Wednesday, September 11, 2013

Did the FBI Lean On Microsoft for Access to Its Encryption Software?

The NSA is reportedly not the only government agency asking tech companies for help in cracking technology to access user data. Sources say the FBI has a history of requesting digital backdoors, which are generally understood as a hidden vulnerability in a program that would, in theory, let the agency peek into suspects' computers and communications.

In 2005, when Microsoft was about to launch BitLocker, its Windows software to encrypt and lock hard drives, the company approached the NSA, its British counterpart the GCHQ and the FBI, among other government and law-enforcement agencies. Microsoft's goal was twofold: get feedback from the agencies, and sell BitLocker to them.

But the FBI, concerned about its ability to fight crime (specifically, child pornography), apparently repeatedly asked Microsoft to put a backdoor in the software. A backdoor, or trapdoor, is a secret vulnerability that can be exploited to break or circumvent supposedly secure systems.

For its part, the FBI categorically denies asking for such access, telling Mashable that the Bureau doesn't ask for backdoors, and that it only serves companies lawful court orders when it needs to access users' data. (And, legally, it would still need a warrant even if a backdoor did exist.)

Peter Biddle, the head of the engineering team working on BitLocker at the time, revealed to Mashable the exchanges he had with various government agents.

"I was asked multiple times," Biddle told us, confirming that a government agency had inquired about backdoors, though he couldn't remember which one. "And at least once the question was more, 'If we were to officially ask you, what would you say?'"

According to two former Microsoft engineers, FBI officials complained that BitLocker would make their jobs harder. "It's going to be really really hard for us to do our jobs if every single person could have this technology. How do we break it?" an FBI agent reportedly said.

The story of how the FBI reportedly asked Microsoft to backdoor BitLocker to avoid "going dark," the FBI's term for a potential scenario in which encryption makes it impossible to intercept criminals' communications or break into a suspect's computer, provides a snapshot of how U.S. government agencies may try to persuade tech companies to weaken their security products, or even poke a hidden hole to make them wiretap-friendly.

Last week, The New York Times, ProPublica, and The Guardian revealed that one of the ways the NSA circumvents Internet cryptography is to ask companies to put backdoors in their products.

The FBI is reportedly doing the same in the name of fighting crime, and its persuasion techniques appear to be very similar.

According to reports, both the NSA and the FBI are subtle in their requests, which are never formal, written requests, but are usually uttered during casual conversations, almost jokingly.

Nico Sell, the founder of the privacy-enhancing app Wickr, was approached by an FBI agent after speaking at the security conference RSA at the end of February, as first reported by CNET. "So are you gonna give us a backdoor?" the agent asked, according to Sell. She declined, and after she pressed the agent, asking him to explain if he had a written request and to reveal his boss, the agent backed down.

Cryptography and security expert Bruce Schneier said he's heard of these same types of tactics from others the government has approached seeking technological backdoors.

"It's not an explicit ask, [...] it's an informal, oblique mention, joking conversation, where you're felt out as to whether you're amenable to it," Schneier told Mashable. "If you're amenable to it, that conversation continues, if you're not, it's like it never happened."

Schneier is working with The Guardian on new, undisclosed documents provided by NSA leaker Edward Snowden. And he is now looking for whistleblowers in the tech industry who are willing to share their experience with government officials asking for backdoors.

Despite the requests being informal, Schneier and other surveillance experts are concerned.

"A request is a request," and despite not being illegal, he said, "it's coercive."

The FBI's Informal Request to Microsoft

In the case of Microsoft, according to the engineers, the requests came in the course of multiple meetings with the FBI. These kinds of meetings were standard at Microsoft, according to both Biddle and another former Microsoft engineer who worked on the BitLocker team, who wanted to remain anonymous due to the sensitivity of the matter.

"I had more meetings with more agencies than I can remember or count," said Biddle.

Biddle said these meetings were so frequent, and with so many different agencies, he doesn't specifically remember if it was the FBI that asked for a backdoor. But the anonymous Microsoft engineer we spoke with confirmed that it was, in fact, the FBI.

During a meeting, an agent complained about BitLocker and expressed his frustration.

"Fuck, you guys are giving us the shaft," the agent said, according to Biddle and the Microsoft engineer, who were both present at the meeting. (Though Biddle insisted he didn't remember which agency he spoke with, he said he remembered this particular exchange.)

Biddle wasn't intimidated. "No, we're not giving you the shaft, we're merely commoditizing the shaft," he responded.

Biddle, a believer in what he refers to as "neutral technology," never agreed to put a backdoor in BitLocker. And other Microsoft engineers, when rumors spread that there was one, later denied that was ever a possibility.

"The suggestion is that we are working with governments to create a backdoor so that they can always access BitLocker-encrypted data," wrote Niels Ferguson, Microsoft's cryptographer and principal software development engineer. "Over my dead body."

For Biddle, this was proof of a fundamental paradox facing government agencies and security software. How do you get secure software you can rely on, while also retaining the ability to break into it if people use it to commit or cover up their crimes?

"I realized that we were in this really interesting spot, sort of stuck in the middle between wanting to do a much better job at protecting our users' information, and at the same time realizing that this was starting to make government employees unhappy," Biddle said.

Despite Microsoft's refusals to backdoor its product, the engineers kept working with the FBI to teach them about BitLocker and how it was possible to retrieve data in case an agent needed to get into an encrypted hard drive.

At one point, the BitLocker team suggested the agency target the backup keys that the software creates. In some instances, BitLocker prompts users to print out a piece of paper with the key needed to unlock the hard drive, to prevent loss of data if a user forgets his or her key.

"As soon as we said that, the mood in the room changed dramatically," said the anonymous Microsoft engineer. "They got really excited."

In that instance, law enforcement agents wouldn't need a backdoor after all. As the engineer suggested, all they would need was a warrant to access a suspect's documents and retrieve the document that would unlock his or her hard drive.

Microsoft's Tarnished Privacy Reputation

For Christopher Soghoian, a privacy and surveillance expert at the American Civil Liberties Union, whether BitLocker had a backdoor or not isn't even that relevant, since it's a feature that very few Windows users employ. It's not a default setting, something that, Soghoian said, "is not an accident."

"The impact is minimal, because so few people use BitLocker, but it does speak to a friendly relationship between the companies and the government," he told Mashable.

This incident confirms something that Soghoian and other Microsoft critics have pointed out repeatedly over the last few years.

"If you want to keep your data out of the U.S. government's hands, Microsoft is not your friend," he said. "Microsoft is unwilling to really make the government go dark. They are never really willing to protect their customers from the government. They are willing to take some steps but they don't want to go too far."

In fact, in the last few years, Microsoft's commitment to users' privacy has been repeatedly put into question.

Microsoft has been accused of changing Skype's infrastructure to make it easier for governments to intercept and spy on users' calls and chats.

Documents provided by Snowden to The Guardian suggest Microsoft has been very cooperative in making it easier to eavesdrop on its products, including Outlook, Hotmail, and Skype.

The company even seemed to suggest that Skype calls are fair game for the NSA, in a response to that report, despite the fact that, historically, Skype insisted its calls were impossible to intercept.

Even a former Microsoft employee seems skeptical of the company's policies regarding privacy. Caspar Bowden, the former chief privacy advisor at Microsoft Europe, who recently denounced the NSA's PRISM program, describes himself on his Twitter account as "ex-Chief Privacy Adviser MSFT (hey, I tried)."

A Microsoft spokesperson declined to comment for this story, simply pointing us to a June 16 blog post by Microsoft's General Counsel Brad Smith.

The post, written in response to the revelation of the NSA's top secret surveillance program, codenamed PRISM, denies that Microsoft ever provides "any government with direct and unfettered access to our customer’s data. Microsoft only pulls and then provides the specific data mandated by the relevant legal demand."

Smith's post doesn't address Microsoft's relationship with government and law-enforcement agencies, and doesn't directly address the issue of three-letter agencies informally asking for backdoors. The company's spokesperson also declined to elaborate on whether Microsoft seeks feedback from the NSA or the FBI when launching products.

The anonymous Microsoft engineer, when talking about the company's relationship with the NSA, said that "they are very, very helpful to the Windows teams in terms of shoring up foolish little mistakes," adding that such consulting doesn't imply anything "weird" or illegal.

The FBI's Fear of Going Dark

The BitLocker story may be studied in the context of what the FBI calls the "Going Dark" problem.

In the last few years, the Bureau has argued that improved encryption technologies threaten its ability to snoop on a suspect's communications.

It's with this potential threat in mind that the FBI has been pushing for an expansion of the Communications Assistance for Law Enforcement Act (CALEA), which compels telecommunication companies (but not Internet companies like Google, Facebook or Microsoft) to build wiretap-friendly communication systems.

The effort, referred to as CALEA II, seems to have stalled, but the U.S. government's interest in defeating encryption with backdoors is long-standing.

"The FBI has been wanting such access for just about as long as there has been an Internet," said Scott Bradner, a web governance expert and secretary of the Internet Society.

During the so-called "Crypto Wars" of the 1990s, the government proposed the infamous Clipper Chip, an NSA-made encryption device that included a backdoor for the government. The attempt to make it mandatory for telecommunications companies failed after public pressure against it, and after Matt Blaze, a cryptography expert, discovered a serious flaw in its design.

But the FBI didn't stop worrying about encryption; it ramped up its rhetoric.

"The widespread use of uncrackable encryption will devastate our ability to fight crime and prevent terrorism," Louis Freeh, the FBI director at the time, told Congress in 1997.

In 2010, Valerie Caproni, at the time the FBI's general counsel, told The New York Times that the FBI needed more wiretapping powers against encryption technologies.

"No one should be promising their customers that they will thumb their nose at a U.S. court order," Caproni said. "They can promise strong encryption. They just need to figure out how they can provide us plain text."

Such a plan has always received strong criticism from cryptography and security experts.

Columbia University professor Steven Bellovin said that inserting backdoors "[I]s a disaster waiting to happen. [...] If they start building in all these backdoors, they will be exploited."

Bellovin's argument is simple: if the FBI, or the U.S. government, obtains a backdoor into a certain technology, that backdoor can be taken advantage of by hackers or cybercriminals as well.

Blaze echoed this sentiment in a column he co-wrote with privacy expert Susan Landau on Wired earlier this year.

"Mandatory wiretap backdoors in Internet services would invite at least as much new crime as it could help solve," the two wrote.

For all the FBI's complaints about the hazards of going dark, the numbers don't necessarily appear to back up such fears.

According to the U.S. courts' annual wiretap report, encryption prevented law enforcement agencies from obtaining communications four of the 15 times they encountered it in 2012. These four included the first time agencies had been thwarted by encryption since 2001, when the courts started publishing the stats.

And even in cases involving full disk encryption, and child pornography, the FBI has been able at times to crack it.

"The idea that they're going dark is quite silly," said Dan Auerbach, a technologist at the digital rights advocacy group Electronic Frontier Foundation.

Nevertheless, an FBI spokesperson denied that the Bureau ever asks for backdoors, arguing that it's also important to define what a backdoor is.

"We're not asking a company to give us unfettered access to a back channel so that we can get the information ourselves," FBI spokesperson Christopher Allen told Mashable. "To me that's what a backdoor implies."

"We are only talking about lawful, court-ordered intercepts in on-going investigations," he explained in a follow-up email. However, he also added that: "The FBI might explain what obligations a company may have to comply with a court order and what is required pursuant to each order, but it is the responsibility of the company named in the court order to develop the means to perform the lawful intercept."

Pressed for more comments on the specific cases illustrated in this story, Allen simply replied: "The FBI does not ask for backdoors. Period."

Images: Ben Horton/Getty Images for Microsoft; Flickr, eschipul; Justin Sullivan/Getty Images; Chip Somodevilla/Getty Images
