Forget spying, now the NSA wants your password list
The NSA isn't interested in a sneaky back door into your smartphone or computer any more, it just wants you to leave the front door wide open. While arguments continue around just what the National Security Agency can and can't get access to – dragging more than one big tech name into the controversy – the spy organization's chief is suggesting a far more blunt approach: in effect, handing over the keys to encryption upfront.
The risk, NSA director Adm. Michael S. Rogers argues, is that increasingly strong – not to mention enabled by default – methods of device encryption are making it tougher for law enforcement to check through phones, tablets, laptops, and more.
Until now, the NSA has been tight-lipped on what it would prefer, but Rogers changed that last week. Speaking at Princeton University, he dismissed the idea of the NSA sneaking in through mysterious loopholes.
"I don't want a back door," he explained, the Washington Post reports, "I want a front door. And I want the front door to have multiple locks. Big locks."
Those locks would have NSA access rights baked into them from the start. Although the proposals aren't finalized, insiders with knowledge of some of the options being weighed outline both a "key escrow" and a "split key" process.
For the escrow system the user of the device would obviously get access, but a second key would be kept in a secure way, so that agencies like the FBI could sift through the data stored in the case of an emergency.
As for the split key system, that would see the FBI or similar cooperate with device or software manufacturers – such as Apple or Google – with each having part of a key that, combined, would unlock the phone.
Unsurprisingly, security experts and privacy advocates aren't convinced that either proposal is the right approach. For a start, there're the technical requirements involved in maintaining a secure enough escrow for all of the skeleton keys to the devices used by the American public.
Should that store be hacked, for instance, it could have catastrophic implications.
More broadly, though, it relies on users and manufacturers trusting government agencies to handle the access responsibly, something that in this post-Wikileaks world can't necessarily be taken for granted.
Back in January, UK Prime Minister David Cameron made similar demands to instant messaging services, making it a campaign pledge that, should he be re-elected, he would insist on unhampered access to all conversations in WhatsApp and other platforms.
Without the modern day equivalent of a skeleton key, however, lawmakers are struggling to figure out a way to access encrypted data even with a warrant, given expecting suspects to voluntarily unlock their phones and tablets could fall foul of the Fifth Amendment.
Another proposal would involve services creating a completely identical mirror of a suspect account, on which security agencies could eavesdrop. Exactly how practical that might be in a situation such as where iOS phones are locked in such a way that even Apple can't gain access remains to be seen.
VIA BoingBoing
SOURCE Washington Post