normal communications and the encryption you use for your daily activities is good enough.

There is one issue, though…

The back door problem

Back doors in code have existed since there were code systems in place. The idea is that it’s possible to get back into a system when locked out by other means.

This may need to happen for a variety of reasons, from the prosaic (someone lost the master login password or authenticator) to the terrifying (bad guys got into a system and locked out legitimate users).

But back doors are, by their very nature, security risks. If a back door is available, then not only can legitimate network management get back into a system, anyone who knows how to get into the back door can use it as well.

This is particularly relevant to our discussion of NSA decryption activities because it is has been reported that various encryption vendors have enabled back doors for the NSA. I can see and understand the reason behind this practice, but in this area alone, I have to disagree with the NSA practice.

Enabling back doors levels the playing field among all players and diminishes the NSA’s unique advantage at the same time. One of the reasons the NSA is able to maintain a level of intelligence unparalleled anywhere in the world is its extreme concentration of computing power and SIGINT resources. This is a barrier of entry that almost no other nation, and certainly no other terrorist group, organized crime organization, or even large enterprise can hope to pass through.

This barrier of entry has always meant that the NSA (and only the NSA) can get information that no other entity is capable of getting — and that’s how it should be. But if the NSA is “cheating” and doing deals that are embedding back doors in encryption technology, then those back doors are potentially available for anyone who finds them. And that defeats the NSA’s most powerful advantage while putting many of us at greater risk.

In my opinion, the back door policy the NSA is reportedly encouraging may provide a short-term tactical advantage, but it may prove to cause us all problems in the long-term.

Other than that, don’t sweat the NSA’s decryption capabilities. If you’re not an enemy actor, you’re not going to be on their radar.

Leave a Reply