This paper was prepared for PSAA 655 – Domestic Intelligence Operations at the Bush School of Government and Public Service at Texas A&M University. For this paper, we as students were expected to research an important topic related to intelligence operations and look at how certain policy decision affect the intelligence cycle. In this particular case I disucssed the public availability of strong data encryption.
The increased ubiquity of technology has brought great new tools of communication to our society allowing us to communicate across the globe with people from almost any culture. It has also brought the same ability to communicate to terrorist organizations, drug cartels, human traffickers, and other threats to our country. With this ability to communicate has come an ability to secure and encrypt those communications in a practically unbreakable way that has been controversial in the privacy vs. security debate.
While the balance between privacy and security must be maintained, it must be understood that there is no legislative way to prevent strong encryption from getting in the hands of terrorists and criminals in this internet connected world. Instead law enforcement and intelligence agencies should focus their efforts on thinking like hackers to get at the information they need, and access data either before it is encrypted at the point of origin or after it is decrypted when it reaches its destination.
Technology has boomed since the 1980s. We started first with personal computers (PCs) arriving in the home from companies like Apple and IBM. In the 1990s we saw the advent of the internet which created a whole new world for commerce and communication across the globe. In the 2000s we saw the emergence of social media like Facebook and Twitter which were further enabled by the development of smartphones like the Apple iPhone which were essentially personal computers that could fit in our pockets and take anywhere. This ubiquity of technology has brought with it tremendous advantages for society as well as the potential for use by adversaries to carry out terrorist attacks and criminal activities such drug trafficking, human trafficking, and many others. One topic within the world of technology that has seen huge use both legitimate and nefarious is the topic of strong encryption and its use in securing all of this technology. Most encryption has reached a level that is practically unbreakable by even the most sophisticated hackers in the world. To understand the challenges seen both by hackers and intelligence operations alike we must first understand what is involved with modern encryption.
One of the great things about our internet enabled society is that everyone is able to join in on the conversation about important topics. Unfortunately that is also one of the big challenges our internet enabled society has. While everyone is able to discuss important policy issues, not everyone has the necessary knowledge or experience to understand the issues being discussed. As a result the body politic will draw invalid conclusions from less than all the facts or from facts that are simply not true. Because of the relative newness of strong encryption to the general public this is definitely the case in regards to this issue. Frequently there will be pundits interviewed on national news channels discussing the San Bernardino case or other related cases who have an extensive background on topics of terrorism and national security who make the assertion that technology companies should be criminally prosecuted for not breaking the strong encryption used in their technology. Or they will assert that companies know how to do it, and should simply be forced to break the encryption. These are suggestions that are simply not feasible. As much expertise as these individuals have in regards to issues surrounding terrorism and security, they rarely have any information technology expertise much less any expertise about data encryption in the internet age. It is very important to understand the technology surrounding strong encryption in order to make good policy decisions on this issue. Policy made based on less than accurate information can have many negative consequences. Like any privacy/security debate a balance must be struck. But in order to do so we must know where the center of gravity is and what exists near that center of gravity by understanding the technology behind encryption.
The concept of cryptography is not something that was born in the internet age. One of the earliest known ciphers is “Caesar’s Cipher” named for Julius Caesar of Ancient Rome from over two thousand years ago (CIA, 2007). By today’s standards this is a very simple version of encryption. The basic method used is to shift letters in the message by a predetermined direction and number of places in the alphabet. For instance using a left shift of three places the message “THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG” becomes “QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD”. The idea here is that two parties could communicate in private as long as they are the only ones who know the shift being performed. This simple cipher insured that Caesar could communicate with his subordinates and allies in secret even if the encrypted message were intercepted by an enemy. This is the most fundamental purpose of cryptography. To ensure that two or more parties can communicate in the open without potential adversaries being able to understand that communication and gain access to sensitive information.
A fundamental rule of cryptography is that increased complexity in the cipher being used equates to increased difficulty for an adversary to break that cipher. The history of cryptography is therefore a history of ever increasing incremental complexity in the ciphers used. For example one of the methods used to increase the complexity of the Caesar Cipher was what is known as a substitution cipher in which the same shift in letter is used, but then that letter is replaced with a number corresponding with the shifted letter. So the message “THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG” becomes “17-05-02 14-18-06-26-08 25-15-12-20-11 03-12-21 07-18-10-13-16 12-19-02-15 17-05-02 09-24-23-22 01-12-04”. Many reading the description of this cipher may recognize this from their childhood as a toy that has been sold in various forms for a number of generations. It was even featured in the 1983 movie, “A Christmas Story”, in which the main character uses a “Little Orphan Annie decoder ring” to receive a message from his favorite radio show. The main character was of course disappointed to find out that the message was nothing but a “crummy commercial” to drink Ovaltine, but it was only those with the decoder ring who were able to decipher that message that was broadcast over the air.
These are very basic forms of cryptography that were groundbreaking for their time. If you fast forward to the twentieth century, specifically to World War II, you start to see even more complex ciphers with the help of mechanical devices like the Enigma Machine which was used by the German military both before and during the war (Crypto Museum, 2012). Two parties operating Enigma Machines would have a series of secret settings for the machine that would tell that machine how to encrypt and decrypt messages. These secret settings were basically a “key” that had to be kept out of the hands of an adversary or that adversary would have everything they needed to decrypt messages using their own Enigma Machine. While these newer methods of cryptography used more and more complexity to prevent a third party from accessing sensitive data, they were still at the end of the day using the same principle that the Caesar Cipher used. A key that was shared between two or more parties wanting to communicate securely, that key would then be used both for encrypting plaintext and for decrypting cipher text. A weak point can be found in this system without having to break the math behind the cipher that is being used. If, as an adversary, you are able to acquire the key being used by those parties engaged in secure conversation you can then listen in on that conversation by decrypting the messages using the stolen key. Taken a step further, if the only means of communication between two parties is remote over a radio for example, you could even pose as one of those parties and feed false information to the other.
Symmetric and Asymmetric Cryptography
Cryptography as most people look at it is what is known as Symmetric Cryptography. The examples that have already been covered are all different methods of symmetric cryptography. What makes a cryptography method symmetric is the use of a single key for both encryption and decryption (IBM Knowledge Center, 2017). While this has been a very effective method for maintaining secrecy for communication between parties, it still has the weak point that was previously mentioned. If an adversary is able to acquire the single key being used for the conversation then the security of the entire conversation is now gone.
We will use Alice and Bob as an example. Alice and Bob want to be able to securely communicate over the internet from one side of the country to the other. The only encryption method that they have available to them is a symmetric cryptography algorithm on their smartphones known as Advanced Encryption Standard (AES). This is considered the top industry standard for symmetric encryption and is used to protect information by the government as well as by the private sector including banks (TechTarget, 2017). For Alice and Bob to communicate securely using AES, Alice must send a key to Bob. In the case of AES (as well as other computer based symmetric algorithms) a key will be a random collection of bytes of a fixed length. For AES this key will be 32 bytes in length which has a number of possible combinations that has seventy-seven digits to the left of the decimal (256 possible values per byte raised to the 32nd power). This makes the task of randomly guessing the correct key statistically impossible and using a “brute force” attack to go through every possible key would take even the most powerful computers decades to discover the correct key. The strength of AES as a means of secure communication is without question in the industry which is why it is so widely used. But Alice still has to share a key with Bob in order for it to work. This is where AES is at its weakest since Alice and Bob are separated by geography. Alice could send the key to Bob via email or regular mail. But an adversary could intercept that message and gain access to the key without either one knowing and then listen in on their communications from then on.
This is where the concept of Asymmetric Cryptography comes in. Asymmetric Cryptography, sometimes called Public Key Cryptography, uses multiple keys to secure the communications between two parties. Each person generates their own pair of keys that are mathematically related. One key is the owner’s “public key” while the other is their “private key”. As the name suggests the public key can be shared openly while the private key is kept private by the owner. Because of how the math works with public/private key pairs, a private key cannot be derived from its public key. A public key can be handed to another party who can then encrypt a message with that public key. That encrypted message can only be decrypted by the person with the associated private key (IBM Knowledge Center, 2017). A good real world example is that of a mail drop off box that the US Postal Service uses. Letters can be dropped off through the slot at the top by the public. However, only the Postal Service is able to open the door on the back to access those letters. The slot at the top is like the public key in asymmetric cryptography while the door in the back that only the Postal Service can access is the private key. The downside for many of the standard asymmetric algorithms is that there is a relatively small limit to the amount of data they can encrypt. This is partially due to the math involved using so much processor power on computers. The Rivest-Shamir-Adelman (RSA) cipher which is the leading standard in asymmetric cryptography is limited to 4096 bytes. So while using it to encrypt small text messages under 4096 characters is feasible, using it to encrypt files or photographs is not recommended since they are typically a thousand times the limit for RSA and up. To resolve this, most programmers use a combination of asymmetric and symmetric cryptography. Returning to Alice and Bob who still have the challenge of securely sharing their 32 byte long symmetric key for AES encryption of their communication. They can now use the asymmetric cryptography algorithm, RSA, to share their AES key by first sharing their public RSA keys and then using those public keys to encrypt that AES key and transmit it over the air securely. Clear as mud? Here are the steps involved in a slightly clearer way:
- Alice and Bob generate their own different asymmetric RSA key pairs.
- Alice sends Bob her public RSA key, while Bob sends Alice his public RSA key.
- Alice generates a random AES symmetric key that is 32 bytes in length.
- Alice uses Bob’s public key to encrypt the AES key that she just generated, and sends the encrypted key to Bob.
- Bob then uses his private key to decrypt the AES key that he was just sent.
- Alice and Bob now both have the AES key and can communicate securely with that key.
This methodology is a simplified version of what is going on behind the scenes between you and the secure websites that you visit that use Secure Socket Layer (SSL). You can identify these websites if the web address starts with HTTPS://, as opposed to the unsecured HTTP://. That extra ’S’ literally stands for “secure”. When visiting a website using SSL such as your bank or an online store, behind the scenes your computer and the website’s server are working through the same steps that Alice and Bob did above. This technology and the way it is used is a significant part of what makes the internet far more secure today than it was twenty years ago at the start of the Internet Boom in the 1990s.
With this level of sophistication in encryption the ability to access encrypted messages leaves an attacker only three methods. The first is a brute force attack in which the attacker goes through every possible combination of the key. With current encryption standards and the computing power available in the industry today, a properly selected key would take decades to discover using this method, therefor it is not practical. The second method is to gain access to the key. This can be done either by being the person that issues the key or by stealing it from the person that holds the key. This is a very effective method and represents the bulk of the cases that you hear about in the news in which encrypted data is accessed without authorization. The third method is to gain access to the information before it is encrypted in the first place or after it has been decrypted to be read by the owner. A good real world comparison would be a file stored in a vault that can only be accessed by a three number combination. The file is the information an attacker wants access to, the vault is the encryption being used, and the combination to the door is the properly generated key. Just like any bank heist movie scene that Hollywood has ever produced, an attacker only has three methods to get to that file. Drilling through the walls is practically impossible because of reinforcements and other countermeasures. Going through every possible combination on the door would take too long and the attacker would risk discovery by the security guard. So the best options are to be an insider threat for the vault company that sets the combination or try to coerce the bank manager into giving up the combination. Another viable option is to gain access to the file before the file’s owner puts the file in the vault or retrieves it from the vault for some purpose.
End To End Encryption and Text Messaging
Much of the encryption that has been covered so far is primarily used between users and the websites they visit (online shopping, personal banking, etc.) or the communications between two servers on the internet (email servers, financial institutions). Encryption is very much a significant part of the protection of our cyber infrastructure in that it protects sensitive communications for other critical infrastructures that rely on the internet including the financial industry, healthcare industry, and others. Most recently, however, there has been an increase in the number of services being made available for direct communication between individuals using what is known as End to End Encryption. To understand end to end encryption we must first understand how messaging between people on the internet works.
The internet was primarily designed to work using a client to server mechanism. For example, when you visit a website your web browser is working as a client of a server that holds the data for that website. When you are sending an email to someone on the internet the contents of this email does not go directly to the recipient. Instead the message travels from your email client software, to your email company’s server (Yahoo for example), to the recipient’s email company’s server (Gmail for example), to the recipient’s email client software. As a result an email from you to a recipient is in the hands of two other parties other than you and the recipient (the two different email services). A similar model is used for other common internet based messaging services such as Blackberry Messaging, Apple’s iMessage, and Facebook Messenger. If messages are sent unencrypted, a message being sent this way is potentially vulnerable on the email company’s servers that work as a relay point between you and the intended recipient of your message. This is where the concept of end to end encryption was developed.
“End-to-end encryption is a system of communication where the only people who can read the messages are the people communicating” (Wired, 2014). Put another way, this is a method of encryption to ensure that only Alice and Bob can read the messages in a conversation, even if another party (such as an email or text messaging company) handles the message while it is in transit across the internet. “Messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between. In other words, only the endpoint computers hold the cryptographic keys, and the company’s server acts as an illiterate messenger, passing along messages that it can’t itself decipher” (Wired, 2014).
Several companies have developed unique messaging services whose primary selling point is the use of end to end encryption that provides privacy for its users. One of the largest companies in terms of customer base to utilize end to end encryption is a company called WhatsApp with over 1 billion users globally. WhatsApp uses the below language to advertise this feature to their customers:
“Some of your most personal moments are shared on WhatsApp, which is why we built end-to-end encryption into the latest versions of our app. When end-to-end encrypted, your messages and calls are secured so only you and the person you’re communicating with can read or listen to them, and nobody in between, not even WhatsApp” (WhatsApp Website, 2017).
WhatsApp provides end to end encryption for text messaging, file transfers, and phone calls and operates all around the world. While they describe the primary reason for providing this level of privacy for communications as simply being about protecting conversations from prying eyes even from their own company, some have asserted that this technology is in place with the purpose to prevent access by government intelligence operations and law enforcement trying to listen in on conversations.
Another company in the same industry, called Open Whisper Systems, carries their marketing further for their app, called Signal. On their website they include a list of endorsements. The first of which is from Edward Snowden in which he states “Use anything by Open Whisper Systems” (Open Whisper Systems, 2017). Mr. Snowden is described as a “whistleblower and privacy advocate” which of course is an oversimplification given that his primary claim to fame was that while working for Booz Allen as a contractor for the National Security Agency (NSA) he perpetrated “one of the most significant leaks in US political history” (The Guardian, 2013). The primary subject of his leaks were the details surrounding the NSA’s massive surveillance program. One of Snowden’s claims was “they are intent on making every conversation and every form of behavior in the world known to them (NSA)” (The Guardian, 2013). Therefore, the placement by Open Whisper Systems of an endorsement from an individual who is known to be critical of government surveillance at the top of their marketing materials is intended to send a clear message about their product and at least part of its purpose. That Signal and its related technologies are built specifically to prevent electronic eavesdropping both by individuals and by government intelligence and law enforcement operations. Some of the built in technologies within the freely available app include options called “Censorship Circumvention” which is designed to get around filters that are put in place by some countries on internet service providers (ISPs) to prevent their citizens from accessing certain websites or internet services (like Signal). “In countries with a small number of ISPs that all apply filtering rules defined by the state, circumventing censorship can be difficult. After all, they can always turn off network access entirely. The goal for an app like Signal is to make disabling internet access the only way a government can disable Signal” (Signal Blog, 2016). One country in particular that is known for applying such filters on their ISPs is China (Washington Post, 2016). So it is clear that while apps like WhatsApp seek to utilize their technology to provide a level of confidence to their customers that their conversations are private, other apps like Whisper System’s Signal are marketing themselves as a way to circumvent what they see as possible government intrusion into the privacy of citizens by governments from all over the world.
The Good and The Bad Of Encryption
All of the encryption technology that has been discussed is a major part of what keeps us secure today with our always on connections to the internet. Whether it is through smartphones, laptops, desktops, or servers, without this encryption we would be extremely vulnerable to all kinds of attack. Some of the targets that may be attacked for the average individual would be their financial records, medical records, social media, home security and the “internet of things” (IoT). All of these elements could be used against individuals to steal their identity, threaten their family’s safety, or to simply rob them. As information moves across the internet it is essential that this information is protected using strong encryption methodologies and not left vulnerable to attack. In the case of end to end encryption for messaging, this can be very useful for families, coworkers, and many others who need to communicate sensitive information across the internet securely. One example would be a college student attending school in a different state from where his parents live. How can a student and his parents communicate sensitive but needed information for those inevitable situations that occur in which the student or their parents need to communicate information such as account numbers, passwords, and other pieces of information that could be used by a malicious third party to do harm to either the student or their parents? Another good example may be an attorney who needs to communicate sensitive privileged information to their client who is on the other side of the country. Or what about a doctor who needs to send test results on a patient to a specialist located far away? Going outside of the freedom that we enjoy in the United States, what about the political dissident in countries with oppressive governments like Iran and Syria? How can they avoid arrest or even the death penalty while coordinating with others who oppose their government the same way they do? The best way for each of these scenarios is to use encryption technology like what has been discussed. There are countless examples of legitimate uses of encryption that go on every day in a way that most people are not even aware of. What typically grabs the headlines, however, is when that encryption is used to protect the bad guys. Like any technology, encryption can be used in support of threats to health and safety just as well as it can be used to support legitimate purposes.
On December 2nd, 2015 in San Bernardino, California fourteen people were killed and twenty-two were injured in a mass shooting and attempted bombing at a Christmas Party at the County Department of Public Health. This attack was carried out by a married couple, Syed Rizwan Farook and Tashfeen Malik who were both killed in a shootout with law enforcement after the attack. Farook was a US born citizen of Pakistani descent and Malik was a lawful permanent resident from Pakistan (LA Times, 2015). During the investigation of the aftermath of this attack, the Federal Bureau of Investigation (FBI) recovered an Apple iPhone 5C that was owned by the San Bernardino County government and was issued to Farook as an employee of that agency. Seeking to track down any potential leads that may explain the motive of the attack, accomplices, and potential future related attacks, the FBI sought to access the contents of this phone like would normally be done with any other phone or computer related to an incident of this type. However, the core operating system on the iPhone (iOS 8 at the time) was designed in such a way as to prevent unauthorized access to the data being stored on the phone. Unauthorized access in this case being defined as anyone who is not the user of that phone. The way in which Apple achieved this was through the use of strong encryption of all data stored on the device. Additionally, all text messages sent using Apple’s proprietary iMessage service were sent using end to end encryption so that only the people in a text conversation can access the contents of that conversation. An iPhone 5C encrypts all of its information using a four to six digit PIN code as the encryption key. Additionally, iOS has a kind of self destruct function for when a PIN code is entered incorrectly after a number of times. Once this number of incorrect tries is reached all information stored on the phone is securely destroyed and cannot be recovered thus eliminating the possibility of a brute force attack by trying every four to six digit combination possible. This put the FBI investigators into a very difficult situation in which they basically had a vault that could only be accessed by Farook who was killed in a shootout with law enforcement.
The FBI initially turned to the National Security Agency (NSA) for assistance in breaking into the phone. However, the NSA was unsuccessful since the phone in question was not one that they had broken into before (ZDNet, 2016). From there the FBI turned to Apple as the original manufacturer of the phone to break the security of the device. Apple refused stating its policy to never undermine the security of its products. The request by the FBI, which later became an order from a US Magistrate, was to create a “cracked” version of the iOS operating system that would bypass the security features of the phone. Put another way, they sought to compel Apple to produce malware for their own product to bypass the security that they had developed. Eventually, after a lengthy legal battle between Apple and the FBI, the FBI was able to break into the iPhone 5C on their own through other means which have yet to be revealed by the FBI. While they were able to gain access there has yet to be any information released on whether or not gaining access to the phone revealed any useful information to the investigation including whether or not the couple was in contact with terrorist organizations such as ISIS or if there were additional shooters or future planned attacks. It is likely, however, that it did reveal useful information about the Farook’s day to day activities in the time leading up to the attack which can have value in and of itself (Fortune, 2016).
The San Bernardino case created a great deal of debate in the technology industry and the government sector about the need for strong encryption by average citizens. Though it may be more of a war of words than a debate at this point. A great deal of rhetoric has been thrown back and forth around the security/privacy debate between law enforcement, intelligence, security advocates, technology companies, and privacy advocates. “FBI Director James Comey told a Boston audience this morning that ‘ubiquitous strong encryption’ – the kind now available on most smartphones and other digital devices – is threatening to undermine the ‘bargain’ that he said has balanced privacy and security in the US since its founding” (CSO, 2017). The director, and others on the security side of the debate, have gone on to say repeatedly that the public availability of strong encryption makes the investigation of incidents and the prevention of terrorist attacks or other dangerous activities almost impossible as terrorists and criminals move information that used to be easily found in their home on a piece of paper after a warrant is issued to a digital platform that cannot be broken into by law enforcement no matter what warrant they may have. On the one hand this proves the strength of properly implemented strong encryption against an adversary. If even law enforcement operating within the bounds of US Constitutional law are unable to access information that has been secured using strong encryption, then it is obvious that the ultimate obstacle to access for anyone attempting to access that data is the encryption itself and not policy restrictions.
Earlier this summer on June 3rd, 2017 a terrorist drove a van off the road near the London Bridge in the United Kingdom and proceeded to drive it into pedestrians on the side of the road killing eight people and severely injuring forty-eight more (Telegraph, 2017). As the investigation into this incident proceeded, the following August, United Kingdom Home Secretary, Amber Rudd, stated that “real people” do not need strong end to end encryption. “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security” (Business Insider, 2017). Put another way, the secretary is saying that average users care more about usability issues and less about the privacy and personal security that is included in the technology they buy. Ultimately the security side of the debate can be boiled down to one simple reality about strong encryption. It severely hinders a government’s ability to stop threats to the public’s safety including terrorist attacks and criminal activity from organized crime, drug cartels, and human trafficking. It hinders the governments ability to do so because it successfully blocks completely their ability to access information about the individual involved in the activity and the ability to connect them to other potential threats.
On the privacy side of the debate it is a strongly held belief that to provide any kind of backdoor or to compromise the security of encryption in any way will put innocent users at risk of an invasion of privacy by governments (such as China for example), or at risk of a hacker identifying a way through that backdoor or compromise and be able to steal their identity or put them at some kind of other risk. This debate between the use of encryption by average citizens and the ability of law enforcement and intelligence agencies to access the data of criminals and terrorists is the privacy vs security debate at its core. In a lot of ways it is the privacy/security debate in its purist form since there really is no real way to work around encryption through legislative or policy methods.
Both sides of the debate agree that terrorists and criminals need to be stopped while maintaining the privacy of innocent civilians. The primary issue is in how to satisfy both concerns. Is there a way to keep strong encryption available to citizens without compromising its effectiveness while also ensuring that law enforcement and intelligence agencies are still able to gather the information they need to stop terrorism and criminal activity? Some have suggested a “backdoor” into encryption technologies that can only be used for legitimate government activity backed up by due process of law. However, security experts agree that any backdoor would be a target for any hacker with malicious intent against an individual. Not to mention that same backdoor could be used by oppressive regimes around the world where political enemies of the state may be using encryption to work against that oppression. Plus, given that we are talking about software that can be easily transmitted across the internet, an arena that is almost impossible to regulate, passing laws that prohibit the distribution of strong encryption will not be effective if entities from outside of that law’s jurisdiction distribute their encryption technology on the internet. So simply eliminating the ability of US companies to legally distribute encryption technology will not be effective given that the technology can be easily distributed by entities over the internet. This makes this primarily a technical issue in nature and not a policy issue. Therefore, to solve this issue we have to address this the same way a hacker would by looking at the technology itself. Returning to the previously mentioned three basic methods of attack against encryption. It has been established that breaking the encryption is not feasible. Giving copies of the keys to someone other than the user (such as a government) would potentially compromise their privacy. So this leaves accessing the data BEFORE it is encrypted or AFTER it is decrypted.
Data that in an encrypted state is useless even to the owner of that data. That data has to originate from somewhere in an unencrypted state before it is encrypted. And data’s end purpose cannot be realized by the owner unless it has been decrypted. Therefor, data that is of use will be in an unencrypted and vulnerable state at some point in its lifespan. Maybe even multiple points. This same set of rules can be applied to any type of encrypted data whether it is your account password for your bank or a list of phone numbers of terrorists within a terrorist cell. By understanding these simple facts about encrypted data there is the opportunity to get to the data that is needed for an investigation. This is where law enforcement and intelligence agencies must focus their efforts, where the data exists in an unencrypted and vulnerable state. For example, a message sent through an app like Signal will be unencrypted at two or more points. First between the keyboard being used to type the message and the smartphone or PC with the Signal app installed. Then the message will be unencrypted again when it is displayed on the screen to the intended recipient. Those are two points of vulnerability for what is considered one of the most secure text messaging systems in the market today. While this is an oversimplification of the opportunities that are available, an effective strategy could be developed to access the data under legitimate circumstances by law enforcement and intelligence operations. This takes a change in thinking about this problem that could provide the right balance between privacy and security on this issue without compromising the effectiveness of encryption technology.
- “Cracking the Code.” 2016. Central Intelligence Agency. https://www.cia.gov/news-information/featured-story-archive/2007-featured-story-archive/cracking-the-code.html (November 25, 2017).
- Enigma History. 2012. Crypto Museum http://www.cryptomuseum.com/crypto/enigma/hist.htm (November 25, 2017).
- “Symmetric Cryptography.” 2017. IBM Knowledge Center. https://www.ibm.com/support/knowledgecenter/en/SSB23S_184.108.40.206/gtps7/s7symm.html (November 25, 2017).
- “Asymmetric Cryptography.” 2017. IBM Knowledge Center. https://www.ibm.com/support/knowledgecenter/en/SSB23S_220.127.116.11/gtps7/s7pkey.html (November 25, 2017).
- “What is Advanced Encryption Standard (AES)? – Definition from WhatIs.Com.” 2017. SearchSecurity. http://searchsecurity.techtarget.com/definition/Advanced-Encryption-Standard (November 25, 2017).
- Greenberg, Andy. 2017. “Hacker Lexicon: What Is End-to-End Encryption?” Wired. https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/ (November 25, 2017).
- “WhatsApp Features.” 2017. WhatsApp.com. https://www.whatsapp.com/features/ (November 25, 2017).
- “Signal.” 2017. Open Whisper Systems. https://signal.org/ (November 25, 2017).
- Greenwald, Glenn, Ewen MacAskill, and Laura Poitras. 2013. “Edward Snowden: the whistleblower behind the NSA surveillance revelations.” The Guardian. https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance (November 25, 2017).
- “Doodles, stickers, and censorship circumvention for Signal Android.” 2016. Signal Blog. https://signal.org/blog/doodles-stickers-censorship/ (November 25, 2017).
- Denyer, Simon. 2016. “China’s scary lesson to the world: Censoring the Internet works.” The Washington Post. https://www.washingtonpost.com/world/asia_pacific/chinas-scary-lesson-to-the-world-censoring-the-internet-works/2016/05/23/413afe78-fff3-11e5-8bb1-f124a43f84dc_story.html (November 25, 2017).
- “San Bernardino shooting updates.” 2015. Los Angeles Times. http://www.latimes.com/local/lanow/la-me-ln-san-bernardino-shooting-live-updates-htmlstory.html (November 25, 2017).
- Whittaker, Zack. 2016. “NSA finally admits why it couldn’t hack San Bernardino shooter’s iPhone.” ZDNet. http://www.zdnet.com/article/nsa-comes-clean-on-why-it-couldnt-hack-san-bernardino-shooters-iphone/ (November 25, 2017).
- Reisinger, Don. 2016. “FBI Got Useful Information Off San Bernardino iPhone.” Fortune. http://fortune.com/2016/04/20/fbi-san-bernardino-iphone/ (November 25, 2017).
- Armerding, Taylor. 2017. “Comey: Strong encryption.” CSO Online. https://www.csoonline.com/article/3178299/security/comey-strong-encryption-shatters-privacy-security-bargain.html (November 25, 2017).
- Alexander, Harriet. 2017. “London Bridge attack – everything we know.” The Telegraph. http://www.telegraph.co.uk/news/2017/06/03/london-bridge-everything-know-far/ (November 25, 2017).
Charles Teel is an experienced Cyber and Information Security Professional and founder of SR2 Solutions with a demonstrated history of working in the the business world including in a variety of sectors. Skilled in Secure Software Development, Team Building, Leadership, and Management Consulting. Graduated from Lamar University MBA Program. Currently an Executive Masters Student at the Bush School of Government and Public Service at Texas A&M University with a concentration in Homeland Security and Critical Infrastructure Protection.