A draft of the Compliance with Court Orders Act of 2016 was officially released last week, confirming that the WikiLeaks release was accurate. Written by Senate Select Committee on Intelligence Chairman Richard Burr and Vice Chairman Dianne Feinstein, the bill ensures that “everyone must comply with court orders to protect America from criminals and terrorists.”
Before the bill is formally introduced, the senators are required to solicit input from the public and key stakeholders.
“I am hopeful that this draft will start a meaningful and inclusive debate on the role of encryption and its place within the rule of law,” Chairman Burr stated. “Based on initial feedback, I am confident that the discussion has begun. We remain eager to sit down and discuss a way forward with all who are willing to engage constructively on this critically important and challenging issue.”
“I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information – which involves strong encryption.”
- Richard Burr, Senate Select Committee
Earlier this year, Apple refused to introduce a “backdoor” into its software for the Federal Bureau of Investigation (FBI). “The government asked a court to order Apple to create a unique version of iOS that would bypass security protections on the iPhone Lock screen. It would also add a completely new capability so that passcode tries could be entered electronically,” states the company on its website.
According to the tech giant, there are two very dangerous implications that could result from allowing a bypass. Apple designed their passcode to be manual for a reason, allowing electronic entries would open the device to brute force attacks, weakening security immensely.
Compliance would have also expanded governmental powers. “Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent,” asked the company.
Both Chairmans of the draft bill appear to disagree. “No entity or individual is above the law,” said Vice Chairman Feinstein. “The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so.”
“Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”
- Dianne Feinstein, Senate Intelligence Committee
Despite the governmental drive to open up communications, it could prove to be difficult. In a time when privacy is so highly regarded, a variety of options are becoming readily available to the public, and technology is always advancing.
Traditional emails are sent using SMTP, one of the oldest technologies on the internet. Emails are sent in plain text, so anyone listening in can read them. Pretty Good Privacy (PGP) is a solution to some of the problems with SMTP email, as the email body is encrypted. However, the encryption keys must be saved and stored securely, and the email metadata is still prone to interception and mass surveillance.
“When we interact over our modern communications infrastructure, the content of our communication is not the only information we send. We also send data about the communication that allows the communication to successfully reach its intended recipient. Traditionally this is what was called communications metadata - data about data.”
- Privacy International
Version 1.1.0 of Davemail, an alternative to SMTP email, was released on GitHub today. “Davemail is an alternative to SMTP email. Data is stored in json format with user data separated from the encrypted message data,” states the project page. “The json data is open source and decentralised using git but it is impossible for anyone to deduce which encrypted message was sent to or from which users (unless you hold the key to messages sent to you).”
Other companies have also been working on solutions. Bitmessage is an open source, peer-to-peer, communications protocol which launched in 2013. Inspired by bitcoin, it’s designed to be a decentralised and trustless system. It has the ability to send encrypted messages to individuals and subscribers, and non-content metadata isn't made available to outside parties.
Bitmessage replicates all the encrypted messages inside its own network, then mixes them with all the other messages, making it almost impossible to track. The Bitmessage system stores messages for two days before erasing them, which means there are no archives to search.
Perhaps the most successful offering is Telegram. The service was launched in 2013 by brothers Nikolai and Pavel Durov, who founded VK, Russia’s largest social network.
Telegram users can exchange encrypted self-destructing messages, as well as transfer audio and video files up to 1 gigabyte. The accounts are connected to a user’s phone number, which can be changed at anytime without losing messages.
There are two types of ‘chats’ associated with the Telegram application. The ordinary chats use client to server encryption, and can be accessed from multiple devices. The second is secret chats, which use end-to-end encryption and can only be accessed from the two devices participating in the conversation. In the secret chat application, if one user decides to delete information from the conversation, it will delete the information on every device in the chat.
In 2014, Telegram introduced its Perfect Forward Secrecy within the secret chats. In order to keep past communications safe, the platform switches cryptographic keys. This occurs once a key has been used to decrypt and encrypt more than 100 messages, or has been in use for more than one week, provided the key has been used to encrypt at least one message. Old keys are then securely discarded and cannot be reconstructed, even with access to the new keys currently in use.