Going dark: implications for private, public sector protocol
Updated: Aug 25, 2018
Memo: “Going Dark” and its Implications for Private, Public Cyber Protocol
What is it? Going Dark is a situation in which the government has lawful access to data, information, networks, servers, or the like, yet cannot access the communications because of a lack of technological ability to do so. Legal hacking by government-sponsored entities is met with well-encrypted information that the hackers simply cannot access, even when a warrant fully allows this action.
Key events surrounding “Going Dark”:
February 2016 - Apple v. FBI: a legal battle over the FBI’s legal right to the information on a terrorist’s phone during a mass-murder investigation versus its actual capability to hack the phone. Apple refused to help the FBI hack the phone, even though it had the capability to do so, because of what doing so would mean and demonstrate to its customers about Apple’s respect for consumer privacy.
Big idea: code is protected as free speech; Apple’s hand would be forced to hack its own customers; and doing so would create a channel through which the government (and other, possibly illegal, entities) could exploit user information and weaknesses within Apple’s protections.
January 2017 - Microsoft Corp v. United States ruled that a warrant cannot compel American companies to produce data stored in servers outside the United States, following Microsoft’s refusal to comply
What can the government do to circumvent this? Creative Policy Solutions
Forcing a backdoor: The government could potentially compel companies to maintain the technological capacity to comply with these court orders, so that they can produce plaintext data that investigators can easily interpret. Two senators have already advanced draft legislation that would effectively implement this.
Pros: Investigations would be smoother within the private sector; potential to catch more criminals; potential to shut down extended terrorist networks/foresee and stop future malicious activity if the individual was not working alone
Cons: Creating a “backdoor” that the government could access creates a clear weakness in these private companies’ security, because hackers will be acutely aware of the channels through which information can be obtained; violation of user privacy; compromising user security overall
Would effectively represent a “government win”
Focusing on metadata: Shifting focus from encrypted data to metadata may completely circumvent the need for backdoor channels: metadata isn’t encrypted and is likely to remain that way, because many systems need it unencrypted in order to operate. By finding a new avenue of information that, in many cases, can still put together the puzzle, the federal government doesn’t need to fight Silicon Valley for information; it can simply find it on its own.
Pros: Limited legal conflict; doesn’t open up nearly as many vulnerabilities; provides an enormous amount of surveillance data; faster than waiting for decryption processes
Cons: Metadata only supplies a summary, and sometimes more information is required or useful
Note: because encryption does not prevent intrusions at endpoints, law enforcement can use this under the “metadata” umbrella to obtain information while still avoiding having to authorize location
Allowing for lawful hacking: This is a middle-ground solution that would lawfully allow the government to develop hacking capabilities and deploy them (with the appropriate warrants) without forcing all of Silicon Valley and beyond to develop intentional inadequacies in their code.
Pros: Middle-ground solution; doesn’t expose companies to increased risk; allows for private maintenance of strongly encrypted code
Cons: Difficult for the public sector to keep up with private encryption and security tactics; expensive to retain hackers with these capabilities; difficult to keep successful hacking tactics secure; resource-intensive; difficult to create anticipatory legislation that will be effective in many different situations; must be cautiously deployed and only as a last resort
International organizations present a significant barrier in this kind of decision-making, as the line is blurred between what is considered domestic traffic and international traffic (e.g., Microsoft Corp v. United States)
Companies are able to simply store and process their information out of U.S. jurisdiction, evading federal control