Published by Cleopatra Lindsey. Modified over 9 years ago.
1
Conflicting Privacy Regimes: (1) Encryption and (2) Access to Cloud Records
Peter Swire
Ohio State University
Future of Privacy Forum
IAPP Global Summit 2012
Washington, D.C.
March 6, 2012
2
Overview
Part I: Encryption and globalization
  – Brief history of wiretaps
  – Encryption on the Internet
    Crypto Wars of 1990s
    India and China today
Part II: Emerging battles on access to the Cloud
  – Where will law enforcement get communications?
  – Encryption
  – CALEA-type laws
  – Seize before/after encryption
  – The cloud
3
Relevant Background
Chair, White House Working Group on Encryption, 1999
Chair, White House Working Group on updating wiretap laws for the Internet, 2000
Current project at Future of Privacy Forum on government access to data in global setting
4
Are These Good Ideas?
India: maximum crypto key length of 40 bits
China: require use of Chinese-created cryptosystems, prohibit use of global standards
5
[Diagram labels: Local switch; Phone call; Telecom Company; 3; Alice; Bob]
6
[Diagram labels: Local switch; Phone call; Telecom Company; 3; Alice; Bob]
7
[Diagram: Internet: Many Nodes between ISPs. Labels: Alice; Alice ISP; Bob ISP; Bob; "Hi Bob!"; "%!#&*YJ#$ &#^@%"]
8
Problems with Weak Encryption
Nodes between A and B can see and copy whatever passes through
From a few telcos to many millions of nodes on the Internet
  – Hackers & criminals
  – Foreign governments
  – Amateurs
Strong encryption as feasible and correct answer
  – US approved for global use in 1999, after the “crypto wars”
  – India, China new restrictions on strong encryption
  – “Encryption and Globalization” says those restrictions are bad idea, at http://ssrn.com/abstract=1960602
9
India
Since 1990s, law on book: 40 bit legal limit on key length
No enforcement then
Mumbai attack, 2008
RIM and newly vigorous enforcement
Key escrow proposal 2011 (blocked)
Security agencies insist on ability to wiretap in real time
  – Didn’t like the new technical reality
10
[Diagram: Alice encrypts "Hi Bob!" with Bob's public key; the encrypted message (%!#&YJ@$) passes Alice's local ISP, the backbone provider and Bob's local ISP; Bob decrypts it with Bob's private key to read "Hi Bob!"]
11
[Diagram: Jill at Corporation A (Tata) encrypts "Hi Fred!" with the public key of Corporation B (Reliance); the encrypted message (%!#&YJ@$) passes Corporation A's ISP, the backbone provider and Corporation B's ISP; Fred at Corporation B (Reliance) decrypts it with the private key of Corporation B to read "Hi Fred!"]
Lawful process:
(1) Ask Tata before encryption
(2) Ask Reliance after decryption
12
India
RIM enforcement
  – Threaten import controls if no cooperation
  – RIM announces server in India
  – Nokia announces server there as well
Ban SSL, VPNs, and all the other crypto?
  – Still have old law – 40 bit limit
  – Big gap between law and reality
  – Not clear how India will use its leverage going forward
13
China – Its Apparent Goals
Internal surveillance
  – General limits on effective crypto
Trade promotion
  – Indigenous Innovation Policy
    To sell in China, make in China
    Give them your IP
  – Use non-standard crypto-systems
    If make in China and export, their system spreads
14
China
1999 law generally prohibits commercial crypto, and requires license for import or domestic use of crypto
Later soft law that no need for license except where “core function” is encryption
  – Microprocessors, PCs, mobile phones OK
  – VPNs are not OK, “core function” is crypto
  – Great uncertainty about meaning of “core function”, where you need their license
15
China
License requires use of non-standard crypto
  – Algorithms were provided only to Chinese companies
  – In 2011, public release of 3 algorithms
    Testing from non-Chinese has begun
    Chinese algorithms/cryptosystems robust?
    Problems of interoperability with global standards
  – Additional limits on sales to state sector, which is large
16
What’s Chinese Strategy?
Surveillance
  – “Air gap” at border, plaintext there
International standards
  – Support Chinese standards
Trade promotion
  – Spread Chinese standards
BUT
  – Threat to interoperability
  – Threat to end-to-end cybersecurity
  – No effective peer review of Chinese crypto
17
Why Crypto Matters
Crypto central to computing & thus cybersecurity
Crypto deeply embedded in modern computing:
  – SSL, HTTPS, VPNs, Skype/VOIP, Blackberry
  – Offense is ahead of the defense
  – The world is our bad neighborhood
  – Defense and the weakest link problem
  – Crypto as perhaps the largest category for effective defense
  – Don’t play cybersecurity with two hands tied behind your back
18
The Least Trusted Country Problem
1990’s Clipper chip debate
  – Many expressed lack of trust in government access to the keys
Globalization and today’s encryption debate
  – What if a dozen or 50 countries with the keys, or enforced crypto limits?
  – What if your communications in the hands of your least trusted country?
    India/Pakistan; China/Taiwan; Israel/Iran
  – Don’t create security holes in global Internet
19
Wrap-Up on Part I
Strong crypto crucial to your cybersecurity
Are you implementing VPNs and other crypto globally? (I hope so)
If so, legal risks in any of your countries?
Should your organization get more involved in assuring secure computing and communications?
20
Part II: The Cloud
International Conflicts to Come
21
Law Enforcement Perspective
You’re the police – how do you wiretap communications on the Internet?
  – 9/11, Mumbai bombing
  – Want to implement lawful court order
  – Want to get content
    In the clear (not encrypted)
    In real time (the attack may be soon!)
BUT (finally) voice and e-mail are being encrypted
22
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
My thesis: #4 is becoming FAR more important, for global communications
Global rules for the “front doors” of cloud providers become far more important
23
Break the Crypto?
Just analyzed why crypto is pervasive and strong
India limits unlikely to work
Chinese standards might work, breaking cybersecurity
  – How much of the rest of standard Web technology will they refuse?
24
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
25
[Diagram labels: Local switch; Phone call; Telecom Company; 3; Alice; Bob]
26
[Diagram: Internet: Many Nodes between ISPs. Labels: Alice; Alice ISP; Bob ISP; Bob; "Hi Bob!"; "%!#&*YJ#$ &#^@%"]
27
Limits of CALEA
Very bad security to have unencrypted IP go through those web nodes
Skype and VOIP pervasive
How deep to regulate IP products & services?
  – WOW just a game?
  – Pre-clearance for IP communications?
  – FBI’s “going dark” argument has serious flaws and will face opposition in the IP space
28
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
29
Governments Install Software?
Police install virus on your computer
This opens a back door, so police gain access to your computer
Good idea for the police to be hackers?
Good for cybersecurity?
30
Governments Install Hardware?
Reports of telecom equipment that surveil communications through them
Can “phone home”
Good to design these vulnerabilities into the Net?
2/16/2012, The Atlantic: “Chinese Telecoms May Be Spying on Large Numbers of Foreign Customers”
31
Ways to Grab Communications
1. Break the encryption (if it’s weak)
2. Grab comms in the clear (CALEA)
3. Grab comms with hardware or software before or after encrypted (backdoors)
4. Grab stored communications, such as in the cloud
32
The New Emphasis on Stored Records
Strong crypto now widely deployed for email & web
  – Webmail using SSL, so local ISPs go dark
From switched voice to VOIP & other IP
  – CALEA less effective at the tower/local switch
33
Stored Records: The Near Future
Growth of the cloud
Global requests for stored records
  – Encrypted webmail, so local ISP less useful
  – VOIP, so local switched phone network less useful
If no Magic Lantern, then police go to stored records
Push for “data retention”, so police can get the records after the fact
34
Wrap Up on Part II
If you are in law enforcement or national security, new emphasis on access to stored records
  – If in country with cloud server, local service
  – If stored elsewhere, big new obstacle
Copyright holders want stored records, too
Stronger communication encryption
But new battles about stored record security
  – Many knocks on the front doors of cloud providers and other record holders
35
For Your Organization
How respond to records requests in-country?
How respond to records requests from other countries?
  – Internal procedures
  – Lawyers
  – Want to cooperate with lawful access
  – Want your brand to say that records are stored securely
Worth a review for the coming requests?
36
Sources
Swire & Ahmad, “Encryption and Globalization”, at http://ssrn.com/abstract=1960602
“Going Dark vs. A Golden Age of Encryption”, https://www.cdt.org/blogs/2811going-dark-versus-golden-age-surveillance
www.peterswire.net