The Bike Shed


Civics is Boring. So, Let's Encrypt Something!

IT professionals can either passively suffer political solutions or participate in the process to achieve something better.

Poul-Henning Kamp

It's a common trope in entertainment for some character to deliver a nonlinear response to something seemingly trivial, only for that to later prove to have been a vitally important clue. So, that room the janitor won't let anybody into? Right, that isn't actually a storage closet, but instead it's the Portal to Hell. Governments have a quirk like that in the sense that you can get away with a lot of crap—in particular, if it looks like it might benefit the economy—But Nobody Messes with Fundamental Human Rights, OK?

As I write this, the founder of the encrypted communication service Telegram is under arrest in France. And, depending on where you get your news, he's either a freedom fighter subject to political persecution or a criminal mastermind getting his due. He probably is a bit of both, but he's under arrest now because he messed with the Fundamental Human Rights of people in France.

I'll spare you a long civics lesson, but I will provide two important clues to figure out what is going on with politicians and encryption right now. First, when legislators write laws to protect human rights, they decide who has to take responsibility for the problem, and what happens if they fail to carry that burden. So, if you're present when somebody falls off a ladder, the law has made it your problem to try to save that person's life. If you witness a crime, the law has made it your problem to tell the truth about what you saw in court. Similarly, if you publish something that somebody else wrote, the law makes you responsible for ensuring it doesn't endanger national security.

Second clue: Judges are superusers. To perform their job, which is to correct wrongs, judges are empowered to write court orders that sanction otherwise illegal violations of human rights. So, a judge who is convinced you're about to kill somebody can unleash the police to follow you everywhere in hopes of preventing that crime. Similarly, a judge who thinks your computer system contains information related to financial crimes can allow the police to hack that system. Likewise, a judge who thinks you're stalking your ex can order you to stay out of a certain part of town. And if there doesn't seem to be any other way to keep you from harming somebody else's human rights, you can be jailed.

Then, should you fail to comply with a court order, that's considered contempt of court and can be addressed with punishments far more severe than most people imagine, since court orders are deemed to be crucially important to the maintenance of law and order. What's more, a judge who becomes convinced you are planning a crime or human-rights violation—or have participated in one—can order that the privacy of your communications be violated as part of a search for evidence.

The problem for law enforcement in all this is that modern computer-aided encryption is fast, effortless, omnipresent, and unbreakable, thus negating many of these efforts. This is the frustration law-enforcement types are referring to whenever they complain about "criminals going dark." It's also what leads some politicians to say silly things about "banning encryption."

It's not as if people didn't communicate in code previously, if only to save on telco expenses. But this used to be slow, bothersome, and error-prone, which limited usage and left law enforcement with places to insert the knife—so it was somewhat tolerated.

IT libertarians have gone so far as to set up "offshore" services that employ encryption specifically designed to make it impossible for anyone to comply with a court order. So, because the Internet is global, now even petty criminals in Hoople, North Dakota, can effortlessly prevent judges from employing their superuser privileges.

This is a direct, in-your-face challenge to any state that considers itself to be a nation built on laws. Predictably, a response delivered with all due force is certain to come. The United Nations' new "cybercrime" treaty, readied for signatures at the time of this writing, is very much focused on how to get court orders to work quickly and efficiently across borders. Bear in mind that international bodies don't fashion treaties like this unless they think an urgent response is vital.

Which means we, as IT professionals, now have a choice to make. We can either sit by passively and suffer the consequences of whatever ill-conceived solution the politicians cook up for us, or we can participate in the process in hopes of achieving a less awful solution.

In terms of what might be done in that way, here's one straw-man proposal to consider.

First, we provide legislators with the essential technical tools.

We can make it possible for one side of a TLS protocol negotiation to declare, "I'll deal with court orders related to this communication," in such a way that law enforcement can find out where to send the court order for their wiretap without learning more than they already know.

Moreover, parties to a TLS connection should be able to insist that the session key starts with a certain number of zero bits. If the other party thinks that isn't good enough, the TLS handshake fails.

Then the legislators can get to work. First, they'll need to make it a crime to force or trick anyone into using stronger encryption than they consent to, no matter how that might be done. (Note that IT libertarians who claim encryption is a human right never realize this should also include the right not to be forced to use encryption against one's will.)

Second, they'll need to lay out what it takes for an attestation to handle court orders to be validated—along with the consequences for noncompliance. This will probably be something along the lines of: "The attestation must be signed with Interpol's or XYZ government's certificate."

Third, it will need to be legislated that, if the other end attested to handling court orders or if the session key requires fewer than N bits to brute force, you will not be subject to any adverse treatment for using encryption. (N is a political choice since the hardware that law enforcement will need in order to brute-force the N bits will be paid for out of your taxes. Don't argue here; take it up with your politicians.)

Then, fourth and finally (drum roll, please!), they'll need to allow courts to jail the accused until: (a) the communication has been decrypted by someone; (b) the maximum penalty for the charged crime has been exceeded; or (c) the court decides to release the accused.

Following a bit of implementation work, your browser or mobile phone will then work as follows:

You'll configure your jurisdiction—for example, USA, EU, or China—so that the browser will know how to validate attestations from the other end.

Whenever you connect to a site that attests, you'll be able to use any kind of encryption with any key size, and since almost all commercial sites, such as your bank, already are legally required to keep records and respond to court orders, they'll have no trouble attesting.

Should you contact a site that does not attest, be it Crimes R Us in Elbonia or your Homeowners Association's "50 Rules for Appropriate Lawn Maintenance," your browser will keep you out of jail by refusing to use a session key longer than the N legal bits.

If for some reason, however, you think that isn't nearly enough encryption, you'll also be at liberty to go into your browser settings to select whatever session key size you are willing to use—provided, of course, that the other end accepts that as well.

The slider should probably be graduated in units of time (days, weeks, months, and years), since what you're really setting is the length of time you're willing to rot in jail while refusing to comply with a court order.

It goes without saying that you'll suffer no ill consequences even if you set the slider to "eternity," provided you keep a logfile of all your session keys and then hand them over whenever a court order demands it. Just make sure you don't lose that file.

Companies can also set up client-side proxies that attest to handling court orders and insist upon proper session key sizes, according to company policy, so their employees won't even have to think about it.
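The handshake rules sketched above (an attestation the client validates against its configured jurisdictions, a session key forced to start with zero bits, a handshake that fails when the other end won't accept that ceiling, and a slider expressed in time) are easier to reason about as code. The following Python model is an added illustration written for this page; it is not code from the column and not an existing TLS implementation. Everything in it is assumed: attestations are authenticated with an HMAC under a per-jurisdiction key standing in for "Interpol's or XYZ government's certificate", N is set to 64 bits, the session key is 256 bits, and the names (`JURISDICTION_KEYS`, `negotiate`, `slider_to_bits`, the `court-orders@bank.example` contact) are all invented here.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import Optional

KEY_BITS = 256    # assumed symmetric session-key length
LEGAL_BITS = 64   # assumed value of N: the brute-force budget the law permits

# Constructed stand-ins for "Interpol's or XYZ government's certificate":
# each jurisdiction the user configured maps to a MAC key that authenticates attestations.
JURISDICTION_KEYS = {"EU": b"eu-demo-key", "USA": b"usa-demo-key"}


class HandshakeFailed(Exception):
    """Raised when the two ends cannot agree on a session-key strength."""


@dataclass(frozen=True)
class Attestation:
    """Peer's declaration: 'I'll deal with court orders related to this communication.'"""
    jurisdiction: str
    contact: str   # where law enforcement sends the court order for this connection
    tag: bytes     # authenticator over (jurisdiction, contact)


def _attested_message(jurisdiction: str, contact: str) -> bytes:
    return jurisdiction.encode() + b"\x00" + contact.encode()


def issue_attestation(jurisdiction: str, contact: str, signing_key: bytes) -> Attestation:
    """Produced by the attesting party (e.g. a bank) under the jurisdiction's key."""
    tag = hmac.new(signing_key, _attested_message(jurisdiction, contact), hashlib.sha256).digest()
    return Attestation(jurisdiction, contact, tag)


def verify_attestation(att: Optional[Attestation], trusted_keys: dict) -> bool:
    """Client-side validation against the jurisdictions the user configured."""
    if att is None or att.jurisdiction not in trusted_keys:
        return False
    expected = hmac.new(trusted_keys[att.jurisdiction],
                        _attested_message(att.jurisdiction, att.contact),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, att.tag)


def client_max_bits(att: Optional[Attestation], trusted_keys: dict,
                    slider_bits: int = LEGAL_BITS) -> int:
    """Strongest key the client will use with this peer.

    A valid attestation unlocks full strength; otherwise the user's slider
    setting applies, and the slider defaults to the legal N bits.
    """
    if verify_attestation(att, trusted_keys):
        return KEY_BITS
    return min(slider_bits, KEY_BITS)


def derive_session_key(shared_secret: bytes, strength_bits: int) -> bytes:
    """Derive a KEY_BITS key whose leading KEY_BITS - strength_bits bits are zero."""
    if not 0 <= strength_bits <= KEY_BITS:
        raise ValueError("strength_bits out of range")
    raw = int.from_bytes(hashlib.sha256(shared_secret).digest(), "big")
    mask = (1 << strength_bits) - 1
    return (raw & mask).to_bytes(KEY_BITS // 8, "big")


def has_zero_prefix(key: bytes, strength_bits: int) -> bool:
    """True if the key's leading KEY_BITS - strength_bits bits are all zero."""
    return int.from_bytes(key, "big") >> strength_bits == 0


def negotiate(client_bits: int, server_min_bits: int, shared_secret: bytes) -> bytes:
    """The client insists on at most client_bits of strength, the server on at least
    server_min_bits. If the server thinks the client's ceiling isn't good enough,
    the handshake fails, as the column describes."""
    if server_min_bits > client_bits:
        raise HandshakeFailed(f"server requires {server_min_bits} bits, client offers {client_bits}")
    return derive_session_key(shared_secret, client_bits)


def slider_to_bits(seconds: float, guesses_per_second: float) -> int:
    """Key strength that a brute-force effort at the given rate exhausts in about `seconds`."""
    return math.ceil(math.log2(seconds * guesses_per_second))


if __name__ == "__main__":
    bank = issue_attestation("EU", "court-orders@bank.example", JURISDICTION_KEYS["EU"])
    shared = b"constructed-handshake-secret"   # constructed stand-in for the key exchange output
    print("attesting bank:", negotiate(client_max_bits(bank, JURISDICTION_KEYS), 128, shared).hex())
    try:
        negotiate(client_max_bits(None, JURISDICTION_KEYS), 128, shared)
    except HandshakeFailed as err:
        print("non-attesting site demanding 128 bits:", err)
    weak = negotiate(client_max_bits(None, JURISDICTION_KEYS), 0, shared)
    print("non-attesting site at legal strength:", weak.hex(), has_zero_prefix(weak, LEGAL_BITS))
    print("one day at 1e9 guesses/s is about", slider_to_bits(86400, 1e9), "bits")
```

Two things the model makes visible that the prose does not. First, the HMAC is only a stand-in: with a shared MAC key the bank would have to hold the jurisdiction's secret, so a real deployment would verify a signature against the jurisdiction's public certificate and the client would carry only public material. Second, the zero-prefix rule caps strength only if the remaining bits are unpredictable and the prefix is actually checked by the side that cares, which is why `negotiate` derives the key itself rather than trusting the peer's claim.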

Which is to say that this straw-man proposal, in theory, ought to make everybody happy. What's not to like? Law enforcement will have ways to gain access to communications, provided they can convince a judge it's necessary. All important communications will be able to continue using the same strength of encryption they use today. Communications that didn't require encryption in the first place, like that HOA guide to proper lawn maintenance, will be able to employ sufficient encryption to prevent trivial wiretapping, but nothing strong enough to prevent brute-force access should a judge decide that's necessary. And if legislators think that too much or too little encryption is being brute-forced, they can always revise the law to change N.

IT libertarians, meanwhile, will have the freedom to encrypt any way they please, and they can even throw away their session keys if they so choose, but they won't be able to force anyone else to do so. If they try, they'll have to stand up in court for it—just like that IT libertarian who's currently in French custody.

In reality, I expect that law enforcement will demand more access and that IT libertarians will consider any kind of compromise to be treasonous. So, no, I do not expect my proposed compromise has any chance of adoption whatsoever.

But, then, don't tell me 10 or 20 years from now that we didn't have any other options.


Poul-Henning Kamp has haunted the Unix world for 40 years and written a lot of widely used open-source software, including bits of FreeBSD and the Varnish HTTP Cache. Living in Denmark with his wife, two cats, and three lawn-mower robots, he remains unconvinced that an older/wiser correlation exists.

Copyright © 2024 held by owner/author. Publication rights licensed to ACM.


Originally published in Queue vol. 22, no. 5
